Motion to Approve
That the Paper laid before the House on 14 December 2017 be approved.
My Lords, the Digital Economy Act introduced the requirement for commercial providers of online pornography to have robust age-verification controls in place to prevent children and young people under the age of 18 accessing pornographic material. Before considering the specific points related to this debate, I want to remind the House why we introduced this requirement.
In the offline world, there are strict rules to prevent children accessing adult content, but the same is not true in the online world. A large amount of pornography is available on the internet in the UK for free, with little or no protection to ensure that those accessing it are old enough to do so. This is changing the way young people understand healthy relationships, sex and consent. A 2016 report commissioned by the Children’s Commissioner and the NSPCC makes this clear: over half of the children sampled had been exposed to online pornography by the age of 15; nearly half of boys thought pornography was “realistic”; and just under half wished to emulate what they had seen. The introduction of a requirement for age-verification controls is a bold step to tackle these issues and it demonstrates our commitment to making the UK the safest place in the world to be online.
Section 16 of the Digital Economy Act states that the Secretary of State may designate by notice the age-verification regulator, and may specify which functions under the Act the age-verification regulator should hold. I am therefore seeking this House’s approval to designate the British Board of Film Classification as the age-verification regulator. We believe that the BBFC is best placed to carry out this important role, because it has unparalleled expertise in this area.
The BBFC has been classifying films for cinema release since 1912 and video content since 1984. In doing so, it has established a trusted reputation for making difficult editorial judgments and giving consumers, particularly parents and children, clear information about age-appropriate content. Importantly, the BBFC is currently responsible for classifying adult material for sale offline, including judging when content should be rated R18 and therefore available for sale only in licensed sex shops. Moreover, the BBFC understands how new technology is changing the way people access content. It provides the current framework for filtering content on mobile networks, which has been highly successful in preventing children accessing pornography on their mobile phones.
It is clear, therefore, that the BBFC is the only organisation in the UK with the breadth of experience and expertise required to undertake the role of age-verification regulator. In this role, the BBFC will be responsible for identifying non-compliant websites and giving notice to the appropriate persons. Draft regulations defining who will be in scope were published alongside the then Digital Economy Bill. We expect to lay an updated draft before the House shortly. The particulars of the proposed designation set out the powers that the BBFC will be designated with to carry out this role; namely, the power to request information it requires in order to exercise its powers; the power to issue civil proceedings against non-compliant persons; the power to give notice to payment service providers or ancillary service providers to suspend their services to non-compliant persons; the power to direct internet service providers to block access to non-compliant material; and the freedom to exercise its powers proportionately and in a manner that prioritises child safety online.
In addition, there is an obligation on the BBFC to issue guidance on the age-verification arrangements that it will treat as compliant and the approach it will take to ancillary service providers. Following designation, this guidance will be laid before the House for approval. We are confident that, taken together, this approach gives the BBFC a range of powers that will provide a real incentive for pornography providers to comply with the requirements under the Digital Economy Act. I am pleased to report that the BBFC has engaged openly and constructively with DCMS from the beginning of this process and has made extensive preparations for the role, including developing the technical expertise and processes that will be necessary. It has undertaken engagement with relevant organisations, including representatives of the adult industry and the age-verification industry. In particular, it has established a charity working group to ensure that its approach is in line with child online safety goals.
In conclusion, we believe that the BBFC has the right attributes and experience to carry out the role of age-verification regulator. It is a highly respected organisation with unparalleled expertise in classifying content. I have every confidence in recommending it to the House as the age-verification regulator for online pornography. I beg to move.
My Lords, I have no great argument with the particulars and the designation of the BBFC as the age-verification regulator. Indeed, we had some debates on this. I know that we may have some differences with the Labour Front Bench, but we think that the BBFC is fit for this particular purpose and will carry out the job effectively. Conversations we have had have convinced us of that. Another aspect that is beginning to be unpacked is the appeals system. Although of course we put down amendments on the question of the independence of the age-verification regulator, we think that the appeals system being set up, which is qualified in the Act—we would have preferred it not to be qualified—will be fit for purpose as well.
I want to revert to something that may strike both the Minister and Members on the Labour Front Bench as rather déjà vu: the question of the specification of the type of age verification that is required, or not, by the age-verification regulator. When we talked about this issue in Committee—indeed, amendments on it were laid on 2 February 2017 in Committee and on 20 March on Report; my noble friend Lord Paddick had a particular role in that—we were very concerned on both occasions that the age-verification methods were not going to be specified in enough detail in the Bill. It did not appear that they would be specified in any great detail in the draft guidance.
