Digital, Culture, Media and Sport Committee
Oral evidence: Connected tech: smart or sinister? HC 157
Tuesday 31 January 2023
Ordered by the House of Commons to be published on 31 January 2023.
Members present: Kevin Brennan; Clive Efford; Julie Elliott; Damian Green; Dr Rupa Huq; Jane Stevenson.
In the absence of the Chair, Damian Green took the Chair.
Questions 370 - 427
I: Julia Lopez MP, Minister of State for Media, Data and Digital Infrastructure; Sam Cannicott, Deputy Director and Head of the Office for AI, Digital Identity, Department for Digital, Culture, Media and Sport; and Erika Lewis, Director, Cyber Security and Digital Identity, Department for Digital, Culture, Media and Sport.
Witnesses: Julia Lopez MP, Sam Cannicott and Erika Lewis.
Q370 Chair: This is a meeting of the Digital, Culture, Media and Sport Committee. It is our last hearing on our connected tech inquiry. I am delighted to welcome the Minister, Julia Lopez, and two of her officials, Erika Lewis, Director of Cyber Security and Digital Identity at the Department, and Sam Cannicott, the Deputy Director, the Head of the Office for AI. Welcome all.
I do not think any members of the Committee have any declarations of interest to make, so let me start off with one of the things hanging over the so-called Data Reform Bill, the Data Protection and Digital Information Bill, introduced in July and paused in September. What is happening to it?
Julia Lopez: As you know, we have had a Prime Minister come and go in that time and a new Prime Minister come into place. Each Prime Minister obviously wants to look at the legislative programme and make a decision as to which Bills they wish to take forward, so there was a bit of back and forth. Prime Minister Truss wanted to look at some of the things in the Data Protection Bill. We had a series of groups, with a business advisory group looking at the legislation to make sure it is going in the right direction in terms of burdens for businesses.
My understanding is now that, while the legislation is ready to go, we are now just waiting on the Parliamentary Business and Legislation Committee to give us a slot, but I think that is fairly imminent.
Chair: So the Bill is not dead; it is just resting.
Julia Lopez: No, the Bill is alive and kicking and is probably going to be introduced fairly soon.
Chair: In this Session?
Julia Lopez: Yes.
Q371 Chair: Okay. Looking at the substance of it—obviously everyone has had a chance to kick the tyres and work out what they think is good and bad about it—how do you respond to the comments that the reforms you are proposing will not be any less burdensome than the current set of regulations we have?
Julia Lopez: I disagree with that. We are trying to give businesses flexibility. Businesses will not have to change how they manage data at the moment if they do not wish. They will still be compliant with the new regime, but we are giving them more flexibility as to how they deliver. To give an example, you do not have to have a specific data protection officer. You simply have to have a person within the company who is responsible for your data policies. We are trying to make data protection regulations more proportionate, so the ICO will focus on the highest risk activities. Some of the lower risk activities, where we do not think there is a concern about data processing, will not be as closely monitored. We are going to try to reduce burdens—things like cookies. For the low-risk processing of cookies, you will not have to have a cookie banner.
These are all a series of fairly smallish steps to try to reduce the overall burden of data protection regulations, because I think there is a lot of confusion about what can and cannot be done and we are going to try to clarify some of that confusion.
Q372 Chair: One other point that has been made repeatedly to us by the tech companies—obviously, the big ones are global—is that their business is made easier by harmonisation, and that Britain going its own way and having slightly different regulations from Europe or the USA makes it more burdensome for them rather than less. How do you respond to that?
Julia Lopez: One of the key objectives for our data protection legislation is to maintain adequacy with the European Union, but we are also building what we are calling data bridges with other countries. We are trying to make it easier to have international data transfers. If businesses maintain their current approach to GDPR, they will still be compliant under the UK regime as they would be in the EU one.
Chair: So if they don’t change anything, they will still be compliant under the new regime?
Julia Lopez: Yes.
Q373 Chair: This slightly gives rise to the question: what is the point? If businesses are saying, “We are quite happy. Whatever the horrors of GDPR, we have all got used to it and we quite like having a set of international rules that are compliant with each other,” why are we passing our own legislation?
Julia Lopez: Some companies do not transfer a great deal of data internationally, and it will give them more flexibility. We are trying to be more proportionate in the approach that we take, so that we are not pulling in lots of smaller businesses with lots of compliance and regulations that they do not fully understand. We are trying to give scientific researchers more flexibility in how data is shared, so that they can have more bandwidth to do research activities. As I say, it is an evolution rather than revolution.
We think that, as they develop, some of the key technologies will require more flexibility than GDPR allows. We are trying to gradually step away from the very restrictive processes that are under the GDPR, and also to try to build more flexible relationships with international partners whom we trust, so that businesses are able to transfer data internationally to more partners. The adequacy process under the EU can be quite lengthy, and we think that we can be more agile in terms of building the partnerships we need with key international economies going forward. We are just trying to create that agility and flexibility over a period of time, rather than have some great revolution where we suddenly break free of the GDPR system.
Chair: I think we are going to come onto the new technologies later on.
Q374 Dr Rupa Huq: Our inquiry title hints at the sinister nature of connected tech—this idea that it is coming into our homes, our schools, our workplaces, worldwide, even public spaces. What would you say the biggest benefits are of connective tech that your Department can help facilitate?
