October 11, 2016

Written evidence to House of Commons Public Bill Committee on the Digital Economy Bill

Who are we?

1. Open Rights Group (ORG) is the United Kingdom’s only campaigning organisation dedicated to working to protect the rights to privacy and free speech online. With 3,200 active supporters, we are a grassroots organisation with local groups across theUK. We believe people have the right to control their technology, and oppose the use of technology to control people.


2. Open Rights Group have several concerns in the following areas of the Bill. These include:

  • Risk of loss and online copyright infringement
  • Age verification for online pornography
  • Data sharing

Online Copyright Infringement

Previous consultation

3. The Government consulted on extending the maximum sentence for online copyright infringement from three to ten years. Following criticism from many interested parties including Open Rights Group, the Government has proposed an amendment to the currentoffence of online copyright infringement (Copyright, Designs and Patents Act 1988 Clause 107). The new offence has removed “prejudicial effect” from the definition of the current offence. The term “prejudicial effect” was criticised for being too vague.It has the potential to apply to non-commercial infringements including those where there was no intent to cause harm.

4. Unfortunately, the new formulation of the offence in Clause 26(2) creates similar problems:

“A person (“P”) who infringes copyright in a work by communicating the work to the public commits an offence if P knows or has reason to believe that communicating the work to the public will cause loss to the owner of the copyright, or will expose theowner of the copyright to a risk of loss.”

5. This definition is broader and open to wide interpretations that would bring low value, relatively minor infringements into the scope of criminal copyright charges and ten year sentences.

6. It is unfortunate that the language of the new offence was not subject to a public consultation process. Academics, lawyers and others have not been fully able to consider the rationale and impact of the language.

Problems with the proposed offence

7. Some of the specific issues with the proposed wording of online copyright infringement offences include the following.

“Risk of loss” is as vague as “prejudicial effect”

8. “Loss” in Clause 26 (2) is defined to include “a loss by not getting what one might get”. Thus risk of loss would appear to apply to any situation in which the accused has “reason to believe” that the communication to the public would expose the copyrightowner to the mere risk of lost revenue. 9. Once an image is shared on the web, the “risk of loss” is inherently present. The sharer is not only "causing a loss" by not paying licence fees but is also enabling the possibility of further copyingby unknown persons.10. We do not think this offence is intended to catch such casual infringements, but it appears that in practice it could. For instance, an individual could use or share a commonly-seen image, such as the well-known imageof a Vietnamese child suffering from Napalm burns (licensed by AP Images). They should be aware that such a well-known image is a copyrighted work, and that they are potentially depriving the copyright owner of income. As such they seem to fall squarelywithin Clause 26 (2) as they “have reason to believe” that publication would “cause a loss”. Furthermore, web publishing would create the risk of new infringements by others, a “risk of loss”.

11. Casual infringements such as these, whether knowing or not, are subject to normal private enforcement of rights where the copyright owner feels it is necessary. A clear distinction needs to be made between a) infringements which are wrong, and canbe addressed by normal copyright laws, and b) those which are very serious, and should attract criminal charges.

Lack of thresholds for “risk” and “loss”

12. Clause 26 (2) also lacks a threshold for significance of financial gain or loss. It is unclear to the public how significant the financial impact would be to make them liable to criminal charges. What might appear as serious loss to a small commercialrights holder might not appear so to a rights holder dominating the industry.13. The rights holder will be required to merely prove that the accused had the reason to believe that there was a risk of a loss of licence fee.

14. In this regard, filesharing would also become a criminal matter. We believe it is not the intention of the drafters to make filesharing criminal. However, a shared file, downloaded and uploaded on a peer-to-peer network, by definition creates a riskof further losses, as each future filesharer, copying the shared file, will be creating a new “risk of loss”. The new offence would therefore put teenage file-sharers in the spotlight as a particularly serious kind of copyright criminal.

