final logo red (RGB)

 

Select Committee on Communications 

Corrected oral evidence:

The internet: to regulate or not to regulate?

Tuesday 1 May 2018.

4.40 pm

 

Watch the meeting 

Members present: Lord Gilbert of Panteg (Chairman); Baroness Bertin; Baroness Bonham-Carter of Yarnbury; The Lord Bishop of Chelmsford; Viscount Colville of Culross; Lord Goodlad; Lord Gordon of Strathblane; Baroness Kidron; Baroness McIntosh of Hudnall.

Evidence Session No. 3              Heard in Public              Questions 21 - 27

 

Witnesses

I: Myles Jackman, Legal Director, Open Rights Group; Javier Ruiz Diaz, Policy Director, Open Rights Group.

 

USE OF THE TRANSCRIPT

This is a corrected transcript of evidence taken in public and webcast on www.parliamentlive.tv.

 


Examination of witnesses

Myles Jackman and Javier Ruiz Diaz.

Q21            The Chairman: I am very pleased to welcome the second set of witnesses to our inquiry this afternoon. I remind you that the meeting is being broadcast online and a transcript is being taken.

We are asking whether a new and comprehensive strategic regulatory framework is or is not required for the internet. Our witnesses come from the Open Rights Group, a think tank that promotes freedom of speech and data protection. Would you introduce yourselves and, so that we get a sense of where you are coming from, tell us whether you think there is a need for a new regulatory framework; and, if so, the form it should take? Should it be selfregulation, coregulation or more direct regulation?

Myles Jackman: I am the legal director of the Open Rights Group, which, as you have heard, is predominantly a digital rights campaign with particular emphasis on privacy, data protection and free speech issues.

I am a solicitor advocate. I have a private practice—Hodge Jones & Allen LLP—and specialise in what I call obscenity law as a niche practice. As a practitioner, my area is almost exclusively criminal. I practised 10 years PQ and 18 years in the criminal justice system, but my interests today are clearly about freedom of expression.

Before answering the first question, one thing I would like to flag is the regulatory gaps that are already occurring with regard to age verification under the BBFC, which was supposed to come in at the beginning of last month. We see a gap between the BBFC’s remit to oversee age verification and the ICO’s ability to rectify problems with regard to mistakes or data loss and leaks, which perhaps I may be able to go into later. In this country, between 20 million and 25 million adults are likely to sign up to age verification in the first month. If data on age verification through various service providers is lost, breached or hacked, we are in a very dangerous situation which I suggest GDPR is insufficient to rectify. In the Ashley Madison hack, people committed suicide. For 20 million to 25 million adults in this country, it is a very serious concern. If legislation were considered in that area, we would be very supportive of it.

The other point I would like to make very swiftly is about necessity. Any form of regulation should be necessary and proportionate to the stated aims and perceived harms. I think we are in agreement that we are looking towards the lighter touch-end of coregulation. Self-regulation may create problems of recourse for users, and the heavier end of the spectrum may be far too difficult for freedom of expression.

Javier Ruiz Diaz: I am the policy director for the Open Rights Group. We work on the internet as a whole. We are not just a privacy organisation or a freedom of speech organisation. We try to represent a grass-roots membership. More than 50% of our support comes from individual donations. We do not claim to represent every internet user, but we think we provide a grass-roots perspective, combined with a high level of expertise. Many of our supporters are people you will find giving evidence to this Committee, such as software engineers, and many are at the top of companies. We try to balance perspectives.

On the regulatory framework, we do not think we should provide a completely new framework for the internet as a whole, first because the internet is too complex for one regulation. We sometimes conflate large platforms with the internet itself, which is simply a shared protocol for the interconnection of various private networks. When we talk about internet regulation, it probably needs to be a lot narrower. Secondly, right now clearly the driver is internet platforms, so we should probably focus on regulating them.

On the second question, we need to protect the open internet. Over the past two years, we have been hearing all sorts of proposals from the UK, the EU and the US for restrictions on content. We do not want to romanticise too much a mythical open internet that has never fully existed. We do not want to say that there are no problems, but at the same time we do not want to throw the baby out with the bathwater. We should recognise that the level of interoperability brought about particularly by the removal of liability in certain conditions, and the removal of the obligation for monitoring content from providers, has worked quite well in many contexts, although we can see limits.

Thirdly, on the question of online and offline, which was mentioned in the previous session, in the main, we take the position that we should have the same principles both online and offline. We need to be very understanding of how technology will shape the implementation of those principles. It is equally wrong to demand that something that works offline works exactly the same online—because it will not—as it is to say that the online world should create completely new rules. For us, things such as due process and respect for human rights should operate across the board.

