Moved by Lord Parkinson of Whitley Bay
187: Clause 65, page 62, line 18, leave out from “service” to “down” in line 20 and insert “indicate (in whatever words) that the presence of a particular kind of regulated user-generated content is prohibited on the service, the provider takes” Member’s explanatory statementThis amendment makes a change to a provision about what the terms of service of a Category 1 service say. The effect of the change is to cover a wider range of ways in which a term of service might indicate that a certain kind of content is not allowed on the service.
My Lords, transparency and accountability are at the heart of the regulatory framework that the Bill seeks to establish. It is vital that Ofcom has the powers it needs to require companies to publish online safety information and to scrutinise their systems and processes, particularly their algorithms. The Government agree about the importance of improving data sharing with independent researchers while recognising the nascent evidence base and the complexities of this issue, which we explored in Committee. We are pleased to be bringing forward a number of amendments to strengthen platforms’ transparency, which confer on Ofcom new powers to assess how providers’ algorithms work, which accelerate the development of the evidence base regarding researchers’ access to information and which require Ofcom to produce guidance on this issue.
Amendment 187 in my name makes changes to Clause 65 on category 1 providers’ duties to create clear and accessible terms of service and apply them consistently and transparently. The amendment tightens the clause to ensure that all the providers’ terms through which they might indicate that a certain kind of content is not allowed on its service are captured by these duties.
Amendment 252G is a drafting change, removing a redundant paragraph from the Bill in relation to exceptions to the legislative definition of an enforceable requirement in Schedule 12.
In relation to transparency, government Amendments 195, 196, 198 and 199 expand the types of information that Ofcom can require category 1, 2A and 2B providers to publish in their transparency reports. With thanks to the noble Lord, Lord Stevenson of Balmacara, for his engagement on this issue, we are pleased to table these amendments, which will allow Ofcom to require providers to publish information relating to the formulation, development and scope of user-to-user service providers’ terms of service and search service providers’ public statements of policies and procedures. This is in addition to the existing transparency provision regarding their application.
Amendments 196 and 199 would enable Ofcom to require providers to publish more information in relation to algorithms, specifically information about the design and operation of algorithms that affect the display, promotion, restriction, discovery or recommendation of content subject to the duties in the Bill. These changes will enable greater public scrutiny of providers’ terms of service and their algorithms, providing valuable information to users about the platforms that they are using.
As well as publicly holding platforms to account, the regulator must be able to get under the bonnet and scrutinise the algorithms’ functionalities and the other systems and processes that they use. Empirical tests are a standard method for understanding the performance of an algorithmic system. They involve taking a test data set, running it through an algorithmic system and observing the output. These tests may be relevant for assessing the efficacy and wider impacts of content moderation technology, age-verification systems and recommender systems.
Government Amendments 247A, 250A, 252A, 252B, 252C, 252D, 252E and 252F will ensure that Ofcom has the powers to enable it to direct and observe such tests remotely. This will significantly bolster Ofcom’s ability to assess how a provider’s algorithms work, and therefore to assess its compliance with the duties in the Bill. I understand that certain technology companies have voiced some concerns about these powers, but I reassure your Lordships that they are necessary and proportionate.
The powers will be subject to a number of safeguards. First, they are limited to viewing information. Ofcom will be unable to remotely access or interfere with the service for any other purpose when exercising the power. These tests would be performed offline, meaning that they would not affect the services’ provision or the experience of users. Assessing systems, processes, features and functionalities is the focus of the powers. As such, individual user data and content are unlikely to be the focus of any remote access to view information.
Additionally, the power can be used only where it is proportionate to use in the exercise of Ofcom’s functions—for example, when investigating whether a regulated service has complied with relevant safety duties. A provider would have a right to bring a legal challenge against Ofcom if it considered that a particular exercise of the power was unlawful. Furthermore, Ofcom will be under a legal obligation to ensure that the information gathered from services is protected from disclosure, unless clearly defined exemptions apply.
The Bill contains no restriction on services making the existence and detail of the information notice public. Should a regulated service wish to challenge an information notice served to it by Ofcom, it would be able to do so through judicial review. In addition, the amendments create no restrictions on the use of this power being viewable to members of the public through a request, such as those under the Freedom of Information Act—noting that under Section 393 of the Communications Act, Ofcom will not be able to disclose information it has obtained through its exercise of these powers without the provider’s consent, unless permitted for specific, defined purposes. These powers are necessary and proportionate and will that ensure Ofcom has the tools to understand features and functionalities and the risks associated with them, and therefore the tools to assess companies’ compliance with the Bill.
Finally, I turn to researchers’ access to data. We recognise the valuable work of researchers in improving our collective understanding of the issues we have debated throughout our scrutiny of the Bill. However, we are also aware that we need to develop the evidence base to ensure that any sharing of sensitive information between companies and researchers can be done safely and securely. To this end, we are pleased to table government Amendments 272B, 272C and 272D.
Government Amendment 272B would require Ofcom to publish its report into researcher access to information within 18 months, rather than two years. This report will provide the evidence base for government Amendments 272C and 272D, which would require Ofcom to publish guidance on this issue. This will provide valuable, evidence-based guidance on how to improve access for researchers safely and securely.
That said, we understand the calls for further action in this area. The Government will explore this issue further and report back to your Lordships’ House on whether further measures to support researchers’ access to data are required—and if so, whether they could be implemented through other legislation, such as the Data Protection and Digital Information Bill. I beg to move.
My Lords, Amendment 247B in my name was triggered by government Amendment 247A, which the Minister just introduced. I want to explain it, because the government amendment is quite late—it has arrived on Report—so we need to look in some detail at what the Government have proposed. The phrasing that has caused so much concern, which the Minister has acknowledged, is that Ofcom will be able to
“remotely access the service provided by the person”.
It is those words—“remotely access”—which are trigger words for anyone who lived through the Snowden disclosures, where everyone was so concerned about remote access by government agencies to precisely the same services we are talking about today: social media services.
So I hope the House will forgive me for teasing out why this is important and why we need extensive safeguards. This is non-trivial. If you are out there running a service, the idea of a government agency having remote access to your systems is a big deal, and the fact that this has come so late compounds that fear because it feels like it is being snuck in.
Ofcom, as I am sure it will remind us, is independent, but in the last debate it was referred to as part of the UK Executive. We cannot have it both ways. I see the chairman of Ofcom shaking his head at that, but we have just had a debate at the heart of which was the notion that this part of the UK Executive would give guidance to part of the UK judiciary. What is sauce for the goose is sauce for the gander. Here, the concern is that Ofcom would be seen as part of the UK Executive having remote access to social media services run by independent companies; I think your Lordships can see why that triggers things.
We need to establish in this debate that what the Government have in mind for Ofcom—this independent regulator—is utterly different from what might be the case with, for example, a security service under the terms of investigatory powers legislation. On the face of it, it looks similar, so it is important that, if it is different as the Minister has started, and I think will continue, to argue, we establish exactly why it is different and how we can be confident that is different. Amendment 247B in my name and that of my noble friend was intended to be helpful to the Government as one way of trying to establish why this is different, by placing some limitations on the Bill.
There are two risks inherent in this notion of remote access. The first is that Ofcom is overintrusive. It has an oversight role, but we are not expecting Ofcom to run our social media services; we expect it to oversee social media services that run themselves. Clearly, remote access, if used in an overbearing way, could be excessively intrusive in relation to those services being able to do what they do. In one version of remote access, which I think the Minister has tried to tease out, it is an offline exercise done occasionally to check something in a quasi-academic way; in another form, Ofcom sits there with a dashboard of what is going on in these systems, just as the Government like to do in their own public services with health and other things. Ofcom with a dashboard looking at what is happening in real time is quite different, and I think would be seen as overbearing and excessively intrusive. I hope the Minister will be able to provide further assurances that that is not what they have in mind.
The second risk is that the access is used for purposes other than simply Ofcom’s purposes. I am certainly not a conspiracy theorist and, perhaps unusually in my community of tech people, I quite admire the people who have only first names and live in Cheltenham, because I think what they do does keep us safe. That is what we pay them to do: to be creative and find creative ways to access data under lawful authority, et cetera, fully respecting human rights. I have confidence that those I have met do that and they do a great job; but we pay them to be creative and find access to data, not to put up with barriers. A spy is gonna spy. If they know that there is a form of access to data, of course, their job is to look at whether that would be useful to them.
