ICO News

The Information Commissions Office (ICO) earlier in the year presented draft internet censorship laws targeted at the commendable aim of protecting the personal data of younger website users. These rules are legally enforceable under the EU GDPR and are collectively known as The Age Appropriate Design Code.

The ICO originally proposed that website designers should consider several age ranges of their users. The youngest users should be presented with no opportunity to reveal their personal data and then the websites could relent a little on the strictness of the rules as they get older. It all sounds good at first read... until one considers exactly how to know how old users are.

And of course ICO proposed age verification (AV) to prove that people are old enough for the tier of data protection being applied.

ISO did not think very hard about the bizarre contradiction that AV requires people to hand over enough data to give identity thieves an orgasm. So the ICO were going to ask people to hand over their most sensitive ID to any websites that ask... in the name of the better protection of the data that they have just handed over anyway.

The draft rules were ridiculous, requiring even a small innocent site with a shopping trolley to require AV before allowing people to type in their details in the shopping trolley.

Well the internet industry strongly pointed out the impracticality of the ICO's nonsense ideas. And indeed the ICO released a blog and made a few comments that suggest it would be scaling back on its universal AV requirements.

The final censorship were delivered to the government on schedule on 23rd November 2019.

The industry is surely very keen to know if the ICO has retreated on its stance, but the ICO has now just announced that the publication date will be delayed until the next government is in place. It sounds that their ideas may still be a little controversial, and they need to hide behind a government minister before announcing the new rules.

The April 2019 Online Harms White Paper set out the Government's plan for world-leading legislation to make the UK the safest place in the world to be online.

The proposals, as set out in the White Paper were:

• A new duty of care on companies towards their users, with an independent regulator to oversee this framework.

• We want to keep people safe online, but we want to do this in a proportionate way, ensuring that freedom of expression is upheld and promoted online, and businesses do not face undue burdens.

• We are seeking to do this by ensuring that companies have the right processes and systems in place to fulfil their obligations, rather than penalising them for individual instances of unacceptable content.

• Our public consultation on this has closed and we are analysing the responses and considering the issues raised. We are working closely with a variety of stakeholders, including technology companies and civil society groups, to understand their views.

We are seeking to do this by ensuring that companies have the right processes and systems in place to fulfil their obligations, rather than penalising them for individual instances of unacceptable content.

Our public consultation on this has closed and we are analysing the responses and considering the issues raised. We are working closely with a variety of stakeholders, including technology companies and civil society groups, to understand their views.

Next steps:

• We will publish draft legislation for pre-legislative scrutiny.

• Ahead of this legislation, the Government will publish work on tackling the use of the internet by terrorists and those engaged in child sexual abuse and exploitation, to ensure companies take action now to tackle content that threatens our national security and the physical safety of children.

• We are also taking forward additional measures, including a media literacy strategy, to empower users to stay safe online. A Safety by Design framework will help start-ups and small businesses to embed safety during the development or update of their products and services.

For some bizarre reason the ICO seems to have been given powers to make wide ranging internet censorship law on the fly without needing it to be considered by parliament. And with spectacular incompetence, they have come up with a child safety plan to require nearly every website in Britain to implement strict age verification. Baldric would have been proud, it is more or less an internet equivalent of making children safe on the roads by banning all cars.

A trade association for news organisations, News Media Association, summed up the idea in a consultation response saying:

ICO's Age Appropriate Code Could Wreak Havoc On News Media 

Unless amended, the draft code published for consultation by the ICO would undermine the news media industry, its journalism and business innovation online. The ICO draft code would require commercial news media publishers to choose between their online news services being devoid of audience or stripped of advertising, with even editorial content subject to ICO judgment and sanction, irrespective of compliance with general law and codes upheld by the courts and relevant regulators.

The NMA strongly objects to the ICO's startling extension of its regulatory remit, the proposed scope of the draft code, including its express application to news websites, its application of the proposed standards to all users in the absence of robust age verification to distinguish adults from under 18-year olds and its restrictions on profiling. The NMA considers that news media publishers and their services should be excluded from scope of the proposed draft Code.

Attracting and retaining audience on news websites, digital editions and online service, fostering informed reader relationships, are all vital to the ever evolving development of successful newsbrands and their services, their advertising revenues and their development of subscription or other payment or contribution models, which fund and sustain the independent press and its journalism.

