Online Safety Act 2023 (Priority Offences) (Amendment) Regulations 2025
Lord Addington Excerpts(2 weeks, 4 days ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Business and Trade and Department for Science, Innovation and Technology (Baroness Lloyd of Effra) (Lab)
My Lords, these regulations were laid before the House on 21 October this year. Before I proceed further, I draw the Committee’s attention to a correction slip issued for these regulations in October for minor drafting changes related to the date of the Sexual Offences Act 2003 in the Explanatory Notes and the order of words for the title of an offence inserted by paragraph 2 of the regulations.
The Government remain firmly committed to tackling the most serious and harmful online behaviours. This statutory instrument strengthens the Online Safety Act by designating new priority offences aimed at addressing cyber flashing and content that encourages self-harm. By doing so, we are ensuring that platforms take more proactive steps to protect users from these damaging harms.
Evidence shows that cyber flashing and material promoting self-harm are widespread and cause significant harm, particularly among younger age groups. In 2025, 9% of 18 to 24 year-olds reported experiencing cyber flashing and 7% encountered content encouraging self-harm in a four-week period. That equates to around 530,000 young adults exposed to cyber flashing and 450,000 to self-harm content. This is unacceptable.
Further, 27% of UK users exposed to cyber flashing reported significant emotional discomfort. There is also compelling evidence that exposure to self-harm content worsens mental health outcomes. A 2019 study found that 64% of Instagram users in the US who saw such content were emotionally disturbed by it. Another study in 2018 revealed that 8% of adults and 26% of children hospitalised after self-harming had encountered related content online. These figures underline that these are not marginal issues—they are widespread and deeply harmful.
As noble Lords will know, the Online Safety Act, which received Royal Assent on 26 October 2023, imposes strong duties on platforms and search services to protect users. Providers must assess the likelihood that their services expose users to illegal content or facilitate priority offences, and then take steps to mitigate those risks; these include safety by design measures and robust content moderation systems.
The Act sets out a list of priority offences for the purposes of illegal content duties. These represent the most serious and prevalent forms of online illegal activity. Platforms must take additional steps to address these offences under their statutory duties. This statutory instrument adds cyber flashing and content encouraging self-harm to the list of priority offences. Currently, these offences fall under the general illegal content duties. Without priority status, platforms are not required to conduct specific risk assessments or implement specific measures to prevent exposure to these harms; that is why we are adding them as priority offences.
Stakeholders have strongly supported these changes. Organisations such as the Molly Rose Foundation and Samaritans have long called for greater protection for vulnerable users. These changes will come into force 21 days after the regulations are made, following approval by both Houses. Ofcom will then set out in its codes of practice the measures that providers should adopt to meet their duties. Our updates to the Act’s safety duties will fully take effect when Ofcom makes these updates about measures that can be taken to fulfil the duties.
We expect Ofcom to recommend actions such as enhanced content moderation; improved reporting and complaints systems; and safety by design measures—for example, testing algorithms to ensure that illegal content is not being promoted. If providers fail to meet their obligations and fail to take proportionate steps to stop this vile material being shared on their services, Ofcom has strong enforcement powers to enforce compliance. These include powers to issue fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is higher.
This statutory instrument upgrades cyber flashing and self-harm content to priority status, reinforcing the Online Safety Act’s protections. Service providers will be required to take more proactive and robust action to detect, remove and limit exposure to these harmful forms of illegal content. This will help ensure that platforms take stronger steps to protect users, reduce the prevalence of these behaviours online and make the internet safer for all. I beg to move.
Lord Addington (LD)
My Lords, I hope this is one of those occasions when we agree that what is coming here is a good thing—something that is designed to deal with an evil and thus is necessary. I want just to add a bit of flesh to the bones.
If we have regulation, we must make sure—as we are doing now—that it is enforced. I congratulate the Government on the age-verification activities that were reported on this morning, but can we get a little more about the tone, let us say, with which we are going to look at future problems? The ones we have here—cyber flashing and self-harm—are pretty obviously things that are not good for you, especially for younger people and the vulnerable.
