Katie Vickery, a regulatory and compliance partner at international law firm Osborne Clarke, reacts to the UK Government’s published plans to protect users of smart speakers, kitchen appliances, cameras and other ‘Internet of Things’ devices from cyber criminals.
The Government has finally lost patience with industry’s promise to introduce security measures for connected products on a voluntary basis. Its proposal opens a consultation on legislation that will require the manufacturers of connected devices to implement the first three security measures outlined in the 2018 Code of Practice, but the door is very much open for the remaining 10 measures to become part of the legislation in the future.
It is not just manufacturers who need to be alive to this. The obligation will also apply to distributors and retailers who will need to check that products comply with the new legislation before supplying the goods and also pass on information to a regulator if any risks are identified. These obligations align with existing product safety rules but will require many businesses to rethink their due diligence and monitoring processes when dealing with connected products.
What is really interesting is that the legislation will extend the obligations to online marketplaces and platforms, placing an obligation on them to ensure that third parties comply with these new requirements. Up till now platforms have not taken responsibility for products sold on their platforms unless they are informed that a product presents a safety risk.
The proposal announced today suggests that the UK Government will be seeking to impose further regulation on online platforms, requiring them to take greater responsibility for the products they allow to be sold on their sites. It is looking likely that the EU’s Digital Services Act, which is also seeking to impose more regulation on online platforms, will form part of the UK’s approach at the end of the transition period.
The proposals around enforcement depart from the way general product safety rules are enforced. If you commit a regulatory breach normally this is enforced through the criminal law.
However, this proposal is suggesting the use of voluntary notices and enforcement undertakings, which can ultimately be enforced through the civil law system. Enforcement also includes the ability to temporarily ban the sale of the product, as well as force a recall, but also the possibility to implement a fine.
The proposal also hints at GDPR-level fines, 4% of annual worldwide turnover is mentioned as an example, which would certainly give these regulations some teeth.