Online Pornography: Age Verification
Earl of Erroll Excerpts(4 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Baroness Barran
The noble Lord is right that children are exposed to harmful pornography every day. I heard a statistic recently that half a million images are uploaded on to social media, I think, on a daily basis. If that is wrong, we will correct it. Shocking things are going on. The noble Lord will be aware that the original Digital Economy Act did not cover social media, so we really hope that this will be more comprehensive. We are doing a number of things in the meantime, such as sex and relationships education—helping children understand the impact of pornography—and we hope to introduce soon the age-appropriate design code, which was included in the Data Protection Act thanks to the noble Baroness, Lady Kidron.
The Earl of Erroll (CB)
Why is DCMS against protecting children from absorbing unsavoury sexual practices at a formative age? I do not understand why it wants to delay so much. Most adult websites are onside for doing something and adopting age-verification controls, as long as rivals are compelled to do so as well. There has been a lot of publicity about this in that world, I am assured. Over a year ago, I chaired BSI Publicly Available Specification 1296 on how to do this anonymously and check anyone’s age online, so it can also be used for other child-protection issues. It also worked with the Home Office online harms issues. It will protect people’s privacy, which is what everyone is worrying about. The Home Office is not charged with our children’s mental health. Equally, DCMS is not charged with data protection, which is what the BBFC has gone and done; that is the job of the ICO. We can sort all this out. The stuff is there; you just need to implement it. The other real problem—
A noble Lord
The Earl of Erroll
Okay, right. The question was right at the start. Several AV providers have spent a lot of money on implementing this and getting it all ready to go. Who is going to compensate them? A lot of money has been spent to get this ready in time.
Baroness Barran
I refute as firmly as possible any idea that DCMS is against protecting children; clearly, that could not be further from the truth. On the work that I know the noble Earl has done in relation to introducing more digital ways of establishing age verification, we are working actively with the industry on that and absolutely recognise the potential role that technology can play. Those costs are not wasted, because age verification will clearly be part of any solution going forward.
Age Verification
Earl of Erroll Excerpts(4 years, 10 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
Yes, we will take action as soon as possible. As I explained, after the three or four months with the EU in draft are up, we will immediately proceed with laying it before Parliament. The delay is then the 40 days that it has to lie. As soon as it gets through both Houses of Parliament, it will be in force. We certainly intend to go through with it as soon as possible. The noble Baroness might like to check Hansard. She said that it was an “unavoidable mistake”; I have to confess it was an avoidable mistake. We should have avoided it and should avoid it in future. I also confirm that this was a mistake and the delay is in no way related to privacy concerns. That does not mean we are not taking privacy seriously. The additional voluntary certification scheme is important. We take privacy seriously, but that was not the reason for the delay.
The Earl of Erroll (CB)
I also regret this and am very sad about it. We have already been waiting for two years. Talk about dragging feet on this; I cannot believe it takes so long. I do not understand what the problem is with the guidance on age-verification arrangements. I have read it again and it does not contain anything technical. It lays out some fairly obvious things in plain English; it talks about various aspects of this and ends up saying that the Government would like to set up a voluntary certification scheme. That is about it; there is no technical stuff in there at all, so I am not sure why this is being used as an excuse to delay further. Could it possibly be because the BBFC has just launched a certification scheme that is really only about data protection? That is not its job; it is deliberately excluded from the Digital Economy Act. Data protection is the job of the Information Commissioner’s Office, which can levy huge fines. The BBFC is meant to be worrying about age verification and the protection of children online. Why is its certification scheme not about that? Its scheme is very heavyweight on the GDPR—or DPA 2018—stuff. Does it, therefore, think it needs more time? Was this just an excuse to delay it a little further?
If the Government are to issue new guidance in the autumn, I hope they will look at the British Standard. I also hope they will talk to the age-verification providers. They know how to do this, and how to do it anonymously. This is why, looking at the guidance, the BBFC says that the websites should not do it themselves. People bounce off, get verified elsewhere and get an anonymous, encrypted token back to prove they have done it. There is no problem or technical glitch with this. The Home Office may need to start talking to people who know how to do it; this really worries me.
The certification scheme is a good idea, so the websites know that the age-verification providers are all covered correctly. You need the GDPR stuff in there, but can it please be primarily about age verification and not be ridiculously expensive? At the moment, we are looking at £20,000 a pop for the scheme that the BBFC is proposing. A proper scheme, using the BEIS guidance, through the UK Accreditation Service, would have done a proper accreditation for certification providers for a quarter of the price or less. The Government have wasted a lot of money setting this scheme up and a lot of other people will waste a lot of money trying to get certification. As it is not really for age verification, it gives no guarantees of safety. Why are the Government doing it this way? As the whole thing is voluntary anyway, and certification not compulsory, why are they still delaying. Why does the BBFC not just start enforcing on 15 July? People are not going to put in age verification. Why disadvantage yourself, at extra cost, when you have no reason to do so? The websites will not do it until the last minute. In the meantime, the age-verification providers, which are all ready to go, are suffering economically very badly as a result of this delay.
