Online Harm: Child Protection
Freddie van Mierlo Excerpts(1 week, 1 day ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Julia Lopez
I have set out before what we were trying to achieve with the Online Safety Act and why certain things were in it and others were not. I do not want to go over that again.
The consequences of these design features are increasingly visible, including rising anxiety and low mood, poor sleep, shredded attention spans and cyber-bullying that follows children home.
Freddie van Mierlo (Henley and Thame) (LD)
When I was growing up, social media was genuinely social—we would spend our time on it speaking to our peers and classmates. I remember MSN Messenger and Facebook when it first arrived. Social media has evolved to become this addictive, content-driven place where we are fed information. Does the hon. Member think we should perhaps differentiate between social media platforms that are genuinely for peer-to-peer interaction and help young people, and those that just feed content to them?
Julia Lopez
I thank the hon. Member for that intervention—I went off on a nostalgia trip in my brain, thinking about MSN chatrooms and all the rest of it. That was a time when people were not really aware of the power of the internet, and the predatory behaviours subsequently started to become normalised and industrialised. Although it might be tempting to want to try to go back to that place, I do not know whether we can actually get there, but it is certainly something we can aim towards and aspire to. The hon. Gentleman has made an important point. The essence of social media does not involve bad intent; the problem that we are seeking to solve is the way in which it has been manipulated and changed over the years to amplify negative behaviour.
Freddie van Mierlo
What the hon. Member has just said suggests that she might actually support the Liberal Democrat policy of age-rating social media platforms. That might lead to a new ecosystem of genuinely peer-to-peer, lower-harm products, which would be a good thing for young people.
Julia Lopez
We think that the current priority is ensuring that under-16s are taken off harmful social media platforms, but I am sure that there is room for a market to develop, over time, that will not feature negative algorithms and activity, and that there is a world in which new products could retain the essence of positive social interaction.
Cyber Security and Resilience (Network and Information Systems) Bill (Seventh sitting)
Freddie van Mierlo ExcerptsTuesday 24th February 2026
(1 week, 1 day ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 24 February 2026 - (24 Feb 2026)
Freddie van Mierlo (Henley and Thame) (LD)
I rise to speak to new clauses 13 and 15, standing in my name.
New clause 13 would require the Secretary of State to publish, within 12 months, a comprehensive statement on how the Government intend to manage the risks of foreign interference in our critical systems. It calls for steps to be taken to assess the need for a digital sovereignty strategy. We need to know not just how we will fight cyber-threats but whose technology we will rely on to do it. The new clause would force the Government to set out a plan to explicitly assess risks in hardware, software and supply chains.
We should ask what is being done to support UK tech and home-grown cyber-security. We cannot claim to be serious about national resilience if the very infrastructure protecting our critical systems is outsourced abroad to vendors we cannot fully trust. New clause 13 would require the Government to explain how they intend to mitigate the risks associated with reliance on foreign technologies. It would also require the Government to assess the need to encourage and support the use of domestic technologies. That would turn cyber-security into an engine for growth. By identifying high-risk foreign vendors, and pivoting to trusted, home-grown alternatives, we could improve our security and create high-skilled jobs here in the UK. For those reasons, I will press new clause 13 to a vote.
I now turn to new clause 15. How can we be serious about national resilience when the very infrastructure protecting our critical systems could be entirely outsourced abroad? New clause 15 would ensure transparency and force the Government to look at the threat of foreign ownership. The threat to British democracy from foreign interference is clear and present. From Russian money flooding into politics, and Chinese surveillance and intimidation, to foreign oligarchs buying influence, our democratic institutions are under sustained attack. The previous Conservative Government failed the UK. They failed to take the threat posed by Russia seriously, they weakened the Electoral Commission and they allowed foreign money to distort our politics. They withdrew from international commitments at precisely the wrong moment.
This Government have made some welcome moves, but they do not go far enough. Over the last few years, we have seen a rise in cyber-attacks on critical infrastructure. Across the country, schools have closed, airports have been shut, local councils have been hacked and retail stores have been crippled. New clause 15 would require the Government to review the security risks posed by critical suppliers and essential service providers, and to flag which of those are linked to foreign states. It would also push the Government to evaluate whether current powers are sufficient to address these threats. I intend to push new clause 15 to a vote.
David Chadwick (Brecon, Radnor and Cwm Tawe) (LD)
In our previous sitting, the hon. Member for Runnymede and Weybridge set out clearly the cyber-threat posed by China, and argued that, through new clause 2, China should be explicitly recognised as a foreign power presenting a significant risk to the United Kingdom. He rightly highlighted the precedent in UK legislation for maintaining registers of hostile or high-risk state actors to protect national security. I agree that Parliament should be unequivocal in recognising the Chinese Communist party as a strategic cyber-threat, particularly given evidence of state-linked cyber-espionage, infrastructure compromise and the targeting of critical national infrastructure.
We have seen data from the Cabinet Office last week indicating that the Government plan to drastically reduce the integrated security fund spending on domestic cyber and tech to counter cyber-attacks. It will be cut from £113.3 million to £95 million by 2028-29, which is a reduction of 16%. Domestic spending to counter Russian threats in the same period will incur a drop of more than 20%. Those reductions leave us dangerously exposed and are in direct opposition to the Government’s promises to support the UK’s national security priorities. New clause 2 offers the chance to identify and monitor state actors that pose a threat to UK cyber-security.
