CONDUCT PROHIBITED WITHOUT A LICENCE

§ Mr. Nick Hawkins (Surrey Heath)

I beg to move amendment No. 3, in page 3, line 5l, at end insert— '(3A) Before making an order under subsection (3) which designates any of the activities specified it paragraph 5 of Schedule 2, which relate to the security of information which is held in electronic form, the Secretary of State sha11 lay a certificate before each House of Parliament stating that in his opinion the order complies with the provisions of European Directive 2000/31/EC (on certain legal aspects of information society services, in particular electronic commerce, in the internal market).'.

§ Mr. Deputy Speaker (Sir Alan Haselhurst)

With this it will be convenient to discuss amendment No. 2, in schedule 2, page 28, line 17, at end insert— '(5) This paragraph does not apply to the giving of advice in relation to the security of information which is held in electronic form.'.

§ Mr. Hawkins

Amendment No. 3 would require the Secretary of State, when introducing regulation of the information technology security sector, to state specifically that doing so does not conflict with the European directive on e-commerce. The issue, which we raised more than once in Commitee, relates to many concerns expressed by the Confederation of British Industry and others about whether regulation of the IT 46 security industry would conflict with the directive, which is designed to ensure a level playing field for the IT industry throughout Europe.

On 26 April, in response to the concerns that we had raised, the Minister said in Committee: I was aware of the directive in general, but not in detail, and if I have any further thoughts on its implications I will comment in the debate on schedule 2."—[Official Report, Standing Committee B, 26 April 2001: c.146.] As the Minister will recall, when we came to debate schedule 2, time was extremely short, owing to the operation of the Government's programme. The Minister therefore made no further reference to the directive. We shall press him to do so today, but in the meantime yet further serious concerns have been raised.

As recently as today, I have read the views of the important and influential group that was so involved in drawing attention to the Government's defects in connection with IR35. The Professional Contractors Group—the contractors' industry body, one of whose leading members happens to be a constituent of mine—says: We're very aware of this piece of legislation and understand that it is not intended to target IT contractors … We would he very surprised if the government attempted to bring IT contractors within the scope of this legislation. If they did we would object to it. More significantly still, the Professional Contractors Group goes on to say: Any government that talks about being joined-up but wants to treat a 21st century industry in the same simplistic way as its approach towards wheel-clampers and getting drunks out of bars effectively is not taking the IT industry seriously, and is making a mistake. Mr. Caspar Bowden, director of the Foundation for Information Policy Research, said: If the Home Office has no intention of wading into this area, why not grant an amendment? 5.15 pm

The Government are in trouble over this issue. On 26 April, when he was responding to our initial debate in Committee, the Minister mentioned the fact that, while sitting on a train, the Secretary of State for Trade and Industry had been badgered about the very obvious conflict between the European directive—to which the Government, in the form of the Department of Trade and Industry, have signed up—and this legislation. However, although the Government have accidentally caught the information technology industry in the Bill, they have thus far been very reluctant to acknowledge their mistake and to do something about it.

Chapter II, article 4 of the directive is very specific. It states: Member States shall ensure that the taking up and pursuit of the activity of an information society service provider may not be made subject to prior authorisation or any other requirement having equivalent effect. The directive specifically states that the provider "may not" be made subject to those matters, and its provisions are mandatory. Moreover, the directive—to which the Government have signed up the United Kingdom—is due to come into effect in February 2002. However, the CBI has made it clear that the Government's proposals in the Bill to require licensing of the information security industry—which is of course a key information society

47 service—would be directly contrary to the electronic commerce directive. Very fairly, in responding to our debate on 26 April, the Minister did not for a moment suggest that he could positively state that the provisions and the directive were not in conflict. Indeed, it had all quite clearly taken him by surprise.

A requirement, as proposed in the Bill, for members of the information security industry to obtain licences from a regulatory authority to enable them to operate clearly would constitute requiring "prior authorisation", thereby directly contravening the directive. That article of the directive is intended, among other things, to prevent member states from introducing regulation that would stem the much-needed supply of information technology professionals. The directive is therefore intended to prevent member states from doing precisely what the Government have been seeking to do—albeit perhaps initially by accident—in the Bill. As the provision is still in the Bill, we have tabled and moved our amendment to deal with that concern.