There is surely no justification for the ICO to attempt by way of a statutory age appropriate design code, to impose access restrictions fettering adults (and children's) ability to receive and impart information, or in effect impose 'pre watershed' broadcast controls upon the content of all currently publicly available, free to use, national, regional and local news websites, already compliant with the general law and editorial and advertising codes of practice upheld by IPSO and the ASA.

In practice, the draft Code would undermine commercial news media publishers' business models, as audience and advertising would disappear. Adults will be deterred from visiting newspaper websites if they first have to provide age verification details. Traffic and audience will also be reduced if social media and other third parties were deterred from distributing or promoting or linking titles' lawful, code compliant, content for fear of being accused of promoting content detrimental to some age group in contravention of the Code. Audience measurement would be difficult. It would devastate advertising, since effective relevant personalised advertising will be rendered impossible, and so destroy the vital commercial revenues which actually fund the independent media, its trusted journalism and enable it to innovate and evolve to serve the ever-changing needs of its audience.

The draft Code's impact would be hugely damaging to the news industry and wholly counter to the Government's policy on sustaining high quality, trusted journalism at local, regional, national and international levels.

Newspapers online content, editorial and advertising practices do not present any danger to children. The ICO has not raised with the industry any evidence of harm, necessitating such drastic restrictions, caused by reading news or service of advertisements where these are compliant with the law and the standards set by specialist media regulators.

The Information Commissioner's Office has a 'cunning plan'

Of course the News Media Association is making a strong case for its own exclusion from the ICO's 'cunning plan', but the idea is equally devastating for websites from any other internet sector.

Information Commissioner Elizabeth Denham was called to give evidence to Parliament's DCMS Select Committee this week on related matters, and she spoke of a clearly negative feedback to her age verification idea.

Her sidekick backtracked a little, saying that the ICO did not mean Age Verification via handing over passport details, more like one of those schemes where AI guesses age by scanning what sort of thing the person has been posting on social media. (Which of course requires a massive grab of data that should be best kept private, especially for children). The outcome seems to be a dictate to the internet industry to 'innovate' and find a solution to age verification that does not require the mass hand over of private data (you know like what the data protection laws are supposed to be protecting). The ICO put a time limit on this innovation demand of about 12 months.

In the meantime the ICO has told the news industry that age verification idea won't apply to them, presumably because they can kick up a hell of stink about the ICO in their mass market newspapers. Denham said:

We want to encourage children to find out about the world, we want children to access news sites.

So the concern about the impact of the code on media and editorial comment and journalism I think is unfounded. We don't think there will be an impact on news media sites. They are already regulated and we are not a media regulator.

She did speak any similar reassuring words to any other sector of the internet industry who are likely to be equally devastated by the ICO's 'cunning plan'.

In recent months we've been reviewing how personal data is used in real time bidding (RTB) in programmatic advertising, engaging with key stakeholders directly and via our fact-finding forum event to understand the views and concerns of those involved.

We're publishing our Update report into adtech and real time bidding which summarises our findings so far.

We have prioritised two areas: the processing of special category data, and issues caused by relying solely on contracts for data sharing across the supply chain. Under data protection law, using people's sensitive personal data to serve adverts requires their explicit consent, which is not happening right now. Sharing people's data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, raises questions around the security and retention of this data.

We recognise the importance of advertising to participants in this commercially sensitive ecosystem, and have purposely adopted a measured and iterative approach to our review of the industry as a whole so that we can observe the market's reaction and adapt our thinking. However, we want to see change in how things are done. We'll be spending the next six months continuing to engage with the sector, which will give the industry the chance to start making changes based on the conclusions we've come to so far.

Open Rights Group responds

25th June 2019. See article from openrightsgroup.org

The ICO has responded to a complaint brought by Jim Killock and Dr Michael Veale in Europe's 12 billion euro real-time bidding adtech industry. Killock and Veale are now calling on the ICO to take action against companies that are processing data unlawfully.

The ICO has agreed in substance with the complainants' points about the insecurity of adtech data sharing. In particular, the ICO states that:

• Processing of non-special category data is taking place unlawfully at the point of collection

• [The ICO has] little confidence that the risks associated with RTB have been fully assessed and mitigated

• Individuals have no guarantees about the security of their personal data within the ecosystem

However the ICO is proceeding very cautiously and slowly, and not insisting on immediate changes, despite the massive scale of the data breach.

Jim Killock said:

The ICO's conclusions are strong and very welcome but we are worried about the slow pace of action and investigation. The ICO has confirmed massive illegality on behalf of the adtech industry. They should be insisting on remedies and fast.