Julia Lopez: It is a pretty broad question. There is a huge range of benefits that people can get from connected tech, depending on what you are seeking from it. I think one of the most interesting developments will be in terms of healthcare, in terms of ongoing monitoring, making sure that we can focus on prevention rather than cure and making sure that more people can be treated in their own homes rather than in hospitals.
I look at it from this angle: we have been doing a whole bunch of projects under the 5G testbeds and trials work that we have been doing, seeing how you can use connected devices to send data across a range of different applications, including things like farming where you can monitor crops and then have much more targeted application of fertiliser, pesticides and so on. It is about a whole range of applications across the economy where you can probably get productivity and efficiency gains.
Obviously, there are also entertainment gains. A lot of people like using connected devices in their own homes. You can get fridges that tell you when your fridge is empty, and you can have smart speakers installed. I think we are all familiar with the new products coming down the line, but those kinds of products will only develop and increase. Obviously, that creates a greater deal of risk in terms of security and so on, but it is for us to try to manage that against the innovation and benefits that can come from connected products.
Q375 Dr Rupa Huq: Among the risks that you are mitigating, you mention security. Also, there is this idea of people’s privacy being stolen and people being powerless. What would you say the risks are, and is there an inherent thing within the design of connected tech that loss of privacy is the price you pay?
Julia Lopez: It depends on the tech that you are using. Any device connected to the internet creates a level of risk to your overall network, so we are looking at what that means in terms of cyber security in the Department, data security and so on. The Information Commissioner, who was before your Committee, is already looking at some of the data processing activities and making sure that companies are still held to the same account in terms of how they handle users’ data. There are a range of security risks that can come from internet connected devices and it is for us, as a Department, to try to mitigate some of those risks.
Q376 Dr Rupa Huq: As MPs, we are used to seeing on these monitors when it says, “Threat level: high”. People and businesses assume security means burglar alarms, that kind of thing. I think it is an under-appreciated risk to businesses that they are vulnerable to cyberattack. What is DCMS doing to improve cyber-resilience within businesses, including small ones? I think you have figures that show that the business cost can be £4,200 per year for a business, rising to £19,400 if it is a bigger business. People do not know until it has happened, and I just wondered what you were doing in the Department.
Julia Lopez: I think businesses are increasingly aware of the risk. We have had two big things happen to us as an economy: the pandemic, where a lot more activity is going online; and then obviously the Russia-Ukraine situation, where there has been a greater concern about how states might use those kinds of cyber spaces as part of any effort against a country.
There is an increased awareness, for sure, and there have been a number of high-profile breaches, which I think have made a lot more companies much more aware of how they need to close their own gaps. As a Department, I think there are different ways of going about this. One of the things we are trying to do is to make sure that there is an overall awareness and resilience within companies in relation to their own cyber skills.
The NCSC—the National Cyber Security Centre—runs cyber awareness certification. I did an event recently where we were trying to increase the number of businesses going through that, so that there is a base level cyber resilience and security. We have to take a number of different approaches to how we secure infrastructure that companies are relying on, but obviously there is an onus on companies themselves to make sure that they are protecting any gaps. The NCSC has been excellent at providing advice to businesses and being proactive in how they do that, so that people are up to date with the latest steps.
There are also some very basic steps that companies need to take to make sure that each of their employees is aware of their own responsibilities, as users of a network, to make sure that that network is secured.
Q377 Dr Rupa Huq: Yes, I think of some of my very small businesses that were confused by the digitalisation of tax. When it is a one-man band, more awareness raising would be good.
Research has shown that in healthcare alone, 98% of connected device traffic is unencrypted. I think in different sectors there are different figures: 57% of devices are vulnerable to medium or high severity attacks. I remember a time when everyone’s benefit records were on a CD that was lost at Carphone Warehouse, or something. We don’t have those incidents any more. We have got beyond that, but is this an accident waiting to happen?
Julia Lopez: I think everybody has to be aware of the risk they hold when they are doing more and more activities online. I just think that is a risk of doing business, a risk of governing, which we all have to be aware of. It is about taking a whole series of measures to try to close those security vulnerabilities. We do that as a Department in terms of legislation, trying to make sure that there is a better base level of security across devices.
The Government have their own programmes to make sure their own systems are secure, and businesses have to take accountability for making sure their own systems are secure. Therefore, I think we have to get the message out there that each one of us now has a responsibility, in whichever activities we are engaged in, to think about cybersecurity as a relevant risk to their life.
Q378 Dr Rupa Huq: At the other end of the spectrum from the one-man band micro business, Google say that it is constantly under attack from state-sponsored cyberattack from China, Russia and places like that. Google has programmes to mitigate that, but how do we help businesses that do not have Google’s vast resources?
Julia Lopez: The NCSC provides a lot of guidance and proactive support to businesses on some of those risks. It monitors particular attacks to make sure that it is changing its guidance according to the latest measures that particular attackers are using, and it tries to increase the base level understanding of security. That is even things as simple as password management, which is still something that people are not getting right.
As a Department, we also have a number of products where we are trying to skill people up in cyber, because it is a challenge. The digital economy is growing very fast but our skill levels, in terms of managing that, are not keeping pace. Something like 14,000 cyber jobs are unfilled at the moment, so we are trying to make sure that the skill levels are there through various interventions, from cyber explorers with young people in schools—I think it is Year 7 and Year 8, is it?
Erika Lewis: Yes.
