Supplementary written evidence submitted by Elizabeth Denham, Information Commissioner

The future of Internet Harms Regulation

Paper for the Digital, Culture, Media and Sport Committee

I welcome the opportunity to submit my overarching views on the future of internet regulation to the Digital, Culture, Media and Sport Committee (the Committee). This is an important and complex debate and the Committee’s inquiry into Disinformation and ‘Fake News’ is a key contribution to it. As a regulator already engaged in the area of internet regulation - with significant experience of regulating the tech giants; conducting standards and accountability regulation; and extra-territorial powers - I am also keen to ensure the Information Commissioner’s Office (ICO) plays its part in contributing to this important debate. I have sought to do this through engagement with government and civil society and through oral and written evidence to this Committee, the Science and Technology Committee, and the Lords Communication Committee.

It is important to acknowledge the depth and breadth of public concern around these issues. Our Information Rights Strategic Plan makes our first Strategic Goal “To increase the public's trust and confidence in how data is used and made available.” Currently people want to use the internet, and some feel they have no choice but to use the internet, but their acquiescence doesn’t represent trust. Our most recent Annual Track survey showed only 15% of UK adults have a high level of trust and confidence in how social media platforms store and use their personal data. The more trust is eroded, the greater anxiety people will feel about going online, resulting in detriment to those individuals and a gradual disengagement from the benefits the internet has to offer.

What are the main activities in relation to content and interaction online and how is it currently regulated?

It is ultimately a matter for government and Parliament to decide whether there is a need for additional regulation in the area of internet harms; whether this requires a new regulator to be established, and if so its shape and remit. But before doing this it is important to determine what the existing harms are, what activities on the internet are already regulated and therefore where the regulatory gaps lie.

The various harms are along a very wide spectrum, from material that might cause upset or offence to an individual - through child development and protection issues or misinformation/disinformation - to extremist or illegal content. Different experts and interest groups prioritise some of these harms over others, depending on their own experience and priorities. Joint research carried out by Ofcom and the ICO suggested that the main areas of concern for the public when online were:

• Harmful and illegal content;
• Data Privacy;
• Cyber Security and hacking; and
• Safe interaction with others.

Dealing with these in turn:

• ‘Data privacy’, and ‘Cyber security and hacking’ are already regulated through the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the ePrivacy Directive/ Privacy and Electronic Communications Regulations (PECR) (to be updated with the e-privacy Regulation) and the Network and Information Systems (NIS) Directive;
• ‘Illegal content’ is dealt with by existing law (with some of this law considered in the Law Commission’s recent analysis); and
• ‘Harmful content’ and ‘Safe interaction with others’ require further attention, and are addressed below.

A range of organisations – including tech companies, the voluntary sector, academic institutions and Think Tanks – are considering different aspects of this debate, which government and Parliament will want to consider in the round when developing policy in this area.

At this point it is helpful to outline some of the areas where there is already a ‘clear’ legal regulatory scope:

• Where personal data is processed, the ICO has a clear mandate, which covers transparency in the form of notice requirements, limitations on how personal data may be used, and a range of rights the individual has (e.g. to access, correct and move their data). Many of the internet services that are currently being discussed are reliant on personalised data profiles that have been developed over time; this processing of this data in our scope.
• Ofcom covers the broadcast of content from TV and radio that is played over the internet ‘on demand’.
• The Advertising Standards Authority (ASA) covers standards of advertising on the internet (but not political advertising).
• The Competition and Markets Authority (CMA) promotes competition for the benefits of consumers, including conducting market studies and investigations in markets where there may be competition and consumer problems.
• Many of the internet harms that rightly concern the public are already clearly illegal, such as the distribution of terrorist content or child pornography, or making threats to kill.

In some cases, the public is not aware of what is (and is not) currently regulated. Ofcom has highlighted that some people mistakenly assume it already regulates all online ‘broadcasts’ via platforms such as YouTube. Conversely, the Law Commission notes that when threats are made online they will often be covered by existing criminal law. Our enforcement activities resulting from the investigations covered in our Democracy Disrupted Report, and our subsequent update to you, addressed several situations where personal data collected online for one purpose was then misused for another purpose, a breach of the Data Protection Act 1998, which would remain a breach of the Data Protection Act 2018.

There appears to be consensus that any co-ordinated approach to internet harms must include activities to improve digital literacy, and this should include making the public more aware of their existing rights and protections. Improved digital literacy will go some way to addressing public anxiety without the need for additional regulation or regulators. There are already a number of initiatives on this, including at curriculum level in schools, but they are not coordinated and joined up. There is also an important role for internet companies to play here too.

