My Lords, as the Online Safety Act sets out, the Secretary of State must set thresholds for three categories of service: category 1, category 2A and category 2B. The services that fall into each of these categories must comply with additional duties, with category 1 services having the most duties placed on them. These duties are in addition to the core duties which apply to all user-to-user and search services in scope, including illegal content duties and child safety duties.
All categorised services must comply with transparency reporting duties. They must also have terms on parents’ ability to access information about how their child used a service, in the tragic event that their child dies. Category 1 and 2A services also have additional duties to tackle paid-for fraudulent advertising. They will also have to comply with enhanced risk assessment and record-keeping duties.
The most additional obligations will fall on category 1 services. These are the services with the most users, and which spread content easily, quickly and widely. To the extent it is proportionate to do so, category 1 services must give adults more choice about who they interact with and the content they see. That includes suicide, self-harm and hate-inciting content. Additionally, category 1 services must protect journalistic and news publisher content and content of democratic importance. The duties will also hold these companies to account over their terms of service, making sure that they keep the promises they make to their users.
The Act requires that specific factors must be taken into account by the Secretary of State when deciding the thresholds for each category. The threshold conditions for user-to-user services, categories 1 and 2B, must be set on user numbers, functionalities and any other characteristics or factors related to the user-to-user part of the service the Secretary of State deems relevant. For category 2A, they must be set on the number of users of the search engine, plus any other factors or characteristics.
For category 1, the key consideration is the likely impact of the number of users of the user-to-user part of the service and its functionalities on how quickly, easily and widely regulated user-generated content is disseminated by means of the service. For category 2A, the key consideration is the likely impact of the number of users of the search engine on the level of risk of harm to individuals from search content that is illegal or harmful to children. For category 2B, the key consideration is the likely impact of the number of users of the user-to-user part of the service and its functionalities on the level of risk of harm to individuals from illegal content and content that is harmful to children disseminated by means of the services.
These considerations formed the basis of Ofcom’s independent research and advice, published in March last year, which the Secretary of State had to consider when setting threshold conditions. Once in force, these regulations will enable Ofcom to set up a public register of categorised services, which it expects to publish this summer. Ofcom will then consult on the remaining draft codes of practice and guidance, where relevant, for the additional duties.
7:30 pm
I understand that some disagree with this and I have, like many others, heard the horrifying stories about these sites. I share the noble Lord’s sentiment that we must stop vulnerable people falling victim to them, but I assure those in this House that these types of services will not be overlooked by the legislation. All regulated user-to-user and search services, including small but risky ones, will be subject to the existing illegal content duties and, where relevant, the child safety duties. The categorisation thresholds do not change that.
I was pleased to see Ofcom set out, in September last year, its targeted approach to tackling small but risky services. This included a dedicated supervision task force and a commitment to move to rapid enforcement action where necessary. The task force’s purpose is to respond effectively, promptly and proportionately to new or growing harms and risks, focusing on the most credible and high-severity issues, where it can have the greatest impact. I am confident that the regulatory framework, alongside this bespoke task force, will work to keep all UK citizens safe online. Of course, the Government will not hesitate to act where needed to keep people safe.
I must stress that the Secretary of State will keep these thresholds under review. Under Section 178 of the Act, he must review how effective the regulatory framework is two to five years after key provisions of the Act come into force. This will be published as a report and laid before Parliament. If there is evidence that the categories have become outdated, he will look at updating the thresholds where possible or reviewing the legislation where needed.
I hope I have addressed noble Lords’ concerns, but I look forward to all their contributions on this very important debate.
At end insert “but that this House regrets that the Regulations do not impose duties available under the parent Act on small, high-risk platforms where harmful content, often easily accessible to children, is propagated; calls on the Government to clarify which smaller platforms will no longer be covered by Ofcom’s illegal content code and which measures they will no longer be required to comply with; and calls on the Government to withdraw the Regulations and establish a revised definition of Category 1 services.”
My Lords, I am very pleased to see the Minister back in her place. I thank her for her introduction to this statutory instrument. Her disappointment at my tabling this regret amendment is exceeded only by my own disappointment at the SI. However, I hope that she will provide the antidote to the Government’s alarming tendency to pick unnecessary fights on so many important issues—a number of them overseen by her department.
Those of us who were intimately involved with its passage hoped that the Online Safety Act would bring in a new era of digital regulation, but the Government’s and Ofcom’s handling of small but high-risk platforms threatens to undermine the Act’s fundamental purpose of creating a safer online environment. That is why I am moving this amendment, and I am very grateful to all noble Lords who are present and to those taking part.