The register must also reflect the evolving nature of cyber-risk. Threats do not arise solely from formally hostile states, but also from jurisdictions where hostile cyber-actors operate at scale, using digital infrastructure to target UK systems and citizens. We have seen that in countries such as India and Nigeria, where organised cyber-criminal networks have run sophisticated international operations against the UK, exploiting cloud services and telecommunications infrastructure. In India, law enforcement has dismantled major cyber-crime hubs linked to international targeting, including operations specifically affecting large numbers of British victims.
In 2025, the National Crime Agency worked in partnership with India’s Central Bureau of Investigation to raid an organised crime group in Uttar Pradesh, which had targeted more than 100 UK citizens with pop-ups stating that their devices had been compromised, losing them more than £390,000. That is not only an unacceptable financial loss for our citizens, but a significant waste of resources. In Nigeria, long-established cyber-criminal networks continue to conduct large-scale digital fraud campaigns aimed at overseas targets including the United Kingdom. Interpol’s Operation Serengeti in 2025 tackled high-impact cyber-crimes in Nigeria and 17 other nations, arresting 1,209 suspects and recovering nearly $100 million that had been stolen through cyber-fraud.
Although these states might not be hostile in a geopolitical sense, hostile cyber-actors operating within their borders are none the less inflicting sustained harm and placing heavy burdens on our cyber-defence and law enforcement resources. I support the aims of new clause 2, but urge Ministers to ensure that the framework is flexible enough to capture not only hostile states but jurisdictions that consistently serve as bases for large-scale hostile cyber-activity. Data from the Cabinet Office shows that integrated security fund spending on Russia is set to fall over 20% between 2026 and 2029, which shows that the Government are not taking threats from Russia, or other hostile nations, seriously enough.
Freddie van Mierlo
I beg to move, That the clause be read a Second time.
The new clause would place a statutory duty on the Secretary of State to establish a support service dedicated to improving the resilience of small and medium-sized enterprises and, crucially, to provide them with assistance when the worst happens. SMEs are the backbone of our economy. Their growth and continue operation are essential to a strong economy. We heard evidence that even large corporations find it hard to justify the investment in cyber-security and resilience when faced with competing priorities and investment needs. It forms the rationale of the Bill putting this need on a statutory footing, but small and medium-sized businesses undoubtedly find it even harder to make the investments required in cyber-security.
I know from having worked in SMEs at the start of my career that companies experience growing pains and need support in navigating complex statutory requirements. It is not just support for SMEs before an attack takes place that the clause would provide for, but also after. For SMEs, a cyber-attack is not just a disruption; it can be an existential threat to their existence. The clause would ensure that when an SME is hit, they have access to the support they need.
Bradley Thomas
Given that the threshold for a significant impact event will likely be much lower for an SME than for a larger corporation, and while acknowledging and agreeing that SMEs are the backbone of the economy and make up the vast majority of companies that employ people in this country, how does the hon. Gentleman propose to strike the relevant balance between ensuring that SMEs are supported, and at the same time that they are not inundated and overwhelmed as a result of that significant impact threshold likely being much lower for SMEs?
Freddie van Mierlo
The thresholds have been set out in the new clause. Australia already provides support for small businesses during and after attacks. The clause would simply bring the UK up to speed with international partners, ensuring our businesses are not at a competitive disadvantage on cyber-security support. If Australia can support its SMEs, why can we not? It is only fair that if we are increasing the regulatory burden, the Government provide the support required to navigate it. I will press the new clause to a vote.
Dr Spencer
New clause 14, tabled by the hon. Member for Henley and Thame, addresses concerns regarding the capacity of SMEs to comply with their regulatory obligations, should they be brought within the scope of the Bill. That matter has been discussed on several occasions by the Committee. That is only right given that, according to figures provided by NCC Group, SMEs make up over 99% of businesses in the UK but too often lack the skills and budgets to implement proportionate cyber-protections, leaving them particularly exposed.
SME cyber assistance schemes akin to the one proposed by the new clause have been rolled out in Scotland on a limited basis and in Australia, where the Government are investing 8 million Australian dollars over three years to provide free person-to-person support for small businesses during and after a cyber-attack. Those schemes have enjoyed some success in hardening cyber-resilience among SMEs that have been able to access them. That can only be welcomed.
There is a case for looking more closely at whether regulation is the appropriate first step to address the cyber-resilience of the smallest organisations that might be brought within the scope of regulation, as legal compliance efforts could detract from already pressured operational defence budgets. In giving evidence to the Committee, Jill Broom of techUK called for strategies
“such as financial incentives, or…tax credits”––[Official Report, Cyber Security and Resilience (Network and Information Systems) Public Bill Committee, 3 February 2026; c. 18, Q20.]
to help SMEs improve their cyber-resilience, and techUK has suggested that funding or relief could be applied on a priority basis, with those working within the critical national infrastructure supply chain looked at first. In the light of those considerations, what analysis has the Minister’s Department conducted of the likely return on investment, in terms of sustainability and growth among smaller companies, of a cyber support service for UK SMEs?
The Chair
With this it will be convenient to discuss new clause 19—Vulnerability research: review of the merits of a statutory defence—
“(1) The Secretary of State must, within twelve months of the passing of this Act, review the extent to which an amendment to section 1 of the Computer Misuse Act, with the effect of introducing a statutory defence available to individuals undertaking ethical vulnerability research, would improve the security of the network and information systems of relevant bodies.
(2) A review under this section must consider whether a statutory defence would enable relevant bodies to improve the resilience of their network and information systems via enhanced vulnerability testing and research.
