Online Safety Act 2023 (Qualifying Worldwide Revenue) Regulations 2025
Debate between Lord Leong and Viscount Camrose
Viscount Camrose (Con)
My Lords, this statutory instrument forms a key part of the regulatory framework underpinning the Online Safety Act 2023, a significant and necessary piece of legislation that forms part of my party’s legacy in government. I am very proud of the small contribution that I made to its passage through your Lordships’ House. That Act’s core aim is to make the online world safer, particularly for children and vulnerable users—an aim that all of us in this Committee support fully.
That said, let me make a brief point; it does not go directly to this instrument but it is, I think, a point worth making. I am concerned by how controversial the Bill seems to have become in certain quarters—indeed, much more controversial than it deserves to be. Part, though not all, of that is perhaps due to the previous Secretary of State’s rather aggressive rebuttal of some of the claims made about it. So I express my hope and wish that the new Secretary of State will be more emollient in his debate in order to carry people with him, because it is so important that the public come along with the Bill.
This instrument sets out how Ofcom will calculate the qualifying worldwide revenue of regulated service providers. As the Minister has outlined, this matters for two reasons: first, to determine Ofcom’s fees and, secondly, to establish maximum penalties for breaches of up to 10% of global revenue or £18 million, whichever is higher.
Most notable, of course, is the use of worldwide revenue as the basis for both fees and penalties. Although this ensures consistency and deters underreporting, the concern was raised during the public consultation that it can prove disproportionate for providers with only limited UK operations. I hope that, when he comes to speak, the Minister can give a bit more clarity on this point. Has a formal assessment been carried out in this specific area? What safeguards exist to prevent excessive penalties in cases of genuine error?
There is also the question—the noble Lord, Lord Stevenson of Balmacara, set this out clearly so I will not go into it much—of the interpretation of terms such as “just and reasonable”, particularly in revenue apportionment and currency conversion. Consistent application will of course be critical. How will disagreements be resolved and what guidance will providers receive?
I would also be grateful for clarification on Regulation 4(3)(b), which refers to
“parts where search content may be encountered (in the case of search services and combined services)”.
Ofcom has indicated that both “search” and “user to user” can include the functionality of AI chatbots. I am pleased that it has clarified this point but, if that is so, it raises an important issue: in cases where an entity is to be fined for an unsafe AI chatbot, which service is considered referable? Is it the chatbot service itself, or is the chatbot to be considered an amalgam of a user-to-user service and a search service?
If it is to be just the chatbot service—these are, of course, increasingly being used as search services—many of them generate very little revenue. In fact, AI is frequently loss making for many of the large organisations operating in this space. Could their qualifying worldwide revenue, at least as defined, be negative in such cases? If so, how would that be treated under the regime?
Of course, we welcome the exemption for services with under £10 million in UK referable revenue—we feel that that is a sensible threshold—but are the Government willing to review it if evidence shows that it is deterring legitimate or public interest platforms from entering or remaining in the UK market?
These regulations are a necessary step. They must be implemented fairly, not just for the global giants but for those trying to do the right thing. In closing, I thank the Minister for stepping in at short notice to guide us through this—it was no doubt a not wholly welcome surprise. I hope that the Government will have plans in place to monitor the regime’s impact actively and closely to ensure that Ofcom’s guidance is transparent and consistent and that they will remain open to adjusting thresholds or definitions if unintended consequences should arise.
Lord Leong (Lab)
I thank all noble Lords, especially my noble friend Lord Stevenson, the noble Baroness, Lady Humphreys, and the noble Viscount, Lord Camrose, for their valuable contributions to this debate. The noble Viscount, Lord Camrose, should be really proud of his legacy in taking the Online Safety Act through Parliament. It is due to him that we are now implementing these regulations.
I shall now respond to the various questions raised by noble Lords and to the Secondary Legislation Scrutiny Committee in its report on this instrument. The total amount of fees collected must not exceed the annual cost of Ofcom’s exercise of its online safety regulation functions. The cost may vary from year to year. Ofcom’s expected annual costs for online safety services for 2025-26 are close to £92 million, which includes regulatory activities and what Ofcom calls common costs, which are its running costs, allocated to all sectors that it regulates. Ofcom’s annual costs will vary depending on the level of regulatory activity undertaken in any given year, and those for online safety for 2026-27 will be published in the 2027 tables. Ofcom’s duties under the Act are extensive, and this will allow it to deliver effectively.