My understanding—not as a conspiracy theory but as a matter of fact as to how the law works—is that, under investigatory powers rules, they can issue secret warrants, appropriately signed off, to pretty much anyone to access data. The recipients of those warrants have to execute them and, under penalty of prosecution themselves, are not able to tell anyone they received the warrant. Ofcom is not exempt from that. That is a fact, and we should recognise it; so, were Ofcom to receive an appropriate warrant for data, my understanding is that it would not have a way to say no and would not even be able to tell us about it. The best way to protect against that—to protect against temptation for James from Cheltenham, who is doing his job—is to make sure that remote access does not include anything that would be remotely useful to the security services. The way that we will be able to understand that is through transparency.
The Minister began his comments by saying that transparency and accountability were critical, and that maxim also applies here. We also want to protect against Ofcom’s own overreach and against any downstream use of that data. It is essential, therefore, that we understand in quite a lot of detail exactly what this remote access does and does not entail, so we can make our minds up about whether this piece is being used in an appropriate way.
I hope that the Minister can build on assurances which he very helpfully started to give at the beginning of the debate about this information notice process. He said that there was nothing secret about the information notices. Again, I hope that we can reinforce that any platform that is concerned that remote access that it is being asked to provide is inappropriate can tell us all about it and, as the Minister said, challenge that. I hope also that individual complainants and the harshest critics of the Government and of the security services—and a lot of people in this world worry about these things who, when they read this debate or look at the amendment, will assume the worst—can see exactly what remote access has and has not been made available. Then also I hope that, as individual users—because it is all about our privacy, as social media users of one form or another—we will know that, when we hand our data over to the social media service, which correctly under the terms of this legislation is required to give Ofcom access and keep us safe, we will know exactly what that access entails and that it does not go further than we set out in the legislation.
The transparency piece is critical. Can the Minister say that the information notices in relation to remote access will never be withheld? It is an utterly different world from the investigatory powers world, where there are good reasons where things have to be kept secret. If the Minister can say that in that world nothing is secret about the fact of remote access, and if anybody who has concerns can get the information that they need to understand whether those concerns are genuine, or whether something much more benign is happening, that would be extremely helpful. The Minister mentioned judicial review by platforms. I get that but, if a platform feels that Ofcom, the regulator, is behaving in an overbearing way, I remain a little concerned that judicial review is quite a slow and painful process. As I understand it, it is more about whether it was legally correct to give the order than perhaps whether the substance of the order was appropriate.
We still need to know that the checks and balances are in place. If Ofcom, under a future leadership—I am sure not under its current leadership—were to take it upon itself to want to set up a dashboard to look at what was happening in every social media company in real time, and were taken by that spirit of madness at some future date, I hope that the companies would be able to raise concerns about that, because it is not what we intend to happen in this Bill. I hope that they would be able to do that in a more straightforward process than in a lengthy judicial review.
The Minister has a clear idea of the kind of reassurances that we are looking for. He teased out some of them in his opening comments, and I hope that he can make them even more strongly in his closing remarks.
My Lords, the noble Lord, Lord Allan of Hallam, hinted at the fact that there have been a plethora of government amendments on Report and, to be honest, it has been quite hard fully to digest most of them, let alone scrutinise them. I appreciate that the vast majority have been drawn up with opposition Lords, who might have found it a bit easier. But some have snuck in and, in that context, I want to raise some problems with the amendments in this group, which are important. I, too, am especially worried about that government amendment on facilitating remote access to services and equipment used to buy services. I am really grateful to the noble Lords, Lord Allan of Hallam and Lord Clement-Jones, for tabling Amendment 247B, because I did not know what to do—and they did it. At least it raises the issue to the level of it needing to be taken seriously.
The biggest problem that I had when I originally read this provision was that facilitating remote access to services, and as yet undefined equipment used by a service, seems like a very big decision, and potentially disproportionate. It certainly has a potential to have regulatory overreach, and it creates real risks around privacy. It feels as though it has not even been flagged up strongly enough by the Government with regard to what it could mean.
I listened to what the Minister said, but I still do not fully understand why this is necessary. Have the Government considered the privacy and security implications that have already been discussed? Through Amendment 252A, the Government now have the power to enter premises for inspection—it rather feels as if there is the potential for raids, but I will put that to one side. They can go in, order an audit and so on. Remote access as a preliminary way to gather information seems heavy-handed. Why not leave it as the very last thing to do in a dialogue between Ofcom and a given platform? We have yet to hear a proper justification of why Ofcom would need this as a first-order thing to do.
The Bill does not define exactly what
“equipment used by the service” means. Does it extend to employees’ laptops and phones? If it extends to external data centres, have the Government assessed the practicalities and security impact of that and the substantial security implications, as have been explained, for the services, the data centre providers and those of us whose data they hold?
I am also concerned that this will necessitate companies having very strongly to consider internal privacy and security controls to deal with the possibility of this, and that this will place a disproportionate burden on smaller and mid-sized businesses that do not have the resources available to the biggest technology companies. I keep raising this because in other parts of government there is a constant attempt to say that the UK will be the centre of technological innovation and that we will be a powerhouse in new technologies, yet I am concerned that so much of the Bill could damage that innovation. That is worth considering.
It seems to me that Amendment 252A on the power to observe at the premises ignores decentralised projects and services—the very kind of services that can revolutionise social media in a positive way. Not every service is like Facebook, but this amendment misses that point. For example, you will not be able to walk into the premises of the UK-based Matrix, the provider of the encrypted chat service Element that allows users to host their own service. Similarly, the non-profit Mastodon claims to be the largest decentralised social network on the internet and to be built on open-web standards precisely because it does not want to be bought or owned by a billionaire. So many of these amendments seem not to take those issues into account.
I also have a slight concern on researcher access to data. When we discussed this in Committee, the tone was very much—as it is in these amendments now—that these special researchers need to be able to find out what is going on in these big, bad tech companies that are trying to hide away dangerous information from us. Although we are trying to ensure that there is protection from harms, we do not want to demonise the companies so much that, every time they raise privacy issues or say, “We will provide data but you can’t access it remotely” or “We want to be the ones deciding which researchers are allowed to look at our data”, we assume that they are always up to no good. That sends the wrong message if we are to be a tech-innovative country or if there is to be any working together.
My final point is to be a bit more positive. I am very keen on the points made by the Minister on the importance of transparency in algorithms, particularly in Amendments 196 and 199. This raises an important point. These amendments are intended to mean that providers of user-to-user services and search services would have to include in their transparency report details about algorithms, so that we can see how they work, and these amendments particularly relate to illegal content and content that is harmful to children. I should like that being understood more broadly, because for me there is constant tension where people do not know what the algorithms are doing. When content is removed, deboosted, or whatever, they do not know why. More transparency there would be positive.
The Minister knows this, because I have written to him on the subject, but many women, for example, are regularly being banned from social media for speaking out on sex-based rights, and gender-critical accounts are constantly telling me and are discussing among themselves that they have been shadow banned: that the algorithms are not allowing them to get their points over. This is, it is alleged, because of the legacy of trans activists controlling the algorithms.
Following on from the point of the noble Lord, Lord Allan of Hallam, there is always a danger here of people being conspiratorial, paranoid and thinking it is the algorithms. I made the point in an earlier discussion that sometimes you might just put up a boring post and no one is interested, but you imagine someone behind the scenes. But we know that Facebook continues to delete posts that states that men cannot be women, for example.
I would like this to be demystified, so the more Ofcom can ask the companies to demystify their algorithmic decisions and the more users can be empowered to know about it, the better for all of us. That is the positive bit of the amendments that I like.
My Lords, the business of the internet is data. Whether it is a retail business, a media business or any other kind of business, the internet is all about data. The chiefs of our internet companies know more about noble Lords than anyone else—more than any government agency, your doctor and almost anyone—because the number of data points that big internet companies have on people is absolutely enormous, and they use them to very great effect.