(3) For the purposes of this section—
(a) ‘ethical vulnerability research’ means access, whether authorised or otherwise, to computer material with the intention of identifying vulnerabilities to cyber attacks, where—
(i) the research is aimed at enhancing the resilience of the network and information system of a relevant body or relevant bodies, and
(ii) the findings of the research are kept securely, shared only with those responsible for the security or resilience of the network and information system concerned, and shared solely for the purpose of enhancing the security or resilience of the network and information system concerned;
(b) ‘relevant bodies’ means operators of essential services, critical suppliers, digital service providers or managed service providers, as defined by the NIS Regulations.”
This new clause would require the Government to review whether the resilience of relevant organisations could be enhanced by introducing a statutory defence to s1 of the Computer Misuse Act, so that a person could be deemed not guilty if they engage in vulnerability research in the public interest.
Freddie van Mierlo
New clause 18 would place a duty on the Government to review within 12 months whether our over-30-year-old Computer Misuse Act is holding back the very cyber-resilience that the Bill seeks to build. The Government’s own impact assessment for the Bill identifies a key market failure: imperfect information. It states that businesses lack awareness of their own cyber-risks, leading to under-investment in security. We must ask why that information is imperfect. We believe that it is partly because the Computer Misuse Act 1990 prevents cyber-security professionals from undertaking legitimate public interest activity to identify those risks, so ethical hackers cannot provide the necessary information.
New clause 18 ties the review specifically to the security and resilience of network and information systems regulated by the Bill. It asks a simple question: does the Computer Misuse Act 1990 help or hinder the resilience of our critical infrastructure? For that reason, I wish to seek a vote on new clause 18.
Kanishka Narayan
My hon. Friend is absolutely right to recognise the shared sense on the principle of reforming the Computer Misuse Act. Although I am not in a position to give him a specific timeline, I absolutely take into account his recognition that the work needs to proceed at pace. Having held an industry engagement recently on specific proposals, with more than 75 attendees from a range of cyber-security organisations, the Home Office is now reviewing specific feedback as a particular proposal. The question is not whether we will reform the Computer Misuse Act, but simply how.
Freddie van Mierlo
I am grateful to the Minister for his reassurances on the ongoing review of the Computer Misuse Act. On that basis, I would like to say that I will withdraw the new clause.
Kanishka Narayan
I thank the shadow Minister for his recognition of our shared approach on this question. Reform of the Computer Misuse Act is led by the Home Office. I have given my personal commitment to ensuring that reform, but I will also write to him and members of the Committee with as much detail as possible on the timeline to ensure that we are moving fast on it.
In that spirit, I thank hon. Members for their work on this question of the amendment to the Computer Misuse Act and use this opportunity to thank you, Ms McVey, the entire Committee staff and hon. Members for their expertise and perhaps for their sense of fun as well. I thank all staff members, in particular the Bill team in the Department, which has been fabulous throughout the entire process.
Freddie van Mierlo
I beg to ask leave to withdraw the clause.
Clause, by leave, withdrawn.
Bill, as amended, to be reported.
Cyber Security and Resilience (Network and Information Systems) Bill (First sitting)
Freddie van Mierlo ExcerptsTuesday 3rd February 2026
(1 month ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Emily Darlington (Milton Keynes Central) (Lab)
Q
David Cook: The original NIS regulations came out of a directive from 2016, so this is 10 years old now, and the world changes quickly, especially when it comes to technology. Not only is this supply chain vulnerability systemic, but it causes a significant risk to UK and global businesses. Ransomware groups, threat actors or cyber-criminals—however you want to badge that—are looking for a one-to-many model. Rather than going after each organisation piecemeal, if they can find a route through one organisation that leads to millions, they will always follow it. At the moment, they are out of scope.
The reality is that those organisations, which are global in nature, often do not pay due regard to UK law because they are acting all over the world and we are one of many jurisdictions. They are the threat vector that is allowing an attack into an organisation, but it then sits with the organisations that are attacked to deal with the fallout. Often, although they do not get away scot-free, they are outside legislative scrutiny and can carry on operating as they did before. That causes a vulnerability. The one-to-many attack route is a vulnerability, and at the moment the law is lacking in how it is equipped to deal with the fallout.
Jen Ellis: In terms of what the landscape looks like, our dialogue often has a huge focus on cyber-crime and we look a lot at data protection and that kind of thing. Last year, we saw the impact of disruptive attacks, but in the past few years we have also heard a lot more about state-sponsored attacks.
I do not know how familiar everyone in the room is with Volt Typhoon and Salt Typhoon; they were widespread nation-state attacks that were uncovered in the US. We are not immune to such attacks; we could just as easily fall victim to them. We should take the discovery of Volt Typhoon as a massive wake-up call to the fact that although we are aware of the challenge, we are not moving fast enough to address it. Volt Typhoon particularly targeted US critical infrastructure, with a view to being able to massively disrupt it at scale should a reason to do so arise. We cannot have that level of disruption across our society; the impacts would be catastrophic.
Part of what NIS is doing and what the CSRB is looking to do is to take NIS and update it to make sure that it is covering the relevant things, but I also hope that we will see a new level of urgency and an understanding that the risks are very prevalent and are coming from different sources with all sorts of different motivations. There is huge complexity, which David has spoken to, around the supply chain. We really need to see the critical infrastructure and the core service providers becoming hugely more vigilant and taking their role as providers of a critical service very seriously when it comes to security. They need to think about what they are doing to be part of the solution and to harden and protect the UK against outside interference.
David Cook: By way of example, NIS1 talks about reporting to the regulator if there is a significant impact. What we are seeing with some of the attacks that Jen has spoken about is pre-positioning, whereby a criminal or a threat actor sits on the network and the environment and waits for the day when they are going to push the big red button and cause an attack. That is outside NIS1: if that sort of issue were identified, it would not be reportable to the regulator. The regulator would therefore not have any visibility of it.