Service providers whose qualifying worldwide revenue is at or above a revenue threshold that we are discussing, and which these regulations will allow Ofcom to consult on and set, will need to pay approximately 0.02% to 0.03% of their qualifying worldwide revenue in fees. The Secretary of State will determine the threshold figure, having taken advice from Ofcom, which recommends a threshold of £250 million. If implemented, that means that only the largest companies will be in scope of fee paying. For example, a company with a qualifying worldwide revenue of £250 million can expect fees to constitute something like £50,000 to £75,000, using the formula of 0.02% to 0.03%.
Ofcom has robust enforcement powers available to use against companies that fail to fulfil their duties and will be able to issue enforcement decisions. That is in response to a question posed by my noble friend Lord Stevenson. This includes non-payment of fees, which is explicitly covered under Section 141 of the Online Safety Act.
Ofcom’s authority to collect fees is set up, as I said earlier, under Section 84 of the Act. Its authority to collect penalties is also set up under Schedule 13. If a provider of a regulated service does not pay its fee to Ofcom in full, Ofcom may give the provider a penalty notice specifying the outstanding sum and a date on which it must be paid. It may also bring legal proceedings for the recovery of the whole or part of the amount due.
I will write to my noble friend Lord Stevenson on the issue of Ofcom’s future receipts being lower than its costs.
Mathematical Sciences
Debate between Lord Leong and Viscount Camrose
Lord Leong (Lab)
The noble Lord makes a very interesting point. We have to get children to be interested in maths, to love maths and not to be scared of maths. We are putting a lot of money towards the various mathematical societies and learned societies. For the maths hubs, we have invested £185 million to get more teachers and students into maths. We have to do more, and we will continue to do more.
Viscount Camrose (Con)
My Lords, compared with just one year ago, far more tech leaders are coming to the view that the skill of coding may already be redundant thanks to AI. Whether or not they are right, if we take that as just one example of rapid technology-driven change, does the Minister agree that whatever our plans to develop maths skills, they need to be much more agile and adaptive than they currently are? If so, how can that be brought about?
Lord Leong (Lab)
I thank the noble Viscount for that. I am sure he is aware that DSIT supports STEM talent partners; for example, over £100 million of funding has been committed to quantum skills programmes between 2024 and 2033. Our AI upskilling fund has been providing up to £10,000 for SMEs in the professional and business sector to deliver employee training. Everything has to start from somewhere, so we are spending the money to get people upskilled in the latest technology, whether it is coding or something else.
Data (Use and Access) Bill [HL]
Debate between Lord Leong and Viscount CamroseTuesday 21st January 2025
(7 months, 3 weeks ago)
Lords ChamberRead Full debate Data (Use and Access) Act 2025 View all Data (Use and Access) Act 2025 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 57-I Marshalled list for Report - (17 Jan 2025)
Viscount Camrose (Con)
I thank the noble Baroness, Lady Kidron, for leading on this group, and the noble Lord, Lord Clement-Jones, for his valuable comments on these important structures of data communities. Amendments 2, 3, 4 and 25 work in tandem and are designed to enable data communities, meaning associations of individuals who have come together and wish to designate a third party, to act on the group’s behalf in their data use.
There is no doubt that the concept of a data community is a powerful idea that can drive innovation and a great deal of value. I thank the noble Lord, Lord Clement-Jones, for cataloguing the many groups that have driven powerful thinking in this area, the value of which is very clear. However—and I keep coming back to this when we discuss this idea—what prevents this being done already? I realise that this may be a comparatively trivial example, but if I wanted to organise a community today to oppose a local development, could I not do so with an existing lawful basis for data processing? It is still not clear in what way these amendments would improve my ability to do so, or would reduce my administrative burden or the risks of data misuse.
I look forward to hearing more about this from the Minister today and, ideally, as the noble Baroness, Lady Kidron, said, in a briefing on the Government’s plan to drive this forward. However, I remain concerned that we do not necessarily need to drive forward this mechanism by passing new legislation. I look forward to the Minister’s comments.
Amendment 42 would require the Information Commissioner to draw up a code of practice setting out how data communities must operate and how data controllers and processors should engage with these communities. Amendment 43 would create a register of data communities and additional responsibilities for the data community controller. I appreciate the intent of the noble Baroness, Lady Kidron, in trying to ensure data security and transparency in the operation of data communities. If we on these Benches supported the idea of their creation in this Bill, we would surely have to implement mechanisms of the type proposed in these amendments. However, this observation confirms us in our view that the administration required to operate these communities is starting to look rather burdensome. We should be looking to encourage the use of data to generate economic growth and to make people’s lives easier. I am concerned that the regulation of data communities, were it to proceed as envisaged by these amendments, might risk doing just the opposite. That said, I will listen with interest to the response of noble Lords and the Minister.