I have in front of me the same figures of those who have experienced disturbing reactions to seeing these things, especially if they did not want to see them. Self-harm is one of those things; it makes me wince even to think about it. Can we make sure that not only those in the industry but those outside it know that action will be taken? How can we report across more? If we do not have a degree of awareness, reporting and everything else gets a bit slower. How do we make sure that everybody who becomes a victim of this activity knows that it is going on?
It is quite clear that the platforms are responsible; everybody knows that. It is about knowing that something is going on and being prepared to take action; that is where we will start to make sure not only that this is unacceptable and action will be taken but that everybody knows and gets in on the act and reporting takes place.
I could go on for a considerable length of time, and I have enough briefing to do so, but I have decided that the Grand Committee has not annoyed me enough to indulge in that today. I congratulate the Minister, but a little more flesh about the action and its tone, and what we expect the wider community to do to make sure this can be enacted, would be very helpful here. Other than that, I totally welcome these actions. Unpleasant as it is that they are necessary, I welcome them and hope that the Government will continue to do this. We are always going to be playing a little bit of catch-up on what happens, but let us make sure that we are running fast and that what is in front of us does not get too far away.
Viscount Camrose (Con)
My Lords, as we have heard, this instrument amends Schedule 7 to the Online Safety Act 2023 to add cyber flashing and content encouraging self-harm to the list of priority offences. I thank the Minister for setting out some of the most alarming facts and figures associated with those offences.
As well as passing the Online Safety Act, which placed duties on social media sites and internet services to tackle illegal content, the previous Government outlawed cyber flashing and sharing or threatening to share intimate images without consent by amending the Sexual Offences Act 2003. We welcome the draft regulations, which we agree are in line with the Act’s overarching purpose to tackle harmful content online. As has been highlighted, young people are especially vulnerable to cyber flashing and content encouraging self-harm, and we must be proactive in tracking the trends of illegal activity, especially online, and its impact on UK users, to ensure that the law continues to be proportionate and effective.
We therefore support the move to categorise cyber flashing and content encouraging self-harm as priority offences under the Act rather than as relevant offences. We share the Government’s view that this will oblige services to remove such material as soon as they are made aware of it, as well as to prevent it appearing in the first place through risk assessments and specialised measures. However, I feel there are some broader issues that we should take into account, and I would be grateful if the Minister could comment on these.
First, on the use of VPNs, or virtual private networks, to override protections, my belief—I would welcome the Minister’s view on this—is that the Online Safety Act creates an obligation on platforms to prevent users gaining access to the wrong content for them, regardless of any technical workarounds they may be using. In other words, it is not a defence for a platform to claim that the user had deployed a VPN. Can the Minister confirm this? Needless to say, I am seeking not to downplay the VPN issue but merely to establish clearly where responsibility lies for addressing it.
Secondly, on the use of AI in ways that drive self-harm, obviously AI that assists in suicide ideation or less extreme forms of self-harm is subject to these controls. But where an AI that is not initially designed for a harmful purpose gradually takes on the role of, say, a psychotherapist or—I am told—in some cases a deity, the conditions become highly propitious for self-harm. Can the Minister comment on how the Act’s protections cover these emergent rather than designed properties? The noble Lord, Lord Addington, put this very well in his question too, and I look forward to hearing the Minister’s views on that.
Thirdly, and more generally, online harms are, of course, created faster than the rules that ban them, and a key part of Ofcom’s role is to monitor for gaps in the legislation as they emerge so that rules can adapt as needed. As far as the Government are aware now, what gaps has Ofcom identified so far in the existing legislation, if any?
We therefore support these regulations to strengthen the Online Safety Act, to better protect UK users from cyber flashing and content encouraging self-harms. We count on the Government to be proactive in ensuring that legislation is kept updated to tackle the changing ways in which unlawful content is proliferated and to be transparent about the way the Government and regulators balance the broader considerations mentioned. I look forward to the Minister’s response.
Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No. 2) Regulations 2025
Lord Addington Excerpts(1 month ago)
Grand CommitteeRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Parliamentary Under-Secretary of State, Department for Business and Trade and Department for Science, Innovation and Technology (Baroness Lloyd of Effra) (Lab)
Thank you very much. These draft regulations will be made under powers provided by the Product Security and Telecommunications Infrastructure Act 2022, also known as PSTI. The world-leading PSTI regulatory regime came into force on 29 April 2024. It better protects consumers, businesses and the wider economy from the harms associated with cyberattacks on consumer connectable products, such as mobiles, smart appliances and smart cameras.
The law does so by banning the use of universal default or easily guessable passwords, such as “admin123”, reducing one of the most commonly exploited vulnerabilities in connectable products. Manufacturers must also ensure that they are transparent about the minimum length of time for which they will provide the much-needed security updates that patch vulnerabilities. They must also publish information on how to report security vulnerabilities directly to them and provide status updates about the reported issues.
The PSTI Act was the world’s first legislation of its kind, but we are not alone in our commitment to improve the security of connected products. The UK advocates an industry-led, multi-stakeholder approach to standardisation, ensuring that technology and cyber standards are market driven, reflecting global best practices and delivering benefits for industry and citizens—contrasting with government-driven approaches, where standards are sometimes used to pursue political goals and ambitions.
Across the world, countries that share our values are taking action. Two such countries are Japan and Singapore. Japan’s Ministry of Economy, Trade and Industry launched the Japan cyber-security technical assessment requirements labelling scheme for IoT products —JC-STAR—in March 2025. Similarly, the Cyber Security Agency of Singapore launched its cybersecurity labelling scheme for consumer smart devices in March 2020. Both the Japanese and Singaporean labelling schemes require manufacturers to ensure that their products meet a set of baseline security requirements that are based on the global standards of the cybersecurity for consumer internet of things from the European Telecommunications Standards Institute, also known as ETSI EN 303 645. This is a standard that the UK developed in partnership with over 90 other countries and to which we aligned our own security requirements.
Officials have carefully reviewed the requirements of the schemes, and they both require unique passwords, vulnerability reporting and a period of product support. As such, products issued with a valid label under either scheme will therefore have an equivalent or greater level of cybersecurity than that required under the UK’s PSTI regime. There is, therefore, no security advantage in duplicating compliance processes for manufacturers that have already met these equivalent or higher security standards. Our focus is on removing undue burdens from businesses, reducing unnecessary costs and opening the door for UK businesses to succeed in markets around the world. Subject to the approval of this House, this draft instrument will establish two alternative routes for manufacturers of consumer connectable products to demonstrate compliance with the UK’s product security regime.
I shall move on to the amendments. Regulations 4 and 8 amend the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 to provide for deemed compliance with the requirement, under Section 9 of the 2022 Act, that relevant connectable products must be accompanied by a statement of compliance. Under new Regulation 4A of and new Schedule 2A to the 2023 regulations, a manufacturer will be deemed to have complied with this requirement where the relevant connectable product carries a valid label under Japan’s JC-STAR STAR-1 labelling scheme or a label under any level of the Singapore cybersecurity labelling scheme. Regulations 5 to 7 amend Schedule 2 to the 2023 regulations to provide for deemed compliance with the relevant security requirements set out in Schedule 1 to those regulations, where a manufacturer’s product carries either of these labels and where that label is valid. Regulation 3 inserts definitions of the Japan JC-STAR STAR-1 scheme and the Singapore cybersecurity labelling scheme into the 2023 regulations for the purposes of these deeming provisions.