The CBI has also pointed out that, when considering the conflict between the electronic commerce directive and the legislation, consideration should be given also to article 3 of the electronic commerce directive, which aims to free up the internal market for information society services by requiring member states to avoid any measures that might restrict the freedom to provide information society services from another Member State. As the CBI has pointed out, regulating the information security industry in the United Kingdom would be very difficult to do without putting practitioners outside the United Kingdom at a disadvantage—which would obviously contravene article 3 of the directive.

When we raised the issue on 26 April, there was no doubt that the Home Office had not had an opportunity fully to consider the matter. However, the Minister promised that he and his officials would do so. We shall look with interest to see whether they have done so. Nevertheless, those who are commenting on our debates—particularly, as I said in Committee, the journalists on Computer Weekly—are describing the issue, as last Friday's Computer Weekly headline did, as the Last chance to prevent licensing threat to IT consultants".

§ Mr. Miller

Come on.

§ Mr. Hawkins

The hon. Gentleman may disagree with the learned editors of Computer Weekly, but I think that I prefer their expert judgment to his sedentary comment.

Our amendment No. 2 would go further than amendment No. 3 by entirely excluding IT security consultants from the legislation. We say that given the botched nature of the consultation and the hurried way in which the Government have conducted all their dealings in respect of this legislation, the Minister and his officials should ask themselves whether the IT security sector should be included in the Bill at this stage. If the Minister wants to include it after the Bill is enacted, he can always do so by way of amending schedule 2 through a regulation taken under the affirmative resolution procedure, which would ensure that there was proper parliamentary 48 scrutiny. We expect to hear some very firm answers from the Minister today. The IT security consultants will look very carefully at the Government's response.

The sector is one of our success stories. I know that from my experience prior to entering the House in 1992 and from the growth in IT security since then. I used to deal with those involved in IT security in financial services and banking and I know that it has been a UK success story. Our IT security consultants are regarded as among the most skilful and best in the world. We do not want the Government to damage their future opportunities, particularly through carelessness and inadvertence. If the Minister gets this wrong, he will be under huge pressure. The Government have already given themselves one self-inflicted wound over 1R35 and destroyed a great deal of their credibility with consultants in the IT field. Labour Members know that perfectly well. The Government have, suffered huge embarrassment over IR35 and it is no doubt one reason why they will lose the general election. However, I hope that even at this eleventh hour the Minister will concede that our amendments Nos. 3 or 2 would improve the matter dramatically and we look forward to hearing whether the hon. Gentleman will at long last see sense on this very important matter.

§ Mr. Miller

I want briefly to respond to a couple of points that were made by the hon. Member for Surrey Heath—via Blackpool—(Mr. Hawkins). This afternoon we have already identified the fact that definitions are rather difficult. Indeed, we have discussed whether or not the hon. Member for Buckingham (Mr. Bercow) is oleaginous, but I will not get drawn down that route. I tried to make this point right at the end of our proceedings in Committee, at column 229 on 1 May, but unfortunately owing to the timetable of our proceedings I was cut short in my prime. Let me try again for the benefit of the hon. Member for Surrey Heath.

It is not that there is no problem. The hon. Gentleman was absolutely right to identify the problem, but he failed to point out the fact that the Minister has offered a solution. The hon. Gentleman needs to respond to Caspar Bowden, Computer Weekly, the Confederation of British Industry and others, is I have responded to people who have contacted me, that the solution lies in secondary legislation.

Let me explain to the hon. Gentleman why his amendment fails badly and would severely damage the Bill. Let me say, in the spirit of the way in which the Committee was conducted, that there is broad cross-party agreement on the principles behind the Bill, but amendment No.2 includes the phrase "held in electronic form". That must refer both to the intellectual property that is digitalised and held in electronic form and to the physical medium. It is impossible to separate the two. The amendment must therefore refer to both.

