Select Committee on Communications and Digital
Corrected oral evidence: Freedom of expression online
Tuesday 19 January 2021
4 pm
Members present: Lord Gilbert of Panteg (The Chair); Lord Allen of Kensington; Baroness Bull; Baroness Buscombe; Viscount Colville of Culross; Baroness Grender; Lord McInnes of Kilwinning; Baroness McIntosh of Hudnall; Baroness Quin; Baroness Rebuck; Lord Storey; Lord Vaizey of Didcot; The Lord Bishop of Worcester.
Evidence Session No. 6 Virtual Proceeding Questions 56 - 64
Witnesses
I: Dr David Erdos, Senior Lecturer in Law and the Open Society, University of Cambridge; Dr Edina Harbinja, Senior Lecturer in Media and Privacy Law, Aston University.
USE OF THE TRANSCRIPT
This is a corrected transcript of evidence taken in public and webcast on www.parliamentlive.tv.
17
Dr Erdos and Dr Harbinja.
Q56 The Chair: We will move on to our next witnesses, Dr David Erdos and Dr Edina Harbinja, who are two academics practising in relevant human rights fields. Dr Erdos is deputy director of the Centre for Intellectual Property and Information Law and a university senior lecturer in law and open society at Trinity Hall in Cambridge. Dr Harbinja is a senior lecturer in media and privacy law. Her principal areas of research and teaching are in relation to legal issues surrounding the internet and emerging technologies. I am sure there will be some very thoughtful contributions, which will also perhaps help us to dive into some of the technical and legal aspects of the questions we have been discussing.
Dr Erdos and Dr Harbinja, thank you very much indeed for joining us. The session will be broadcast online and a transcript will be taken. It is good of you to give up your time to be with us this afternoon. Can I ask you to say a very brief word of introduction each, to elaborate on the introduction I have given, make any points you would like to and give your overview of your perspective on the issue we are looking at, which is the right to freedom of expression online?
Dr Harbinja: Thank you very much, Lord Gilbert and the Committee, for the invitation. I feel privileged to be able to share my views on the topic with you today. As you have kindly said, I am a senior lecturer in media and privacy law at Aston University in Birmingham. I have been working in the area of technology law and regulation broadly for the past seven years as an academic and before that as a PhD student. My work also involves a lot of policy work. For example, I am on an advisory board of the Open Rights Group, which you have probably been working with a lot so far. I am also on the executive committee of the academic association BILETA, the British and Irish Law Education and Technology Association.
Within these two organisations, I have had an opportunity to lead some of the submissions, such as in the online harms consultations in the UK and the Digital Services Act consultations at the EU level. I am highly interested in what you are thinking and talking about, not just from the privacy and data protection perspective, which is my primary area of research, but also digital rights more generally and freedom of expression. I have also recently written a paper on online harms and the Government’s proposal with my colleague from the University of Leiden, Dr Mark Leiser, where we discuss and criticise the Government’s initial proposal, not the response that came late in December. I look forward to talking to you about this in more detail and answering your questions.
The Chair: We look forward to your evidence very much.
Dr Erdos: It is a great pleasure to be with you. As has already been said, I am an academic at the University of Cambridge. I am also deputy director of the Centre for Intellectual Property and Information Law, which is a centre within the Faculty of Law at Cambridge. My main area is data protection and personal information, including privacy but also issues like reputation, fairness, dignity online and internet regulation more generally.
I was asked to say a few things about the scope of the inquiry and some headline ideas. Broadly, online has been a great enabler of freedom of expression, but expressive activities have to be both free and responsible. Much expression and expressive activities have emerged in a context of irresponsibility, promoting many harms to individuals—privacy, data protection, reputation, piling on and criminal activity—and harms to society at large; we think of criminal activity, child abuse and terrorism. These harms to individuals and society overlap.
That lack of clear lines of responsibility has also led to an unclear and unstable position for different actors. We have seen that in the past few weeks in the debate about the different actors, users of platforms and platforms themselves, have. All our activities are subject to terms and conditions on platforms, which have been described, in their implementation, as lawless. That might go a bit far, but nevertheless there is a real issue there. It is quite difficult to work out who is responsible for what, for further processing activities, like enabling search, enabling that sort of piling on. No one individual can be responsible for that; maybe the platform is responsible to some extent. All this is taking place in a context of systemic and increasing surveillance, including by the private sector.
We need liberal but responsible expression to be enabled. Who should be responsible should depend on the nature of the service and the activity. That is incredibly broad but is the starting point for me.
The Chair: If you can nail that in detail, we will be making quite a lot of progress today.
