Skip to main content

Data Protection Bill [HL]

Volume 785: debated on Monday 6 November 2017

Committee (2nd Day)

Relevant documents: 6th Report from the Delegated Powers Committee, 6th Report from the Constitution Committee

Clause 8: Child’s consent in relation to information society services

Amendment 18

Moved by

18: Clause 8, leave out Clause 8 and insert the following new Clause—

“Child's consent in relation to information society services

In Article 8(1) of the GDPR (conditions applicable to child’s consent in relation to information society services)—(a) references to “16 years” are to be read as references to “13 years” provided that the information society service meets the minimum standards of age-appropriate design as determined by the Commissioner, and (b) the reference to “information society services” does not include preventive or counselling services.”

My Lords, I shall also speak to Amendments 19, 155, 156 and 157 and in so doing I thank the many noble Lords who have voiced their support, particularly the noble Baroness, Lady Harding of Winscombe, and the noble Lords, Lord Storey and Lord Stevenson of Balmacara, who have put their names to them. In Clause 8, the Government have chosen with nothing more than a tick of a box to treat a child of 13 as if they were an adult when in the digital environment, with the explanation that they are merely aligning legislation with the age used by popular sites. That cannot be right.

Children have special protections and privileges evident in our culture, embedded in our law and determined by our being signatory to the charter on the rights of the child. Collectively, the amendments affirm that a child is a child even online, a principle that is not sufficiently articulated in the Bill. I shall go to each amendment in turn.

Amendment 18 would make the consent of a child aged 13 to 16 lawful only when a service seeking that child’s consent meets,

“minimum standards of age-appropriate design”.

Amendment 19 would make consent given by a person with parental responsibility on behalf of a child under 13 lawful only when the service seeking the consent meets the,

“minimum standards of age-appropriate design”.

Passing these amendments would make it unlawful to seek a child’s consent or parental consent on a child’s behalf without providing a service that recognises the age of that child.

Amendment 155 would require the Information Commissioner to create guidance on age-appropriate design and take into account such matters as a child’s need for high privacy settings by default, not revealing their GPS location, using their data only to enable them to use a service as they wish and no more, and not automatically excluding them if they will not give up vast swathes of data however nicely you ask. If the commissioner so wished, it could also mean giving a child time off by not sending endless notifications during school hours or sleep hours and deactivating features designed to promote extended use; making commercially driven content, whether a vlogger or a direct marketing campaign, visible to and understood by a minor; and insisting on reporting processes with an end-point and a reasonable expectation of resolution. The amendment would require the commissioner to consult a wide group of stakeholders before coming to that decision and, crucially, sets out that she must also consult children, who are so often the first to adopt emerging technologies—early to spot the issues yet rarely asked to contribute meaningfully to how their needs might be met in the digital environment. Government has been widely criticised for not consulting children, so I wish to put on the record that where their views have been captured, children have consistently called for better privacy and data management, clearer guidance on content, transparent reporting strategies and greater visibility of how their data are shared and commoditised, calls which industry and government steadfastly choose to ignore. Amendments 156 and 157 would ensure that both Houses were able to scrutinise the guidance before it came into force.

The GDPR is the substantive law which the Bill supplements. While the GDPR acknowledges that children enjoy enhanced rights online, it says little about what this means in practice, and the majority of the provisions for children sit in the recitals, which, as we heard last week, are not binding. The limitations of Article 8 of the GDPR are pointed out by Professor Sonia Livingstone OBE, who writes that:

“article 8 of the GDPR is beginning to seem to me increasingly irrelevant. When kids tick the box the companies will then bear no responsibility to them by reason of their age”.

Meanwhile, John Carr OBE says:

“If you entice or allow 13 year-olds on your site, you must … treat them in a manner relevant to their age”.

Professor Livingstone and John Carr are arguably the most renowned experts in the field of childhood online. On this matter, they are joined by the NSPCC, Parent Zone, YoungMinds, the Anti-Bullying Alliance, the CHIS and the Children’s Commissioner—among many others—in supporting the amendments. The amendments provide clarity, allow our legislation to reflect our values, and are necessary to make industry respond to the needs of children.

When I first tabled Amendment 18, a number of people from the Government said to me, “Nice amendment, but it threatens compatibility with existing EU law and potentially our prospects for securing a post-Brexit adequacy agreement”. I see no cause for this anxiety. Article 8 of the GDPR provides that,

“the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years”.

The legal advice from a leading QC who specialises in this area is that,

“these amendments are consistent with the approach of the GDPR towards children in particular as set out in recital 38”.

He continues by saying that they are:

“consistent with the scheme of the GDPR to balance the lower age of consent with the addition of further protective measures in the form of age appropriate design”.

If the Government have a legal opinion to the contrary, the onus is on them to share it; otherwise, we should be discussing the amendments on their own merits.

The Minister is aware that I offered to discuss the amendments with the Government but that offer has yet to be taken up, so I was very surprised to read in the Sunday Telegraph yesterday a quote from the Minister, Matt Hancock, who said that,

“this amendment risks creating confusion and disproportionate legislation as part of the Data Protection Bill”.

I am uncertain what the Minister for Digital finds confusing. This is a straightforward amendment that simply recognises that a child of 13 is not the same as an adult, and that is as true in the digital world as it is in the analogue. I am somewhat concerned that his position has more to do with the conflict in his role between looking after tech and looking after the nation’s children. As for “disproportionate legislation”, again, I see no case. The Minister argues that he can deliver the same outcome within the Government’s recently announced internet safety strategy, but this strategy relies on industry’s negligible appetite for change, offers self-regulation as the method, takes a narrow definition of “childhood needs”, ignores the voices of children, and is utterly silent on the question of enforcement. ICT companies already subscribe to multiple voluntary standards and these have had next to no impact.

Year after year, we see an increase in the problems that young people face online. For example, even at the lowest level of ambition—the stated goal of preventing underage use—we still find that 78% of 10 to 12 year-olds have a social media account, when the joining age is 13. When the law firm Schillings translated Instagram’s 5,000-word terms and conditions into plain English so that young people could see what they were signing up to, it said—I paraphrase—“We may keep or share your personal information, including name, address, school, your likes and dislikes, your phone number, where you go, who your friends are, and any other information that you may share, including your birthday and who you are chatting to, including in private messaging”.

Self-regulation does not work. I am afraid that government policy is little more than putting the foxes in charge of guarding the henhouse. It is the duty of government to advocate on behalf of its citizens, particularly those who cannot advocate for themselves. In balancing the needs of tech and childhood, we must choose childhood because children cannot yet, and should not be expected to, look after themselves.

Before I sit down, I want briefly to answer three very specific points that noble Lords have raised with me. First, we are not calling for a higher age of consent because raising the age without placing conditions will inevitably mean that millions more children will be trespassers on sites where providers have been absolved of any responsibility towards their underage users. It is wrong to lock young people out. They must be invited to explore and participate in the digital world, but on terms that are designed to support their age and their established rights and freedom.

Secondly, is age-appropriate design achievable? Yes. The technology needed to deliver it already exists and is routinely used to tailor our online experiences. If the technology behind my Facebook account is sophisticated enough to personalise my home page with adverts specific to my purchasing preferences and a newsfeed specific to my interests, then it is sophisticated enough to be personalised to the needs of a 13 year-old. Subsection (6) of the proposed new clause inserted by Amendment 155 provides for transitional arrangements that would allow companies time to make the necessary changes. It is important to note that these standards would not affect the freedoms of adult users. It is entirely possible to vary the user experience. Personalisation is an industry norm.

Finally, is it not a matter for parents? Parental responsibility and guidance can never be replaced, but if devices are portable, services are designed for adults and community rules are not upheld, then parents do not have the tools to guide children in the digital environment. It is the responsibility of companies to provide age-appropriate services and of government to ensure that they do, so that parents and children are able to make positive choices.

It is imperative that children and young people are able to access a digital environment creatively, knowledgably and fearlessly. In helping them do so, we would be fulfilling the Government’s manifesto pledge to make the UK the best place in the world to be on line. I beg to move.