Some of those effects are entirely benign. I completely endorse what the noble Baroness, Lady Fox, said. As a champion of innovation and business, I totally recognise the good that is done by the world’s internet companies to make our lives richer, create jobs and improve the world, but some of what they do is not good. Either inadvertently or by being passive enablers of harm, internet companies have been responsible for huge societal harms. I do not want to go through the full list, but when I think about the mental health of our teenagers, the extremism in our politics, the availability of harmful information to terrorists and what have you, there is a long catalogue of harms to which internet companies have contributed. We would be naive if we did not recognise.
However, almost uniquely among commercial businesses, internet companies guard access to that data incredibly jealously. They will not let you peek in and share their insights. I know from my experience in the health field that we work very closely with the pharmaceutical industry—there is a whole programme of pharmacovigilance that any pharma company has to participate in in order to explain, measure and justify the good and disbenefits of its medicines. We have no similar programme to pharmacovigilance for the tech industry. Instead, we are completely blind. Policy makers, the police and citizens are flying blind when it comes to the data that is held on us on both an individual and a demographic basis. That is extremely unusual.
That is why I really welcome my noble friend’s amendments that give Ofcom what seems to me to be extremely proportionate and thoughtful powers in order to look into this data, because without it, we do not know what is going on in this incredibly important part of our lives.
The role that researchers, including academic, civil society and campaigning researchers, play in helping Ofcom, policymakers and politicians to arrive at sensible, thoughtful and proportionate policy is absolutely critical. I pay enormous tribute to them; I am grateful to those noble Lords who have also done so. I am extremely grateful to my noble friend the Minister for his amendments on this subject, Amendments 272B and 272C, which address the question of giving researchers better access to some of this data. They would reduce the timeline for the review on data from 24 months to 18 months, which would be extremely helpful, and would changing “may” to “must”, which represents an emphatic commitment to the outcome of this review.
However, issues remain around the question of granting access to data for researchers. What happens to the insights from the promised review once it is delivered? Where are the powers to deliver the review’s recommendations? That gap is not currently served by the government amendments, which is why I and the noble Lord, Lord Clement-Jones, have tabled Amendments 237ZA, 237DB, 262AA and 272AB. Their purpose is to put in the Bill reasonable, proportionate powers to bring access to data for researchers along the lines that the research review will recommend.
The feelings on this matter are extremely strong because we all recognise the value here. We are concerned that any delay may completely undermine this sector. As we debated in Committee, there is a substantial and valuable UK sector in this research area that is likely to move lock, stock and barrel to other countries where these kinds of powers may be in place; for instance, in EU or US legislation. The absence of these powers will, I think, leave Britain in the dark and competitively behind other countries, which is why I want to push the Minister hard on these amendments. I am grateful for his insight that this matter is something that the Government may look to in future Bills, but those Bills are far off. I would like to hear from him what more he could do to try to smooth the journey from this Bill and this review to any future legislation that comes through this House in order to ensure that this important gap is closed.
My Lords, Amendments 270 and 272 are in my name; I thank the noble Lord, Lord Stevenson of Balmacara, for adding his name to them. They are the least controversial amendments in this group, I think. They are really simple. Amendment 270 would require Ofcom’s research about online interests and users’ experiences of regulated services under Clause 143 to be broken down by nation, while Amendment 272 relates to Clause 147 and would require Ofcom’s transparency reports also to be broken down in a nation-specific way.
These amendments follow on from our debates on devolution in Committee. Both seek to ensure that there is analysis of users’ online experiences in the different nations of the UK, which I continue to believe is essential to ensuring that the Bill works for the whole of the UK and is both future-proofed—a word we have all used lots—and able to adapt to different developments across each of the four nations. I have three reasons why I think these things are important. The first concerns the interplay between reserved and devolved matters. The second concerns the legal differences that already exist across the UK. The third concerns the role of Ofcom.
In his much-appreciated email to me last week, the Minister rightly highlighted that internet services are a reserved matter and I absolutely do not wish to impose different standards of regulation across the UK. Regarding priority offences, I completely support the Government’s stance that service providers must treat any content as priority illegal content where it amounts to a criminal offence anywhere in the UK regardless of where that act may have taken place or where the user is. However, my amendments are not about regulation; they are about research and transparency reporting, enabling us to understand the experience across the UK and to collect data—which we have just heard, so powerfully, will be more important as we continue.
I am afraid that leaving it to Ofcom’s discretion to understand the differences in the online experiences across the four nations over time is not quite good enough. Many of the matters we are dealing with in the online safety space—such as children, justice, police and education—are devolved. Government policy-making in devolved areas will increasingly rely on data about online behaviours, harms and outcomes. These days, I cannot imagine creating any kind of public policy without understanding the online dimension. There are areas where either the community experience and/or the policy approach is markedly different across the nations—take drug abuse, for example. No data means uninformed policy-making or flying blind, as my noble friend Lord Bethell has just said. But how easy will it be for the devolved nations to get this information if we do not specify it in the Bill?
In many of the debates, we have already heard of the legal differences across the four nations, and I am extremely grateful to the noble and learned Lord, Lord Hope of Craighead, who is not in his place, the noble Lord, Lord Stevenson of Balmacara, and the Minister for supporting my amendment last week when I could not be here. I am terribly sorry. I was sitting next to the noble Viscount, Lord Camrose, at the time. The amendment was to ensure that there is a legal definition of “freedom of expression” in the Bill that can be understood by devolved Administrations across the UK.
The more I look at this landscape, the more challenges arise. The creation of legislation around intimate abuse images is a good example. The original English legislation was focused on addressing the abusive sharing of intimate images after a relationship breakdown. It required the sharing to have been committed with the intent to cause harm, which has a very easy defence: “I did not mean to cause any harm”. The Scottish legislation, drafted slightly later, softened this to an intent to cause harm or being reckless as to whether harm was caused, which is a bit better because you do not need to prove intent. Now the English version is going to be updated in the Bill to create an offence simply by sharing, which is even better.
Other differences in legislation have been highlighted, such as on deepfakes and upskirting. On the first day of Report, the noble Baroness, Lady Kennedy of The Shaws, highlighted a difference in the way cyberflashing offences are understood in Northern Ireland. So the issue is nuanced, and the Government’s responses change as we learn about harmful behaviours in practice. Over time, we gradually see these offences refined as we learn more about how technology is used to abuse in practice. The question really is: what will such offences look like online in five years’ time? Will the user experience and government policy across the four nations be the same? I will not pretend to try to answer that, but to answer it we will need the data.
I am concerned that the unintended consequences of the Bill in the devolved Administrations have not been fully appreciated or explored. Therefore, I am proposing a belt and braces approach in the reporting regime. When we come to post-legislative scrutiny, with reports being laid before this Parliament and the devolved Administrations in Edinburgh, Cardiff and Belfast—if there is one—we will want to have the data to understand the online experiences of each nation. That is why my very little amendments are seeking to ensure that we capture this experience and that is why it is so important.
On Ofcom—my final point—I know the Minister has every confidence in Ofcom and rightly points out that it has a strong track record of producing data that is representative of people across the UK. I agree. Ofcom already does a great deal of research which is broken down into nation-specific reporting, particularly in broadcasting, but most of this is directly in relation to its obligations under the Communications Act and the BBC charter, which contains a specific purpose:
“To reflect, represent and serve the diverse communities of all of the United Kingdom’s nations and regions and, in doing so, support the creative economy across the United Kingdom”.
From my Scottish point of view, I am arguing—and I know that the Scottish advisory committee of Ofcom would agree with me—that its research and Ofcom’s reports, such as the annual Media Nations report, are linked to the way legislation is set up and then implemented by Ofcom.
Having ensured this for broadcasting and communications, why would we not want to do this for online safety? At last Tuesday’s meeting of the Communications and Digital Committee, on which I serve, we took evidence on a huge range of subjects from my noble friend the chairman of Ofcom and Dame Melanie Dawes. The noble Lord, Lord Grade, used all the usual words to describe this Bill—“complex”, “challenging”—and pointed out that it is a new law in a novel area, but he stressed that Ofcom comes to decisions outside the political arena based on research and evidence.