Finally, there is an important point, which was made before, about the role of private actors. The internet is nothing but the interconnection of lots of privately run infrastructures in the main, with exceptions in certain countries where states still have responsibility for telecommunications. When private actors are intermediaries, anything that gets enforced, whether it is public policy or the demands of other private actors, will have to go through another private actor. That means that companies have to make legal decisions potentially as to the application of human rights and balancing freedom of expression. It also means that the obligations of states to uphold fundamental rights can be weakened, because if a Government decide to censor a bit of content directly, they will have to apply human rights very clearly. If a Government nudge a private company to implement some form of content restriction, many people would argue that companies do not have the same responsibilities.

We would argue that private actors have some responsibilities, particularly providing a foreseeable environment for users. When Governments mandate restrictions, they should be a lot more up front about what they do, and should not try to corral internet companies into a room and threaten them with regulation or else, unless they do something. That is the worst of both worlds and it lowers the level of accountability.

Q22            Baroness Kidron: I want to ask you about what you have just said, to make sure that I understand it completely. It feels as though there is a bit of tension between one set of private actors, another set of private actors, the open internet and the intermediary platforms, about which I am about to ask you. My question, which I know you heard earlier, is about whether platforms are publishers or mere conduits, or do we have to think of them in a different way? In answering that question, could you also unravel whether you think there is too much power in some of the bigger private actors against the little ones, who might be the users, who are not represented by the Government in the way you set it out?

Javier Ruiz Diaz: It is absolutely clear that the concentration of power in a handful of mainly US companies has brought bad consequences across the board. As the previous panel said, it is a lot harder to know how to deal with it. One of the things we are concerned about is when we see removals, or it is said that we should deal with it through the removal of liability. That will affect the internet as a whole.

The North American view is that hosting protections do not apply to organisations as such. A platform is defined in the European context as a two-sided market, so there are users, who are like consumers, and there are advertisers, or people trying to sell or buy cars, and the platform is in the middle. Platform is the modern way of describing those organisations. I do not know whether there is any more modern term that we can use to describe them.

The fundamental point is that the liability protections do not attach to the organisation; they attach to individual bits of content and activity. If a newspaper is running an online discussion forum, some liability protections would be attached to the content produced by people commenting. Conversely, if a platform, such as Netflix, attaches its own content, at that point it will clearly stop being a host and will start becoming potentially a publisher, or something else. It is very important not to try to categorise platforms as a whole either as publishers or not. Protections are attached to specific activities, so we need to break down the activities and try to focus on each specifically.

The Chairman: Do you want to add anything, Mr Jackman?

Myles Jackman: I have nothing to add to that, because we prepared alternate questions. Forgive us.

Baroness Kidron: Well done. Can I ask the same question about design? We tend to concentrate on content, but the design of some of the interlocutors has a profound effect on the experience and behaviour of users, so I am interested in your perspective on the freedom of the user and how you deal with that tension.

Javier Ruiz Diaz: Design is obviously very important. One caveat in this context is that the design of a platform such as Facebook or Google is not like the design of a simple product. These platforms are running A/B testing all the time. There is a high probability that the results you get from your search will not be the same as the ones you got yesterday, or the ones that the next person will get. It is not that they are designed by committee, but there is no mastermind designing everything all the time. Apple and other companies may be a bit more centralised, but it can be quite hard to have a clear central vision of the design for such a large, complex system.

Baroness Kidron: Let me put the question another way and ask about the culture and principles of design.

Javier Ruiz Diaz: We are running a European-funded project on ethics in design. With various universities, we are looking specifically at that question, mainly in the context of internet of things products, which are a lot more manageable than designing Facebook or Google. Our approach is that you cannot have ethics as a single step where you say, “We are going to pass the ethics hurdle”, or, “We are going to have an ethical accord and do some rubber-stamping”. You need to embed ethics in day-to-day organisation, and try to become ethical and strive for excellence in everything you do.

A whole new branch of ethics and technology is now trying to move in that direction, rather than simply providing a checklist that the organisation will comply with, or simple processes that everyone can go through. That can be satisfactory, in the sense of making you feel good that you are ethical, but we believe that you need to become ethical; it has to be an ongoing process, and that is a lot harder.

Baroness Kidron: Can you answer this with yes or no, because I am running out of time? Do you believe that that ethical structure has to sit outside a regulatory structure? Once we have decided what they look like, who holds the ethics?

Javier Ruiz Diaz: We definitely would not want to see ethics in any form completely superseding regulation. What we hear from industry lobbies is, “Please don’t regulate us; let us run our own ethics”. There are ethics inside regulation and space for ethics outside, but there should definitely not be a substitution. It would be quite difficult to have any kind of official body mandating ethics as such. There are ethical committees at universities, for example. You can have specific interventions, and trying to create anything that involves rubber-stamping or a certificate can work, but it should be a process rather than a simple step.

