Online Pornography (Commercial Basis) Regulations 2018

Debate between Earl of Erroll and Lord Clement-Jones
Tuesday 11th December 2018

(5 years, 11 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Earl of Erroll Portrait The Earl of Erroll (CB)
- Hansard - -

My Lords, I want to say a few words before the summing up. We need to remind ourselves that the purpose of these regulations is to protect children, including those coming up to adulthood. We are trying to prevent them thinking that some fairly unsavoury habits that are not medically good for them are normal. That is the challenge. These websites have teaser adverts to try to get people drawn into pornography sites to buy harder-core or more detailed pornography. We are not trying to do anything about people who are willing to enter into a payment arrangement with the site but to make sure that children are stopped at the front end and are prevented from seeing the stuff that will give them the wrong impression about how you chat to a girl or a girl chats to a boy and how you behave with members of the same sex or the opposite sex in a sexual relationship. We need to be quite quick on this sort of stuff because if we are going to try to stop this being widespread we need to block it.

There is an awful lot of guff in this. It has taken a long time for these regulations to get here—we really expected them about a year ago. I do not know what DCMS has been doing during this time. I know it had some draft guidelines a long time ago, but perhaps they were so young that they were uneducated too and tried to learn about these things—I do not know.

The point about the adverts is they sit there in front. We are probably going to have buttons on the front of the website stating that people have to verify their age. That will take people off, probably to third-party sites which know them and anonymously verify that they are over 18 and that is when they can get into the website. However, the website is going to want to put something up for that first encounter. I wonder whether this is not an opportunity to think positively and perhaps put up something about understanding the beginning of a relationship and how you can get excited and go forward without going to the harder aspects which involve penetrative sex et cetera. There may be an opportunity there. That is a bit of a red herring because we are talking about the regulations, but it may be a positive thought for the future.

The thing that worries me particularly is paragraph 2.5 of the BBFC guidance which refers to sites that are,

“mostly frequently visited, particularly by children”,

and are,

“most likely to be sought out by children”.

Social media may not be marketed as carrying or giving access to pornography, but it does so on a huge scale. This one-third rule is very odd because it is easily abused. There are about 39 million UK users of Facebook, so do we say that if 12 million are putting up pornography that is okay because it is under the one-third threshold? Earnings would be very hard to measure, given Facebook’s turnover, so how are we going to do the one-third? It is very odd. The purpose of this is to protect children, so I do not think we should be having very high thresholds to let people get away with it.

There are two things that really worry me. Paragraphs 2.6, 2.7 and 2.8 of the guidance are on enforcement. It is going to be very slow. By the time the BBFC has sent out a warning and it is received, given another notification, published this, waited for the website to write back, et cetera, how long will it take? Websites that want to get round it will game the system. If they start doing that, the big websites—they are on side with this and want to help because they have got teenage children and are not paedophiles but are trying to sell adult pornography to adults and therefore want to help, believe it or not—will lose too much business; they will have to go with the flow and play the same game, in which case the whole thing will get wrecked.

If the Internet Watch Foundation, without a true legal basis, can get sites blocked immediately, why cannot we, with proper law? Everyone has had warnings about it. The whole of the industry around the world has apparently been talking about it for the past year. The BBFC has spoken at such events. Everyone knows, so I cannot understand why we cannot act more quickly and go live from day one. If anyone does not comply, that is bad luck. We could set up some pre-notification stating: “If you do not comply by tomorrow, you have had it”.

The other matter is the certification scheme, which is voluntary. A big hole is that because this is under a DCMS Bill, it could not touch privacy and data security. That is an ICO responsibility. The security of people’s data is regulated elsewhere, and the ICO has only recently started to show an interest in this, because it is overloaded with other things. There is now a memorandum of understanding between the BBFC and the ICO, which is very good. They could be brought together in a certification scheme. The BBFC cannot enforce data security and privacy, because that is an ICO responsibility, but a certification scheme could state that a site cannot be certified unless it complies with all the legal standards—both the Data Protection Act 2018, which the ICO is looking at, and the BBFC rules on age verification for websites and providers. That could be good.

If your Lordships want to know how to do it, I fear I shall give a plug for the British standard for which I chaired the steering group, BS 1296; it includes a whole section on how to do the GDPR stuff, as it was then called. We could not mandate it in the British standard because other standards mandate it, but that tells you how to do it.