Lord in Waiting/Government Whip (Lord Leong) (Lab)
My Lords, I rise to speak to Amendments 2, 3, 4, 25, 42 and 43. I thank the noble Baroness, Lady Kidron, and the noble Lord, Lord Clement-Jones, for these amendments on data communities, which were previously tabled in Committee, and for the new clauses linking these with the Bill’s clauses on smart data.
As my noble friend Lady Jones noted in Committee, the Government support giving individuals greater agency over their data. The Government are strongly supportive of a robust regime of data subject rights and believe strongly in the opportunity presented by data for innovation and economic growth. UK GDPR does not prevent data subjects authorising third parties to exercise certain rights on their behalf. Stakeholders have, however, said that there may be barriers to this in practice.
I reassure noble Lords that the Government are actively exploring how we can support data intermediaries while maintaining the highest data protection standards. It is our intention to publish a call for evidence in the coming weeks on the activities of data intermediaries and the exercise of data subject rights by third parties. This will enable us to ensure that the policy settings on this topic are right.
In the context of smart data specifically, Part 1 of the Bill does not limit who the regulations may allow customers to authorise. Bearing in mind the IT and security-related requirements inherent in smart data schemes, provisions on who a customer may authorise are best determined in the context of a specific scheme, when the regulations are made following appropriate consultation. I hope to provide some additional reassurance that exercise of the smart data powers is subject to data protection legislation and does not displace data rights under that legislation.
There will be appropriate consultation, including with the Information Commissioner’s Office, before smart data schemes are introduced. This year, the Department for Business and Trade will be publishing a strategy on future uses of these powers.
While the smart data schemes and digital verification services are initial examples of government action to facilitate data portability and innovative uses of data, my noble friend Lady Jones previously offered a meeting with officials and the noble Baroness, Lady Kidron, to discuss these proposals, which I know my officials have arranged for next week—as the noble Baroness indicated earlier. I hope she is therefore content to withdraw her amendment.
Viscount Camrose (Con)
My Lords, I will speak to Amendments 11 and 13 in my name and that of my noble friend Lord Markham. The national underground asset register contains the details of all underground assets and apparatus in England, Wales and Northern Ireland, or at any rate it will do as it goes forward. This includes water pipes, electricity cables, internet cables and fibres—details of the critical infrastructure necessary to sustain the UK as we know it.
Needless to say, there are many hostile actors who, if they got their hands on this information, would or could use it to commit appalling acts of terror. I am mindful of and grateful for the Government’s assurances given in Committee that it is and will be subject to rigorous security measures. However, the weakest link in cyber defence is often third-party suppliers and other partners who do not recognise the same level of risk. We should take every possible measure to ensure that the vital data in NUAR is kept safe and shared only with stakeholders who have the necessary security provisions in place.
For this reason, I have tabled Amendment 11, which would require the Secretary of State to provide guidance to relevant stakeholders on the cybersecurity measures which should be in place before they receive information from NUAR. I do not believe this would place a great burden on government departments, as appropriate cybersecurity standards already exist. The key is to ensure that they are duly observed.
I cannot overstate the importance of keeping this information secure, but I doubt noble Lords need much convincing on that score. Given how frighteningly high the stakes are, I strongly urge the most proactive possible approach to cybersecurity, advising stakeholders and taking every possible step to keep us all safe.
Amendment 13, also tabled in my name, requires the Registrar-General to make provisions to ensure the cybersecurity of the newly digitised registers of births, still-births, and deaths. There are a great many benefits in moving from a paper-based register of births and deaths to a digitised version. People no longer have to make the trip to sign the register in person, saving time and simplifying the necessary admin at very busy or very difficult points in people’s lives. It also reduces the number of physical documents that need to be maintained and kept secure. However, in digitising vast quantities of personal, valuable information, we are making a larger attack surface which will appeal to malign actors looking to steal personal data.
I know we discussed this matter in Committee, when the noble Baroness the Minister made the point that this legislation is more about a digitisation drive, in that all records will now be digital rather than paper and digital. While I appreciate her summary, I am not sure it addresses my concerns about the security risks of shifting to a purely digital model. We present a large and tempting attack surface, and the absence of paper back-ups increases the value of digital information even more, as it is the only register. Of course, there are already security measures in place for the digital copies of these registers. I have no doubt we have back-ups and a range of other fallback opportunities. But the same argument applies.
