(3 days, 14 hours ago)
Grand CommitteeThat the Grand Committee do consider the Communications Act 2003 (Disclosure of Information) Order 2024.
My Lords, this order was laid before the House on 9 September this year. The Online Safety Act lays the foundations of strong protection for children and adults online. I am grateful to noble Lords for their continued interest in the Online Safety Act and its implementation. It is critical that the Act is made fully operational as soon as possible, and the Government are committed to ensuring that its protections are delivered as soon as possible. This statutory instrument will further support the implementation of the Act by Ofcom.
This statutory instrument concerns Ofcom’s ability to share business information with Ministers for the purpose of fulfilling functions under the Online Safety Act 2023, under Section 393 of the Communications Act 2003. This corrects an oversight in the original Online Safety Act that was identified following its passage.
Section 393 of the Communications Act 2003 contains a general restriction on Ofcom disclosing information about particular businesses without consent from the affected businesses, but with exemptions, including where this facilitates Ofcom in carrying out its regulatory functions and facilitates other specified persons in carrying out specific functions. However, this section does not currently enable Ofcom to share information with Ministers for the purpose of fulfilling functions under the Online Safety Act. This means that, were Ofcom to disclose information about businesses to the Secretary of State, it may be in breach of the law.
It is important that a gateway exists for sharing information for these purposes so that the Secretary of State can carry out functions under the Online Safety Act, such as setting the fee threshold for the online safety regime in 2025 or carrying out post-implementation reviews of the Act required under Section 178. This statutory instrument will therefore amend the Communications Act 2003 to allow Ofcom to share information with the Secretary of State and other Ministers, strictly for the purpose of fulfilling functions under the Online Safety Act 2023.
There are strong legislative safeguards and limitations on the disclosure of this information, and Ofcom is experienced in handling confidential and sensitive information obtained from the services it regulates. Ofcom must comply with UK data protection law and would need to show that the processing of any personal data was necessary for a lawful purpose. As a public body, Ofcom is also required to act compatibly with the Article 8 right of privacy under the European Convention on Human Rights.
We will therefore continue to review the Online Safety Act, so that Ofcom is able to support the delivery of functions under the Act where it is appropriate. That is a brief but detailed summary of why this instrument is necessary. I should stress that it contains a technical amendment to deal with a very small legal aspect. Nevertheless, I will be interested to hear noble Lords’ comments on the SI. I beg to move.
My Lords, I thank the Minister for her introduction and for explaining the essence of the SI. We all have a bit of pride of creation in the Online Safety Act; there are one or two of us around today who clearly have a continuing interest in it. This is one of the smaller outcomes of the Act and, as the Minister says, it is an essentially an oversight. I would say that a tidying-up operation is involved here. It is rather gratifying to see that the Communications Act still has such importance, 21 years after it was passed. It is somewhat extraordinary for legislation to be invoked after that period of time in an area such as communications, which is so fast-moving.
My question for the Minister is whether the examples that she gave or which were contained in the Explanatory Memorandum, regarding the need for information to be obtained by the Secretary of State in respect of Section 178, on reviewing the regulatory framework, and Section 86, on the threshold for payment of fees, are exclusive. Are there other aspects of the Online Safety Act where the Secretary of State requires that legislation?
We are always wary of the powers given to Secretaries of State, as the noble Viscount, Lord Camrose, will probably remember to his cost. But at every point, the tyres on legislation need to be kicked to make sure that the Secretary of State has just the powers that they need—and that we do not go further than we need to or have a skeleton Bill, et cetera—so the usual mantra will apply: we want to make sure that the Secretary of State’s powers are proportionate.
It would be very useful to hear from the Minister what other powers are involved. Is it quite a number, were these two just the most plausible or are there six other sets of powers which might not be so attractive? That is the only caveat I would make in this respect.
My Lords, I begin with a comment that I hope will not be taken badly by either my noble friend the Minister or the large number of civil servants who have been involved in this Bill over the years. Colleagues may recall that the Bill took seven years to pass through the various processes and procedures of Parliament, including initial Green Papers and White Papers and then scrutiny by the Joint Select Committee, of which my noble friend opposite was also a member, and it seems slightly surprising and a bit odd that we are dealing with what seems to be an administrative oversight so late in the process. I do not expect a serious response from the Minister on that, but I wanted to put on the record that we are still very much aware of the fact that legislation has its faults and sometimes needs to be corrected, and we should perhaps be humble in expecting that the material we finally agree in Parliament is indeed the last word on things.
Having said that, I think I follow the noble Lord, Lord Clement-Jones, on this point: the subsequent legal analysis, which has identified a potential gap in provision on this instrument, tries to tidy it up but, in doing so, has left me a bit confused. I simply ask the Minister to make it clear to me when she responds that I am reading it correctly. The worry that has been exposed by this subsequent legal analysis is about the sharing of information when Ofcom is using its powers to address issues with the companies with which it has an engagement. Indeed, the whole purpose of the Bill is to ensure that companies are taking their burden of making sure that the Bill works in practice. There may be a deficiency in terms of what the Secretary of State has separate powers to do, but my confusion is that the Explanatory Memorandum says:
“The Secretary of State has several key functions relating to the implementation of the framework under the”
Online Safety Act. It is obviously sensible, therefore, that the sharing of information that Ofcom gathers is available for that. But is that all the powers of the Secretary of State or only the powers of the Secretary of State in relation to the Online Safety Act? The Explanatory Memorandum says:
“If Ofcom were not able to share business information relating to these areas”—
that is, the areas directly affected by the Online Safety Act—
“there is a risk that implementation and review of the framework could be delayed or ineffective”.