If the amendment were accepted, it would be impossible to distinguish between companies that should be regulated and companies that need not fall within the scope of the Bill. Indeed, it could possibly mean that provision of security to a firm with a computer—and that would cover an awful lot of firms—would not require a licence under the Bill. Clearly, that is not the intention and I accept that the hon. Member for Surrey Heath is not trying to wreck the Bill, but the logic of his position is flawed.

49 It is right to draw attention to the problem, but the solution is obvious and was presented to the Standing Committee. I am sure that my hon. Friend the Minister will restate that solution when he responds to the debate, and thereby put at rest the minds of the many people in the computer industry with whom I have close contact. It is wrong to try to instil fear in an important sector of the industry with a scare story such as this.

I urge the hon. Member for Surrey Heath to withdraw the amendment, which could damage the spirit of the Bill. Debate should turn to the extremely difficult question of defining, in the context of this Bill and of future legislation, the difference between the medium in which data are held and the information itself. That matter will crop up in many debates in the next Parliament. However, I am sure that the Opposition by that time will have a new leader, and that the hon. Members for Surrey Heath and for Buckingham (Mr. Bercow) will be supporting a new tone of Toryism.

§ Mr. Simon Hughes (Southwark, North and Bermondsey)

I apologise to the hon. Member for Surrey Heath (Mr. Hawkins) for not being here for his opening remarks, although I did manage to hear them. The announcement of the dissolution of Parliament meant that I was trying to organise Home Office business with the Government and the two Houses of Parliament.

I shall be brief. I agree that we must uphold and develop Britain's e-commerce industry and information technology sector. We must not frighten people in the sector, or allow unfair regulations and controls to drive the industry out of the country at a time when it is doing well. We must be careful that we do not legislate in part and in haste, and repent much more fully and at leisure.

Liberal Democrat Members share the Government's view that it would be wrong for the Bill to sweep in and regulate the information technology and e-commerce sectors. Some issues cannot easily be accommodated in the context of a regulatory system, even if that is an opt-in system. Those issues arise from the legislation covering data protection and the regulation of investigatory powers, which have been dealt with in other Bills.

We need to understand the Home Office's approach to this matter, and the relevance of the interests that other Departments—such as the Department of Trade and Industry—have in it. The right hon. Member for Walsall, South (Mr. George) said earlier that we need proper harmonisation and co-ordination to avoid sending the wrong signal by legislating unwisely.

If I thought that there was a clear doubt about the subject—and if I had not been satisfied by the Minister's assurances—I would be sympathetic to the amendment. The Conservative party is perfectly right to raise the issue. The hon. Member for Ellesmere Port and Neston (Mr. Miller) and I disagree only to this extent; I do not think that the Conservatives are unfairly raising an issue, and they are not frightening people It is perfectly proper to raise the issue and to get the position on the record. We always need a balance in this place between getting certainty in legislation on the one hand and not making legislation so long that every eventuality is covered on the other.

I understand and sympathise with the genesis of the Conservative proposals, but I am relieved to say that they are not necessary. The Bill adequately deals with the 50 issue. I will be keen to hear the Minister confirm, as he did in Committee, that the Government are not excluding the IT industry from their consideration and that it is on the agenda. Will the Minister confirm that the Government will make sure that there are no adverse consequences of early action?

§ Mr. Bercow

That is a veritable masterpiece, even by the high standards that the hon. Gentleman has set over a long period. [Interruption.] The Minister of State is chuntering from a sedentary position, to no obvious effect. It is welcome to have the hon. Member for Southwark, North and Bermondsey's reassurance about the good intentions of the Conservative party in this matter, but his speech has highlighted the problem. He says that he agrees with the Government that it is not intended to regulate the IT sector-but that is precisely the point. There is an apparent disparity—in the intention and, so far, in expressed words—between the stance of the Home Office on the one hand and that of the DTI on the other. It is about that that we are arguing.