Julia Lopez: And digital skilling up across your adult life. If you do not have even a base level of digital skills, you are able to get a level 1 qualification on that for free under a Government programme. There is not one silver bullet about how we tackle these issues. It is about trying to make sure that the overall population and economy is more resilient to cyberattack than elsewhere.
Some of your previous witnesses have talked about what the UK does in this space and how cyber attackers will look at which countries have the greatest vulnerabilities. What we want to try to do is make the UK an unattractive place to carry out a cyberattack.
Q379 Dr Rupa Huq: Does anyone else have anything to add?
Erika Lewis: The only thing that I would add is that we also have the NIS Regulations—the Network and Information System Regulations—that look at critical national infrastructure. We have this baseline security, as the Minister has laid out, and we have awareness raising and skills programmes, but when we are looking at critical infrastructure there is something more.
We also work with the regulators in those industries to ensure that they understand the risks for their particular providers. We have a reporting regime, and we have an interaction regime with those critical national infrastructure businesses. It is a risk-based approach that we take and, where the risk is higher for us, obviously with CNI we do something more.
Q380 Chair: Could I pick up on that for a second? Specifically on public sector risk, because clearly the NHS and other big institutions will be vulnerable to attack, is there a drive to get, for example, Chinese equipment out of any critical part of the public sector infrastructure? Is that one of the things you are seeking to achieve?
Julia Lopez: Obviously, there has been a lot of discussion about the presence of Huawei in the 5G core. We are trying to make sure that the fundamental infrastructure on which some of our digital systems are built is not going to be vulnerable or have any back doors. That is one of the ways in which we are taking that piece of work forward.
There is a lot of debate about other connected devices, which I think the NCSC monitors, but we have not taken an overall Government edict about the types of equipment that should be banned. My main focus in my own portfolio has been the stripping out of Huawei from the 5G core, and then I think there is various different guidance about the types of products that you should be using when you are looking at some of the connected cities work, for instance, and some of the best practice in relation to the IT systems we are procuring.
Q381 Chair: Apart from the 5G debate, which as you say we had some years ago, there is no full-on ongoing push—as new technologies are developed and therefore new things become critical for infrastructure, like smart cities or even smart speakers in people’s homes—to say, “Hang on, let’s go for things other than Chinese technology first”?
Julia Lopez: The whole thing is always being monitored. There is a question at some point about whether you think that there is a systemic risk posed by any one particular activity, which is the debate that happened in relation to Huawei, where there was a view that past a certain percentage of the network, that was a risk that we would find intolerable. I don’t think that piece of work is ever closed down. It is a constant discussion between different parts of government as to the risk levels that cross a certain threshold and the point at which you take action.
Chair: Huawei is not the only Chinese company, either.
Julia Lopez: No.
Q382 Chair: We have had the CCTV debate about Hikvision and so on. The NCSC isn’t giving Ministers advice about, “Don’t have smart speakers” or anything like that?
Julia Lopez: On a personal level?
Julia Lopez: I have never been told, “Don’t have a smart speaker”.
Chair: Do you have one?
Julia Lopez: I was thinking about whether you were going to ask me this, and I thought, “Actually, I would not divulge my security arrangements for my personal life, and I don’t think I should divulge exactly which devices I have in my home, as a cyber security measure.” I am not the best when it comes to connected tech, I have to admit, but I think that is just because I question the use of it in my own life, rather than anything else.
Chair: Yes, that is a separate issue, I agree. If you think it is part of personal security and if you see that as a personally intrusive question, that is quite interesting.
Julia Lopez: Is it ever wise for a politician to declare what is in their house, how they are secured and so on? Probably not.
Chair: No; I would hate to put your security at risk. I am not sure, frankly, if the question of whether you have a smart speaker or not does that.
Q383 Jane Stevenson: Good morning. I want to ask you about tech abuse. We have heard from domestic abuse charities and various bodies about the enormous potential for partners to attack their previous partner using covert cameras and in so many different ways. Is this on your radar, and what do you think the Government’s role is to help on this?
Julia Lopez: As you know, last year we passed an important piece of legislation on domestic abuse. That included tech-enabled abuse as a crime that action could be taken against.
From my perspective, in terms of product security, what we are trying to do is have a base level of security for connected devices. This debate came up in the Committee stage. The challenge often in relation to tech-enabled abuse is that there is legitimate access gained to products, and also that with some of these products, as ever with technology, you can use them for good or you can use them for ill.
I am there to provide a base level of security, but sometimes domestic abuse victims actually welcome connected products on the basis that they can also monitor their homes and make sure they are aware of any security breaches in their own homes. It can be used for bad purposes, and it can be used for good.
On the bad purposes, we have the domestic abuse legislation that covers that off. On the good, we are trying to make sure that illegitimate actors cannot have easy access to particular pieces of technology, which we did through the Product Security and Telecommunications Infrastructure Bill last year. In it, we are trying to make sure that people have more control over the passwords on devices and so on, because a lot of these connected devices just have factory setting passwords, which are easily hacked into. If we increase the overall resilience of these devices on the cyber front, we think they will be harder for bad actors to breach, whether it is a hacker or a former partner.
Q384 Jane Stevenson: The legislation is obviously welcome, but it does put an enormous amount of expectation on the victim to know what the potential risk is and to be able to figure out what is connected to their wi-fi. If someone has put a covert camera in your home—we hear the term gaslighting. I am old enough to remember where that came from, and the film. Someone was adjusting the lighting to make someone think they were going into a mental health crisis. The potential for that is enormous. How would a victim know what is going on around them? Does this need more education from charities?