Q23            Viscount Colville of Culross: You heard the previous witnesses refer to the need for platforms to have more responsibility for the way they host and moderate content, so that they are fairer and more transparent. What is your view on that? Mr Diaz, from the other side, you said we do not want the regulators locking internet companies into a darkened room and threatening them. Do you think that the processes being used at the moment by law enforcement agencies and other bodies, such as the Internet Watch Foundation, are working? Are they fair and transparent enough, and what else could be done to make them work better?

Myles Jackman: Those are questions I have prepared. With regard to the first part of the question about processes, accountability and fairness, we have significant concerns that they do not appear transparent, fair and accountable. It may be an appearance, but for fairly obvious reasons, these platforms require swift action, and moderation has to be light touch in those terms.

Our concerns are that it almost becomes a proxy for right and wrong. Perhaps I could use the example of nipples on Facebook. If you are not aware of it, I am sorry I have to go into this. Fourteen is the standard age for Facebook, but for adults over the age of 18 male nipples are perfectly acceptable; female nipples are verboten; and Facebook is very confused about trans-nipples during transition. My point is that containing nipples almost becomes a proxy for adult content when it is not, if you see what I mean.

The next point is that there is essentially a contractual issue where the people who want to seek redress are not getting it directly from the platform in question. A good example of that is the Vietnamese girl napalm photograph that was initially only brought to public attention through the press. If you have traction, you can get redress, but the problem is that it is virtually of no precedent value whatsoever; in other words, unless we are talking about that picture of the Vietnamese napalm girl, in which case there is a judgment, it does not apply across the spectrum.

We also have concerns about tone, context and nuance. Anyone who is attempting to moderate should be able to identify sarcasm and irony, which clearly will be problematic, at this time, for algorithms, but we appreciate that platforms operating at speed must have some level of hard and fast rules. We do not know enough about how their systems work and operate, what criteria they use, who has specifically decided the criteria and who arbitrates in a borderline case, such as the image of the Vietnamese girl.

If I may move on to law enforcement, from an obscenity law perspective I was thinking predominantly about what I call proactive police law enforcement and reactive police law enforcement, among the other forms it takes. Earlier reference was made to indecent images of children, which I assume we all agree should have no place, but, tragically, sites, including Facebook, are capable of hosting that material.

As you may be aware, hash values in metadata should be able to track those images, so, if someone were foolish enough to upload such an image to Facebook in any capacity and in any form, it should be identified. Under the Protection of Children Act 1978, in this country there is clearly some form of law enforcement effectiveness. It becomes less effective with slightly lower-level offences, such as the extreme pornography offence under the Criminal Justice and Immigration Act or Obscene Publications Act offences and so on. The material might be adult, and arguably consensual, but it is only reported to police; it is not proactively sought.

The problem areas we find are the Counter Terrorism Internet Referral Unit, CTIRU, and the Police Intellectual Property Crime Unit, PIPCU. They have some very specific issues we have rubbed up against and not found satisfactory answers to. Data about CTIRU’s operation are so scarce to us that it is impossible to assess its systems, to see how accountable and transparent they are. Based on that, we would have to come to the conclusion that they are certainly not transparent. There is accountability within the police, but it is difficult to assess to what extent it is evaluated and effective outcomes are either agreed or disagreed on, and for fairness, in the criminal justice sense of fairness, that cannot be true.

The other thing is PIPCU’s infringing websites list that it shares with advertisers to stop piracy online. The list is secret. Police say that they do not force advertisers to do anything, but the restriction on freedom that suggests is that the advertisers are contacted and feel that they must respond to those inquiries.

The IWF, which I think was the formal part of the question, is arguably more transparent, but none the less accountability becomes complicated. There is an Article 10 issue at play there, I think. I hope I have addressed some of the points as swiftly as possible.

Viscount Colville of Culross: Do you think more could be done? We heard last week about problems with the take-down regime; it is not standardised enough and it is not clear enough how it should work and where responsibility should lie. Do you think more could be done to develop that?

Myles Jackman: For the purposes of clarity, if we are talking not about indecent material but about normal material, shall we say, absolutely, yes. There should be a notice and counter-notice process whereby the user can challenge and is notified. If I might extrapolate, I suggest that it should go as far as blocking orders. If something is blocked, I should know it has been blocked, particularly if it is my site, as happened under the adult filter; my obscenity lawyer site was temporarily filtered out. Other people told me that. My point is that you do not know you have been filtered out, which is particularly problematic if you are a business owner and do not realise why you are not getting business. Clearly, notice and counternotice are very necessary. Another point that should be given very serious consideration is right to appeal.

Viscount Colville of Culross: How might that right to appeal work? What form would it take?