I accept the general point, but, to pull up the point made by the noble Lord, Lord Clement-Jones, is this an open invitation for Ofcom to share information that does not relate to its powers in relation to the Online Safety Act with the Secretary of State and, therefore, something for the Secretary of State to take on as a result of a slightly uncertain way of doing it? Are there are any restrictions to this power as set out in that paper? I could mention other points where it comes up, but I think my point is made.
The noble Lord, Lord Clement-Jones, also touched on the point that this is a power for Ofcom to share with the Secretary of State responsible for Ofcom, which is fair enough, but, as the Explanatory Memorandum points out:
“There are also certain functions relating to definitions conferred on Scottish and Welsh Ministers and Northern Ireland departments”—
presumably now Ministers—which may also be “relevant persons” of the Act, but we are not given much on that, except that
“these are unlikely to require business information for their exercise”.
I would like a bit more assurance on that. Again, that might be something for which the department is not prepared and I am quite happy to receive a letter on it, but my recollection from the discussions on the Online Safety Bill in this area, particularly in relation to Gaelic, was that there were quite a lot of powers that only Scottish Ministers would be able to exercise, and therefore it is quite possible that business activities which would not be UK-wide in their generality and therefore apropos of the Secretary of State might well be available to Ofcom to share with Scottish Ministers. If it is possible to get some generic points about where that is actually expected to fall, rather than simply saying that it is unlikely to require business information, I would be more satisfied with that.
My Lords, I thank the Minister for setting out this instrument so clearly. It certainly seems to make the necessary relatively simple adjustments to fill an important gap that has been identified. Although I have some questions, I will keep my remarks fairly brief.
I will reflect on the growing importance of both the Online Safety Act and the duty we have placed on Ofcom’s shoulders. The points made by the noble Lord, Lord Clement-Jones, about the long-standing consequential nature of the creation of Ofcom and the Communications Act were well made in this respect. The necessary complexity and scope of the work of Ofcom, as our online regulator, has far outgrown what I imagine was foreseeable at the time of its creation. We have given it the tasks of developing and enforcing safety standards, as well as issuing guidance and codes of practice that digital services must follow to comply with the Act. Its role includes risk assessment, compliance, monitoring and enforcement, which can of course include issuing fines or mandating changes to how services operate. Its regulatory powers now allow it to respond to emerging online risks, helping to ensure that user-protection measures keep pace with changes in the digital landscape.
In recognising the daily growing risk of online dangers and the consequent burdens on Ofcom, we of course support any measures that bring clarity and simplicity. If left unaddressed, the identified gap here clearly could lead to regulatory inefficiencies and delays in crucial processes that depend on accurate and up-to-date information. For example, setting appropriate fee thresholds for regulated entities requires detailed knowledge of platform compliance and associated risks, which would be challenging to achieve without full data access. During post-implementation reviews, a lack of access to necessary business information could hamper the ability to assess whether the Act is effectively achieving its safety objectives or whether adjustments are needed.
That said, I have some questions, and I hope that, when she rises, the Minister will set out the Government’s thinking on them. My first question very much picks up on the point made—much better than I did—by the noble Lord, Lord Stevenson of Balmacara. It is important to ensure that this instrument does not grant unrestricted access to business information but, rather, limits sharing to specific instances where it is genuinely necessary for the Secretary of State to fulfil their duties under the Act. How will the Government ensure this?
Secondly, safeguards, such as data protection laws and confidentiality obligations under the Communications Act 2003, must be in place to guarantee that any shared information is handled responsibly and securely. Do the Government believe that sufficient safeguards are already in place?
Thirdly, in an environment of rapid technology change, how do the Government plan to keep online safety regulation resilient and adaptive? I look forward to hearing the Government’s views on these questions, but, as I say, we completely welcome any measure that increases clarity and simplicity and makes it easier for Ofcom to be effective.
I thank noble Lords for their valuable contributions to this debate. It goes without saying that the Government are committed to the effective implementation of the Online Safety Act. It is critical that we remove any barriers to that, as we are doing with this statutory instrument.
As noble Lords said—the noble Viscount, Lord Camrose, stressed this—the Online Safety Act has taken on a growing significance in the breadth and depth of its reach. It is very much seen as an important vehicle for delivering the change that the whole of society wants now. It is important that we get this piece of legislation right. For that purpose, this statutory instrument will ensure that Ofcom can co-operate and share online safety information with the Secretary of State where it is appropriate to do so, as was intended during the Act’s development.
On specific questions, all three noble Lords who spoke asked whether the examples given were exclusive or whether there are other areas where powers might be given to the Secretary of State. The examples given are the two areas that are integral to implementation. We have not at this stage identified any further areas. The instrument would change to allow sharing only for the purposes of fulfilling the Secretary of State’s functions under the Online Safety Act—it does not go any broader than that. I think that answers the question asked by the noble Viscount, Lord Camrose, about whether this meant unlimited access—I assure him that that is not the purpose of this SI.
My noble friend Lord Stevenson asked whether this relates only to the powers under the OSA. Yes, the instrument allows Ofcom to share information it has collected from businesses only for the purposes of fulfilling the Secretary of State’s functions under the Act.
On the question of devolution, the powers of Scottish, Northern Ireland and Welsh Ministers primarily relate to the power to define the educational establishments for the purpose of Schedule 1 exemptions. There are also some consultation provisions where these Ministers must be consulted, but that is the limit of the powers that those Ministers would have.
I am conscious that I have not answered all the questions asked by the noble Viscount, Lord Camrose, because I could not write that quickly—but I assure him that my officials have made a note of them and, if I have not covered those issues, I will write to him.
I hope that noble Lords agree with me on the importance of implementing the Online Safety Act and ensuring that it can become fully operational as soon as possible. I commend these regulations to the Committee.