The UK’s Department for Science, Innovation and Technology signed MoUs on working towards co-operation on cybersecurity—including the possibility of mutual recognition of our respective consumer internet of things cybersecurity regimes—with Singapore and Japan, on 23 October and 5 November respectively. When both MoUs come into effect, UK businesses will benefit from streamlined access to the Japanese and Singaporean labelling schemes, boosting their product credibility and market appeal in those regions.
Cybersecurity is not just a technical issue; it is a strategic priority. By aligning with like-minded nations and reducing unnecessary barriers to trade, we are strengthening our digital resilience, supporting UK businesses and protecting consumers. The UK must continue to lead by example by championing the global adoption of cybersecurity standards and advancing mutual recognition, which are vital parts of establishing a trusted global supply chain of connected products.
This instrument will extend and apply to the whole of the United Kingdom and will have practical effect throughout the United Kingdom. I hope that the Committee will recognise the importance of these regulations. I beg to move.
Lord Addington (LD)
My Lords, I have some sympathy for the Minister, with this being her first time going into something like this. This is not an area that I usually cover. Acronym hell may not be here, but you can see it from the edge of this debate.
Basically, we are talking about something that makes trade easier and compatible. The instrument talks about making sure that things are safer in the current digital age. That is all to the good, but I have a couple of questions. How are we doing ongoing equivalence and oversight? How are we looking to make sure that we stay in touch with the regimes? How much are foreign regimes being monitored to make sure that this is all ongoing and happening?
Also, what about the economic quantification? That is an important way of asking how practical it is, especially for smaller users and consumers in this field. Are we doing anything to make sure that it is practical and will work if you are an SME? That is very important because we may have made a wonderful thing that looks great on paper and in theory—probably on a computer screen, in this case—but how will it work in practice? How are we going to monitor that on the way through?
Of course, a degree of congratulation is in order to any Government who make trade easier. How will this measure be used to make trade easier? Can the Minister give an example of how trade will be done more easily? I am struggling for the right word, but how will we make our regime more compatible with other regimes? Our biggest trading partner is still the European Union. How will our regime be more compatible with the EU’s? These are just a few things I hope the Minister will clarify when she responds.
Lord Hunt of Wirral (Con)
My Lords, I join the noble Lord, Lord Addington, in welcoming the Minister to her first appearance in Grand Committee. What better example could she have of the way in which things can develop in this place where there is agreement on all sides? She may have felt on Monday that it was not possible to reach agreement on the matters before us then, when she played a prominent part. Although the House of Lords has expressed its views strongly, I still think there is room for agreement, which I very much hope will follow. Having said that, perhaps I may set an example of what can be done and say that I approach this statutory instrument in a constructive spirit because we support cybersecurity protections for consumers.
The UK consumer device security regime, which was introduced under the previous Government, set an important international benchmark. As more of our daily lives depend on connected devices, it is vital that products are secure by design and that consumers are protected from avoidable vulnerabilities. These regulations provide a practical amendment to the existing framework through recognising Singapore’s cybersecurity labelling scheme and Japan’s Japan JC-STAR STAR-1 as equivalent to our baseline. They remove unnecessary duplication for manufacturers, while at the same time maintaining consumer safety. Where trusted partners meet high standards—rooted, as the noble Baroness has just pointed out, in the same ETSI framework underpinning the UK regime—it is reasonable to avoid repeat testing and reduce barriers to trade. Therefore, we do not oppose the SI but, rather like the noble Lord, Lord Addington, I have a number of questions. I hope the Minister will be able to clarify a few points.
My first question is similar to that of the noble Lord, Lord Addington. How will the Government monitor ongoing equivalence? The Singaporean and Japanese schemes may evolve. If their requirements then diverge from the UK’s baseline, what mechanism will be used to reassess or revoke recognition? If they move too far in the wrong direction, what will we do? As the noble Lord pointed out, this is particularly important for small and medium-sized enterprises that need some certainty about the way in which these regulations will be enforced. Secondly, on enforcement, where a product enters the UK market with a foreign label, will our regulators have access to the evidence underpinning that certification? What steps will be taken if a certified product is later found to contain vulnerabilities? Finally, while the impact is assessed as below the threshold for a full assessment, can the Minister share any indicative estimates of the expected benefits to business, whether in reduced compliance costs or faster access to market?