Lord Ashton of Hyde
First, this is not an excuse for delaying. The legal advice that the BBFC has received, confirmed by the legal advice that my department has received, is that the guidance needs to be notified to the EU under the technical standards and regulations directive. The other two measures do not, so we are laying only the ones that we need to. I cannot give the noble Earl chapter and verse about the legal reasons today, but I can assure him there was no doubt about it. It was not even 50:50; it was absolutely correct. If there was any other way that we could have done it, without delaying it for this long, we would have done so.
We do not believe that money has been wasted in preparing this: we think that age verification is what Parliament asked for and what the majority of Members of both Houses want. That is the way it has been set up. Although it is technically quite difficult, it is not incompatible with the regulation of the ICO. The ICO, as the noble Earl rightly said, is responsible for data privacy and personal data breaches. The age-verification system is set up to comply with the GDPR and the Data Protection Act. The additional voluntary certification scheme—which is voluntary—is a further reassurance to users that even higher standards than the minimum standards of the GDPR apply. So I think it is correct that we continue with it.
As for why we are having to delay this measure, if we bring in age verification now, it will be unenforceable in UK law, because it will have been incorrectly proceeded with against EU law and against the technical standards and regulation directive. Unfortunately, we have concluded that there is no choice but to delay it.
Ofcom: RT News Channel
Earl of Erroll Excerpts(5 years, 3 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
I completely agree with the noble Lord. That is why I said in my initial Answer that it is right for Ofcom to make decisions without government interference.
The Earl of Erroll (CB)
My Lords, the Minister is right that Ofcom is not responsible to the Government. but am I right in saying that it is responsible to Parliament?
Lord Ashton of Hyde
I am not sure; I do not know whether it is responsible in a statutory sense but of course ultimately Parliament can decide what it wants. The main point is that, in a democratic society such as ours, the regulator of the news and of broadcasters should not be linked to government, especially the Executive. That is the situation we have now and I believe that it is working well.
Online Pornography (Commercial Basis) Regulations 2018
Earl of Erroll Excerpts(5 years, 4 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
The Earl of Erroll (CB)
My Lords, I want to say a few words before the summing up. We need to remind ourselves that the purpose of these regulations is to protect children, including those coming up to adulthood. We are trying to prevent them thinking that some fairly unsavoury habits that are not medically good for them are normal. That is the challenge. These websites have teaser adverts to try to get people drawn into pornography sites to buy harder-core or more detailed pornography. We are not trying to do anything about people who are willing to enter into a payment arrangement with the site but to make sure that children are stopped at the front end and are prevented from seeing the stuff that will give them the wrong impression about how you chat to a girl or a girl chats to a boy and how you behave with members of the same sex or the opposite sex in a sexual relationship. We need to be quite quick on this sort of stuff because if we are going to try to stop this being widespread we need to block it.
There is an awful lot of guff in this. It has taken a long time for these regulations to get here—we really expected them about a year ago. I do not know what DCMS has been doing during this time. I know it had some draft guidelines a long time ago, but perhaps they were so young that they were uneducated too and tried to learn about these things—I do not know.
The point about the adverts is they sit there in front. We are probably going to have buttons on the front of the website stating that people have to verify their age. That will take people off, probably to third-party sites which know them and anonymously verify that they are over 18 and that is when they can get into the website. However, the website is going to want to put something up for that first encounter. I wonder whether this is not an opportunity to think positively and perhaps put up something about understanding the beginning of a relationship and how you can get excited and go forward without going to the harder aspects which involve penetrative sex et cetera. There may be an opportunity there. That is a bit of a red herring because we are talking about the regulations, but it may be a positive thought for the future.
The thing that worries me particularly is paragraph 2.5 of the BBFC guidance which refers to sites that are,
“mostly frequently visited, particularly by children”,
and are,
“most likely to be sought out by children”.
Social media may not be marketed as carrying or giving access to pornography, but it does so on a huge scale. This one-third rule is very odd because it is easily abused. There are about 39 million UK users of Facebook, so do we say that if 12 million are putting up pornography that is okay because it is under the one-third threshold? Earnings would be very hard to measure, given Facebook’s turnover, so how are we going to do the one-third? It is very odd. The purpose of this is to protect children, so I do not think we should be having very high thresholds to let people get away with it.
There are two things that really worry me. Paragraphs 2.6, 2.7 and 2.8 of the guidance are on enforcement. It is going to be very slow. By the time the BBFC has sent out a warning and it is received, given another notification, published this, waited for the website to write back, et cetera, how long will it take? Websites that want to get round it will game the system. If they start doing that, the big websites—they are on side with this and want to help because they have got teenage children and are not paedophiles but are trying to sell adult pornography to adults and therefore want to help, believe it or not—will lose too much business; they will have to go with the flow and play the same game, in which case the whole thing will get wrecked.
