Particulars of Proposed Designation of Age-Verification Regulator Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport
Thursday 1st February 2018

(6 years, 9 months ago)

Lords Chamber
Read Full debate Read Hansard Text Read Debate Ministerial Extracts
In conclusion, we believe that the BBFC has the right attributes and experience to carry out the role of age-verification regulator. It is a highly respected organisation with unparalleled expertise in classifying content. I have every confidence in recommending it to the House as the age-verification regulator for online pornography. I beg to move.
Lord Clement-Jones Portrait Lord Clement-Jones (LD)
- Hansard - -

My Lords, I have no great argument with the particulars and the designation of the BBFC as the age-verification regulator. Indeed, we had some debates on this. I know that we may have some differences with the Labour Front Bench, but we think that the BBFC is fit for this particular purpose and will carry out the job effectively. Conversations we have had have convinced us of that. Another aspect that is beginning to be unpacked is the appeals system. Although of course we put down amendments on the question of the independence of the age-verification regulator, we think that the appeals system being set up, which is qualified in the Act—we would have preferred it not to be qualified—will be fit for purpose as well.

I want to revert to something that may strike both the Minister and Members on the Labour Front Bench as rather déjà vu: the question of the specification of the type of age verification that is required, or not, by the age-verification regulator. When we talked about this issue in Committee—indeed, amendments on it were laid on 2 February 2017 in Committee and on 20 March on Report; my noble friend Lord Paddick had a particular role in that—we were very concerned on both occasions that the age-verification methods were not going to be specified in enough detail in the Bill. It did not appear that they would be specified in any great detail in the draft guidance.

Flash forward a year and I am afraid that nothing has changed. The Minister may remember that, back in January, the Select Committee on the Constitution said:

“We are concerned that the extent to which the Bill leaves the details of the age-verification regime to guidance and guidelines to be published by the as yet-to-be-designated regulator adversely affects the ability of the House effectively to scrutinise this legislation”.


We have not moved on a great deal. If we look at the details of what I have found—which appears to be the up-to-date draft of the government guidance on the age-verification regulator—under chapter 3, paragraph 4, there is this statement:

“The regulator is not required to approve individual age-verification solutions. There are various ways to age-verify online and the industry is developing at pace. Providers are innovating and providing choice to consumers”.


That is exactly the same wording as in the draft guidance last year and quoted by my noble friend Lord Paddick on 20 March. That is extremely disappointing. It appears that the age-verification regulator will play an incredibly light-touch role in the approval of the type of age-verification that takes place.

Of course, later in chapter 3—which is headed “Age-verification arrangements”—it describes,

“the expectation that age-verification services and online pornography providers should take a privacy by design approach as recommended by the ICO”.

I have the privacy by design guidance from the ICO in front of me and I must say, if I was an age-verification provider, I would not find it particularly onerous, in terms of requiring me to try to find an anonymised age-verification solution. I find the Government’s guidance, as per Section 27 of the Act, extremely disappointing. I very much hope that the Minister can explain whether the ICO will have a role in this, what the impact of privacy by design is, in terms of enforcement, and whether the ICO will have the ability to impose a privacy impact assessment—or even a data impact assessment—on the object of the age-verification regulator’s regulation. Perhaps at the same time the Minister can explain in this particular space the boundary between what the ICO is empowered to do and what the age-verification regulator will be doing.

I am sorry to have to be disappointing in that respect, but I think that as part of the wider landscape—a matter we discussed last year—where we have got to is not particularly satisfactory if the general purpose of the age-verification regulator is to make sure that age-verification really works and that there is not the access for young people to these pornography sites that the Act was designed to prevent.

Earl of Erroll Portrait The Earl of Erroll (CB)
- Hansard - - - Excerpts

My Lords, I want to say a few words. I was quite involved in this issue when it was going through as part of our consideration of the Digital Economy Act. The Digital Policy Alliance, of which I am chairman, has had a working group on age verification for several years, looking at whether there are available solutions and encouraging people to develop them. I am pleased to tell the noble Lord, Lord Clement-Jones, that there are some solutions out there. I will explain something about that.

The only thing I want to say is that the Act received Royal Assent on 28 April, I think, so it has taken a very long time to get this guidance in place. That is a bit of a worry and a bit of a disappointment. I seem to remember that there was an intention to try to have enforcement within a year, otherwise there would be a huge great gap in the meantime. We are trying to protect children after all; that was the whole point of this. Waiting for a year—it will probably now be longer—is an awfully long time not to have protection in place.

I am very glad that the BBFC is finally about to get some teeth, get into operation and do something about this, which I am sure it will do extremely well. I know that it has been consulting an awful lot with a lot of different people from all the different sides, from child protection right through to the adult industry. The interesting thing is that quite a lot of the adult industry is happy to help and to co-operate, because it does not want children wasting its time. It is not in the job of trying to pervert children, but of trying to sell adult content to adults, so it is willing to co-operate. The world is watching. There is apparently now a willingness to realise that this will happen and to co-operate to a large extent.