Q57 Baroness Buscombe: I have a very simple question, but it is actually incredibly broad: how does privacy affect the freedom of expression? You have just said that the ideal is liberal but responsible expression. We have also been talking today with Lord Williams about how the genie left the bottle in the early days, the nascent days of online communication. I have just been thinking about the nascent Facebook, which of course was Oxford, Cambridge, Harvard and Yale. That was really not that long ago. Look at where you are today, David, at Cambridge; what a different situation we find ourselves in, where you are thinking about how we can recalibrate the whole issue of privacy. So many celebrated the opportunity for this expanded freedom of expression without thinking about privacy and the dangers that privacy would present. We have all been guilty of saying, “Freedom of expression is fantastic until it affects me and my privacy”. Over to you to respond to this rather broad question.
Dr Erdos: Thank you very much for it; it is a fascinating and critical one. Privacy can undergird certain forms of expression. You think of confidential communications. They are expressive and absolutely depend on a type of privacy. The growth of mass surveillance online, through predictive and manipulative services, including by private actors, is a real issue in terms of freedom of expression.
There is also a very clear conflict between privacy, privacy invasion and protecting personal data more generally, in the sense that people may make scurrilous allegations about others that are completely unfounded; that may spread in a viral way. Misleading things may be published. There are networks that rest, in their commodification of that, on the spread of that data, all without very much responsibility. Freedom of expression can represent an unreasonable intrusion into the protection of personal data in and of itself - when inappropriate material is disseminated or there are very damaging and untrue allegations – and also in the round. I talked about those issues of harassment in a way, but it is to do with the piling on; it is to do with the totalising nature of the online experience. Most of our experiences are now mediated through online. No one person is responsible, as I say, but maybe the platforms need to be more responsible.
Then there is the issue, which has got a lot of traction under the language of the right to be forgotten, of intrusion over time. No one wants to erase history, but, nevertheless, the permanent present, the inability to escape your past because of the way networks operate and the way in which information disseminates itself, is a real challenge to human flourishing. There is that aspect. It is especially challenging, not only because they are new actors in the picture—platforms themselves are in some sense new actors; they sit somewhere between publishers and intermediaries—but because of the growth of the amateur individual involved in all these activities. In a way, more problematic even than that, there is the anonymous amateur individual.
Quickly, to end, there is also an issue over new rationales for the spread of highly impactful freedom of expression. At least in the past, it used to be argued by the actors themselves that that dissemination was in the public interest. It was to serve the public as a collective body, maybe not the whole of society but a significant collective group. That is no longer the case. People are engaging in a lot of expressive activity without even themselves thinking that it necessarily serves some grand public interest. We have new rationales of self-expression pure and simple, and new rationales of the platforms producing services that are, in a sense, privatised services; they are not really trying to say they are for the public benefit, but nevertheless there is the sort of impact we used to only have when at least the person who was engaged in that activity thought it was of public interest.
Baroness Buscombe: Turning to you, Edina, your particular expertise on, for example, privacy of deceased individuals brings into stark reality the subject at hand.
Dr Harbinja: Thanks very much, Baroness Buscombe, for noting my niche area of expertise and something that is almost like my baby—the concept of post-mortem privacy. I will come back to that. I would like to start by agreeing in principle with David but also adding to the issues he has identified. In the jurisprudence of the European Court of Human Rights, privacy and free speech are often on the different sides of the scales. They need to be balanced against each other. In the convention, neither of the rights is more important, so they weigh equally in the convention. In every single case, they would be assessed differently and the limitations assessed according to the principles established in the jurisprudence.
In addition to that, it is not just about the conflict of those two rights. Those two rights also go hand in hand and help and support each other as pillars of democracy. The right to privacy gives us space and time to think, develop and flourish as human beings, and then develop those ideas that we can express on platforms and other different environments. When I am talking and thinking about platforms as a data protection and privacy lawyer, if I can label myself, which I do not really like to do, I do not attach much more weight to privacy and data protection than to freedom of expression. I see them as equally important and I like to argue for both and the umbrella of digital rights and human rights. In different contexts, cases and examples of types of illegal and harmful speech, these two rights will manifest themselves differently. David has given some really useful examples.
There is the example that you have kindly noted about my research and the privacy of the deceased. One could argue that if we, at some time in the future, as I am arguing, provide for the protection of privacy for deceased individuals and their personal data post-mortem for some time, that could interfere with free speech and, in particular, historical records, archives, et cetera. As in the previous example, there would need to be limitations, exceptions and values that this post-mortem privacy would be balanced against as well. I wanted to bring this to the table as well, so that we are not thinking about free speech and privacy as being almost enemies or always being on different sides of the scales.
Baroness Buscombe: Yes, absolutely. That is a point well made. Thank you.
Q58 Lord Allen of Kensington: You made a really good point, but we are trying to understand if the business models engineer a design that threatens users’ privacy and undermines that.
Dr Erdos: I have talked a little bit about how the platforms—or at least search engines, which are not really a platform but which sit in a similar way between an intermediary and also publisher—their business model is about spreading information, being the go-to point for information, maybe allowing expression that should be subject to rather more control. That said, platforms come in very many different shapes and sizes. One should not stretch that too far, because there are some platforms that engage in very significant moderation and controls on the spread of information, which can cause privacy issues, in that publication sort of way.
