That this House regrets that the draft Protection of Children Codes of Practice for search services does not fully deliver the level of protection for children envisaged by the Online Safety Act 2023 due to regulatory gaps, accessibility challenges, and the consultation process failing adequately to address feedback from civil society organisations and victims’ groups.
Relevant document: 25th Report from the Secondary Legislation Scrutiny Committee (special attention drawn to the instrument).
My Lords, this is a regret Motion, and one of my regrets today is that we are debating it so long after it was tabled back in May this year. The Online Safety Act 2023 was born from tireless campaigning over a long period, and when I look around the Chamber, I see a number of those who were heavily engaged on that Act. The clear parliamentary intent was to create a safer digital environment. This House passed landmark legislation with the clear ambition to compel online platforms to take proportional measures to safeguard children from accessing or being exposed to harmful and inappropriate content and behaviour.
One of the key questions today, which many have continued to raise since I first put down the regret Motion, is: does the implementation of the Act match that ambition? The children’s codes of practice were intended to translate Parliament’s intent into practical reality; yet following scrutiny by the Secondary Legislation and Scrutiny Committee, extensive feedback from civil society organisations and analysis of emerging online harms, it is clear that in their current form these codes present significant shortcomings, hence this regret Motion. For example, the Molly Rose Foundation, founded following the death of 14 year-old Molly Russell, is deeply dismayed by the lack of ambition in these codes and states explicitly that it does not have confidence that the Online Safety Act will prevent a repeat of Molly’s death.
The Online Safety Act explicitly mandates that a higher standard of protection is provided for children than for adults. It demands that services are safe by design, yet the codes recommend only a limited number of measures that do little to address the fundamental design features and functionalities that facilitate or exacerbate harm to children. Specifically, the codes fail to address the harmful design features that platforms have embedded in their business models, features that prioritise engagement and monetisation over safety. These include scroll mechanisms that trap children in continuous content consumption, push notifications that constantly pull them back to platforms, loot boxes that exploit addictive behaviours, and algorithmic amplification that prioritises content designed to maximise engagement rather than well-being.
12:30 pm
The third issue is the question of structural flaws—the safe harbour problem. Perhaps the most urgent concern relates to the fundamental architecture of these codes. Ofcom initially described them as transformational yet subsequently characterised them as merely a first iteration. Was this what we envisaged when we passed the Online Safety Act? Ofcom’s codes provide a safe harbour to platforms that effectively means that the codes act as a ceiling, not a floor, for their safety standards. This provides platforms with exactly the incentive we would wish to discourage—the incentive to do precisely what is mandated and nothing more.
The measures risk baking in the current industry response rather than incentivising safety by design or taking steps beyond the status quo. The regulatory mechanism mirrors what the largest platforms are already doing, setting a ceiling that disincentivises innovation beyond the status quo. Ofcom’s iterative approach has been criticised as being too slow and reactive, leaving a big gap in outcomes. Despite claiming that the protection provided by children’s codes is transformative and a game-changer, Ofcom has not produced any impact assessment to set out their likely effects, nor does it face any requirement to meet or report against specified harm reduction targets.
Ofcom acknowledges that not all individual risks have specific measures in the codes. A platform may identify new harmful trends through its mandatory risk assessments, new forms of grooming, emerging harms in virtual reality and the exploitation of artificial intelligence. Yet these risks are not covered by specific measures in the current iteration of the codes, and there is no immediate legal obligation for the platform to address them. This means that vulnerable children are left unprotected in the interim period until the next iteration is consulted on. This is unacceptable; we need urgent assurance that the Government are prepared to address this fundamental flaw, potentially by amending the Online Safety Act to close this loophole and ensure that safe by design is delivered in practice.
Then there is the specific decision to reduce protective measures regarding smaller services. Why should smaller sites become a safe harbour where harmful activity flourishes? At the risk of returning to our previous regret Motion on categorisation, we have all been clear that there should be the highest duty on sites that pose the greatest risks. Critics rightly ask why small sites should become a safe harbour where harmful activity flourishes.
Fourthly, there are the practical and accessibility challenges raised by the SLSC. It pointed out that the regulatory framework is complex to the point of opacity. Key documents run to over 600 pages, and this complexity makes it difficult to navigate and undermines accessibility for those trying to understand service providers’ duties. This is not merely an administrative inconvenience for platforms; it makes it harder for parents, victims and smaller organisations to understand their rights and effectively report concerns. The SLSC questioned how practical it is to expect children themselves to complain about harmful content, and it is unclear what further action children could take if a service provider simply rejects their complaint. These systems must be designed with a children-first approach to guarantee that they are truly accessible and effective.
