Thursday 20th June 2019

Lords Chamber
Lord Ashton of Hyde

Yes, we will take action as soon as possible. As I explained, after the three or four months with the EU in draft are up, we will immediately proceed with laying it before Parliament. The delay is then the 40 days that it has to lie. As soon as it gets through both Houses of Parliament, it will be in force. We certainly intend to go through with it as soon as possible. The noble Baroness might like to check Hansard. She said that it was an “unavoidable mistake”; I have to confess it was an avoidable mistake. We should have avoided it and should avoid it in future. I also confirm that this was a mistake and the delay is in no way related to privacy concerns. That does not mean we are not taking privacy seriously. The additional voluntary certification scheme is important. We take privacy seriously, but that was not the reason for the delay.

The Earl of Erroll (CB)

I also regret this and am very sad about it. We have already been waiting for two years. Talk about dragging feet on this; I cannot believe it takes so long. I do not understand what the problem is with the guidance on age-verification arrangements. I have read it again and it does not contain anything technical. It lays out some fairly obvious things in plain English; it talks about various aspects of this and ends up saying that the Government would like to set up a voluntary certification scheme. That is about it; there is no technical stuff in there at all, so I am not sure why this is being used as an excuse to delay further. Could it possibly be because the BBFC has just launched a certification scheme that is really only about data protection? That is not its job; it is deliberately excluded from the Digital Economy Act. Data protection is the job of the Information Commissioner’s Office, which can levy huge fines. The BBFC is meant to be worrying about age verification and the protection of children online. Why is its certification scheme not about that? Its scheme is very heavyweight on the GDPR—or DPA 2018—stuff. Does it, therefore, think it needs more time? Was this just an excuse to delay it a little further?

If the Government are to issue new guidance in the autumn, I hope they will look at the British Standard. I also hope they will talk to the age-verification providers. They know how to do this, and how to do it anonymously. This is why, looking at the guidance, the BBFC says that the websites should not do it themselves. People bounce off, get verified elsewhere and get an anonymous, encrypted token back to prove they have done it. There is no problem or technical glitch with this. The Home Office may need to start talking to people who know how to do it; this really worries me.

The certification scheme is a good idea, so the websites know that the age-verification providers are all covered correctly. You need the GDPR stuff in there, but can it please be primarily about age verification and not be ridiculously expensive? At the moment, we are looking at £20,000 a pop for the scheme that the BBFC is proposing. A proper scheme, using the BEIS guidance, through the UK Accreditation Service, would have done a proper accreditation for certification providers for a quarter of the price or less. The Government have wasted a lot of money setting this scheme up and a lot of other people will waste a lot of money trying to get certification. As it is not really for age verification, it gives no guarantees of safety. Why are the Government doing it this way? As the whole thing is voluntary anyway, and certification not compulsory, why are they still delaying? Why does the BBFC not just start enforcing on 15 July? People are not going to put in age verification. Why disadvantage yourself, at extra cost, when you have no reason to do so? The websites will not do it until the last minute. In the meantime, the age-verification providers, which are all ready to go, are suffering economically very badly as a result of this delay.

Lord Ashton of Hyde

First, this is not an excuse for delaying. The legal advice that the BBFC has received, confirmed by the legal advice that my department has received, is that the guidance needs to be notified to the EU under the technical standards and regulations directive. The other two measures do not, so we are laying only the ones that we need to. I cannot give the noble Earl chapter and verse about the legal reasons today, but I can assure him there was no doubt about it. It was not even 50:50; it was absolutely correct. If there was any other way that we could have done it, without delaying it for this long, we would have done so.

We do not believe that money has been wasted in preparing this: we think that age verification is what Parliament asked for and what the majority of Members of both Houses want. That is the way it has been set up. Although it is technically quite difficult, it is not incompatible with the regulation of the ICO. The ICO, as the noble Earl rightly said, is responsible for data privacy and personal data breaches. The age-verification system is set up to comply with the GDPR and the Data Protection Act. The additional voluntary certification scheme—which is voluntary—is a further reassurance to users that even higher standards than the minimum standards of the GDPR apply. So I think it is correct that we continue with it.

As for why we are having to delay this measure, if we bring in age verification now, it will be unenforceable in UK law, because it will have been incorrectly proceeded with against EU law and against the technical standards and regulation directive. Unfortunately, we have concluded that there is no choice but to delay it.