Online Safety Bill – freedom of expression and privacy

Auteur

Timothy Pinto

Senior counsel

Londres

Freedom of expression and privacy

There is a duty on all user-to-user and search services, when deciding on and implementing safety measures and policies, to have regard to the importance of protecting:

users' right to freedom of expression within the law, and
users from a breach of any statutory provision or rule of law concerning privacy.

This is only a duty to have regard to these fundamental rights. Therefore, if a service provider can show that it has considered them at the appropriate time, it will probably have complied in this regard. Good record keeping (or at least a tick box) when making decisions which may affect users' free speech or privacy may help to demonstrate that the duty has been fulfilled.

The OSB does not explain what freedom of expression within the law means. The explanatory notes merely say this includes the common law; the law must be English law. Service providers will need to know what that law is to be able to have regard to it.

There is a substantial body of case law in England (and the ECHR which the English courts must consider under the Human Rights Act 1998) about the nature and value of freedom of expression, including that:

"Article 10 [ECHR] is applicable, subject to paragraph 2, not only to 'information' or 'ideas' that are favourably received or regarded as inoffensive or as a matter of indifference, but also to those that offend, shock or disturb" (Socialist Party v Turkey (1998)).
"…free speech includes not only the inoffensive but the irritating, the contentious, the eccentric, the heretical, the unwelcome and the provocative provided it does not tend to provoke violence. […] From the condemnation of Socrates to the persecution of modern writers and journalists, our world has seen too many examples of state control of unofficial ideas. A central purpose of the European Convention on Human Rights has been to set close limits to any such assumed power"… "'freedom only to speak inoffensively is not worth having'" (Sedley LJ in Redmond-Bate v DPP (1999)).

Furthermore, Article 10 ECHR includes the freedom to hold, impart and receive information, opinions and ideas. Therefore, it is not only the potential right of the poster to post their content which comes into play, but also the rights of the community of users as a whole to receive the content, which forms part of this fundamental right.

As for the duty to have regard to the importance of protecting users from a breach of privacy (whether statutory or otherwise) , the purpose is likely to protect users and their content from being spied on and interfered with by the service providers and action taken against them for example. Since privacy includes laws on the processing of personal data, it will cover the rights and remedies of users under data protection law (eg under the UK GDPR and Data Protection Act 2018).

The right of privacy under Article 8 ECHR includes "correspondence" and can potentially include content posted online, depending on such things as whether the poster has a reasonable expectation of privacy.

Of course, some user-to-user communications will be deliberately public, but others might be private communications to one person or to a small group. In any event, User Generated Content (UGC) will also fall within the UK GDPR and Data Protection Act 2018 as it is likely to be personal data. To be able to have regard to privacy, service providers will therefore need to understand the relevant laws, including the tort of misuse of private information and data protection law.

The OSB also includes an obligation on Ofcom to state in its annual report the steps it has taken and the processes it has operated to ensure its online safety functions have been exercised in a manner compatible with Articles 8 and 10 ECHR.

Category 1 services

There are additional duties on Category 1 service providers:

to carry out and publish assessments on the impact of their safety measures and policies on users' rights of freedom of expression and privacy and to keep them up to date, and
to specify in a public statement the positive steps taken in response to their impact assessments to protect users' rights of freedom of expression and privacy.

Content of democratic importance

Category 1 service providers have additional duties to protect political speech, in particular "content of democratic importance" (CDI). CDI is content that:

is news publisher content or regulated user-generated content, and
is, or appears to be, specifically intended to contribute to democratic political debate in the UK or a part of the UK.

The key question for the second condition is whether the content appears to be intended to contribute to democratic political debate.

It is bound to cover debate about party politics and promoting or opposing political parties and national or local government policies. But how wide does it go? And what about more extreme views? Would a controversial remark calling for immigration from certain countries to be banned contribute to democratic political debate or be so antithetical to democratic values that it does not even fall within the definition (notwithstanding the broad scope of the right of freedom of expression)? If the former, Category 1 services have certain duties (see below).

To be considered CDI appears to require that the debate happens in the UK but would cover debate over non-UK politics (eg US politics), however the wording is ambiguous.

If the second condition is satisfied, then most content will be caught since the definition of "regulated user-generated content" is broad. This refers to any UGC which is not exempt (like user comments and reviews on content produced and published by the service provider).

News publisher content is either content directly generated on the service by a recognised news service, or user content reproducing this content in full (eg a user reproducing in full a news publisher's article or recording).