These practical challenges include immediate concerns about implementation. The widespread use of virtual private networks by children and young people risks rendering age assurance measures ineffective. What is the Government’s response to that? Concerns remain that age assurance systems may pose a data protection or privacy threat to users. Crucially, civil society organisations are concerned that both Ofcom and the ICO have not stipulated a clear approach as to how age assurance methods will be evaluated for compliance with data protection. There are concerns also that important content, such as political debate, educational sites and information sites like Wikipedia and support forums dealing with LGBTQ+ rights or sexual health are being inappropriately age gated on social media. We raised this as a major risk during the passage of the Act. What is the Government’s response?
I return to the harms and the scale of emerging threats that these regulatory gaps leave unaddressed. The Child Online Harms Policy Think Tank has highlighted emerging threats that the codes do not adequately address. These are not hypothetical harms—they are happening now. In virtual reality environments, children as young as nine are entering 18-plus virtual rooms. Instances of virtual groping and sexual assault have been documented. The VIRAC project found that grooming is a top risk, with half of young participants reporting strangers asking for personal images or details. Anonymity features in these immersive platforms encourage offenders and complicate identification, policing and moderation, and the high level of immersion makes harassment, hate speech and exposure to harmful adult content far more impactful than in traditional online spaces. Yet it remains unclear how the Online Safety Act will adequately address these challenges, particularly given its focus on content rather than the contact and conduct risks that dominate in virtual reality platforms.
I could mention the threat from artificial intelligence. It is projected that 90% of all online content will be AI generated by the end of 2025. AI-powered systems can inadvertently or deliberately expose children to inappropriate content, encourage risky behaviours and enable new forms of targeted exploitation. This represents a fundamental shift in how children are being exploited online. Young people are increasingly vulnerable to becoming both victims and perpetrators of cybercrime.
The draft codes form an essential part of the new online safety regime, but the criticisms that have been made are completely justified. These codes are too cautious; they fail to incorporate civil society expertise; and they are undermined by the safe harbour provision and an incremental approach that leaves gaps, which leave children vulnerable. Can the Minister confirm what timescale has been agreed with Ofcom for the revision of these codes? We must have assurance on the approach to future consultations and scrutiny, ensuring that Parliament is kept fully informed of progress in closing these dangerous regulatory gaps. We also need confirmation that future risk assessments will be required to consider not just content but also contact, conduct and contract risks—the full range of harms that children face.
The ambition of the Online Safety Act demands robust, comprehensive and urgent action. We cannot afford to leave children exposed to known risks in the digital world while we wait for a gradual, reactive regulatory process to catch up. I beg to move.
My Lords, I thank the noble Lord, Lord Clement-Jones, for initiating this debate, and I agree with almost everything he has just said.
I applaud the enormous work that Ofcom has put into creating and implementing the children’s codes. I am pleased to hear that they have already led to a huge reduction in children online accidentally stumbling on pornography and other harmful materials. However, I fear, as the noble Lord has just said, that the rules-based nature of the codes specifies narrow recommended measures rather than incentivising desired outcomes and encouraging the platforms to implement mitigations to children’s harms which go beyond these codes. This is particularly the case with live-streaming, which, according to Ofcom’s own finding, is a risky functionality. The regulator’s register of risk says that live-streaming can be a risk for several kinds of harm to children; it specifies the real-time sharing of suicide and self-harm content.
When Dame Melanie Dawes came before the Communications and Digital Committee, on which I have the privilege to serve, she said that Ofcom had implemented mitigations to live streaming for under 18s. The measures stop them from using likes, switch off screen capture and prohibit comments on their feeds. This has the beneficial effect of stopping any adult who might consider grooming a child from interacting and encouraging the child user to take further action. However, it still exposes children to potential harms from adult predators. Surely, the best option would be to stop children from using the functionality, or at least introduce some age-appropriate design that limits usage to 16 to 18 year-olds. I know that Ofcom regards such a ban, or even age-appropriate design, as being too punitive for a service that is used by under 18 year-olds, but it would achieve the aim of the Online Safety Act, which is to protect children from harm.
My Lords, I thank the noble Lord, Lord Clement-Jones, for bringing this regret Motion. He gave a tour de force of all the reasons why we should regret that these codes are not more ambitious. I too wholeheartedly support the Online Safety Act and, once again, it is a privilege to be with the tech team across the aisles that has worked on this legislation for a very long time. I do not in any way want to diminish the substantial work that Ofcom has done on this. It is a ground-breaking piece of legislation, as the noble Lord, Lord Clement-Jones, said. There is a huge amount of work to implement it and I would not want in any way to slow down that implementation. I regret, however, that these codes are not more ambitious.