My amendments just remind Ofcom that we need this research and evidence by nation. This Bill is so large, so wide-ranging, that Ofcom’s remit and functions are having to expand hugely to deliver this new regime. The noble Baroness, Lady Fox, reminded us last week that what Ofcom does comes from the legislation. It does not do things off its own bat. Ofcom already has a huge challenge on its hands with this Bill, and experience tells us that it is likely to deliver only what is specified—the “must do” bits, not the “nice to do” extras. There may be no differences in the online experiences across the nations of the UK, but the only way we can be sure is if we have the data for each nation, the transparency and all the research reporting. I urge the Minister to take my amendment seriously.
My Lords, I think that was a very good speech from the noble Baroness, partly because I signed her amendment and support it and also because I want to refer back to the points made earlier by the noble Lord, Lord Bethell, about research. I am speaking from the Back Benches here because some of what I say may not have been cleared fully with my colleagues, but I am hoping that they will indulge me slightly. If I speak from this elevated position, perhaps they will not hear me so well.
To deal with noble Lords in the order in which they spoke, I support the amendments tabled by the noble Lord, Lord Bethell, in relation to having a bit more activity in relation to the area where we have very good change of government policy in relation to access by researchers to data, and I am very grateful to the Minister for doing that. The noble Lord, Lord Bethell, made the point that there is perhaps a bigger question and a bigger story than can be done just by simply bringing forward the time of the report and changing “may” to “must”, although I always think “may” to “must” changes are important because they reflect a complete change of approach and I hope action will follow. The question about access by those who need data in order to complete their research is crucial to the future success of these regimes. That plays back to what the noble Baroness, Lady Fraser, was saying, which is that we need to have this not just in aggregate form but broken down and stratified so that we can really interrogate where this information is showing the gaps, the opportunities, the changes that are needed and the successes, if there are any, in the way in which we are working.
I support the amendments tabled by the noble Lord, Lord Bethell, because I think this is not so much a question of regulation or lawmaking in this Bill but of trying to engender a change of culture about the way in which social media companies operate. It will need all of us, not just the Government or the regulatory bodies, to continue to press this because this is a major sea change in what they have been doing until now. They are quite rightly protective of their business interests and business secrets, but that is not the same when the currency is data and our data is being used to create change and opportunity and their profits are based on exploiting our resources.
I go back to the points made by the noble Lord, Lord Moylan, in his opening amendment today about why consumer rights do not apply when monetary considerations are not being taken into account. Bartering our data in order to obtain benefits from social media companies is not the same as purchasing over the counter at the local shop—we accept that—but times have changed and we are living in a different world. Everything is being bought and sold electronically. Why is consumer law not being moved forward to take account of that so that the rights that are important to that, because they are the same, are being exploited? I leave that for the Minister to come back to if he wishes to do so from the Dispatch Box.
Moving on to the Scottish issues, the amendment, as introduced by the noble Baroness, is about transparency and data, but I think it hides a bigger question which I am afraid affects much of the legislation that comes through this House, which is that very often the devolution impact of changes in the law and new laws that are brought forward is always the last to be thought about and is always tacked on at the end in ways that are often very obscure.
I have one particularly obscure question which I want to leave with the Minister, completely unreasonably, but I think it just about follows on from the amendment we are discussing. It is that, towards the end of the Bill, Clause 53(5)(c) refers to the consent of the Secretary of State or other Minister of the Crown to crimes in Scottish or Northern Irish legislation when they enter the Online Safety Bill regime. This is because, as has been made clear, laws are changing and are already different in Scotland, Wales and Northern Ireland from some of the criminal laws in England and Wales. While that is to be welcomed, as the noble Baroness said, the devolved Administrations should have the right to make sure, in the areas of their control, that they have the laws that are appropriate for the time, but if they are different, we are going to have to live with those across the country in a way that is a bit patchwork. There need to be rules about how they will apply. I think the noble Baroness said that it would be right and proper that a crime committed in one territory is treated within the rules that apply in that territory, but if they are significantly different, we ought at least to understand why that is the case and how that has come about.
As I understand it—I have a note provided by Carnegie UK and it is always pretty accurate about these matters—the Secretary of State can consent to a devolved authority which wants to bring forward a devolved offence and include it in the online safety regime. However, it is not quite clear how that happens. What is a consent? Is it an Order in Council, a regulation, affirmative or negative procedure or primary legislation? We are not told that; we are just told that consent arrangements apply and consent can be given. Normally consents involve legislative authority—in its words, one Parliament speaking to another—and we are all becoming quite aware of the fact that the legislative consent required from Scotland, Northern Ireland or Wales is often not given, yet the UK Parliament continues to make legislation and it applies, so the process works, but obviously it would be much better if the devolved structures were involved and agreed to what was being done. This is different from the normal top-down approach. Where we already have a change in the law or the law is about to be changed in one of the devolved Administrations, how does that become part of the Online Safety Bill regime? I look forward to the Minister’s response. I did not warn him that I was giving him a very difficult question, and he can write if he cannot give the detail today, but we would like to see on the record how this happens.
If we are getting Statements to Parliament from the Secretary of State about provisional changes to the way in which the law applies in the devolved Administrations, are they going to be subject to due process? Will there be engagement with committees? What will happen if a new code is required or a variation in the code is required? Does that require secondary legislation and, if so, will that be done with the consent of the devolved Administration or by this Parliament after a process we are yet to see?
There is a lot here that has not been fleshed out. There are few very easy answers, but it would be useful if we could get that going. I will not go into more detail on the noble Baroness’s point that laws change, but I know that the Law Society of Scotland has briefed that at least one major piece of legislation, the Hate Crime and Public Order (Scotland) Act 2021, does not appear in Schedule 7 as expected. Again, I ask the Minister if he would write to us explaining the background to that.
These are very important issues and they do not often get discussed in the full process of our Bills, so I am glad that the noble Baroness raised them. She cloaked them in what sounded like a very general and modest request, but they reveal quite considerable difficulties behind them.
My Lords, before I talk to the amendments I had intended to address, I will make a very narrow point in support of the noble Baroness, Lady Fraser. About 10 years ago, when I started doing work on children, I approached Ofcom and asked why all its research goes to 24, when childhood finishes at 18 and the UNCRC says that a child needs special consideration. Ofcom said, “Terribly sorry, but this is our inheritance from a marketing background”. The Communications and Digital Committee later wrote formally to Ofcom and asked if it could do its research up to 18 and then from 18 to 24, but it appeared to be absolutely impossible. I regret that I do not know what the current situation is and I hope that, with the noble Lord, Lord Grade, in place it may rapidly change overnight. My point is that the detailed description that the noble Baroness gave the House about why it is important to stipulate this is proven by that tale.
I also associate myself with the remarks of the noble Lord, Lord Allan, who terrified me some 50 minutes ago. I look forward to hearing what will be said.
I in fact rose to speak to government Amendments 196 and 199, and the bunch of amendments on access to data for researchers. I welcome the government amendments to which I added my name. I really am delighted every time the Government inch forward into the area of the transparency of systemic and design matters. The focus of the Bill should always be on the key factor that separates digital media from other forms of media, which is the power to determine, manipulate and orchestrate what a user does next, see how they behave or what they think. That is very different and is unique to the technology we are talking about.
It will not surprise the Minister to hear that I would have liked this amendment to cover the design of systems and processes, and features and functionalities that are not related to content. Rather than labouring this point, on this occasion I will just draw the Minister’s attention to an article published over the weekend by Professor Henrietta Bowden-Jones, the UK’s foremost expert on gambling and gaming addiction. She equates the systems and processes involved in priming behaviours on social media with the more extreme behaviours that she sees in her addiction clinics, with ever younger children. Professor Bowden-Jones is the spokesperson on behavioural addictions for the Royal College of Psychiatrists, and the House ignores her experience of the loops of reward and compulsion that manipulate behaviour, particularly the behaviour of children, at our peril.
I commend the noble Lord, Lord Bethell, for continuing to press the research issue and coming back, even in the light of the government amendment, with a little more. Access to good data about the operation of social media is vital in holding regulated companies to account, tracking the extent of harms, building an understanding of them and, importantly, building knowledge about how they might be sensibly and effectively addressed.