The certification needs to be clear, otherwise there will be a whole lot of wishy-washy stuff. I am not sure that a voluntary scheme is a good idea, because the BBFC will have a lot of hard work trying to check sites that decide not to comply, so it will have to certify them by another method. That will be difficult.

However, at the end of the day, there is a lot of willingness between all the parties to try to get this to work. The world is watching us—quite a few other countries are waiting to see whether this will work here. That will help enormously. We should try to get a lot of cross-stakeholder information and co-operation, a round table of all interested parties from child protection all the way through to those running the adult sites. Perhaps some good could come out of that. Certainly, everyone wants to help the BBFC and DCMS, the parent body. Everyone wants to help the ICO. We would like to get this to work: there is a lot of good will out there if only we could get moving to make it work properly.

Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - - - Excerpts

My Lords, we on these Benches want the regulations and draft guidance to come into effect. The child protection provisions are a significant element of the Digital Economy Act which, although not entirely in line with what we argued for during its passage, we supported in principle at the time and still do, while realising, as my noble friend Lord Paddick said, that they are not the conclusive answer to children’s access to pornography. As he also said, a number of areas need to be addressed in the course of today’s debate.

For a start, as several noble Lords said, it seems extraordinary that we are discussing these sets of guidance nearly two years after the Digital Economy Act was passed and nearly a year after the Government published their guidance to the regulator, the BBFC. What was the reason for the delay?

Next, there is the question of material that falls within the definition of being provided on a commercial basis under the Online Pornography (Commercial Basis) Regulations, the subject of today’s debate. Several noble Lords mentioned this. As drafted, they do not currently include social media or search engines and on these Benches, we regret that the Government have decided to carve out social media from the definition. This is a potentially significant loophole in the regime. It is important that it is monitored and addressed if it damages effectiveness. It is in particular a major concern that social media and search engines do not have any measures in place to ensure that children are protected from seeing pornographic images.

The Secretary of State’s guidance to the AV regulator asks the BBFC to report 12 to 18 months after the entry into force of the legislation, including commenting on the impact and effectiveness of the current framework and changes in technology which may require alternative or additional means of achieving the objectives of the legislation. In addition, under Section 29 of the Digital Economy Act, 12 to 18 months after the entry into force of the scheme, the Secretary of State must produce a report on the impact and effectiveness of the regulatory framework.

This is therefore a clear opportunity to look again at social media. The Government have made some reference to legislating on social media, but it is not clear whether they intend to re-examine whether the definition of commercial pornography needs to be broadened. Can the Minister assure the House that this will be dealt with in the internet safety White Paper, that the Secretary of State’s report will cover the level of co-operation by services such as social media and search engines, which are not obliged to take enforcement action on notification, and that, in doing so, it will firmly tackle the question of access by children to pornography via social media?

Next is the question of resources for the age-verification regulator. This is a completely new regime, and with fast-changing technology, it is vital that the BBFC, as the AV regulator, has the necessary financial resources and stable grant funding to meet the important child protection goals. Can the Minister assure us that the Government will keep resources available to the BBFC in its AV regulator role under review and undertake explicitly in the Secretary of State’s annual report to deal with the question of resources enabling the BBFC to carry out its work?

Next is the question of the BBFC having chosen to adopt a voluntary scheme. On these Benches, we welcome the voluntary scheme for age-verification providers referenced in annexe 5 to the draft Guidance on Age-verification Arrangements. In fact, it bears a striking resemblance to the scheme that we proposed when the Act was passing through Parliament, which would have ensured that a scheme involving third-party companies providing identity services to protect individual privacy and data security would be engaged. As I recall, the noble Earl, Lord Erroll, helped greatly in convening providers of digital identity schemes to show what was possible. I think he is still ahead of us today.

Our key objections were that what was originally proposed did not sufficiently protect personal privacy. The BBFC is to be congratulated on establishing the certification scheme. As I understand it, it already expects all the major providers to undertake the certification process. Furthermore, because the scheme is voluntary, these assessments will be for foreign-based as well as UK providers, which is a major achievement and could not be accomplished with a UK statutory scheme.

The key to the success of the voluntary scheme, however, is public awareness. I hope that the Minister can tell us what DCMS is doing to support the promotion of the BBFC’s kitemark in the three months before the scheme comes into effect.