Copyright trolls

15. We are concerned that the new offence would make it harder for courts to direct firms asking for copyright payments to avoid mention of possible criminal copyright infringement in the letters they send to alleged peer-to-peer file-sharing infringers. Goldeneye, for instance, send letters to account holders when evidence of sharing pornographic movies is detected. Although this evidence is often flimsy and may be directed to the wrong person, there is pressure to pay up, through embarrassment and worry 1.

16. Currently, these “copyright trolls” can be told to withhold threats of criminal action as “prejudicially affect” ought not to apply to individuals sharing copyrighted files. The language in this legislation could make the situation worse, as criminalcopyright infringement is plausible as “loss” and “risk of loss” are present.

Suggestions for improvement

17. Despite the Bill having added elements of the required intent and restricting gain and loss to mean financial gain, the wording still makes sentencing for online copyright infringement unjustifiably broad.18. We suggest changes to Clause26 in order to exclude small scale non-commercial infringers:

19. 1) “Causing loss” or creating a “risk of loss” should be removed from the Bill as it is insufficiently serious for a criminal penalty.

20. The following section should be removed:

 “A person (“P”) who infringes copyright in a work by communicating the work to the  public commits an offence if P knows or has reason to believe that communicating  the work to the public will cause loss to the owner of the copyright, or will exposethe  owner of the copyright to a risk of loss.”

21. 2) Alternatively, if the Bill retains “risk” and “loss”, a threshold for significance must be put in place to narrow them both down.

22. For instance, the loss could be defined as “commercial scale”, which is the international standard in copyright treaties for criminal infringements. The risk element could be defined as “substantial risk”. Together, they could read as “substantialrisk of commercial scale loss”. This would make it harder to claim that individual, casual infringements could attract threats of criminal action.

Age Verification

23. We believe the aim of restricting children’s access to inappropriate material is a reasonable one; however placing age verification requirements on adults to access legal material throws up a number of concerns which are not easily resolved.24.Our concerns include: whether these proposals will work; the impact on privacy and freedom of expression; and how pornography is defined.

Lack of privacy safeguards

25. New age verification systems will enable the collection of data about people accessing pornographic websites, potentially across different providers or websites. Accessing legal pornographic material creates sensitive information that may be linkedto a real life identity. The current wording of the draft Bill means that this data could be vulnerable to the “Ashley Madison-style” leaks.

26. MindGeek (the largest global adult entertainment operator) estimates there are 20 to 25 million adults in the UK who access adult content regularly. That is over 20 million people that will have to reveal attributes of their identity to a pornographywebsite or a third party company.

27. Current proposals2 for age-verification systems suggest using people's emails, social media accounts, bank details, credit and electoral information, biometrics and mobile phone details. The use of any of this information exposes pornography website users to threats of data mining, identity theft and unsolicited marketing.

28. The currently proposed age-verification systems have minimal regard for the security of the data they will collect.

29. The Bill does not contain provisions to secure the privacy and anonymity of users of pornographic sites. These must be included in the Bill, not merely in guidance issued by the age-verification regulator. They should ensure that the age-verificationsystem, by default, must not be able to identify a user to the pornographic site by leaving persistent data trails. The user information that pornography websites are allowed to store without additional consent should be strictly limited.

Will age verification work?

30. The objective of these proposals is child safety rather than age verification. Policy makers should not measure success by the number of adults using age verification. It is highly likely that children will be able to continue accessing pornographicmaterial, meaning that the policy will struggle to meet its true goal.

31. The Bill does not outline an effective system to administer age verification. It sets out a difficult task to regulate foreign pornography publishers. This will be difficult to enforce. Even if access to pornographic material hosted abroad is blockedin the UK, bypassing website blocks is very easy - for example through the use of VPNs. Using VPNs is not technically difficult and could easily be used by teenagers to circumvent age verification.

32. Young people will still be able to access pornographic materials through some mainstream social media websites that are not subject to age verification, and from peer-to-peer networks.