NIS2 and the Bill talk about something being identified that is caused by or is capable of causing severe operational disruption. It widens the ambit of visibility and allows the UK state, as well as regulators, to understand what is going in the environment more broadly, because if there are trends—if a number of organisations report to a regulator that they have found that pre-positioning—they know that a malicious actor is planning something. The footprints are there.
Freddie van Mierlo (Henley and Thame) (LD)
Q
Jen Ellis: You have covered a lot of territory there; I will try to break it down. If you look at the attacks last year, all the companies you mentioned were investing in cyber-security. There is a difficulty here, because there is no such thing as being bullet-proof or secure. You are always trying to raise the barriers as high as you can and make it harder for attackers to be successful. The three attacks you mentioned were highly targeted attacks. The example of Volt Typhoon in the US was also highly targeted. These are attackers who are highly motivated to go after specific entities and who will keep going until they get somewhere. It is really hard to defend against stuff like that. What you are trying to do is remove the chances of all the opportunistic stuff happening.
So, first, we are not going to become secure as such, but we are trying to minimise the risk as much as possible. Secondly, it is really complex to do it; we saw last year the examples of companies that, even though they had invested, still missed some things. Even in the discussions that they had had around cyber-insurance, they had massively underestimated the cost of the level of disruption that they experienced. Part of it is that we are still trying to figure out how things will happen, what the impacts will be and what that will look like in the long term.
There is also a long tail of companies that are not investing, or not investing enough. Hopefully, this legislation will help with that, but more importantly, you want to see regulators engaging on the issue, talking to the entities they cover and going on a journey with them to understand what the risks are and where they need to get to. If you are talking about critical providers and essential services, it is really hard for an organisation—in its own mind or in being answerable to its board or investors—to justify spend on cyber-security. If you are a hospital saying that you are putting money towards security programmes rather than beds or diagnostics, that is an incredibly difficult conversation to have. One of the good things about CSRB, hopefully, is that it will legitimise choices and conversations in which people say, “Investing time and resources into cyber-security is investing time and resources into providing a critical, essential service, and it is okay to make those pay-off choices—they have to be made.”
Part of it is that when you are running an organisation, it is so hard to think about all the different elements. The problem with cyber-security—we need to be clear about this—is that with a lot of things that we ask organisations to do, you say, “You have to make this investment to get to this point,” and then you move on. So they might take a loan, the Government might help them in some way, or they might deprioritise other spending for a set period so that they can go and invest in something, get up to date on something or build out something; then they are done, and they can move back to a normal operating state.
Security is not that. It is expensive, complex and multifaceted. We are asking organisations of all sizes in the UK, many of which are not large, to invest in perpetuity. We are asking them to increase investment over time and build maturity. That is not a small ask, so we need to understand that there are very reasonable dynamics at play here that mean that we are not where we need to be. At the same time, we need a lot more urgency and focus. It is really important to get the regulators engaged; get them to prioritise this; have them work with their sectors, bring their sectors along and build that maturity; and legitimise the investment of time and resources for critical infrastructure.
Alison Griffiths (Bognor Regis and Littlehampton) (Con)
Q
David Cook: The legislation talks about secondary legislation, so it allows for an agile, flexible programme whereby organisations can be brought within scope very quickly if concerns make that necessary. What that leaves us with, though, is that although legislation can be changed quickly, organisations often cannot. Where there is a definition, as we see with NIS2, as to which entities are in scope, organisations can embark on a multi-year programme to get into a compliant position. They can throw money at it, effectively.
What this legislation talks about, through the secondary legislation, is bringing organisations into scope and mandating specific security controls or specific requirements on those organisations in terms of security, but while the law might come in over a weekend, organisational change will not necessarily follow. There is a potential issue there. I can see the benefit and attractiveness of secondary legislation being used to achieve that aim, but having a clearer baseline as to what that sort of scope might look like—it could be ramped up or down, and the volume could be turned up or down, depending on need—would be more helpful. Reducing scope while diverging from NIS2 might be a benefit in terms of the commercial reality, but it might be a misstep in terms of security and the long tail that it takes to get more secure.
Bradley Thomas
Q
Dr Sanjana Mehta: May I weigh in on the second question first? It is good to note that the definition of reportable incident has expanded in the current legislation. One of the concerns that the post-implementation reviews had from the previous regulatory regime was that the regulated entities were under-reporting. We note that the Bill has now expanded the definition to include incidents that could have an adverse impact on the security and operations of network and information systems, in addition to those incidents that are having or have had a negative impact.
While that is clear on the one hand—some factors have been provided, such as the number of customers affected, the geographical reach and the duration of the incident—what is not clear at the moment is the thresholds linked with those factors. In the absence of those thresholds, our concern is that regulated entities may be tempted to over-report rather than under-report, thereby creating more demand on the efforts of the regulators.
We must think about regulatory capacity to deal with all the reports that come through to them, and to understand what might be the trade-offs on the regulated entities, particularly if an entity is regulated by more than one competent authority. For those entities, it would mean reporting to multiple authorities. For organisations that are small or medium-sized enterprises, there is a real concern that the trade-offs may result in procedural compliance over genuine cyber-security and resilience. We call on the Government for immediate clarification of the thresholds linked to those factors.
Jill Broom: I would like to come in on that point. Our members would agree with it. Companies need to be clear about what needs to be reported, when it needs to be reported and where they need to report it. A bit of clarity is required on that, certainly around definitions. As Sanjana said, it is good to see that the definition is expanding, but definitions such as “capable of having” a significant impact remain unclear for industry. Therefore, we need a bit more clarity, because again, it means that we could risk capturing absolutely everything that is out there, and we really want to focus on: what is most important that we need to be aware of? Determining materiality is essential before making any report.