My concern here is that, when making a concession, the Government most often reach for a review at some time in the future. In the case of research, the future is too late. We are at an inflection point right now, at which digital tech may or may not overwhelm our job market and our understanding of what is real and what is not. It has the potential for societal and technological change that is both beneficial and harmful, but at such a scale that it will certainly transform society as we understand it before 18 months or two years—the point at which the review is triggered and then takes place.
I feel passionately that, in the context of where we are now and the game of catch-up we have been playing for the last couple of decades, it should not be left to the companies to decide what is or is not in the public arena. As a minimum, independent research would allow the regulator to better understand the operation of social media platforms. More broadly, it would keep our universities on a level playing field—as a number of noble Lords have commented—and, maybe most importantly, ensure that the regulator, academia and civil society have a seat at the table of the future of tech.
For that reason, I again ask the Government, as a minimum, to accept the shorter date that was proposed or perhaps to think again before Third Reading.
My Lords, I associate myself with my noble friend Lady Fraser of Craigmaddie’s incredibly well-made points. I learned a long time ago that, when people speak very softly and say they have a very small point to make, they are often about to deliver a zinger. She really did; it was hugely powerful. I will say no more than that I wholeheartedly agree with her; thank you for helping us to understand the issue properly.
I will speak in more detail about access to data for researchers and in support of my noble friend Lord Bethell’s amendments. I too am extremely grateful to the Minister for bringing forward all the government amendments; the direction of travel is encouraging. I am particularly pleased to see the movement from “may” to “must”, but I am worried that it is Ofcom’s rather than the regulated services’ “may” that moves to “must”. There is no backstop for recalcitrant regulated services that refuse to abide by Ofcom’s guidance. As the noble Baroness, Lady Kidron, said, in other areas of the Bill we have quite reasonably resorted to launching a review, requiring Ofcom to publish its results, requiring the Secretary of State to review the recommendations and then giving the Secretary of State backstop powers, if necessary, to implement regulations that would then require regulated companies to change.
I have a simple question for the Minister: why are we not following the same recipe here? Why does this differ from the other issues, on which the House agrees that there is more work to be done? Why are we not putting backstop powers into the Bill for this specific issue, when it is clear to all of us that it is highly likely that there will be said recalcitrant regulated firms that are not willing to grant access to their data for researchers?
Before my noble friend the Minister leaps to the hint he gave in his opening remarks—that this should all be picked up in the Data Protection and Digital Information Bill—unlike the group we have just discussed, this issue was discussed at Second Reading and given a really detailed airing in Committee. This is not new news, in the same way that other issues where we have adopted the same recipe that includes a backstop are being dealt with in the Bill. I urge my noble friend the Minister to follow the good progress so far and to complete the package, as we have in other areas.
My Lords, it is valuable to be able to speak immediately after my noble friend Lady Harding of Winscombe, because it gives me an opportunity to address some remarks she made last Wednesday when we were considering the Bill on Report. She suggested that there was a fundamental disagreement between us about our view of how serious online safety is—the suggestion being that somehow I did not think it was terribly important. I take this opportunity to rebut that and to add to it by saying that other things are also important. One of those things is privacy. We have not discussed privacy in relation to the Bill quite as much as we have freedom of expression, but it is tremendously important too.
Government Amendment 247A represents the most astonishing level of intrusion. In fact, I find it very hard to see how the Government think they can get away with saying that it is compatible with the provisions of the European Convention on Human Rights, which we incorporated into law some 20 years ago, thus creating a whole law of privacy that is now vindicated in the courts. It is not enough just to go around saying that it is “proportionate and necessary” as a mantra; it has to be true.
This provision says that an agency has the right to go into a private business with no warrant, and with no let or hindrance, and is able to look at its processes, data and equipment at will. I know of no other business that can be subjected to that without a warrant or some legal process in advance pertinent to that instance, that case or that business.
My noble friend Lord Bethell said that the internet has been abused by people who carry out evil things; he mentioned terrorism, for example, and he could have mentioned others. However, take mobile telephones and Royal Mail—these are also abused by people conducting terrorism, but we do not allow those communications to be intruded into without some sort of warrant or process. It does not seem to me that the fact that the systems can be abused is sufficient to justify what is being proposed.
My noble friend the Minister says that this can happen only offline. Frankly, I did not understand what he meant by that. In fact, I was going to say that I disagreed with him, but I am moving to the point of saying that I think it is almost meaningless to say that it is going to happen offline. He might be able to explain that. He also said that Ofcom will not see individual traffic. However, neither the point about being offline nor the point about not seeing individual traffic is on the face of the Bill.
When we ask ourselves what the purpose of this astonishing power is—this was referred to obliquely to some extent by the noble Baroness, Lady Fox of Buckley—we can find it in Clause 91(1), to which proposed new subsection (2A) is being added or squeezed in subordinate to it. Clause 91(1) talks about
“any information that they”— that is, Ofcom—
“require for the purpose of exercising, or deciding whether to exercise, any of their online safety functions”.
The power could be used entirely as a fishing expedition. It could be entirely for the purpose of educating Ofcom as to what it should be doing. There is nothing here to say that it can have these powers of intrusion only if it suspects that there is criminality, a breach of the codes of conduct or any other offence. It is a fishing expedition, entirely for the purpose of
“exercising, or deciding whether to exercise”.
Those are the intrusions imposed upon companies. In some ways, I am less concerned about the companies than I am about what I am going to come to next: the intrusion on the privacy of individuals and users. If we sat back and listened to ourselves and what we are saying, could we explain to ordinary people—we are going to come to this when we discuss end-to-end encryption—what exactly can happen?
Two very significant breaches of the protections in place for privacy on the internet arise from what is proposed. First, if you allow someone into a system and into equipment, especially from outside, you increase the risk and the possibility that a further, probably more hostile party that is sufficiently well-equipped with resources—we know state actors with evil intent which are so equipped—can get in through that or similar holes. The privacy of the system itself would be structurally weakened as a result of doing this. Secondly, if Ofcom is able to see what is going on, the system becomes leaky in the direction of Ofcom. It can come into possession of information, some of which could be of an individual character. My noble friend says that it will not be allowed to release any data and that all sorts of protections are in place. We know that, and I fully accept the honesty and integrity of Ofcom as an institution and of its staff. However, we also know that things get leaked and escape. As a result of this provision, very large holes are being built into the protections of privacy that exist, yet there has been no reference at all to privacy in the remarks made so far by my noble friend.
I finish by saying that we are racing ahead and not thinking. Good Lord, my modest amendment in the last group to bring a well-established piece of legislation—the Consumer Rights Act—to bear upon this Bill was challenged on the grounds that there had not been an impact assessment. Where is the impact assessment for this? Where is even the smell test for this in relation to explaining it to the public? If my noble friend is able to expatiate at the end on the implications for privacy and attempt to give us some assurance, that would be some consolation. I doubt that he is going to give way and do the right thing and withdraw this amendment.
My Lords, the debate so far has been—in the words of the noble Baroness, Lady Fox—a Committee debate. That is partly because this set of amendments from the Government has come quite late. If they had been tabled in Committee, I think we would have had a more expansive debate on this issue and could have knocked it about a bit and come back to it on Report. The timing is regrettable in all of this.
That said, the Government have tabled some extremely important amendments, particularly Amendments 196 and 198, which deal with things such as algorithms and functionalities. I very much welcome those important amendments, as I know the noble Baroness, Lady Kidron, did.
I also very much support Amendments 270 and 272 in the name of the noble Baroness, Lady Fraser. I hope the Minister, having been pre-primed, has all the answers to them. It is astonishing that, after all these years, we are so unattuned to the issues of the devolved Administrations and that we are still not in the mindset on things such as research. We are not sufficiently granular, as has been explained—let alone all the other questions that the noble Lord, Lord Stevenson, asked. I hope the Minister can unpack some of that as well.