My Lords, I should draw the attention of the House to my interests in various digital organisations as set out in the register. I put my name to the amendments tabled by the noble Baroness, Lady Kidron, with a heavy heart, if I am honest. I have spent the past eight years running an internet service provider and arguing that competition is the route to delivering better services for consumers, and a large part of me would really like to believe that the fierce competition that exists among social media companies and other web applications would drive to the right outcomes for our children and for parents looking to protect their children, but the sad truth is that that is not the case. I have worked for and with many very well-meaning and talented people who lead these businesses, but the truth is that some of the largest companies in the world are simply not putting in place the most basic protections for our children. It is clear that our children are not protected. What is more, children say that themselves. They love social media platforms, but in research conducted by the Children’s Society, 83% of children said that they think that social media companies should do more to protect them, and we know that if we ask parents we get very similar statistics.

It is also clear that we know what could be done. It is no good saying we should set minimum standards if we do not have a sense of what those basic minimum standards would be. As the noble Baroness, Lady Kidron, has just set out, the children’s charities, led mainly on this by the NSPCC and the Anti-Bullying Alliance, are very clear about what some very basic standards would look like: the strongest privacy settings being default on for anyone under 18; geolocation turned off as a default if you are under 18; regular prompts about your privacy settings targeted in language that under-18s will understand; age being a required field when signing up for a service; and clear, transparent reporting processes if a child reports abusive behaviour on that platform in children’s language.

These are not difficult things, and I hope they are not contentious, yet they are not being done. We owe it to our children to step back and ask why these basic things are not being done. People attempted to argue that this is because these are small start-ups scrambling in the rush to build a tech business, but I am afraid the basic things I have just listed are by and large not done by the largest businesses on the planet, providing services to the vast majority of our children.

The second reason people argue these things are not being done is that these are global businesses that will develop only one, global, product and they cannot—they are terribly sorry—adjust for our children’s needs when they are working on their global technology road map. That is just not a good enough argument. In every other form of regulation the world over, good regulation begins in one geographical area and then spreads. We should not allow these large companies to tell us that because they are global they cannot engage with us locally. Actually, they are all learning that that is not true.

I suspect that the real reason we are not getting change is a very practical one, which is that every technology company in the world has a contended development pipeline, by which I mean they have more things they want to do to improve their product for their customers than they have the resource or capability to deliver. I say this having been a chief executive of a tech company: you spend your life trying to prioritise the list of ideas and innovations, and the harsh reality is that protecting children is not coming high enough up that contended technology stack in any of these businesses. That is probably not surprising, because children themselves will be asking for other things as well, and it is exactly why you need to have regulation.

We accept absolutely, almost as an act of faith, that minimum health and safety standards are necessary in the physical world and that factories have to meet basic regulatory standards. The digital world is no different. We know what those basic standards should be now. I am sure they will change over time, but we know enough to set them. Our children’s mental health is every bit as important as people’s physical health as they grow up. This is something that we have to face.

I hope your Lordships will forgive me if I am getting the procedures of the House wrong, but my noble friend Lady Lane-Fox asked me to add her voice to this debate. Although she is currently in her place, she says:

“I cannot be in my place for the length of the debate today but I would like to add my voice to the amendment. There is a clear need for more to be done to protect children and to ensure that they can realise the multiple benefits of engaging with the internet while recognising that they are not yet experienced users.

I welcome the opportunity to design accessible and clear services that help children to navigate around safely. As others may already have raised, designing for children is not technically difficult—the BBC has been doing it well online for many years, but it is right to ensure more services are as careful and do not shirk their responsibilities. As I raised in Second Reading, I would very much hope that the ICO will be given the necessary resources to be able to handle Baroness Kidron’s sensible suggestions alongside the other sizeable new areas of activity that they are being given in this Bill”.

Switching back to my own voice, I join the noble Baroness in being convinced of the good that the digital world can do, but as with all technology, we need to mould it to meet our needs, not vice versa, and it is high time we set out the basic safety requirements our children need. That is what this set of amendments intends to do, which is why I support it.

My Lords, as I have said on a number of occasions, my previous job for 40 years was a teacher, 20 of those as a head teacher. One of my prime responsibilities as a head teacher was the safeguarding of children in my school. That was the most important thing I did: to make sure they were safe, so that those primary-age children, aged from five to 11, and nursery as well, could enjoy their childhood and their parents could know that they were safe and enjoying their innocence.

The Government did a lot with their education policies about safeguarding. Anyone visiting the school had to be checked and double-checked and had to wear identification. Children who went out of school had to be escorted properly and correctly. As part of our personal and social health education, we made sure that young people themselves understood. Yet, when it comes to this area, we seem not to take the role as seriously as we should. I was reading the newspapers on the train from Liverpool this morning. I just could not believe the Times headline:

“Children as young as ten are sexting”.

The article says that,

“according to figures from the National Police Chiefs Council. In 2015-16, there were 4,681 cases”,

where children as young as 10 were either sending inappropriate messages or photographs to other pupils or receiving them. Imagine it was your daughter who at the age of seven or eight—and some of them are that young—was receiving inappropriate pictures from other pupils. How would you feel as a parent? Is that really protecting or safeguarding those children?

I do not want to speak at length in this debate; I think the noble Baronesses, Lady Kidron and Lady Harding, have said it all. It is not beyond our wit to do these simple things. I have seen for myself that self-regulation does not work. I hope that between now and Report the Government will put aside any feeling that, “We can’t do this because of the EU, because of our own lethargy, because of what we have said in the past or because it will create more regulation”. This is about children. Let us all agree that on Report we can agree these eminently sensible amendments.

My Lords, I support the amendments. I remind the House of my interests in relation to my work at TES, the digital education company.

The noble Baroness, Lady Kidron, and the others who have supported the amendment have given the Government a pretty neat way out of the problem that 13 as the age of consent for young people to sign up to “information society services”, as the Bill likes to call them, feels wrong. I have found that for many Members of your Lordships’ House, 16 feels like a safer and more appropriate age, for all the reasons that the noble Lord, Lord Storey, has just given in terms of defining when children are children. There is considerable discomfort about 13 in terms of where the Bill currently sits.

However, I think many noble Lords are realists and understand that to some extent the horse has bolted. Given the huge numbers of young people currently signing up to these services who are under 13, trying to pretend that we can find a way of forcing the age up to 16 from the accepted behavioural norm of 13 looks challenging. Yet we want to protect children. So the question is whether these amendments would provide that solution. That hinges on whether it is reasonable to ask the suppliers of information society services to verify age, and whether it is then reasonable to ask them to design in an age-appropriate fashion. From my experience, the answer to both is yes, it is. Currently, all you do is tick a box to self-verify that you are the age you are. If subsequently you want to have your data deleted, you may have to go through a whole rigmarole to prove that you are who you are and the age you say you are, but for some reason the service providers do not require the same standard of proof and efficacy at the point where you sign up to them. That is out of balance, and it is effectively our role to put it back into balance.

The Government themselves, through the Government Digital Service, have an exceedingly good age-verification service called, strangely, Verify. It does what it says on the tin, and it does it really well. I pay tribute to the GDS for Verify as a service that it allows third parties to use: it is not used solely by Government.

So age verification is undoubtedly available. Next, is it possible—this was explored in previous comments, so I will not go on about it—for age-appropriate design to be delivered? From our work at TES, I am familiar with how you personalise newsfeeds based on data, understanding and profiling of users. It is worth saying, incidentally, that those information society services providers will be able to work out what age their users are from the data that they start to share: they will be able to infer age extremely accurately. So there is no excuse of not knowing how old their users are. Any of us who use any social media services will know that the feeds we get are personalised, because they know who we are and they know enough about us. It is equally possible, alongside the content that is fed, to shift some aspects of design. It would be possible to filter content according to what is appropriate, or to give a slightly different homepage, landing page and subsequent pages, according to age appropriateness.

I put it to the Minister, who I know listens carefully, that this is an elegant solution to his problem, and I hope that he reflects, talks to his colleague the right honourable Matthew Hancock, who is also a reasonable Minister, and comes back with something very similar to the amendments on Report, assuming that they are not pressed at this stage.

My noble friend made a very strong case. The internet was designed for adults, but I think I am right in saying that 25% of time spent online is spent by children. A child is a child, whether online or offline, and we cannot treat a 13 year-old as an adult. It is quite straightforward: the internet needs to be designed for safety. That means it must be age appropriate, and the technology companies need to do something about it. I support the amendments very strongly.