The Government’s position is rendered even more baffling by their explicit awareness of the risks. Last September, the Secretary of State personally communicated concerns to Ofcom about the proliferation of harmful content, particularly regarding children’s access. Despite this acknowledged awareness, the regulatory framework remains fundamentally flawed in its approach to platform categorisation.
The parliamentary record clearly shows that cross-party support existed for a risk-based approach to platform categorisation, which became enshrined in law. The amendment to Schedule 11 from the noble Baroness, Lady Morgan—I am very pleased to see her in her place—specifically changed the requirement for category 1 from a size “and” functionality threshold to a size “or” functionality threshold. This modification was intended to ensure that Ofcom could bring smaller, high-risk platforms under appropriate regulatory scrutiny.
Subsequently, in September 2023, on consideration of Commons amendments, the Minister responsible for the Bill, the noble Lord, Lord Parkinson—I am pleased to see him in his place—made it clear what the impact was:
7:45 pm
What account did the Government and Ofcom take of the interaction and interrelations between small and large platforms, including the use of social priming through online “superhighways”, as evidenced in the Antisemitism Policy Trust’s latest report, which showed that cross-platform links are being weaponised to lead users from mainstream platforms to racist, violent and anti-Semitic content within just one or two clicks?
The solution lies in more than mere technical adjustments to categorisation thresholds; it demands a fundamental rethinking of how we assess and regulate online risk. A truly effective regulatory framework must consider both the size and the risk profile of platforms, ensuring that those capable of causing significant harm face appropriate scrutiny regardless of their user numbers and are not able to do so. Anything less—as many of us across the House believe, including on these Benches—would bring into question whether the Government’s commitment to online safety is genuine. The Government should act decisively to close these regulatory gaps before more harm occurs in our increasingly complex online landscape. I beg to move.
My Lords, I thank the Minister for her engagement on this issue, not just with me but with Members across the House. It has been very much appreciated, including when she was not here because she was dealing with her own health issues.
When I talk about what we do here in the House of Lords, one of the great successes I point to is the scrutiny that we gave to the Online Safety Act. We did it in a cross-party way, eventually managing to persuade the Government, as well as Ofcom, about the changes that were needed. Those changes were then taken back to the House of Commons, and Ministers there conceded them. As a result of that working together, we ended up with a much stronger Bill that will do much to protect vulnerable and young people and those most at risk of harmful content online. So it is a matter of great regret that, the first time we are debating a statutory instrument of substantive interest under this Act, we—all of us, I suspect—have to say that we are deeply disappointed by the drafting that we have seen.
On 19 July 2023, I moved a very small amendment and was grateful to the House for its support. I said at the time that one change of one word—from “and” to “or”—made for a small but powerful amendment. The noble Lord, Lord Clement-Jones, set out brilliantly and comprehensively why that change was so important, so in the time available, I will not repeat what he said. The House clearly voted for change and the Minister’s own party supported that change, for which I was deeply grateful.
The other interesting thing is that Ofcom said to me that it did not object to that change. However, in its note today—I am sure that it sent the note to other Members—Ofcom talked about the harms-based approach that it is following when recommending to the Government how they should legislate under the Act. But that harms-based approach rings hollow when—through Ofcom’s interpretation, which it has given to the Government—it has ridden roughshod over looking at the risk of the small but high-harm platforms.
My Lords, I remind the House of my interests, particularly as chair of 5Rights and as adviser to the Institute for Ethics in AI at Oxford. I wholeheartedly agree with both the previous speakers, and in fact, they have put the case so forcefully that I hope that the Government are listening.
I wanted to use my time to speak about the gap between the Act that we saw pass through this House and the outcome. What worries me the most is how we should understand the purpose of an Act of Parliament and the hierarchy of the instructions it contains. I ask this because, as the noble Lord, Lord Clement-Jones, and the noble Baroness, Lady Morgan, have already said, the Government of the day, with the express support of Members of this House, including the Front Bench of the Labour Party, agreed that categorisation would be a question of risk or size, not simply size. That was the decision of the House, it was supported in the other place, and it is in the text of the Act. So, it would be useful to understand, in the view of His Majesty’s Government, whether the text of an Act and, separately, a statement made by a Minister from the Dispatch Box, have any authority. If they do, I cannot understand how Ofcom is allowed to overturn that, or how the Secretary of State, without taking action to amend the Act, has been able to allow it to do so.
