Data Protection Bill [HL] Debate
Full Debate: Read Full DebateDepartment: Department for Digital, Culture, Media & Sport
Baroness Kidron
Main Page: Baroness Kidron (Crossbench - Life peer)Department Debates - View all Baroness Kidron's debates with the Department for Digital, Culture, Media & Sport
Monday 6th November 2017
(6 years, 5 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 66-II(Rev)(a) Amendment for Committee, supplementary to the revised second marshalled list (PDF, 55KB) - (6 Nov 2017)
Baroness Kidron
“Child's consent in relation to information society services
In Article 8(1) of the GDPR (conditions applicable to child’s consent in relation to information society services)—(a) references to “16 years” are to be read as references to “13 years” provided that the information society service meets the minimum standards of age-appropriate design as determined by the Commissioner, and (b) the reference to “information society services” does not include preventive or counselling services.”
Baroness Kidron (CB)
My Lords, I shall also speak to Amendments 19, 155, 156 and 157 and in so doing I thank the many noble Lords who have voiced their support, particularly the noble Baroness, Lady Harding of Winscombe, and the noble Lords, Lord Storey and Lord Stevenson of Balmacara, who have put their names to them. In Clause 8, the Government have chosen with nothing more than a tick of a box to treat a child of 13 as if they were an adult when in the digital environment, with the explanation that they are merely aligning legislation with the age used by popular sites. That cannot be right.
Children have special protections and privileges evident in our culture, embedded in our law and determined by our being signatory to the charter on the rights of the child. Collectively, the amendments affirm that a child is a child even online, a principle that is not sufficiently articulated in the Bill. I shall go to each amendment in turn.
Amendment 18 would make the consent of a child aged 13 to 16 lawful only when a service seeking that child’s consent meets,
“minimum standards of age-appropriate design”.
Amendment 19 would make consent given by a person with parental responsibility on behalf of a child under 13 lawful only when the service seeking the consent meets the,
“minimum standards of age-appropriate design”.
Passing these amendments would make it unlawful to seek a child’s consent or parental consent on a child’s behalf without providing a service that recognises the age of that child.
Amendment 155 would require the Information Commissioner to create guidance on age-appropriate design and take into account such matters as a child’s need for high privacy settings by default, not revealing their GPS location, using their data only to enable them to use a service as they wish and no more, and not automatically excluding them if they will not give up vast swathes of data however nicely you ask. If the commissioner so wished, it could also mean giving a child time off by not sending endless notifications during school hours or sleep hours and deactivating features designed to promote extended use; making commercially driven content, whether a vlogger or a direct marketing campaign, visible to and understood by a minor; and insisting on reporting processes with an end-point and a reasonable expectation of resolution. The amendment would require the commissioner to consult a wide group of stakeholders before coming to that decision and, crucially, sets out that she must also consult children, who are so often the first to adopt emerging technologies—early to spot the issues yet rarely asked to contribute meaningfully to how their needs might be met in the digital environment. Government has been widely criticised for not consulting children, so I wish to put on the record that where their views have been captured, children have consistently called for better privacy and data management, clearer guidance on content, transparent reporting strategies and greater visibility of how their data are shared and commoditised, calls which industry and government steadfastly choose to ignore. Amendments 156 and 157 would ensure that both Houses were able to scrutinise the guidance before it came into force.
The GDPR is the substantive law which the Bill supplements. While the GDPR acknowledges that children enjoy enhanced rights online, it says little about what this means in practice, and the majority of the provisions for children sit in the recitals, which, as we heard last week, are not binding. The limitations of Article 8 of the GDPR are pointed out by Professor Sonia Livingstone OBE, who writes that:
“article 8 of the GDPR is beginning to seem to me increasingly irrelevant. When kids tick the box the companies will then bear no responsibility to them by reason of their age”.
Meanwhile, John Carr OBE says:
“If you entice or allow 13 year-olds on your site, you must … treat them in a manner relevant to their age”.
Professor Livingstone and John Carr are arguably the most renowned experts in the field of childhood online. On this matter, they are joined by the NSPCC, Parent Zone, YoungMinds, the Anti-Bullying Alliance, the CHIS and the Children’s Commissioner—among many others—in supporting the amendments. The amendments provide clarity, allow our legislation to reflect our values, and are necessary to make industry respond to the needs of children.
Lord Ashton of Hyde
I do not think I mentioned confusion. What we are talking about in the Bill is purely data protection. We are talking about the age at which children can consent to information society services handling their data. What I think the noble Baroness, and a lot of Peers in the House, are talking about is keeping children safe online, which is more than just protection of their personal data.