My Lords, I, too, support my noble friend Lady Kidron. Last week, with her and my noble friend Lord Best, I was able to attend a briefing session with the right honourable Karen Bradley, the Secretary of State. I found that very helpful. We were looking at the Green Paper on internet safety published on 11 October. It is curious that we are here in Committee talking about some of the same issues when that significant consultation is being undertaken by the Government. I hope that when the noble Lord, Lord Ashton of Hyde, comes to reply to the debate, he will say something about how the Government intend to synchronise the discussion of and consultation on the Green Paper that is under way with the moving horse of legislation that is proceeding through your Lordships’ House.

During our discussions last week, my noble friend raised again the duty to protect. I agree with what the noble Lord, Lord Knight, just said about this providing an elegant way forward. I guess that many of us would want to turn the clock back if that were possible, but we recognise that it is not, and this may well be, therefore, a better way to proceed. It is certainly one to which the Government should be giving considerable attention.

While I am on my feet, perhaps I may remind the noble Lord, Lord Ashton, of the amendment that I moved with my noble and learned friend Lady Butler-Sloss during the debate in April on the digital legislation. I particularly draw his attention to col. 40 on 20 March and the remarks made by his right honourable friend the Minister of State for Digital in the other place on 26 April, when he described the question of prohibited material and definitions, which we had argued should be consistent across varying media platforms. They both said that this was unfinished business that would be returned to. I have studied the Green Paper but have not been able to find the solution to that unfinished business, and wonder whether it will be addressed as the legislation proceeds.

Perhaps I may also ask the Minister about the protection of minors. It has been stated again and again, by all noble Lords who have participated so far, including the noble Lord, Lord Storey, that the protection of children should be a paramount consideration at all times. The Minister may recall the case, which I raised with the Secretary of State and in your Lordships’ House, of some young people who had visited suicide sites. I was horrified to learn from the headmaster of a school in Lancashire, where I arrived to distribute prizes, that a child who had visited a suicide site had taken their own life only that morning. What further protections are being provided to require service providers, for whom self-regulation is clearly not enough, to do rather more about that question?

It has been said that parents do not have a chance in this situation; that is absolutely right. As my noble friend Lady Hollins said, young people spend a vast amount of time on the internet. Many parents do not understand how it works. It is therefore crucial that we do all we can to place pressure on the service providers. I remind the House of the advice that Aristotle gave parents. He said that only a bad parent would place their children in the hands of a foolish storyteller. I fear that many of us, maybe inadvertently and without knowing the full consequences of placing our children in the hands of the Twittersphere and the digital world, with all the information that pours into their minds on a massive scale, have placed them into bad hands. We need to do more to protect them. This is what my noble friend is trying to do and I commend her amendment to the House.

My Lords, I support the aim of these amendments, as do other noble Lords who have spoken. They were extraordinarily well introduced, given the scope of what they are intended to achieve. As I said at Second Reading, I do not have the same authority and technical background in the industry as many noble Lords who have taken part, particularly the noble Baroness, Lady Harding. However, I have a legitimate question for the noble Baroness. The Minister, who will have heard the general support around the House, will also be aware of this. However good the intentions of the amendments—and I support their aims—it is difficult to regulate in a world in which technical capacity is international. As the noble Baroness, Lady Harding, said, these matters are rather low on the agendas of the major, global corporations which are responsible for producing the technology, delivering the content and organising the platforms that children may be accessing, appropriately or not. It is legitimate to ask, as she did, whether what we say and how we regulate in this country can be a beacon. I think she said that this could be the beginning of a geographical spread of better regulation. It would be pointless to ignore the fact that we are dealing not with an internal issue of domestic regulation as we would be with terrestrial broadcasting, but with global corporations, most of them based on the west coast of the United States, which do not necessarily even agree with the aims of these amendments—which I very certainly do.

My Lords, the intention for a minimum level of design to help children and their parents, set out in Amendments 18, 19, and 155, is indeed laudable and provides an excellent opportunity for us to debate the role of the Information Commissioner. However, I am concerned that these amendments continue legal uncertainty in a number of ways. The revised Clause 8, introduced by Amendment 18, would uphold the age of 13 as the age of digital consent—but only when a website,

“meets the minimum standards of age-appropriate design as determined by the Commissioner”.

Similarly, Amendment 19 seeks to ensure that sites which children under 13 are likely to visit have a certain minimum design to help children and parents. Details for establishing those standards are in Amendments 155, 156 and 157.

My first concern is how a consumer—a child or parent—will know whether a website meets the minimum standards and therefore which age of consent applies. Secondly, what would happen were a site not to meet the minimum standards set by the Information Commissioner but still used 13 as the age for when a parent is no longer required to consent to the use of the child’s data?

Thirdly, in relation to sites requiring parental consent under Amendment 19, it is not clear how parents should deal with websites that do not meet the minimum standards. If a website does not meet the minimum standards, will a parent’s consent to the processing of their child’s data be invalid?

None of the Amendments 155, 156 and 157 about establishing the guidelines on minimum standards seems to address these questions, or how the minimum standards will be enforced. Without any way to enforce the standards or clarity about situations where sites do not meet the standards, especially for parents, guidelines on minimum standards cannot offer any clear protection.

Amendment 20A proposes a review of Clause 8, including,

“an assessment of the efficacy of age verification processes for the purposes of gaining consent of children aged 13 years and over”,

and of the impact of this clause on the wider issues relating to the safety of children online. I welcome the intention of this amendment to allow reconsideration of the age at which children can consent to sharing their data online. However, I am not sure that it quite addresses the problem. While I am not saying that the digital age of consent absolutely has to be 16, I still do not see an evidence base for suggesting that it should be 13.

I struggle to see how any amendment can take us to where we need to be at the moment without requiring the generation, prior to the coming into force of this clause, of an evidence base to facilitate an informed determination of what the digital age of consent should be.

My Lords, we have to face the reality that children are going online at a younger and younger age, so anything that facilitates that and makes it work more sensibly is essential. We need to think about the interface with the right of erasure in Clause 44 and the clauses just after it. I am not sure whether parental consent is still required for this when someone is under 16. There have been problems where children or younger people have put images and other material online which they want removed but are far too embarrassed to tell their parents about them. The problem is that data processors are not allowed to remove them without parental consent, so the children do not tell their parents, the images stay there and a lot of trouble is caused. That area should be looked at in relation to these clauses and Clause 44. I would love to leave it to someone else to sort this out who is better qualified to deal with the legal position.

My Lords, I support this amendment and apologise to the Minister and the House for not being present at Second Reading as I was overseas. However, my noble friend Lady Jay more than adequately set out some of my concerns around Part 5 of the Bill. However, this is also a very important amendment. In the debate initiated by the noble Baroness, Lady Lane-Fox, on 7 September, the noble Baroness, Lady Kidron, said:

“There is an awkward tension in having a technology that is able to help us to confront our societal needs … and a corporate culture that aggressively balks at … long-term societal responsibilities”.—[Official Report, 7/9/17; col. 2118.]

In the end, that is precisely what this comes down to. The noble Baroness, Lady Harding, made a very important point a little earlier. She referred to barriers to entry being used by corporations to not do the things that they should do, and at the time they should do them.

Today is the 20th anniversary of my entering your Lordships’ House and, if I had to count the number of times I have been told that barriers to entry are the reason for not doing something, we would all be here all day. I well remember the noble Lord, Lord Oxburgh, who is in his place, and I having a meeting with the then Ministers for Energy and being told that “barriers to entry” were one reason that the large energy companies could not do the things that we suggested they might do at the time. Therefore the idea that the Silicon Valley companies have not reached a sufficient size or sophistication to be able to carry out the de minimis changes to their platforms—the effect of the amendment which the noble Baroness, Lady Kidron, set out so beautifully—is a nonsense. Please can the noble Lord, Lord Ashton, beg Matt Hancock, the Minister, to put to one side any more arguments about unacceptable barriers to entry being raised by this and indeed other amendments on the same subject?