Proactive cybersecurity provisions are required, taking into account the added value of these registers and the ever-evolving threat we face from cybercriminals. I will listen with great interest to the thoughts of other noble Lords and the Minister.
Lord Leong (Lab)
My Lords, I thank the noble Viscount, Lord Camrose, and the noble Lord, Lord Markham, for these amendments. Clause 56 forms part of NUAR provisions. The security of NUAR remains of the utmost importance. Because of this, the Government have closely involved a wide range of security stakeholders in the development of NUAR, including the National Protective Security Authority and security teams from the asset owners themselves. Providing clear acceptable user and usage policies for any digital service is important. As such, we intend to establish clear guidance on the appropriate usage of NUAR, including what conditions end users must fulfil before gaining access to the service. This may include cybersecurity arrangements, as well as personal vetting. However, we do not feel it appropriate to include this in the Bill.
Care must be taken when disclosing platform-specific cybersecurity information, as this could provide bad actors with greater information to enable them to counter these measures, ultimately making NUAR less secure. Furthermore, regulations made in relation to access to information from NUAR would be subject to the affirmative procedure. As such, there will be future opportunities for relevant committees to consider in full these access arrangements, including, on an individual basis, any security impacts. I therefore reassure noble Lords that these measures will ensure that access to NUAR data is subject to appropriate safeguards.
Data (Use and Access) Bill [HL]
Debate between Lord Leong and Viscount CamroseTuesday 3rd December 2024
(9 months, 1 week ago)
Grand CommitteeRead Full debate Data (Use and Access) Act 2025 View all Data (Use and Access) Act 2025 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-I(a) Amendments for Grand Committee (Supplementary to the Marshalled List) - (3 Dec 2024)
Viscount Camrose (Con)
My Lords, this sequence of amendments is concerned with the publication and availability of guidance. Decision-makers are individuals responsible for deciding if a person has satisfied the conditions for authorisation to receive customer or business data. They may publish guidance on how they intend to exercise their functions. Given the nature of these responsibilities, these individuals are deciding who can receive information pertaining to individuals and businesses. The guidelines which set out how decisions are taken should be easily accessible and the best place for this is on their websites.
Following on from this point, Amendment 12 would require this guidance to be reviewed annually and any changes to be published, again on decision-makers’ websites, at least 28 days before coming into effect. This would ensure that the guidelines are fit for purpose and provide ample time for people affected by these changes to review them and act accordingly.
Amendments 13 and 14 seek to create similar requirements for enforcers—that is, a public authority authorised to carry out monitoring or enforcement of regulations under this part. Again, given the nature of these responsibilities, the guidelines should be easily accessible on the enforcer’s website and reviewed annually, with any changes published, again on their website, at least 28 days before coming into effect. This will, once again, ensure that the guidelines are fit for purpose and provide ample time for people affected by these changes to review them and act accordingly.
Finally, Amendment 15 would require the Secretary of State or the Treasury to provide guidance on who may be charged a fee under Clause 6(1) and to review it annually. Ensuring the regular review of guidelines will ensure their effectiveness, and the ready availability of guidelines will ensure that they are used and observed. I therefore believe that these amendments will be of benefit to the functioning of the Bill and should be given consideration by the Minister.
Lord Leong (Lab)
My Lords, I thank the noble Viscount, Lord Camrose, for those amendments. I will cover the final group of amendments to Part 1, dealing with smart data guidance.
On Amendments 11, 12, 13 and 14, which relate to the publishing of the guidelines, I am pleased to confirm that Clause 5(4) clarifies that regulations may make provisions about the providing or publishing of business data. This includes the location where they should be published, including, as the noble Viscount suggests, the website of the responsible person.
Furthermore, Clause 21 clarifies that regulation may make provision about the form and manner in which things must be done. That provision can be used to establish appropriate processes around the sharing of information and guidance, including its regular update, publication and sharing with the relevant person.
Amendment 15 refers to the amount of fee charged and how it should be determined. The power is already broad enough to allow the information to be reviewed as and when necessary, but to mandate that the review must take place at least once a year may be a bit restrictive. For these reasons, I ask the noble Viscount not to press his amendments.
Viscount Camrose (Con)
I thank the noble Lord for his answers. I understand what he says, although I would be grateful if either he or the noble Baroness, Lady Jones, could summarise those points in writing because I did not quite capture them all. If I understand correctly, all the concerns that we have raised are dealt with in other areas of the Bill, but if they could write to me then that would be great. I beg leave to withdraw the amendment.