Myles Jackman: We are talking in such broad terms that it is difficult.

Viscount Colville of Culross: Not obscenity.

Myles Jackman: It would not be in an obscenity motion, because clearly there is a preexisting criminal framework for that. What I am talking about is blocking for other purposes—for example, PIPCU and intellectual property infringement material. There should be a notice on sites such as that, and manufacturers and the site owner should be able to challenge it. That is where the appeal process should come into play. At the moment, we have very little idea how that operates substantively.

Baroness Kidron: You came out shooting, saying there should be no regulation, but, if you have a right of appeal and all these processes, where does it all sit?

Myles Jackman: I thought I said that we wanted light-touch coregulation.

Baroness Kidron: That would include universal standards, take-down standards and that sort of thing.

Myles Jackman: Absolutely.

Javier Ruiz Diaz: It could even go further. Content that may be illegal could arise in many contexts. Going through the courts eventually would be the preferred course of action, but a lot of content is dealt with under terms and conditions, as was mentioned. There is a question as to whether content should be dealt with by terms and conditions when you are dealing with illegality, which is fundamental for CTIRU, where they use terms and conditions to take down material of a terrorist nature or of use to terrorists.

If we restrict ourselves to terms and conditions, there is an issue right now in that companies’ internal processes are even worse than anything we have heard before from CTIRU. There is absolutely no transparency. We had to mediate between Turkish Facebook users when the main protest website for the equivalent of the Arab spring, the Gezi Park protests, was taken down by Facebook. They had no recourse. We were contacted by Turkish activists. We went through to Facebook in Ireland and organised a conference call so that Turkish activists could talk to Facebook. Clearly, that is not satisfactory. There is a huge gap.

We need much stronger due process for internal take-downs in companies. At some point, we think it would be worth exploring some form of arbitration, in the same way that if I disagree with my plumber I can go to an arbitration body. We do not want in any way to weaken the rule of law. Our position on that is clear; it is not to say that website take-downs should not go through the courts, but when it comes to decisions based purely on the terms and conditions of social media platforms internally, it would be an improvement in the current situation to have some form of external arbitration.

The Chairman: Your external arbitration would be in the coregulatory framework that you are advocating.

Javier Ruiz Diaz: It could be part of a coregulatory framework, although in this case it could even fall below the regulatory framework. We would want it to be stronger, with as many teeth as possible, but it would be an arbitrator, not a full court. Obviously, you should always be able to go to court. In theory, you always can go to court within the limitations of costs and actual opportunity.

We looked at oversight. At the moment, we mainly know about content take-downs by companies from the reporting of those companies. Such reports tend to be at international level, so Google in the US would do it internationally. They may give a bit more detail, but we think there is a need for more oversight, possibly even within countries, to try to understand how companies themselves take down material. In particular, we find huge discrepancy between the many thousands of items that CTIRU claims it takes down per year, and the very few in internet companies’ own reports, so there is a need to tally those figures.

Q24            Lord Gordon of Strathblane: The Government’s digital charter states that one of the key guiding principles is that people should understand the rules that apply to them when they are online, yet earlier this afternoon a witness quoted alarmingly high statistics of people who simply did not know. How do we remedy that?

Myles Jackman: It does not have to be through a regulatory regime per se; in other words, tragically, we are suggesting that age verifications cannot perform. People will only learn the importance of digital privacy afterwards.

Lord Gordon of Strathblane: When it is too late.

Myles Jackman: Absolutely. To develop that point briefly, that is why we suggest that, in the limited circumstances of higher-level intrusive private data, GDPR is not quite sufficient. If there are between 20 million and 25 million adults whose information can be hacked fairly easily, we are probably looking at many tragic suicides and people feeling ostracised from communities—everything you would not want to happen from the internet. I hope we can avoid that. I can certainly see a basic information or leaflet-type website to understand your rights, particularly under GDPR, as it is so current and a lot of people are working on it; but if you are not a data controller you might not even consider the issue, so I entirely agree that it is difficult to educate and enlighten people as to their rights.

Lord Gordon of Strathblane: As someone who recently downloaded new terms and conditions on my app, I find it difficult enough to make my fingers small enough to press the right button, let alone read the contents. Surely, there is a way round this. Terms and conditions could be verified by an external body; I do not want to use the word “regulator” because it gets you quite excited. It could provide a kitemark indicating that the terms and conditions are reasonable. For all I know, I could be signing away my house to Facebook or Google.

Myles Jackman: Sadly, that is quite a common experience. I agree. I find it very difficult, even as a lawyer, to go through those terms and conditions. Jurisprudence coming out of the commercial courts and so on is increasingly towards comprehensible terms and conditions.

Lord Gordon of Strathblane: How do we do it?