My Lords, this has been a terrific debate on an important subject. We probably all agree that of all the issues that will come up on the Bill, we care about this one the most and would like to see it settled in a way that balances, as has been said, the wish for people to enjoy the use of the internet—which brings so much in so many different ways—with an appropriate regulatory structure that means that harm is prevented where it is appropriate to do so.

I was struck by what the noble Baroness, Lady Harding, said. Obviously, she is in a difficult position, speaking against her Government on a matter about which she has so much expertise and knowledge. However, she made the case so well that it is worth paying tribute to her for that. If we find a situation in any aspect of our public life where those responsible for an issue are unwilling or unable to deal with it appropriately, the public authorities have to take that step. We are in that situation—she made that clear so well.

Other arguments have been used today that were knocked back by the noble Baroness, Lady Kidron, when she spoke, but it is important to bear this in mind. There is no question here about us affecting our adequacy issues. This is definitely left to the government agencies in the countries involved to act on, and there is no issue here with regard to what we would say to the European Union should that be required in terms of adequacy, so we should not be dissuaded by that. As the recitals attached to the GDPR say, it is still a question of needing to balance the lower age of consent with the appropriate safeguards required. Age is one of those—it is important, but not the only one; capacity has also been raised before. However, we have the issue here about age, and there is a need for guidance around that.

The Government will not address the issue in any future sense. The internet strategy, which was referred to, is a bit of a red herring here, and, as we have heard, self-regulation, on which it is largely based, does not work. Therefore, action is probably required. As I said, if the industry will not do it, the public authorities should. We want this country to be the best place in the world to be online, and we want it to be safe to do so. If it is possible to design an age-appropriate environment, we should look very hard at that. The case that has been made today is incredibly important. The Government have a good sense of that from all around the Committee, as was said, and I hope they will be able to respond positively to it.

I will speak briefly to Amendment 20A, which picks up points made by the noble Baroness, Lady Howe. One issue that affects all those who wish to work in this area is the lack of information about what is happening on the ground: who is using what and how, with regard to time, effort and use of the internet? Amendment 20A, in my name, suggests to the Government that there is need at some point for a proper review which will require the companies to divest the information they currently have but which they do not share on information society services. Only then will the evidence of which the noble Baroness, Lady Howe, spoke, which will inform us as we go forward, be available. However, it should not stand in the way of the need to act in this way in this amendment, which I fully support.

My Lords, the noble Lord, Lord Stevenson, said that he hoped I had a sense of where the Committee is coming from. I very much have a sense of that. I know that child online safety is an issue that is taken seriously by all noble Lords in the House, and it has been the subject of much debate apart from today. I am therefore grateful to the noble Baroness and to all who contributed for introducing this important subject. I assure all noble Lords that we have an open mind. However, I will pour a bit of cold water because some issues, to which we may well come back, need to be thought about. I apologise to the noble Baroness, Lady Kidron, for the fact that we have not met. I thought that we were arranging a meeting. I have certainly talked to my noble friend Lady Harding about these amendments. However, I repeat not only to her but to every noble Lord that I am very happy to talk to anyone about these matters before Report, and I have no doubt that I will be talking to the noble Baroness before too long.

At Second Reading we heard a good deal about the need to improve online safety and concerns about the role that social media companies play in young people’s lives. The Government are fully committed to this cause. Our approach has been laid out in the Internet Safety Strategy Green Paper, published earlier this month. In that strategy, the Government detailed a number of commitments to improve online safety for all users and issued a consultation on further work, including the social media code of practice, the social media levy and transparency reporting. Although the Government are currently promoting a voluntary approach to work with industry, we have clearly stated in the strategy—and I repeat it now—that legislation will be introduced if necessary, and this will be taken forward in the digital charter.

The Government’s clear intention is to educate all users on the safe use of online sites such as social media sites. Again, this is set out in the strategy. This includes efforts targeted at children, comprising working with civil society groups to support peer-to-peer programmes and revised national curriculums. We believe that education is fundamental to safe use of the internet because it enables users to build the skills and resilience needed to navigate the online world and to be capable of adapting to the continuous changes and innovations that we see in this space.

The aim of these amendments is to allow information society services to make use of the derogation in the GDPR to set the age threshold at 13 only if sites comply with guidance on the minimum standards of age-appropriate design as set out by the Information Commissioner. Although the Government are sympathetic to their goal to raise the level of safety online, we have some questions about how it would work in practice and some fundamental concerns about its possible unintended consequences.

The noble Lord, Lord Storey, said that we should not rest our case on EU law. That is an enticing argument, especially from a Liberal Democrat, but I think that there is a sense of frustration there and I would not hold him to that. However, the fact is that, as we discussed last week, we are determined to ensure that we preserve the free flow of data once the UK leaves the EU.

I have to raise the issue of compliance with the GDPR, because we have a very real concern that these amendments are not compatible with it. The GDPR was designed as a regulation to ensure harmonisation of data protection laws across the EU. The nature of the internet and the transnational flow of data that it entails mean that effective regulations need international agreement. However, these amendments would create additional burdens for data controllers. Article 8 of the GDPR says that member states may provide by law for a lower age but it does not indicate that exercising this derogation should be conditional on other requirements. These amendments go further than permitted, creating a risk for our future trading relationships.

The noble Baroness mentioned that she had advice from a prominent QC. If she would care to share that with us, I would be happy to discuss it with her, and we will put that in front of our lawyers as well. I have an open mind on this but we think that there is an issue as far as the GDPR’s compatibility is concerned.

Amendment 155 would require the Information Commissioner to produce guidance on standards and design. The Information Commissioner will already be providing guidance on minimum standards to comply with the requirement not to offer services to under-13s without parental consent. Indeed, it will be the role of the commissioner to enforce the new law on consent. Although the guidance will not include details on age-appropriate design, this is not something that should be overlooked by government. However, tackling the problem of age-appropriate design is not just a data protection issue, and we should be very cautious about using this age threshold as a tool to keep children off certain sites. This is about their data and not the more fundamental question of the age at which children should be able to use these sites.

We need to educate children and work with internet companies to keep them safe and allow them to benefit from being online. Where there is clearly harmful material, such as online pornography, we have acted to protect children through a requirement for age verification in the Digital Economy Act 2017. The Government’s Internet Safety Strategy addresses a wide range of ways to protect the public online. While online safety, particularly for children, is very important, we should not be confusing this with the age at which parental consent is no longer required for the processing of personal data by online services. The Government have a clear plan of action.

I apologise to the Minister for interrupting. I am just interested in that confusion that he talks about. Perhaps I am incorrect, but I understand that images, for example, are data. There is a lot of concern about sexting and about platforms such as Snapchat and the sharing of data. Where is the confusion? Is it in the Government, or in the Chamber?

I do not think I mentioned confusion. What we are talking about in the Bill is purely data protection. We are talking about the age at which children can consent to information society services handling their data. What I think the noble Baroness, and a lot of Peers in the House, are talking about is keeping children safe online, which is more than just protection of their personal data.

I also apologise for interrupting but I have to support the noble Lord, Lord Knight. When I read out the list, I said that Instagram takes information such as your phone number, your birthday and who you are chatting with. That is data, so I come at this from a very clear position on children’s rights. I am very keen for children to be online. I agree with the noble Lord, Lord Knight, that we are beyond an age of consent, as he said on Second Reading. Consent is meaningless if you do not change the service on the other side of that consent. It is not simply about the bad things that happen. It is about abusing the entire data of a child when they are online. I hope that is helpful to put it back into scope of the Bill.

There may be some confusion now. I am not saying that children’s data is not important or that data protection for children is not important: clearly they are. However, the internet safety strategy addresses an overall, comprehensive range of measures that is about more than just data protection. We want to have a comprehensive strategy, which I am going to come to, to talk about safety. Nobody in their right mind is saying that we should not protect children, not only on the domestic front but internationally, as the noble Baroness, Lady Jay, said. Let me continue and I am sure all will become clear. If it does not, I am sure that the noble Baroness and others will cross-question me. If I have misunderstood what the noble Lord, Lord Knight, is getting at, I will look at Hansard and get back to him. I am sure we will come to this again.