§ Mr. Hughes

In amendment No. 2, the Conservatives are seeking to exclude for all time from the Bill advice in relation to security and information that is held in electronic form. The Government have said that the Bill is a rolling programme; this is a framework Bill. It is not compulsory, and people can opt into it. Some of us have argued that the Bill should have been compulsory for some sectors. I also understand that sectors move quickly. The Minister will know that I have concerns about accountancy firms that were not doing security work at all but now are and which have fallen within the remit of the Bill.

The central criticism of the amendment is that it shuts the door for all time on the matter. That is not reasonable. If an appropriate agreement can be made, there is logic in having everybody who does security work included. No matter which party is in power following the 7 June election, nobody will suddenly sweep the IT industry into the regulations. We have had a perfectly proper debate about an important sector. We may not need to include this type of information in legislation. If we do, we ought to try to identify all the relevant sectors. We would then have a great list in the legislation, and that is not necessary.

§ Mr. Charles Clarke

In broad terms, I agree entirely with my hon. Friend the Member for Ellesmere Port and Neston (Mr. Miller) and the hon. Member for Southwark, North and Bermondsey (Mr. Hughes), because their analysis is correct. I am looking forward to fighting the general election campaign if the Leader of the Opposition chooses IR35 as the slogan behind which he hopes to unite Conservative voters throughout the country so as to sweep the Conservatives to power.

As the hon. Member for Southwark, North and Bermondsey said, it is reasonable to raise the issue addressed in the amendments. However, the case is not strengthened by arguing that it is on a par with the fixed penalty notice debate that we had on earlier legislation, and that was a trivial point made by the individual who argued the case to the hon. Member for Surrey Heath (Mr. Hawkins). Nor do I accept the adjectives that the hon. Gentleman used. The Bill is not careless, inadvertent,

51 botched or over-hasty, either in relation to the IT sector or more generally. The process, from consultation to White Paper to legislation, has allowed a wide contribution from wide interests to the crafting of the Bill.

Amendment No. 3 requires any order designating as licensable conduct the activities of IT security consultants to be preceded by a certificate stating that the order complies with the electronic commerce directive 2000/31/EC, which is designed to ensure the free movement of information society services between EU member states. It relates to the provision of remunerated services at a distance by electronic means and at the individual request of a recipient of services. Services provided in the physical presence of the provider and recipient are not covered, even if they involve the use of electronic devices.

Article III of the directive, about which I was questioned, is about the cross-border provision of information society services, and article IV prohibits the taking up and pursuit of the activity of an information society service provider being made subject to prior authorisation or any other requirement having equivalent effect. Article IV does not apply, however, to prior authorisation schemes that are not specifically targeted at information society services, so it would be unlikely to affect the application of this Bill.

Nevertheless, the Home Office would clearly need to consider very carefully the implications of the directive if it intended to introduce regulation of IT security consultants under the provisions of this Bill, but—and here I take the point made by the hon. Member for Southwark, North and Bermondsey—as we do not intend to, we will not have to address the issue in the way suggested by amendment No. 3.

Amendment No. 2 is more substantive. We recognise that part of the information technology sector has been concerned about what application, if any, the Bill will have to it. Specifically, the sector is concerned that the Government want to regulate it under the Bill. We discussed the point in Committee at some length, and we said that the definition of "security consultant" used in schedule 2 is deliberately broad. That is because we want it to remain usable in the face of changing security systems, in particular those making use of technology. It is in that context that the hon. Member for Southwark, North and Bermondsey and my hon. Friend the Member for Ellesmere Port and Neston are right to say that we must draft the Bill and implement it in a way that is sensitive to how the industry may develop.

The term "security consultant" means someone advising on the taking of security precautions in relation to any risk to property or to the person". The licensing requirements under that definition will, as with all parts of the Bill, be brought into effect in due course by implementing regulations, and those regulations will need to specify exactly which security consultancy activities are licensable. Activities that are not specified will not be licensable.