It is essential to get a clear answer from the Minister about the status of the text of the Act, because this is a pattern of behaviour where the regulator and government appear to be cherry-picking which bits of the Online Safety Act are convenient and ignoring those they consider too difficult, too disruptive, or—I really hope not—too onerous for tech companies. Ofcom has similarly determined not to observe the provisions in the OSA about functionalities contained throughout the Act; for example, at Sections 9(5), 10(4) and 11(6)—I could go on; on extended use, at Section 11(6)(f); and on the requirement to consider the needs of children in different age groups which, like functionalities, run through the Act like a golden thread.
20 of 67 shown
In laying these regulations before Parliament, the Secretary of State has considered Ofcom’s advice and decided to follow it. I know that this decision will not please everyone, so let me set out why it was made.
Ofcom’s research concluded that, as the number of users of a service increases, so does how widely content spreads. The statutory consideration of category 1 under the Act is
“how easily, quickly and widely regulated user-generated content is disseminated by means of the service”.
Therefore, it was concluded that user numbers should not be ignored. Setting thresholds for category 1 that take into account the size and reach of services is also essential to make sure we avoid inadvertently categorising hundreds of small, low-risk services.
I turn now to the regret amendment that the noble Lord, Lord Clement-Jones, has tabled before the House. It is disappointing that a regret amendment has been tabled. I understand that it is because of the noble Lord’s view that risk should be the main consideration for category 1. He would ideally like to see so-called “small but risky” services, such as small suicide forums, brought into scope.
I also want to acknowledge that the successful amendment from the noble Baroness, Lady Morgan, made it possible to create threshold combinations by reference only to functionalities and any other factors or characteristics. However, in practice this was difficult to do at the time.
In setting the threshold conditions, the Secretary of State must act within the legal framework, which means he still must consider easy, quick and wide dissemination of user-generated content for category 1. He must also act within the powers afforded to him in setting the thresholds, which does not allow for sub-delegation to outside parties, such as coroners or Ofcom.
Unintended consequences were considered, including unintentionally categorising hundreds of small, low-risk services. I want to be very clear through this that the Government did consider options to bring small but risky services into scope, including those proposed by many thoughtful people on this complicated issue, but ultimately a workable and robust condition for capturing small but risky services was not found.
“I am grateful to my noble friend Lady Morgan of Cotes for her continued engagement on the issue of small but high-risk platforms. The Government were happy to accept her proposed changes to the rules for determining the conditions that establish which services will be designated as category 1 or 2B services. In making the regulations, the Secretary of State will now have the discretion to decide whether to set a threshold based on either the number of users or the functionalities offered, or on both factors. Previously, the threshold had to be based on a combination of both”.—[Official Report, 19/9/23; col. 1339.]
I do not think that could be clearer.
This Government’s and Ofcom’s decision to ignore this clear parliamentary intent is particularly troubling. The Southport tragedy serves as a stark reminder of the real-world consequences of inadequate online regulation. When hateful content fuels violence and civil unrest, the artificial distinction between large and small platforms becomes a dangerous regulatory gap. The Government and Ofcom seem to have failed to learn from these events.
At the heart of this issue seems to lie a misunderstanding of how harmful content proliferates online. The impact on vulnerable groups is particularly concerning. Suicide promotion forums, incel communities and platforms spreading racist content continue to operate with minimal oversight due to their size rather than their risk profile. This directly contradicts the Government’s stated commitment to halving violence against women and girls, and protecting children from harmful content online. The current regulatory framework creates a dangerous loophole that allows these harmful platforms to evade proper scrutiny.
The duties avoided by these smaller platforms are not trivial. They will escape requirements to publish transparency reports, enforce their terms of service and provide user empowerment tools. The absence of these requirements creates a significant gap in user protection and accountability.
Perhaps the most damning is the contradiction between the Government’s Draft Statement of Strategic Priorities for Online Safety, published last November, which emphasises effective regulation of small but risky services, and their and Ofcom’s implementation of categorisation thresholds that explicitly exclude these services from the highest level of scrutiny. Ofcom’s advice expressly disregarded—“discounted” is the phrase it used—the flexibility brought into the Act via the Morgan amendment, and advised that regulations should be laid that brought only large platforms into category 1. Its overcautious interpretation of the Act creates a situation where Ofcom recognises the risks but fails to recommend for itself the full range of tools necessary to address them effectively.