Baroness Kidron
I also apologise for interrupting but I have to support the noble Lord, Lord Knight. When I read out the list, I said that Instagram takes information such as your phone number, your birthday and who you are chatting with. That is data, so I come at this from a very clear position on children’s rights. I am very keen for children to be online. I agree with the noble Lord, Lord Knight, that we are beyond an age of consent, as he said on Second Reading. Consent is meaningless if you do not change the service on the other side of that consent. It is not simply about the bad things that happen. It is about abusing the entire data of a child when they are online. I hope that is helpful to put it back into scope of the Bill.
Lord Ashton of Hyde
There may be some confusion now. I am not saying that children’s data is not important or that data protection for children is not important: clearly they are. However, the internet safety strategy addresses an overall, comprehensive range of measures that is about more than just data protection. We want to have a comprehensive strategy, which I am going to come to, to talk about safety. Nobody in their right mind is saying that we should not protect children, not only on the domestic front but internationally, as the noble Baroness, Lady Jay, said. Let me continue and I am sure all will become clear. If it does not, I am sure that the noble Baroness and others will cross-question me. If I have misunderstood what the noble Lord, Lord Knight, is getting at, I will look at Hansard and get back to him. I am sure we will come to this again.
We have a clear plan of action to raise the level of safety online for all users, as set out in the internet safety strategy. We are consulting on a new code of practice for the providers of online social media platforms, as required by the Digital Economy Act. That will set best practice for platform providers in offering adequate online protection policies, including minimum standards. Approaching the problem in this way as a safety matter, rather than a data protection matter, ensures we can tackle the problem while avoiding a debate over whether we are compliant with the GDPR. The internet safety strategy also outlines the Government’s promotion of “Think safety first” for online services. This will aim to educate and encourage new start-ups and developers to ensure that safety and privacy are built into their products from the design phase. Examples of this type of approach include having robust reporting mechanisms for users. We are looking at whether extra considerations should be in place on devices that are registered as being used by a child.
It is essential that we take a careful and considered approach to affecting the design standard of online services. Making overly complex or demanding requirements may result in negative consequences. Let me explain why. Amendments 18 and 19 essentially offer website operators a stark choice. Websites will need to either invest in upgrading standards and design or withdraw their services for use by under-16s. This is dangerous for the following reasons.
First, it could cause a displacement effect where children move to less popular platforms that would potentially not comply with such requirements—the noble Baroness, Lady Jay, talked about foreign sites. It is often more difficult to monitor these services and to ensure they have the basic protections that we expect from more legitimate sites. Platforms comply either because they are responsible or because they believe that the regulator will take enforcement action against them. Platforms hosted overseas may not always comply, because to do so would reduce the volume of users and potential monetisation, and the risk of enforcement action may be low.
Secondly, it is likely that young people, particularly those who already use these sites, may lie about their age to circumvent restrictions. This could have negative consequences for the prosecution of online grooming and underage sex: teenagers would be vulnerable to the assumption that they are over 16; adults could use this as a defence for their conduct; and sites may not be as accountable for the content that children are exposed to. This is not an imaginary problem. There have been cases of acquittal at trial, where men have had sexual relations with underage girls after meeting them on sites for over-18s only, using their presence on the site as a defence for believing them to be adults.
Thirdly, circumvention may be sought through the use of mechanisms to anonymise—I am having a problem with my pronunciation too—the use of the internet. Young people may adopt anonymising tools such as VPNs to access non-UK versions of the sites. This would make it more difficult for law enforcement to investigate, should they be exploited or subject to crime.
Fourthly, there is already in place a variety of legislation to safeguard children. Any change brought in through this Bill would have potential ramifications for other statutes. Altering how children make use of online service providers would need to be carefully worked through with law enforcement agencies to ensure that it did not damage the effectiveness of safeguarding vulnerable people.
Fifthly, these amendments do not just apply to social media services. A broad range of online services would be affected by this proposal, from media players to commerce sites. The kinds of services that would be caught by this amendment include many that develop content specifically for young people, including educational materials, not to mention the wider impact on digital skills if children are forced offline.
I move on now to more practical considerations. I am concerned that the amendments as drafted, while an elegant proposal, could serve to create confusion about what sites have to do. We know that the GDPR will apply from 25 May, and I am not convinced that this will allow enough time for the commissioner to consult on the guidance, prepare it, agree it and lay it before Parliament, and for companies to be compliant with it. Online service providers will need to adhere to the new requirements from May 2018, and may have existing customers that the new provisions will apply to. They will need some time to make any necessary changes in advance. Even with the transition period available in the amendment, this would lead to considerable uncertainty and confusion from online services about the rules they will have to follow come May. This could result in the problems that I have already laid out.