It is our fundamental principle to ensure that the Bill is targeted at those specialist providers of security services whom we have indicated we want to regulate, and that the provisions do not inadvertently catch groups that are not 52 relevant to our policy aims. I tried to put the position of IT security consultants in relation to the Bill beyond doubt on Second Reading and in Committee. In the light of the remarks made in Computer Weekly, I should like the IT industry to take careful note of what I said in Committee: I should like it to be clear to the industry and the Committee that the information security consultancy industry is not under threat of licensing at a future date under this Bill."—[Official Report, Standing Committee B, 1 May 2001; c. 230.] I made it clear that the Department of Trade and Industry will consult the IT industry on the extent and effectiveness of existing precautions and on whether further action is required. I look forward to seeing the results, because the Government believe that there are issues that need to bo explored in relation to confidence in the information security consultancy industry. The business has a vital role to play in protecting the new economy from vandalism and other forms of crime.

Consideration of the Bill has started a valuable debate about how information security consultants may match or exceed the levels of confidence that the Bill will create for other security contractors. The Government's position is absolutely clear and the principles that we set out, of legislating with the industry following proper consultation on an evolving basis, are encapsulated in our approach to the IT security industry.

The amendments are helpful in enabling us to elaborate and clarify an important area of concern, but I urge the hon. Member for Surrey Heath to withdraw amendment No. 3, on the basis the assurances that I have given. I urge hon. Members not to follow those in the IT security industry who have used exaggerated language about the threat that the Bill might present to the e-business world. That world has absolutely nothing to fear from it.

§ Mr. Hawkins

I am afraid that the Minister has not persuaded me and, far more importantly, has completely failed to persuade the experts at the Confederation of British Industry. He has repeated yet again that what he is offering is simply further consultation by his friends at the Department of Trade and Industry on the secondary legislation, but the CBI said: Consultation on secondary legislation creates more problems, doesn't solve them. The proposal by the Home Office Minister, Charles Clarke MP, to have the DTI consult on licensing the industry does not help matters. It simply obliges the DTI to carry out a consultation in which all affected parties—the industry itself and its users—are likely to say that regulation is unnecessary. Given that there has been no demand for regulation in the first place, is this a worthwhile use of the DTI's and industry's time and resources? The Minister said Mat we should not suggest that the industry got dragged into the Bill by inadvertence, but the CBI said: Legislative accident, so no consultation:—The IT security industry has fallen under this legislation in an unexpected and accidental way, and this only became apparent during the Bill's passage through the House of Lords. Because of this, the IT security industry and its users had no participation in the consultation that led to the White Paper CM 4254 and the draft legislation itself. The Minister's two arguments have been comprehensively demolished by the leading experts.

§ Mr. Clarke

I will not pursue all the hon. Gentleman's points. For clarification, in the event that a criminal individual or organisation sought to develop a presence in the IT security industry in order to undermine companies' 53 security, is he suggesting that there should be no process for looking into the people involved and no application of the general principle of the Bill?

§ Mr. Hawkins

We are saying that there has been no demand for such regulation and that to use a blunt instrument that is intended to deal with the admitted abuses of cowboy wheelclampers and nightclub bouncers to hit a sophisticated e-business is quite wrong.

The Government have recently been criticised for failing to take user interests into account in the Regulation of Investigatory Powers Act 2000.

§ Mr. Clarke

Will the hon. Gentleman give way?

§ Mr. Hawkins

No, I have already given way to the Minister once and I am coming to an end.

The hon. Member for Ellesmere Port and Neston (Mr. Miller), who is chuntering from a sedentary position, accused the Opposition of indulging in scare stories, but I remind him and other hon. Members that the headlines are written not by us but by those experts in the industry who have considered the Committee proceedings and who have found the Minister's attempted reassurances in Committee and on Second Reading completely unconvincing. They do not think that the problem has gone away at all.

5.45 pm

I am grateful to the hon. Members for Ellesmere Port and Neston and for Southwark, North and Bermondsey (Mr. Hughes) for suggesting that they think that we were right to raise this issue, but we go further; we think that we are acting on behalf of one of the United Kingdom's most important industries. The Government have inappropriately used the blunt instrument of the Bill to try to hit a successful industry that was never intended to be caught, so I am determined to press the amendment to a Division.