The noble Lord, Lord Clement-Jones, has put his finger on the point about age-verification methods: they have to work and to do various things. I say to him, though, that there is a difference between the bit that is checking the attribute—the age—and the bit about privacy, which is not identifying who the person is to a website and to a casual visitor to that website. It would be career-limiting were it to be found out that the noble Lord himself was visiting an adult content site, even though it would be totally legal for him to do so. Therefore, it is important to ensure that privacy happens at that point, which is the ICO’s part. It is not the ICO’s job to say how age verification should be done. That is a different job.

In fact, we have developed, along with the British Standards Institution, a publicly available specification, PAS 1296, which should be coming out quite soon. It has been around the houses several times and has been revised. That should allow it to be possible for an organisation to see for itself how well it is doing. It might be that an industry body should be set up that can check whether age-verification providers are doing something in alignment with the PAS, which goes into great detail about how you can do these things and make sure that it can be privacy enforcing. The privacy side is left up to the GDPR, but it is mentioned in there as well.

Those are the main points that I wanted to make. It is time to get on with this. It is a huge leap forward. As I said, the world is watching. A whole lot of good will is out there to get this done properly. I look forward to seeing the final draft regulations, which will probably do the job.

--- Later in debate ---
Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

My Lords, I am grateful to the noble Lords, Lord Stevenson and Lord Clement-Jones. There is a sense of déjà vu from the Digital Economy Act; we are continuing some of the discussions that we had then, and I am happy to do so. However, it is important to bear in mind what we are doing today, which is designating the BBFC. I hope we will come to other issues in the coming weeks. I will get into the definition of “soon” later.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

I apologise for interrupting the Minister. Perhaps he can explain why we are not doing this all in one fell swoop. It seems rather bitty. The draft guidance seems to be on the web, and certainly it seems to be all there, so why are we not trying to deal with this in a holistic way?

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

The answer is that until the regulator is designated, it cannot issue guidance.

Lord Clement-Jones Portrait Lord Clement-Jones
- Hansard - -

My Lords, I was thinking of the government guidance.

Lord Ashton of Hyde Portrait Lord Ashton of Hyde
- Hansard - - - Excerpts

We have the government guidance that the Secretary of State has issued. The important issue, which I was going to come to in answering the noble Lord’s question, is that this is a series of steps that involves consultation and then issuing guidance. Until the regulator is designated, it cannot begin to consult or issue guidance. It is a sequential process. There is no question that we want to get on with this; we are not trying to delay it. We are conscious that this needs to be done as soon as possible, and I will come to the steps that might explain that further.

The noble Lord, Lord Clement-Jones, was asking about how the system is going to operate and the level of detail. As I said, the Secretary of State’s guidance to the regulator is there for as and when it is designated, but then the regulator is required to publish its guidance on the age-verification arrangements that it will treat as compliant. So, as I was saying, once the BBFC has been designated, that draft guidance will be laid before Parliament. The noble Lord will be able to raise his objections or queries then, when he has seen the guidance that the regulator itself has made. Until that happens, it cannot either consult or lay the guidance. Parliament can then scrutinise it. That will involve the affirmative procedure in both Houses, so that will be an appropriate point to debate the issues.

We have absolutely understood the need for things like privacy. We understand that it is important to outline those issues and priorities in the Secretary of State’s guidance to the regulator, as and when it is designated. It is then up to the regulator to get into the detail of what it will consider compliant. There is no question that it will choose a particular method. It will set criteria. There will not just be one system, for example; it will make sure that its criteria are clear in the guidance. As I say, we will have a chance to debate that.

The noble Earl, Lord Erroll, talked about when the powers are going to come into force. As I said, we want to do that as quickly as possible. In fact the current Secretary of State said it was his ambition to complete it within a year, although that is going to be difficult. We want to get it right; we want the process of consultation and guidance to be done properly. Of course, there was the small matter of purdah and an election in the way. Now, however, if this House approves the regulator today, we will be well on the way to doing that, and we are definitely trying to do it as quickly as possible.

We take data protection and privacy very seriously. The age verification arrangements should be concerned with verifying only age, not identity; we absolutely agree with that. Providers of age-verification controls will be subject to data protection laws—the GDPR—from 25 May, and the BBFC will work with the Information Commissioner’s Office to ensure that its standards are met by age verification providers, particularly with regard to security, data minimisation and privacy by design. So the ICO is there to uphold the law and enforce data protection law and the GDPR. To go further on that point, the noble Lord, Lord Clement-Jones, mentioned the relationship. The BBFC and the ICO are going to agree a memorandum of understanding to ensure and clarify how they are going to work together and separate their various responsibilities.

I know the noble Lord, Lord Stevenson, is not entirely happy with some of the arrangements; we debated some of them on the Digital Economy Bill. He also mentioned definitions and said one of the things that the regulator—that is, the BBFC if it is designated—will have to do is regulate the definition of extreme pornography that is unlawful even if it has age verification in place. That is not really the subject of debate today. Noble Lords will have an opportunity to discuss that when the regulations come—