Category 1 service providers have the following duties regarding CDI:

to operate proportionate systems and processes to ensure that the importance of the free expression of CDI is considered when making decisions about content and users,
to ensure these systems and processes for decision making about content and users apply in the same way to a diversity of political opinion, and
to specify in their terms of service the policies and processes which consider CDI.

It may not be straightforward for service providers to ensure that their systems and decision making apply in the same way to a diversity of political opinion. For example, should they treat online discussions in favour of arguably xenophobic/nationalistic political parties in the same way as mainstream centrist parties who are anti-discrimination?

Category 1 service providers also have a duty to ensure their terms of service are applied consistently in relation to content which they "reasonably consider" is of democratic importance.

Service providers will probably need a list of principles to try to ensure they treat diverse parties the same way by reference to the principles. They will also need be careful to be consistent with what they allow or take down.

Journalistic content

Category 1 service providers have additional duties related to journalistic content. This is defined as content which is:

news publisher content or regulated user-generated content,
generated for the purposes of journalism, and
UK-linked (ie UK users are targeted, or the content is likely to be of interest to a significant number of UK users).

What is content generated for the purposes of journalism? Does it only mean "news-related material" which is defined for part of the definition of a "recognised news publisher"? That applies to material consisting of news, opinions or information about current affairs and gossip about celebrities, other public figures or other persons in the news.

Journalistic content is likely to be wider than that, as journalism generally encompasses more than news, current affairs and gossip about public figures. It is not clear whether or the extent to which it includes citizen journalism (posts by individuals who are not professional journalists making information available to the public about current events – eg when they happen to be present when an earthquake, terrorist attack or riot takes place or just providing information or comment about current affairs ). The UK ICO's draft Code on Journalism and data protection says the more something resembles the activities traditionally carried out by the mainstream media or other clear sources of journalism, the more likely it is to be journalism. The same is likely to be the case in the context of online safety. This issue may be expanded in the Codes of Practice and/or by court cases.

The duties include:

to operate proportionate systems and processes to ensure the importance of the free expression of journalistic content is taken into account when making decisions about content and users
regarding a decision to take down content or take action against a user, to make a dedicated and expedited complaints procedure available to a person who considers the content to be journalistic content and who is the user who uploaded it or created the content in the UK
to ensure that if a complaint about the take down of, or action against a user concerning, journalistic content is upheld, the content is swiftly reinstated and/or action against the user reversed
to specify in the terms of service how journalistic content is identified and considered, and the policies for handling complaints about this content.

Like with CDI, the obligation regarding journalistic content when making decisions on whether to take down content or take action against users is to ensure that service providers properly consider the importance of the free expression of journalistic content. Again, good record keeping before and at the decision-making stage may help demonstrate the obligation has been fulfilled.

Codes of Practice

The Codes of Practice – which Ofcom must produce and issue with recommended steps for compliance with the relevant duties – will need to address the duties concerning freedom of expression, privacy, CDI and journalistic content. In the course of preparing the Codes, Ofcom must consult with various persons who represent different interests and/or have certain expertise. This includes persons whom Ofcom considers have relevant expertise in equality issues and human rights, including the right to freedom of expression under Article 10 ECHR and privacy under Article 8 ECHR.

Are fundamental rights and freedoms sufficiently protected?

The Bill ensures that freedom of expression and privacy and, for Category 1 services, CDI and journalistic content, are given attention. Whether this is enough to protect these fundamental rights may depend on the Codes of Practice and ultimately on the service providers in question.

The key test will be whether these rights are sufficiently protected at the decision-making stage in relation to potential action against allegedly illegal and allegedly legal but harmful content, as well as against the users who posted it.

The obligations to "have regard to" these rights or ensure they are "taken into account" do not seem onerous. Weighed up against the duties to protect children and adults from harm, it is possible that freedom of expression and user privacy will take second place in at least borderline cases. Service providers will need to have a good understanding of these fundamental rights to uphold them, especially in the face of offensive but legal content.

It is not clear why CDI and journalistic content are only given protection within Category 1 services. Perhaps it was thought that smaller platforms do not have the resources to cope with these additional duties or the power and influence to make a big difference. However, genuine political speech and journalism should arguably be adequately protected across the board, not only on the bigger platforms. Having said that, as these types of speech are manifestations of the right of freedom of expression – to which the duties apply across all services – the distinctions may be academic.