That said, most have been developed under a very small amount of capital investment for the sorts of activities they are engaged in. At a sheer practical level, that can pose all sorts of challenges for genuine control. That leads to the debate around whether platforms are really upholding what they say they are committed to.
There is another aspect, which is extraordinarily big and slightly separate from that. We live in the free internet, in a way, or at least the freemium internet, where it is not the norm to pay in hard cash for the service. The mining of personal data has, in many respects, become the quasi-currency and quasi-commodity for these platforms and for search engines. Essentially, people’s expressive activity is being turned into a marketable commodity to enable the profiling for prediction and manipulation. It often goes under the name of ad tech, but it is even broader than ad tech and more problematic than mere advertising.
That threatens privacy enormously. It can also threaten freedom of expression, as Edina suggested. If every expressive action you are engaged in is also going to result in commercial commodification and profiling of you, you may think twice about expressing yourself, and yet the other actor is not engaged in genuine expressive activity, except in a highly formalistic way; they are trying to make a profit off your data. Yes, the business model of platforms is hugely intrusive into individuals’ personal data.
Lord Allen of Kensington: Can I push back in terms of what we can do about it? That is their business model. We do not have any controls or morals. What can we do, as a Government or advisory panel?
Dr Erdos: When we were going through the GDPR negotiations—for what it is worth, as an independent person I was on the Ministry of Justice’s data protection advisory panel—I advocated for a slimmed-down version of all the different rules and regulations around sensitive data and consent, but actually enforcing those provisions. We have a whole set of provisions here, particularly on the back-end aspect. The freedom of expression raises huge challenges conceptually, but the on the back-end stuff we have all sorts of rules and regulations around cookie consent, sensitive data consent, legal bases for processing other sorts of data and control rights. They are not being properly implemented and regulated, I am afraid. I am not trying to blame any individuals.
We have had cookie rules, for example, for many years—2002 is the directive. There was a time period of maybe a couple of years where things had to be implemented, but even that means it has been many years. Sensitive data has been around as a concept for decades, in terms of very strict controls. The Open Rights Group is bringing a big case - Edina might want to comment on this - against the Information Commissioner failing to enforce the law relating to real-time bidders. We are talking about billions of requests for data in the UK every week, which the ICO has found, in a whole range of different ways, from sensitive data to the consent for the storage and gathering of information off your devices, do not meet the law, and yet there has been no use of any enforcement powers to change that.
We need to decide whether online is a governable space. The rules should be implementable, but then we must implement them. I am afraid that we have tended to pass a whole load of rules, some of which are not implementable. The bigger issue at a practical level is that we do not implement properly even the rules that are implementable and should be implemented. We seem to have become used to that as a reality.
Lord Allen of Kensington: That is a really good point and we should note that.
Q59 Viscount Colville of Culross: Good afternoon. Thanks very much for coming. David, I am very interested in you saying that we have this privacy law dealing with sensitive data but we do not have the implementation or regulation, and that in some cases it may not be implementable. If we had the law and the implementation of that law, would that be sufficient to protect our data, or do we need to do more than the GDPR, the regulations we have already?
Dr Erdos: It depends on the issues. If you are talking about the issues that the GDPR is principally concerned about—privacy and protecting personal data in and of itself and its processing—we have the framework. When I say it is inappropriate, to the extent it is inappropriate, it is probably mainly not inappropriate for the very large actors, which really should have the systems and capability in place to seriously comply with these provisions. Now we should be focusing a lot more on expecting them to do so. That is not to say that there are not some conceptual challenges in the law, and I spent quite a lot of time looking at some of them.
Consent is required when processing is very intrusive and done for purely commercial reasons. At the moment, it is required for profiling and probably should still be required for true profiling, where you are storing information on a device and taking the information off the device. On many websites, you will find hundreds of these programs are put into your computer simply by going to the homepage. Consent should be a good consent, withdrawable, freely given and properly informed. It should therefore be opt-in to be profiled in this intrusive way, not opt-out.
That is a challenge to the business model that has developed, but it is the law. We need to try to enforce it. If indeed it is utterly incompatible with the business model that we are not prepared to see change, clearly we will need to reform the law and reform people’s expectations. People’s expectations should be based on the broad parameters, at least with the big tech companies, that we have established. It would make quite a difference to people’s perception and reality of surveillance if these provisions were actually enforced.
Viscount Colville of Culross: Edina, what do you think? Is it all about the enforcement and implementation of the regulations we have, or are there extra things we ought to be thinking about?