Myles Jackman: Short, brief points. I agree with your broad proposition about an independent body arbitrating terms and conditions, particularly privacy policies, with the ability to understand that a privacy policy may be changed at a later date, to use age verification as an example. There is an opportunity for regulatory capture for an actor; MindGeek is the owner of approximately 90% of the adult tube sites on the internet, and it could simply capture the British market of adult content consumers, or even globally, and then change its privacy policy six months or a year down the line, as Facebook has continued to do, by adding widgets and so on.

Lord Gordon of Strathblane: But surely there should be somebody stopping them changing their policy like that.

Myles Jackman: That was an example I was using to substantiate the point. Forgive me if it did not come across as clearly as I hoped.

The Chairman: You advocate coregulation. You think somebody should be doing these regulatory things. What do you mean by co-regulation?

Javier Ruiz Diaz: When it comes to information around privacy, we already have a very clear regulatory framework with the Information Commissioner. When we were here a few months ago talking to a Committee about artificial intelligence, there was a big discussion as to the role of different regulatory bodies. In general, our approach would be to make the most of the bodies we already have before we start building new ones. That would be our general principle.

It is important to understand the difference between terms and conditions in establishing some form of contractual relationship, and saying that now other relationships are ruled through that contract. We believe that in most cases it would be a one-sided contract, probably not fair and possibly unenforceable. There is a difference between that and the previous policy, which is highly regulated under Article 13 of the general data protection regulation.

Lord Gordon of Strathblane: I am not a lawyer, but you said it would be a one-sided contract, probably not fair and unenforceable. Why would it be unenforceable?

Javier Ruiz Diaz: If both sides cannot agree, it could be hard to enforce.

Lord Gordon of Strathblane: But if I have signed a contract with somebody, surely it is enforceable. I speak as a layman.

Myles Jackman: Might I suggest that there is arguably an imparity of bargaining power between an enormous corporation such as Facebook and individuals such as ourselves? It has been suggested that withdrawal from a platform means that other platforms may take up the slack, but ultimately your choice may be either to be able to engage or not. There will be people for whom Facebook simply is the internet. In short, it is their portal, their gateway; that is how they understand information on the internet. That concerns us somewhat and it needs to be remedied.

Javier Ruiz Diaz: The important thing to understand is that certain things are regulated under data protection. Terms and conditions can be a very broad range of things. It could be how companies use your information, or assignment of intellectual property could be an issue. Use of data is fairly well defined in the GDPR, so companies need to start sticking to the letter of GDPR as much as possible.

Lord Gordon of Strathblane: You think that bit of the GDPR is adequate.

Javier Ruiz Diaz: In providing a baseline, yes. Articles 13 and 14 of GDPR give a baseline for the information that should be provided. Obviously, we think it is not enough.

Baroness Kidron: I want to pick up your point about the split. Do you think there might be a role for consumer law around terms and conditions rather than data law? The GDPR was developed in a period when we thought of consent as the key factor, but in the world of smart cities, smart cars, smart fridges and smart everything, the idea of consent is somewhat redundant, because we just walk through it all. You might be very good people to tell us something about that on the record.

Javier Ruiz Diaz: In one of his last bits of work, the outgoing European Data Protection Supervisor, Peter Hustings, defined a framework for the regulation of big data. He proposed that data protection, consumer regulation and competition should work in unison, mainly because there were issues about consent and even about whether some data is identifiable enough to be protected under data protection.

We think there is a huge role for consumers. We have campaigned for full implementation in the Data Protection Bill of Article 80(2) of GDPR, which would give consumer organisations, such as the Open Rights Group, power to take independent action without the need to be instructed. We are also pushing for stronger class action powers. It is not just the idea of consumer action; we need the crafting of consumer protection itself to complement regulation and accountability.

On consent, most privacy advocates nowadays are moving a bit away from consent, mainly because in the US it is constructed as a way to get people to part with their information and to gather data. Most people now say they want to see systems where data is minimised, which is another principle in law. In particular, we want to see in law that consent should be attached to meaningful, real choices. If you do not have a choice to part with your data, you should refuse consent. That is the way it should work, but it is not always the way it actually works.

For example, right now if you use Facebook, you get a big pop-up that will drive you through certain questions. The way the dialogue is constructed nudges you towards agreeing with everything it says there. Somewhere else in the terms and conditions, Facebook says that its use of your data is in order to provide you with a service, which is more or less a contractual relationship. In that context, you do not have a choice; consent is removed. The real level of consent Facebook gives you is very unclear.

Baroness Bertin: Can I bring you back to the point about balance and ethics? I hear what you are saying about an open and free internet, but clearly there have been some unintended consequences, and no one would disagree with that. Will we ever find a resting place on that? We heard recently from the Metropolitan Police Commissioner that social media—Twitter—were leading directly in some cases to gang murders. Is that a consequence of an open internet, or should something be done about such things?

