Connected devices | Security by design
Following the release of a voluntary Code of Practice in October 2018, the government opened a further consultation (which closed in June 2019) to make some or all of the Code mandatory. The results of the consultation are awaited but it is expected that the following will become mandatory:
- Passwords must be unique and not resettable to a default factory password.
- Manufacturers will need to be explicit about the minimum length of time a product will receive security updates.
- Manufacturers will need to have a public point of contact for issues to be reported to as part of a Vulnerability Disclosure Policy.
We are also expecting a labelling scheme to inform consumers whether security features have been implemented and how long security updates will be provided. This is expected to operate on a voluntary basis initially before becoming mandatory.
Increased market surveillance across the EU for non-food products
On 20 June, an EU Regulation (2019/1020) was adopted that aims to strengthen market surveillance powers, improve coordination across member states and increase enforcement across the majority of non-food products.
In particular, there is a specific requirement for a manufacturer based outside of the EU to identify a person (natural or legal) who is responsible for providing compliance information and cooperating with the market surveillance authorities.
EU Fitness Check Report on chemicals legislation
The European Commission has released its Fitness Check report on chemicals legislation (excluding REACH) as part of its REFIT programme. The Report examined over 40 pieces of legislation covering the entire life cycle of chemicals including their application and use in products.
The overall conclusion is that the legislation is fit for purpose but there are areas of weakness, particularly in implementation and enforcement, and the communication of hazard and safety information.
Brexit: product standards and safety marking
The House of Commons Library has released a briefing paper in preparation for Brexit. It is already known that the “CE Mark” will be replaced with a “UKCA” mark, but in addition, the EU will no longer recognise UK notified bodies. Therefore, for products sold in the EU under notified body approval, businesses will need to ensure that the notified body is based in the EU27.
In the UK, the government intends to rename notified bodies as “approved bodies” and businesses will only be able to apply the UKCA mark and sell their products in the UK if (where applicable) the product has been assessed and approved by a UK approved body.
We have seen an increased focus on enforcement of the Timber Regulations (EU 995/2010), which prevent illegally harvested timber and timber products from being placed on the market. The Regulations also impose requirements to have a defined due diligence and risk assessment process in place. This applies to a number of wooden products including furniture, frames, casks, barrels and packing crates.
“Made in Germany”
YouGov recently conducted an interesting poll to understand consumer perception of “Made in” statements for different countries. Consumers have the most positive reaction to products made in Germany, with Italy and UK coming second and third respectively. China has the most negative perception.
In Focus | Regulatory powers and trends
Who are the regulators?
The primary regulators are Trading Standards and the Office for Product Safety and Standards (OPSS). However, there are a number of sector-specific regulators for particular types of products; for example, the MHRA regulates medical devices.
Generally, most product-related issues are dealt with by Trading Standards at local authority level and National Trading Standards for wider market issues.
Do they have powers to compel businesses to hand over documents?
Regulators can compel a business to provide documents, although the regulator is often limited to taking copies (not originals), provided that reasonable photocopying or printing facilities are available, unless the original version of the document is evidence in itself. Regulators can also request copies of electronic documents which can be accessed from any premises they visit.
Do they conduct dawn raids?
An authorised enforcement officer is entitled to enter premises, although this should be at a reasonable hour.
Are they able to bring criminal prosecutions (and do they do so)?
Yes. Prior to a prosecution being commenced, there will usually be engagement with the business. If the issue is relatively minor and the business agrees to make a change then the matter may not proceed to prosecution. If there is a product recall or withdrawal, that is often considered sufficient penalty.
Prosecutions in this space tend to be for wilful disregard of the law or for extremely serious safety issues.
Do they bring prosecutions against individuals?
Provisions exist for personal prosecution, including of directors and senior managers of companies. Personal prosecutions are more common where there are sole traders or small businesses.
Is there a self-reporting / leniency regime?
There is a requirement to notify regulators where a product poses a safety risk but there is no formal self-reporting/leniency regime. However, a positive and cooperative approach with a regulator is generally beneficial.
Are there any plans to introduce new powers (or use existing powers differently)?
The OPSS will shortly be able to enforce under the General Product Safety Directive in addition to existing legislation (see below).
Are there any areas of new technology that are a particular focus of regulatory attention?
There is an increased focus on IoT connected devices and new requirements being put in place to ensure security by design (as discussed above under Key Issues).
National Trading Standards has a separate e-crime unit that focusses on online scams, misleading websites, subscription traps and online shopping frauds.
How has the digital transformation affected the regulators’ own behaviours?
Regulators have increased their surveillance of the online world and new technology products that are coming on to the market. This has led to consolidation of experience within particular regulators and the setting up of focussed teams.
Dates for the diary
23 July 2019
Consumer Rights Act 2015 (Enforcement) (Amendment) Order 2019 takes effect. This extends the enforcement powers of the OPSS to the General Product Safety Regulations 2005.
31 October 2019
In the event of a no deal Brexit on this day, the new UKCA mark (which replaces the CE mark) will become law. Products sold in the UK with a CE mark will be permitted to be sold for a “time-limited period” (although how long this will be has not been specified). It would be prudent to start planning for the introduction of this mark in new labelling designs.
There is one exception where the UKCA mark will apply from Brexit Day. This is where a product is certified by a UK notified body and is being sold in the UK.
1 January 2020
From 1 January 2020, a Unique Formula Identifier is required under the CLP Regulation on the label of products with mixtures classified as hazardous.
26 May 2020
Medical Devices Regulation fully applies.
1 January 2021 and 16 July 2021
EU Regulation 2019/1020 on increased market surveillance across the EU for non-food products comes into effect from 16 July 2021, with the exception of certain provisions that come into effect from 1 January 2021.