We have a clear plan of action to raise the level of safety online for all users, as set out in the internet safety strategy. We are consulting on a new code of practice for the providers of online social media platforms, as required by the Digital Economy Act. That will set best practice for platform providers in offering adequate online protection policies, including minimum standards. Approaching the problem in this way as a safety matter, rather than a data protection matter, ensures we can tackle the problem while avoiding a debate over whether we are compliant with the GDPR. The internet safety strategy also outlines the Government’s promotion of “Think safety first” for online services. This will aim to educate and encourage new start-ups and developers to ensure that safety and privacy are built into their products from the design phase. Examples of this type of approach include having robust reporting mechanisms for users. We are looking at whether extra considerations should be in place on devices that are registered as being used by a child.

It is essential that we take a careful and considered approach to affecting the design standard of online services. Making overly complex or demanding requirements may result in negative consequences. Let me explain why. Amendments 18 and 19 essentially offer website operators a stark choice. Websites will need to either invest in upgrading standards and design or withdraw their services for use by under-16s. This is dangerous for the following reasons.

First, it could cause a displacement effect where children move to less popular platforms that would potentially not comply with such requirements—the noble Baroness, Lady Jay, talked about foreign sites. It is often more difficult to monitor these services and to ensure they have the basic protections that we expect from more legitimate sites. Platforms comply either because they are responsible or because they believe that the regulator will take enforcement action against them. Platforms hosted overseas may not always comply, because to do so would reduce the volume of users and potential monetisation, and the risk of enforcement action may be low.

Secondly, it is likely that young people, particularly those who already use these sites, may lie about their age to circumvent restrictions. This could have negative consequences for the prosecution of online grooming and underage sex: teenagers would be vulnerable to the assumption that they are over 16; adults could use this as a defence for their conduct; and sites may not be as accountable for the content that children are exposed to. This is not an imaginary problem. There have been cases of acquittal at trial, where men have had sexual relations with underage girls after meeting them on sites for over-18s only, using their presence on the site as a defence for believing them to be adults.

Thirdly, circumvention may be sought through the use of mechanisms to anonymise—I am having a problem with my pronunciation too—the use of the internet. Young people may adopt anonymising tools such as VPNs to access non-UK versions of the sites. This would make it more difficult for law enforcement to investigate, should they be exploited or subject to crime.

Fourthly, there is already in place a variety of legislation to safeguard children. Any change brought in through this Bill would have potential ramifications for other statutes. Altering how children make use of online service providers would need to be carefully worked through with law enforcement agencies to ensure that it did not damage the effectiveness of safeguarding vulnerable people.

Fifthly, these amendments do not just apply to social media services. A broad range of online services would be affected by this proposal, from media players to commerce sites. The kinds of services that would be caught by this amendment include many that develop content specifically for young people, including educational materials, not to mention the wider impact on digital skills if children are forced offline.

I move on now to more practical considerations. I am concerned that the amendments as drafted, while an elegant proposal, could serve to create confusion about what sites have to do. We know that the GDPR will apply from 25 May, and I am not convinced that this will allow enough time for the commissioner to consult on the guidance, prepare it, agree it and lay it before Parliament, and for companies to be compliant with it. Online service providers will need to adhere to the new requirements from May 2018, and may have existing customers that the new provisions will apply to. They will need some time to make any necessary changes in advance. Even with the transition period available in the amendment, this would lead to considerable uncertainty and confusion from online services about the rules they will have to follow come May. This could result in the problems that I have already laid out.

Finally, the Information Commissioner has raised a technical point. These amendments would apply only where consent is the lawful basis for processing data. Children also have access to online services where the data controller relies on a contractual basis or vital interests to offer services, rather than reliance on consent. Therefore, the amendments may have less reach than seems to be envisaged and are likely to lead to confusion as to which services the requirements apply to.

In summary, in spite of our appreciation of the aims of these amendments, we have concerns. They may prove dangerous to the online safety of children and young people. Creating unnecessary and isolated requirements runs the risk of being counterproductive to other work in this space. There needs to be some serious and detailed discussion on this before any changes are made. Furthermore, the technical and legal drafting of the amendments remains in question.

There is no doubt that further work needs to be done in the online safety space to ensure the robust and sustainable protection of our children and young people online. We have demonstrated commitment to this through the work on the internet safety strategy and the Digital Economy Act. We are working on these issues as a matter of priority, but strongly believe that it is better to address them as a whole rather than pursue them through the narrow lens of data protection. We need to work collaboratively with a wide range of stakeholders to ensure that we get the right approach. The noble Baroness, Lady Kidron, for example, was among those who attended the parliamentarians’ round table on the internet safety strategy, which she mentioned, hosted by the Secretary of State last week. We are engaged on this issue and are not pursuing the work behind locked doors. These specific amendments, however, are not the right course of action to take at this time.

My Lords, the Minister has just referred to the round table. He will recall that I mentioned in my remarks the issue of definitions and suicide sites that were raised during that round table last week. Can he tell the House any more about that?

I was not at the round table, and I am afraid that I would require some notice to answer that question. I am certainly happy to write to the Committee about that. I had not forgotten; I just do not have an answer.

Given the arguments that I have laid out, I would like to reassure the House that this issue remains high priority. The noble Lord, Lord Knight, asked whether GOV.UK’s Verify site could be used for age verification. Verify confirms identity against records held by mobile phone companies, HM Passport Office, the DVLA and credit agencies, so it is not designed for use by children. We will continue to work with interested parties to improve internet safety, but in a coherent and systematic way. For the moment, and in anticipation of further discussions, I ask the noble Baroness to withdraw her amendment.

I now move to Amendment 20A from the noble Lords, Lord Stevenson and Lord Kennedy, on the requirement for a review of Clause 8. Again, the Government agree with the spirit of this amendment in ensuring that the legislation we are creating offers the protections that we desire. However, there are a few issues that we would like to address.

First, it is government practice to review and report in cases of new legislation like this. Bringing about a mandatory report in this case is therefore unnecessary. Furthermore, prescribing the specific content of such a report at this stage is counterproductive. This is especially true given the complex and wide-ranging nature of child online safety and the work being conducted by the Government in this space.

Secondly, on timings, as noble Lords are aware, we must comply with the GDPR from 25 May next year, by which time the Bill must be passed. I am concerned, therefore, that to require a review to be published within 12 months of the Bill passing would not leave sufficient time to produce a meaningful report. Companies need the time to bring in new mechanisms to be compliant with the regulation. For data to be created and collected, time must be given for the sites to be tested and used following the new regulations. This will allow for the comparison of robust data and that which will reflect other work around online safety, which is still being developed. For those reasons, I ask the noble Lords not to press their amendments.

I do not think that the Minister answered the point made by my noble friend Lady Jay on extraterritoriality—a word that I know he will want to use. Also, before the noble Baroness, Lady Kidron, replies, the main thrust of the Minister’s points was that government action on a code and on the digital charter would take most of the issues away. He relied on that in terms of his main argument. But am I right in saying that the code that has been consulted on is voluntary and that there will be no statutory basis for the digital charter? I would be grateful if he could help us on those two points.

I am happy to confirm those two points. On extraterritoriality, I agree with the noble Baroness that it is difficult to control. Commercial sites are easier—an example of which is gambling. We can control the payments, so if they are commercial and cannot pay people, they may well lose their attractiveness. Of course, the only way to solve this is through international agreement, and the Government are working on that. Part of my point is that, if you drive children away to sites located abroad, there is a risk in that. The big, well-known sites are by and large responsible. They may not do what we want, but they will work with the Government. That is the thrust of our argument. We are working with the well-known companies and, by and large, they act responsibly, even if they do not do exactly what we want. As I say, however, we are working on that. The noble Baroness is right to say that, if we drive children on to less responsible sites based in jurisdictions with less sensible and acceptable regimes, that is a problem.

Could the Minister help me with any information he might have about when the GDPR was drawn up? It must have been envisaged when Article 8 was put together that some member states would go with something different—be it 13, 16, or whatever. The issue of foreign powers must have been thought about, as well as verifying age, parental consent, or the verification of parental identity to verify age. Article 8 just talks about having to have parental sign-off. These issues of verification and going off to foreign powers must have been thought about when the article was being put together in Europe. Does he have any advice on what they thought would be done about this problem?