Julia Lopez: The problem is that the breadth of what can be a connected device is large. There are different people with different roles in this. In terms of whether crime is committed, in terms of covert monitoring, that is covered off by Home Office legislation.
My role in this is to make sure that devices are not as easily hacked. Then I think there is a responsibility on product designers to make sure that there is a greater consumer awareness of what certain devices can and cannot do.
Q385 Jane Stevenson: Are products available to tell you, or should they be, or is there an age-appropriate design code?
Julia Lopez: The age-appropriate design code is there for products that are mainly focused on children. That is something that is enforced through—
Q386 Jane Stevenson: Could anything similar to that work on connected tech that is being abused?
Erika Lewis: I think that is a really difficult question to answer. The route that we went down with the PSTI Bill was not putting the consumer or the citizen in a position where they have to think through that basic level of security, because in the future, when that is in force, the product won’t have a default password, so one of these factory passwords. The consumer will know how long the software on the product will be updated for and there will be somewhere that they can contact in terms of a vulnerability.
In effect, they are becoming a little bit more aware through that, anyway, of the fact that they have introduced something into their home that may be compromised—there is a risk. I think it is good that, through that kind of process, we are raising for the consumer the understanding that there is a risk. We are also taking away the need for them to have to think through. They will know that they have to interact with the password, for example.
We know, from work that NCSC has done, that passwords are the most important things in terms of security for a product. That is the basic level of security. In terms of what might be coming to help in those kinds of situations, I just could not predict that.
Q387 Jane Stevenson: Where do you see the future going for this as tech gets more and more advanced with the potential to plant things in our homes? Can the Government do anything to make it easier to know if you are being monitored by someone else?
Julia Lopez: I don’t know. I do not have enough knowledge of the different tech available out there to know, I am afraid.
Q388 Jane Stevenson: I am thinking about bugging devices or tracking apps on phones or iPads, and also through domestic abuse survivors’ children. Because of the access a former partner has if the children are visiting them, they could be putting on tracking apps and monitoring behaviour that way. It seems such a vast problem. I don't know what the answer is, but I am struggling to see where the Government can assist.
Julia Lopez: The first step is to make sure that that kind of activity is prohibited. I think some of the clauses from last year’s Bill are designed to deal with that, to bring those kinds of activities into the scope of criminal law and to act as a deterrent from taking that kind of action.
Q389 Clive Efford: Thank you, Minister, for coming to give evidence today. I want to ask you a few questions about connected technology and children. The Information Commissioner has told us that, as yet, it does not have the capacity to look at connected toys. What is the Government’s thinking about the impact of connected toys and the potential for data to be collected from these devices? Has the Government given any consideration to that, and are you concerned that the Information Commissioner’s Office says that, as yet, it does not have the capacity—not that it shouldn’t be looking at it, but that it just cannot do it because it does not have the capacity? Do we have a resources issue there?
Julia Lopez: What is your concern in relation to connected toys and their impact?
Q390 Clive Efford: The concern is—this is what has been given to us in evidence—that data could be collected on young people that could be kept and used throughout their lives. Are those devices secure, in terms of the data, and can parents make informed decisions and judgments about those devices?
Julia Lopez: It is difficult to answer questions like this, because it depends on the device, the type of data being collected, where the data is being retained and how long it is being stored. There are some general principles around this, about how companies should not store data for longer than it is required. It is unclear what the use of the data would be in terms of what is being collected. All companies are under certain obligations in relation to how they handle certain types of data, for how long, and how they handle children’s data. It is very difficult, because there is such a range of connected devices. In terms of the toy, it would depend on the toy itself and what the concern generally is.
One of the main things that has been raised with us as a concern is the hacking of baby monitors. That is one of the issues that the PSTI Bill was designed to try to prevent, to make sure that the wrong actors could not get hold of data. It is very difficult for me to answer without knowing with a bit more precision the type of data to be collected and the concern. The Information Commissioner has not expressed any concerns to me about resourcing levels on this issue, but it is something I am happy to speak to him about in more detail.
Q391 Clive Efford: The data reform will mean that there is an age-appropriate design code, and that will need to come back to Parliament. What consideration are you giving to the needs of children when you are considering the Data Bill?
Julia Lopez: The age-appropriate design code will be maintained within that legislation. That is something that is already in operation. For instance, the ICO recently looked at a case with TikTok, about whether it was handling children’s data correctly. The ICO already has enforcement powers on issues in relation to children.
Q392 Clive Efford: I just want to move on to ed tech because we have had evidence from the Oxford Internet Institute, which has informed us that 90% of all products access data and this data was being granted to third parties. When you are considering that children are involved, that has to be an area of concern for potential harms. Are you comfortable with the amount of data that is reported to be being collected on children by connected ed tech in classrooms, given that they may not fully understand the risks involved?
Julia Lopez: There are different types of data. It depends if it is identifiable data that would allow you to learn something about a specific child, whether these are just large datasets that are being collected that will tell you something about a broad population of children, and how that data is used. I think there are general principles about how data is permitted to be used in relation to particular users, but there are different ways. It would depend on how data was being used and whether it was being used within the bounds of the law.
Clive Efford: Yes, but shouldn’t we know?