Javier Ruiz Diaz: We should really focus on the problems as narrowly as possible. The statement that Twitter has led to a murder is very broad, and it is quite important to see how exactly the use of Twitter contributed, and what elements were Twitter as Twitter, and not—

Baroness Bertin: They are not allowed to cool off; they go crackers online and suddenly it has fallen out into the streets and ended in a knifing. Presumably, that is why she said that.

Javier Ruiz Diaz: In that context, it is important to understand what could have been done differently. What is specific about that particular platform compared with an argument in a pub that escalates into violence? We understand that there are issues around the internet, and what was said in the previous session around the removal of inhibitions.

Baroness Bertin: That is a key point, is it not?

Javier Ruiz Diaz: It is critical. There is quite a lot of research. We are not experts on online communications and the psychological effects. Clearly, we can see that the level of abuse, particularly of women, on Twitter is unacceptable. What features of Twitter would you change? Then it becomes a matter of design. It is quite a complex question and it is hard to solve with a simple silver bullet. In order to deal with such questions, which are completely legitimate, I am afraid you need to get into the detail.

Baroness Bertin: We have talked about ethics, design and all the rest of it. Are ethics going to win over profits?

Lord Gordon of Strathblane: There is always a first.

Javier Ruiz Diaz: The ethics would have to stretch beyond the data aspects and into wider corporate issues. In the US, there was a big drive to introduce ethics in the corporate world after the Enron scandal. Unfortunately, it seems that it has mainly generated a whole industry of ethics advisories for large corporations rather than real ethical change. I agree that it is a fundamental, large problem.

Q25            Baroness Bonham-Carter of Yarnbury: I want to pick up on what Lord Gordon mentioned earlier: people’s lack of awareness as to what can happen to them when they use the internet. A report by Doteveryone showed that 83% of those surveyed were unaware that information can be collected about them. What information should online platforms provide to users?

By the way, I wish the Bishop had come in with his brilliant question about the definition of a platform, but we do not have time to go into that. I hope you heard his question in the earlier session about the use of personal data and how it should be presented. Picking up on something slightly tangential, which we were talking about last week, how about the misuse of a person’s reputation falsely to sell things online? That is a slightly different question, but I wanted to get them both in because we do not have much time.

Javier Ruiz Diaz: As I said before, GDPR is the baseline for the information that should be provided, and that particular aspect is fairly prescriptive. There are a couple of issues. One raised earlier was about rights relating to data portability. It is not specifically about information, but more about the wider framework.

Companies will now let you download your data from their websites. You can go to Google or Facebook and download a lot of the information they have, not everything but quite a lot. The problem is that you cannot do much with it, so there are questions about interoperability and getting companies to accept data and find common formats. That will be important. It will be really challenging for Facebook, because it is very complex, with sections such as news and chat.

Another problematic issue is the use of the information, particularly around automated decision-making, profiling or algorithms where it can be quite a challenge to explain what is being done. It is fairly easy for companies to tell you, “We collect this data and we generally use it for marketing”. When it comes to explaining how they will provide it to serve your particular app, we think they should strive for maximum transparency, but we should be aware that there are substantial challenges in making that practical.

Baroness Bonham-Carter of Yarnbury: You accept that it is complicated and that there are challenges, but, to pick up what the Chairman said, what is the resolution?

Javier Ruiz Diaz: Purely on information, we ran a project to look at privacy policies and information rights under GDPR. I am afraid that the solution is to keep up the pressure. It will be quite iterative. If someone raises the bar and other companies develop best practice, we should try to get other companies to follow suit. In this case, we need bottom-up pressure, so we need citizens to be better informed, a stronger civil society able to put more pressure on companies, and regulators to be more involved and take action against companies. There is no simple solution. You have to come at it from all those different places.

The Chairman: Mr Jackman, do you want to deal with the second part of the question?

Myles Jackman: I do not want to put words into your mouth, but what I heard was that we need a specific offence for that type of activity. Was that what you were getting at?

Baroness Bonham-Carter of Yarnbury: No. There is something we cannot mention specifically, but it is very much about somebody’s reputation being misused falsely to sell products.

Myles Jackman: To my mind, the element of falsehood would seem to attract criminal liability almost immediately.

Baroness Bonham-Carter of Yarnbury: It does not seem to have helped people who have found themselves in that circumstance.

Myles Jackman: Unfortunately not; I agree, but that is my point about GDPR and the sort of CCTV element of restoration after the fact. I would say that GDPR in the circumstances I have defined is insufficient, simply because it is such a huge intrusion into privacy. Arguably, reputational misuse is equally a privacy intrusion above and beyond mere factual detail. Certainly, I agree with you on the point that it is something that needs to be considered in greater detail.

