My Lords, with the leave of the House I will repeat a Statement made by my right honourable friend the Secretary of State for DCMS in the other place earlier today. The Statement is as follows:
“Mr Speaker, I would like to make a Statement in relation to the implementation of age verification for online pornography. As the House knows, the Government announced that age verification for online pornography, under the Digital Economy Act, would come into force on 15 July 2019. It has come to my attention in recent days that an important notification process was not undertaken for an element of this policy, and I regret to say that this will delay the commencement date. I wanted to take the opportunity to come to the House as soon as possible to apologise for the mistake that has been made and explain its implications.
In autumn 2018, we laid three instruments before the House for approval. One of those instruments, the Guidance on Age Verification Arrangements, sets out standards that companies need to comply with. This should have been notified to the EU Commission in line with the technical standards and regulations directive, and it was not. Upon learning of this administrative oversight, I have instructed my department to notify this guidance to the EU and re-lay the guidance in Parliament as soon as possible. However, I expect that this will result in a delay in the region of six months.
As the House would expect, I want to understand how this occurred. I have therefore instructed my department’s Permanent Secretary to conduct a thorough investigation. That investigation will have external elements to ensure that all the necessary lessons are learned. Mechanisms will also be put in place to make sure that this cannot happen again. In the meantime, there is nothing to stop responsible providers of online pornography implementing age-verification mechanisms on a voluntary basis, and I hope and expect that many will do so.
The House will also know that there are a number of other ways in which the Government are pushing our objective of keeping young people safer online. The Online Harms White Paper sets out our plans for world-leading legislation to make the UK the safest place in the world to be online. Alongside the White Paper, we also published the social media code of practice under the 2017 Digital Economy Act, which gives guidance to providers of social media platforms on appropriate actions they should take to prevent bullying, and insulting, intimidating and humiliating behaviours on their sites. We will also publish interim codes of practice detailing steps that we expect companies to take to tackle terrorist content and online child sexual abuse and exploitation. These will pave the way for the new regulatory requirements.
We set out in the White Paper our expectations that companies should protect children from inappropriate content. We will produce a draft code of practice on child online safety to set clear standards for companies to keep children safe online, ahead of the new regulatory framework. During the consultation on the White Paper, we heard about the technical challenges associated with identifying the specific ages of users, and so I have commissioned new guidance, to be published in the autumn, about the use of technology to ensure that children are protected from inappropriate content online.
The new regulatory framework for online harms announced in the White Paper will be introduced as soon as possible, because it will make a significant difference to action taken by companies to keep children safe online. I intend to publish the government response to the consultation by the end of the year, and to introduce legislation as soon as parliamentary time allows after that, but I recognise that many Members of this House and people beyond it have campaigned passionately for age verification to come into force as soon as possible to ensure that children are protected from pornographic material they should not see. I apologise to them all for the fact that a mistake has been made which means that these measures will not be brought as soon as they and I would like.
But there are also those who do not want these measures to be brought in at all, so I make it clear that, although my Statement is an apology for delay, it is not a change of policy or a lessening of the Government’s determination to bring these changes about. Age verification for online pornography needs to happen, and I believe that it is the clear will of the House and those we represent that it should and that, in the clear interests of our children, it must”.
My Lords, I am grateful to the Minister for repeating the Statement made earlier. I have come, as is probably obvious from my dress, from a memorial service for the late Jeremy Heywood, former head of the British Civil Service and Cabinet Secretary. The theme of that wonderful event was the quality of the British Civil Service. Its skills and expertise are unparalleled in the modern world, and it is a true legacy of his work in that period. It is therefore rather sad to come from that to this, which appears to be an apologia for the work of civil servants. I assume that it is civil servants we are talking about here and not Ministers, although the Minister did not say that in the Statement. Honest mistakes happen, and I do not suggest that anything other than that is at stake here.
Having said that, it would be helpful to know more about what has been happening and how it will be progressed to make sure we learn from the mistakes. When was this error discovered? I note that the issue is about the technical standards and regulations directive; it does not say this in the Statement, but that was brought in in 2015, so we have had some four years of experience of it. I cannot believe that the Minister will say in response that the department has had no experience of that regulations directive, because it has passed a large number of regulations over the last few years, which we have enjoyed going through together. But it certainly means that the department is aware of the structure under which this regulations directive operates. It is therefore surprising that it was unable to meet the standard for the age verification for online pornography SI that we are talking about.
Secondly, as it does not say this in the Statement, I would be grateful if the Minister could confirm when the Secretary of State learned of this error. Could he give us some more details about how it came to pass?