Dr Michael Veale said:

The ICO has clearly indicated that the sector operates outside the law, and that there is no evidence the industry will correct itself voluntarily. As long as it remains doing so, it undermines the operation and the credibility of the GDPR in all other sectors. Action, not words, will make a difference--and the ICO needs to act now.

The ICO concludes:

Overall, in the ICO's view the adtech industry appears immature in its understanding of data protection requirements. Whilst the automated delivery of ad impressions is here to stay, we have general, systemic concerns around the level of compliance of RTB:

• Processing of non-special category data is taking place unlawfully at the point of collection due to the perception that legitimate interests can be used for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR requires).
• Any processing of special category data is taking place unlawfully as explicit consent is not being collected (and no other condition applies). In general, processing such data requires more protection as it brings an increased potential for harm to individuals.
• Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.
• There appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law more broadly (and specifically as regards the ICO's Article 35(4) list). We therefore have little confidence that the risks associated with RTB have been fully assessed and mitigated.
• Privacy information provided to individuals lacks clarity whilst also being overly complex. The TCF and Authorized Buyers frameworks are insufficient to ensure transparency and fair processing of the personal data in question and therefore also insufficient to provide for free and informed consent, with attendant implications for PECR compliance.
• The profiles created about individuals are extremely detailed and are repeatedly shared among hundreds of organisations for any one bid request, all without the individuals' knowledge.
• Thousands of organisations are processing billions of bid requests in the UK each week with (at best) inconsistent application of adequate technical and organisational measures to secure the data in transit and at rest, and with little or no consideration as to the requirements of data protection law about international transfers of personal data.
• There are similar inconsistencies about the application of data minimisation and retention controls.
• Individuals have no guarantees about the security of their personal data within the ecosystem.

The Information Commissioner's Office has for some bizarre reason have been given immense powers to censor the internet.

And in an early opportunity to exert its power it has proposed a 'regulation' that would require strict age verification for nearly all mainstream websites that may have a few child readers and some material that may be deemed harmful for very young children. Eg news websites that my have glamour articles or perhaps violent news images.

In a mockery of 'data protection' such websites would have to implement strict age verification requiring people to hand over identity data to most of the websites in the world.

Unsurprisingly much of the internet content industry is unimpressed. A six weerk consultation on the new censorship rules has just closed and according to the Financial Times:

Companies and industry groups have loudly pushed back on the plans, cautioning that they could unintentionally quash start-ups and endanger people's personal data. Google and Facebook are also expected to submit critical responses to the consultation.

Tim Scott, head of policy and public affairs at Ukie, the games industry body, said it was an inherent contradiction that the ICO would require individuals to give away their personal data to every digital service.

Dom Hallas, executive director at the Coalition for a Digital Economy (Coadec), which represents digital start-ups in the UK, said the proposals would result in a withdrawal of online services for under-18s by smaller companies:

The code is seen as especially onerous because it would require companies to provide up to six different versions of their websites to serve different age groups of children under 18.

This means an internet for kids largely designed by tech giants who can afford to build two completely different products. A child could access YouTube Kids, but not a start-up competitor.

Stephen Woodford, chief executive of the Advertising Association -- which represents companies including Amazon, Sky, Twitter and Microsoft -- said the ICO needed to conduct a full technical and economic impact study, as well as a feasibility study. He said the changes would have a wide and unintended negative impact on the online advertising ecosystem, reducing spend from advertisers and so revenue for many areas of the UK media.

An ICO spokesperson said:

We are aware of various industry concerns about the code. We'll be considering all the responses we've had, as well as engaging further where necessary, once the consultation has finished.

Elizabeth Denham, Information Commissioner Information Commissioner's Office,

Dear Commissioner Denham,

Re: The Draft Age Appropriate Design Code for Online Services

We write to you as civil society organisations who work to promote human rights, both offline and online. As such, we are taking a keen interest in the ICO's Age Appropriate Design Code. We are also engaging with the Government in its White Paper on Online Harms, and note the connection between these initiatives.

Whilst we recognise and support the ICO's aims of protecting and upholding children's rights online, we have severe concerns that as currently drafted the Code will not achieve these objectives. There is a real risk that implementation of the Code will result in widespread age verification across websites, apps and other online services, which will lead to increased data profiling of both children and adults, and restrictions on their freedom of expression and access to information.

