Debates between Earl of Erroll and Lord Stevenson of Balmacara during the 2017-2019 Parliament

Wed 13th Dec 2017
Data Protection Bill [HL]
Lords Chamber

Report: 2nd sitting (Hansard): House of Lords

Particulars of Proposed Designation of Age-Verification Regulator

Debate between Earl of Erroll and Lord Stevenson of Balmacara
Thursday 1st February 2018

(6 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
Earl of Erroll Portrait The Earl of Erroll (CB)
- Hansard - -

My Lords, I want to say a few words. I was quite involved in this issue when it was going through as part of our consideration of the Digital Economy Act. The Digital Policy Alliance, of which I am chairman, has had a working group on age verification for several years, looking at whether there are available solutions and encouraging people to develop them. I am pleased to tell the noble Lord, Lord Clement-Jones, that there are some solutions out there. I will explain something about that.

The only thing I want to say is that the Act received Royal Assent on 28 April, I think, so it has taken a very long time to get this guidance in place. That is a bit of a worry and a bit of a disappointment. I seem to remember that there was an intention to try to have enforcement within a year, otherwise there would be a huge great gap in the meantime. We are trying to protect children after all; that was the whole point of this. Waiting for a year—it will probably now be longer—is an awfully long time not to have protection in place.

I am very glad that the BBFC is finally about to get some teeth, get into operation and do something about this, which I am sure it will do extremely well. I know that it has been consulting an awful lot with a lot of different people from all the different sides, from child protection right through to the adult industry. The interesting thing is that quite a lot of the adult industry is happy to help and to co-operate, because it does not want children wasting its time. It is not in the job of trying to pervert children, but of trying to sell adult content to adults, so it is willing to co-operate. The world is watching. There is apparently now a willingness to realise that this will happen and to co-operate to a large extent.

The noble Lord, Lord Clement-Jones, has put his finger on the point about age-verification methods: they have to work and to do various things. I say to him, though, that there is a difference between the bit that is checking the attribute—the age—and the bit about privacy, which is not identifying who the person is to a website and to a casual visitor to that website. It would be career-limiting were it to be found out that the noble Lord himself was visiting an adult content site, even though it would be totally legal for him to do so. Therefore, it is important to ensure that privacy happens at that point, which is the ICO’s part. It is not the ICO’s job to say how age verification should be done. That is a different job.

In fact, we have developed, along with the British Standards Institution, a publicly available specification, PAS 1296, which should be coming out quite soon. It has been around the houses several times and has been revised. That should allow it to be possible for an organisation to see for itself how well it is doing. It might be that an industry body should be set up that can check whether age-verification providers are doing something in alignment with the PAS, which goes into great detail about how you can do these things and make sure that it can be privacy enforcing. The privacy side is left up to the GDPR, but it is mentioned in there as well.

Those are the main points that I wanted to make. It is time to get on with this. It is a huge leap forward. As I said, the world is watching. A whole lot of good will is out there to get this done properly. I look forward to seeing the final draft regulations, which will probably do the job.

Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara (Lab)
- Hansard - - - Excerpts

My Lords, are we not back in familiar territory? We seem to spend a lot of time on these important issues, first on the Digital Economy Act, then substantial work, discussion, debate and thinking in the debates on the Data Protection Bill. I will disappoint the noble Lord, Lord Clement-Jones, by agreeing with most of what he said. He has a good point about where the boundaries between privacy and the processes described in the Digital Economy Act come to bear. There is room for a variety of approaches here. This is not an easy issue to address. I am not going to go back over the ground he covered—I look forward to hearing what the Minister will say about that—so I will go into some constitutional issues.

I have two general questions that might be important as we continue with this. One was touched on by the noble Earl, Lord Erroll, in his concluding remarks. Is it not the case that, when the Data Protection Bill, which brings in the GDPR, becomes an Act in May, we have inserted into it a requirement that those who operate on data subjects’ information relating to age have to do so in a way that is age-appropriate, otherwise the design has to change? In a sense, is this not the other half of the equation about blocking those who provide material by requiring those who are preparing and disseminating material to have it in a way that will not lead to the problems that were discussed so graphically about what happens to children, who we want to protect, who stumble across material that should be behind an age-verification system? In that sense, age-verification seems to be a bit like shutting doors after horses have bolted. We have to get the design right. If it is right, there will be no such question about people stumbling on to things, because if they go through an ISP or any form of social media provision, such as Facebook and similar arrangements, their progress would be age-designed and could be managed that way. Can the Minister reflect on that? He may well argue that this is the sort of thing that needs to be addressed by a yet to be established data ethics commission. He would probably be right.

