New regulatory framework for online operators?

What is the White Paper?

The government is proposing a new regulatory framework which will increase the responsibilities of operators to tackle harmful content and activities online. The proposals, set out in the Online Harms White Paper, will apply to any operator which allows users to share or discover user-generated content (UGC) or interact with each other online. It therefore covers a broad range of operators including social media platforms, press publishers that host UGC, cloud hosting providers and retailers who allow users to review products online.

Under the proposals, a new statutory duty of care will be imposed on operators, which will be overseen by an independent regulator. The regulator will set out how operators can comply with that duty of care in Codes of Practice. It will include obligations proactively to monitor or scan for certain tightly defined categories of illegal content. Failure to comply with the duty of care could lead to significant fines and individual liability for senior management. The net effect is that online operators will not be able to rely solely on the safe harbour provision in the e-Commerce Directive that they are merely acting as hosts to avoid liability for certain types of harmful content.

Given the scope of the proposed new regime and the potential sanctions involved, the White Paper should be carefully considered by all online operators. It is open for consultation until 1 July 2019.

Which operators are caught?

The new regime is proposed to apply to any operator which allows users to share or discover UGC or interact with each other online. This will include social media platforms, press publishers that host UGC, public discussion forums, sites that have communities, collaboration platforms, listings sites, sites selling personalised products, retailers that allow users to review products online, cloud hosting providers, file-sharing sites, instant messaging services and search engines. It is unclear whether internet service providers are intended to be covered. There is no definition of UGC.

The new regime will apply to any operator that provides services to UK users, irrespective of whether the operator has a legal presence in the UK. The types of operator and service caught by the new regime forms part of the consultation exercise.

What types of harm are covered?

The overriding aim of the new regime will be to tackle online content or activity that harms individual users, particularly children, or threatens the way of life in the UK. Illegal activity and content is covered as well as behaviours which are harmful but not necessarily illegal. There is no suggestion that any new illegal acts will be created. The White Paper includes an initial list of harmful content and activities that will be covered by the new regime as well as a list of harms that will be excluded. However, the list is not exhaustive or fixed and will be updated from time-to-time.

The initial list of harms are: child sexual exploitation and abuse; sexting of indecent images of under 18 year olds; terrorist/extremist content and activity; organised immigration crime; modern slavery; extreme and revenge pornography; harassment; cyberstalking, cyberbullying and trolling; hate crime; encouraging or assisting suicide; advocacy of self-harm; promotion of FGM; incitement of violence; sale of illegal goods/services (such as drugs and weapons); content illegally uploaded from prisons; coercive behaviour; intimidation; violent content; disinformation (but not misinformation); and access by children to pornography or inappropriate material. The types of harm covered are not part of the consultation exercise.

What harms are not covered?

The following are excluded: all harms to organisations as opposed to individuals (such as under competition law, for infringement of IP rights or fraud); harms that result directly from a breach of data protection legislation or breach of cybersecurity or hacking; and all harms suffered on the dark web. In addition, any requirements to scan or monitor for illegal content will not apply to private channels. The government is consulting on appropriate definitions for private communications and what measures should apply to these services.

What obligations are being proposed?

A new statutory duty of care will be imposed on operators to make them more responsible for the safety of their individual users and to prevent other individuals coming to harm as a direct consequence of activity or content on their services. The duty will apply to all harms covered by the new regime and will be to do what is 'reasonably practicable'. Compliance with this duty will be overseen and enforced by an independent regulator; a new cause of action is not being provided to individuals. The following key points arise in the White Paper:

• The regulator will set out how operators can comply with the duty of care in Codes of Practice. These will set out the systems, procedures, technologies and investment that operators will need to adopt or take to fulfil the duty of care.
• The new regime will ensure effective oversight of the take-down of illegal content and will introduce specific monitoring requirements for tightly defined categories of illegal content. These categories are not made express in the White Paper but appear to relate to terrorist activity, child sexual exploitation and abuse, hate crime and serious violence.
• Operators will be required to take action appropriate to the scale and severity of the harm in question. More stringent and specific requirements will be imposed for harms that are clearly illegal. Action will be assessed by the regulator according to the size and resources of the operator and the age of those at risk of harm.
• If operators wish to fulfil the duty of care by following a different procedure to that set out in the Codes of Practice, they will have to satisfy the regulator that the chosen approach will be equally or more effective in tackling harmful content and activities.
• Operator's terms and conditions will need to comply with the duty of care and Codes of Practice and be effectively and consistently enforced. They will need to be sufficiently clear and accessible including to children and vulnerable adults, where appropriate.
• Operators will be expected to have effective and easy-to-access user complaints and appeals procedures. The regulator will set minimum standards for these procedures. There will be a means for independent review of decisions made by operators, including potentially the power for designated bodies to make 'super complaints' to the regulator to defend the needs of users. The public will also have a right to report concerns to the regulator. The regulator will not determine individual disputes, but will have power to take enforcement action in appropriate circumstances.
• The regulator will have power to require annual transparency reports from operators, covering a number of issues including evidence of effective enforcement of the operator's own terms and conditions, the processes the operator has in place for reporting harmful content and the number of reports received and how many led to action. Transparency reports will be published. Failure to provide them will result in enforcement action. The regulator will also have power to request additional information from operators such as the impact of algorithms in selecting content.

Whilst Codes of Practice will not be established until the regulator is operational, the government expects operators to take action now to tackle harmful content and activity on their services. To support early action, high level obligations on operators are set out in the White Paper, as well as some specific obligations the government expects the regulator to include in Codes of Practice. For example, in relation to disinformation, the government expects the Code of Practice to include requirements to make content that has been disputed by reputable fact-checking services less visible to users, to use fact-checking services particularly during elections, to promote authoritative news sources, to make it clear when users are dealing with automated accounts, as well steps operators should take to sanction users who deliberately misrepresent their identity to spread and strengthen disinformation.

The government intends to publish interim codes of practice providing guidance relating to national security and the physical safety of children later this year.

What are the potential sanctions for breach of the duty of care?

The regulator will have a number of enforcement powers including the ability to impose significant civil fines and to publish public notices about the proven failure of operators to comply with standards. The government is consulting on a number of additional potential powers including disruption of business activities, ISP blocking and liability for individual senior management (which could extend to personal liability for civil fines or even criminal liability).

How will the new regime dovetail with the e-Commerce Directive?

According to the White Paper, the new framework will increase the responsibility of online operators in a way that is compatible with the e-Commerce Directive. Under that Directive, online operators that merely host (rather than create) content are protected from liability for illegal content unless and until they have notice of it (provided they act expeditiously to remove or disable access to it once on notice). Under the new regime, it will not be possible for online operators to rely solely on this safe harbour provision. In particular, they will have a duty to monitor or filter for certain content. Any Codes of Practice will have to be carefully worded to ensure that they do not amount to a general obligation to monitor, if that is possible.

Next steps

Operators should carefully review the proposals and consider responding to the consultation by the 1 July 2019 deadline. Legislation will be introduced when parliamentary time allows. However, certain interim Codes of Practice will be introduced later this year.

Going forwards, operators will want to consider such things as their terms and conditions, their complaints mechanisms, how affected users are dealt with, whether their black list/filters will need to be up-dated and whether they are meeting the expectations already set out in the White Paper and, if not, how they will meet them. Taylor Wessing is able to advise on the implications of and compliance with the new proposals.