If the Internet Watch Foundation, without a true legal basis, can get sites blocked immediately, why cannot we, with proper law? Everyone has had warnings about it. The whole of the industry around the world has apparently been talking about it for the past year. The BBFC has spoken at such events. Everyone knows, so I cannot understand why we cannot act more quickly and go live from day one. If anyone does not comply, that is bad luck. We could set up some pre-notification stating: “If you do not comply by tomorrow, you have had it”.
The other matter is the certification scheme, which is voluntary. A big hole is that because this is under a DCMS Bill, it could not touch privacy and data security. That is an ICO responsibility. The security of people’s data is regulated elsewhere, and the ICO has only recently started to show an interest in this, because it is overloaded with other things. There is now a memorandum of understanding between the BBFC and the ICO, which is very good. They could be brought together in a certification scheme. The BBFC cannot enforce data security and privacy, because that is an ICO responsibility, but a certification scheme could state that a site cannot be certified unless it complies with all the legal standards—both the Data Protection Act 2018, which the ICO is looking at, and the BBFC rules on age verification for websites and providers. That could be good.
If your Lordships want to know how to do it, I fear I shall give a plug for the British standard for which I chaired the steering group, BS 1296; it includes a whole section on how to do the GDPR stuff, as it was then called. We could not mandate it in the British standard because other standards mandate it, but that tells you how to do it.
The certification needs to be clear, otherwise there will be a whole lot of wishy-washy stuff. I am not sure that a voluntary scheme is a good idea, because the BBFC will have a lot of hard work trying to check sites that decide not to comply, so it will have to certify them by another method. That will be difficult.
However, at the end of the day, there is a lot of willingness between all the parties to try to get this to work. The world is watching us—quite a few other countries are waiting to see whether this will work here. That will help enormously. We should try to get a lot of cross-stakeholder information and co-operation, a round table of all interested parties from child protection all the way through to those running the adult sites. Perhaps some good could come out of that. Certainly, everyone wants to help the BBFC and DCMS, the parent body. Everyone wants to help the ICO. We would like to get this to work: there is a lot of good will out there if only we could get moving to make it work properly.
Lord Clement-Jones (LD)
My Lords, we on these Benches want the regulations and draft guidance to come into effect. The child protection provisions are a significant element of the Digital Economy Act which, although not entirely in line with what we argued for during its passage, we supported in principle at the time and still do, while realising, as my noble friend Lord Paddick said, that they are not the conclusive answer to children’s access to pornography. As he also said, a number of areas need to be addressed in the course of today’s debate.
For a start, as several noble Lords said, it seems extraordinary that we are discussing these sets of guidance nearly two years after the Digital Economy Act was passed and nearly a year after the Government published their guidance to the regulator, the BBFC. What was the reason for the delay?
Next, there is the question of material that falls within the definition of being provided on a commercial basis under the Online Pornography (Commercial Basis) Regulations, the subject of today’s debate. Several noble Lords mentioned this. As drafted, they do not currently include social media or search engines and on these Benches, we regret that the Government have decided to carve out social media from the definition. This is a potentially significant loophole in the regime. It is important that it is monitored and addressed if it damages effectiveness. It is in particular a major concern that social media and search engines do not have any measures in place to ensure that children are protected from seeing pornographic images.
The Secretary of State’s guidance to the AV regulator asks the BBFC to report 12 to 18 months after the entry into force of the legislation, including commenting on the impact and effectiveness of the current framework and changes in technology which may require alternative or additional means of achieving the objectives of the legislation. In addition, under Section 29 of the Digital Economy Act, 12 to 18 months after the entry into force of the scheme, the Secretary of State must produce a report on the impact and effectiveness of the regulatory framework.
This is therefore a clear opportunity to look again at social media. The Government have made some reference to legislating on social media, but it is not clear whether they intend to re-examine whether the definition of commercial pornography needs to be broadened. Can the Minister assure the House that this will be dealt with in the internet safety White Paper, that the Secretary of State’s report will cover the level of co-operation by services such as social media and search engines, which are not obliged to take enforcement action on notification, and that, in doing so, it will firmly tackle the question of access by children to pornography via social media?
Next is the question of resources for the age-verification regulator. This is a completely new regime, and with fast-changing technology, it is vital that the BBFC, as the AV regulator, has the necessary financial resources and stable grant funding to meet the important child protection goals. Can the Minister assure us that the Government will keep resources available to the BBFC in its AV regulator role under review and undertake explicitly in the Secretary of State’s annual report to deal with the question of resources enabling the BBFC to carry out its work?
Next is the question of the BBFC having chosen to adopt a voluntary scheme. On these Benches, we welcome the voluntary scheme for age-verification providers referenced in annexe 5 to the draft Guidance on Age-verification Arrangements. In fact, it bears a striking resemblance to the scheme that we proposed when the Act was passing through Parliament, which would have ensured that a scheme involving third-party companies providing identity services to protect individual privacy and data security would be engaged. As I recall, the noble Earl, Lord Erroll, helped greatly in convening providers of digital identity schemes to show what was possible. I think he is still ahead of us today.
