The Online Safety Bill became the Online Safety Act (OSA) when it received royal assent earlier this month.
The OSA is a comprehensive (and indeed, complex) piece of legislation, with the noble aim of creating a safer digital environment. Ofcom – the UK’s telecoms regulator – is responsible for enforcing its provisions.
It seeks to change the current two-tier liability scheme when it comes to harmful online content. Until now, publishers of illegal content online (i.e., the users) were liable for disseminating it, but online platforms often had a means of avoiding responsibility.
Now, the OSA places the onus on platforms to take active steps to locate and remove harmful content from their sites, failing which, they could be subjected to hefty fines, as well as criminal sanctions for some senior managers if their company fails to comply with the legislation in specific circumstances..
Intermediary services, such as search engine services, can also be held liable under the act for enabling third-party content to be shared and disseminated online. Previously, such services were only liable if they were put on notice of the illegal content, and they failed to / refused to remove or de-index it. Essentially this shifts intermediary liability from being “reactive” (triggered by being put on notice of harmful content) to “proactive” (being required to put in place systems and processes to reduce the likelihood of harmful content appearing at all). This would be a huge sea change if the OSA is enforced as envisaged.
The new legislation covers user-to-user services, which include:
Other sites, such as those of news organisations, and their comment sections are exempt from the OSA’s remit.
Wide duties of care are placed on user-to-user services and search engines by the OSA, which focus on the procedures and systems service providers must have in place to ensure the safety of their users.
In practice, this means that service providers will need to conduct and publish risk assessments regarding harmful content on their sites and once identified, they will need to take steps to remove that content.
Three main categories of harmful content are covered:
*This won’t result in a spike of defamation cases, however, as defamation does not fall into category (1) illegal content.
Failing to comply with the OSA’s rules could result in companies facing fines of up to £18 million, or 10% of their global annual turnover (whichever is higher). Such companies’ CEOs and employees could also even be sentenced to jail time.
As above, Ofcom is in charge of enforcing the provisions of the Act and is publishing its new codes of practice in three phases.
It is given the power to impose fines of £18 million or 10% of a company’s global turnover (whichever is the highest) if it finds the company has failed in their duty of care. It also has powers to seek court-approved cessation orders to serve on service providers that it feels are failing in their duties of care.
Ofcom’s first round of guidance was published on the 9th of November, which explains: (1) who the rules apply to; (2) what they mean; (3) if they apply to a specific company and what they need to do; and (4) other important things companies should know now.
As anyone dealing with Ofcom knows, it is already overstretched, so this will be a significant addition to its responsibilities.
The fact that the OSA expects bigger platforms (including social media providers and online search engines) to monitor potentially harmful, but not illegal, content on their sites (insofar as the content can be considered harmful to children) has caused some controversy amongst free-speech activists. Such critics have argued that the power awarded to online platforms to rigorously moderate online content may result in over-censorship and therefore stifle free speech and legitimate expression of opinions. As above, the penalties platforms could face for failure to comply with the act are significant; therefore, there is a concern that platforms will err on the side of caution.
Furthermore, by far the most contentious provision in the act is Section 122. This has been widely interpreted as requiring service providers (such as WhatsApp) to “scan” users’ messages in order to detect any potentially illegal content. The concern with this is that it risks breaking end-to-end encryption. This could have the effect of compromising users’ privacy and weakening encryptions’ protections so much so that it could risk communications becoming vulnerable to hackers. There are also significant technical issues with this requirement. Indeed, many big tech companies have argued that a way to scan encrypted messages without breaking encryption itself doesn’t even exist. However, the Government has since stated that Ofcom will not use this power until it is actually possible to do so.
At the moment, it is yet to be seen how this will all play out in practice. While its aims are noble, many industry experts are sceptical as to whether it can be effectively enforced in practice. Ofcom has an almost Herculean task ahead of it and much will depend upon the willingness of the online services providers to work with Ofcom on implementation.
There are still many questions regarding the duties of care imposed by the OSA. There will undoubtedly be a significant amount of work for compliance teams, lawyers and more to ensure clients are compliant with the new rules.
This is by no means the end of the road when it comes to online safety regulation. As we all know, technology continues to evolve, social media keeps growing, and new harms will keep coming out of the woodwork.
At the moment, it will be important for service providers to start familiarising themselves with the OSA and the duties of care imposed on them to ensure they are prepared for the changes to come.