On 30th November I emailed the letter shown below to the Information Commissioner.
You will recall a little over a year ago (19th August 2020), on your behalf Steve Wood replied to a letter I sent to you. My letter had outlined concerns about the ICO not enforcing UK GDPR laws in respect of the systematic and persistent processing of children’s data by commercial pornography web sites. I referred to the Age-Appropriate Design Code (AADC) and to other grounds on which I thought the ICO ought to act.
In relation to the AADC Mr Wood replied
“The primary harms to children in this case are content harms, delivered by a service that, because of its adult nature, is not captured by the intent of the AADC.”
An AADC which cannot encompass age-inappropriate outcomes probably needs to be renamed. But this is anyway an odd reading of the intent of the code
s.123 (1) DPA, 2018 says
“The Commissioner must prepare a code of practice which contains such guidance as the Commissioner considers appropriate on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.” (emphasis added)
A great deal of evidence shows porn sites are in fact being accessed by large numbers of children and as things stand today this is likely to continue for years to come.
Mr Wood suggested it would be absurd to think porn sites could be “made appropriate for use by…. children” and I agree. But the point is, in such egregious cases, with a specially protected class of data subjects, porn sites should not be processing children’s data at all and the ICO should tell them to stop.
Recital 38 of the UK GDPR explains why children are in a special position
“Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”
Staying with the AADC a while longer, on the ICO’s web page explaining the AADC, we are told the AADC can apply
“…even if (children) are not your target audience…”
To remove all possible doubt, further down on the same page there is this
“… in practice… most for-profit online services are… covered by the (AADC). This includes…
any websites offering… goods or services to users over the internet…
If your online service is likely to be accessed by children under the age of 18, even if it’s not aimed at them, then you are probably covered by the code.”
Notwithstanding the above, as I pointed out in my original letter to you , dated 22nd June 2020, the AADC is not the sole basis on which the ICO could and should act.
Article 5 (1) of the UK GDPR says
“Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject”
In the ICO’s guidance “fairly” is explained in the following terms
“In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually.”
In the “At a glance guide” the notion of fairness is further elaborated
“You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.”
As Recital 38 suggests, none of the highlighted words make any sense unless they are understood to refer to the consequences of the data processing to which a child is subjected.
I hope you will agree data processing cannot be a hermetically sealed, self-regarding and eternal loop where the “nature” of the content, referencing its real-world impact or consequences, are relentlessly disregarded. To this extent Mr Wood’s interpretation is a misreading of the law.
Even if I am wrong about that, deliberately or recklessly collecting and using data for a purpose which will result in known and significant harms to a child offends against fundamental data processing principles.
Amongst other things there is an implied if not direct element of misrepresentation and a concomitant lack of transparency.
In terms of the lawful bases for data processing, in the case of porn and children there can be no consent, neither can any of the other lawful bases be applied. For all these reasons the actions of the porn companies can only be viewed as being outwith the GDPR and in major ways which have no bearing at all on the AADC, even as Mr Wood appears to understand it. See also the “aggravating factors” listed in the ICO’s “Regulatory Action Plan”.
There are porn sites which wish to introduce age verification to ensure they are not processing children’s data unlawfully. They want to operate legitimately, but they feel their aspirations are being thwarted by the lack of any apparent or meaningful threat on the near horizon in relation to those sites which, encouraged by the ICO’s inactivity, for as long as possible will do nothing to keep children out. The “wannabe legitimate” porn sites see no material advantage to going first or early. On the contrary they are convinced less fastidious rivals would simply and quickly pick up their customers and revenues.
This latter point has been further amplified and underlined in an article which appeared at the weekend in The Sunday Times where the Children’s Commissioner is quoted as follows
“I met with some of the biggest porn companies and challenged them on age verification. As long as all adult sites have to have age verification put on them, they would be comfortable to go forward with that. They basically said, ‘Make us do it’. I was pleased with that.”
As indicated in Mr Wood’s letter, you may be concerned about the possibility of extra-territorial enforcement in relation to your existing powers. However, you will be aware Mastercard recently withdrew payment services from Pornhub. This prompted Pornhub to delete over two-thirds of its content as it sought to restore its ability to collect revenues via that channel.
Mastercard has since specifically said it would not allow a site to take payments from the UK if a UK statutory regulator informed them the site was operating unlawfully. I am sure services such as search engines, advertisers, advertising agencies and web hosting companies would respond similarly. This shows, were the ICO to act, it would not be alone in seeking to bring recalcitrant sites into line with UK law and norms. It would create a powerful and urgent incentive, an incentive which, as we have seen, would be welcomed by “some of the biggest porn companies”.
By its failure to act the Government is violating the human rights of children and parents. Moreover, in a recent (and still unreported) case Mrs Justice Whipple, as she then was, observed that there is a gap in the Online Safety Bill in relation to porn (“pornography” is not mentioned) and a gap in relation to the timescales within which such a gap might be closed and become operative. As stated earlier, as things stand children could be exposed to porn for years to come, hence the importance of creating the “urgent incentive”.
Furthermore, you will note Mrs Justice Whipple placed no legal reliance on the Online Safety Bill. Neither should the ICO. I appreciate you have a number of competing priorities, and you must make operational decisions based on the resources available to you, but I am sure you will agree that for the vast majority of people in the UK there is no higher priority than the protection of children.
You remain the only person in the country with the power to act to protect another generation of children from the distorting impact of open access to pornography with all the dreadful and now well-documented effects we know that has on society, particularly in respect of violence towards women and girls.
I ask you to reconsider your decision not to act against pornography web sites.