The ICO contends that age verification is not a silver bullet for compliance with the Code, but it is difficult to conceive how online service providers could realistically fulfil the requirement to be age-appropriate without implementing some form of onboarding age verification process. The practical impact of the Code as it stands is that either all users will have to access online services via a sorting age-gate or adult users will have to access the lowest common denominator version of services with an option to age-gate up. This creates a de facto compulsory requirement for age-verification, which in turn puts in place a de facto restriction for both children and adults on access to online content.

Requiring all adults to verify they are over 18 in order to access everyday online services is a disproportionate response to the aim of protecting children online and violates fundamental rights. It carries significant risks of tracking, data breach and fraud. It creates digital exclusion for individuals unable to meet requirements to show formal identification documents. Where age-gating also applies to under-18s, this violation and exclusion is magnified. It will put an onerous burden on small-to-medium enterprises, which will ultimately entrench the market dominance of large tech companies and lessen choice and agency for both children and adults -- this outcome would be the antithesis of encouraging diversity and innovation.

In its response to the June 2018 Call for Views on the Code, the ICO recognised that there are complexities surrounding age verification, yet the draft Code text fails to engage with any of these. It would be a poor outcome for fundamental rights and a poor message to children about the intrinsic value of these for all if children's safeguarding was to come at the expense of free expression and equal privacy protection for adults, including adults in vulnerable positions for whom such protections have particular importance.

Mass age-gating will not solve the issues the ICO wishes to address with the Code and will instead create further problems. We urge you to drop this dangerous idea.

Yours sincerely,

Open Rights Group
Index on Censorship
Article19
Big Brother Watch
Global Partners Digital

New proposals to safeguard children will require everyone to prove they are over 18 before accessing online content.

These proposals - from the Information Commissioner's Office (ICO) - aim at protecting children's privacy, but look like sacrificing free expression of adults and children alike. But they are just plans: we believe and hope you can help the ICO strike the right balance, and abandon compulsory age gates, by making your voice heard.

The rules cover websites (including social media and search engines), apps, connected toys and other online products and services.

The ICO is requesting public feedback on its proposals until Friday 31 May 2019. Please urgently write to the consultation to tell them their plan goes too far! You can use these bullet points to help construct your own unique message:

• In its current form, the Code is likely to result in widespread age verification across everyday websites, apps and online services for children and adults alike.

• Age checks for everyone are a step too far. Age checks for everyone could result in online content being removed or services withdrawn. Data protection regulators should stick to privacy. It's not the Information Commissioner's job to restrict adults' or children's access to content.

• With no scheme to certify which providers can be trusted, third-party age verification technologies will lead to fakes and scams, putting people's personal data at risk.

• Large age verification providers will seek to offer single-sign-in across a wide variety of online services, which could lead to intrusive commercial tracking of children and adults with devastating personal impacts in the event of a data breach.

This is the biggest censorship event of the year. It is going destroy the livelihoods of many. It is framed as if it were targeted at Facebook and the like, to sort out their abuse of user data, particularly for kids.

However the kicker is that the regulations will equally apply to all UK accessed websites that earn at least earn some money and process user data in some way or other.  Even small websites will then be required to default to treating all their readers as children and only allow more meaningful interaction with them if they verify themselves as adults. The default kids-only mode bans likes, comments, suggestions, targeted advertising etc, even for non adult content.

Furthermore the ICO expects websites to formally comply with the censorship rules using market researchers, lawyers, data protection officers, expert consultants, risk assessors and all the sort of people that cost a grand a day.

Of course only the biggest players will be able to afford the required level of red tape and instead of hitting back at Facebook, Google, Amazon and co for misusing data, they will further add to their monopoly position as they will be the only companies big enough to jump over the government's child protection hurdles.

Another dark day for British internet users and businesses.

The ICO write in a press release

Today we're setting out the standards expected of those responsible for designing, developing or providing online services likely to be accessed by children, when they process their personal data.

Parents worry about a lot of things. Are their children eating too much sugar, getting enough exercise or doing well at school. Are they happy?

In this digital age, they also worry about whether their children are protected online. You can log on to any news story, any day to see just how children are being affected by what they can access from the tiny computers in their pockets.

Last week the Government published its white paper covering online harms.

Its proposals reflect people's growing mistrust of social media and online services. While we can all benefit from these services, we are also increasingly questioning how much control we have over what we see and how our information is used.

There has to be a balancing act: protecting people online while embracing the opportunities that digital innovation brings.

