Written evidence submitted by Dr Amy Orben
Draft Online Harms Bill: Written Evidence Regarding Clause 101
Dr Amy Orben
University of Cambridge
Dr Amy Orben is a College Research Fellow at the University of Cambridge where she heads the Digital Mental Health Research Group. Her work focuses on the impact of social media use on adolescent mental health and has informed policy both in the UK and internationally. She has experienced first-hand how the lack of access to digital company data is severely curtailing our understanding of Online Harms and policy responses. However, the Online Harms Bill provides a unique opportunity to address this issue by not just asking OFCOM to report on such issues (Clause 101), but to give it powers to use GDPR UK to enable research to take place.
There is currently no adequate provision for researchers to gain access to data from digital technology companies to study their impact on society, meaning that there is little to no good quality evidence about a) what online harms are and b) what their impact is. This lack has been noted, for example, by the UK Chief Medical Officers when they failed to agree on concrete screen time guidelines for children and young people due to lack of high-quality evidence in 2019 (Hawkes, 2019; Murphy et al., 2019): “An appropriate mechanism for measuring children’s digital engagement needs to be developed, as well as longitudinal studies to assess the temporal relationship between screen time and health and development. Performing meaningful research will rely on provision of anonymised data from technology companies themselves.”
Digital companies have however been largely unwilling to provide external researchers access to data about what users are experiencing online, making it impossible for good quality and independent scientific studies to be completed on topics such as online harms, mental health, or polarisation. They have routinely cited privacy, IP and commercial issues when challenged about why they have not provided such important data to researchers, or when shutting down research endeavours in the space.
The Draft Online Harms Build includes Clause 101 which specifies that OFCOM will prepare a report about researchers’ access to information from technology companies, however this does not solve the issue and will just reiterate was previous reports have found. In the meantime, researchers will continue to fail to provide the necessary evidence to understand online harms, and to develop active policy solutions. However, with the Online Harms Bill and the new development of UK Data Legislation, there is a unique opportunity to set in stone a functioning system for researcher data access set out below.
UK data law, GDPR UK, currently presents an unused opportunity to ethically collect digital technology company data without the need to get consent or approval from digital technology companies themselves. Furthermore, this opportunity to provide the basic building blocks for crucial research to inform policy, could be further strengthened in the development of new UK Data Legislation to replace GDPR UK.
Article 15 (Right of Access): “The data subject shall have the right to obtain from the controller [the digital data company] confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data.”
Article 20 (Right of Portability): “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”
This means that users of digital services are allowed to access and receive a copy of their personal data and other supplementary information stored about them by digital companies. Research participants should therefore be able to request such data from digital companies and donate them to research.
There is a clear opportunity to use the foundations of GDPR UK or future UK Data Legislation to build world-leading research infrastructure that uses digital data donation from UK users to provide crucial evidence to scientists and policymakers. Such infrastructure would include a service that a) designs and implements ethical, legal and privacy best practices for data donation, b) liaises with digital technology companies to set up effective data-donation linkages, c) fully consents participants, d) sends data access requests on their behalf, e) securely links the data with other sources of research data (e.g., mental health questionnaires or household panel surveys).
The Support Needed
However, currently there is no functioning system that allows individuals or researchers to exercise those rights, and power truly transformational research in this space. Subject Access Requests to gain data from technology companies through GDPR are slow, cumbersome, and most often unsuccessful. I personally have been trying to gain access to my own personal Facebook data for most of this year and have had to write many emails, send a copy of my passport, provide Facebook with an email previously not linked to any of my accounts; and I have still not been successful. Digital technology companies are therefore currently not allowing individuals and researchers to use their rights under GDPR to engage in digital data donation.
To ensure this system is functional, scalable, and successful there will need to be a wide range of support (see list below). The Online Harms Bill should not just ask OFCOM to write a report on researcher data access (Clause 101) but issue a call for action. Firstly, it should put in writing that individuals have the right to request their data from technology companies and donate them to research, and that this should be enabled by the companies without undue barriers or delay. Secondly, it should give powers to OFCOM to support individuals and researchers who want to exercise those rights in the UK, including fining technology companies if they do not comply.
List of additional support needed:
a) Political: Political support for the data donation process to put pressure on digital technology companies to comply, as well as the further embedding of digital data donation to research in UK data legislation.
b) Policy: Including data donation to research in policy reports and ensuring the powers are strengthened – and not eroded – during the design of new UK data legislation to replace GDPR.
c) Legal: Pro-bono legal aid to understand the level of data access GDPR, or a new data legislation, would provide and how this could be enforced.
d) Technical: Technical support to design a blueprint of the data donation infrastructure system and how it could interface with digital technology companies, to support a large-scale funding application.
e) Financial: Start-up and long-term funding to support the digital donation infrastructure, which should be freely accessible to researchers internationally.
 Information Commissioner’s Office: With GDPR UK “Individuals have the right to access and receive a copy of their personal data, and other supplementary information.” Furthermore, GDPR UK’s “right to data portability allows individuals to obtain and reuse their personal data (…) to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.”