Dr Harbinja: I agree with what David has said. I would like to add a few more considerations there. In terms of privacy and data protection, because I think that is what you were referring to in your question, we have GDPR and the Data Protection Act 2018 now, post Brexit. The two main objections, in the context of your inquiry as well, would be the consent, which David has mentioned, and its conceptual deficiencies in looking at power imbalances between the platform and the individual. There is the question of whether we could actually ever really consent. Do we have the power? Do we have the right information? There are information asymmetries and all the other problems around consent.
Consent as a concept has been very controversial in the literature, particularly quite recently, related to the problems around manipulation and algorithmic decision-making. Also, article 22 on algorithmic decision-making in GDPR has been quite controversial and unclear. We still face problems with transparency and algorithmic transparency, the black box in algorithms, explainable AI and how law regulates that. That is not just from the perspective of privacy and data protection, but also wider issues around discrimination, manipulation in elections and commercial manipulations, as well as harms—if I use that vague term—to people’s autonomy, dignity and ability to act as a citizen in this online world, where we have this vast power imbalance and manipulations. They are based on the practices not just covered by GDPR and data protection as regulation, but need to be covered broadly with different areas of law. That is something that I will probably conclude later on, when the question is about what I would like to change.
Viscount Colville of Culross: Edina, it is so interesting that you are talking about the difficulties of consent. One of the suggestions that this Committee put forward in a previous report on digital regulation was that there should be maximum privacy and safety settings included in online services by default. Would that not go some way? If that was the default, people would have to opt out of that. That would help considerably with the consent issues, would it not?
Dr Harbinja: That would help and build on the privacy by design and default mechanisms in GDPR that need to be strengthened. It is not just privacy by design and designing those considerations in technology as they develop further in a way that we cannot even foresee at the moment. It is also building in human rights by design, as a lot of colleagues have argued; it is building not just privacy but freedom of expression and other human rights by design into technology, so that we do not do things ex post but rather ex ante, solving in the process of development of the technology.
Viscount Colville of Culross: David, what do you think about that? You have already raised the issue of consent and the idea that one should be able to opt in rather than opt out.
Dr Erdos: For very intrusive and purely commercial back-end processing, yes, but it is not the only necessary control there. There should be protection. The words “data protection” say that. It is about a culture of protection and the controller implementing that as well, including for less intrusive processing. I think Edina and I are agreeing on most of that.
On a broader culture, or even legal duty, of human rights by design, that is why I said that, if you are looking at the four corners of what the GDPR is trying to do, it may be what we should generally work with with big tech, but there are other considerations. If you look at, say, an obligation on platforms to safeguard freedom of expression, for the big, oligopolistic platforms that may now be necessary, but it would be a very new development. We have generally said that, if you own private property, you have the right, in principle, to decide who you allow and facilitate the expression of and who you do not want to facilitate the expression of. People can go elsewhere if you exclude them, whereas, if you are implicated in a direct tortious harm to somebody else, we have never taken the position that you can just say, “That is bad luck”. You have responsibilities.
Having said that, network effects in an oligopolistic expressive environment may well be enough to mean that we need a whole paradigm shift here. Putting that in law is a genuine paradigm shift. You can always argue on law, fair processing and unfair terms in consumer contract regulations. You can always say that the law somehow has already spoken, but it would be a fundamental shift to interpret or indeed enact law that says, “If you set up a platform, you have to facilitate certain forms of expression, whether you like it or not”.
Viscount Colville of Culross: That is fascinating. Thank you very much indeed.
Q60 The Chair: Can I pick up a little on that before we move on? As a layman, listening to you talk about these various aspects of law, it seems to me that we are jumping around over a whole range of aspects of law and bodies responsible for it, from human rights law, which seems to be the responsibility of the courts, to content regulation, which is the content regulator in this country, Ofcom, data regulation, which had, until recently, a big EU footprint but also our own data protection regulation, and competition law. Where does all this come together so that we take a societal view about what harms we are trying to address? Arguably, that is probably the role of Parliament. We can then bring together all these legal disciplines and all the tools in the regulatory toolbox to try to address them, rather than leave it to specialist areas of law and regulators or jurisdictions that only have a partial responsibility. Is that not part of what we have to try to address here?
Dr Harbinja: This is the most crucial question, definitely. It is something that I have been thinking and writing about for some time now. Not just in the UK but in the EU, US and around the globe, we have been looking at these areas of law quite separately, in silos. We have been looking at data protection separately from freedom of expression, consumer protection, competition law, constitutional and human rights law, criminal law, et cetera. We think that we have fixed one area and then, if I may use the word, it leaks on the other side where we have not fixed the other area of law. I do not think any country or supranational entity, such as the EU, has ever looked comprehensively at this in one package, or at least in a reform that would have a consistent course of consideration.
There are the areas of law you have mentioned, plus consumer protection law, importantly, and of course criminal law. In the UK, we are seeing the Law Commission looking at communication offences and harmful online content. We see your Committee looking at freedom of expression. We see the Government introducing the online safety Bill, plus thinking about data protection and adequacy decisions, potential competition law solutions, et cetera. What is missing is this umbrella approach to all the areas, pulling the strings together and thinking about that as a whole, as something that needs to be addressed comprehensively.
