UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms.
On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to combat online harms. The regime is designed to force online platforms to move away from self-regulation and sets out a legal framework to tackle users’ illegal and socially harmful activity. Although the regime appears to target larger social media platforms, the proposals technically extend to all organisations that provide online platforms allowing user interaction or user-generated content (not limited to social media companies or even ‘service providers’ in the traditional sense) and set out a potentially onerous and punitive compliance and enforcement regime for a broad set of online providers.
- Duty of care to users
The headline legal change is the proposed introduction of a duty of care to take reasonable steps to keep users safe and tackle illegal and harmful activity. This duty of care would cover a non-exhaustive list of harms, including those affecting children (such as exploitation and abuse) and those impacting society in general (such as terrorism). Below this would sit a number of codes of practice detailing how to comply with this duty, along with a series of more detailed obligations such as to provide regular, publicly available compliance reports, and to maintain a process for addressing user complaints which aligns with a set of mandatory requirements.
- Independent regulation
In terms of enforcement, the proposal is that an independent regulator would take the lead, working with existing agencies (such as the police) as required. Whether this regulator would be a new or existing body remains unclear (this is one of the open questions in the consultation); however, the proposal is that it would be industry-funded (for example, via an industry-wide levy). Proposed methods of enforcement range from the pro-active (a requirement to report on how compliance is being achieved), to the investigative (the power to request explanations as to how algorithms operate), the preventative (the ability to “disrupt business activities”, for example by blocking access to sites via internet service providers) and the punitive (fines for organisations and civil and/or criminal liability for senior managers).
The depth of regulation and extent of enforcement powers envisaged in the consultation would represent a sea-change in terms of the compliance burden and consequences of non-compliance for organisations operating in the online space that have previously been largely left to self-regulate. There are a number of questions to be addressed in order to understand the extent of this regulation and enforcement, some of which form the basis of the consultation. Among these questions are the following:
- Which organisations are in scope?
The proposals focus on the types of services and tools being offered — those that facilitate user-generated content or user interaction are in scope — rather than the nature of organisations. However, there is clearly a significant difference between a website offering a comments section at the bottom of a page and a dedicated media sharing platform. Similarly, startups and SMEs will be concerned about the extent of the compliance burden and their ability to meet this burden without compromising on innovation. The consultation refers to a “risk-based and proportionate approach” to enforcement, although this is likely to be of limited comfort unless and until this approach is borne out in more substantive terms. The consultation is also looking at enforcement powers to ensure a level playing field between organisations that have legal presence in the UK and those that operate entirely overseas, clearly implying that the new law will have extra-territorial effect and will apply to non-UK organisations, perhaps on a similar basis to the GDPR (e.g., where they offer their services to UK users).
- How onerous will the new “duty of care” be?
The consultation notes the limitations of the existing regulatory framework in the online space, such as that derived from the EU’s “e-Commerce Directive” whereby many organisations are effectively shielded from liability unless they are actually aware or ought to be aware of relevant content (as opposed to having a pro-active duty to identify such content). How far the new duty of care will deviate from this approach remains to be seen, and it is hoped that the codes of practice will flesh this out. Clearly, the more onerous the duty, the greater the compliance burden and risk of enforcement action.
- How extensive will the new civil and criminal liability regime be?
Culture Secretary Jeremy Wright has suggested that fines for organisations should be comparable to those under GDPR (up to the greater of 4% of annual global turnover or €20 million), while the consultation cites the Senior Managers & Certification Regime in financial services as a potential reference point for determining senior managers’ liability. Liability of this nature is likely to focus the minds of the board members of these organisations. In addition, the consultation is looking at new mechanisms for enabling designated bodies (e.g., potentially consumer protection organisations) to channel complaints on behalf of consumers.
- How will the new regime interact with existing regulation?
In so far as the consultation targets means of “private” user interaction, a balance must be struck with privacy laws such as the Data Protection Act in the UK. The consultation acknowledges the difference between “one-to-one messaging” and a group of several hundred users. Equally, the consultation establishes a clear intention to penetrate beyond purely “public” interaction. Similar concerns arise in terms of other legislation, such as that in the e-commerce field. These issues will need to be addressed to provide clarity and certainty for organisations in scope.
The consultation is open to the public and responses will be accepted until 1 July 2019. In addition to considering a response, organisations potentially caught by the new regime should consider the steps they will likely need to take in order to comply. These steps will range from reviewing complaint processes and user terms to understanding at a more fundamental level how their online platforms (including elements such as algorithms) can accommodate the potential changes.