This is particularly important in respect of small, high-risk sites, such as suicide and self-harm sites, or sites which propagate racist or misogynistic abuse, where the extent of harm to users is significant. The Minister, I hope, will have seen the recent letter to the Prime Minister from a number of suicide, mental health and anti-hate charities on the issue of categorisation of these sites. This means that platforms such as 4chan, 8chan and Telegram, despite their documented role in spreading harmful content and co-ordinating malicious activities, escaped the full force of regulatory oversight simply due to their size. This creates an absurd situation where platforms known to pose significant risks to public safety receive less scrutiny than large platforms with more robust safety measures already in place.
The Government’s insistence that platforms should be “safe by design”, while simultaneously exempting high-risk platforms from category 1 requirements based solely on size metrics, represents a fundamental contradiction and undermines what we were all convinced—and still are convinced—the Act was intended to achieve. Dame Melanie Dawes’s letter, in the aftermath of Southport, surely gives evidence enough of the dangers of some of the high-risk, smaller platforms.
Moreover, the Government’s approach fails to account for the dynamic nature of online risks. Harmful content and activities naturally migrate to platforms with lighter regulatory requirements. By creating this two-tier system, they have, in effect, signposted escape routes for bad actors seeking to evade meaningful oversight. This short-sighted approach could lead to the proliferation of smaller, high-risk platforms designed specifically to exploit these regulatory gaps. As the Minister mentioned, Ofcom has established a supervision task force for small but risky services, but that is no substitute for imposing the full force of category 1 duties on these platforms.
The situation is compounded by the fact that, while omitting these small but risky sites, category 1 seems to be sweeping up sites that are universally accepted as low-risk despite the number of users. Many sites with over 7 million users a month—including Wikipedia, a vital source of open knowledge and information in the UK—might be treated as a category 1 service, regardless of actual safety considerations. Again, we raised concerns during the passage of the Bill and received ministerial assurances. Wikipedia is particularly concerned about a potential obligation on it, if classified in category 1, to build a system that allows verified users to modify Wikipedia without any of the customary peer review.
Under Section 15(10), all verified users must be given an option to
“prevent non-verified users from interacting with content which that user generates, uploads or shares on the service”.
Wikipedia says that doing so would leave it open to widespread manipulation by malicious actors, since it depends on constant peer review by thousands of individuals around the world, some of whom would face harassment, imprisonment or physical harm if forced to disclose their identity purely to continue doing what they have done, so successfully, for the past 24 years.
This makes it doubly important for the Government and Ofcom to examine, and make use of, powers to more appropriately tailor the scope and reach of the Act and the categorisations, to ensure that the UK does not put low-risk, low-resource, socially beneficial platforms in untenable positions.
There are key questions that Wikipedia believes the Government should answer. First, is a platform caught by the functionality criteria so long as it has any form of content recommender system anywhere on UK-accessible parts of the service, no matter how minor, infrequently used and ancillary that feature is?
Secondly, the scope of
“functionality for users to forward or share regulated user-generated content on the service with other users of that service”
is unclear, although it appears very broad. The draft regulations provide no guidance. What do the Government mean by this?
Thirdly, will Ofcom be able to reliably determine how many users a platform has? The Act does not define “user”, and the draft regulations do not clarify how the concept is to be understood, notably when it comes to counting non-human entities incorporated in the UK, as the Act seems to say would be necessary.
The Minister said in her letter of 7 February that the Government are open to keeping the categorisation thresholds under review, including the main consideration for category 1, to ensure that the regime is as effective as possible—and she repeated that today. But, at the same time, the Government seem to be denying that there is a legally robust or justifiable way of doing so under Schedule 11. How can both those propositions be true?
Can the Minister set out why the regulations, as drafted, do not follow the will of Parliament—accepted by the previous Government and written into the Act—that thresholds for categorisation can be based on risk or size? Ofcom’s advice to the Secretary of State contained just one paragraph explaining why it had ignored the will of Parliament—or, as the regulator called it, the
“recommendation that allowed for the categorisation of services by reference exclusively to functionalities and characteristics”.
Did the Secretary of State ask to see the legal advice on which this judgment was based? Did DSIT lawyers provide their own advice on whether Ofcom’s position was correct, especially in the light of the Southport riots?
How do the Government intend to assess whether Ofcom’s regulatory approach to small but high-harm sites is proving effective? Have any details been provided on Ofcom’s schedule of research about such sites? Do the Government expect Ofcom to take enforcement action against small but high-harm sites, and have they made an assessment of the likely timescales for enforcement action?
The draft statutory instrument is based on the number of users, and this House in its amendment made it very clear that, with harmful platforms, it is not just about the number of users they have but absolutely about the content, the functionalities and the risks that those sites will raise.
As the noble Baroness set out, Ofcom is relying on paragraph 1(5) of Schedule 11, looking at
“how easily, quickly and widely regulated user-generated content is disseminated by means of the service”.