However, there are still a number of internet harms which do not appear to be fully addressed by existing law and regulation. These include:

• Online harmful (but currently legal) conduct of one person to another, or many people to one person. This may include online abuse of the individual (including bullying, and having many people ‘pile on’ to one person and abuse them), and also inappropriate (but currently legal) behaviour to vulnerable individuals such as children. Tech firms often attempt to address this through having channels to flag problematic behaviours, and something through automated moderation of interactions.
• Publishing harmful or offensive (but currently legal) user generated content, especially where is could be consumed by vulnerable individuals such as children. Tech firms often attempt to address this through content moderation, using a mix of artificial intelligence filtering and human content moderation.
• Addictive design, leading to excessive screen time or other addictive behaviour. This has become a greater focus through the ‘time well spent’ movement, but has not been a focus of the tech firms until recently, unless it related to an offline addictive trait (e.g. gambling, where the Gambling Commission plays a role).

The ICO’s experience of regulating activities online.

The ICO has responsibility for regulating the use of personal data. This horizontal regulatory remit means we are already regulating in areas of activity across the internet. Where the regulation of the internet involves personal data, we have a role to play. We have well established engagement with the tech giants such as Facebook (including WhatsApp and Instagram), Google and Twitter, and have undertaken actions against Facebook, WhatsApp and Google in recent years. The new enhanced powers and sanctions in the GDPR and Data Protection Act 2018, including extraterritorial powers, means that we will be able to continue to hold the tech firms to account for how they are handling citizens’ data online.

We also have relevant experience in relation to Google (and other search engines) and the ‘Right to be Forgotten’ principle. Under this mechanism, individuals make the initial request to Google for search engine results to be delisted. If the individual is not satisfied with the outcome of this request, they can complain to the ICO for adjudication, which involves a careful balance between the rights to freedom of expression and privacy. We have ruled on 1,676 cases since 2014.  The ICO was key in leading work to develop and agree detailed criteria and guidelines for search engine delisting at an EU level.

Other areas of relevance include the requirement for us to produce and have oversight of an age appropriate design statutory code of practice for the protection of children online under the Data Protection Act 2018. The code, which is understood to be a world first, is currently under consultation. In addition, we are currently developing a framework for explainable artificial intelligence, and building an approach to auditing algorithms.

Of course, our work in adjacent online activities already brings us into contact with other regulators and government bodies, and I am pleased with our level of co-ordination. We already work very closely with Ofcom, as well as organisations including the British Board of Film Classification (BBFC), the Electoral Commission, the ASA and the National Cyber Security Centre (NCSC), whenever the scope of our work has overlapped.

Principles of future internet regulation.

The breadth and complexity of the challenges facing us means that any solution will be multifaceted, with different approaches best suited to addressing different harms. In developing an approach, I believe it would be helpful to draft a series of guiding principles that can support the design of any additional law and regulation. These principles could include agreeing that any future regime should:

• Address the specific internet harms where gaps have been identified.
• Acknowledge that harms online are just as great as offline and the same rules should apply.
• Recognise that cumulatively, online non-criminal harms (e.g. the impact on someone’s mental health) can be as significant as criminal harms because of the scale and scope of the potential activities.
• Ensure that any regulation has a justified and proportionate impact on freedom of expression.
• Recognise that we live in a liberal society that respects people’s basic freedom – including online - and acknowledge there are limits to the extent that regulation and legislation can mitigate harms.
• Maintain and improve vulnerable people’s rights and protection, especially those of children.
• Acknowledge that, without a very substantial injection of resources and headcount, it is unlikely that any regulator would be able to directly handle the volume of individual complaints that are likely to be generated (either directly or in an ombudsman role), particularly in relation to user generated content and online interaction.
• Integrate the tech companies into the solution, recognising that they are generating revenue from the users using their platforms and should contribute to address these problems, and also that they have the scale and technologies to address many of these issues.
• Build a framework that binds tech companies, both as platforms and intermediaries to put systems in place, good governance, accountability systems and safety by design.
• Make these systems transparent to the public and the regulator, with strong signals for the public about quality and the delivery of fair outcomes.
• Develop solutions that are scalable, and can cover both new entrants and established players, without creating barriers to entry for new entrants.
• Move at a pace that respects the urgency felt by the public to address these issues (whilst ensuring that any new regulation remains thoughtfully designed and proportionate), creating a framework which can be simply explained to the public and helps restore trust and confidence in the internet.

Of course, this list cannot be seen as complete or conclusive at this time – but may serve as a contribution to the current debate, and perhaps help identify commonality between different viewpoints and propositions being discussed.

I hope these comments are useful to the Committee. I remain at the Committee’s disposal should you have further questions regarding this important matter.

Elizabeth Denham

Information Commissioner

November 2018