Finally, the Information Commissioner has raised a technical point. These amendments would apply only where consent is the lawful basis for processing data. Children also have access to online services where the data controller relies on a contractual basis or vital interests to offer services, rather than reliance on consent. Therefore, the amendments may have less reach than seems to be envisaged and are likely to lead to confusion as to which services the requirements apply to.
In summary, in spite of our appreciation of the aims of these amendments, we have concerns. They may prove dangerous to the online safety of children and young people. Creating unnecessary and isolated requirements runs the risk of being counterproductive to other work in this space. There needs to be some serious and detailed discussion on this before any changes are made. Furthermore, the technical and legal drafting of the amendments remains in question.
There is no doubt that further work needs to be done in the online safety space to ensure the robust and sustainable protection of our children and young people online. We have demonstrated commitment to this through the work on the internet safety strategy and the Digital Economy Act. We are working on these issues as a matter of priority, but strongly believe that it is better to address them as a whole rather than pursue them through the narrow lens of data protection. We need to work collaboratively with a wide range of stakeholders to ensure that we get the right approach. The noble Baroness, Lady Kidron, for example, was among those who attended the parliamentarians’ round table on the internet safety strategy, which she mentioned, hosted by the Secretary of State last week. We are engaged on this issue and are not pursuing the work behind locked doors. These specific amendments, however, are not the right course of action to take at this time.
Baroness Kidron
I thank everyone who has contributed to this fantastically supportive debate with their very interesting comments. I am grateful to the Minister for saying that he is sure that we will return to this issue.
I am going to try to tackle a couple of points, but I do not have the organising skills with all my pieces of paper to pick up on what all noble Lords have said. I think there is a bit of a muddle in the Room about this approach, which is aimed deliberately at all data controllers. Those people who have for many years been designing with children in mind will have less far to go to meet the regulations than the people who have not been thinking about children at all. I am deliberately saying that it is a data question; I believe it to be one. This is not supposed to be in the gift of a few big companies; these amendments are supposed to deliver what children deserve and need in the digital environment. It is excellent that it is in a data environment, because it becomes a price of doing business. To the people who have misunderstood the point, we are saying that it will be unlawful to process data unless you provide these services—and, when that is the case, just watch the gold rush toward smart age verification. If children’s data is being processed unlawfully, we would expect there to be some sort of enforcement. I admit to the Minister that our amendment could perhaps do with a bit more work on enforcement and what that might look like.
Secondly, I want to make a point about resilience and education. I believe we are about to discuss education, which is an enormous component of online safety and resilience for children. But we must not make the mistake of thinking that children have to adapt to the needs of data controllers; it is data controllers who must meet the needs of children. That is what these amendments are about. I am absolutely committed to working with the Government, because all their public pronouncements on this subject are in that direction. We have to make it work, so that at least some of the work is done on the other side of the equation. I am unhappy about it being put in the context of getting a few big companies paying for some digital champions. In fact, I was very concerned that the Secretary of State chose to announce the internet safety strategy alongside Facebook, which has a programme it charges schools for that also teaches young people to be very good Facebook users. Before we get to that point, arm in arm with some of these people, we must first work out what our standards are. That is the role of this House. It may not be outsourced to Silicon Valley; that is not appropriate.
On data controllers raising the age, it is worth noting that nearly 3 billion people are online and one-third of them are under the age of 18. That is not a marginal group; that is a huge group. I find it hard to believe that data controllers will abandon that consumer group, just because we have asked them to behave a little better and be a little more moderate in the data they are taking. Again, regulatory compliance is a cost of doing business. Every business has it; this is just another example. I want to discuss this issue with the noble Baroness, Lady Howe, and write to her. She made some excellent points; some of them were perhaps on the misunderstanding of whether such compliance was for everybody or just some sites. I absolutely support her on the question of evidence and evidence-based legislation in this area; I do an immense amount of research work with children and academics. I agree with her, and will write to her in detail because her points were so specific.
Finally, I hope that the Minister, Matt Hancock, will forgive me for quoting him one more time. He said that the Bill’s purpose was to give,
“consumers confidence that Britain's data rules are fit for the digital age in which we live”.
I do not think that having millions of young kids in the United Kingdom treated as adults is a fit outcome for the digital age. I welcome the noble Lord’s clear sign that he is willing to talk to us. I will definitely be doing that. I hope he will also show me his legal opinion, as well as wanting to see mine. With that, I beg leave to withdraw the amendment.