Flash forward a year and I am afraid that nothing has changed. The Minister may remember that, back in January, the Select Committee on the Constitution said:
“We are concerned that the extent to which the Bill leaves the details of the age-verification regime to guidance and guidelines to be published by the as yet-to-be-designated regulator adversely affects the ability of the House effectively to scrutinise this legislation”.
We have not moved on a great deal. If we look at the details of what I have found—which appears to be the up-to-date draft of the government guidance on the age-verification regulator—under chapter 3, paragraph 4, there is this statement:
“The regulator is not required to approve individual age-verification solutions. There are various ways to age-verify online and the industry is developing at pace. Providers are innovating and providing choice to consumers”.
That is exactly the same wording as in the draft guidance last year and quoted by my noble friend Lord Paddick on 20 March. That is extremely disappointing. It appears that the age-verification regulator will play an incredibly light-touch role in the approval of the type of age-verification that takes place.
Of course, later in chapter 3—which is headed “Age-verification arrangements”—it describes,
“the expectation that age-verification services and online pornography providers should take a privacy by design approach as recommended by the ICO”.
I have the privacy by design guidance from the ICO in front of me and I must say, if I was an age-verification provider, I would not find it particularly onerous, in terms of requiring me to try to find an anonymised age-verification solution. I find the Government’s guidance, as per Section 27 of the Act, extremely disappointing. I very much hope that the Minister can explain whether the ICO will have a role in this, what the impact of privacy by design is, in terms of enforcement, and whether the ICO will have the ability to impose a privacy impact assessment—or even a data impact assessment—on the object of the age-verification regulator’s regulation. Perhaps at the same time the Minister can explain in this particular space the boundary between what the ICO is empowered to do and what the age-verification regulator will be doing.
I am sorry to have to be disappointing in that respect, but I think that as part of the wider landscape—a matter we discussed last year—where we have got to is not particularly satisfactory if the general purpose of the age-verification regulator is to make sure that age-verification really works and that there is not the access for young people to these pornography sites that the Act was designed to prevent.
My Lords, I want to say a few words. I was quite involved in this issue when it was going through as part of our consideration of the Digital Economy Act. The Digital Policy Alliance, of which I am chairman, has had a working group on age verification for several years, looking at whether there are available solutions and encouraging people to develop them. I am pleased to tell the noble Lord, Lord Clement-Jones, that there are some solutions out there. I will explain something about that.
The only thing I want to say is that the Act received Royal Assent on 28 April, I think, so it has taken a very long time to get this guidance in place. That is a bit of a worry and a bit of a disappointment. I seem to remember that there was an intention to try to have enforcement within a year, otherwise there would be a huge great gap in the meantime. We are trying to protect children after all; that was the whole point of this. Waiting for a year—it will probably now be longer—is an awfully long time not to have protection in place.
I am very glad that the BBFC is finally about to get some teeth, get into operation and do something about this, which I am sure it will do extremely well. I know that it has been consulting an awful lot with a lot of different people from all the different sides, from child protection right through to the adult industry. The interesting thing is that quite a lot of the adult industry is happy to help and to co-operate, because it does not want children wasting its time. It is not in the job of trying to pervert children, but of trying to sell adult content to adults, so it is willing to co-operate. The world is watching. There is apparently now a willingness to realise that this will happen and to co-operate to a large extent.
The noble Lord, Lord Clement-Jones, has put his finger on the point about age-verification methods: they have to work and to do various things. I say to him, though, that there is a difference between the bit that is checking the attribute—the age—and the bit about privacy, which is not identifying who the person is to a website and to a casual visitor to that website. It would be career-limiting were it to be found out that the noble Lord himself was visiting an adult content site, even though it would be totally legal for him to do so. Therefore, it is important to ensure that privacy happens at that point, which is the ICO’s part. It is not the ICO’s job to say how age verification should be done. That is a different job.
In fact, we have developed, along with the British Standards Institution, a publicly available specification, PAS 1296, which should be coming out quite soon. It has been around the houses several times and has been revised. That should allow it to be possible for an organisation to see for itself how well it is doing. It might be that an industry body should be set up that can check whether age-verification providers are doing something in alignment with the PAS, which goes into great detail about how you can do these things and make sure that it can be privacy enforcing. The privacy side is left up to the GDPR, but it is mentioned in there as well.
