What’s this all about?
The Online Safety Bill (“the Bill”) was recently introduced before the UK Parliament. The Bill mainly aims at significantly regulating online content. This article looks at some of its highlights.
In a nutshell, what’s the Bill about?
In brief, the Bill creates a new statutory duty of care designed to make internet companies take greater responsibility for the safety of their users. The UK Government has hailed its approach as risk based and proportionate.
The duty of care means that regulated service providers falling in scope will have a duty to take action to prevent content or activity on their services from causing significant physical or psychological harm to individuals. Service providers will also have to establish systems and processes to ensure compliance.
The UK’s telecoms regulator, OFCOM (the Office of Communications), will oversee and enforce the regime, which will be funded through industry fees.
Who’s in scope?
The duty of care is imposed on providers of so-called “regulated services” – these are defined as (a) “a regulated user-to-user service or (b) a regulated search service that has (c) links with the United Kingdom and is not exempt”. These terms are defined as follows:
- “User-to-user services” = an internet service which enables content generated, uploaded or shared by a user of the service to be encountered by, or shared with, another user or users of the service. Here “content” means anything that can be communicated via the internet and “encountered” means that it “may” be experienced by at least one other user on that service;
- “Regulated search engine services” = services that are or include search engines, including all services and functionality that enable a user to search websites and databases; and,
- “Links with the United Kingdom” = a service will have links with the UK if: (i) it has a significant number of UK users; (ii) UK users form one of the target markets for the service (or the only target market); or, (iii) it is capable of being used in the UK by individuals and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK presented by: in the case of a user-to-user service, user-generated content present on the service or (if the service includes a search engine) search content of the service; in the case of a search service, search content of the service from the content present on the service or via the search results.
For the sake of clarity, the regime has extra-territorial reach, i.e. it captures online services outside of the UK.
Are any services and content exempt?
Services and content that are exempt include those where, in the case of user-to-user services:
- The only user-generated content is emails, SMS messages and/or MMS messages;
- Only one-to-one live aural communications are enabled;
- The service is a so-called “internal business service” (defined according to certain conditions, e.g. the user-to-user service or search service is an internal resource or tool for a business); and,
- There is limited functionality such that users are only able to communicate through the service by posting or interacting (via emojis, yes/no voting or rating the content) with comments or reviews related to content published by the service provider.
Regulated content is defined as being, broadly speaking, user-generated content available to other users through the service, which excludes any such content that is:
- Emails, SMS or MMS messages;
- Comments and reviews on provider content;
- One-to-one live aural communications; or,
- News publisher content (essentially content generated by a recognized news publisher e.g. the BBC).
How are regulated service providers categorized?
Regulated service providers are categorized into so-called “Category 1” and “Category 2” services. Under separate future legislation, threshold conditions for the categories will be set:
- Category 1 concerns user-to-user services, where the threshold conditions will be based on the number of users of the user-to-user part of the service, and functionalities of that part of the service;
- Category 2A concerns search engines, where the threshold conditions will be based on the number of users of the search engine and any other factors relating to the search engine that the (UK) Secretary of State considers relevant; and,
- Category 2B concerns user-to-user services, where the threshold conditions will be based on the number of users of the user-to-user part of the service, the functionalities of that part of the service, and any other factors relating to that part of the service that the (UK) Secretary of State considers relevant.
OFCOM will publish and maintain a register of the companies concerned.
What are the duties of care?
There are two duty of care categories, each containing separate types of duties:
- The safety duties = divided into: (a) the illegal content duty; (b) the child safety duty; and, (c) the adult safety duty; and,
- The free speech duties = divided into: (a) the duty to protect freedom of expression and privacy; and, (b) the duty to protect content of democratic importance.
All service providers will be required to:
- Take action with regard to the illegal content duty;
- Assess the likelihood of children accessing their services, and, if this is likely, comply with the child safety duty; and,
- Protect freedom of expression and privacy.
Only Category 1 services will be required to take action with regard to the adult safety duty. A number of other duties will apply to Category 1 service providers, aimed mainly at ensuring a balance between the implementation of the adult safety duty and the free speech duties.
What are the safety duties of care?