Lord Knight of Weymouth
My Lords, does the Minister agree with the noble Lord, Lord Storey, that PSHE would be the most appropriate way to educate young people about data rights? If so, I note that the Secretary of State, Justine Greening, has today announced that Ian Bauckham will lead the review on how relationship and sex education for the 21st century will be delivered. Can the Minister, who is clearly prepared to think about this appointment today, ask whether it is within his scope to think about how data rights education may be delivered as part of that review, and whether the review will draw on the work of the previous person who reviewed the delivery of PSHE, Sir Alasdair Macdonald, the last time Parliament thought that compulsory SRE was a good idea?
Baroness Kidron
I support the amendment. I was on the House of Lords Communications Committee, to which the noble Lord just referred. We recommended that digital literacy be given the same status as reading, writing and arithmetic. We set out an argument for a single cross-curricular framework of digital competencies—evidence-based, taught by trained teachers—in all schools whatever their legal status.
At Second Reading, several noble Lords referred to data as the new oil. I have been thinking about it since: I am not so certain. Oil may one day run out; data is infinite. What I think we can agree is that understanding how data is gathered, used and stored, and, most particularly, how it can be harnessed to manipulate both your behaviour and your digital identity, is a core competency for a 21st-century child. While I agree with the noble Lord that the best outcome would be a single, overarching literacy strategy, this amendment would go some small way towards that.
Lord Puttnam
My Lords, I add my voice to that of the noble Baroness, Lady Kidron. President Clinton memorably said that the first step in solving a problem is recognising there is one. If anyone does not believe there is one, we rehearsed some of it in the previous debate; I would also advise them to watch two very recent TED Talks by Zeynep Tufekci and Sam Harris. If, having seen these, they can convince themselves there is not a serious and urgent problem, then their judgment is very different from mine.
I will speak for a couple of moments on this because I regard it as a very significant issue. Karl Marx—who knew a thing or two—said that if you change the dominant mode of production that underpins a society, the social and political structure will change, too. I believe we have changed the fundamental mode of production that underpins society. It is now called digital. We have to address that and we are not addressing it anything like seriously enough. There are two issues I would like to raise, and if there is a note of frustration in my voice, I apologise.
In 2003, through very torturous processes in this House, we managed to persuade the then Labour Government to impose a duty on Ofcom—and I spend most of my life defending Ofcom—which was very clear; it was laid out by the noble Baroness, Lady Jay, at Second Reading. Ofcom was given the specific duty of promoting media literacy. The wording was that Ofcom was required,
“to bring about, or to encourage others to bring about, a better public understanding of the nature and characteristics of material published by means of the electronic media”,
and,
“to bring about, or to encourage others to bring about, a better public awareness and understanding of the processes by which such material is selected, or made available, for publication by such means”.
Fifteen years later, in respect of these duties, Ofcom has wholly failed. By taking a very narrow, technical view of its responsibility, it has done almost nothing to promote notions of digital literacy in the electronic media. If we are not careful, the same will happen in the digital world. The noble Baroness, Lady Lane-Fox, used a much better phrase than “digital literacy”. She used the phrase “digital understanding” in a recent debate in your Lordships’ House. That is really what this is about.
To emphasise something that the noble Baroness, Lady Kidron, said, this is all about data. Ten days ago in Los Angeles, Lachlan Murdoch—who I think also knows a thing or two about this business—said the following:
“We’re in the beginning of an incredible transformation … we’re in the first months of something that will have a multi-decade life and future. Businesses that have large data sets and robust data sets will be the companies that win in the future”.
Every company in Silicon Valley and every communications company in the world knows that. This is why this is such a fundamental issue.
To my delight and surprise, the Italians appear to have picked up on this. In the New York Times of 18 October there is a long piece about a new law that was passed on 31 October by the Italian parliament that entirely acknowledges that young people have to have a far greater understanding of the modes of information, the nature of information and the ramifications of information than is presently the case. Some 8,000 schools in Italy are now receiving instructions on how to get across to children the seriousness and importance of, first, the manner in which they give and use their data and, secondly, the means by which they are informed.
Finally, in a very recent book Move Fast and Break Things by Jonathan Taplin, a man I happen to know, he says:
“Part of our role as citizens is to look more closely at the media surrounding us, think critically about its effects, and whose agenda is being promoted”.
I put it to your Lordships that every single front page of every newspaper over the past four months has made this extraordinarily evident. In the words of the noble Baroness, Lady Lane-Fox, we are “sleepwalking” into a situation over which we have little control and of which the companies that do have control are not taking sufficient notice. As proved by the Communications Act 2003, you can crunch out the best possible wording and it is still possible for that wording to have absolutely no lasting effect on society as a whole.