Our key objections were that what was originally proposed did not sufficiently protect personal privacy. The BBFC is to be congratulated on establishing the certification scheme. As I understand it, it already expects all the major providers to undertake the certification process. Furthermore, because the scheme is voluntary, these assessments will be for foreign-based as well as UK providers, which is a major achievement and could not be accomplished with a UK statutory scheme.
The key to the success of the voluntary scheme, however, is public awareness. I hope that the Minister can tell us what DCMS is doing to support the promotion of the BBFC’s kitemark in the three months before the scheme comes into effect.
Next, there are the JCSI criticisms set out in its report on 28 November. This House rightly always takes the criticisms of the JCSI seriously, and the Minister set out a careful response to them. I do not always pray a government memorandum in aid, but the BBFC was following the Secretary of State’s guidance to the AV regulator. Under the terms of Section 27 of the Digital Economy Act, as a result of amendments in the Lords during its passage, the BBFC was charged with having regard to the Secretary of State’s guidance. The JCSI suggests that the BBFC could have chosen to ignore “incorrect” Secretary of State guidance, but that would have put it in an impossible position.
I shall not adumbrate all the different areas, but the inclusion of what was necessary in compliance with Section 27, the advice on best practice, the annexe setting out the voluntary scheme and the role of the ICO all seem to be helpful as part of the guidance and proportionate in terms of what the AV regulator prioritises.
There are a number of other aspects of these sets of guidance worthy of mention too. As we have heard, this age-verification framework is the first of its kind in the world, and there is international interest in it. Are the Government discussing with the BBFC what lessons there are in terms of encouraging robust AV for younger age groups and for other types of potentially harmful content? Will the Government use the expertise developed by the BBFC as the age-verification regulator in the internet safety White Paper?
Lord Ashton of Hyde
I had not forgotten that. It would obviously be difficult for me to commit to finding the necessary time but I will take that back to the department. I am not sure that it is currently within the plans of the Chief Whip to bring forward that legislation but I will ask. I understand the point that is being made but, as I said, the issue may well be covered within the review. I am afraid I cannot go any further than that tonight.
As for ancillary service providers, the BBFC and the DDCMS have been engaging with several companies. They have already agreed to act, as doing so is in line with their current terms of service. Therefore, we are optimistic that the voluntary approach will work, and of course that will be reviewed.
The right reverend Prelate, the noble Earl, Lord Erroll, and others talked about the rationale for choosing one-third of content as the appropriate threshold. During the passage of the Bill, it was established that the focus should be on commercial pornography sites and not on social media. There were good reasons for that but I do not want to revisit them—that is what was decided. The one-third threshold was regarded as proportionate in introducing this new policy where sites make pornography available free of charge. However, websites that market themselves as pornographic will also be required to have age verification, even if less than a third of the content is pornographic.
A third is an arbitrary amount. It was discussed and consulted on, and we think that it is a good place to start on a proportionate basis. We will keep this matter under review and, as I said, it will be one of the obvious things to be taken into account during the 12 to 18-month review. The noble Lord, Lord Morrow, asked how it will be measured. It will be measured by assessing the number of pieces of content rather than the length of individual videos. It will include all pornographic images, videos and individual bits of content, but the point to remember is that the threshold is there so that a decision can be made on whether it is reasonable for the regulator to assume that pornographic content makes up more than one-third of the entire content. This will be done by sampling the various sites.
The noble Earl, Lord Erroll, asked about ISP blocking and suggested that everyone would try to game the system to get out of meeting the requirements. That is not what we believe. The BBFC has already engaged with ISPs and we are confident that this will be an effective sanction. The wording in the guidance indicates that the regulator should take a “proportionate approach”. However, we are grateful for the noble Earl’s help. I am sure that he will also help during the review and later in the process when it comes to online harms. I see that he wants to help now.
The Earl of Erroll
It is not the ISPs that I am worried about; it is the websites that will game the system on notification, appeals and so on. That is the bit that will take a long time.
Pornographic Websites: Age Verification
Earl of Erroll Excerpts(5 years, 6 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Ashton of Hyde
The noble Lord is of course right that age verification itself is not the only answer. It does not cover every possibility of getting on to a pornography site. However, it is the first attempt of its kind in the world, which is why not only we but many other countries are looking at it. I agree that sex education in schools is very important and I believe it is being brought into the national curriculum already.
The Earl of Erroll (CB)
Why is there so much wriggle room in section 6 of the guidance from the DCMS to the AV regulator? The ISP blocking probably will not work, because everyone will just get out of it. If we bring this into disrepute then the good guys who would like to comply probably will not; they will not be able to do so economically. All that was covered in British Standard PAS 1296, which was developed over three years. It seems to have been totally ignored by the DCMS. You have spent an awful lot of time getting there, but you have not got there.
