You are using an outdated browser. Please upgrade your browser to improve your experience.
Online harm legislation
The regulatory regime is likely to apply to platforms that allow users to share or discover user-generated content or interact with each other online. This will clearly include many social media and photo/video sharing platforms, but could also cover gaming platforms, Cloud-based storage sites and other online services.
Whether private communication channels will be subject to some degree of regulation (and what is meant by "private channels") remains an open question.
Once implemented, the proposal is that the regulator (likely Ofcom) will take a risk-based approach: focusing initially on those platforms they perceive to pose the greatest risk of harm, either due to their size or known issues with their approach to preventing online harms.
Regulated platforms will have to comply with a statutory duty of care. This will require them to take reasonable steps to keep users (and other persons) safe from online harms. Firms will be required to take action that is proportionate to the severity and scale of the potential harm.
The focus of the regime will be on the systems and processes firms have in place, rather than considering individual pieces of content or individual complaints. Though firms will be required to have effective mechanisms to allow users to report harmful content and challenge takedown decision, the regulator will not adjudicate individual complaints.
The expectations of how platforms will fulfil their duty of care will differ for illegal content and content that is "not illegal but harmful":
|Illegal content||Legal (but harmful) content|
|Examples from the publication||Child sexual exploitation and abuse ("CSEA") material; terrorist content||Online bullying; intimidation in public life; self-harm; suicide imagery|
|Proposed requirement to comply with the duty of care||
To guide firms on how to comply with the duty of care, the regulator will publish detailed codes of practice on the systems, procedures, technologies and other measures firms should adopt to comply. If firms chose to comply in a different way, they will need to explain to the regulator on how their approach will deliver the same (or a better) outcome. To enable the framework to respond to emerging harms, there are unlikely to be codes of practice for every type of harmful content, but there will at least be codes on CSEA and terrorist content.
If firms fail to meet the duty of care, the regulator will have a range of sanctions at their disposal. This may include the power to impose civil fines (tied to metrics such as annual turnover or the volume of illegal material hosted), the power to require firms to rectify failings and possibly even powers to disrupt non-compliant platforms (including the potential for the regulator to require ISPs to block non-compliant websites). The proposal suggests that the regulator will use their powers in a tiered manner, only resorting to the most disruptive powers as a last resort.
The regime will likely include some kind of appeals mechanism against enforcement decisions, but its form is still being considered. Whether the regulator will accept "super-complaints" from certain designated bodies remains an open question, as does the issue of whether firms situated outside the UK will be required to appoint a "nominated representative" in the UK to assist in enforcing compliance with the regime.
One of the most controversial proposals in the Online Harms White Paper was the suggestion that firms may be required to nominate a senior executive with accountability for complying with the duty of care. Like the Senior Managers Regime in financial services, if the nominated executive did not take reasonable steps to ensure their firm complied with this duty, they could be personally liable for a civil fine (or possibly even criminal liability). Again, whether this proposal will be introduced remains an open question.
Once enacted, the proposals will also require regulated firms to take several other steps, including potentially being required to contribute to the costs of the regulator and producing annual transparency reports in a form determined by the regulator.
The regulator too will be expected to take other steps, including advising firms on how to comply with the duty of care, promoting innovation and child safety online, developing a framework on "safety by design" and reporting on its activities to the public and Parliament.
Over the coming months, the UK Government plans to continue taking iterative steps to develop the proposals. This will include:
The Government has emphasised its commitment to maintaining momentum and introducing the regime in the near future. The coming months will therefore be a crucial period for the industry and stakeholders to ensure they provide their input on the proposals.