30 July 2021
Online Safety Bill – 6 of 6 Insights
The Online Safety Bill (OSB) will introduce a statutory duty of care on providers of certain user-to-user and search services, to protect their users from harm. It contains wide-ranging and complex obligations, adopting a risk-based approach which may make it hard for providers to understand whether they are caught and what to do if they are.
Enter Ofcom, which will be overseeing and enforcing the regime – giving it significantly increased responsibilities and powers, not least of which is the ability to fine companies up to £18 million or 10% of qualifying revenue if they fail in their new duty of care.
Perhaps the starting point for the entire Online Safety regime is the requirement on Ofcom to carry out risk assessment profiles. First, risk of harm to individuals presented by regulated services must be identified, assessed and understood, considering levels and different kinds of risk posed by illegal content to UK individuals, and by harmful content to children and to adults.
Ofcom must then develop risk profiles for different types of regulated services based on the characteristics of the service including functionality, user base, business model, governance and systems. It will be required to produce guidance to accompany these profiles.
This is crucially important, as it is against these risk profiles that companies will need to self-assess to decide where they fit in and what they need to do.
In-scope businesses will be categorised by Ofcom according to the number of users of a service, its functionalities and the risk of harmful content spreading. The highest risk user-to-user services (most likely the largest social media companies) will be in Category 1, while other services will be placed into Categories 2A and B if they meet user and functionality criteria and the relevant conditions for categorisation set out in Annex 4.
It's Ofcom's job to establish and maintain a register of regulated services by category of services they consider likely to meet the respective category criteria. This means that it is Ofcom which makes the initial decision about in-scope service providers, although its decisions can be appealed.
Ofcom also has powers to impose fees on regulated service providers. Companies above a (to be determined) threshold based on global annual revenue will have to notify Ofcom and pay an annual fee. The threshold is likely to be high enough to mean this will only apply to a small number of businesses.
The Online Safety Bill places considerable emphasis on a risk-based approach. This makes sense given the vast array of content and services it potentially covers, but that also makes compliance a challenge. Again, it's Ofcom's job to demystify the process.
In addition to all sorts of guidance on, for example, risk profiles and elements like technology transfer assessments and enforcement powers (see below), Ofcom is required to produce Codes of Practice setting out steps to help providers of regulated services comply with their duties regarding terrorism content and CSEA (Child Sexual Exploitation and Abuse) content, as well as other aspects of compliance.
Until this additional material is produced, it is difficult for service providers to understand exactly what is required of them, although the UK government published Interim Codes of Practice in December 2020. This is partly because the OSB itself is an extremely lengthy piece of legislation, but also because flesh needs to be added to the bones of the definitions and outline obligations. Hopefully, this is what Ofcom's guidance and Codes of Practice will provide in due course.
Where Ofcom has reason to believe a provider of a regulated service is not complying with its duties in relation to illegal terrorism or CSEA content, it can require the provider to use specific technology to help it identify and remove the content.
The process starts with Ofcom issuing a warning notice. The provider has a period of time in which to make representations, after which, Ofcom can issue the notice itself if necessary. Under the notice, the provider will be required to use specific technology accredited by Ofcom (or a body appointed by Ofcom). If the provider is already using it, then Ofcom can specify how to use it more effectively. It can also issue further technology notices requiring additional or alternative technology be used.
All notices must contain stipulated information and can last for up to 36 months. They can only place requirements on regulated services in the UK or as they impact UK users. Ofcom must publish guidance about use of technology notices, and an annual report about the exercise of its functions in relation to them which also sets out technology which meets or is being developed to meet required standards.
Ofcom has the power to request information from pretty much anyone it thinks can provide the information required to help it carry out or decide how to carry out its duties under the OSB. It may also require a relevant senior manager to be named.
There are various offences associated with failure to provide information or providing knowingly or recklessly false information. Named individuals can also commit offences and be liable for the company's failures.
Ofcom may also commission reports on compliance failures to help it understand risk and ways to mitigate that risk, and require interviews as part of investigations into compliance failures, which it can compel providers to participate in.
Ofcom has a wide range of enforcement powers under the legislation. These include:
Ofcom is required to publish details of enforcement actions, unless they are commercially sensitive or otherwise inappropriate for publication in Ofcom's opinion. It is also required to publish guidance on how it intends to use its enforcement powers.
Ofcom has several wider policy-focused duties to carry out as a result of the OSB.
It is required to set up an advisory committee on disinformation and misinformation to provide advice to Ofcom on dealing with those issues. It also has to carry out research and produce transparency reports summarising its conclusions on patterns and trends, steps considered to be good practice, and anything else relevant. This is in addition to its annual report and other reports it is required or chooses to make on online safety matters.
Finally, it has a duty to promote media literacy which involves identifying and taking any steps it thinks appropriate as well as, of course, producing guidance.
Ofcom's decisions are subject to appeal.
Eligible entities (to be determined under regulations) can also make a complaint to Ofcom that any feature of one or more regulated services or the conduct of service providers presents material risk of significant harm to users, freedom of expression, privacy or any other significant adverse effect.
Complaints can be made against a single regulated service or provider only where Ofcom considers the complaint is particularly important or relates to a particularly large number of users or members of the public.
Again, Ofcom will be required to publish guidance.
We're increasingly seeing legislation take a risk-based approach, particularly where complex technology or issues are involved and where a wide range of use cases are covered, from the GDPR to the EC's draft AI Regulation. The OSB follows the same approach.
This places a considerable burden on the appointed regulator (Ofcom in this case). This is partly administrative, but also policy-based, as guidance and Codes of Practice develop to help companies understand the nuance of compliance.
Ofcom has welcomed its new role, but there is no doubt it will add considerably to its workload given the scale and complexity of regulating not just illegal but also harmful online content.
by Xuyang Zhu
by Timothy Pinto
by Debbie Heywood