Those are the main points that I wanted to make. It is time to get on with this. It is a huge leap forward. As I said, the world is watching. A whole lot of good will is out there to get this done properly. I look forward to seeing the final draft regulations, which will probably do the job.
My Lords, are we not back in familiar territory? We seem to spend a lot of time on these important issues, first on the Digital Economy Act, then substantial work, discussion, debate and thinking in the debates on the Data Protection Bill. I will disappoint the noble Lord, Lord Clement-Jones, by agreeing with most of what he said. He has a good point about where the boundaries between privacy and the processes described in the Digital Economy Act come to bear. There is room for a variety of approaches here. This is not an easy issue to address. I am not going to go back over the ground he covered—I look forward to hearing what the Minister will say about that—so I will go into some constitutional issues.
I have two general questions that might be important as we continue with this. One was touched on by the noble Earl, Lord Erroll, in his concluding remarks. Is it not the case that, when the Data Protection Bill, which brings in the GDPR, becomes an Act in May, we have inserted into it a requirement that those who operate on data subjects’ information relating to age have to do so in a way that is age-appropriate, otherwise the design has to change? In a sense, is this not the other half of the equation about blocking those who provide material by requiring those who are preparing and disseminating material to have it in a way that will not lead to the problems that were discussed so graphically about what happens to children, who we want to protect, who stumble across material that should be behind an age-verification system? In that sense, age-verification seems to be a bit like shutting doors after horses have bolted. We have to get the design right. If it is right, there will be no such question about people stumbling on to things, because if they go through an ISP or any form of social media provision, such as Facebook and similar arrangements, their progress would be age-designed and could be managed that way. Can the Minister reflect on that? He may well argue that this is the sort of thing that needs to be addressed by a yet to be established data ethics commission. He would probably be right.
This leads on to my second point. There were quite a lot of unfinished strands to the debate when we discussed these issues during the passage of the Digital Economy Act. I am sure that the noble Lord, Lord Clement-Jones, will agree with this point. We still have a problem in being certain about where the boundary will be between commercial and non-commercial services. We also have a difficulty on the question of extreme pornography. The working assumption is that we are talking about material that is operated commercially but not on a personal basis and that it is illegal for that material to be made available through the processes that are being arranged. We were also told that that needed further work and that the department would be carrying out a consultation and would report at a later stage. The easy question is: how is that going? Do we have any timescales? Do not say “soon”, please. The more difficult question is: how does that all fit together in trying to have a comprehensive package? I do not necessarily expect a full answer, but it is something to mark for future debate and discussion.
Those are my general questions, but I have two particular questions for the noble Lord. I still argue, and I will continue to argue, that it is not appropriate for the Government to give statutory powers to a body that is essentially a private company. The BBFC is, as I have said before—I do not want to go into any detail—a company limited by guarantee. It is therefore a profit-seeking organisation. It is not a charity or body that is there for the public good. It was set up purely as a protectionist measure to try to make sure that people responsible for producing films that were covered by a licensing regime in local authorities that was aggressive towards certain types of films—it was variable and therefore not good for business—could be protected by a system that was largely undertaken voluntarily. It was run by the motion picture production industry for itself.
Out of that has come statutory responsibilities for video and DVDs. It is interesting that the BBFC has continued to operate in the film world without any statutory authority, although it is often regarded as having it. We are building a problem for some future date if we do not try to address this issue and make sense of what is obviously a good thing to happen: the classification for information purposes of material that might be come across by people seeking to watch films or videos, whether in theatres or online. That is an important function that I will defend, but if it is that important it should be done by the Government, not by a private company under licence. That would just build up difficulties.
To take a very simple example, the organisation and structure of the BBFC is not what you would find if it had been established under royal charter as a body operating in the public interest. It has an operation split between functions that face towards consumers and a council and management for which details are obscure. A company that made £1.3 million profit last year, and which has reserves of £14 million, is obviously in a different category from that which would operate in the public interest. Ultimately, the processes that the Government are saying have attracted them to appointing it are, because it is singular, not necessarily the ones that one can see in place. It is true that it consults on its guidance, but it does so in a relatively infrequent way that could be looked at differently. Although it has some responsibilities, it does not have a way to engage with the education sector, which might be more appropriate if the organisation responsible for this was in government. We all know that education is key to how people should be taught things that they should be aware of before they go to see products. That is my general concern, which I have expressed before. I do not need a full response today but I am glad it is on the record again that there are concerns about it.