The Statement says there is going to be a review. That is obviously right. There are two things I want to ask about that. First, it says, rather interestingly, that there will be “external elements”. I assume that does not mean they are going to meet outside in the park and do it in the sun, but could the Minister flesh that out a little? Are we talking here about a mixed group, including external independent persons, who will be able to bring objectivity to the arrangements? It would help if he could make that clear. Secondly, will the review be published when it is completed? With an error of this magnitude, which is going to cause so much difficultly, there is a case for that, so I would be grateful if the Minister could respond.
Behind all this, is there not a bigger question? The Statement hinted that there are those who feel that the way the Government are progressing in this matter is not right. It is based on an assumption that technology will operate in a way that it probably will not, and is based on an old-fashioned view about how technology will help us get to the point that we all want across this House and wider society, which is where children should not be exposed to pornography. The truth is that, although the Statement says that this set of regulations was due to come into force on 15 July, in fact that is a later date than was originally proposed, which was much earlier in the year. This is probably because the issue of the technology itself has not yet been clarified.
There is a wider question about that. The Statement falls into the mistake of equating age verification with action to prevent pornography coming before children. As the latter part of the Statement makes clear, a lot more needs to be done here. This particular regulation—although in no sense do I want to dilute our support for it—may prove not to be the most important element of what we are talking about. The draft code of practice on online child safety, engagement with companies and the new guidance that has been published are all very well, but the online harms White Paper, with its requirement for a duty of care to be placed on companies providing material for the internet, will be the one major step forward that surely will break the dam on this issue. We must focus on that.
Therefore, we should perhaps take time to reflect on whether we are pressing too hard for something that may not turn out to be the long-term solution, without giving the body—even though I think the BBFC is the wrong body—the powers to carry out the work of closing down sites and stopping money flowing to them. Nevertheless, we support the general aim and objective set out in the White Paper and wish to see it brought forward. Age verification is a surrogate for what we are trying to do. It will not solve the problem by itself. It has already been proved that it is easy to get round. Can the Minister confirm that he takes the broader point that there is more here than this particular issue?
My Lords, I too thank the Minister for repeating the Statement. This is unfortunate to say the least, and it means these AV requirements will be put in place nearly three years after the original Digital Economy Act was passed. If the Minister does the maths, he will find it has been three years since they were incorporated into the Act.
The noble Lord, Lord Stevenson, asked all the right questions and made a comment about the professionalism of our Civil Service. But I find it staggering that, if you recall, we had exactly the same situation with the Video Recordings Act when notification did not take place. We all had to come back here and re-pass aspects of that Act because that notification had not taken place. I do not understand why that experience was not engraved on every heart in the DCMS or Home Office. I think it was a Home Office requirement at the time, but I dare say the people themselves transferred to the DCMS subsequently. In those circumstances, will compensation be available to companies that have developed age-verification solutions and gone through the voluntary certification and assessment process in anticipation of the guidance going live this July? I would expect nothing less.
During the passage of the Digital Economy Act, we on these Benches agreed in principle with the concept of age verification for pornographic sites for the purposes of child protection, but we wanted greater safeguards in the Bill in terms of third-party verification and privacy. Sadly, that did not happen. My noble friend Lord Paddick and I argued in 2017 for statutory third-party age verification and queried that last year when the regulator was nominated as the BBFC.
What is the current level of voluntary operation of age-verification methods, in response to the guidance or as an independent action? Does any site operate a voluntary age-verification process? If so, are such processes now exclusively third party, which was the essence of our original amendment and why we felt that that was an important privacy aspect? Explicitly, what will be the procedure for the re-approval of the guidance? Will it be by the negative or the affirmative procedure?
My noble friend Lord Paddick argued last year for a much greater commitment to compulsory age-appropriate sex and relationship education for all children, including telling children what they should do if they encounter online pornography. That is an important other side of the coin. What resource is devoted to this increasingly important aspect of sex education? What difference will the new DNS over HTTPS protocol make to the eventual ability of the BBFC to enforce these requirements or to force internet service providers to comply?
The Secretary of State refers in the Statement to the implementation of the online harms White Paper, which is strongly related to the age-verification agenda. The Minister knows that we have reservations about over-hasty legislation; we believe that pre-legislative scrutiny would be wise and would iron out some of the scope and definitional problems. There are conflicting views about the width of the duty of care and, on the other hand, the dangers of being over-prescriptive. There are many voices still to be heard before we can be sure that the legislation will be sound. Is not a draft Bill the way forward?
There is no reason, however, why Ofcom should not be designated early after the end of the consultation—after all, it has the clout, the technological understanding, and experience in regulating content where it converges with technology, in using enforcement and information-gathering powers and in co-operating with other regulators. It could draw up the first code of practice on online safety, mentioned in the Statement.