33. As with ISP and mobile phone filters, age verification may prevent young children from accidentally finding pornographic material but it is unlikely to restrict a tech-savvy teenager.

Discrimination against sexual minorities and small business

34. The age verification systems will impose disproportionate costs on small publishers. No effective and efficient age verification system has been presented and it is very likely the costs imposed on smaller publishers will cause them to go out of business 3 .

35. Smaller publishers of adult materials often cater for sexual minorities or people with special needs. The costs associated with implementing age verification systems threaten the existence of these sites and thus the ability of particular groupsto express their sexuality by using the services of smaller pornographic publishers.

36. It is unclear whether adults will trust age verification systems, especially if they appear to identify them to the sites. It is possible that there will be a dissuasive effect on adults wishing to receive legal material. This would be a negativeimpact on free expression, and would be likely to disproportionately impact people from sexual minorities.

Definition of pornographic material

37. The definitions of pornographic material included in the Bill are much broader than what is socially accepted as harmful pornography. The Bill not only covers R18 materials typically described as “hardcore pornography”, which offline can only be acquiredin licensed sex shops, but also 18-rated materials of a sexual nature. The boundaries of 18 classification are dynamic and reflect social consensus on what is acceptable with some restrictions. Today this would include popular films such as Fifty Shadesof Gray. This extension of the definition of pornography to cover all “erotic” 18 rated films also raises questions as to why violent - but not sexual - materials rated as 18 should then be accessible online.

38. Hiding some of these materials or making them more difficult to access puts unjustifiable restrictions on people's freedom of expression. Placing 18-rated materials beyond the age-verification wall under the same category as hardcore pornography willdiscourage people from exploring topics related to their sexuality.

Suggestions for improvement

39. The online age verification proposed in the Bill is unworkable and will not deliver what Government set out to do. We urge the Government to find more effective solutions to deliver their objectives on the age verification. The online age verificationshould be dropped from the Bill in its current version. 40. The updated version of age verification should incorporate:

41. 1) Privacy safeguards

The regulator should have specific duties to ensure the systems are low risk. For instance, Age verification should not be be in place unless privacy safeguards are strong. Any age verification system should not create wider security risks, for instanceto credit card systems, or through habituating UK Internet users into poor security practices.

42. Users of adult websites should have clarity on the liability of data breaches and what personal data is at risk.

42. 2) Safeguards for sexual minorities

Requirements should be proportionate to the resources available and the likelihood of access by minors. Small websites that cater for sexual minorities may fall under the commercial threshold.

43. 3) Remove 18-rated materials from the definition of pornographic materials

Placing all materials of a sexual nature under the definition of pornography is not helpful and will greatly increase the impact of these measures on the human right to impart and receive information, including of older children and young adults.

Data Sharing

Open Policy Making Process

44. We have been extensively involved in the process of Open Policy Making on data sharing and we commend the Cabinet Office for carrying out the exercise. While we are supportive of the effort, we do not fully agree with the outcomes of that processand have summarised our concerns in a consultation response.

45. The aims of the Bill are laudable – improving public services, fighting fraud, reducing debt and improving statistics – and some of the proposed measures are in better shape, particularly the chapter on statistics. In many other cases, however, thediscussions of the Open Policy Making process are not fully reflected and should not be used by Government to unduly smooth the Bill's passage through Parliament.

Recommendation to remove Part 5 of the Bill

46. Our recommendation is that this part of the Bill should be removed and reintroduced as a broader separate Bill on Data Sharing between Public Bodies at a later stage, for three reasons.

47. 1) The Law Commission carried out a scoping report on Data Sharing between Public Bodies4 in 2014 that found that there was widespread confusion, as the law in this area was very complex, and recommended a full law reform project to “modernise, simplify and clarify” the statutory provisions and review the common law. The current Bill only adds to this confusion by creating haphazard new avenues. A new Bill is needed to streamline the data sharing landscape, putting citizens at the centre with increased transparency and controls that create the trust required for the next generation of data driven public services.

