Analysis of BBFC draft guidance on Age Verification

The BBFC have now published their draft guidance under the Digital Economy Act (DEA) with a consultation period until April 23rd. The full documents are on their website.

There are two sets of draft guidance, one on age verification, the other on ‘ancillary providers’ (things like ISPs, social media companies or advertisers). For the moment this is just looking at the first of these, on age verification itself.

Responding to the BBFC consultation

The deadline is 23rd April 2018

Response email is DEA-consultation@bbfc.co.uk

Responses will be published but you can ask for the whole response, part of it or your name/contact details or organisation to be kept confidential.

It’s always better if people write their own responses rather than a cut and paste model response.

The law in a nutshell

This has been widely covered before but, just to keep people up to speed, the DEA will require sites providing pornography to people in the UK to have a way of verifying that users are over 18. They also won’t be able to provide ‘extreme pornography’. The BBFC will be the regulator of this and will have the power to issue compliance notices and to notify people like ISPs and banking facility providers of non-compliance. (The full legislation can be found here.)

What the Guidance says in outline

The BBFC will adopt a ‘proportionate’ approach and aim to achieve the primary purpose of the Act – namely the protection of children.

The approach will fall into three stages:

  1. Deciding which services it will investigate
  2. Assessing if they comply with the requirement to have some age verification arrangement and/or are not providing ‘extreme pornography’
  3. Deciding on the most effective course of enforcement action.

Which sites they will investigate

It’s pretty self-evident that the BBFC won’t be examining every porn site; they themselves estimate there are around 1.5 million new pornographic URLs coming on stream every year! Their own evidence is that they would target the most popular websites. This is what the BBFC Chief Executive David Austin told the Committee considering the bill:

“As you all know, there is masses of pornography online. There are 1.5 million new pornographic URLs coming on stream every year. However, the way in which people access pornography in this country is quite limited. Some 70% of users go to the 50 most popular websites. With children, that percentage is even greater; the data evidence suggests that they focus on a relatively small number of sites.”

“We would devise a proportionality test and work out what the targets are in order to achieve the greatest possible level of child protection. We would focus on the most popular websites and apps accessed by children—those data do exist. We would have the greatest possible impact by going after those big ones to start with and then moving down the list.”

It would seem that the BBFC anticipate this being quite limited in scale, as they only envisage recruiting “one or two extra people”.

(Digital Economy Bill Committee, Second sitting, 11th Oct 2016)

Their criteria for that would be:

  1. Most frequently visited (particularly by children), or most likely to be sought out by children because of media/social media attention
  2. Have extreme pornographic material, or
  3. Other child protection issues (including child pornography)

Do they comply with the age verification provisions?

This is covered in more detail in Section 3 which sets out the criteria the BBFC will apply.

They set out criteria by which they will assess compliance and good practice in regard to privacy (see more on this below). They won’t provide a list of approved age-verification solutions but will assess individual arrangements and those which don’t meet the requirements will be treated as non-compliant.

Those criteria are set out in paragraphs 3(5) and 3(6). The only really notable point is that it won’t allow the use of an online payment method which doesn’t require the user to be over 16 (such as a debit card).

It is recommended (but not required) that pornography providers offer a choice of age verification solutions.

The BBFC will report the results of its assessments on their website.

Enforcement action

The first stage would be to issue a ‘provisional determination’ of non-compliance with a ‘prompt timeframe’ for compliance.

If the situation is not remedied there will then be a (more formal) enforcement notice.

They would then have the power to notify payment service providers (i.e. banks and credit card companies), ancillary service providers or ISPs. Notices to ISPs can require them to block people in the UK from accessing such sites.

In deciding what action to take they will take a case-by-case approach and aim to achieve the child protection goals. Basically they will look at what actions will make the relevant site compliant.

If the site then becomes compliant then any notices will be withdrawn. There will also be an appeal process.

Again details of all notices and appeals will be published on the BBFC website.

Privacy

This is IMO the weakest section, and on one level the BBFC have nothing to say on it.

Or as the rather awesome Myles Jackman summed it up on twitter: “Don’t ask us; ask the ICO”

They recommend that AV providers adopt ‘good practice’, including collecting the minimum data and giving clear information for end users on data protection. Which is fine, but the law already pretty much requires that.

They won’t have any formal consideration of privacy issues but will:

“During the course of this age-verification assessment, the BBFC will normally be able to identify the following in relation to data protection compliance concerns: failure to include clear information for end-users on data protection and how data is used; and requesting more data than is necessary to confirm age, for example, physical location information.”

If that happens they will inform the Information Commissioner’s Office (ICO) of those concerns but leave it up to them to investigate.

Crucially it seems, under these guidelines, that they would continue to regard an AV provider as meeting their requirements even if it fails to satisfy any privacy requirements.

There is a whole additional section (section 4) on the ICO which largely repeats the role that organisation already has and current data protection legislation. The only thing that appears specific to age-verification is at part 4(8):

“The ICO will promote good information rights practices in adult content providers by:

    1. providing support where appropriate to online pornography services regarding questions related to data protection and privacy matters in relation to age-verification
    2. agreeing a referral process with the BBFC, for use where data protection compliance concerns arise as part of assessment of age-verification effectiveness
    3. agreeing arrangements with the BBFC in a Memorandum of Understanding to be made publicly available”

Summary – The Good

Firstly there is a lot of transparency as to how the BBFC will operate this regime and it confirms that it will be a proportionate regime focussed on child protection and compliance with the law rather than internet censorship.