Julia Lopez: These are very generalised questions. It is very difficult for me to answer without any specific example having been raised. The duty of the Government is to make sure that there are certain ways in which data is permitted to be used and for an Information Commissioner to enforce the law against those sets of principles. If you go into a very detailed question about a certain type of tech but without specifying the type of data being collected, how specific it is and how identifiable the child is, it is very difficult for me to provide you with the answer that I think you are looking for.
Q393 Clive Efford: The answer I think I am looking for is very simple. It seems to me, from the evidence that we have had presented, that there is the potential for people to collect data that they should not have access to and to use it going forward. It has been suggested to us that it could even be used in future for insurance companies and things like that. That does not seem to me an appropriate use of data that has been collected through education technology. Should we not be looking into that to make sure that there are no abuses?
Erika Lewis: I need to add to what the Minister has been saying. DfE is looking at this. It is the Department responsible for this kind of use of tech in schools. It is very keen that schools use tech because it gives a jump forward in education benefit, so obviously that is a good thing and that is the balance.
The DfE is working with schools to set standards, and it is looking at leaders understanding cyber security issues and maintaining security, so it is very alive to the issue. As we have spoken about in all of these other places, it is about trying to hit the balance between using these things that jump us forward and making sure that the people who use them and the children who benefit are safe.
Q394 Clive Efford: My concern is about your answers, and maybe I am overreacting; it is possible. There does not seem to be any urgency about making sure that data is not being collected that shouldn’t be. I fully understand the desire to use the data, and I am not against it. I get the need to collect data to make ed tech effective and be able to target education appropriately, and I see it in action in my schools regularly. However, if there are third parties out there who are seeking to obtain data that they will collect and use going forward, for which the collection of that data was not intended in the first place, shouldn’t we be making sure that we are closing down those loopholes and investigating what is going on?
Julia Lopez: I am not trying to be evasive on this. I just think it depends on the type of data you are talking about.
Clive Efford: Yes, I agree with that.
Julia Lopez: It is about the level to which someone is identifiable, and whether the law is being broken. Is there a situation where you are concerned that there is mass misuse of data in a specific set of circumstances that the Information Commissioner could look at? This is not something that he has raised with me. I am happy to talk to him about it and to understand whether there is a resourcing issue and whether it is something that is coming up regularly that he is concerned about.
It would depend on the type of technology being used and the type of third parties that data is being shared with. All the companies using this technology should be under an obligation to use data within the bounds of the law. They would have terms and conditions to which teachers would sign up when they are using those kinds of equipment. That would allow the ICO to hold those people to account in so far as the terms were breached.
As a Minister, it is my duty to make sure that we set the boundaries by which you can share and use data and then, if there is a specific use of ed tech that is concerning, those breaches could be looked into and the ICO properly resourced to look into them. It is very hard for me to answer a wide-ranging question when I don’t quite know the angle that is being taken.
Clive Efford: All right. I will leave it there.
Q395 Kevin Brennan: Good morning, everybody. I am going to give the Minister a rest for a few moments. Fear not, Mr Cannicott, I am going to ask you some questions on artificial intelligence, as I think you have come along because you are the expert in that.
What has been the response to the proposals around AI regulation that have been brought forward?
Sam Cannicott: Last year the Government published a paper setting out our broad direction of travel towards AI regulation and governance. What we set out was a principles-based approach designed to enable innovation but acknowledging that, as technology develops, there are new risks. What we set out to do was not have a rigid approach, but to leverage the existing regulators, who understand risks in their areas, and provide them with a set of principles to shape how they address risks in their own area.
Q396 Kevin Brennan: What sort of risks are we talking about here?
Sam Cannicott: I think some of the new technology does pose potential risks around security. There have been concerns about privacy. Also, the nature of AI is there are two particular things. One is that, as it develops, it is adaptive or autonomous, and those raise challenges around things like accountability and transparency.
Q397 Kevin Brennan: For people watching this who may not know what the hell we are talking about, what kind of risks might there be in people’s daily lives or in their businesses and so on that AI might bring concerns to people about?
Sam Cannicott: If you have an automated piece of technology—say, a connected vehicle or driverless car, which have been developed—there are obvious risks and concerns that people would have about the safety of those. What we want to do through our system is to make sure that appropriate steps are taken to regulate, depending on the risks and the context in which they are operating.
Q398 Kevin Brennan: Is there any danger in the approach that you have taken that because you are allowing different regulators to go their own way, there will not be an alignment across the piece in how artificial intelligence is regulated?
Sam Cannicott: That is why we set out in the policy paper last year the set of fundamental principles that underpin the regime, which we then ask regulators to apply in their area. That will provide that alignment. The other part of it, on which we will be coming forward with more details as we develop the White Paper, will be: how do you enable and support that co-ordination across regulators to address that issue? We understand that in different contexts—one of the principles, for example, is fairness—it could mean different things depending on the sector.
Q399 Kevin Brennan: There will be a White Paper, which will outline that?
Sam Cannicott: Yes.
Kevin Brennan: When will the White Paper appear?
Sam Cannicott: That will be soon. We are working at pace.
Q400 Kevin Brennan: As you know, that is meaningless. In Civil Service terms, that phrase, “Soon, working at pace” could mean next week, or it could be next year. Give us something to work on here, as a Select Committee, rather than coming back with this response.