The Chair: As it happens, this Committee has a proposal on the table, which I shall not turn to now, but we recommended some time ago, at the regulatory end, something called a digital authority, which was to bring together all our regulators into a formal relationship with Parliament, to try to understand the complexity of these things, understand all the moving parts and work out all the different tools available to address them, rather than the most obvious precedent. We might send that proposal to both of you, as we published it at the time, and ask for your commentary on it, if you would be prepared to have a quick look at it and give us your thoughts.
Dr Erdos: I remember making a contribution, I think, to that inquiry, or certainly reading the report about the digital regulator.
I am not sure that we have ever really fixed any harm online. Indeed, we seem to be circling all the time and not really solving many of these issues. We need a coherent regulatory landscape, but we also need regulators who tackle serious problems, effectively regulate and deliver a result. That may require several regulators actually to all perform diligently a particular task. Many different regulators have been mentioned. The Information Commissioner has a role in protecting privacy, reputation and other issues connected to personal information being spread and processed, which have come up particularly with the right to be forgotten, the Google judgment over five years ago now, and the right to delist information from search engines.
The Leveson inquiry brought this up very significantly as well and suggested, very sensibly, that there needed to be an information commission, not an Information Commissioner, with different commissioners—there would be several—taking a topical approach. The issue is just too big now. You have so many issues, with the police, big tech, maybe health and also social media. The suggestion that there should be one commissioner who took a responsibility for these sorts of issues in media—and social media, I would add—was a very sensible one. Co-ordination through some kind of digital regulatory clearing house would also be absolutely fundamental.
The Chair: We will send you, as a refresher, our thoughts on that, which included thoughts on the role of Parliament in this to introduce some democratic accountability, so it is not just everything passed off to distant regulators. I will ask you, if you are able to, to give your time to review it and give us your comments. That would be really appreciated.
Q61 The Lord Bishop of Worcester: Thank you very much indeed for your evidence so far, which has been really helpful and interesting. I would like to turn to the question to the question of Government and state surveillance. You mentioned earlier, Edina, the way in which privacy and freedom of expression need to go hand in hand. The basic question is whether UK law adequately protects users from surveillance, or too much. There are those who would say too much. For example, David Cameron in 2015 pointed out that in the past it was always possible to read someone’s letter, listen to someone’s mobile communications, but, with end-to-end encryption, that is not the case. In October of last year, there was a joint statement by the UK, Australia, Canada, India, Japan, New Zealand and the United States, calling on technology companies to enable those committing serious crimes to be apprehended. Can I ask you about how you feel about surveillance by the state, in this country in particular?
Dr Harbinja: Thank you very much, Lord Bishop, for this important question. I touched upon the relationship between privacy and free speech in this context, as you rightly noted. This is very evident, because state surveillance might chill free speech as well as infringe privacy. It affects both human rights.
As a disclaimer, I am not claiming a particular vast expertise in state surveillance law, but I have some expertise and knowledge and have followed it in my policy and academic work. We have seen challenges to RIPA, the Regulation of Investigatory Powers Act, and then the Investigatory Powers Act being passed and then challenged again and again in front of the UK courts and the CJEU as well. I would tend to argue that surveillance laws here are still quite intrusive, in particular with regards to bulk surveillance and the collection of communications, metadata communications and traffic data, as noted in some of these judgments.
There is a series of cases that came in front of the CJEU. They include Watson and Tele2, Big Brother Watch in the European Court of Human Rights and the most recent one, Privacy International, just in October, in front of the CJEU, a little before Brexit, where the surveillance laws of this country have been challenged. Both the courts pointed to necessary requirements for these programmes to be compliant with Article 10 and Article 8 of the convention and the charter in the EU. Some of them are that it is about a serious crime, that the threat is either foreseeable or present and these programmes are time-limited. It cannot just be indiscriminate collection of data for any purpose, for any prevention of any crime, for any period of time.
I would like to end this by mentioning something that you are probably aware of, which is the uncertainty around the UK’s adequacy decision and whether the UK data protection regime will be deemed adequate by the European Union. This has now been postponed for a few months with the Brexit deal, but it will come into play quite soon. The European Commission will be asked to assess the adequacy of the data protection regime. Given that GDPR is reflected in the DPA, that will not be a problem, but the surveillance regime will also be scrutinised. There are some issues, as pointed out in those cases, and concerns that have been raised by academics and civil society groups that the surveillance regime might not be deemed adequate or equivalent to the standards the EU has in this area. There are problems in this area that will surface in particular with the adequacy decision that is forthcoming quite soon.