Lord Ashton of Hyde
One of the reasons this has taken so long is that it is complicated. We in the DCMS, and many others, not least in this House, have spent a long time discussing the best way of achieving this. I am not immediately familiar with exactly what section 6 says, but when the statutory instrument comes before this House—it is an affirmative one to be discussed—I will have the answer ready for the noble Earl.
Particulars of Proposed Designation of Age-Verification Regulator
Earl of Erroll Excerpts(6 years, 3 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones (LD)
My Lords, I have no great argument with the particulars and the designation of the BBFC as the age-verification regulator. Indeed, we had some debates on this. I know that we may have some differences with the Labour Front Bench, but we think that the BBFC is fit for this particular purpose and will carry out the job effectively. Conversations we have had have convinced us of that. Another aspect that is beginning to be unpacked is the appeals system. Although of course we put down amendments on the question of the independence of the age-verification regulator, we think that the appeals system being set up, which is qualified in the Act—we would have preferred it not to be qualified—will be fit for purpose as well.
I want to revert to something that may strike both the Minister and Members on the Labour Front Bench as rather déjà vu: the question of the specification of the type of age verification that is required, or not, by the age-verification regulator. When we talked about this issue in Committee—indeed, amendments on it were laid on 2 February 2017 in Committee and on 20 March on Report; my noble friend Lord Paddick had a particular role in that—we were very concerned on both occasions that the age-verification methods were not going to be specified in enough detail in the Bill. It did not appear that they would be specified in any great detail in the draft guidance.
Flash forward a year and I am afraid that nothing has changed. The Minister may remember that, back in January, the Select Committee on the Constitution said:
“We are concerned that the extent to which the Bill leaves the details of the age-verification regime to guidance and guidelines to be published by the as yet-to-be-designated regulator adversely affects the ability of the House effectively to scrutinise this legislation”.
We have not moved on a great deal. If we look at the details of what I have found—which appears to be the up-to-date draft of the government guidance on the age-verification regulator—under chapter 3, paragraph 4, there is this statement:
“The regulator is not required to approve individual age-verification solutions. There are various ways to age-verify online and the industry is developing at pace. Providers are innovating and providing choice to consumers”.
That is exactly the same wording as in the draft guidance last year and quoted by my noble friend Lord Paddick on 20 March. That is extremely disappointing. It appears that the age-verification regulator will play an incredibly light-touch role in the approval of the type of age-verification that takes place.
Of course, later in chapter 3—which is headed “Age-verification arrangements”—it describes,
“the expectation that age-verification services and online pornography providers should take a privacy by design approach as recommended by the ICO”.
I have the privacy by design guidance from the ICO in front of me and I must say, if I was an age-verification provider, I would not find it particularly onerous, in terms of requiring me to try to find an anonymised age-verification solution. I find the Government’s guidance, as per Section 27 of the Act, extremely disappointing. I very much hope that the Minister can explain whether the ICO will have a role in this, what the impact of privacy by design is, in terms of enforcement, and whether the ICO will have the ability to impose a privacy impact assessment—or even a data impact assessment—on the object of the age-verification regulator’s regulation. Perhaps at the same time the Minister can explain in this particular space the boundary between what the ICO is empowered to do and what the age-verification regulator will be doing.
I am sorry to have to be disappointing in that respect, but I think that as part of the wider landscape—a matter we discussed last year—where we have got to is not particularly satisfactory if the general purpose of the age-verification regulator is to make sure that age-verification really works and that there is not the access for young people to these pornography sites that the Act was designed to prevent.
The Earl of Erroll (CB)
My Lords, I want to say a few words. I was quite involved in this issue when it was going through as part of our consideration of the Digital Economy Act. The Digital Policy Alliance, of which I am chairman, has had a working group on age verification for several years, looking at whether there are available solutions and encouraging people to develop them. I am pleased to tell the noble Lord, Lord Clement-Jones, that there are some solutions out there. I will explain something about that.
The only thing I want to say is that the Act received Royal Assent on 28 April, I think, so it has taken a very long time to get this guidance in place. That is a bit of a worry and a bit of a disappointment. I seem to remember that there was an intention to try to have enforcement within a year, otherwise there would be a huge great gap in the meantime. We are trying to protect children after all; that was the whole point of this. Waiting for a year—it will probably now be longer—is an awfully long time not to have protection in place.
I am very glad that the BBFC is finally about to get some teeth, get into operation and do something about this, which I am sure it will do extremely well. I know that it has been consulting an awful lot with a lot of different people from all the different sides, from child protection right through to the adult industry. The interesting thing is that quite a lot of the adult industry is happy to help and to co-operate, because it does not want children wasting its time. It is not in the job of trying to pervert children, but of trying to sell adult content to adults, so it is willing to co-operate. The world is watching. There is apparently now a willingness to realise that this will happen and to co-operate to a large extent.