The second point here, which was touched on by the noble Lord, Lord Clement-Jones, is that I still worry about the question of appeals in relation to this new age-verification system. In the Digital Economy Bill we applied considerable pressure to try to get a separate regulator appointed as the appeals body; indeed, we suggested that Ofcom would be appropriate for that. That was not successful at the time, and now we have a situation where the BBFC is the organisation of first instance but also the body for appeals. In the document before us there is considerable detail about how it will do that. I do not object to the way that that is proceeding, but I do not think it is right that the body is both judge and jury in its own case. For films, there is already an appeals system against the BBFC’s classifications but it comes under local authorities, and it is outside the control of the BBFC to run it. For videos, the independent Video Appeals Committee had a long and distinguished presence, before video disappeared, in relation to the decisions that it made. So the body itself already accepts in some senses that it should not be both the first-instance court and the appeals court, but that is not the way that the Government are going. I look forward to hearing the Minister’s response.
My Lords, I am grateful to the noble Lords, Lord Stevenson and Lord Clement-Jones. There is a sense of déjà vu from the Digital Economy Act; we are continuing some of the discussions that we had then, and I am happy to do so. However, it is important to bear in mind what we are doing today, which is designating the BBFC. I hope we will come to other issues in the coming weeks. I will get into the definition of “soon” later.
I apologise for interrupting the Minister. Perhaps he can explain why we are not doing this all in one fell swoop. It seems rather bitty. The draft guidance seems to be on the web, and certainly it seems to be all there, so why are we not trying to deal with this in a holistic way?
The answer is that until the regulator is designated, it cannot issue guidance.
My Lords, I was thinking of the government guidance.
We have the government guidance that the Secretary of State has issued. The important issue, which I was going to come to in answering the noble Lord’s question, is that this is a series of steps that involves consultation and then issuing guidance. Until the regulator is designated, it cannot begin to consult or issue guidance. It is a sequential process. There is no question that we want to get on with this; we are not trying to delay it. We are conscious that this needs to be done as soon as possible, and I will come to the steps that might explain that further.
The noble Lord, Lord Clement-Jones, was asking about how the system is going to operate and the level of detail. As I said, the Secretary of State’s guidance to the regulator is there for as and when it is designated, but then the regulator is required to publish its guidance on the age-verification arrangements that it will treat as compliant. So, as I was saying, once the BBFC has been designated, that draft guidance will be laid before Parliament. The noble Lord will be able to raise his objections or queries then, when he has seen the guidance that the regulator itself has made. Until that happens, it cannot either consult or lay the guidance. Parliament can then scrutinise it. That will involve the affirmative procedure in both Houses, so that will be an appropriate point to debate the issues.
We have absolutely understood the need for things like privacy. We understand that it is important to outline those issues and priorities in the Secretary of State’s guidance to the regulator, as and when it is designated. It is then up to the regulator to get into the detail of what it will consider compliant. There is no question that it will choose a particular method. It will set criteria. There will not just be one system, for example; it will make sure that its criteria are clear in the guidance. As I say, we will have a chance to debate that.
The noble Earl, Lord Erroll, talked about when the powers are going to come into force. As I said, we want to do that as quickly as possible. In fact the current Secretary of State said it was his ambition to complete it within a year, although that is going to be difficult. We want to get it right; we want the process of consultation and guidance to be done properly. Of course, there was the small matter of purdah and an election in the way. Now, however, if this House approves the regulator today, we will be well on the way to doing that, and we are definitely trying to do it as quickly as possible.
We take data protection and privacy very seriously. The age verification arrangements should be concerned with verifying only age, not identity; we absolutely agree with that. Providers of age-verification controls will be subject to data protection laws—the GDPR—from 25 May, and the BBFC will work with the Information Commissioner’s Office to ensure that its standards are met by age verification providers, particularly with regard to security, data minimisation and privacy by design. So the ICO is there to uphold the law and enforce data protection law and the GDPR. To go further on that point, the noble Lord, Lord Clement-Jones, mentioned the relationship. The BBFC and the ICO are going to agree a memorandum of understanding to ensure and clarify how they are going to work together and separate their various responsibilities.
