1.The Committee has asked the Department for Digital, Culture, Media and Sport (“the Department”) for a memorandum on the following points:
i) “Indicate the paragraphs in the document which provide the guidance that the age-verification regulator is required to publish under section 25(1)(a) of the Digital Economy Act 2017.”
ii) “2. Explain why the document includes—
(a) the Parts headed
“2. The BBFC’s Approach and Powers under Part 3 of the DEA”, and
“4. Data Protection and the Information Commissioner’s Office”, and
(b) paragraph 11 of Part 3 and Annex 5;
and how they meet the requirements of section 25(1)(a) of the Digital Economy Act 2017.”
2.The Department’s response to the Committee’s query is set out below.
3.In response to the first point, as the Committee will be aware, section 25(1)(a) states that the regulator must publish guidance about the types of arrangements for making pornographic material available that the regulator will treat as complying with section 14(1) of the Digital Economy Act. The Secretary of State does not have the power to modify or approve this guidance.
4.That guidance is in Part 3, paragraphs 5 and 6 of the draft guidance.
5.In paragraph 5, the BBFC have set out the criteria on age-verification arrangements which they will treat as complying with Section 14(1) of the DEA:
“A) An effective control mechanism at the point of registration or access to pornographic content by the end-user which verifies that the user is aged 18 or over at the point of registration or access.
B) Use of age-verification data that cannot be reasonably known by another person, without theft of fraudulent use of data or identification documents nor readily obtained or predicted by another person.
C) A requirement that either a user age-verify each visit or access is restricted by controls, manual or electronic, such as, but not limited to, password or personal identification numbers. A consumer must be logged out by default unless the positively opt-in for their log in information to be remembered.
D) The inclusion of measures which authenticate age-verification data and measures which are effective at preventing use by non-human operators including algorithms.”
6.The guidance then goes on, in paragraph 6, to give examples of features, which in isolation, do not comply with the section 14(1) requirement. They include:
“A) Relying solely on the user to confirm their age with no cross-checking of information, for example by using a ‘tick box’ system or requiring the user to only input their date of birth.
B) Using a general disclaimer such as ‘anyone using this website will be deemed to be over 18’
C) Accepting age-verification through the use of online payment methods which may not require a user to be over 18. (For example, the BBFC will not regard confirmation of ownership of a Debit, Solo or Electron card or any other card where the card holder is not required to be 18 or over to be verification that a user of a service is aged 18 or over.)
D) Checking against publicly available or otherwise easily known information such as name, address and date of birth.”
7.The Secretary of State produced Guidance to the AV Regulator which was laid before Parliament and Section 27(3) of the DEA states that ‘the regulator must have regard to the guidance’. A draft of this Guidance was made available during the passage of the Digital Economy Bill.
8.Paragraph 3.3 of the Guidance from the Secretary of State to the AV Regulator states that:
“the Secretary of State considers that rather than setting out a closed list of age-verification arrangements, the regulator’s guidance should specify the criteria by which it will assess, in any given case, that a person has met with this requirement. The regulator’s guidance should also outline good practice in relation to age verification to encourage consumer choice and the use of mechanisms which confirm age, rather than identity.”
9.It is important that the BBFC guidance does not lock in a set of arrangements which would prevent innovation and development in the fast moving age-verification industry. This is an area where the regulator needs flexibility and the ability to respond nimbly to advances.
10.Our view is that the BBFC’s draft Guidance on age verification arrangements fulfils the requirements of the Act and shows regard to this Guidance from the Secretary of State in respect to these points.
11.In response to your second query, the guidance includes the section on the “BBFC’s Approach and Powers under Part 3 of the Digital Economy Act” as the regulator considered that it was important that their guidance set out the wider context in which they will carry out regulation of this policy. As such, the inclusion of the introduction and the material in Section 2 strengthens the guidance.
12.The guidance on age verification arrangements also includes the section on “Data Protection and the Information Commissioner’s Office” as this addresses paragraph 3.7 of the Guidance from the Secretary of State to the AV Regulator which states that:
With regards to privacy, the age-verification regulator’s guidance should include:
13.It is crucial that users are able to verify their age in a way that protects their privacy. Our view is that the BBFC’s draft Guidance on age verification arrangements shows regard to this Guidance from the Secretary of State in respect to these points.
14.Finally, paragraph 11 of Part 3 and Annex 5 refer to the Voluntary Certification Scheme which will test providers of age verification solutions against an even higher standard than that offered by the GDPR. This scheme will ensure that consumers are able to choose age verification solutions with the most robust data protection conditions. These aspects were included further to 3.7 of the Guidance from the Secretary of State on the privacy considerations.
Department for Digital, Culture, Media & Sport
20 November 2018
Published: 30 November 2018