Data Protection Bill [HL]

Debate between Earl of Erroll and Lord Stevenson of Balmacara
Report: 2nd sitting (Hansard): House of Lords
Wednesday 13th December 2017

(6 years, 11 months ago)

Lords Chamber
Read Full debate Data Protection Act 2018 View all Data Protection Act 2018 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 74-II Manuscript amendment for Report (PDF, 72KB) - (13 Dec 2017)
Lord Stevenson of Balmacara Portrait Lord Stevenson of Balmacara
- Hansard - - - Excerpts

My Lords, I can be brief, I hope. Amendment 41A builds on a discussion held in Committee. We were trying to articulate, perhaps not very successfully but with some justification, the nature of the relationship between data subjects and data controllers when data is passed across for processing and use by that data controller. At that time my thinking was stimulated by work that we had read and heard about in relation to the idea that a person’s data could be given a personal copyright. That would open up to data subjects who are giving data to data controllers the rights that come with copyright ordinarily, such as a limited time—quite a long time, though—in which they have ownership and therefore are licensing their data for use. That could be subject to remuneration, as is very often the case in the creative industries where copyrights are used; they are used on a licensed basis for which remuneration is returned. If that were the case, one might also question whether copyright should be time-limited. That would put an end to the question of whether data subjects could withhold or retract their information in some sense, or rectify it so that it would not, therefore, be archived or go forward into other activities.

Since that time, a surprisingly large number of people have contacted me about this and offered advice and thoughts—not all of it helpful, I have to say. There seems to be a certain feeling that personal copyright is not the way to go forward on this, although I am still quite attracted to it. However, in that process I got a very interesting set of communications around the idea of data subjects becoming controllers of their own data; in other words, personal data controllers. This is a difficult concept. It seems to suggest that two characteristics are existing in the same time and space. Of course, the force will be with us when we get to this, but I am not sure I quite understand how it would happen. I think the problem has come because of the timeframe in which the GDPR was created. Preliminary debates took place in 2012 to 2014, and the GDPR dates from 2016 and will come in in 2018. We are talking about six to eight years since the original thinking, which is a very long time in cyberspace.

We have found that technology has moved ahead of us and the issue raised by this amendment, if I may be so bold as to suggest it, is that we will have to think quite hard about how individual data is used by data controllers, in the context not just of the Bill, but of the way in which the technology is moving. I fully expect the Minister to say that this is a blue-sky issue that needs to be picked up and looked at. Warm words will be offered and even a smile or two might glance its way across the Chamber to me and I will sit down in a miasma of happiness as a result, but the truth is that we need expertise and advice—this is not an easy concept, even if the force is with us. We will need to think harder about all these issues, including the points we have been talking about in terms of algorithms and automated use, in the context of people’s advancing rights and use of their data. It calls for a data ethics commission. The subject will come up again and I am sure that we will return to it on day three of Report, but in the interim I beg to move.

Earl of Erroll Portrait The Earl of Erroll (CB)
- Hansard - -

My Lords, this amendment has a lot of merit. For some time I have been discussing with certain people who know an awful lot about this, as has the noble Lord, the concept of agency: having control over your own information. It is a very important concept because the GDPR and the Bill are all about data processors looking after your stuff for you, but the real issue is having control over things that affect you. Why, if people are using it to make money out of you or on your behalf, should you not sell them that control in return for better access?

There are many issues around this that might suit a modern world in which your data can be useful, but to you, so that data processors do not just mine it and use it for their own purposes—you have control over it. This amendment has a lot of merit because it gives a foundation for us to start researching this. There is no compulsion here, but it could move us down a line whereby the data subject—the person in the street— suddenly gets some control over what happens when people research things for their own good. We are going to have to give away our location and other things to use most of these apps, so why can we not also control that and decide how to sell it to other people and benefit from it ourselves?