There is some concern that current policies are driving us into a world where age verification will be required for all kinds of access other than to pornography. That seems to be the implication of the Secretary of State’s remarks about technical challenges associated with identifying the specific age of companies’ users. Is that the intention? We need to be extremely wary of the consequences of that. That must be fully debated before we go further on age-verification requirements.
My Lords, I thank both noble Lords for their sensible comments and repeat our apology. The noble Lord, Lord Stevenson, commented on the memorial service for Lord Heywood and the quality of the Civil Service, so I agree that it is unfortunate that we are today bringing forward this Statement. I want to make it clear that Ministers, not civil servants, are responsible for the department. Both the Secretary of State and I take our responsibilities seriously. I take this opportunity to pay tribute to the civil servants—nearly all the time, though not in this case—and to say that they work extremely hard to protect children. They are absolutely committed and work flat out—I shall come to the online harms White Paper—so the responsibility lies fairly and squarely with Ministers.
The noble Lord, Lord Stevenson, asked how we learned and when. We were informed early last week—on 11 June, I think. A letter from the BBFC was written on 11 June; the Secretary of State was informed on Friday 14 June. Earlier this week he asked civil servants to tell him what the implications were and whether we could do anything to get age verification in place earlier. He then came before the other House today, as soon as possible, to apologise and explain what had happened.
The noble Lord rightly said that we have had experience of the technical standards and regulations directive. The department notified the Act but not the regulations that fell under it. Again, it was a mistake and we are making sure that it will not happen again.
In connection with making sure that it does not happen again, the noble Lord asked about “external elements”. By that, we mean that the review will include people from outside the department to make sure that there is an independent view. I cannot confirm whether it will be published—I will have to go back to the department to ask that.
As for technology, there have been delays. We need to make sure that the technology is effective and that privacy is taken into account. Obviously, the third-party age verifiers are subject to the new privacy law under the GDPR. One reason for the delay was to make sure that the additional voluntary certification scheme is up and running. I say in answer to the noble Lord, Lord Clement-Jones, that sites were expecting to have to be ready to comply with the requirement on 15 July. There has been no voluntary compliance before that; I am not surprised by that. With sites having been prepared to do it on 15 July, we would expect them to bring it in within the timescale of roughly six months—to which I shall come in a minute. We do not anticipate any compensation being paid, because sites were expected to do it on 15 July. They may have a little more time, but our intention is that they should do it as soon as possible. We will bring back the same regulations, because we have to bear in mind that this is about protecting children who accidentally stumble on pornography that they would not be able to stumble on in the offline world. We are concerned to get this in place as soon as possible, which is why we are very disappointed with our mistake.
The broader point made by both noble Lords was that this is a limited measure. We have always acknowledged that; it is for commercial sites. There are other areas in which children can come across pornography, such as social media sites, even though that is not their primary business. That is where online harms will come in. The noble Lord, Lord Clement-Jones, asked about pre-legislative scrutiny. We are very much in a cleft stick here. We of course understand the benefits of pre-legislative scrutiny, but we have to move as quickly as we can to correct some of the problems, particularly in respect of things that are already illegal such as child sexual exploitation and terrorism. However, the noble Lord would not expect me to make a commitment on that when the consultation has not even finished; no doubt, he will respond to the consultation to make his point.
The noble Lord, Lord Clement-Jones, mentioned the Video Recordings Act, where it is true that notification did not place under the old technical services directive. That was 25 years ago, in 1984, and it was corrected in 2010. So the noble Lord is right that there was a similar mistake 25 years ago. We will take measures to ensure that, whether in 25 years, two years, or one year, it will not happen again. I acknowledge that this has happened before, albeit some time ago.
The procedure on the guidance now is that it has to be laid before the EU for three months in draft form. If the EU makes some comments on it, it may have to stay for another month. After that period, it will have to be laid before the House, under the negative procedure, as the House has already agreed. That means we have to allow 40 days for any noble Lord to pray against it. It will take roughly six months to get through both Houses at the end of the up-to-four-month period.
There are several technical issues about the enforceability of the policy—not the policy itself. We also have to take this into account for the online harms White Paper. A suite of enforcement options is available. For example, the regulator can use payment providers and ancillary service providers to enforce the regulations, but these have to come in first and that is what we have had to delay.
My Lords, the Minister is well aware of my long-standing support for this age-verification regime and will not be surprised to learn how disappointed I am to hear about this delay. This means that more innocent children will be able to accidentally stumble across pornography, which, research has shown, will have harmful effects on their well-being. This is a huge price to pay for an unavoidable mistake. While I accept the Minister’s assurance that this is a DCMS administrative error, I would be grateful for confirmation that, as soon as the necessary processes have been undertaken with the Commission, the Government will announce the entry into force of this new regime.