Dr Erdos: Edina has covered many of the points. It is an absolutely vast subject, so you could have several sessions just on this. It is also a very specialist subject in many ways. It goes beyond the issue of bulk surveillance. There is a genuine issue over bulk surveillance and people can take different views, particularly when the criminal offences are extremely serious, in terms of what it is trying to prevent.
There are a lot of other issues. I am struck by the interim codes, admittedly not currently therefore legally enforceable, which were published in the government response to the consultation on the White Paper recently on child abuse and terrorism. There are many admirable suggestions and very important issues, but a whole host of data issues: complex international data transfers, reporting arrangements going largely to the United States in one case, which might be appropriate but raises issues around all these things about which jurisdiction, why and when, in terms of harms. There are issues to do with the use of automated technology to make decisions about individuals and their behaviour, again for very admirable purposes, but, nevertheless, raising profound issues.
We have a plethora of different regulators and bodies in this area. Is there a regulator that is tasked with delivering effective, balanced regulation and is accountable for that? There possibly is in some areas, but in other areas probably not. One might think that, with this commission proposal for the Information Commissioner’s Office, you might have one commissioner who was responsible for these very specialist issues, which require ongoing scrutiny and confidence, rather than a sporadic interest in a particular issue, followed by not quite radio silence but maybe less attention for quite some time. There are problems in the regulation side of things and we can probably all agree with some of that.
When you get into the issue of bulk surveillance and serious crime, like terrorism, in a way then you get into a normative debate more than an issue of practical considerations.
Q62 Lord Vaizey of Didcot: This is a very interesting discussion and shows the need for co-ordination on the almost impossible route through to dealing with these problems. Developing on from the debate about state surveillance, state surveillance has a different feel, to a certain extent, in a democratic society than in an autocratic society. That also goes to another niche issue, which is this debate about anonymity online, which we also raised with our previous witness. Sitting in a democratic society, my hunch would be that people should not be anonymous online. Anonymity on social media encourages the trolling and appalling behaviour that is exhibited online. There are plenty of anecdotes that, when these trolls are actually confronted, they are extraordinarily embarrassed by their behaviour and would not dream of behaving like that in any other sphere in which they operate. Anonymity online if you are posting a critique of an autocratic regime, where, if your identity is discovered, it could lead to some serious harm, is quite another matter. Should anonymity be simply left to the platforms, or is this a place where the UK Government could have a say?
Dr Erdos: We need to distinguish between true anonymity—literally being unaware who someone is—and pseudo-anonymity, where the network knows who the person is but it is not made public. Both forms, anonymity and pseudo-anonymity, play some important roles. I would even say, in a democratic and relatively free society, there is a role for pseudo-anonymity at least. Many people are very much implicated in effects, legitimate and illegitimate, that may flow from expressive activity. They may want to freely express opinions about certain workplaces, certain social practices or just the nature of their life, and would not want to be tracked and profiled for the rest of their life on that basis. There is a broader role for pseudo-anonymity. It is not about anonymity being curtailed, but it is about ensuring that responsible expression is facilitated, not irresponsible expression.
Lord Vaizey of Didcot: Pseudo-anonymity is where the platform knows who you are.
Dr Erdos: Yes, that would be pseudo-anonymity. If you are facilitating expression and arranging expression where the original publisher is identified and realistically can be held responsible for any harms, it is much more acceptable for you to say, “I am merely, in a way, processing on their behalf. I am facilitating their expression on their behalf”.
If you are actually not doing that but are facilitating expressive activity by the fully anonymous, or even the pseudo-anonymous but you are not willing to share any of those details, you are engaged in a very different expressive activity. At least after harms are pointed out to you, or you have been put on notice about the general nature of quite systemic harms, you should be responsible for tackling them, because you have chosen to facilitate that, from the perspective of the public anyway, “anonymous” expression. It is about ensuring that there is still a context of responsibility for that expression. I would not call it curtailing anonymity. I would just call it having effective responsibility.
Dr Harbinja: Thank you, Lord Vaizey, for this important question. I again tend to agree with David and have some additional comments. As you said, you live in a democratic society and you might not personally have the need for anonymity. There might be individuals, even in this society, that, for example, belong to subcultures that are legitimate and not doing anything illegal or unlawful, for example artistic, musical or some other preferences, that might not be comfortable with sharing that with the world. They would like to engage online with a different identity or remain anonymous because of this need to keep some of parts of their identities secret. There is also that consideration.
If we look across the pond, in the American jurisprudence at the Supreme Court, I would like to point to this quote from one of the cases: “Anonymity is a shield from the tyranny of the majority”. That is important to note even for democratic societies and obviously for non-democratic and autocratic societies.
I would note two sets of interests that I would like the Committee to think about in this context of anonymity. Interests of the speaker include interests to maintain their privacy, so now we are again talking about privacy, but also an interest of freedom of expression. Their free speech would be, in theory, chilled or curtailed if they had to disclose their identity. On the other hand, we have interests of the audience. These interests can be similar. Similarly, the audience would like free speech to flourish and other individuals not to be stifled and chilled in their speech. On the other hand, the audience also has the interest of transparency. That is where we arrive at some problems with anonymity, in particular when it comes to important issues of public interest.