Next, there are the JCSI criticisms set out in its report on 28 November. This House rightly always takes the criticisms of the JCSI seriously, and the Minister set out a careful response to them. I do not always pray a government memorandum in aid, but the BBFC was following the Secretary of State’s guidance to the AV regulator. Under the terms of Section 27 of the Digital Economy Act, as a result of amendments in the Lords during its passage, the BBFC was charged with having regard to the Secretary of State’s guidance. The JCSI suggests that the BBFC could have chosen to ignore “incorrect” Secretary of State guidance, but that would have put it in an impossible position.

I shall not adumbrate all the different areas, but the inclusion of what was necessary in compliance with Section 27, the advice on best practice, the annexe setting out the voluntary scheme and the role of the ICO all seem to be helpful as part of the guidance and proportionate in terms of what the AV regulator prioritises.

There are a number of other aspects of these sets of guidance worthy of mention too. As we have heard, this age-verification framework is the first of its kind in the world, and there is international interest in it. Are the Government discussing with the BBFC what lessons there are in terms of encouraging robust AV for younger age groups and for other types of potentially harmful content? Will the Government use the expertise developed by the BBFC as the age-verification regulator in the internet safety White Paper?

Particulars of Proposed Designation of Age-Verification Regulator

Debate between Earl of Erroll and Lord Clement-Jones
Thursday 1st February 2018

(6 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - - - Excerpts

My Lords, I have no great argument with the particulars and the designation of the BBFC as the age-verification regulator. Indeed, we had some debates on this. I know that we may have some differences with the Labour Front Bench, but we think that the BBFC is fit for this particular purpose and will carry out the job effectively. Conversations we have had have convinced us of that. Another aspect that is beginning to be unpacked is the appeals system. Although of course we put down amendments on the question of the independence of the age-verification regulator, we think that the appeals system being set up, which is qualified in the Act—we would have preferred it not to be qualified—will be fit for purpose as well.

I want to revert to something that may strike both the Minister and Members on the Labour Front Bench as rather déjà vu: the question of the specification of the type of age verification that is required, or not, by the age-verification regulator. When we talked about this issue in Committee—indeed, amendments on it were laid on 2 February 2017 in Committee and on 20 March on Report; my noble friend Lord Paddick had a particular role in that—we were very concerned on both occasions that the age-verification methods were not going to be specified in enough detail in the Bill. It did not appear that they would be specified in any great detail in the draft guidance.

Flash forward a year and I am afraid that nothing has changed. The Minister may remember that, back in January, the Select Committee on the Constitution said:

“We are concerned that the extent to which the Bill leaves the details of the age-verification regime to guidance and guidelines to be published by the as yet-to-be-designated regulator adversely affects the ability of the House effectively to scrutinise this legislation”.


We have not moved on a great deal. If we look at the details of what I have found—which appears to be the up-to-date draft of the government guidance on the age-verification regulator—under chapter 3, paragraph 4, there is this statement:

“The regulator is not required to approve individual age-verification solutions. There are various ways to age-verify online and the industry is developing at pace. Providers are innovating and providing choice to consumers”.


That is exactly the same wording as in the draft guidance last year and quoted by my noble friend Lord Paddick on 20 March. That is extremely disappointing. It appears that the age-verification regulator will play an incredibly light-touch role in the approval of the type of age-verification that takes place.

Of course, later in chapter 3—which is headed “Age-verification arrangements”—it describes,

“the expectation that age-verification services and online pornography providers should take a privacy by design approach as recommended by the ICO”.

I have the privacy by design guidance from the ICO in front of me and I must say, if I was an age-verification provider, I would not find it particularly onerous, in terms of requiring me to try to find an anonymised age-verification solution. I find the Government’s guidance, as per Section 27 of the Act, extremely disappointing. I very much hope that the Minister can explain whether the ICO will have a role in this, what the impact of privacy by design is, in terms of enforcement, and whether the ICO will have the ability to impose a privacy impact assessment—or even a data impact assessment—on the object of the age-verification regulator’s regulation. Perhaps at the same time the Minister can explain in this particular space the boundary between what the ICO is empowered to do and what the age-verification regulator will be doing.

I am sorry to have to be disappointing in that respect, but I think that as part of the wider landscape—a matter we discussed last year—where we have got to is not particularly satisfactory if the general purpose of the age-verification regulator is to make sure that age-verification really works and that there is not the access for young people to these pornography sites that the Act was designed to prevent.