In summary, international co-operation on cyber standards is vital and these regulations represent a sensible step in that direction. We support the intention to streamline compliance while upholding robust protections for UK consumers. However, continued oversight and clarity from the Government will be essential to ensure confidence in the system as it develops. I look forward to hearing the Minister’s response.
Watchdogs (Industry and Regulators Committee Report)
Lord Addington Excerpts(1 year, 3 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Lord Addington (LD)
My Lords, when I put my name down for this debate, I suspected I would learn more than I imparted to the House. What dragged me towards this debate—that moment when you take that rare parliamentary step of getting out of your own little corner—was that, when I looked at the title, I remembered my experience many decades ago when I was the baby on the then water Bill. Indeed, when I explained this to my noble friend Lord Teverson, he asked whether I was on some sort of day release or child workforce project for Parliament.
I remember being told at the time that the regulator would work and would cover everything, but we have discovered that it did not. The noble Lord, Lord Cromwell, has pulled that apart for us and shown that the regulator did not have the structure, the incentive or the vision to do anything about it, but we did not know that. The regulator just jogged on, doing its inadequate job and delivering on its original remit, and no one paid any attention until it was too late—until we had people making reports to the press, which then made their way to Parliament, and by that point you are often basically playing catch up and mend. The conclusion that I have come to is that the difference between a regulator and red tape is that the work is the same and you decide whether it is red tape or useful regulation.
There are many other regulatory bodies. As my noble friend Lord Clement-Jones pointed out, there is some debate about how many we have. Surely that is something that Parliament could sort out. Is it 90 or 200? Is there some subset below 90? Surely that is something to find out.
The central idea of an office for regulatory performance is a crucial one. It would be a much better way of allowing Parliament to see what was not working. If you have to come and report to Parliament, you will find out.
When it comes to regulation or red tape, I do not think that many people in either House are basically evil and out to get everybody else. They may have different views and objectives but if you can say, “Something isn’t working, so please do it differently”, you stand a good chance of somebody engaging. It is just one of those things that happens. The noble Lord, Lord Holmes, pointed out something that we have not really looked at, because we did not really understand it until comparatively recently, and when it comes to new areas we have to do something. Also raised in this report is: do not just stick something into an existing body, if it has not got the structure to handle it, because everybody is panicked.
Having looked at this report, I think it seems awfully like common sense to anybody who has been around Parliament for a while. If you do not know that something has gone wrong and it is not in the press, Parliament will not discuss it, so the regulatory framework carries on until something catastrophic happens and there is real public failure, or until it becomes politically desirable or fashionable for the party in power to address it. Those things are both probably undesirable, because somebody comes through and makes sweeping changes that may not make it any good, or they are responding to a disaster.
Surely some form of reporting on how things are managed is very sensible. I hope that when the noble Baroness, Lady Jones of Whitchurch, replies she will say that she is looking at this favourably. It does not have to be this scheme, but there should be something that reports back and lets us know how efficient things are. We are not asking for some revolution here, just for better monitoring of our current system.
Code of Practice on Fair and Transparent Distribution of Tips
Lord Addington Excerpts(1 year, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
The Minister of State, Department for Business and Trade (Lord Johnson of Lainston) (Con)
My Lords, just so that everyone is clear about these measures, “tips” covers all tips, gratuities and service charges. The code of practice will give legal effect to standards in the allocation and distribution of tips and transparency surrounding the keeping of records and the retention of written tipping policies.
As I am sure all noble Lords are aware, an initial draft of the code was published in December and updated following a public consultation. I say, on behalf of the department, that we are extremely grateful for all those businesses, workers and other stakeholders who provided helpful responses to the consultation. All those responses have been carefully considered. It is important to stress that many thousands—the vast majority, in fact—of hospitality venues, bars and clubs behave extremely well with tips. It is a crucial component of encouraging people to work in the hospitality sector, which is what we absolutely need in this country.