I cannot give the noble Lord chapter and verse on what the European bureaucrats were thinking when they produced the article, but age verification is not really the issue on this one, because it is extremely difficult to verify ages below 18 anyway. Although one can get a driving licence at 17, it is at the age of 18 when you can have a credit card. As I say, the issue here is not age verification—rather, it is about how, when we make things too onerous, that has the potential to drive people away on to other sites which take their responsibilities less seriously. That was the point I was trying to make.

My Lords, the Minister was kind enough to respond to the point I sought to make about the extraterritorial nature of all this, which of course goes way beyond individual sites to corporate ownership, the issue that I am most concerned about. I am glad that the Government are having conversations with, or at least dealing with, what he describes as the most responsible players in this market. None the less, we are dealing with a global environment in which most countries, not just a few rogue countries, have a very different environment and understanding of the culture and nature of the regulation of broadcasting than we do in this country. We have had a very particular and sophisticated way of dealing with terrestrial broadcasting for several generations. The real problem lies in addressing how we can translate some of those values and regulatory formats into the global internet age.

I take that point completely. So that I get it right, it would be best if I write to the noble Baroness about what we are doing. I am afraid that I cannot recall whether it is the G8, the G20 or whatever. Ownership is obviously a key point as well, so I will write to the noble Baroness on those points.

I thank everyone who has contributed to this fantastically supportive debate with their very interesting comments. I am grateful to the Minister for saying that he is sure that we will return to this issue.

I am going to try to tackle a couple of points, but I do not have the organising skills with all my pieces of paper to pick up on what all noble Lords have said. I think there is a bit of a muddle in the Room about this approach, which is aimed deliberately at all data controllers. Those people who have for many years been designing with children in mind will have less far to go to meet the regulations than the people who have not been thinking about children at all. I am deliberately saying that it is a data question; I believe it to be one. This is not supposed to be in the gift of a few big companies; these amendments are supposed to deliver what children deserve and need in the digital environment. It is excellent that it is in a data environment, because it becomes a price of doing business. To the people who have misunderstood the point, we are saying that it will be unlawful to process data unless you provide these services—and, when that is the case, just watch the gold rush toward smart age verification. If children’s data is being processed unlawfully, we would expect there to be some sort of enforcement. I admit to the Minister that our amendment could perhaps do with a bit more work on enforcement and what that might look like.

Secondly, I want to make a point about resilience and education. I believe we are about to discuss education, which is an enormous component of online safety and resilience for children. But we must not make the mistake of thinking that children have to adapt to the needs of data controllers; it is data controllers who must meet the needs of children. That is what these amendments are about. I am absolutely committed to working with the Government, because all their public pronouncements on this subject are in that direction. We have to make it work, so that at least some of the work is done on the other side of the equation. I am unhappy about it being put in the context of getting a few big companies paying for some digital champions. In fact, I was very concerned that the Secretary of State chose to announce the internet safety strategy alongside Facebook, which has a programme it charges schools for that also teaches young people to be very good Facebook users. Before we get to that point, arm in arm with some of these people, we must first work out what our standards are. That is the role of this House. It may not be outsourced to Silicon Valley; that is not appropriate.

On data controllers raising the age, it is worth noting that nearly 3 billion people are online and one-third of them are under the age of 18. That is not a marginal group; that is a huge group. I find it hard to believe that data controllers will abandon that consumer group, just because we have asked them to behave a little better and be a little more moderate in the data they are taking. Again, regulatory compliance is a cost of doing business. Every business has it; this is just another example. I want to discuss this issue with the noble Baroness, Lady Howe, and write to her. She made some excellent points; some of them were perhaps on the misunderstanding of whether such compliance was for everybody or just some sites. I absolutely support her on the question of evidence and evidence-based legislation in this area; I do an immense amount of research work with children and academics. I agree with her, and will write to her in detail because her points were so specific.

Finally, I hope that the Minister, Matt Hancock, will forgive me for quoting him one more time. He said that the Bill’s purpose was to give,

“consumers confidence that Britain's data rules are fit for the digital age in which we live”.

I do not think that having millions of young kids in the United Kingdom treated as adults is a fit outcome for the digital age. I welcome the noble Lord’s clear sign that he is willing to talk to us. I will definitely be doing that. I hope he will also show me his legal opinion, as well as wanting to see mine. With that, I beg leave to withdraw the amendment.

Amendment 18 withdrawn.

Clause 8 agreed.

Amendment 19 not moved.

Amendment 20

Moved by

20: After Clause 8, insert the following new Clause—

“Education for children of school age relating to the rights of data subjects

(1) Upon the passing of this Act, the Secretary of State must make arrangements for all children of school age to receive education relating to the rights of data subjects, appropriate to their age.(2) For the purposes of subsection (1) “the rights of data subjects” must include—(a) rights under this Act and other Acts and Regulations relating to data protection and privacy,(b) security of personal data, and(c) other matters related to the understanding and exercise of rights under this Act and other Acts and Regulations relating to data protection.”

My Lords, the second pillar of protection of children and young people is education. In my view, that would be achieved through personal, social and health education. The noble Baroness, Lady Massey, has championed this issue for as long as I have been in the House of Lords.

One of the sad casualties of the last general election was the then Schools Minister, Edward Timpson, who was very keen that not only relationship and sex education would become a compulsory part of the curriculum, but PSHE would be part of the curriculum of all schools. Indeed, last year I asked an Oral Question on the subject. The then education Whip, now the Leader of the House, the noble Baroness, Lady Evans, said she thought it important that PSHE is taught in schools. Sadly, she missed two little words: in “all” schools and for “all” children. That has been the nagging issue. It is a question of not just having the subject, but ensuring it is taught in all schools, whether academies, free schools, independent schools or whatever, for the well-being of all our children.

On 24 October 2017 the Education Select Committee published the Government’s response to the joint report by the Education and Health Committees, Children and Young People’s Mental Health—the Role of Education. In response to the recommendation that,

“schools should include education on social media as part of PSHE, including educating children on how to assess and manage the risks of social media and providing them with the skills and ability to make wiser and more informed choices about their use of social media”,

the Government responded:

“All young people should have access to a curriculum that ensures they are prepared for adult life in modern Britain. Personal, Social, Health and Economic education … Relationships Education, and Relationships and Sex Education … help to provide pupils with the key knowledge and skills to ensure that they can keep themselves safe, develop healthy and positive relationships, maintain good mental health, build resilience and successfully navigate the changing world in which they are growing up”.

The Children and Social Work Act 2017 gives the Secretary of State the power to make PSHE or elements therein mandatory, subject to careful consideration. It has also given a duty to the Secretary of State to make relationships education in primary and relationships and sex education in secondary mandatory in all schools. The department will be conducting a thorough and wide-ranging engagement process on the scope and content of these subjects, considering school practice and quality of delivery to determine the content of the regulations and statutory guidance. Sadly, that consultation has slipped further behind the promised date originally given.

The Government response continues:

“The engagement process will seek evidence from schools and teachers, parents and pupils; experts in safeguarding and child wellbeing; subject experts; voluntary organisations and other interested parties; and other government departments and public sector bodies. This will consider what should be taught at a high-level whilst maintaining flexibility for schools in how best to deliver these subjects as part of a broad and balanced curriculum. We will set out more details in due course about the engagement process and the work to consider age appropriate subject content”.

This looks very much like kicking a very important can a long way down the road. As I have said, we have waited so long for government to act on these matters, yet we are caught up in the sorts of processes which Governments seem to want. As yet, we have no commitment from the Government that the Secretary of State will use the power to make PSHE a statutory subject.

It is not just the Education Select Committee which says these things. The House of Lords Communications Committee called in its Growing Up with the Internet inquiry report for the rollout of an ambitious programme of digital literacy training which would feature in a statutory PSHE curriculum. Encouragingly, the Government’s own internet safety strategy Green Paper states that they will “carefully consider” whether to introduce statutory PSHE.

We are therefore at an important time. By agreeing this amendment, we can ensure that PSHE will be the vehicle by which these issues can be taught to all children in all schools. I hope that when we come to Report the Minister will be able to report that that will be the case. I beg to move.