The Bill sets out the safety duties of care that will apply to “user-to-user services” and to “search services”, as follows:
- The Illegal Content Duty = this applies to all providers of regulated user-to-user services, requiring them to take action to prevent the use of their services for criminal activity. Illegal content is content which amounts to, amongst others: (a) a terrorism offence; (b) a child sexual exploitation or abuse offence; or, (c) another offence of which the victim or intended victim is an individual;
- The Child Safety Duty = all providers of regulated services will be required to carry out an assessment to ascertain whether children are likely to access their services. Where the regulated service is likely to be accessed by children, the service provider must comply with the child safety duties. Content that is harmful to children must be assessed; and,
- The Adult Safety Duty = the duty to protect adults’ “online safety” only applies to providers of Category 1 end-to-end services. The duty concerns content that is “harmful”, for example, trolling. “Content that is harmful content” includes content “of a kind which presents a material risk of significant harm to an appreciable number of adults in the United Kingdom”.
What do the safety duties require?
The safety duties require (amongst other things) the following (which may vary according to whether this is an illegal content duty, a child safety duty or an adult safety duty):
- Conducting a risk assessment, which the Bill is quite prescriptive about in terms of content;
- Notification to OFCOM where a risk assessment identifies the presence of harmful content;
- Taking proportionate steps to mitigate and manage the risks of harm identified in a risk assessment;
- Maintaining systems and processes that address the requirements of the duty;
- Including details about various compliance aspects concerning the duty in question in the terms of service; and,
- Maintaining appropriate, easy to use and transparent reporting and complaints mechanisms that allow a user to lodge complaints and appeal the removal of content or restriction of use of services.
What do the free speech duties require?
The free speech duties requirements include the following:
- Duty to protect freedom of expression and privacy = all regulated service providers have a duty to protect freedom of expression and privacy when deciding on and implementing policies and procedures. Category 1 service providers must conduct (and maintain) an assessment of the impact that implemented policies and procedures have on users’ rights to freedom of expression and protection from privacy infringements;
- Duty to protect content of democratic importance (Category 1 user-to-user services only) = this concerns content which is either: (a) news publisher content; or, (b) user generated content that is or appears to be intended to significantly contribute to democratic political debate in the UK. Category 1 service providers are required to operate their services using systems and processes designed to ensure that the importance of the free expression of content of democratic importance is taken into account when deciding how to treat such content; and,
- Duty to protect journalistic content (Category 1 user-to-user services only) = this concerns content which is: (a) either news publisher content or regulated (user generated) content; (b) generated for the purposes of journalism; and, (c) UK linked (meaning where UK users form one of the target markets for the content [or the only target market], or the content is, or is likely to be, of interest to a significant number of UK users). Category 1 service providers are required to operate their services using systems and processes designed to ensure that the importance of the free expression of journalistic content is taken into account when making decisions about how to treat such content (whether to take it down or restrict access to it) and whether action should be taken against the user (giving them a warning or restricting access to the service).
What about fraudulent advertising?
A provider of a Category 1 service must operate the service using proportionate systems and processes designed to: (a) prevent individuals from encountering content consisting of fraudulent advertisements by means of the service; (b) minimize the length of time for which any such content is present; and, (c) where the service provider is alerted by a person to the presence of such content, or becomes aware of it in any other way, swiftly take down such content.
What about user identity verification?
A provider of a Category 1 service must offer all adult users of the service the option to verify their identity (if identity verification is not required for access to the service). The verification process may be of any kind (and in particular it need not require documentation to be provided). A provider of a Category 1 service must also include clear and accessible provisions in the terms of service explaining how the verification process works.
What about reporting child sexual exploitation and abuse content?
A UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the service provider reports all detected and unreported child sexual exploitation and abuse content present on the service to the National Crime Agency. A non-UK provider of a regulated user-to-user service must also operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked child sexual exploitation and abuse content present on the service to the National Crime Agency (and does not report to the National Crime Agency child sexual exploitation and abuse content which is not UK-linked).
A UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported child sexual exploitation and abuse content present on websites or databases capable of being searched by the search engine to the National Crime Agency. A non-UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked child sexual exploitation and abuse content present on websites or databases capable of being searched by the search engine to the National Crime Agency (and does not report to the National Crime Agency child sexual exploitation and abuse content which is not UK-linked).
A provider of a regulated user-to-user service or a regulated search service is a “UK provider” of the service if the provider is: (a) an individual or individuals who are habitually resident in the United Kingdom; or, (b) an entity incorporated or formed under the law of any part of the United Kingdom. Otherwise, a provider of a regulated user-to-user service or a regulated search service is a “non-UK provider” of the service.
Are there any communications offences?