In terms of the where and the how, we are also in favour of a single reporting platform, because that reduces friction around the process, and it allows businesses, ultimately, to know exactly where they are going. They do not need to report here for one regulator and there for another. It is a streamlined process, and it makes the regime as easy as possible to deal with, so it helps incentivise people to act upon it.
I have another point to add about the sequencing of alignment with other potential regulation. We know that, for example, the Government’s ransomware proposals include incident-reporting requirements, and they are expected to come via a different legislative vehicle. We need to be careful not to add any additional layers of complexity or other user journeys into an already complex landscape.
Freddie van Mierlo
Q
Secondly, Dr Mehta, you spoke earlier about what is not in scope in this legislation. I am particularly interested in the fact that local government is not included in it, because it has a critical role in electoral services and in local and national democracy. What do you think are the threats from leaving local government out of scope?
Jill Broom: I think that generally, our members would always call for alignment, where possible, in any kind of legislation that spans the geographies. But we understand that the Bill focuses on a particular sector—the critical national infrastructure in the UK—and we welcome the intent of it.
Dr Sanjana Mehta: On sectoral scope, with the way that the Bill is currently drafted, there is obviously flexibility to introduce new sectors, and to bring in more provisions and guidance through secondary legislation and additional guidance. That being said, our recommendation is certainly to expand the sectoral scope at this stage by bringing in public administration.
There are a number of key reasons for that. First, public administration needs to be role model of good cyber-security to the rest of the economy. I think it was the 2025 state of digital government review that pointed out that the risk of cyber-attacks on Government is critical. You mentioned local government, but there are also central Government Departments that hold and process vast amounts of personal and sensitive information; I think, for example, DWP administered £288 billion of benefits over the past year. More than 23 million people claimed some sort of benefits from DWP and, in responding to those claims, DWP must have processed huge amounts of very sensitive medical and financial information on individuals. We think it is an omission to leave it out, and we recommend that the Government consider bringing it into scope.
Lincoln Jopp (Spelthorne) (Con)
Q
Stuart McKean: I do not think the cyber-criminal really cares, to be blunt. They will attack anywhere. You can, of course—
Freddie van Mierlo
Q
Dr Ian Levy: In October 2025, we had an incident that had quite a widespread impact. We have engaged with regulators around the world, including multiple regulators in the UK, to explain what happened. We published, quite transparently, what had happened during the incident and afterwards. Explaining how the part of the organisation that had built that particular system works is very time-consuming. It is also almost certainly out of date by the time we have finished. In that particular case, it was something called a “race condition”, which is a well understood computer-science hard problem. No amount of regulation or legislation would have made a difference, because it was a race condition, and they are incredibly hard to find in software.
I think that regulating outcomes is the right answer, and making sure that we are doing due diligence, and that our view of appropriate risk management is broadly the same as yours, without making us a national security entity. That is the challenge. How we run our business is not really relevant; it is the outcomes that matter.
Matt Houlihan: It is increasingly important that businesses, parliamentarians and Government officials work together on these issues. As we said earlier, the pace of change in terms of the technology, and indeed the business environment—at both the UK and global levels—is moving very quickly. Having that exchange of information will be important.
It is important—from an international business point of view—that regulation is as aligned as is practicable with the other jurisdictions that a lot of the companies here will be working in. That will not only benefit companies that are headquartered elsewhere and operate in the UK; it will benefit UK-headquartered companies that are looking to expand abroad. It must also be proportionate and targeted. I think that at the nub of your question, there is clearly a need, going forward, for strong co-operation and the sharing of expertise and experiences.
Cyber Security and Resilience (Network and Information Systems) Bill (Second sitting)
Freddie van Mierlo ExcerptsTuesday 3rd February 2026
(1 month ago)
Public Bill CommitteesRead Full debate Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 View all Cyber Security and Resilience (Network and Information Systems) Bill 2024-26 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 3 February 2026 - (3 Feb 2026)
Freddie van Mierlo (Henley and Thame) (LD)
Q
Ian Hulme: Certainly from an ICO perspective, many IDSPs that we currently regulate are operating across boundaries. From our perspective, the focus is on the outcome. If they have operations in other jurisdictions that are providing services into the UK, our focus is on the outcome and getting to understand the UK side of things more than anything else.
Natalie Black: This is a challenge for us every day. Many of the companies that we regulate have a footprint in the UK or multiple footprints around the world. The issue is in making sure that the UK requirements are as clear as possible to give them no excuse to argue exceptionalism. That is why we really welcome the opportunity to get into the detail through secondary legislation, which will be very important in holding all the companies to account that we think need to be held to account.
The Chair
That brings us the end of the allotted time for the Committee to ask questions. On behalf of the Committee, I thank our witnesses for their evidence.
Examination of Witness
Chung Ching Kwong gave evidence.
Oral Answers to Questions
Freddie van Mierlo Excerpts(9 months, 2 weeks ago)
Commons ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Freddie van Mierlo (Henley and Thame) (LD)
For three years, the Marsh lock horsebridge in Henley has been closed. The bridge connects Henley to Shiplake and is an integral part of the Thames path national trail. The petition I present today, which has more than 6,000 signatories and was started by nine-year-old Claudia Fennell, who is in the Gallery today, calls for the bridge to be reopened. I welcome news from the Environment Agency that money has been identified to begin design work, but it is only partial funding, and the future is still uncertain.
I take this opportunity to also put on the record my regret at the closure of events organiser Henley Swim due to the sewage crisis, and to express my concern about the pending strike action by lock keepers.
