Online safety: A global regulatory overview

Recent years have seen dedicated online safety legislation and proposals come to the fore - such as the Digital Services Act in the EU, the Online Safety Act in the UK, the Online Safety Act in Australia and the Online Safety (Miscellaneous Amendments) Act in Singapore. Protection of children sits front and centre of many of these initiatives, and in Australia we have also seen legislation passed requiring social media platforms to prevent users under 16 accessing their services.

Other jurisdictions, such as South Africa, have adopted a hybrid approach, with the regulator developing industry codes of practice and operating a user-complaints scheme, alongside regulatory powers to issue directives of general application. Given the disparate federal / state dynamic in the US, along with the restrictive First Amendment in the US Constitution to protect freedom of speech, a key focus at the federal level has been around the protection of children (with the Children's Online Privacy Protection Act 2.0 (COPPA 2.0) and Kids Online Safety Act still going through the legislative process). Pending an all-encompassing piece of federal legislation, in the US the private sector continues to self-regulate as well, with big tech determining the content moderation balancing act and the US Supreme Court intervening, as appropriate.

In line with other regimes that regulate the borderless digital economy, common among the global online safety regulations is their extra-territorial scope. The primary focus of the many different regulatory frameworks around the world is to protect users residing or accessing the internet from a certain jurisdiction, regardless of the services’ location. This requires global online service providers to familiarise themselves, and comply with, a multitude of regulations. This is particularly challenging given the regulatory landscape comprises a fragmented international patchwork.

In response to this, and to support consistency, governments and regulatory authorities around the world are cooperating on a range of different topics, including aligning regulatory frameworks and enforcement in relation to online content. That said, there is still a recognition of the need for local nuance and that full alignment may not always be a realistic or practical option.

We saw this in 2019 with the Five Country Ministerial Statement on end-to-end encryption and public safety, and then in 2021 at the G7 Summit, which resulted in a Joint Ministerial Declaration by the UK, Canadian, French, German, Italian, Japanese, American and EU governments on internet safety principles to improve online safety. Since then, the Australian and UK governments have signed a joint Memorandum of Understanding (MoU) in February 2024 to strengthen bilateral cooperation to tackle online harms. While in October 2024, the US and UK governments signed an online safety agreement, which pledges closer co-operation, in particular, to keep children safe online. You can read about the focus areas of the MoUs on our Online Safety Series Hub.

While global cooperation is not entirely new in relation to online services (enforcement agencies around the world have historically been sharing intelligence in relation to child exploitation material, for example), we expect to see increasing cooperation from governments and regulatory authorities to deal with the challenges of a rapidly evolving digital ecosphere.

The legal frameworks for some jurisdictions contain only reactive requirements, such as take-down notices (that are aimed at removing individual pieces of content). However, other online safety regimes are moving towards requiring online service providers to undertake proactive measures to prevent and minimise online harm (including UK, Australia, Singapore and potentially the USA if certain bills come to pass). In Australia, for example, online service providers are required to take reasonable steps to minimise harm, which can include measures such as moderating content and investing in detection technologies. The UK imposes a similar requirement through introducing legal ‘duties of care’ for in-scope providers to take more responsibility for the safety of their users. To comply with those duties, service providers need to conduct certain risk assessments and implement systems, processes and measures to mitigate the risk(s) identified.

As a result, we are seeing a shift in accountability for online harms to the in-scope service providers.

Regulatory efforts in the space seek to capture a broad range of tech companies. Although analysis of the types of entities regulated in each jurisdiction is complex and does not translate to a simple comparison, there is significant overlap between the categories. The laws of Australia, UK, Singapore and EU, among other jurisdictions, apply to a wide range of online service providers including social media platforms, e-commerce services, internet service providers, and hosting and storage service providers. Whilst the broad UK concept of "user-to-user" services (such as messaging apps, dating apps, games with communication functionalities and other social media platforms on which users interact with each other's content) is not a standalone category of regulated entities in all jurisdictions, some jurisdictions, such as Australia, capture this concept across other categories of in-scope entities.

Either way, almost all layers of the internet stack are implicated. Although, the extent of obligations that apply tends to differ depending on the nature of the service (and, in some cases, the risk of online harms presented by that service).

Historically, online safety laws have focused on the regulation of illegal content in the more sinister corners of the internet, regulating areas such as child exploitation and terrorism content. However, countries like the US, Indonesia, Australia and the UK have sought to address at least some aspects of harmful (but not necessarily illegal) content, including cyber bullying, harassment or violent material. Some countries also prohibit misinformation and hoaxes through their online safety regimes.

Given the potential impact of online harms, it is no surprise that non-compliance brings with it an armoury of enforcement powers for regulators as the corresponding sting in the tail. Chief among those powers is the ability to issue GDPR-style fines at a percentage of global annual revenue for the most egregious breaches under both the UK (10%) and EU (6%) regimes, with significant financial penalties also being levied in other jurisdictions such as Australia and Singapore. Whilst orders to remove content and block access to non-compliant online services also feature in some jurisdictions, it is the potential threat of criminal liability for senior management in jurisdictions such as the UK and Singapore that has catapulted online safety to a board level issue.