Sam Cannicott: The policy paper last year confirmed our commitment to delivering that White Paper. We are working on it. Obviously, we will need to engage with Ministers, and ultimately Ministers will—
Q401 Kevin Brennan: How close are you to having a draft to stick under Ministers’ noses?
Sam Cannicott: Very close.
Q402 Kevin Brennan: We do well in creative technology companies, and we attract a lot of investment into our tech sector. What underpins that success, do you think, Mr Cannicott?
Sam Cannicott: Part of it is the regulatory regime we have, where we have regulators who understand their areas. We have had a huge amount of resource investment in our R&D environment through our leading universities and other research institutes. We have established the Alan Turing Institute, which brings together top academics from across the country into a collaborative research environment.
Q403 Kevin Brennan: Is there a problem with the visa system and specialists being able to come into the UK easily and specialise in visual effects, and so on, and undertake their work? That has been raised with us.
Sam Cannicott: This system is not something that my area covers.
Q404 Kevin Brennan: Maybe that is one for Ministers. I will come to the Minister on this. You will be aware that there is quite a lot of concern in the creative industries, which are under your responsibility as Minister, around how artificial intelligence could impact upon the creative industries’ equity. For example, as a union they are worried that copyright does not protect creatives against AI-generated reproductions of their likenesses or performances. As it becomes more mature, they are concerned that they will need greater protection.
As you know, there is also the issue that has been in front of Ministers about data mining and the potential, without permission or licensing, to take someone’s unique created work that is normally protected by the copyright structure we have in this country, which underpins our creative industries and makes them so successful. The Government’s proposal last year to permit data mining without any licensing, in order for AI to conduct its machine learning and so on, was a big threat to our creative industries and our copyright structure.
I think you have been in discussions with George Freeman, your ministerial counterpart. How have those discussions about all of this gone? What is your current thinking on it? Have you talked about it to people such as those in the music industry?
Julia Lopez: As you know, the Intellectual Property Office is something that comes within BEIS’s scope. There was this consultation launched, which I think probably surprised the IPO in terms of the level of concern that was expressed in the creative industries—something that I listened to very openly with some of my stakeholders in the creative industries and something that I have since raised with George Freeman, as the Minister, whose remit includes the IPO.
I am pretty confident that some of the options that were looked at by the IPO to try to create a more permissive environment for AI in this space will not be taken forward, but we are in a situation where I cannot quite announce that.
Q405 Kevin Brennan: Okay. That is not unreasonable, Minister. You are not in a position to announce that, but you have given us a fairly strong lean into where you think it will eventually land. Can you give us any clue as to when—not “soon, but at pace”, obviously—we might get an answer on this? As you know, there is genuine concern within the creative industries about the Government’s approach to this and the IPO.
Julia Lopez: I tried to reassure people in my portfolio, in relation to the creative industries, that I think that some of their concerns are not going to come to pass. I am currently drawing up the creative sector vision for where we want to take the creative industries up to 2030. That should be published soon, and you might see more on that in that document.
Kevin Brennan: When you say “soon”, are we talking in the next few months?
Julia Lopez: I would hope. The thing is that these things are not all within my control, but I would hope it would be before Easter.
Q406 Kevin Brennan: There are one or two slightly off-piste things I want to ask you before finishing. You are in charge of media as well as the creative industries, aren’t you? What is your reaction to the news that the Commissioner for Public Appointments has now recused himself from the review into the process that took place with the appointment of the chair of the BBC?
Julia Lopez: This is something that broke yesterday. I have been looking at the process in relation to what DCMS did and whether all the steps were followed correctly on process level. I spoke to the Permanent Secretary about that, and she was confident that we had taken every step that we should have to make sure that all of the rules around public appointments were very closely followed. If the Public Appointments Commissioner feels that he should not take forward the investigation that had been committed to, I am sure that is the right decision on his part.
Q407 Kevin Brennan: It is quite interesting because, as you may know, the Chairman of the BBC is going to appear before the Select Committee next week. I am a bit concerned now, Chair, that perhaps I should not participate in those proceedings because the reason that the Commissioner for Public Appointments gave in his letter to us—I don’t know if he has written to the Department or not—as to why he could not continue with his review was because he had met Mr Sharp on “previous occasions”, to quote his letter.
I have to tell the Committee that I have met Mr Sharp on previous occasions. I met him when he appeared before this Committee. I met him at a BBC event. I met him at the BBC headquarters on one occasion, in fact, so I wonder whether that disqualifies me from being able to ask him questions next week at this Committee. Of course it doesn’t, because meeting someone on previous occasions is not a reason to recuse yourself from participating in a process. There must be some potential, as the wording says, perceived conflict of interest that could be at play here for somebody like the Commissioner for Public Appointments to have to go so far as to recuse himself from this process, obviously having thought about it for a week since he first announced his inquiry. Would you think that is a correct assessment of the situation on my part?
Julia Lopez: Like I say, I did not meet Mr Sharp until he was actually in post. I do not know anything in relation to the Public Appointments Commissioner’s dealings with Mr Sharp, other than what is in the public domain. In so far as you think I can shed light on this particular angle of questioning, I can say nothing more than I have already said.
Q408 Julie Elliott: I want to move on to reform of the Information Commissioner’s Office. The ICO engaged with national firms regulating connected tech. How will your planned reforms add to its international clout and firepower?