Blanket curtailing of anonymity is definitely not something I would argue for. Online, there is space for platforms that would endorse anonymity and that would be appropriate places where this should be allowed, and perhaps other platforms where this would not be appropriate. There should be nuance in this approach.
Q63 Baroness Grender: Thank you so much for an absolutely fascinating session so far. Thank you, Edina, for saying that you were holding back a little bit about an answer to what we would like to see as a Committee. Thank you, because almost every answer you have given has been very rich with suggestions about that, so, to both of you, that is brilliant. I am going to push you slightly and ask you to walk in our shoes for a second, if indeed any of us are wearing shoes right now. Our job, as the unelected bit of Parliament, is to challenge ourselves to be quite robust about change. It might be a paradigm shift version of change, David, as you described earlier. What is the substantive change that looks round the corner, right now, and needs to absolutely ensure that we are ahead of the situation, rather than constantly playing catch-up? What are the fundamental changes that you would recommend right now as part of the recommendations that we produce at the end of this particular process? It can be just one if you like.
I noticed that both of you—David in particular—were saying that there are current laws that are implementable. Therefore, is it sanctions? In a post-pandemic environment, where there is no money, where do you throw the resource? Edina, you mentioned black-box transparency. That is very important, but how on earth a state or a Government can implement that is very hard to say. Give us some suggestions about some of the robust challenges and changes that we can introduce.
Dr Harbinja: Thank you very much for your comments. I am really glad that you found our contributions helpful so that the session was useful to the Committee. As I said at the beginning, I would argue for certain changes. I tend to agree with David that we have quite a few mechanisms that need to be enforced with greater capacities on the regulatory side, for the ICO for example, or for Ofcom, if Ofcom is going to be the new Ofweb, the web regulator, et cetera, and greater collaboration and co-operation between the regulators.
I would like to see imminently regulation that would require a greater transparency from the platforms: transparency in their algorithms, in their data use, in how they prioritise information and in how they recommend information and design features for users to interact with. I would also like to see, if possible, access by researchers to the data. As researchers, we have struggled to access from the platforms, when we have tried, meaningful data that we can then process for the purpose of different projects, recommendations and development of policies and technologies, so it is about transparency.
I mentioned human rights impact assessment at the beginning for any technology, ideally at the development stage or design stage. There is something that I somehow failed to mention today, but you talked about it in your previous evidence session. It is interoperability. It is something that is discussed widely in the European Union, within the Digital Services Act proposal, and here as well. There is the need to have these platforms communicate and talk to each other, so that users can easily either switch between those or not be locked into those. This is something that is very difficult, because obviously it involves buy-in from the companies, convincing them, and there are costs, et cetera. It is an essential consideration from the competition law perspective, but also from the perspective of consumer protection and some of the issues that we mentioned.
Finally, there should be independent audits of the platforms that would be performed annually, for example. The Digital Services Act proposal at the EU includes that requirement. This is still a draft and it will take at least five years for this to come into force in the EU. Potentially, the UK has an opportunity to pass some of these measures before, refine them and make them work. I am not sure if the Committee can recommend this or what the approach would be, but what we discussed before with Lord Gilbert was this coherent and comprehensive approach to different areas of law that are concerned, not just free speech or human rights.
Dr Erdos: Whatever one thinks of Brexit, and many of us have not been desperately convinced overall, in a way this process provides an opportunity for the UK to lead. One of the rationales the Information Commissioner always used to put forward for inaction was there was a one-stop shop. We are not the lead regulator. We are not the main regulator for these activities. Now we have left the European Union, there is no one-stop shop. The shop is the Information Commissioner and it is to enforce some of these laws we have been talking about. We have also talked about Ofcom, where there is not that kind of system in all areas, in most areas anyway.
We are still coming back to the fundamental challenge of whether there is a will to enforce the framework and whether it can be enforced. I come back to what I said at the beginning, the Committee should be trying to develop a framework for responsible expression and a framework for regulating for responsible expression. That means that the regulators themselves have to be responsible for delivering a result. The guidance that the Information Commissioner’s Office produced on the responsibilities of social networking and online platforms for not even terms and conditions but moderation and responding to derogatory, unfair, inaccurate postings was in 2013. The evidence that there has been effective enforcement of that has been absent.
We need effective regulators. The Open Rights Group case, which is going to the tribunal, trying to get a mechanism by which regulators like the Information Commissioner’s Office can be held to account in terms of delivering a result, is extremely important precisely for that reason. If you are going to have that you need regulators who do have a defined task. There is a big debate going on around exactly what has been given or is going to be given to Ofcom and what will remain or is within the purview of the Information Commissioner.