Earl of Erroll Portrait The Earl of Erroll (CB)
- Hansard - -

My Lords, I want to say a few words. I was quite involved in this issue when it was going through as part of our consideration of the Digital Economy Act. The Digital Policy Alliance, of which I am chairman, has had a working group on age verification for several years, looking at whether there are available solutions and encouraging people to develop them. I am pleased to tell the noble Lord, Lord Clement-Jones, that there are some solutions out there. I will explain something about that.

The only thing I want to say is that the Act received Royal Assent on 28 April, I think, so it has taken a very long time to get this guidance in place. That is a bit of a worry and a bit of a disappointment. I seem to remember that there was an intention to try to have enforcement within a year, otherwise there would be a huge great gap in the meantime. We are trying to protect children after all; that was the whole point of this. Waiting for a year—it will probably now be longer—is an awfully long time not to have protection in place.

I am very glad that the BBFC is finally about to get some teeth, get into operation and do something about this, which I am sure it will do extremely well. I know that it has been consulting an awful lot with a lot of different people from all the different sides, from child protection right through to the adult industry. The interesting thing is that quite a lot of the adult industry is happy to help and to co-operate, because it does not want children wasting its time. It is not in the job of trying to pervert children, but of trying to sell adult content to adults, so it is willing to co-operate. The world is watching. There is apparently now a willingness to realise that this will happen and to co-operate to a large extent.

The noble Lord, Lord Clement-Jones, has put his finger on the point about age-verification methods: they have to work and to do various things. I say to him, though, that there is a difference between the bit that is checking the attribute—the age—and the bit about privacy, which is not identifying who the person is to a website and to a casual visitor to that website. It would be career-limiting were it to be found out that the noble Lord himself was visiting an adult content site, even though it would be totally legal for him to do so. Therefore, it is important to ensure that privacy happens at that point, which is the ICO’s part. It is not the ICO’s job to say how age verification should be done. That is a different job.

In fact, we have developed, along with the British Standards Institution, a publicly available specification, PAS 1296, which should be coming out quite soon. It has been around the houses several times and has been revised. That should allow it to be possible for an organisation to see for itself how well it is doing. It might be that an industry body should be set up that can check whether age-verification providers are doing something in alignment with the PAS, which goes into great detail about how you can do these things and make sure that it can be privacy enforcing. The privacy side is left up to the GDPR, but it is mentioned in there as well.

Those are the main points that I wanted to make. It is time to get on with this. It is a huge leap forward. As I said, the world is watching. A whole lot of good will is out there to get this done properly. I look forward to seeing the final draft regulations, which will probably do the job.

Data Protection Bill [HL]

Debate between Earl of Erroll and Lord Clement-Jones
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - - - Excerpts

My Lords, I rise briefly to support the noble Baroness, Lady Neville-Rolfe, in her amendment. She made a very good case. Current fee proposals really are very flawed. Clause 132, “Charges payable to the Commissioner by controllers”, states:

“The Secretary of State may by regulations require controllers to pay charges of an amount specified in the regulations to the Commissioner”.


That, compared to the existing regime of registration, seems far more arbitrary and far less certain in the way it will provide the resources that the Minister, in a very welcome fashion, pledged to the noble Lord, Lord Puttnam. It is far from clear on what basis those fees will be payable. Registration is a much sounder basis on which to levy fees by the Information Commissioner, as it was from the 1998 Act onwards.

I wish to be very brief; this has already been brought up. The Minister prayed in aid the fact that there are already some 400,000 data controllers and it was already getting out of hand. If the department—indeed, if the ICO—is going to be in contact with all those it believes to hold data as data controllers, it will have to have some kind of records. If that is not registration, I do not know what is. The department has not really thought through what the future will be, or how the Information Commissioner will secure the resources she needs. I hope that there is still time for the Minister to rethink the approach to the levying of future tariffs.

Earl of Erroll Portrait The Earl of Erroll (CB)
- Hansard - -

I just want to ask briefly whether small organisations will also include clubs and societies. I do not know whether that has been dealt with before. For instance, I am the chief of Clan Hay and we have a Clan Hay society. It does not make money, but it has membership lists and branches abroad. I discussed it with the ICO before this came up, and it thought we would definitely have to comply. I hope we will be covered as a small organisation.