Julia Lopez: What we are trying to do is to add greater transparency and accountability to how the organisation functions, so it will have a chief executive. It will have a board, and it doesn’t currently have that. I think we are just bringing it into line with best practice in how an organisation is run. It will be a body that is increasing in power because of the scope of the things that it regulates. We want to make sure that it has the normal corporate functions in place.
Q409 Julie Elliott: DCMS has bundled the reform of the ICO structure with powers to set strategic objectives and salaries and veto codes of practice. That seems a very wide-ranging group of things to be doing all in one go.
Julia Lopez: I don’t think it is enormously radical as a set of proposals.
Q410 Julie Elliott: Well, I do. Less than half of the respondents to the consultation supported reform of the ICO. Were you surprised at that?
Julia Lopez: I would need to know more about the precise figure that has come through on that, because sometimes people have simply not answered the question or they have not expressed a strong view on it. It is different to whether there is direct opposition to it.
Q411 Julie Elliott: The information that we have been given is that more than half were not supportive of the reform. Many were concerned that it would undermine the ICO’s independence. That was a strong theme that went through, and yet you have decided to press ahead. Why have you decided to press ahead? It is almost like you have ignored the consultation.
Julia Lopez: No; the main person that it is important has confidence in the reforms is the Information Commissioner himself. I meet him regularly. This was a topic that we discussed as we were drawing up the—
Q412 Julie Elliott: Have you discussed the response to the consultation with the Commissioner himself?
Julia Lopez: We discussed the proposals about adding a level of Secretary of State power in this regard.
Julie Elliott: Have you discussed the response with the Commissioner? You did just say you had; you either have or you haven’t.
Julia Lopez: I am sure in the course of our discussions we discussed the consultation. Whether it was the specific response about—
Julie Elliott: It is quite unusual when a response to a consultation goes in one direction and you decide to still go ahead in the other direction. Have you talked about that to the Commissioner, and do you think it might threaten relationships with key stakeholders?
Julia Lopez: No, because there is a series of processes that would be in place about trying to have wider stakeholder engagement as to the strategic aims of the ICO. There is a whole series of things that would help set the strategic direction of the ICO including, as I say, stakeholder engagement, engagement with the board of the ICO and so on.
I think some of the concerns in relation to the Secretary of State’s role on strategic direction of the ICO have been slightly overblown. That is evidenced by the fact that the Information Commissioner himself is comfortable with the place that this has landed. It is something that I have discussed with him throughout, because I think having his support for our reforms throughout this process is incredibly important.
We have a very good relationship. I value his input and I am confident that this is not something that will undermine the independence of the regulator, which I think is key to making sure that he has international credibility. He does have a great deal of international credibility, and the UK as a whole does. I have noted a lot of the comments from previous panellists to this inquiry that our standing on these issues is very high.
Q413 Julie Elliott: I want to move on to a side issue. As you are here, I am taking the opportunity. As you know, a lot of what we have been talking about requires internet access. Currently, BT Openreach is about to increase the wholesale broadband cost by 11.1% in April of this year, which is CPI from October of last year. When the rules were drawn up to allow BT Openreach to do this, inflation was running at about 1.5%, so I think the idea of having inflation at 11.1% was not really considered. Do you think this rise should go ahead?
Julia Lopez: I am not going to sit and dictate what companies—
Julie Elliott: No, but you must have an opinion.
Julia Lopez: As a Minister, my priority is to make sure that there is both stiff consumer competition in markets like this—
Julie Elliott: Wholesale broadband is not really competitive in this country, because Openreach provides broadband for all of the suppliers.
Julia Lopez: It is becoming more competitive on the basis that we have introduced much greater competition to that market. There is a massive challenge in relation to the market dominance of Openreach, because of the previous position held by BT. We are trying to introduce a great deal more competition into the—
Q414 Julie Elliott: That is a separate issue. There isn’t competition at the moment. Do you think that 11.1% is excessive?
Julia Lopez: As I say, what we are trying to do is make sure there is a good price for the consumer but also investment in the infrastructure. BT tells us that, to invest in good digital infrastructure, it needs to plough more money into this and that means that it has to increase its prices. Now I have challenged—
Julie Elliott: I have asked you a very straightforward question, Minister.
Julia Lopez: I would like to get around to answering the question. I have challenged BT Openreach about the prices that it has put forward. I have concerns about whether that price increase is justified and necessary. It said to me that it is having to carry a lot more data, and that it has to invest more in the infrastructure to make sure that we have the gigabit rollout. It is telling me that costs have increased substantially, in terms of procuring certain components and, therefore, that it believes its price rise is justified.
Now, I have concerns about whether it is, but the tools available to me are to make sure we have greater competition, so that there is a disincentive for unfair price increases but, also, so that we have good capital investment in the infrastructure that is going to underpin the competitiveness of our economy.
Q415 Julie Elliott: Ofcom’s wholesale fixed market review allows for a cost price increase lower than CPI, and one of the conditions that Ofcom can enforce is that of reasonable adjustment to BT Openreach’s proposed changes. Do you think that Ofcom should do that?
Julia Lopez: I am not the regulator. The regulator is there to—
Julie Elliott: No, but you must have an opinion.
Julia Lopez: I have just given you my opinion, which is that I have asked BT whether its price rise is justifiable. Its answer to me is that there are inflationary pressures, that it wants to invest in the network and that it has had to carry more data. It is for Ofcom, as the regulator, to determine whether that is justifiable.