Yes. The Bill provides for offences for sending three sorts of communications:
- A harmful communication = where a person sends a message and at the time of sending it there was a real and substantial risk that it would cause harm to a likely audience, and, the person intended to cause harm to a likely audience, and, the person has no reasonable excuse for sending the message;
- A false communication = where a person sends a message which conveys information that the person knows to be false, and, at the time of sending it, the person intended the message, or the information in it, to cause non-trivial psychological or physical harm to a likely audience, and, the person has no reasonable excuse for sending the message;
- A threatening communication = where a person sends a message which conveys a threat of death or serious harm, and, at the time of sending it, the person intended an individual encountering the message to fear that the threat would be carried out, or was reckless as to whether an individual encountering the message would fear that the threat would be carried out.
Sending a message includes sending it by electronic means, but a provider of an internet service by means of which a communication is sent, transmitted or published is not regarded as a person who sends a message. The above offences have extra-territorial effect, but only if the act is done by a UK individual. The above offences can also be committed by a corporate entity.
Will there be any codes of practice?
Yes. OFCOM is required to prepare codes of practice, including setting out the recommended steps for compliance with relevant duties. Where applicable, a failure by a service provider to act in accordance with a provision of a code of practice does not of itself make the provider liable to legal proceedings in a court or tribunal. Generally speaking, where a service provider has taken the recommended compliance measures described in the relevant code of practice, they will be treated as complying with the duty. OFCOM will also produce guidance for applicable service providers to assist them in complying with certain duties.
What about transparency reporting?
OFCOM is required to establish a register of Category 1, 2A and 2B services, according to threshold conditions. These service providers will have to produce annual transparency reports to OFCOM in relation to each service that they provide. The report must contain information as requested by OFCOM in a notice. OFCOM is also required to prepare transparency reporting guidance.
What about fees?
OFCOM may require a provider of a regulated service to pay a fee in respect of a so-called “charging year”. Where OFCOM require a provider of a regulated service to pay a fee in respect of a charging year, the fee is to be equal to the amount produced by a computation: (a) made by reference to: (i) the provider’s qualifying worldwide revenue for the qualifying period relating to that charging year, and (ii) any other factors that OFCOM consider appropriate; and, (b) made in the manner that OFCOM consider appropriate.
What about regulatory enforcement and penalties?
OFCOM will have a number of enforcement powers including:
- To require information (via an official notice) including from user-to-user services and search engines;
- To require a regulated service provider to name, in their response to a given notice, an individual who the provider considers to be a senior manager of the entity and who may be expected to be in a position to ensure compliance with the requirements of the notice – this individual carries compliance liability;
- To appoint a so-called “skilled person” (i.e. an expert) to inspect a service provider’s systems (or require the provider to appoint a skilled person), where OFCOM considers that this is necessary in order to identify or assess a compliance failure, or in order to understand the nature and level of risk for failure to comply and ways to mitigate that risk. The service provider will be liable for the payment, directly to the skilled person, of the skilled person’s remuneration and expenses relating to the preparation of the skilled person’s report;
- To investigate certain compliance failures;
- To require interviews concerning compliance failure;
- To enter premises, carry out inspections, and audits;
- To issue notices for compliance failure, including with regard to child sexual exploitation and abuse content requiring content to be taken down; and,
- To impose fines for compliance failure of up to £18 million or 10% of global revenue.
What’s next?
The Bill will now make its way through the UK legislative pipeline. There is a lot at stake with the Bill, which is highly ambitious and in some respects controversial, so it is to be expected that it will generate a lot of parliamentary debate and lobbying, and may be subject to many proposed amendments. So, it may be a little while until it becomes law and enters into force. Note also that proposed legislation in the EU in the form of the proposed Digital Services Act, which has some similarities to the UK Online Safety Bill, is steadily making its way through the EU legislative pipeline.
Takeaways
Whatever the final version of the law, there will be plenty of compliance work to do for those organizations which fall in scope (notably measures, policies, terms of service and risk assessments etc.; note that what has been referred to in this article only scratches the surface of the detail of the compliance requirements). So start preparing for this, including budgeting for the resources that will be needed. Also, brief the Board and keep track of the progress of the Bill.
Resources
We report about data protection and privacy issues here https://www.corderycompliance.com/category/data-protection-privacy/
For our other news please see here https://www.corderycompliance.com/news/.
The UK Online Safety Bill can be found here https://bills.parliament.uk/bills/3137.
For more about OFCOM see here https://www.ofcom.org.uk/home
For more information please contact André Bywater or Jonathan Armstrong who are commercial lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784. Jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785. Andre.bywater@corderycompliance.com