There are, however, some who have not behaved appropriately, and this code will ensure that there is an appropriate framework around which they now must operate. Law-abiding, legitimate processes will also be properly codified. We have also published a response to the consultation, setting out in more detail the feedback that we have received and the changes that have been made.
I have some technical points in conclusion. The updated code was laid before Parliament on Monday 22 April, pursuant to Section 9 of the Employment (Allocation of Tips) Act 2023, and approved by the House of Commons on Tuesday 14 May. The code contains summaries of the key intentions of the Act. It details the scope of the measures and provides further information on the need to maintain fairness in the allocation and distribution of tips and the need to uphold transparency in the handling of tips.
It was not the Government’s intention that certain hospitality venues should re-engineer their tips process and describe them as “brand fees” or some other charge that could circumvent the principle that, when consumers believe that they are giving a gratuity to an individual member of staff, it goes to them rather than to the corporation that controls the venue. We have been in touch on some of the most high-profile cases and will continue to keep a close watch on them.
The code subsequently expands on how to resolve conflicts which arise between employers and workers, including impartial advice and assistance in resolving problems through ACAS and eventual escalation to an employment tribunal. Following approval by this House, the code of practice and the other remaining measures in the tipping Act will come into force on Tuesday 1 October, thus, I hope, cementing this Government’s reputation as a true friend to all waiters, waitresses and hospitality workers across this country. I beg to move—and keep the tip.
Lord Addington (LD)
My Lords, it is a pity that we have to do this, but it is good that we have done it. I am glad that it has happened.
Lord Leong (Lab)
My Lords, I thank the Minister for introducing this code of practice, and the noble Lord, Lord Addington, for his contribution.
How often do we find ourselves in this situation? It is the end of a busy week and we are sitting among friends and colleagues in a beautiful venue, talking about the usual things—politics, the weather, or how unusually this week those two things have combined to make the news. As things inevitably draw to a close, our little group is presented with a Bill, which, after a bit of haggling and discussion, we agree on. So then we come to the matter of tips—or, more specifically, the draft Code of Practice on Fair and Transparent Distribution of Tips.
The hourly rates of pay in hospitality jobs are rarely fantastic, especially before Labour’s national minimum wage, but they are often boosted considerably by tips. Although we do not have such a strong tipping culture as, say, the United States or many countries on the continent, tipping is nevertheless a considerable element of the hospitality economy. The prospect of tips encourages staff to provide a better service, and tips enable diners and drinkers to show their appreciation for the people serving them. Tips are symbolic of a very human connection: even when a meal may cost more than the student waiter may earn in a single shift, we see and acknowledge those who provide the service that makes our time enjoyable. There has always been an implicit understanding that, when we add a tip to the bill, our money will go to those doing the front-line work and often the lowest-paid jobs, on hourly, variable part-time wages.
Although essentially transactional, tips oil the wheels of the industry. However, as we move more and more to a cashless society and tips become electronic digits on a card machine instead of notes in a jar on the bar, the transaction moves further away from the human and there is a risk that this direct connection is lost. Good employers in the sector value their staff and know that, if their customers have a positive experience, they are more likely to return. Treating staff well and honouring the connection between customer and server that a tip represents are important in retaining good staff, but some restaurant owners, and many high street restaurants and bars, have begun to see tips as part of their income stream and not a payment to their employees.
Even before Covid, hospitality was a tough business, operating on the finest of margins. The pandemic, more people working from home and the cost of living crisis have had an enormous impact on the sector, especially the night-time economy. The temptation for owners not to pass on tips is understandable, but the people who deliver the service also face the challenges of rising costs and fewer shifts. Many will always be dependent on tips as a crucial part of their income. It is wrong for this to be denied them.