The end of "self-regulation": UK to introduce world first statutory duty of care to combat harmful online content

In a world first, the UK Government yesterday unveiled plans to introduce tough new measures requiring social media companies and technology firms, among others, to protect online users. Chief among the proposals is a statutory duty of care for online service providers to take reasonable steps to protect users from harmful content, with those within scope facing substantial fines (and individual liability for members of senior management) where the duty is breached. The proposed online safety framework signals the end of self-regulation, and demonstrates the UK Government's clear intention to take comprehensive action to tackle harmful online content.

After much speculation, the UK Government published its long awaited Online Harms White Paper yesterday. The White Paper puts forward ambitious plans for a "world-leading" package of online safety measures to help keep UK users, particularly children, safer online, as well as "support innovation and a thriving digital economy". Home Secretary Sajid Javid stated that  despite "...repeated calls to action, harmful and illegal content – including child abuse and terrorism – is too readily available online". Digital Secretary Jeremy Wright further noted that voluntary actions from the industry to tackle online harms have not been applied consistently or gone far enough; the era of self-regulation is therefore over.

The key proposals set out in the White Paper include the following:

Statutory duty of care: The White Paper introduces a statutory duty of care requiring those organisations within scope (see below) to take more responsibility for the safety of their users; taking reasonable steps to keep users safe and prevent others coming to harm as a direct consequence of content or activity on their services. More stringent obligations apply in relation to certain unlawful harms, particularly where there is a threat to national security (such as terrorist activity) or the physical safety of children.

Independent regulator: Compliance with the duty of care will be monitored by an independent regulator, and the Government is currently considering whether this should be a new regulator or an existing one (such as Ofcom). The regulator will implement, oversee and enforce the new regulatory framework, as well as publish codes of practice setting out how to fulfil the new legal duty. The Government anticipates that the regulator will be cost neutral to the public sector – it will be industry funded in the medium term and the Government is exploring options such as fees, charges or a levy on those organisations whose services fall within the scope of the proposals, to put the regulator on a more sustainable footing.

Substantial fines and personal liability for senior managers: The regulator will have a range of enforcement powers, including the power to issue substantial fines. The Government are consulting on further enforcement powers including to impose liability on individual members of senior management (this could include personal liability for civil fines or could even extend to criminal liability), dispute the business activities of non-compliant companies and block non-compliant services.

Codes of practice: The codes of practice developed by the independent regulator will include an outline of the systems, procedures, technologies and investment that companies need to adopt to help demonstrate they have fulfilled their duty of care to their users. There will be a strong expectation that organisations will follow the guidance set out in these codes. If they chose not to, organisations will need to explain and justify to the regulator how their alternative approach will effectively deliver the same or greater level of impact – an approach with which organisations will already be familiar from other codes of conduct, such as the ICO's code of practice on data sharing.

Organisations will need to be able to show that they are fulfilling their duty of care. Relevant terms and conditions will be required to be sufficiently clear and accessible, including to children and other vulnerable users. The regulator will assess how effectively these terms are enforced as part of any regulatory action, elevating the potential importance of these terms and an organisation's compliance with them (where historically these have been of little significance to regulators).

Transparency reporting: The White Paper introduces a requirement on organisations to publish annual transparency reports, outlining the prevalence of harmful content on their platforms and what counter-measures they are adopting to address these.

Complaint response: As part of the new duty of care, the Government will expect organisations within scope of the proposals to have easy-to-access user complaints functions and respond to users' complaints within an appropriate timeframe.

Safety by design: The White Paper suggests implementing a new "Safety by Design" framework to help companies consider and incorporate online safety features in new apps and platforms from inception. This echoes other existing concepts such as that of "privacy by design" and "security by design" enshrined in the EU GDPR.

Broad scope: The new regulatory framework is intended to be wide-reaching , applying across a variety of online platforms and services and defined with reference to the services provided by the companies, rather than a specific business model or sector. It is expected to apply to all companies that provide services or tools that allow, enable or facilitate users to share or access user-generated content or interact with each other online. The scope will include social media platforms, public discussion forums, messaging services and search engines, retailers that allow users to review products online, along with non-profit organisations, file sharing sites and cloud hosting providers. Any requirement to scan or monitor content for tightly defined categories of unlawful content will not apply to private channels, reflecting the recognised importance of privacy. The regime also applies to companies of all sizes - from start-ups and SMEs to other organisations such as charities.

To address the global nature of both the digital economy and many of the companies in scope, the framework is expected to apply to companies that provide services to UK users. The regulator's powers will be designed to allow enforcement action against companies without a legal presence in the UK. The Government is considering requiring companies based outside the UK to appoint a UK or EEA-based nominated representative (akin to the concept of a nominated representative under the GDPR).

Risk-based and proportionate approach: The application of the regulatory requirements, however, is expected to reflect the diversity of organisations in scope, their capabilities and what is technically possible in terms of proactive measures. The Government states that it will minimise excessive burdens, particularly on small businesses and civil society organisations. The regulator will also take a risk-based and proportionate approach across the broad range of business types. This would involve an initial focus on companies that pose the biggest and clearest risk of harm to users, either because of the scale of the platforms or because of known issues with serious harms. The proportionate approach will also be enshrined in the legislation by making clear that companies must do what is "reasonably practicable".

The White Paper recognises the challenge of helping to shape an internet that is open and vibrant, but also protect users from harm. With this in mind, the regulator will have a legal duty to pay due regard to innovation, and to protect users' rights online, being particularly mindful not to infringe privacy and freedom of expression.

Yesterday's White Paper complements a number of recent national and EU-level initiatives to strengthen digital regulation. These include recent publication of the House of Lords Select Committee on Communications report on regulating the digital environment (March 2019) and the House of Commons Digital, Culture, Media and Sport Select Committee report concerning disinformation and 'fake news' (February 2019). At the EU-level, the European Commission has long supported initiatives to foster a trustful, lawful and innovation-driven ecosystem around online platforms in the EU. Online platforms have unsurprisingly remained a key strand of the Commission's Digital Single Market strategy and, among others, last year the Commission issued a Recommendation on measures to tackle unlawful content online and has published a Code of Practice and an Action Plan against disinformation.

Hayley Brady, Head of Media and Digital (UK) at HSF, commented:

"Online platforms are an important part of our digital economy. The UK Government's latest proposal to tackle harmful content online will no doubt be welcomed by a number of players in the industry, moving beyond self-regulation and instead providing clearer, consistent standards and oversight for regulating online content, reinforced by potential enforcement action.

Whilst the UK Government appears to be the first to attempt to address a comprehensive plethora of online harms in one coherent framework, the regulatory scrutiny of online platforms / social media aligns with wider trends beyond just the UK. These include calls for tighter regulation of online content to place it on more of an even keel with "offline" content, as well as a universal push towards online platform providers being required to take on more responsibility for the user-generated content on their platforms."

Publication of the White Paper launched the start of a 12-week consultation period and the Government is particularly interested to hear from industry, civil society, think tanks, campaigners and representatives in relation to the proposed framework. At the end of the consultation period (on 1 July 2019), the Government will prepare responses to the consultation and will set out the action it plans to take in developing final proposals for legislation.

Whilst a promising step in the right direction to ensure the UK is the "safest place in the world to be online" (one of the aims of the White Paper), it remains to be seen whether the proposed regulatory framework adequately strikes the age-old balance between ensuring sufficient accountability and oversight of online platforms, whilst also supporting the growth of digital business and innovation. As much of the detail will be set out in the codes of conduct to be developed by the proposed independent regulator (with stakeholder input), watch this space.

Authors