On harms online and the back-end processing, we have not talked about the age-appropriate design code, which overlaps many of these different areas. Ofcom will only have criminal law to enforce in the duty of care in most cases, apart from for category one services; I am still unclear what category one services will include. It is still very unclear what the non-legal harms are, which I am not desperately in favour of, because I would prefer to concentrate on what we have decided is illegal and getting that right. There may well still be a big role for the Information Commissioner, certainly in back-end processing and even as regards protecting privacy like the right to be forgotten, delisting online and things like this. Whatever the demarcation of responsibility is, it should be clear, and regulators should be responsible for delivering effective results to the UK public.
Baroness Grender: You have both talked about enforcement. I am not sure that you have given us enough granular on the how of enforcement. If you have further thoughts on that, it would be very helpful if you felt you could follow that up with written evidence.
The Chair: We will be writing to our witnesses on the issue of co-ordinated regulation. We will ask you at the same time to provide an answer to Baroness Grender, if you will be kind enough.
Q64 Baroness Bull: Thank you to you both for everything you have given us today. I want to finish by turning our gaze outwards, beyond these shores, to look at international comparators and best practice. David, you said in response to Baroness Grender’s question that the UK can lead. In reality, how possible is it to address these issues in isolation, or is international collaboration essential in order to do it properly? If so, what does that co-operation look like? Could you perhaps wrap into that where the UK might be looking, in terms of good and bad examples, particularly taking into account the cultural context here in this country?
Dr Erdos: I know people have different opinions and understandings of Brexit, and I do not want to get into that debate, but one sadness of it for me is that international co-operation is extremely important. It needs to be in a context where countries have common norms and are willing to co-operate together. The European framework, at its best, provided that. There are things like the European Data Protection Board. Their attempts to regulate platforms and search engines, both with their front-end—we talked about delisting—and with their back-end processing and profiling, are probably the best we have, in terms of international co-operation actually delivering results, and yet we have left that. It is a challenge.
To be fair, at the moment other forms of international collaboration are much looser. They are much more about building good will. We have talked about interoperability, but generally there are just common understandings through debate and dialogue. That is where we are at on broader frameworks. We are going to have to just live with that, while trying to seek friends and support for our general approach. There are interesting things going on, even beyond the European Union, within the context of countries that we have very longstanding cultural and historical ties with. In Australia, there is the eSafety Commissioner, which has been around for a number of years. There is also the Privacy Commissioner’s role in beginning to tackle some issues to do with reputation and privacy evasion online. They are very interesting.
Moving back into the European Union framework, where we can still co-operate, the role of agencies like the Spanish Data Protection Agency in bringing to the fore some of these issues over many years is admirable. We should retain a dialogue with our European counterparts. We have some frameworks for doing that, like the Council of Europe, which has been mentioned.
Baroness Bull: As you say, that relationship-building takes time, which is one of the challenges.
Dr Harbinja: Again, I tend to agree with David and what he has said. In terms of a broader general international co-operation at the UN or a similar level, I am not optimistic, given the vast differences in cultures in the protection of human rights and the freedom of expression in particular. I cannot see the common ground at the UN or a wider international level at all. I am being very blunt here.
I see common ground and opportunities to collaborate with the European Union. I have mentioned the Digital Services Act proposal that was published in the same week in December as the Government’s response to the online harms consultations and the announcement of the Online Safety Bill. A Bill has not been published yet. We are expecting it this year. Those two statutes will tackle similar, if not the same, issues. I definitely see scope and some overlaps there, but also divergences. Conversation in that space would be very important. In the Digital Services Act proposal, for example, I see the definition of very large platforms as platforms with 45 million users and more. What is missing in our proposal is this differentiation between platforms and very large platforms that have additional responsibilities in the European Union’s proposals, such as independent audit, transparency requirements, as I mentioned, et cetera. I definitely see the scope for collaboration there.
In terms of good and bad examples, you have previously discussed the German NetzDG and the fake news Act in France as not so good examples. They are examples that have faced some problems in enforcement and are not considered excellent. In terms of the Australian approach, privacy culture there is very different. Australia does not have an adequacy decision with the European Union, so privacy protection is at a much lower level than the European Union. It leaves us with trying to collaborate still, given Brexit and everything that happened, but still building those partnership and relationships, so that we almost have bargaining power against the platforms, if I can say it straightforwardly.
The Chair: Dr Harbinja, Dr Erdos, thank you both very much indeed. It has been a very useful and comprehensive session, with some very thoughtful technical answers to some of the legal issues but also some thoughts about some of the wider issues we need to be addressing as a Committee, which we will find very useful. You have both generously agreed to review some other materials for us and to respond to Baroness Grender on her follow-up question, which we would appreciate. Thank you both very much indeed for your time today and for giving your time for that additional evidence. Good afternoon to you.