And when it comes to children, that's more important than ever. In an age when children learn how to use a tablet before they can ride a bike, making sure they have the freedom to play, learn and explore in the digital world is of paramount importance.

The answer is not to protect children from the digital world, but to protect them within it.

So today we're setting out the standards expected of those responsible for designing, developing or providing online services likely to be accessed by children, when they process their personal data. Age appropriate design: a code of practice for online services has been published for consultation.

When finalised, it will be the first of its kind and set an international benchmark.

It will leave online service providers in no doubt about what is expected of them when it comes to looking after children's personal data. It will help create an open, transparent and protected place for children when they are online.

Organisations should follow the code and demonstrate that their services use children's data fairly and in compliance with data protection law. Those that don't, could face enforcement action including a fine or an order to stop processing data.

Introduced by the Data Protection Act 2018, the code sets out 16 standards of age appropriate design for online services like apps, connected toys, social media platforms, online games, educational websites and streaming services, when they process children's personal data. It's not restricted to services specifically directed at children.

The code says that the best interests of the child should be a primary consideration when designing and developing online services. It says that privacy must be built in and not bolted on.

Settings must be "high privacy" by default (unless there's a compelling reason not to); only the minimum amount of personal data should be collected and retained; children's data should not usually be shared; geolocation services should be switched off by default. Nudge techniques should not be used to encourage children to provide unnecessary personal data, weaken or turn off their privacy settings or keep on using the service. It also addresses issues of parental control and profiling.

The code is out for consultation until 31 May. We will draft a final version to be laid before Parliament and we expect it to come into effect before the end of the year.

Our Code of Practice is a significant step, but it's just part of the solution to online harms. We see our work as complementary to the current initiatives on online harms, and look forward to participating in discussions regarding the Government's white paper.

The proposals are now open for public consultation:

The Information Commissioner is seeking feedback on her draft code of practice Age appropriate design -- a code of practice for online services likely to be accessed by children (the code).

The code will provide guidance on the design standards that the Commissioner will expect providers of online 'Information Society Services' (ISS), which process personal data and are likely to be accessed by children, to meet.

The code is now out for public consultation and will remain open until 31 May 2019. The Information Commissioner welcomes feedback on the specific questions set out below.

You can respond to this consultation via our online survey , or you can download the document below and email to ageappropriatedesign@ico.org.uk .

lternatively, print off the document and post to:

Age appropriate design code consultation
Policy Engagement Department
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Comment: Entangling start ups in red tape

See article from adamsmith.org

Today the Information Commissioner's Office announced a consultation on a draft Code of Practice to help protect children online.

The code forbids the creation of profiles on children, and bans data sharing and nudges of children. Importantly, the code also requires everyone be treated like a child unless they undertake robust age-verification.

The ASI believes that this code will entangle start-ups in red tape, and inevitably end up with everyone being treated like children, or face undermining user privacy by requiring the collection of credit card details or passports for every user.

Matthew Lesh, Head of Research at free market think tank the Adam Smith Institute, says:

This is an unelected quango introducing draconian limitations on the internet with the threat of massive fines.

This code requires all of us to be treated like children.

An internet-wide age verification scheme, as required by the code, would seriously undermine user privacy. It would require the likes of Facebook, Google and thousands of other sites to repeatedly collect credit card and passport details from millions of users. This data collection risks our personal information and online habits being tracked, hacked and exploited.

There are many potential unintended consequences. The media could be forced to censor swathes of stories not appropriate for young people. Websites that cannot afford to develop 'children-friendly' services could just block children. It could force start-ups to move to other countries that don't have such stringent laws.

This plan would seriously undermine the business model of online news and many other free services by making it difficult to target advertising to viewer interests. This would be both worse for users, who are less likely to get relevant advertisements, and journalism, which is increasingly dependent on the revenues from targeted online advertising.

The Government should take a step back. It is really up to parents to keep their children safe online.

Offsite Comment: Web shake-up could force ALL websites to treat us like children

15th April 2019. See article from dailymail.co.uk

The information watchdog has been accused of infantilising web users, in a draconian new code designed to make the internet safer for children.

Web firms will be forced to introduce strict new age checks on their websites -- or treat all their users as if they are children, under proposals published by the Information Commissioner's Office today.

The rules are so stringent that critics fear people could end up being forced to demonstrate their age for virtually every website they visit, or have the services that they can access limited as if they are under 18.