It is important that we know that the Government intend to resolve this issue as soon as possible. We need to hear that time and time again. I would also be grateful for reassurance that this delay is in no way related to underlying privacy concerns that I know are being put forward by groups opposed to age verification in principle. I have met the BBFC and age-verification providers and believe that their additional protections are robust. Will the Minister confirm that the BBFC still has the full support of the Government for this certification, which was developed with the support of the department? Can the Minister please reassure me, all the people who have supported this regime and the children who will suffer, that he will take action to protect them as soon as possible?
Yes, we will take action as soon as possible. As I explained, after the three or four months with the EU in draft are up, we will immediately proceed with laying it before Parliament. The delay is then the 40 days that it has to lie. As soon as it gets through both Houses of Parliament, it will be in force. We certainly intend to go through with it as soon as possible. The noble Baroness might like to check Hansard. She said that it was an “unavoidable mistake”; I have to confess it was an avoidable mistake. We should have avoided it and should avoid it in future. I also confirm that this was a mistake and the delay is in no way related to privacy concerns. That does not mean we are not taking privacy seriously. The additional voluntary certification scheme is important. We take privacy seriously, but that was not the reason for the delay.
I also regret this and am very sad about it. We have already been waiting for two years. Talk about dragging feet on this; I cannot believe it takes so long. I do not understand what the problem is with the guidance on age-verification arrangements. I have read it again and it does not contain anything technical. It lays out some fairly obvious things in plain English; it talks about various aspects of this and ends up saying that the Government would like to set up a voluntary certification scheme. That is about it; there is no technical stuff in there at all, so I am not sure why this is being used as an excuse to delay further. Could it possibly be because the BBFC has just launched a certification scheme that is really only about data protection? That is not its job; it is deliberately excluded from the Digital Economy Act. Data protection is the job of the Information Commissioner’s Office, which can levy huge fines. The BBFC is meant to be worrying about age verification and the protection of children online. Why is its certification scheme not about that? Its scheme is very heavyweight on the GDPR—or DPA 2018—stuff. Does it, therefore, think it needs more time? Was this just an excuse to delay it a little further?
If the Government are to issue new guidance in the autumn, I hope they will look at the British Standard. I also hope they will talk to the age-verification providers. They know how to do this, and how to do it anonymously. This is why, looking at the guidance, the BBFC says that the websites should not do it themselves. People bounce off, get verified elsewhere and get an anonymous, encrypted token back to prove they have done it. There is no problem or technical glitch with this. The Home Office may need to start talking to people who know how to do it; this really worries me.
The certification scheme is a good idea, so the websites know that the age-verification providers are all covered correctly. You need the GDPR stuff in there, but can it please be primarily about age verification and not be ridiculously expensive? At the moment, we are looking at £20,000 a pop for the scheme that the BBFC is proposing. A proper scheme, using the BEIS guidance, through the UK Accreditation Service, would have done a proper accreditation for certification providers for a quarter of the price or less. The Government have wasted a lot of money setting this scheme up and a lot of other people will waste a lot of money trying to get certification. As it is not really for age verification, it gives no guarantees of safety. Why are the Government doing it this way? As the whole thing is voluntary anyway, and certification not compulsory, why are they still delaying. Why does the BBFC not just start enforcing on 15 July? People are not going to put in age verification. Why disadvantage yourself, at extra cost, when you have no reason to do so? The websites will not do it until the last minute. In the meantime, the age-verification providers, which are all ready to go, are suffering economically very badly as a result of this delay.
First, this is not an excuse for delaying. The legal advice that the BBFC has received, confirmed by the legal advice that my department has received, is that the guidance needs to be notified to the EU under the technical standards and regulations directive. The other two measures do not, so we are laying only the ones that we need to. I cannot give the noble Earl chapter and verse about the legal reasons today, but I can assure him there was no doubt about it. It was not even 50:50; it was absolutely correct. If there was any other way that we could have done it, without delaying it for this long, we would have done so.
We do not believe that money has been wasted in preparing this: we think that age verification is what Parliament asked for and what the majority of Members of both Houses want. That is the way it has been set up. Although it is technically quite difficult, it is not incompatible with the regulation of the ICO. The ICO, as the noble Earl rightly said, is responsible for data privacy and personal data breaches. The age-verification system is set up to comply with the GDPR and the Data Protection Act. The additional voluntary certification scheme—which is voluntary—is a further reassurance to users that even higher standards than the minimum standards of the GDPR apply. So I think it is correct that we continue with it.
As for why we are having to delay this measure, if we bring in age verification now, it will be unenforceable in UK law, because it will have been incorrectly proceeded with against EU law and against the technical standards and regulation directive. Unfortunately, we have concluded that there is no choice but to delay it.