Q416 Julie Elliott: What is your opinion on that?
Julia Lopez: I just set out that there is a balance here.
Q417 Julie Elliott: Has your Department done any impact assessment on what the effect would be of an 11.1% increase?
Julia Lopez: It is something that we are concerned about, and that we have raised with all of the different providers to try to turn them from price rises that are beyond what we think is justifiable. As the regulator, it is for Ofcom to determine whether those are fair increases and whether that breaches any terms under which these operators operate in the market.
Julie Elliott: Okay. Thank you.
Q418 Chair: Thank you, Julie. Minister, you made the point earlier—reasonably—that it is very difficult to answer general questions, so let me ask you a few specific ones. The PSTI Act provides the Secretary of State with powers to set security requirements and other duties of compliance. When are we going to see those?
Julia Lopez: We had a set of principles by which products should be designed securely. We put the top three of those in legislation in relation to no default passwords, having to make sure that you are clear to the consumer about how long software will be updated, and making sure that there is a mechanism through which you can report. Those would be the most impactful in terms of overall cyber security. Then there is a piece of work under way with industry at the moment about applying those.
We took a number of secondary powers in the Bill, so that basically we will keep an eye on how this market is developing, and if there are further requirements that we need to add into the market, we will do so. That piece of work will be unveiled in the coming months. We expect then to have a 12-month period by which manufacturers have to comply.
Q419 Chair: That 12-month period will not start for some months yet, from the sound of it.
Julia Lopez: No, because we have to make sure that the industry is ready and able to enact those requirements. I think it is fair to give importers, product designers and so on the time to be able to develop those products accordingly.
Q420 Chair: Presumably, once you develop those products, you need an enforcement regime. Who are you thinking of running that? Is it the ICO?
Julia Lopez: It is the Office of Product—Erika?
Erika Lewis: Safety and Standards, OPSS.
Julia Lopez: I am sorry; there are so many acronyms in my job. It is just so difficult. Yes, it is the Office of Product Safety and Standards.
Q421 Chair: It is a regulator called OOPSS—you could not make it up, really. How specific of the remit will that office be? Is it connected tech plus lots of other things, or is it a general product safety office?
Julia Lopez: It already has existing activities that it undertakes, so this will be in addition to its existing activities in relation to products in other parts of the market.
Q422 Chair: What happens to devices that are already on the market now before these new requirements come in? Will they be covered by it, or will they be exempt?
Julia Lopez: I believe they are exempt.
Chair: They are exempt?
Julia Lopez: They are exempt, yes. These are all issues that were thrashed out during the passage of the Bill. To then have retrospective product requirements, it is just a very difficult—
Q423 Chair: I can see the practical difficulties, but that is an obvious weakness in any system.
The regime focuses—and indeed lots of discussion this morning has focused—on connected devices. We have heard evidence that the device networks and the cloud service are another potential source of weakness. Will those sorts of areas be addressed in the regime?
Julia Lopez: Not in the PSTI regime. There are other interventions you can make in relation to data infrastructure, for instance, which is something that we are actively looking at, at the moment.
Q424 Chair: Do you have the powers to do that at the moment?
Julia Lopez: It depends on which intervention you are talking about. There is a range of different vulnerabilities and challenges. For instance, we talked earlier about how you address the vulnerabilities in the 5G network, which we have taken power to do under the Telecommunications (Security) Act. We have different powers now to prevent certain types of investment in key technologies that would create vulnerabilities. Then, in terms of data infrastructure, we are looking at: are there vulnerabilities here and, if there are, do we need to take any action in relation to data infrastructure as well?
Q425 Chair: Is there any thought that you might need further primary legislation to deal with the data infrastructure issues that are not addressed in the PSTI?
Julia Lopez: As a broad principle, we are always looking at vulnerabilities in any part of this whole space. Is there a vulnerability because we do not have enough skilled people to tackle some of these issues? Is there a vulnerability in the infrastructure we are using? Is there a vulnerability in the products that we are using? Therefore, we are always open to the possibility of legislating.
What tends to happen is that we monitor all of these aspects of cyber security, and if we think that there is a concern we talk to the NCSC about it. The regulated industry may potentially come up with a code for how people should operate. If that is not working, we look to legislate. What we try to do is take steps before legislation is necessary, but we are always open to the idea that you might require primary legislation to close down any particular gaps in your arsenal.
Q426 Chair: I am just conscious of the point that we all agree that these network issues are going to be the next thing. We pass the PSTI Bill and eventually we will get the security requirements out of that. It feels slightly fuzzy. We all know this problem is coming, but you cannot say how you think the Government are going to deal with it.
Julia Lopez: There is a range of different angles to the problem. One of the things that we are concerned about is whether the NIS regulations cover managed service providers, which we found could be a potential vulnerability in relation to some of the cyberattacks. Your knowledge of these issues develops as the environment in which you are operating develops. I do not think we are complacent about this. We basically keep constantly watching to see where the vulnerabilities in any system are. Then if we believe there is enough cause to take action, that is what we do.
Q427 Chair: We have to hope the Government are capable of machine learning, really.
Julia Lopez: The challenges of governing in this very fluid space are substantial. I think you know, as a former Cabinet Minister or CDL, that this is a challenging area.
Chair: Yes, indeed. Okay, we have reached the end of this session. Minister Lopez, Erika Lewis and Sam Cannicott, thank you very much for joining us this morning.