I know the noble Lord, Lord Stevenson, is not entirely happy with some of the arrangements; we debated some of them on the Digital Economy Bill. He also mentioned definitions and said one of the things that the regulator—that is, the BBFC if it is designated—will have to do is regulate the definition of extreme pornography that is unlawful even if it has age verification in place. That is not really the subject of debate today. Noble Lords will have an opportunity to discuss that when the regulations come—
I know the Minister was struggling with the wording there but this is really quite important. I thought he might have suggested that it would be up to the BBFC to define what was or was not permissible to view. I hope he is not saying that. I imagine the assumption is that there is a law of obscenity. Obviously it is interpreted through the courts in a way that is not entirely consistent in every case, but the law has to be the law and it must not be up to the BBFC to change the definitions.
The noble Lord is absolutely right, and I apologise if I misled anyone. It is not the BBFC’s job to determine what is lawful. It is meant to implement the law. The debate that I think we will have when the regulations come to this House will be on the decisions that will have been taken on what is pornography available for commercial purposes. The definition of what is unlawful will be under the extreme pornography definition within the existing Act.
Leading on from that, I remember from the debates that the trouble was that the Obscene Publications Act was not aligned with the CPS guidance or with various other things. I presume therefore that some work will be done on this in the near future, otherwise I suspect that the BBFC will get into trouble. At the same time, because age verification may come into this too, presumably we will also try to align the internet stuff, which is what we have been talking about in the Digital Economy Act—broadcast, which is regulated differently, and video on demand, which I think is Ofcom’s responsibility at the moment. We really do not want different rules across all of those, so I hope we are going to get on with that.
We debated this extensively during the passage of the Digital Economy Bill. Parliament agreed with the very clear definition of extreme pornography, which is based on the Criminal Justice and Immigration Act 2008. That is what it will opine on. The primary legislation—the Digital Economy Act—requires the Secretary of State to consult on the impact and effectiveness of the regulatory framework, including the definitions used, within 18 months of the powers coming into force. That will be the time to do it. What I meant about it not being the subject of debate today is that this regulation is very clearly to define the regulator, and we say it should be the BBFC. I am not trying to duck the issues that are still there, but they will come back and I am sure I will have to deal with them—unless I am late for something.
The other issue mentioned by the noble Lord, Lord Stevenson—which I fear we will not agree on today—is the structure of the BBFC. He did say that he did not want a full response; I will just say that the BBFC is set up as an independent non-governmental body with a corporate structure, but it is a not-for-profit corporate structure. We have agreed funding arrangements for the BBFC for the purposes of the age-verification regulator. The funding is ring-fenced for this function. We have agreed a set-up cost of just under £1 million and a running cost of £800,000 for the first year. No other sources of funding will be required to carry out this work, so there is absolutely no question of influence from industry organisations, as there is for its existing work—it will be ring-fenced. As far as surplus is concerned, it is relatively common for non-profit organisations to keep a surplus and to do things such as investing in major projects or equipment. We think that, because the BBFC has been doing a similar job and making very difficult judgments on these things since 1912, it is the most suitable body.
We are content—and the previous Secretary of State was satisfied—that, with this structure, including the appeals structure, we have done our best to ensure that the arrangements will be sufficiently independent. I am thankful to the noble Lord, Lord Clement-Jones, for his support on that. There will be an independent appeals panel, which will not include the regulator, the Government or the affected industries. The BBFC will play no part in deciding the chair or membership of the independent appeals panel; this will be the role of the independent appointments board, so there is a clear division between the BBFC and appointments board, which will ensure its independence. Interestingly, the BBFC in its other role has had remarkably few appeals. Since 1985, there has been a total of 21 appeals, nine of which were ruled in the BBFC’s favour, nine against, and the remaining three were withdrawn. Since 2007, no appeals have been made to the BBFC.
I think I have addressed most of the issues raised. The noble Lord, Lord Stevenson, mentioned some of the more philosophical issues on this—I agree with him; the data ethics body may be a place for that—and I can assure noble Lords that we will come back to some of these more difficult issues. In the meantime, to go back to where I started, today’s job is only to designate the BBFC as the regulator. I hope that, after what I have said, the House will agree that it is the best body to take on the role, and I therefore beg to move.