The noble Lord, Lord Clement-Jones, has put his finger on the point about age-verification methods: they have to work and to do various things. I say to him, though, that there is a difference between the bit that is checking the attribute—the age—and the bit about privacy, which is not identifying who the person is to a website and to a casual visitor to that website. It would be career-limiting were it to be found out that the noble Lord himself was visiting an adult content site, even though it would be totally legal for him to do so. Therefore, it is important to ensure that privacy happens at that point, which is the ICO’s part. It is not the ICO’s job to say how age verification should be done. That is a different job.
In fact, we have developed, along with the British Standards Institution, a publicly available specification, PAS 1296, which should be coming out quite soon. It has been around the houses several times and has been revised. That should allow it to be possible for an organisation to see for itself how well it is doing. It might be that an industry body should be set up that can check whether age-verification providers are doing something in alignment with the PAS, which goes into great detail about how you can do these things and make sure that it can be privacy enforcing. The privacy side is left up to the GDPR, but it is mentioned in there as well.
Those are the main points that I wanted to make. It is time to get on with this. It is a huge leap forward. As I said, the world is watching. A whole lot of good will is out there to get this done properly. I look forward to seeing the final draft regulations, which will probably do the job.
Lord Stevenson of Balmacara (Lab)
My Lords, are we not back in familiar territory? We seem to spend a lot of time on these important issues, first on the Digital Economy Act, then substantial work, discussion, debate and thinking in the debates on the Data Protection Bill. I will disappoint the noble Lord, Lord Clement-Jones, by agreeing with most of what he said. He has a good point about where the boundaries between privacy and the processes described in the Digital Economy Act come to bear. There is room for a variety of approaches here. This is not an easy issue to address. I am not going to go back over the ground he covered—I look forward to hearing what the Minister will say about that—so I will go into some constitutional issues.
I have two general questions that might be important as we continue with this. One was touched on by the noble Earl, Lord Erroll, in his concluding remarks. Is it not the case that, when the Data Protection Bill, which brings in the GDPR, becomes an Act in May, we have inserted into it a requirement that those who operate on data subjects’ information relating to age have to do so in a way that is age-appropriate, otherwise the design has to change? In a sense, is this not the other half of the equation about blocking those who provide material by requiring those who are preparing and disseminating material to have it in a way that will not lead to the problems that were discussed so graphically about what happens to children, who we want to protect, who stumble across material that should be behind an age-verification system? In that sense, age-verification seems to be a bit like shutting doors after horses have bolted. We have to get the design right. If it is right, there will be no such question about people stumbling on to things, because if they go through an ISP or any form of social media provision, such as Facebook and similar arrangements, their progress would be age-designed and could be managed that way. Can the Minister reflect on that? He may well argue that this is the sort of thing that needs to be addressed by a yet to be established data ethics commission. He would probably be right.
Lord Ashton of Hyde
The noble Lord is absolutely right, and I apologise if I misled anyone. It is not the BBFC’s job to determine what is lawful. It is meant to implement the law. The debate that I think we will have when the regulations come to this House will be on the decisions that will have been taken on what is pornography available for commercial purposes. The definition of what is unlawful will be under the extreme pornography definition within the existing Act.
The Earl of Erroll
Leading on from that, I remember from the debates that the trouble was that the Obscene Publications Act was not aligned with the CPS guidance or with various other things. I presume therefore that some work will be done on this in the near future, otherwise I suspect that the BBFC will get into trouble. At the same time, because age verification may come into this too, presumably we will also try to align the internet stuff, which is what we have been talking about in the Digital Economy Act—broadcast, which is regulated differently, and video on demand, which I think is Ofcom’s responsibility at the moment. We really do not want different rules across all of those, so I hope we are going to get on with that.
Data Protection Bill [HL]
Earl of Erroll ExcerptsWednesday 10th January 2018
(6 years, 3 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-III Third marshalled list for Report (PDF, 153KB) - (8 Jan 2018)
Lord Clement-Jones (LD)
My Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:
“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.
That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.
I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.
The Earl of Erroll (CB)
I just want to ask briefly whether small organisations will also include clubs and societies. I do not know whether that has been dealt with before. For instance, I am the chief of Clan Hay and we have a Clan Hay society. It does not make money, but it has membership lists and branches abroad. I discussed it with the ICO before this came up, and it thought we would definitely have to comply. I hope we will be covered as a small organisation.
Lord Carlile of Berriew (CB)
My Lords, I have been involved from time to time in the creation of very small charities of a local nature, or have been involved in advising such organisations. I strongly support Amendment 106 moved by the noble Baroness. There is a real danger that, unless the ICO produces clear and simple pro formas that can be filled in quickly and easily by such organisations, they will be put off forming such charities, and local communities will thereby be deprived of great advantages that would be created by local citizens, which is something I understand the Government wish to encourage.