Q26            Baroness McIntosh of Hudnall: You heard the earlier discussion about competition law. The issue is about the scale of these platforms as they have grown over a very short period of time, and the way the current arrangements for regulating competitiveness in any market can or should be applied. Can they be applied, or should something else be developed that can be applied to these platforms? Is there anything about the fact that we are about to exit the European Union that will make us more vulnerable to being at a disadvantage?

Javier Ruiz Diaz: One of the fundamental problems with competition law is that we do not have a good definition of what the market is. Facebook and Google are giants in their advertising market share. There is no social media monopoly category or search. You can see statistics about search, but it is not well defined.

The other problem is that they are not really abusing their power to hike prices. On the contrary, in the short term they give you very good value for money because their services tend to be free. It is quite hard to square short-term benefits with long-term detriments in this context.

The third problem is that the US is the space where competition action should take place, and the US simply has no interest in breaking up these companies because they give their country a huge amount of soft power and influence around the world. It would be against US national interest to break up Facebook or Google at this point. Maybe it will happen at some point in the future, but right now it is unthinkable.

As was said before, competition law is not perfect; it tends to come in after problems have happened, rather than preventing them, and the remedies for individuals can be either non-existent or difficult. They have to go through several hoops to get a benefit at the end.

These companies are technology monopolies. They are created in various forms—for example, intellectual property and rights in the case of Microsoft. There are economies of scale and vendor lock-in. Anyone who has dealt with public procurement on Oracle has horror stories about the vendor lock-in that Oracle imposes on people. There are data silos and network effects; the network effect is one of the most fundamental.

Digital likes simple solutions, and once a simple solution is found, in general, there is a tendency just to use that. We see that in open protocols, such as the actual internet protocol, which itself is an open solution, or email. On the other side, there are closed platforms. There is a choice. If we want a simple single solution, do we want it to be an open protocol that any company can use, or do we want it to be a closed platform? The measures should be aimed at introducing much higher levels of interoperability.

A question was asked earlier about how to break up Facebook. The idea of breaking in the sense of breaking an oil monopoly in the 1930s does not work in the same way for a technology company. You might be able to break up certain subsidiaries and say they cannot buy Instagram or things like that. There is a big question about the merging of databases, and that must definitely be tackled. We did some work with the Transatlantic Consumer Dialogue on that area, and there is some work, mainly in Germany, on data and mergers. When it comes to the natural growth of companies, the main thing to do is to try to promote interoperability and to move as much as possible towards open protocols and avoid platforms.

Lord Goodlad: What do you think the effect will be on regulation of the internet of the United Kingdom leaving the European Union?

Javier Ruiz Diaz: We have one specific question and a general concern. The specific question relates to Article 15 of the e-commerce directive, which more or less forbids the general monitoring of internet content by platforms, hosts or mirror conduits. That article does not transpose the e-commerce regulations. The three previous articles are more or less verbatim, but that article simply disappears. The UK Government have argued that that principle was implicit in UK law in the past.

We see similar things with the IP enforcement directive, which was not implemented either, so there will be a big problem the day after Brexit. The repeal Bill will not incorporate things that are not there, so that is something that should be fixed. If we had to make one concrete recommendation, it would be to bring that into statute before Brexit, or at the time of Brexit; otherwise, there will be divergence in the regulatory frameworks of the UK and Europe. Despite Brexit, the expectation is that, in theory, in the short term things should continue as they are, but clearly they will not.

More generally, we think there will be pressure towards deregulation. We are worried about whether, institutionally, DCMS and Parliament have the capacity to deal with a post-Brexit world. We think it will be quite challenging.

The Chairman: Do you have reason to believe that DCMS has no capacity from your dealings with it, or is it just a general anxiety?

Javier Ruiz Diaz: It is from dealing with DCMS. We do a lot of work for Brussels; we are part of a European network of civil rights organisations. Looking at the amount of work on legislation and the volume of things coming from Brussels, and thinking about that being translated into a UK position is quite scary. We look at both sides.

To give you an idea, GDPR faced more than 3,000 amendments, and the telecoms package looks something like that. There is simply no way that the UK Parliament can deal with 3,000 amendments. They would not go through. The systems for going through amendments line by line are just not there. People complain about the power of lobbyists in Brussels. To be honest, quite a lot of the lobbying is necessary because it means that external input is taken into account at the time of making laws. It also means that long-term and broader impacts can be taken into account, rather than short-term political considerations, which unfortunately seems to be the case for most legislation in the UK, despite the best efforts of the House of Lords in trying to provide a counterbalance. If we are honest, you do not have the resources that people in the European Parliament have as regards the number of assistants and access to legal expertise. It will be a challenge for the UK to continue legislating at the same level of quality as it has enjoyed until now from Brussels.

