In April 2019, the UK Government published its Online Harms White Paper and launched a Consultation. In February 2020, the Government published its initial response to that Consultation. In its 15 December 2020 full response to the Online Harms White Paper Consultation, the Government outlined its vision for tackling harmful content online through a new regulatory framework, to be set out in a new Online Safety Bill (“OSB”).

This development comes at a time of heightened scrutiny of, and regulatory changes to, digital services and markets. Earlier this month, the UK Competition and Markets Authority published recommendations to the UK Government on the design and implementation of a new regulatory regime for digital markets (see our update here).

The UK Government is keen to ensure that policy initiatives in this sector are coordinated with similar legislation, including those in the US and the EU. The European Commission also published its proposal for a Digital Services Act on 15 December, proposing a somewhat similar system for regulating illegal online content that puts greater responsibilities on technology companies.

Key points of the UK Government’s plans for the OSB are set out below.

Proposed Scope of Application:

  • The legislation will apply to companies:
  • whose services host user-generated content that can be accessed by users in the UK; and/or
  • that facilitate public or private online interaction between service users, one or more of whom is in the UK.
  • The legislation will impose a duty of care on a broad range of services including, but not limited to:
  • Social media services; consumer cloud storage sites; video sharing platforms; online forums; dating services; online instant messaging services; peer-to-peer services; video games which enable interaction with other users online; and online market places.
  • Search engines.
  • User -generated content encompassing organic and influencer ads posted on social media platforms or other services (including images or text posted from users’ accounts to promote a product, service or brand, and which may or may not be paid for).
  • Although services that play merely a functional role in enabling online activity, such as internet service providers, will be exempt from the duty of care, they will have duties to cooperate with the regulator on business disruption measures.
  • The legislation will exempt the following services from scope:
  • Any service where the risk of harm is sufficiently low that regulatory requirements would be disproportionate.
  • Advertisements placed on an in-scope service via a direct contract between an advertiser and an advertising service.
  • Business-to-business and email services.
  • Content published by a news publisher on its own site (e.g. on a newspaper or broadcaster’s website) and user comments on that content.
  • Harms resulting from: breaches of intellectual property rights; breaches of data protection legislation; fraud; breaches of consumer protection law; or cyber security breaches or hacking.

Different Expectations Depending on Activity:

The OSB will establish a two-tier system that distinguishes between obligations that apply to companies that offer “Category 1 services” and those that offer “Category 2 services”, with more onerous requirements on companies that offer Category 1 services.

[NB The Government anticipates that most services will be ‘Category 2 services’]

Whether a service falls into Category 1 will be determined through a three-step process:

  • Primary legislation will set out the relevant factors – the size of a service’s audience and the functionalities it offers (e.g., ability to share content widely).
  • Ofcom will provide advice to the Government on thresholds for each factor. On the basis of that advice, the Government will determine and publish thresholds for each of the factors.
  • Ofcom will assess and publish a register of all of the services which meet the required thresholds. (If a company believes its service has wrongly been designated as Category 1, then it can appeal to an appropriate tribunal.)

Ofcom will advise the Government if it considers a threshold change is necessary.

Definition of Harmful Content:

  • The OSB will set out a general definition of the harmful content and activity that is in scope of the regime.
  • A limited number of priority categories of harmful content will be set out in secondary legislation, which will cover:
  • criminal offences (including child sexual exploitation and abuse, terrorism, hate crime and the sale of illegal drugs and weapons);
  • harmful content and activity affecting children (such as pornography and violent content); and
  • harmful content and activity that is legal when accessed by adults but may be harmful to them (such as abuse and content about eating disorders, self-harm or suicide).
  • The legislation does not define what constitutes harmful content, and leaves ambiguity about online material that, while legal, may still be problematic (including, for example, whether the promotion of self-harm should be made illegal).

Duties on Companies:

  • All companies will be required to take action with regard to illegal content and activity.
  • All companies will be required to assess the likelihood of children accessing their services. If they assess that children are likely to access their services, they will be required to provide additional protections for children using them. This may include recommending the use of age assurance or verification technologies. [NB the process for enforcing this requirement is unclear]
  • All companies will have additional duties beyond the core duty of care, including providing mechanisms to allow users to report harmful content or activity (such as reporting child sexual exploitation and abuse identified on their services to a designated body) and to appeal the takedown of their content.
  • All companies will be required to address disinformation and misinformation that poses a reasonably foreseeable risk of significant harm to individuals (e.g., relating to public health). Where disinformation and misinformation present a significant threat to public safety, public health or national security, the regulator will have the power to act.
  • Only companies that offer Category 1 services will be required to take action with regards to legal but harmful content and activity accessed by adults.
  • Category 1 companies will be required to assess the reasonably foreseeable risk of causing significant physical or psychological harm to adults.
  • Category 1 companies will be required to make clear what type of ‘legal but harmful’ content is acceptable on their platforms in their terms and conditions and they will be responsible for transparent and consistent enforcement.
  • Category 1 companies will be required to publish transparency reports containing information about the steps they are taking to tackle online harms on those services. The Secretary of State will have the discretionary power to extend this obligation to companies beyond Category 1 companies.