I want to express some gratitude, too, because the Minister and his officials took the trouble to give us a briefing about remote access issues, alongside Ofcom. Ofcom also sent through its note on algorithmic assessment powers, so an effort has been made to explain some of these powers. Indeed, I can see the practical importance, as explained to us. It is partly the lateness, however, that sets off what my noble friend Lord Allan called “trigger words” and concerns about the remote access provisions. Indeed, I think we have a living and breathing demonstration of the impact of triggers on the noble Lord, Lord Moylan, because these are indeed issues that concern those outside the House to quite a large degree.
I really think the Minister will have to take us through the safeguards again, and there are some he has already mentioned: the limits to the information that can be viewed, and the fact that this is done offline in operation but is limited to functionalities rather than content. He did mention that it was privacy-protecting, that it was justifiable only where proportionate, that the fact that Ofcom is accessing remotely can be made public, that it is challengeable, and that Ofcom cannot disclose information obtained. These are non-trivial powers which require a non-trivial response and a great deal more explanation, particularly, as my noble friend said, on how they differ from those in the Investigatory Powers Act; otherwise, I think concerns will continue. That is the reason for my noble friend’s Amendment 247B, which attempts to place further safeguards.
Amendments 237ZA, 272AB and 262AA, tabled by the noble Lord, Lord Bethell, and spoken to by the noble Baronesses, Lady Harding and Lady Kidron, and the noble Lord, Lord Stevenson, are really important. Of course, we welcome the tweak to Clause 148 that the Minister has introduced today but, as all noble Lords have said, this does not take us far enough. At the risk of boring the House to death, as usual, I will refer to the original Joint Committee report again. We keep returning to this because it does set out a great deal of sense.
There are three areas I want to mention. The Joint Committee said at the time:
“We heard from Dr Amy Orben, College Research Fellow at Emmanuel College, University of Cambridge, that lack of access to data is ‘making it impossible for good quality and independent scientific studies to be completed on topics such as online harms, mental health, or misinformation’”.
In another paragraph, the report says:
“We heard there is evidence that social media usage can cause psychological harm to children, but that platforms prevent research in this area from being conducted or circulated”.
Then we actually heard from Meta. It said:
“One of the things that is a particular challenge in the area of research is how we can provide academics who are doing independent research with access to data really to study these things more deeply”.
On all sides, there is a need for teeth when it comes to access for independent researchers.
Our recommendation was very clear; it was not just a recommendation that this should be reviewed but that there should be these powers. Obviously, the Minister has agreed to a compromise, in terms of a report on access, but he really should go further and have default powers, so that the Government can institute the access that is required for researchers, as a result of that report. So far, with the amendments today, the Minister is not strengthening the Bill, because there is no way for Ofcom to compel compliance with the guidance or any incentive for companies to comply with any guidance that is produced.
I very much hope that the Minister will take on board what the noble Lord, Lord Bethell, had to say, in a very eloquent way. If he cannot do it here and now on Report, I very much hope that he will come back with a proposal at Third Reading. As the noble Baroness, Lady Harding, said, we have done this in virtually every other case where there is a report. As we have seen, the Minister has agreed to have a review or a report, and then the backstop powers are in place. That is not the case with this, and it should be.
My Lords, I just want to reinforce what my noble friend Lord Bethell said about the amendments to which I have also put my name: Amendments 237ZA, 266AA and 272E. I was originally of the view that it was enough to give Ofcom the powers to enforce its own rulings. I have been persuaded that, pace my noble friend Lord Grade, the powers that have been given to Ofcom represent such a huge expansion that the likelihood of the regulator doing anything other than those things which it is obliged to do is rather remote. So I come to the conclusion that an obligation is the right way to put these things. I also agree with what has been said about the need to ensure that subsequent action is taken, in relation to a regulated service if it does not follow what Ofcom has set out.
I will also say a word about researchers. They are a resource that already exists. Indeed, there has been quite a lot of pushing, not least by me, on using this resource, first, to update the powers of the Computer Misuse Act, but also to enlarge our understanding of and ability to have information about the operation of online services. So this is a welcome move on the part of the Government, that they see the value of researchers in this context.
My noble friend Lord Moylan made a good point that the terms under which this function is exercised have to have regard to privacy as well as to transparency of operations. This is probably one of the reasons why we have not seen movement on this issue in the Computer Misuse Act and its updating, because it is intrinsically quite a difficult issue. But I believe that it has to be tackled, and I hope very much that the Government will not delay in bringing forward the necessary legislation that will ensure both that researchers are protected in the exercise of this function, which has been one of the issues, and that they are enabled to do something worth while. So I believe the Minister when he says that the Government may need to bring forward extra legislation on this; it is almost certainly the case. I hope very much that there will not be a great gap, so that we do not see this part of the proposals not coming into effect.
My Lords, we have had an important debate on a range of amendments to the Bill. There are some very important and good ones, to which I would say: “Better late than never”. I probably would not say that to Amendment 247A; I would maybe say “better never”, but we will come on to that. It is interesting that some of this has come to light following the debate on and scrutiny of the Digital Markets, Competition and Consumers Bill in another place. That might reinforce the need for post-legislative review of how this Bill, the competition Bill and the data Bill are working together in practice. Maybe we will need another Joint Committee, which will please the noble Lord, Lord Clement-Jones, no end.
There are many government amendments. The terms of service and takedown policy ones have been signed by my noble friend Lord Stevenson, and we support them. There are amendments on requiring information on algorithms in transparency reports; requiring search to put into transparency reports; how policies on illegal content and content that is harmful for children were arrived at; information about search algorithms; and physical access in an audit to view the operations of algorithms and other systems. Like the noble Baroness, Lady Kidron, I very much welcome, in this section anyway, that focus on systems, algorithms and process rather than solely on content.
However, Amendment 247A is problematic in respect of the trigger words, as the noble Lord, Lord Allan, referred to, of remote access and requiring a demonstration gathering real-time data. That raises a number of, as he said, non-trivial questions. I shall relay what some service providers have been saying to me. The Bill already provides Ofcom with equivalent powers under Schedule 12—such as rights of entry and inspection and extensive auditing powers—that could require them to operate any equipment or algorithms to produce information for Ofcom and/or allow Ofcom to observe the functioning of the regulated service. Crucially, safeguards are built into the provisions in Schedule 12 to ensure that Ofcom exercises them only in circumstances where the service provider is thought to be in breach of its duties and/or under a warrant, which has to have judicial approval, yet there appear to be no equivalent safeguards in relation to this power. I wonder whether, as it has come relatively late, that is an oversight that the Minister might want to address at Third Reading.
The policy intent, as I understand it, is to give Ofcom remote access to algorithms to ensure that service providers located out of the jurisdiction are not out of scope of Ofcom’s powers. Could that have been achieved by small drafting amendments to Schedule 12? In that case, the whole set of safeguards that we are concerned about would be in place because, so to speak, they would be in the right place. As drafted, the amendment appears to be an extension of Ofcom’s information-gathering powers that can be exercised as a first step against a service provider or access facility without any evidence that the service is in breach of its obligations or that any kind of enforcement action is necessary, which would be disproportionate and oppressive.
Given the weight of industry concern about the proportionality of these powers and their late addition, I urge the Minister to look at the addition of further safeguards around the use of these powers in the Bill and further clarification on the scope of the amendment as a power of escalation, including that it should be exercised as a measure of last resort, and only in circumstances where a service provider has not complied with its duty under the Bill or where the service provider has refused to comply with a prior information notice.
Amendment 247B is welcome because it gives the Minister the opportunity to tell us now that he wants to reflect on all this before Third Reading, work with us and, if necessary, come back with a tightening of the language and a resolution of these issues. I know his motivation is not to cause a problem late on in the Bill but he has a problem, and if he could reflect on it and come back at Third Reading then that would be helpful.
I welcome the amendments tabled by the noble Lord, Lord Bethell, on researcher access. This is another area where he has gone to great efforts to engage across the House with concerned parties, and we are grateful to him for doing so. Independent research is vital for us to understand how this new regime that we are creating is working. As he says, it is a UK strength, and we should play to that strength and not let it slip away inadvertently. We will not get the regime right first time, and we should not trust the platforms to tell us. We need access to independent researchers, and the amendments strike a good balance.