48. 2) The Government has stressed that privacy is a key element of these reforms, and the proposals in the Bill rely heavily in the protections afforded by the Data Protection Act (DPA). We had explained in our consultation response that we believedmore specific safeguards needed to be contained within the Bill. We also expressed that the new EU General Data Protection Regulation - and particularly the specific exemptions for public sector bodies - should be looked in more detail to understandwhether they could weaken the assumption from Government that a general data protection regime provides sufficient safeguards. Since the vote to leave the European Union we simply do not know what data protection regime will be in place when the DigitalEconomy Bill becomes law, and we fail to see how in this context Parliament can satisfy itself that the Bill will balance the needs of government with the privacy of citizens.

49. 3) This Part of the Bill has many serious deficiencies that would require some serious effort to amend if it was a standalone Bill, let alone bolted on to a much broader omnibus legislation on completely different matters, all highly technical andcomplex. Below we highlight some of these problems.

Public services covered and definition of well-being need to be tested

50. Chapter 2 on public services correctly attempts to restrict the scope of sharing to Government activities that improve citizens' well-being - and Parliament should test that the definition employed is robust enough - but the safeguards in the Billare not strong enough. For example, onwards disclosure is not allowed unless “required or permitted by any enactment” (s 33(2)(a) page 31 line 19), which can be very broad and impossible to foresee.

Codes of practice are weak and safeguards unclear

51. The expectation throughout this Part of the Bill is that clearer safeguards will be contained in various codes of practice, but there is only an obligation to “have regard” to these codes. Safeguards – on stigmatisation, reuse, opt outs, transparency,time limits, etc. - should be mentioned in the face of the Bill and detailed in a single clearly enforceable Code of Practice for all data sharing activities.

Extension of fraud and debt powers on a ministerial nod

52. Chapters 3 and 4 on fraud and debt were extensively discussed in the Open Policy Making process, where the conclusion was that these highly intrusive measures needed to be piloted, as there seemed to be a lack of agreement on their effectiveness andsocial impacts. The Bill sets out time limits on these powers, but fails to provide clarity and proper scrutiny over their potential extension, with Ministers allowed to simply nod them through under criteria at their sole determination, thus “markingtheir own homework”. Parliament should be involved in any such extension.

Unclear debt outcomes

53. The need for clarity on the expected outcomes is particularly acute on debt. The information sharing provisions in the Bill are not capable of cancelling or prioritising existing debt to more than one department. Therefore, wider changes to how thedata of potentially very vulnerable people is handled may be necessary to ensure that benefits to the collective public purse are delivered with fairness. This has never been explained. The potential role of the Debt Market Integrator should be scrutinised.

Bulk unconstrained civil registration

54. Chapter 2 provides very broad powers for the sharing of civil registration for any public body's functions, without any restrictions other than those expressly provided in other legislation. Ministers have presented this chapter as a way of improvingelectronic government transactions by avoiding the need for paper certificates to be circulated, which indeed is a good thing. However we have been told unequivocally that the power is intended for bulk data sharing of the full civil register. The sharingof these common identifiers across government has the whiff of ID Cards by stealth.

55. The Government has tried to assure civil society that the intention is not to use civil registration data to link datasets as the basis of a Continental national identity scheme but has failed to provide robust cases for why bulk sharing powers arerequired. For these reasons, bulk powers should be removed. A consent based power, where citizens can request the sharing of individual records would be enough to improve e-government.

1. http://www.bbc.co.uk/news/technology-34842863

2. http://dpatechgateway.co.uk

3. http://pandorablake.com/blog/2016/9/adult-provider-network-problems-digital-economy-bill

4. https://www.gov.uk/government/publications/data-sharing-between-public-bodies-a-scoping-report