From ministerial comments it would seem that this is not the intention of the Act:

“[Kevin Brennan]: …..concerns have been raised in the press that the new clauses go beyond a backstop power to block sites to under-18s and could be used in practice to extend internet censorship to adults. The Government need to be clear whether that is the intention of the new clauses.

[Matt Hancock (Minister)]: I have also seen those reports. I think that they misread the Bill. That is neither our intention, nor our understanding of the working of the new clauses.”

An important part of that proportionate regime is the idea of a ‘provisional determination of non-compliance’. That will allow sites to be put ‘on notice’ that they don’t comply and have a chance to put things right. With any sort of regulation there will always be organisations that are unwittingly non-compliant, and it would be rather unjust for them to face potential action for a misinterpretation. There could do with being greater clarity on this, though (see below).

There is also some clarity on what age-verifiers will need to include in their services, and it does seem that the BBFC will publish details of which AV providers meet the requirements of the Act. That is important, as it will be substantially easier for sites to comply with these rules if there is clear guidance that ‘providers A, B and C all comply with the rules’ and they can pick a suitable provider. If each site had to make its own assessment of whether an AV provider was compliant it would create a substantial workload – and one for which they may not have the relevant skills.

A clear statement that AV mechanisms should be concerned with confirming age not identity is also welcome though quite limited.

It is good to see a recommendation that sites offer a choice of AV providers.

The commitment of the BBFC to publishing notices about compliance and enforcement on their website is also to be welcomed as a transparency move.

Summary – The Bad

AV systems

There is a shortage of clear and explicit requirements of what Age Verification should require to be compliant with the act. In particular there is no mention of the recently published Standard on Age Verification (https://shop.bsigroup.com/ProductDetail?pid=000000000030328409) which would seem to be a good starting point. (FWIW Neil Brown seems to think the consultation goes ‘way beyond the issues considered in the PAS.’ – https://twitter.com/neil_neilzone/status/978179380215189504)

On that subject, that standard is only available for purchase. In the interests of transparency it would be sensible to produce a public domain standard that could be widely available.

Notices and enforcement

One particular concern for pornography providers would be that once the issue of their being non-compliant has been flagged up, their ‘ancillary’ providers would ‘run to the hills’, i.e. credit card firms could withdraw their services or advertisers withdraw their advertising. That could happen even if a site has remedied any problems and is now compliant.

To that end the ‘informal’ notice process could be important, but it is important that this is a private conversation between the BBFC and the site concerned. That would be consistent with a proportionate approach and with focussing on child protection by compliance rather than censorship. Where a short but reasonable timescale is given for a site to make itself compliant, it wouldn’t provide a way in to abuse the intention of the Act.

It should be made clear that there will be a confidential ‘informal notice’ process which will not be made public or involve a notice to ancillary providers or ISPs.

Privacy

The consultation is very weak on this. If an AV provider appears not to comply with privacy and data security requirements it should not be one that the BBFC is suggesting is compliant with the act. At the very least there should be a clear commitment to making any privacy concerns public before an AV provider is said to be compliant.

The BBFC should make their points in para 3(7) of the consultation a requirement rather than just a recommendation, which would give this part some real teeth.

There is also a problem as to how the ICO will take enforcement action against any breaches. As it stands AV services can be located outside the UK (and indeed outside the EU) which makes enforcement much harder. Post Brexit even enforcement in the EU may become hard so AV providers should be required to be UK registered companies with servers in the UK. Pre-Brexit that may not be possible under EU law (indeed without looking it up I’m pretty certain it isn’t!) but it should certainly be a post-Brexit requirement.

There is quite a bit more that needs looking at in terms of the legal basis for keeping information and just what would constitute “clear information for end users on data protection”.

AV providers should also be required to notify the BBFC of any changes to their privacy policies or terms of use. Already MindGeek’s AgeID service states there is no obligation to inform users of changes to their privacy policy – https://www.ageid.com/misc/privacypolicy_en.pdf (at least one lawyer thinks this is not compliant with GDPR and possibly the DPA!)

Details kept by AV providers

The Act only requires that providers of pornographic material, “secures that, at any given time, the material is not normally accessible by persons under the age of 18.” That really only needs them to have a suitable system in place, not to be able to demonstrate that any particular individual had been certified as over 18.

That doesn’t seem to require that AV providers keep logs of access by individuals to particular sites, as there would be no requirement to evidence that they had established that a particular person was over 18. A clear statement that AV providers aren’t required to keep logs of site(s) accessed by individuals would be a very strong privacy and security measure, as the best way of securing against data breaches is not to hold the data in the first place.

One of the big concerns about AV providers is that the data they hold would have a ‘honeypot’ quality for hackers. If the only data they hold is that person X had registered to prove their age, that would be much less sensitive information than a list of websites visited by a prominent politician or premiership footballer in the last month/three months/eternity.

Disclaimer. This analysis is not written by someone legally qualified. People with legal qualifications who have commented on this are Myles Jackman and Neil Brown. If you need advice on the implications of this for you personally you should get qualified legal advice.