But that paragraph says that the Secretary of State “must take into account” those things, not that the Secretary of State is bound solely by those criteria. Our criticism tonight of the statutory instrument is not just about the fact that Ofcom has chosen to take those words—I would say that Ofcom in not objecting to my amendment was being disingenuous if it already knew that it was going to rely on that sub-paragraph; the bigger question for the noble Baroness tonight is the fact that the Secretary of State did not have to accept the advice that Ofcom gave them.
The noble Lord, Lord Clement-Jones, talked, as no doubt others will, about the risk and the harm that we have seen from platforms. We will talk about the fact that for the Southport victims it needed only one person to be radicalised by a site that they were looking at to cause untold misery and devastation for families. This House voted recently on the harm caused by deepfake pornographic abuse. Again, it does not take many people to utterly ruin a victim’s life, and what about those platforms that promote suicide and self-harm content? It is not sufficient to say that this Act will impose greater burdens on illegal content. We all know from debates on the Act that there is content which is deliberately not illegal but which is deeply harmful both to victims and to the vulnerable.
As Jeremy Wright MP said in the debate on these regulations in Committee in the House of Commons, the Government are going to want or need these category 1 powers to apply to smaller, high-harm platforms before too long. Indeed, the Government’s own strategic statement published last year specifically says:
“The government would like to see Ofcom keep this approach”—
that is, the approach it has to small, risky services—
“under continual review and to keep abreast of new and emerging small but risky services, which are posing harm to users online”.
The Government and the Secretary of State already know that there are small but high-harm platforms causing immense risk which will not be caught by these regulations. As we have also heard, the flight therefore to these small, high-harm, risky platforms absolutely will happen as those who want to punt out harmful content seek to find platforms that are not bound by the most stringent regulations.
I will stop there because I know that others wish to speak. I will support the regret amendment tonight should the noble Lord, Lord Clement-Jones, decide to put it to a vote. It has taken far too long to get to this point. I understand the Government’s desire to make progress with these regulations, but the regret amendment states that it
“calls on the Government to withdraw the Regulations and establish a revised definition of Category 1 services”.
I ask the Minister to take that opportunity, because these regulations absolutely do not reflect the will of this House in that amendment. That is a great source of disappointment given the cross-party work that we all did to make sure the Online Safety Act was as comprehensive as it could be.
Ofcom’s own illegal harms register risk management guidance states that
“certain ‘functionalities’ stand out as posing particular risks because of the prominent role they appear to play in the spread of illegal content and the commission and facilitation of … offences”.
Ofcom then says its regulatory framework is intended to ensure service providers put in place safeguards to manage the risks posed by functionalities. It lists end-to-end encryption, pseudonymity and anonymity, live-streaming, content recommender systems, and, quite rightly, generative AI, all as functionality that it considers to be high risk. Specifically in relation to grooming, functionalities Ofcom considers risky include network expansion prompts, direct messaging, connection lists and automated information displays.
Despite acknowledgement that functionalities create heightened risk, a clear statement that addressing risk forms part of its regulatory duties, and the clearly expressed intent of Parliament and the wording of the Act, Ofcom has failed to comprehensively address functionalities both in the published illegal harms code and the draft children’s code, and it has chosen to overrule Parliament by ignoring the requirement in Schedule 11 to consider functionalities in determining which services should be designated as category 1 services.
Meanwhile, paragraph 4(a)(vii) of Schedule 4 is crystal clear in its objective of the Act that user-to-user services
“be designed and operated in such a way that … the different needs of children at different ages are taken into account”.
Ofcom has chosen to ignore that. Volume 5 of its draft children’s code says
“our proposals focus at this stage on setting the expectation of protections for all children under the age of 18”.
Any child, any parent and anyone who has spent time with children knows that five and 15 are not the same. The assertion from Ofcom in its narrative about the children’s code is blinding in its stupidity. If common sense cannot prevail, perhaps 100 years or more of child development study that sets out the ages and stages by which children can be expected to have the emotional and intellectual capacity to understand something could inform the regulator—and similarly, the age and stage by which we cannot expect a child to understand or have the intellectual capacity to deal with something.
The whole basis of child protection is that we should support the children on their journey from dependence to autonomy because we know that they do not have the capacity to do it for themselves in all contexts, because of the vulnerabilities associated with ages and development stages. Ofcom knows that the Act says that it should reflect this but somehow feels empowered to ignore or overrule the will of Parliament and, just as with categorisation, the Government appear to condone it.