The EA must be given the resources needed to keep our river thriving economically and safe for all users. The petitioners therefore request that
“the House of Commons urge the Government to take immediate action to encourage the Environment Agency to repair and reopen Marsh Lock Horsebridge.”
Following is the full text of the petition:
[The petition of residents of the United Kingdom,
Declares that Marsh Lock Horsebridge should be repaired and reopened; notes that an online petition on the issue was started by Claudia Fennell; notes the online petition on this issue has received over 6,000 signatures; notes the petition is supported by the former Mayor and the Deputy Mayor of Henley; further notes that the bridge has been closed since May 2022; notes that the bridge is an important part of the constituency community and impacts the mental and physical health of residents; notes that residents are currently unable to access the Thames path to Shiplake and numerous swimming spots; and further notes that local businesses reliant on the footfall from walkers and river-goers have been badly affected.
The petitioners therefore request that the House of Commons urge the Government to take immediate action to encourage the Environment Agency to repair and reopen Marsh Lock Horsebridge.
And the petitioners remain, etc.]
[P003067]
Data (Use and Access) Bill [Lords]
Freddie van Mierlo Excerpts(9 months, 3 weeks ago)
Commons ChamberRead Full debate Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Victoria Collins
Thank you for calling me, Madam Deputy Speaker, and for your patience regarding my earlier intervention. I am very passionate about all elements of the Bill.
On Second Reading, I said:
“Data is the new gold”—[Official Report, 12 February 2025; Vol. 762, c. 302.]
—a gold that could be harnessed to have a profound impact on people’s daily lives, and I stand by that. With exponential advances in innovation almost daily, this has never been truer, so we must get this right.
I rise today to speak to the amendments and new clauses tabled in my name specifically, and to address two urgent challenges: protecting children in our digital world and safeguarding the rights of our creative industry in the age of artificial intelligence. The Bill before us represents a rare opportunity to shape how technology serves people, which I firmly believe is good for both society and business. However, I stand here with mixed emotions: pride in the cross-party work we have accomplished, including with the other place; hope for the progress we can still achieve; but also disappointment that we must fight so hard for protections that should be self-evident.
New clause 1 seeks to raise the age of consent for social media data processing from 13 to 16 years old. We Liberal Democrats are very clear where we stand on this. Young minds were not designed to withstand the psychological assault of today’s social media algorithms. By raising the age at which children can consent to have their data processed by social media services, we can take an important first step towards tackling those algorithms at source. This is a common-sense measure, bringing us in line with many of our European neighbours.
The evidence before us is compelling and demands our attention. When I recently carried out a safer screens tour of schools across Harpenden and Berkhamsted to hear exactly what young people think about the issue, I heard that they are trapped in cycles of harmful content that they never sought out. Students spoke of brain rot and described algorithms that pushed them towards extreme content, despite their efforts to block it.
The evidence is not just anecdotal; it is overwhelming. Child mental health referrals have increased by 477% in just eight years, with nearly half of teenagers with problematic smartphone use reporting anxiety. One in four children aged 12 to 17 have received unwanted sexual images. We know that 82% of parents support Government intervention in this area, while a Liberal Democrat poll showed that seven in 10 people say the Government are not doing enough to protect children online.
Freddie van Mierlo (Henley and Thame) (LD)
I welcome new clause 1, tabled by my hon. Friend. Does she agree that raising the age of consent for processing personal data from 13 to 16 will help reduce the use of smartphones in schools by reducing their addictiveness, thereby also improving concentration and educational performance in schools?
Victoria Collins
That is exactly what is at the heart of this matter—the data that drives that addictiveness and commercialises our children’s attention is not the way forward.
Many amazing organisations have gathered evidence in this area, and it is abundantly clear that the overuse of children’s data increases their risk of harm. It powers toxic algorithms that trap children in cycles of harmful content, recommender systems that connect them with predators, and discriminatory AI systems that are used to make decisions about them that carry lifelong consequences. Health Professionals for Safer Screens—a coalition of child psychiatrists, paediatricians and GPs— is pleading for immediate legislative action.
This is not a partisan issue. So many of us adults can relate to the feeling of being drawn into endless scrolling on our devices—I will not look around the Chamber too much. Imagine how much more difficult it is for developing minds. This is a cross-party problem, and it should not be political, but we need action now.
Let me be absolutely clear: this change is not about restricting young people’s digital access or opposing technology and innovation; it is about requiring platforms to design their services with children’s safety as the default, not as an afterthought. For years we have watched as our children’s wellbeing has been compromised by big tech companies and their profits. Our call for action is supported by the National Society for the Prevention of Cruelty to Children, 5rights, Healthcare Professionals for Safer Screens, Girlguiding, Mumsnet and the Online Safety Act network. This is our chance to protect our children. The time to act is not 18 months down the line, as the Conservatives suggest, but now. I urge Members to support new clause 1 and take the crucial steps towards creating a digital world where children can truly thrive.
To protect our children, I have also tabled amendment 45 to clause 80, which seeks to ensure that automated decision-making systems cannot be used to make impactful decisions about children without robust safeguards. The Bill must place a child’s best interests at the heart of any such system, especially where education or healthcare are concerned.
We must protect the foundational rights of our creators in this new technological landscape, which is why I have tabled new clause 2. The UK’s creative industries contribute £126 billion annually to our economy and employ more than 2.3 million people—they are vital to our economy and our cultural identity. These are the artists, musicians, writers and creators who inspire us, define us and proudly carry British creativity on to the global stage. Yet today, creative professionals across the UK watch with mounting alarm as AI models trained on their life’s work generate imitations without permission, payment or even acknowledgment.