Role and Duty of Ofcom:

  • The Government has confirmed that Ofcom will be the online harms regulator.
  • Ofcom will have the power to impose fines of up to £18m, or 10% of global revenue (whichever is higher), on companies for failing to stop illegal and harmful content from reaching their online users.
  • Ofcom will have the power to enforce the fines and will have the power to block non-compliant services from being accessed in the UK.
  • If the deterrent of fines and other punishments does not work, Ofcom will have the power to impose criminal sanctions against senior managers for repeat offences.
  • Ofcom will also have a range of specific powers, including (but not limited to):
  • establishing codes of practice for companies;
  • requiring companies to use automated technology to identify illegal child sexual exploitation and abuse or terrorist content or activity on their services, including, where proportionate, on private channels; and
  • intervening if disinformation and misinformation present a significant threat to public safety, public health or national security.
  • Ofcom will set out how companies can fulfil their duty of care in codes of practice, including with regards to private communications and limiting the ability for anonymous adults to contact children. Ofcom will consult on the content of the codes.
  • If the deterrent of fines and other punishments does not work, Ofcom will have the power to impose criminal sanctions against senior managers for repeat offences.
  • Ofcom’s costs will be paid by companies falling under the scope of the law, above a (yet to be determined) threshold based on global annual revenue.

What is Not Envisaged in the OSB:

The UK Government has expressly reserved some elements from the OSB:

  • Any requirement to force services to break their encryption to reveal the contents of messages.
  • Any requirement to retain child sexual exploitation and abuse data [NB the government is considering whether to introduce this requirement through alternative legislation].
  • Any requirement for companies to retain data relating to terrorist content and activity— although the government expects companies to report to law enforcement where they consider there is a threat to life or risk of imminent attack.

Next Steps:

  • The text of the OSB is expected to become available in 2021, and we anticipate that it will enter into law in the second half of the year.
  • The Government expects the Law Commission to produce recommendations concerning the reform of the criminal offences relating to harmful online communications (for example, cyber-flashing and ‘pile-on’ harassment) in early 2021. The Law Commission is currently consulting on its proposals.
  • The Secretary of State will undertake a review of the effectiveness of the regime 2 – 5 years after its entry into force.
  • The Government will produce voluntary best practice guidance for internet infrastructure service providers that is separate from the online harms regime.
  • The Government will publish Interim Codes of Practice to provide guidance for companies on tackling terrorist activity and online child sexual exploitation prior to the introduction of legislation.
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Thomas Reilly Thomas Reilly

Ambassador Thomas Reilly, Covington’s Head of UK Public Policy and a key member of the firm’s Global Problem Solving Group and Brexit Task Force, draws on over 20 years of diplomatic and commercial roles to advise clients on their strategic business objectives.

Ambassador…

Ambassador Thomas Reilly, Covington’s Head of UK Public Policy and a key member of the firm’s Global Problem Solving Group and Brexit Task Force, draws on over 20 years of diplomatic and commercial roles to advise clients on their strategic business objectives.

Ambassador Reilly was most recently British Ambassador to Morocco between 2017 and 2020, and prior to this, the Senior Advisor on International Government Relations & Regulatory Affairs and Head of Government Relations at Royal Dutch Shell between 2012 and 2017. His former roles with the Foreign and Commonwealth Office included British Ambassador Morocco & Mauritania (2017-2018), Deputy Head of Mission at the British Embassy in Egypt (2010-2012), Deputy Head of the Climate Change & Energy Department (2007-2009), and Deputy Head of the Counter Terrorism Department (2005-2007). He has lived or worked in a number of countries including Jordan, Kuwait, Yemen, Libya, Iraq, Saudi Arabia, Bahrain, and Argentina.

At Covington, Ambassador Reilly works closely with our global team of lawyers and investigators as well as over 100 former diplomats and senior government officials, with significant depth of experience in dealing with the types of complex problems that involve both legal and governmental institutions.

Ambassador Reilly started his career as a solicitor specialising in EU and commercial law but no longer practices as a solicitor.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.

Photo of Lisa Peets Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she…

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Photo of Marty Hansen Marty Hansen

Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade…

Martin Hansen has represented some of the world’s leading information technology, telecommunications, and pharmaceutical companies on a broad range of cutting edge international trade, intellectual property, and competition issues. Martin has extensive experience in advising clients on matters arising under the World Trade Organization agreements, treaties administered by the World Intellectual Property Organization, bilateral and regional free trade agreements, and other trade agreements.

Drawing on ten years of experience in Covington’s London and DC offices his practice focuses on helping innovative companies solve challenges on intellectual property and trade matters before U.S. courts, the U.S. government, and foreign governments and tribunals. Martin also represents software companies and a leading IT trade association on electronic commerce, Internet security, and online liability issues.