We look forward to the Minister deploying his listening ear, particularly to what the noble Baroness, Lady Harding, had to say on backstop powers. When he said in his opening speech that he would reflect, is he keeping open the option of reflecting and coming back at Third Reading, or is he reflecting only on the possibility of coming back in other legislation?
The noble Baroness, Lady Fraser, raised an important issue for the UK regulator, ensuring that it is listening to potential differences in public opinion in the four nations of our union and, similarly, analysing transparency reports. As she says, this is not about reserved matters but about respecting the individual nations and listening to their different voices. It may well be written into the work of Ofcom by design but we cannot assume that. We look forward to the Minister’s response, including on the questions from my noble friend on the consent process for the devolved Administrations to add offences to the regime.
My Lords, I am grateful to noble Lords for their contributions in this group. On the point made by the noble Lord, Lord Knight of Weymouth, on why we are bringing in some of these powers now, I say that the power to direct and observe algorithms was previously implicit within Ofcom’s information powers and, where a provider has UK premises, under powers of entry, inspection and audit under Schedule 12. However, the Digital Markets, Competition and Consumers Bill, which is set to confer similar powers on the Competition and Markets Authority and its digital markets unit, makes these powers explicit. We wanted to ensure that there was no ambiguity over whether Ofcom had equivalent powers in the light of that. Furthermore, the changes we are making ensure that Ofcom can direct and observe algorithmic assessments even if a provider does not have relevant premises or equipment in the UK.
I am grateful to the noble Lord, Lord Allan of Hallam, for inviting me to re-emphasise points and allay the concerns that have been triggered, as his noble friend Lord Clement-Jones put it. I am happy to set out again a bit of what I said in opening this debate. The powers will be subject to a number of safeguards. First, they are limited to “viewing information”. They can be used only where they are proportionate in the exercise of Ofcom’s functions, and a provider would have the right to bring a legal challenge against Ofcom if it considered that a particular exercise of the power was done unlawfully. Furthermore, Ofcom will be under a legal obligation to ensure that the information gathered from services is protected from disclosure, unless clearly defined exemptions apply.
These are not secret powers, as the noble Lord rightly noted. The Bill contains no restriction on services making the existence and detail of the information notice public. If a regulated service wished to challenge an information notice served to it by Ofcom, it would be able to do so through judicial review. I also mentioned the recourse that people have through existing legislation, such as the Freedom of Information Act, to give them safeguards, noting that, under Section 393 of the Communications Act, Ofcom will not be able to disclose information that it has obtained through its exercise of these powers without the provider’s consent unless that is permitted for specific, defined purposes.
The noble Lord’s Amendment 247B seeks to place further safeguards on Ofcom’s use of its new power to access providers’ systems remotely to observe tests. While I largely agree with the intention behind it, there are already a number of safeguards in place for the use of that power, including in relation to data protection, legally privileged material and the disclosure of information, as I have outlined. Ofcom will not be able to gain remote access simply for exploratory or fishing purposes, and indeed Ofcom expects to have conversations with services about how to provide the information requested.
Furthermore, before exercising the power, Ofcom will be required to issue an information notice specifying the information to be provided, setting out the parameters of access and why Ofcom requires the information, among other things. Following the receipt of an information notice, a notice requiring an inspection or an audit notice, if a company has identified that there is an obvious security risk in Ofcom exercising the power as set out in the notice, it may not be proportionate to do so. As set out in Ofcom’s duties, Ofcom must have regard to the principles under which regulatory activities should be proportionate and targeted only at cases where action is needed.
In line with current practice, we anticipate Ofcom will issue information notice requests in draft form to identify and address any issues, including in relation to security, before the information notice is issued formally. Ofcom will have a legal duty to exercise its remote access powers in a way that is proportionate, ensuring that undue burdens are not placed on businesses. In assessing proportionality in line with this requirement, Ofcom would need to consider the size and resource capacity of a service when choosing the most appropriate way of gathering information, and whether there was a less onerous method of obtaining the necessary information to ensure that the use of this power is proportionate. As I said, the remote access power is limited to “viewing information”. Under this power, Ofcom will be unable to interfere or access the service for any other purpose.
In practice, Ofcom will work with services during the process. It is required to specify, among other things, the information to be provided, which will set the parameters of its access, and why it requires the information, which will explain the link between the information it seeks and the online safety function that it is exercising or deciding whether to exercise.
As noble Lords know, Ofcom must comply with the UK’s data protection law. As we have discussed in relation to other issues, it is required to act compatibly with the European Convention on Human Rights, including Article 8 privacy rights. In addition, under Clause 91(7), Ofcom is explicitly prohibited from requiring the provision of legally privileged information. It will also be under a legal obligation to ensure that the information gathered from services is protected from disclosure unless clearly defined exemptions apply, such as those under Section 393(2) of the Communications Act 2003—for example, the carrying out of any of Ofcom’s functions. I hope that provides reassurance to the noble Lord, Lord Allan, and the noble Baroness, Lady Fox, who raised these questions.
I am grateful to the Minister. That was helpful, particularly the description of the process and the fact that drafts have to be issued early on. However, it still leaves open a couple of questions, one of which was very helpfully raised by the noble Lord, Lord Knight. We have in Schedule 12 this other set of protections that could be applied. There is a genuine question as to why this has been put in this place and not there.
The second question is to dig a little more into the question of what happens when there is a dispute. The noble Lord, Lord Moylan, pointed out that if you have created a backdoor then you have created a backdoor, and it is dangerous. If we end up in a situation where a company believes that what it is being asked to do by Ofcom is fundamentally problematic and would create a security risk, it will not be good enough to open up the backdoor and then have a judicial review. It needs to be able to say no at that stage, yet the Bill says that it could be committing a serious criminal offence by failing to comply with an information notice. We want some more assurances, in some form, about what would happen in a scenario where a company genuinely and sincerely believes that what Ofcom is asking for is inappropriate and/or dangerous and it wants not to have to offer it unless and until its challenge has been looked at, rather than having to offer it and then later judicially review a decision. The damage would already have been done by opening up an inappropriate backdoor.
A provider would have a right to bring a legal challenge against Ofcom if it considered that a particular exercise of the remote access power was unlawful. I am sure that would be looked at swiftly, but I will write to the noble Lord on the anticipated timelines while that judicial review was pending. Given the serious nature of the issues under consideration, I am sure that would be looked at swiftly. I will write further on that.
Before the Minister sits down, to quote the way the Minister has operated throughout Report, there is consensus across the House that there are some concerns. The reason why there are concerns outside and inside the House on this particular amendment is that it is not entirely clear that those protections exist, and there are worries. I ask the Minister whether, rather than just writing, it would be possible to take this back to the department, table a late amendment and say, “Look again”. That has been done before. It is certainly not too late: if it was not too late to have this amendment then it is certainly not too late to take it away again and to adopt another amendment that gives some safeguarding. Seriously, it is worth looking again.
I had not quite finished; the noble Baroness was quick to catch me before I sat down. I still have some way to go, but I will certainly take on board all the points that have been made on this group.
The noble Lord, Lord Knight, asked about Schedule 12. I will happily write with further information on that, but Schedule 12 is about UK premises, so it is probably not the appropriate place to deal with this, as we need to be able to access services in other countries. If there is a serious security risk then it would not necessarily be proportionate. I will write to him with further details.
I am grateful to the Minister for giving way so quickly. I think the House is asking him to indicate now that he will go away and look at this issue, perhaps with some of us, and that, if necessary, he would be willing to look at coming back with something at Third Reading. From my understanding of the Companion, I think he needs to say words to that effect to allow him to do so, if that is what he subsequently wants to do at Third Reading.
I am very happy to discuss this further with noble Lords, but I will reserve the right, pending that discussion, to decide whether we need to return to this at Third Reading.
Amendments 270 and 272, tabled by my noble friend Lady Fraser of Craigmaddie, to whom I am very grateful for her careful scrutiny of the devolved aspects of the Bill, seek to require Ofcom to include separate analyses of users’ online experiences in England, Wales, Scotland and Northern Ireland in the research about users’ experiences of regulated services and in Ofcom’s transparency reports. While I am sympathetic to her intention—we have corresponded on it, for which I am grateful—it is important that Ofcom has and retains the discretion to prioritise information requests that will best shed light on the experience of users across the UK.