New clause 2 would ensure that operators of web crawlers and AI models comply with existing UK copyright law, regardless of where they are based. This is not about stifling innovation; it is about ensuring that innovation respects established rights and is good for everyone. Currently, AI companies are scraping creative works at an industrial scale. A single AI model may be trained on thousands of copyrighted works without permission or compensation.
The UK company Polaron is a fantastic example, creating AI technology to help engineers to characterise materials, quantify microstructural variation and optimise microstructural designs faster than ever before. Why do I bring up Polaron? It is training an AI model built from scratch without using copyright materials.
Protection of Children (Digital Safety and Data Protection) Bill
Freddie van Mierlo ExcerptsFriday 7th March 2025
(11 months, 3 weeks ago)
Commons ChamberRead Full debate Protection of Children (Digital Safety and Data Protection) Bill 2024-26 View all Protection of Children (Digital Safety and Data Protection) Bill 2024-26 Debates Read Hansard Text Watch Debate Read Debate Ministerial Extracts
Freddie van Mierlo (Henley and Thame) (LD)
When I was growing up, we were first becoming aware of the digital world. On coming home from school, I would log in to MSN Messenger, check MySpace, carefully arrange the 10 top friends on that platform, and check out online games. Now those early tools have been honed to be as addictive as possible. Social media is a space for unchecked bullying and a place for predators to hide. I got my first phone aged 13, but the most advanced technology on it was an FM radio. Today, phones are not phones at all—they are supercomputers in our pockets. No parent wants their child to be left out, and once that first child in a class gets a phone, the floodgates open. We must give schools and parents tools to overcome that collective action problem.
Ben Coleman (Chelsea and Fulham) (Lab)
Will the hon. Gentleman join me in congratulating the Fulham boys school in my constituency, which was the first school in the country to replace smartphones with brick phones? As a result, it has seen pupils become more engaged, better social interactions and improved classroom behaviour. Does he agree that that school sets an example for the country to follow?
Freddie van Mierlo
I happily join the hon. Gentleman in congratulating that school.
Unfortunately, what we have seen today is a tragedy of the Commons, with the weakening of this legislation. We could not, even in this Chamber, overcome the collective action problem to deliver tougher regulation—which we need to stop the misuse of technology and keep the next generation safe—rather than reviews and a promise to plan research. I am happy to see other Members contributing to the conversation, but I note that Reform Members, including the hon. Member for Clacton (Nigel Farage), have decided not to grace us with their presence. If they cared so much about the protection of our children, they would be here.
In conversations with friends who have school-age children, I have learned of apps, such as Roblox, that allow any person to open a conversation with another user of the game. I also heard from campaigners that even Spotify can be used to share explicit images and conduct online grooming. I have spoken to parents in Henley and Thame who are distraught that their children were groomed by predators through social media. When they reported the crime to the police, they were told that nothing could be done because a virtual private network had been used. Technology is constantly evolving and we must stay informed of its developments. Parents must be informed of the risks facing children who use social media.
There is a way forward. We are all aware that social media companies are making huge profits from their activity. Introducing a social media levy to increase tax on those companies is an obvious choice. The money collected from the tax could then be used to support children by funding mental health services. Social media is having a detrimental impact on the wellbeing of children. The least we can do is use its profits to mitigate some of the damage.
The digital age of consent must be increased to 16. The age of 13 is too young for a child to consent to the collection, processing and storing of their data. The change would not ban children under 16 from using social media, but it would force social media companies to make applications safer and child-friendly for those under 16. My daughter is just 14 months old, but she is already being targeted by shows that seek to manipulate babies’ brains to avoid losing their attention. That shows just how pernicious the online space has become, and as a father I fear what it will look like in 10 years’ time. We must act.
Catherine Fookes
Thank you so much for giving way. Do you agree that, although this point has not come across in the debate, we all meet the most incredible young people every day in our constituencies, and we must congratulate them on the amazing things they do—
Madam Deputy Speaker (Judith Cummins)
Order. I remind hon. Members that interventions must be very short at this point, and please do not to refer to each other as “you”.
Freddie van Mierlo
I join the hon. Lady in congratulating young people on their work.
I say as a father that we must act now to reduce the harm caused to two current generations of children and never expose future generations to those harms.
Data (Use and Access) Bill [Lords]
Freddie van Mierlo ExcerptsWednesday 12th February 2025
(1 year ago)
Commons ChamberRead Full debate Data (Use and Access) Act 2025 View all Data (Use and Access) Act 2025 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 64-I Marshalled list for Third Reading - (4 Feb 2025)
Peter Kyle
Of course, we should have had this Bill two years ago. We have seen enormous progress on AI technology since then. I have been at the Paris summit for the past few days, and I saw where this technology is heading. Huge advances in the power of AI and the move towards artificial general intelligence are happening faster than anybody imagined. I cannot guarantee that this Bill will be sound for time immemorial, but I can say that it is fit for the moment in which we are living.
I reassure my hon. Friend that all our regulators have been tasked with assessing how non-frontier AI, as applied throughout the economy and society, will impact the sectors they regulate. The Department for Science, Innovation and Technology is offering assistance, where needed, as we assess the impact across our society.
My hon. Friend refers to a general-purpose technology, and it will therefore be applied and deployed in different parts of the economy and society in very different ways. We must make sure that, as a society, we deploy it safely. Once we ensure that the technology is safe, we can embrace it and explore all the opportunities that it offers.