Data Protection Bill [HL]
Earl of Erroll ExcerptsWednesday 13th December 2017
(6 years, 4 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Stevenson of Balmacara
My Lords, I can be brief, I hope. Amendment 41A builds on a discussion held in Committee. We were trying to articulate, perhaps not very successfully but with some justification, the nature of the relationship between data subjects and data controllers when data is passed across for processing and use by that data controller. At that time my thinking was stimulated by work that we had read and heard about in relation to the idea that a person’s data could be given a personal copyright. That would open up to data subjects who are giving data to data controllers the rights that come with copyright ordinarily, such as a limited time—quite a long time, though—in which they have ownership and therefore are licensing their data for use. That could be subject to remuneration, as is very often the case in the creative industries where copyrights are used; they are used on a licensed basis for which remuneration is returned. If that were the case, one might also question whether copyright should be time-limited. That would put an end to the question of whether data subjects could withhold or retract their information in some sense, or rectify it so that it would not, therefore, be archived or go forward into other activities.
Since that time, a surprisingly large number of people have contacted me about this and offered advice and thoughts—not all of it helpful, I have to say. There seems to be a certain feeling that personal copyright is not the way to go forward on this, although I am still quite attracted to it. However, in that process I got a very interesting set of communications around the idea of data subjects becoming controllers of their own data; in other words, personal data controllers. This is a difficult concept. It seems to suggest that two characteristics are existing in the same time and space. Of course, the force will be with us when we get to this, but I am not sure I quite understand how it would happen. I think the problem has come because of the timeframe in which the GDPR was created. Preliminary debates took place in 2012 to 2014, and the GDPR dates from 2016 and will come in in 2018. We are talking about six to eight years since the original thinking, which is a very long time in cyberspace.
We have found that technology has moved ahead of us and the issue raised by this amendment, if I may be so bold as to suggest it, is that we will have to think quite hard about how individual data is used by data controllers, in the context not just of the Bill, but of the way in which the technology is moving. I fully expect the Minister to say that this is a blue-sky issue that needs to be picked up and looked at. Warm words will be offered and even a smile or two might glance its way across the Chamber to me and I will sit down in a miasma of happiness as a result, but the truth is that we need expertise and advice—this is not an easy concept, even if the force is with us. We will need to think harder about all these issues, including the points we have been talking about in terms of algorithms and automated use, in the context of people’s advancing rights and use of their data. It calls for a data ethics commission. The subject will come up again and I am sure that we will return to it on day three of Report, but in the interim I beg to move.
The Earl of Erroll (CB)
My Lords, this amendment has a lot of merit. For some time I have been discussing with certain people who know an awful lot about this, as has the noble Lord, the concept of agency: having control over your own information. It is a very important concept because the GDPR and the Bill are all about data processors looking after your stuff for you, but the real issue is having control over things that affect you. Why, if people are using it to make money out of you or on your behalf, should you not sell them that control in return for better access?
There are many issues around this that might suit a modern world in which your data can be useful, but to you, so that data processors do not just mine it and use it for their own purposes—you have control over it. This amendment has a lot of merit because it gives a foundation for us to start researching this. There is no compulsion here, but it could move us down a line whereby the data subject—the person in the street— suddenly gets some control over what happens when people research things for their own good. We are going to have to give away our location and other things to use most of these apps, so why can we not also control that and decide how to sell it to other people and benefit from it ourselves?
Baroness Kidron (CB)
I, too, support the amendment. I raised this issue at Second Reading and pointed to the work of the ethics committee of the IEEE, which has done a lot of work on this. This is not as blue sky as the noble Lord suggested; this is indeed the direction of travel.
Data Protection Bill [HL]
Earl of Erroll Excerpts(6 years, 4 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Puttnam (Lab)
My Lords, I add my voice in congratulating the noble Baroness, Lady Kidron, on her amendment and on the way it was presented. I will try to add additional value to the discussion. I, along with the noble Baronesses, Lady Harding, Lady Shields, and Lady Lane-Fox, have spent a lot of the time—in my case, 20 years—defending and promoting the tech industry. I believe in the tech industry and in its educational capacity and many of the developments it can produce. I also have many friends in the tech industry, which makes it doubly difficult. That is why I find it so difficult to understand why they are not part of this.
One reason, which is important but which has not been mentioned, is that these are the UK subsidiaries of major global businesses. When well-meaning people in the UK look at this problem and would probably like to address it, they get barked at down the phone by someone who has no conception of the strength of feeling in this House or in the UK and Europe, and so they do not get a sympathetic hearing. By passing this amendment, this House can send a message back to the west coast of the United States to say, “I’m very sorry—your values do not prevail here. We’re looking for something different: a tech industry that supports, enhances and encourages the type of society that we all want to be part of”. It is important to get that message back.
It is not just us saying that. David Brooks, the eminent journalist for the New York Times, ended his piece on 20 November by saying:
“Tech will have few defenders on the national scene. Obviously, the smart play would be for the tech industry to get out in front and clean up its own pollution”.