My Lords, does the Minister agree with the noble Lord, Lord Storey, that PSHE would be the most appropriate way to educate young people about data rights? If so, I note that the Secretary of State, Justine Greening, has today announced that Ian Bauckham will lead the review on how relationship and sex education for the 21st century will be delivered. Can the Minister, who is clearly prepared to think about this appointment today, ask whether it is within his scope to think about how data rights education may be delivered as part of that review, and whether the review will draw on the work of the previous person who reviewed the delivery of PSHE, Sir Alasdair Macdonald, the last time Parliament thought that compulsory SRE was a good idea?

I support the amendment. I was on the House of Lords Communications Committee, to which the noble Lord just referred. We recommended that digital literacy be given the same status as reading, writing and arithmetic. We set out an argument for a single cross-curricular framework of digital competencies—evidence-based, taught by trained teachers—in all schools whatever their legal status.

At Second Reading, several noble Lords referred to data as the new oil. I have been thinking about it since: I am not so certain. Oil may one day run out; data is infinite. What I think we can agree is that understanding how data is gathered, used and stored, and, most particularly, how it can be harnessed to manipulate both your behaviour and your digital identity, is a core competency for a 21st-century child. While I agree with the noble Lord that the best outcome would be a single, overarching literacy strategy, this amendment would go some small way towards that.

My Lords, I add my voice to that of the noble Baroness, Lady Kidron. President Clinton memorably said that the first step in solving a problem is recognising there is one. If anyone does not believe there is one, we rehearsed some of it in the previous debate; I would also advise them to watch two very recent TED Talks by Zeynep Tufekci and Sam Harris. If, having seen these, they can convince themselves there is not a serious and urgent problem, then their judgment is very different from mine.

I will speak for a couple of moments on this because I regard it as a very significant issue. Karl Marx—who knew a thing or two—said that if you change the dominant mode of production that underpins a society, the social and political structure will change, too. I believe we have changed the fundamental mode of production that underpins society. It is now called digital. We have to address that and we are not addressing it anything like seriously enough. There are two issues I would like to raise, and if there is a note of frustration in my voice, I apologise.

In 2003, through very torturous processes in this House, we managed to persuade the then Labour Government to impose a duty on Ofcom—and I spend most of my life defending Ofcom—which was very clear; it was laid out by the noble Baroness, Lady Jay, at Second Reading. Ofcom was given the specific duty of promoting media literacy. The wording was that Ofcom was required,

“to bring about, or to encourage others to bring about, a better public understanding of the nature and characteristics of material published by means of the electronic media”,


“to bring about, or to encourage others to bring about, a better public awareness and understanding of the processes by which such material is selected, or made available, for publication by such means”.

Fifteen years later, in respect of these duties, Ofcom has wholly failed. By taking a very narrow, technical view of its responsibility, it has done almost nothing to promote notions of digital literacy in the electronic media. If we are not careful, the same will happen in the digital world. The noble Baroness, Lady Lane-Fox, used a much better phrase than “digital literacy”. She used the phrase “digital understanding” in a recent debate in your Lordships’ House. That is really what this is about.

To emphasise something that the noble Baroness, Lady Kidron, said, this is all about data. Ten days ago in Los Angeles, Lachlan Murdoch—who I think also knows a thing or two about this business—said the following:

“We’re in the beginning of an incredible transformation … we’re in the first months of something that will have a multi-decade life and future. Businesses that have large data sets and robust data sets will be the companies that win in the future”.

Every company in Silicon Valley and every communications company in the world knows that. This is why this is such a fundamental issue.

To my delight and surprise, the Italians appear to have picked up on this. In the New York Times of 18 October there is a long piece about a new law that was passed on 31 October by the Italian parliament that entirely acknowledges that young people have to have a far greater understanding of the modes of information, the nature of information and the ramifications of information than is presently the case. Some 8,000 schools in Italy are now receiving instructions on how to get across to children the seriousness and importance of, first, the manner in which they give and use their data and, secondly, the means by which they are informed.

Finally, in a very recent book Move Fast and Break Things by Jonathan Taplin, a man I happen to know, he says:

“Part of our role as citizens is to look more closely at the media surrounding us, think critically about its effects, and whose agenda is being promoted”.

I put it to your Lordships that every single front page of every newspaper over the past four months has made this extraordinarily evident. In the words of the noble Baroness, Lady Lane-Fox, we are “sleepwalking” into a situation over which we have little control and of which the companies that do have control are not taking sufficient notice. As proved by the Communications Act 2003, you can crunch out the best possible wording and it is still possible for that wording to have absolutely no lasting effect on society as a whole.

My Lords, my name is also on this amendment. It is a great pleasure to follow the noble Lord, Lord Puttnam, who has championed these issues for 20 years or more. It is worth while having a reality check for ourselves. One of the good things about the House of Lords is a certain continuity. I was in this House for the Data Protection Act 1998, which we are now reviewing, and for the Communications Act to which the noble Lord, Lord Puttnam, referred, and I served on his committee. We had no idea what revolution was coming our way. Indeed, in the Communications Committee, we were asked not to look at the internet; it was for the future. If we think about what has happened in those 20 years, what on earth is going to happen in the next 20, when we are reliably told we are on the verge of a fourth industrial revolution driven by data?

We were quietly asked by the noble Baroness, Lady Kidron, not to include this amendment in the previous group in case the whole thing became hijacked by a debate about education, and she was shrewd in that, but it was useful that she pointed out—I love this point—that data literacy should be as important as the three Rs as a core competency for the 21st-century child. If we are going to achieve that, we have to get out of the silo mentality: “It’s not our job, it’s the Information Commissioner’s job”; “It’s the Department for Education’s job”; “It’s DCMS’s job”. Somebody has to take responsibility for what we are saying because it is one of the great challenges.

There is a danger, particularly in a House of this age group, that we overestimate the capacity of the young. We all have our anecdotes about our grandchildren or our children being able to work the gadgets that we cannot work, but that does not mean that they have the competence or the maturity to make proper rational, responsible decisions about some of the factors that come within their ambit with this new technology. My noble friend Lord Storey referred earlier to a story in today’s paper about the increase in sexting among young children. We also know the extent of cyberbullying that goes on between children and about the naivety of children in being willing to reveal personal information online. Navigating the digital world is very complex.

The noble Lord, Lord Lexden, is in his place, and I am always worried about quoting history, but when the reform Act was passed in 1867, somebody said, “We now must educate our masters”, and that brought about the Elementary Education Act 1870. Nobody can now be in any doubt about the enormity of the task of preparing the whole population, but especially our children, to handle the new powers that are coming down the track at us. Educating for digital is one of the most important tasks facing us. I enjoyed and appreciated the way the noble Baroness, Lady Kidron, delivered her amendments. She made the point that that education is not to make this generation of children able to fit into the needs of Silicon Valley; it is to give them the power to make sure that Silicon Valley responds to their needs as citizens. That is the task that this amendment is trying to promote.

My Lords, I will speak briefly to support this amendment and particularly what the noble Lord, Lord McNally, has just said. We are asking our children to take on a whole set of responsibilities for which we, let alone they, are not prepared. The social consequences of social media and how to handle them produce enormous stresses on friendship. As for where this amendment is directed, there are also the consequences for children in the way their data are gathered and used, which we do not understand. The House of Lords can now track where each of us was geographically over the last month. It is all on our phones. A complete record is kept unless you happen to have turned it off. When did we give permission for that? If we cannot handle it, how can we expect our children to be able to handle it?

It is also quite clear that the sort of middle-range teenagers—14 and 15 year-olds, boys in particular—are living in a world of extreme pornography, in quality and content, that is quite unprecedented. What effects we can expect that to have on relationships between the genders when they get through to university and life afterwards I do not know. We cannot abrogate our responsibility to make sure that children are looked after properly and that we are not exposing them to amoral companies—I am not aware that any of these companies have a deep moral sense, whatever they may claim. We entrust their upbringing and education to that, but we care very much about their mental health, their sense of society, their sense of relationship to each other and the qualities that they will bring to the world as young people. We ought to be doing something about it in schools. We probably need a bit of thought as to what that should be, but we absolutely should not be doing nothing.

My Lords, I am very sorry for interrupting the noble Lord, Lord McNally, as what he had to say was very apposite and appropriate. I thought at one stage that he was going to say that he had been around for the passing of the first reform Act as well as everything else he was talking about, but I must have misheard him.