Freddie van Mierlo (Henley and Thame) (LD)
It is hard to imagine a dataset in which it is more important to maintain confidentiality than patient data. This Bill makes changes to the Health and Social Care Act 2012. Can the Secretary of State guarantee that there are no changes to patient confidentiality?
Peter Kyle
I am pleased to give the hon. Member that assurance.
Data reform could not be more urgent or more necessary. Governments have spent years waxing lyrical about the immense promise of technology.
Telegraph Poles: Birmingham
Freddie van Mierlo Excerpts(1 year, 2 months ago)
Westminster HallRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
Chris Bryant
Let me be 100% clear: where there is existing infrastructure—ducts under the road or whatever —that can be used. In fact, it should be used and different companies should collaborate to make that happen. I am 100% clear that existing infrastructure should and must be used.
There are a few caveats, as the companies themselves would advance. Sometimes people think there is a duct when there is only a cable that has been laid straight into the mud underneath. Alternatively, the pavement might now be so full of different things, including gas connections, water connections, electricity connections and so on, that there is no space for anything else to be ducted through, or the duct sleeve is so full that nothing else can be put in and another sleeve cannot be put in either. I know that is quite a long set of caveats, but those are the realities of the situation.
The commercial reality is that inserting a new duct—that is, digging up the road and putting everything underground —might be very attractive to everybody in the community, but it is nine or 10 times more expensive than putting things on poles. If we want commercial operators to roll things out, there are certain situations where there are going to be poles. I cannot hide that from anybody; it is a simple reality.
As I was saying earlier, the cabinet siting and pole siting code of practice was issued in November 2016. It sets out guidance on best practice relating to deployment, encouraging operators to site apparatus responsibly and to engage proactively with local authorities and the local community. However, some of the things that I have seen being put in—including by Brsk; not often by many other operators—are clearly in the middle of a pathway or driveway, or in other places that are completely inappropriate.
As I understood it in our meeting last week, and indeed in the exchange of letters after that meeting, Brsk committed to change its policy in such situations. At that meeting, Brsk also undertook to engage in far more proper consultation with people. It will not just put up a sign saying, “We are about to put a pole here,” and then put a pole up the next day; it will engage in proper consultation, which means going door to door and explaining things to people. In many areas, Brsk will bring the local community together for a public meeting.
One Member who came to that meeting with Brsk last week said that there had been such a public meeting in their constituency. It had been very effective and people understood the quid pro quo, which was that if there was no means of doing something by ducting, there would have to be poles; if people did not want poles, they would not get the roll-out of fibre; and other operators were not operating in that field. People said, “Okay, well in that set of circumstances, we still want this roll-out to happen, so we will live with poles.” I think most people can live with that model, but even when that is agreed, we still have to make sure that we do not put poles in the middle of someone’s driveway or where they will obstruct people and not meet the requirements of the disability measures in the Equality Act 2010.
As I said earlier, I know the industry has been working together closely. It is not easy or simple to get commercial operators that have their own investors and shareholders in competition with one another to sit down to agree a new guide and a new code of practice, so I pay tribute to everybody at the Independent Networks Co-operative Association for engaging in that way. The vast majority of the altnet companies engaged in that activity are absolutely determined. They want to take the community with them because they want to be able to sell their product, and because they are responsible players in the market. I pay tribute to them where they have managed to do that.
As Brsk knows, we will hold its feet to the fire on all the commitments that it has made in private meetings with me, in the meetings with MPs that we held last week, and in writing. Before it starts rolling out in a particular area, it needs to explore far more thoroughly what ducting might be available, which might be through BT Openreach or Virgin. It will consult properly in a local area where people lobby and argue that the siting of a pole is particularly inappropriate. It will look at moving it in so far as it possibly can.
Freddie van Mierlo (Henley and Thame) (LD)
Does the Minister agree that the siting of poles is particularly important when we consider national landscapes? It needs to take into account the broader context. Does he also agree that, where local communities are willing to engage with operators and local authorities to fund undergrounding, that would be a good approach?
Chris Bryant
That is the first time that anybody has come to me and said that a local community would fund the ducting, which is an expensive business. All sorts of competition issues might then arise. I am hesitant to advance a yes or a no to that, because one would have to explore whether that was in effect a state subsidy, how that would be provided and what kind of contract there would be for maintenance of the duct—I can foresee all sorts of problems. I am not trying to be a part of the blob, but simply to be as clear as I can about what is possible and what is not.
The hon. Member makes an important point about the desirability of poles in areas of natural beauty and whether we can or cannot have poles. I have seen many different instances—I have tried to go through as many of them as possible as a Minister—such as where people thought the issue was about a duct that somebody was refusing to use, and it turns out it is not a duct at all but a cable laid in sand, so I am quite hesitant about holding forth on where we can or absolutely cannot have a pole.
In case anybody thinks I am being nimbyish, I have poles in my street, and I am about to have another set of poles in my street. I am relatively chilled about that, but I fully understand the issue where someone has never had a pole in their street. Part of the area’s beauty is that it looks remarkably like it did in the 18th or 19th century, and people want to preserve it that way. The downside is that commercially they will probably not get gigabit-capable and fibre-based broadband, which might be more of a problem for the community than having the poles.
I think I have exhausted the subject, unless anybody else wants to have a go at me. I pay tribute to my hon. Friend the Member for Birmingham Edgbaston. I am sure that we will return to the issue as many times as necessary if Brsk refuses to fulfil its promises. I believe that when we sat down with the senior management, they were sincere and honest in the commitment that they were making, and that they did not have as full an understanding of people’s feelings in some communities as they needed to have. As I promised my favourite MP—I cannot say that too often—I will hold the company’s feet to the fire throughout.
Question put and agreed to.