My remarks will, very briefly, focus on the first group of concerns that the noble Lord, Lord Clement-Jones, focused on: insufficient protections and the lack of ambition in them. I will specifically focus on whether these codes really allow for age-appropriate experiences. Any parent or grandparent knows that what is appropriate for a 13 year-old is very different from what is appropriate for a 17 year-old. Yet, sadly, although Ofcom recognises that user-to-user services should
“consider children in different age groups”,
there is little or no guidance on what they should actually consider. As we are learning, unless those things are specified in detail, the safe harbour provision just means that the user-to-user services do not really need to do it at all. As a result, it is highly unlikely that these codes will produce user-to-user services that are age appropriate for 13 year-olds relative to 17 year-olds. Even more fundamentally, they will not address the millions of under-13s using social media platforms that even those providers themselves admit are only appropriate for 13 year-olds and above.
12:45 pm
Ofcom will require platforms only to reduce the frequency with which children are shown certain forms of harmful content, such as dangerous stunts, rather than demanding they stop recommending it altogether. Several platforms have persuaded the regulator that content moderation is not technically feasible, leading Ofcom to require only “proportionate alternatives” such as preventing access to group chats where primary priority content has been identified, which the Molly Rose Foundation anticipates is highly likely to be gamed by the industry. Measures that could have helped, such as enabling children to provide feedback on algorithmic recommendations, appear to have been watered down and are now effectively left to the platform’s discretion.
The codes fail adequately to require safety by design or to require companies to take specific actions to address high-risk functionalities such as live streaming, despite Ofcom highlighting them in its register of risks. Civil society organisations such as Internet Matters have expressed disappointment that key recommendations on parental controls were not included as specific duties. There is a notable lack of reference to media literacy, which is essential for equipping families to support children’s safety. Concerns surrounding complex issues such as child-on-child harms were raised in consultation, yet these recommendations were not taken forward. The fundamental problem regarding pornography is not just access, but that the pornography itself is extreme, depicting acts that could not be legally published in offline formats such as DVDs. The regulator’s proposed measures for recommender systems are seen as having misdiagnosed the core problem, focusing narrowly on demotion of illegal content rather than addressing the amplification of lawful but cumulatively harmful content.
The second key issue is the failure of process. It is a matter of great concern that civil society organisations and victims’ groups felt that they were not listened to during consultation. These groups draw on the lived and often traumatic experience of victims and survivors, and they report that fundamental issues that they flagged remain unaddressed. There is a suggestion that Ofcom may have given greater weight to industry concerns than to the voices of safety advocates. Ofcom has explicitly confirmed that it has made no quantitative assessment or modelling of the societal costs and impacts of harmful online content. The quantified financial costs to businesses of compliance are given disproportionate weight compared to the immense potential impact of harm on individuals and the wider economic and societal costs.
In addition, I would ask the regulator to address established pathways to harm that end in live streams, even if they do not begin there, in particular the specific threat profile of “com groups”, where children are identified and contacted via other functionalities and then moved to live streams, where they are often coerced into horrific actions. These and other upstream measures will protect children from these harms. It may be a good idea to look at introducing time delays between an account being set up and being allowed to start a live stream. Some services, such as LiveMe, have already banned children from live-streaming on their apps. My additional fear is that, even when services go beyond the thresholds set out in the Act, there is no rollback provision to stop them reneging on such beneficial actions.
My other area of concern is the use of VPNs by children, as the noble Lord, Lord Clement-Jones, just raised. A huge rise in their use was reported when the codes were first introduced. Internet Matters estimated that, of the under-18s, one in 10 was using VPNs. The fear was that they were going on to VPNs to access harmful content, which the codes had prevented them reaching. Ofcom has said that it is uncertain why there is a big increase in use. Many children claim that they need the VPN because the internet connection at their school is bad and it is a way of improving access to the internet. I wonder why, if this is the case, the rise in VPN use should coincide with the introduction of the children’s code. If there had been a problem with school connections, surely that issue would have been raised prior to the code’s adoption.
The Children’s Commissioner, in her August report, called for the Government to
“explore options to ensure children aren’t able to use VPNs to avoid the age assurance process”.
This could be achieved by
“amending the Online Safety Act to bring in an additional provision which would require VPN providers in the UK to put in place Highly Effective Age Assurance … and prevent them from accessing pornographic sites”.
Can the Minister tell the House whether any such measures are being considered?
At the very least, there should be an education programme for parents who, in many cases, enhance the policing of their children’s use of VPNs by understanding their possible misuses. For instance, when they are asked to pay for children’s access to the VPN app, they should interrogate the need for this access. Surely general advice for safety protection could be given to parents, as happens with parental control of video games.
I know that Ofcom is carrying out research into why children are using VPNs. It is a welcome step, but I must ask why this was not anticipated and research carried out earlier. I am pleased with the greatly improved safety environment for children introduced with these codes, but the internet is a dangerous place. I therefore ask the Minister to ensure that it is a safe place for our children in all its functionalities.