This has been a good debate, which has tended to range rather widely, mainly because it is so important we get this right. I confidently expect the Minister to respond by saying that this is a very good idea but he lacks the power to be able to give any response one way or another because it lies in the hands of one of his noble friends. That of course is the problem here, that we have another linked issue. Whitehall is useless at trying to take a broader issue that arises in one area and apply it in another. Education seems to be one of the worst departments in that respect. I mean that, as it has come up time and again: good ideas about how we need to radicalise our curriculum never get implemented because there seems to be an innate inability in the department to go along with it. It may well be that the changes to the structure of education in recent years have something to do with that. It is good to see in the second line of this amendment that this would apply to “all children” irrespective of the type of school or type of organisational structure that school is in, so that it applies to everyone. We support that.

However, two worries remain that still need to be looked at very hard, and the noble Lord who just spoke was on the point here. Do we have the skills in the schools to teach to the level of understanding that we are talking about? I suspect that we do not. If so, what are we going to do about that? Thirdly, I suspect that our kids are way ahead of us on this. They have already moved across into a knowledge and understanding of this technology that we cannot possibly match. Teaching them to go back to basics, as has been the case in previous restructuring of the curriculum, is not the right way. We need a radical rethink of the overall curriculum, something which is urgent and pressing. It is raised, interestingly enough, in a number of publications that are now appearing around the industrial strategy. If we do not get this right, we will never have a strategy for our industries that will resolve all the issues we have with improving productivity. I hope the Minister will take this away.

My Lords, I am grateful to the noble Lord, Lord Storey, whose long experience in education I acknowledge, and to all noble Lords who have contributed. I could not agree more about the importance of children and young people fully understanding how their data is collected, stored and used. That is why the Government have already taken steps to ensure that key aspects of data protection are taught in maintained schools. In 2014 we established a new and more rigorous national computing curriculum covering ages five to 16. It is compulsory in maintained schools in England and sets an ambitious benchmark that autonomous academies and free schools can use and improve on.

The new computing curriculum was developed by industry experts and includes safety, which helps to give children the tools that they need to make sensible choices online. I say to the noble Lord, Lord Puttnam, and my noble friend Lord Lucas that they were a bit pessimistic about what we are doing; we are certainly not doing nothing, as my noble friend implied. Children are taught how to use technology safely, respectfully and responsibly; how to recognise unacceptable behaviour; and how to report concerns about content and contact. Importantly, the curriculum also includes keeping personal information private and protecting their online identity and privacy, both of which are important parts of data protection. All schools can choose to teach children about data collection, storage and usage as part of these topics.

I also say to the noble Lord, Lord Puttnam, that the digital economy is actually not doing too badly; it is growing at twice the rate of the rest of the economy. The Government are spending to improve skills at all levels, including at PhD level, to prevent social exclusion. So we get the issues that he is talking about, and in my answer to the debate of the noble Baroness, Lady Lane-Fox, I outlined some of the things that we are doing.

I accept entirely that the economic drivers for the digital economy are being handled quite well. I am suggesting that the societal end of that debate is not keeping pace with the commercial and that, if we allow too great a disconnect to occur between societal impacts and commercial success, we will reap a very unfortunate harvest. The Minister was good enough to see me last week, together with an official from the Department for Education. I am not pretending for a moment that nothing is being done, but I am suggesting that there is nothing like enough urgency in trying to correct the societal aspects of this issue.

I take that point. I also understand the difference that the noble Baroness, Lady Lane-Fox, highlighted between digital skills and digital understanding, and we need to address that. One of the issues that the data ethics body is going to look at is how society deals with these technical problems, albeit that they are changing incredibly fast.

I have talked about younger pupils. Older pupils are also taught citizenship as part of the national curriculum. That equips pupils to take their place in society as active and responsible citizens, including providing them with the knowledge and skills that they need to think critically and to research and interrogate evidence. These vital skills help our children understand how their data can be used and why data protection is important.

Amendment 20 would require the Secretary of State for Education to make changes to the current maintained schools national curriculum, and would create new requirements for independent schools and academies. In our view, now is not the time to make further changes to these subjects. We need to allow schools to fully embed the new curriculum in order to provide a period of stability for schools so that they can focus on ensuring that pupils are taught this new curriculum well, including the new aspects on data protection.

Having said that, we are not complacent. We realise that companies’ use of data in the online world is increasingly complex and that we need to support children to understand that. The changes introduced in the Children and Social Work Act 2017 represent a step change in education on online safety. For the first time it will be compulsory for all primary-aged children at school in England to be taught relationships education, and all secondary-school children will be taught relationships and sex education. In addition, we will carefully consider whether also to make personal, social, health and economic education compulsory in all schools.

The noble Lord, Lord Knight, took my lines to a certain extent. I was going to confirm that the Department for Education confirmed today that it has begun its engagement with stakeholders. This is a point that has come up before: that will help it reach evidence-based decisions on the content. I can tell the noble Lord that the head teacher who is running it will advise the Department for Education on what will be included in relationships and sex education and PSHE, whether it should be compulsory and, if so, what content may be included. It will be live to online issues and include what children need to know to be safe online, beyond what is already in the computing curriculum.

The Government will ensure that these new compulsory subjects in England address the challenges experienced by young people online and are seeking views to work out exactly what this should cover and how best to do so. The Department for Education will support schools to ensure that content is pitched at the right level for each school year and builds knowledge as children grow up. Engagement and consultation will help us to get the detail right.

My department, DCMS, and the Department for Education are working together on the online safety aspects of these subjects. We will work with partners, including social media and technology companies, subject experts, law enforcement—

I thank the Minister for giving way. Is he suggesting that the aim should be to adapt children to the realities of the online world and the internet service providers, rather than to adapt the providers to the needs of children?

I am not an expert on education, but I do not think that “adapting” children is a recognised educational aspiration. We are trying to make children aware of the issues involved in the online world. We all accept that they are technically skilful, but they may not have the maturity to make the right decisions at certain times in their lives. As I said, we are trying to pitch it so that, as children develop, they are introduced to different things along the way. I hope that that answers the noble Baroness.

We are working with social media and technology companies, subject experts, law enforcement, English schools and teaching bodies to ensure these subjects are up to date with how children and young people access content online and the risks they face. We will also consider how best to support schools in the delivery of these new subjects. It is important to note that education on data processing does not exist in a vacuum but is viewed as a part of a wider programme of digital learning being promoted to improve user awareness of online safety and build digital capability. As such, we think that legislation focusing solely on data processing would risk detracting from the broader issues being tackled.

I am grateful to noble Lords for their amendment: it has prompted an interesting debate and raised issues which have gone beyond data protection, on which of course we are concentrating in the Bill. I hope that I have reassured the noble Lord that the Government take the issue of educating young people seriously, particularly in data protection matters. Not only do they already feature in the curriculum but we are considering how we might strengthen this teaching as a key part of our wider online safety work. With that reassurance, I hope that the noble Lord will feel able to withdraw the amendment.

I am very grateful for the Minister’s helpful reply and to noble Lords who have contributed to this debate. I do not particularly like the phrase “digital literacy”: I much prefer “digital understanding”. I always understood that the fourth “r” was religion, so perhaps, with a small “r”, this is a religion for some of these large tech companies.

I can accept everything the Minister said, with the exception of two points. He said that these things are happening in the maintained sector. However, over 70% of our secondary schools are no longer in the maintained sector and they can choose whether or not to follow the programmes that he has suggested. Free schools are also increasing in number and, again, they do not have to take any part in this activity if they do not want to.

I agree with the Minister that this is not a discrete package where you tick the box when you have done it. It has to be part of a wider programme which goes through all aspects of learning. I also agree with the noble Lord, Lord Stevenson, who raised the question of whether we have the skills in our schools. It is not just digital issues: we do not have teachers for A-level maths or physics but we do not stop doing maths or physics. This might ensure that we actually started training teachers to work in this area.

I am grateful for the Minister’s helpful reply and look forward to considering this again on Report. I beg leave to withdraw the amendment.

Amendment 20 withdrawn.

Amendment 20A not moved.

Clause 9: Special categories of personal data and criminal convictions etc data

Amendment 21 not moved.

House resumed.