The government’s Online Harms White Paper proposes a new online safety framework, to be implemented, overseen and enforced by “an independent regulator” with “effective enforcement powers”. However, the details of who this regulator will be and what enforcement powers it will possess are still rather sketchy. Will it be a new or existing body? How will its responsibilities fit into the existing system? What powers will it have to enforce the new regime? This article looks at the current options on the table, as well as the potential problems.
What would the regulator’s responsibilities be?
The regulator is a central plank of the proposed new framework. It will be responsible for overseeing and enforcing companies’ compliance with the new statutory duty: to take reasonable steps to keep users safe and to combat illegal and harmful activity on their services. Any company that allows users to share user-generated content or to interact with each other online will be within the regulator’s remit. (See our other articles for more information on which harms and companies may be in scope).
The regulator will be charged with establishing how companies should comply with the duty of care, by developing codes of practice and other guidance. (Although, the Home Secretary will have final sign-off on the codes relating to terrorist activity and child sexual exploitation). It will also be expected to help to raise awareness of online safety (e.g. by commissioning research), and promote the development and adoption of safety technologies (e.g. by providing support to start-ups and SMEs). It will be asked to take a “risk-based” and “proportionate” approach to enforcement.
Who would be the new regulator?
This is yet to be decided. The White Paper suggests two options: (1) Setting up a new dedicated regulator from scratch; or (2) Extending the responsibilities of an existing regulator.
Option 1 could provide a clearly-focussed body with a distinct remit, but would lead to increased set-up time and costs. Option 2 could take advantage of established resource and expertise, but the choice would be complicated, as this new remit would need to be compatible with existing responsibilities. The broadcasting regulator, Ofcom, is likely to be the front runner in the event Option 2 is chosen.
Regardless of which body ends up with the responsibility, a key challenge will be attracting the digital and tech expertise required to be able to operate effectively in the industry – something that can sometimes be conspicuously lacking in parliamentarians’ efforts to scrutinise the activities of tech companies.
The intention is for the regulator to become fully funded by industry in the medium term; the options being explored include charges or a levy on in-scope companies.
What powers should the regulator have?
The regulator’s core powers will be familiar from other regulatory regimes. They will include, for example, naming and shaming companies that fail to meet the required standards, and issuing civil fines for proven breaches.
However, several more distinctive powers are also being considered:
- Senior management liability – holding individuals personally accountable for major breaches of the statutory duty, and imposing civil fines or even criminal liability. This is a tactic used in the compliance regimes applicable in the financial services sector.
- Disruption of business activities – in the case of an extremely serious breach, such as failing to prevent terrorist activity on a service, forcing third parties to withdraw services so that e.g. the service no longer appears in search engine results, app stores or on social media platforms.
- ISP Blocking – apparently an option of last resort, where a company has committed serious and repeated violations with respect to illegal harms, this would effectively mean that a service would not be accessible in the UK (though there are fairly commonplace technical workarounds available).
- Nominated representatives – requiring non-UK companies, in certain circumstances, to appoint a UK or EEA-based ‘nominated representative’. This move is taken from the GDPR playbook and is designed to combat the enforcement challenge presented by the global nature of the digital economy.
Companies would be able to seek judicial review of the regulator’s decisions, whilst potential statutory appeal mechanisms, such as appeals to a tribunal, are still being explored.
Criticism of the proposals
Responses from several interested parties have argued that these proposals leave an awful lot to the regulator’s discretion. The concept of ‘harm’ is nebulous and the list of harms in scope has deliberately been designated as ‘non-static’. Some see this as effectively giving the regulator the power to decide what it considers harmful and then to use its (potentially very significant powers) to unilaterally ban it, with clear consequences for freedom of speech and rule of law principles. By way of example, the Internet Association’s response to the White Paper argues that “the current proposal risks allowing a regulator to limit access to legitimate information in an opaque and arbitrary manner, in effect banning speech without openly declaring it unlawful“.
One of the answers to this criticism is the application of some level of parliamentary scrutiny. The Paper suggests, for example, that parliament could be required to approve the finalised codes of practice developed by the regulator. But this remains a far cry from outlawing clearly defined and specific harms by presenting a bill to parliament, which is then debated and approved.
It remains to be seen whether more certainty and oversight can be incorporated as the proposals are developed, and whether these concerns will be allayed.
The Online Harms consultation
The consultation following the release of the White Paper is still on-going and the questions include those relating to the regulator’s responsibilities, funding and powers. Responses can be submitted here until 1 July 2019.
You can see all the content from our Online Harms White Paper series here.