That is the intelligent view. The tech industry I have promoted and believe in will get out in front and understand the signal that is being sent from this House, and will begin to do something about it. It will be quite surprising what they can do, because in a sense we may well be helping the senior executives in Europe to get their message back to the west coast of the United States. That is one important reason why I support the amendment.
The Earl of Erroll (CB)
My Lords, I cannot add much to what the noble Baroness, Lady Kidron, said when she took us on her concise comprehensive canter through her amendments, but I will mention two things.
The first is in response to the noble Lord, Lord Arbuthnot, who is right to say that enforcement is essential, particularly because it is international—the internet is international. We faced this with Part 3 of the Digital Economy Act in trying to prevent children getting pornography. One of the things that became apparent is that the payment services providers are good on this sort of thing, and if it looks right and the community agrees it, they will withdraw payment services from people who do not comply. As most websites are out there to make money, if they cannot get the money in, they quickly come into line. So there may be some enforcement possibilities in that area, as it ends up being international.
The other thing we noticed is that the world is watching us in Britain because we are leading on a lot of these things. If we can make this effective, I think other countries will start to roll it out, which makes it much easier to make it effective. It is a big question because at the end of the day we are trying to balance the well-meaning desire of the developers and those producing these apps, who want to deliver a ubiquitous, useful utility everywhere, with the protection of the young. That is a difficult thing to do, which is why this has to remain flexible. We have to leave it up to someone who is very wise to get us there. If we get it right, this could be a very good step forward.
Lord Best (CB)
My Lords, I rise in support of these amendments, as if any further support were needed. I speak as the Member of your Lordships’ House who chaired your Communications Committee when we produced our report, Growing Up With the Internet. My noble friend Lady Kidron was a most distinguished member of the committee and greatly helped us in formulating our recommendations. Alongside support for parents and schools and other measures, the committee sought government intervention in curbing the poor practices of the organisations providing content and delivering the internet’s services to children, especially through social media. This group of amendments takes forward that central theme from the committee’s report, and I thank my noble friend and congratulate her on her foresight and tenacity in pursuing this. I also thank the Minister, backed by his Secretary of State, for supporting these amendments today.
The underlying significance of the amendments is that they establish a process for government—for society—to intervene in determining the behaviour of those responsible for internet services that can have such a huge impact on the lives of our children. In particular, the new process will cover the activities of huge global companies such as Facebook and Google, among the most prosperous and profitable organisations on the planet, which have the power, if only they would use it, to ensure the safety and well-being of children online. The process set in train by these amendments involves empowering the Information Commissioner to set the standards that all the key players will be expected to adopt or face significant sanctions. The amendments mark a necessary shift away from depending on good will and purely voluntary self-regulation. They represent a breakthrough in holding to account those mighty corporations based far away in Silicon Valley, to which the noble Lord, Lord Puttnam, made reference, and others closer to home. It is good to see major organisation such as Sky and TalkTalk supporting such a change, alongside the major charities such as the NSPCC.
Your Lordships’ Communications Committee and the whole House owe a huge debt of gratitude to my noble friend Lady Kidron for so diligently taking forward the arguments that have led to the significant change which these amendments herald. I know that the committee, as well as all those concerned with the safety and well-being of the nation’s children, will greatly welcome this big step towards ensuring better behaviour from all the relevant commercial enterprises. I suggest that this is a major step in protecting not just children in the UK but children around the world as the value of this kind of intervention becomes recognised, as the noble Earl, Lord Erroll, mentioned. The amendments get my fulsome support.
Data Protection Bill [HL]
Earl of Erroll ExcerptsMonday 11th December 2017
(6 years, 4 months ago)
Lords ChamberRead Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Second marshalled list for Report (PDF, 176KB) - (11 Dec 2017)
The Earl of Erroll (CB)
My Lords, I will say a couple of things on this in full support of the proposition made by the noble Baroness, Lady Neville-Jones. These issues are very complicated. We tend to try to brush them aside and hope that they will be dealt with by the person who is enforcing and regulating. But that can be dangerous, because they will find it very difficult as well, and sometimes, if you do not have the intention in the Bill, it may just not happen.
This is important because, although I fully support the intention and objectives of the GDPR in the Data Protection Bill in front of us, which is there for all the right reasons, we have to be careful not to throw out the baby with the bathwater. This is one of those instances where, in trying overzealously to introduce a rules-based system in a complex world and a complex society, you find unexpected consequences. Some of them cannot be defined terribly easily in regulation, but I think it would be wise to put this in an amendment.
We in this House tend to think in principle much more than another place. To try to deal with this in another place when it gets there may be unwise in case they run out of time. It would be good to put something in the Bill in this House at Third Reading, if the Minister were so minded, and I would wholeheartedly support that.
Lord Patel (CB)
My Lords, I have already spoken on this at length and I do not intend to repeat myself, but I support the amendment from the noble Baroness, Lady Neville-Jones. This is a very important database. It is not just national but international, and it is difficult to collect. That is why I am glad that an accommodation has been made to support the amendment.