Q27            The Chairman: I will finish by asking a general question. We have told you the premise of our inquiry, which is to balance freedom of expression with the perceived need to regulate the internet and how we go about it. Could you tell us what freedom of expression means to you, and whether generally in society freedom of expression and freedom of speech is under threat?

Myles Jackman: I was taking notes and I wrote down “perceived need” as part of your question. Forgive me for reiterating that. Freedom of expression is absolutely fundamental to me as an individual. I have reasons for that. As well as being interested in obscenity, as was noted in the Guardian a couple of years ago I am a practising BDSMer; I have an interest in alternative sexuality. Therefore, I have a distinct interest in both privacy and freedom of expression and my ability to express my sexuality without imposing on anyone else, or infringing anyone else’s consent; so, on a personal level it absolutely resonates with me.

From a historical perspective, I would have said it was the fundamental right on which I view our democracy as being built, if I had to choose one thing in isolation. Reference was made to my coming in all guns blazing, but the fear of regulation is that freedom of expression will be curtailed in different ways. That may be minority sexual communities or it may simply be people’s ability to communicate, as we are seeing under the age verification regime. The Lord Bishop of Chelmsford mentioned ATVOD and the AVMS regulations. There was a very small chilling effect under that, in which you might be interested: abuse of regulation. Under ATVOD, there was a duty to investigate, if notification was received of a site not complying with the ODPS regulations.

A dominatrix dropped in about 80 of her competitors, saying that they were not in any way complying with the regulatory regime. What is interesting to me about this in broader terms is that the vast majority of these were one-woman-band private producers, often with children or other dependants, essentially working flexible hours from home. Of those 80 or 90, only two challenged it: UCSC and Pandora Blake—The Urban Chick Supremacy Cell and Dreams of Spanking—and won, and I believe ATVOD is no more because we were successful in that.

That individual shut down about 80 businesses that were absolutely essential to the people who held them. They simply received a notice letter. I hope this is a broader point. Individuals who do not necessarily have recourse to a particularly high level of technical or legal expertise may receive a notice letter and be terrified. All those who shut down their businesses said the same thing: “We’ve got kids; we have a family life and we need to retain our privacy”. That was a clear example of abuse of the regulatory regime for commercial advantage, so I am afraid there is another issue.

The Chairman: That is interesting. You have illustrated, from a personal point of view and from the point of view of your organisation, the importance of freedom of expression. Clearly, any regulation has to be balanced against that. Do you think that in society freedom of speech generally is under threat and not sufficiently respected? Is that a contextual problem in which we are now operating?

Myles Jackman: The internet has given the vast majority of average citizens, who would not have had the opportunity to express themselves and be listened to, a huge freedom beyond their wildest comprehension. If that is restricted in certain ways, and certain communities—not exclusively sexual communities—and individuals feel that it is curtailed, there is the very strong risk of threat to free expression in that regard.

The Chairman: Mr Ruiz Diaz, do you think society takes freedom of expression sufficiently seriously?

Javier Ruiz Diaz: Freedom of expression is one of those things that you do not miss until you lose it. In general, we take it for granted, but we are dealing with a complex interrelationship of various rights. Freedom of expression and privacy are very important, and both are connected. You can add freedom of association. We should not look at human rights in isolation. When we have problems we should try to narrow things down, but we should see how all those different rights play together.

We should not restrict our analysis to a pure rights framework, particularly when it could be seen as some sort of ceiling, whereby as long as you tick the box you have done what you need to. We see it as the flourishing of human life, with people using technology to develop themselves to the fullest. In that sense, human rights are very necessary and they all play together. We should not say, “Have we ticked the box on dealing with freedom of expression?” It is about using those rights to provide a springboard.

Lord Gordon of Strathblane: I do not know whether you are a limited company, or what form of funding you have. Do you produce an annual report and, if so, can you send it to us?

Javier Ruiz Diaz: We will. At the moment, the majority of our funding comes from individual supporters.

Lord Gordon of Strathblane: It is not the funding, but an annual report. Clearly, you operate not just in Britain but in other countries, and it would be interesting to find the scope of that.

The Chairman: If you could send us the report, we would find it a useful piece of information.

Javier Ruiz Diaz: We will, and we are happy to supply any other information.

Baroness Kidron: The freedom that you beautifully described has to be set against, presumably, the freedoms of others, such as the women on Twitter you described earlier. Can I have your agreement to that on the record?

Javier Ruiz Diaz: Of course. The complexity is that it is not just freedom but the value of human life as a whole.

The Chairman: Thank you very much for giving evidence. It has been a very interesting session for us. We are embarking on a very wide-ranging inquiry, and today we have had a wide range of evidence to inform us. Thank you.