My noble friend and other noble Lords should be reassured that Ofcom has a strong track record of using this discretion to produce data which are representative of people across the whole United Kingdom. Ofcom is committed to reflecting the online experiences of users across the UK and intends, wherever possible, to publish data at a national level. When conducting research, Ofcom seeks to gather views from a representative sample of the United Kingdom and seeks to set quotas that ensure an analysable sample within each of the home nations.
It is also worth noting the provisions in the Communications Act 2003 that require Ofcom to operate offices in each of the nations of the UK, to maintain advisory committees for each, and to ensure their representation on its various boards and panels—and, indeed, on the point raised by the noble Baroness, Lady Kidron, to capture the experiences of children and users of all ages. While we must give Ofcom the discretion it needs to ensure that the framework is flexible and remains future-proofed, I hope that I have reassured my noble friend that her point will indeed be captured, reported on and be able to be scrutinised, not just in this House but across the UK.
I am grateful to the Minister for giving way. My premise is that the reason Ofcom reports in a nation-specific way in broadcasting and in communications is because there is a high-level reference in both the Communications Act 2003 and the BBC charter that requires it to do so, because it feeds down into national quotas and so on. There is currently nothing of that equivalence in the Online Safety Bill. Therefore, we are relying on Ofcom’s discretion, whereas in the broadcasting and communications area we have a high-level reference to insisting that there is a breakdown by nation.
We think we can rely on Ofcom’s discretion, and point to its current practice. I hope that will reassure my noble friend that it will set out the information she seeks.
I would be grateful if the Minister could repeat that immediately afterwards, when I will listen much harder.
Just to echo what the noble Baroness was saying, may we take it as an expectation that approaches that are signalled in legislation for broadcasting and communications should apply pari passu to the work of Ofcom in relation to the devolved Administrations?
Yes, and we can point to the current actions of Ofcom to show that it is indeed doing this already, even without that legislative stick.
I turn to the amendments in the name of my noble friend Lord Bethell and the noble Lord, Lord Clement-Jones, on researchers’ access to data. Amendment 237ZA would confer on the Secretary of State a power to make provisions about access to information by researchers. As my noble friend knows, we are sympathetic to the importance of this issue, which is why we have tabled our own amendments in relation to it. However, as my noble friend also knows, in such a complex and sensitive area that we think it is premature to endow the Secretary of State with such broad powers to introduce a new framework. As we touched on in Committee, this is a complex and still nascent area, which is why it is different from the other areas to which the noble Lord, Lord Clement-Jones, pointed in his contribution.
The noble Baroness, Lady Harding, made the point that in other areas where the Minister has agreed to reviews or reports, there are backstop powers; for instance, on app stores. Of course, that was a negotiated settlement, so to speak, but why can the Minister not accede to that in the case of access for researchers, as he has with app stores? Indeed, there is one other example that escapes me, which the Minister has also agreed to.
We touched on the complexity of defining who and what is a researcher and making sure that we do not give rise to bad actors exploiting that. This is a complex area, as we touched on in Committee. As I say, the evidence base here is nascent. It is important first to focus on developing our understanding of the issues to ensure that any power or legislation is fit to address those challenges. Ofcom’s report will not only highlight how platforms can share data with researchers safely but will provide the evidence base for considering any future policy approaches, which we have committed to doing but which I think the noble Lord will agree are worthy of further debate and reflection in Parliament.
The benefit of having a period of time between the last day of Report on Wednesday and Third Reading is that that gives the Minister, the Bill team and parliamentary counsel the time to reflect on the kind of power that could be devised. The wording could be devised, and I would have thought that six weeks would be quite adequate for that, perhaps in a general way. After all, this is not a power that is immediately going to be used; it is a general power that could be brought into effect by regulation. Surely it is not beyond the wit to devise something suitable.
We do not think that six weeks is enough time for the evidence base to develop sufficiently, our assessment being that to endow the Secretary of State with that power at this point is premature.
Amendment 262AA would require Ofcom to consider whether it is appropriate to require providers to take steps to comply with Ofcom’s researcher access guidance when including a requirement to take steps in a confirmation decision. This would be inappropriate because the researcher access provisions are not enforceable requirements; as such, compliance with them should not be subject to enforcement by the regulator. Furthermore, enforcement action may relate to a wide variety of very important issues, and the steps needed should be sufficient to address a failure to comply with an enforceable requirement. Singling out compliance with researcher access guidance alone risks implying that this will be adequate to address core failures.
Amendment 272AB would require Ofcom to give consideration to whether greater access to data could be achieved through legal requirements or incentives for regulated services. I reassure noble Lords that the scope of Ofcom’s report will already cover how greater access to data could be achieved, including through enforceable requirements on providers.
Amendment 272E would require Ofcom to take a provider’s compliance with Ofcom’s guidance on researcher access to data into account when assessing risks from regulated services and determining whether to take enforcement action and what enforcement action to take. However, we do not believe that this is a relevant factor for consideration of these issues. I hope noble Lords will agree that whether or not a company has enabled researcher access to its data should not be a mitigating factor against Ofcom requiring companies to deal with terrorism or child sexual exploitation or abuse content, for example.
On my noble friend Lord Bethell’s remaining Amendments 272BA, 273A and 273B, the first of these would require Ofcom to publish its report on researchers’ access to information within six months. While six months would not be deliverable given other priorities and the complexity of this issue, the government amendment to which I have spoken would reduce the timelines from two years to 18 months. That recognises the importance of the issue while ensuring that Ofcom can deliver the key priorities in establishing the core parts of the regulatory framework; for example, the illegal content and child safety duties.
Just on the timescale, one of the issues that we talked about in Committee was the fact that there needs to be some kind of mechanism created, with a code of practice with reference to data protection law and an approving body to approve researchers as suitable to take information; the noble Baroness, Lady Kidron, referred to the DSA process, which the European Union has been working on. I hope the Minister can confirm that Ofcom might get moving on establishing that. It is not dependent on there being a report in 18 months; in fact, you need to have it in place when you report in 18 months, which means you need to start building it now. I hope the Minister would want Ofcom, within its existing framework, to be encouraging the creation of that researcher approval body and code of practice, not waiting to start that process in 18 months’ time.
I will continue my train of thought on my noble friend’s amendments, which I hope will cover that and more.
My noble friend’s Amendment 273A would allow Ofcom to appoint approved independent researchers to access information. Again, given the nascent evidence base here, it is important to focus on understanding these issues before we commit to a researcher access framework.
Under the skilled persons provisions, Ofcom will already have the powers to appoint a skilled person to assess compliance with the regulatory framework; that includes the ability to leverage the expertise of independent researchers. My noble friend’s Amendment 273B would require Ofcom to produce a code of practice on access to data by researchers. The government amendments I spoke to earlier will require Ofcom to produce guidance on that issue, which will help to promote information sharing in a safe and secure way.
To the question asked by the noble Lord, Lord Allan: yes, Ofcom can start the process and do it quickly. The question here is really about the timeframe in which it does so. As I said in opening, we understand the calls for further action in this area.
I am happy to say to my noble friend Lord Bethell, to whom we are grateful for his work on this and the conversations we have had, that we will explore the issue further and report back on whether further measures to support researchers’ access to data are required and, if so, whether they can be implemented through other legislation, such as the Data Protection and Digital Information (No.2) Bill.
Before the Minister sits down—he has been extremely generous in taking interventions—I want to put on record my understanding of his slightly ambiguous response to Amendment 247A, so that he can correct it if I have got it wrong. My understanding is that he has agreed to go away and reflect on the amendment and that he will have discussions with us about it. Only if he then believes that it is helpful to bring forward an amendment at Third Reading will he do so.
Yes, but I do not want to raise the hopes of the noble Lord or others, with whom I look forward to discussing this matter. I must manage their expectations about whether we will bring anything forward. With that, I beg to move.
Amendment 187 agreed.
Amendment 188 not moved.
Clause 67: Interpretation of this Chapter