24 May 2021
Radar - May 2021 – 1 of 3 Insights
The government has published the draft Online Safety Bill but can it deliver on what was promised?
Tackling online harms has become a priority around the world but this involves dealing with a wide range of issues arising not only from illegal activity, but also from activity which is lawful but harmful. What exactly is harmful content and how to do you tackle it without infringing on free speech?
Having set out its approach to legislation in this area in December 2020 as we discussed here, the UK government has now published its long-awaited Online Safety Bill. As expected, it introduces a statutory duty of care on certain online providers to protect their users from harm. The regime will be overseen by Ofcom which will have a range of enforcement powers, including to fine businesses up to the greater of £18 million or 10% of annual revenue.
If you are a provider of:
as defined in the draft legislation, you can now start to prepare.
Duties will be determined by the nature of the content and activity of the business in terms of whether it is illegal, harmful to children, or legal when accessed by adults but still harmful.
Businesses will be classed into categories according to the number of users of a service, its functionalities, and the risk of harmful content spreading. The largest social media companies are likely to fall into Category 1, with most other businesses in scope being classed as Category 2. Category 2A will be assessed by reference to a regulated search service's number of UK users, and Category 2B will depend on a user-to-user service's number of UK users and its functionalities. The conditions for categorisation are listed in Annex 4.
While the draft legislation does provide more detail than was previously available, it will be supplemented by Codes of Practice to be developed by Ofcom, as well as secondary legislation which will further stipulate what constitutes harmful content. The definitions in the Bill of harmful content, whether to children or adults, remain vague and will not be particularly helpful to service providers trying to prepare for the impact of the legislation.
There is considerable emphasis on protecting children (under-18s) online with different obligations for providers of user-to-user services "likely to be accessed by children". This is the same language used in the ICO's Age Appropriate Design or Children's Code - it covers not only services targeted at children, but those likely to be accessed by them and requires a similar risk-assessment exercise.
In fact, a risk-based approach is prevalent throughout the Bill, alongside transparency, reporting and record-keeping requirements. This places a considerable compliance burden on regulated services but also has the benefit of allowing some flexibility to account for different business models and levels of risk.
The debate will continue as to whether the Bill sufficiently protects freedom of speech and expression, and whether it is sensible to place decision making about what content is harmful and how to mitigate risk largely in the hands of the service providers themselves.
Given the difficulties in determining when content is harmful and to whom, even with yet to be published supplementary Codes of Practice and secondary legislation, it remains to be seen whether the legislation is workable, and how much of an impact it will have, positive or otherwise.
This is a significant (and at 145 pages, a lengthy) piece of legislation so here are some of the highlights. Please also join us at our webinar on 25 May when we'll be discussing the impact of the Bill in more detail.
The Bill covers:
A range of exempted services are set out in Schedule 1, and include:
Journalistic content including on news publisher websites, is explicitly protected under the 'freedom of speech' provisions which also cover personal rights to freedom of expression and privacy, and content of democratic importance.
The Bill will apply to the whole of the UK and to services based outside the UK where users in the UK are affected. The duties of care only apply to the design and operation of the service in the UK and to users in the UK.
Illegal content is defined as any regulated content in relation to a user-to-user service which amounts to a relevant offence, or any content in relation to a regulated search service that amounts to a relevant offence.
What constitutes regulated content is defined as UGC subject to exemptions for:
UGC in relation to a user-to-user service, is defined as content:
This includes content generated by means of software, bots or other automated tools.
Most of the elements mentioned here are as further explained or defined.
This is defined in section 45 as content which is regulated content (UGC subject to exceptions) and which is designated as content harmful to children by secondary legislation or which:
There are exceptions and further elements to the definition.
As set out in section 46, the criteria for assessment are similar to those for assessing when content is harmful to children but by reference to an adult of ordinary sensibilities.
All regulated user-to-user services will have the following duties:
Category 1 services have additional duties including:
All regulated search services have the following duties:
Where the search service is likely to be accessed by children, they must also comply with the additional duties relating to harmful content likely to be accessed by children.
Businesses must put in place systems and processes to assess and mitigate risk to individuals and to improve user safety in relation to the different types of content. Part of this will involve assessing whether or not a service is likely to be accessed by children.
As with the GDPR, compliance is an ongoing process and documenting compliance via risk assessments, in addition to the various record-keeping obligations, is a central pillar of the Bill.
Regulated businesses will be required to set up mechanisms allowing users to report harmful content and to appeal against takedown of content. Category 1 and 2 services will also be required to publish transparency reports setting out the measures they have taken to tackle online harms.
Ofcom will be required to establish a register of services meeting Category 1 and 2 thresholds.
Companies above a threshold based on global annual revenue will have to notify Ofcom and pay an annual fee. The threshold is likely to be high enough to mean this will only apply to a small number of businesses.
Ofcom is required to produce Codes of Practice on terrorist and CSEA content, and on aspects of compliance with relevant duties.
As regulator, Ofcom has a range of enforcement powers, including issuing 'use of technology' warnings and notices requiring use of particular technology to assist with compliance, business disruption measures, and, ultimately, significant fines. Senior managers may be criminally liable for failure to comply with information requests.
The Bill now begins its path to enactment at which point a range of measures will come into force immediately, while others will be brought in by secondary legislation.
The legislation is sure to be the subject of debate but given the size of the government's majority in Parliament, its progress is likely to be relatively smooth, although it is unclear how long it will take to achieve Royal Assent.
24 May 2021