The Online Safety Bill (the “OSB”) is back on the UK Government’s legislative agenda, this time with an important update relating to criminal liability of senior managers. Following some political wrangling, back-bench MPs have successfully pressured the Government to expand the scope of criminal liability for senior managers of regulated services that fail to protect children online.
A change of approach
We wrote previously about the OSB’s proposed narrow scope of criminal liability for senior managers. In the bill’s previous iteration, senior managers were criminally liable only if their company failed properly to respond to information requests from the regulator, Ofcom.
By mid-January 2023, however, the issue of senior manager criminal liability in the OSB had become a hot topic for MPs, and a proposed amendment had gained the backing of nearly 50 back-bench MPs. This amendment would have created criminal liability for senior managers where the regulated service failed to comply with safety duties in the OSB that aim to protect children online, and where the offence was committed with a senior manager’s “consent or connivance” or if it was “attributable to [their] neglect”.
Under pressure, the Government confirmed in a statement on 17 January 2023 that the next draft of the OSB will include expanded criminal liability for senior managers.
What will criminal liability in the new OSB look like?
The amended senior manager criminal liability clauses of the OSB have not yet been put forward, but the Government’s statement provides some clues as to what these might look like.
First, the statement confirmed that the updated OSB will introduce liability for senior managers who “have consented or connived in ignoring enforceable requirements, risking serious harm to children”. The idea of “serious harm” is new; the back-benchers' amendment did not specify the level of harm required to trigger criminal liability. Notably, while “consented or connived” is taken from the back-benchers’ amendment, the Government’s statement does not mention “neglect”.
Second, the statement asserts that the new amendment will be based on the Irish Online Safety and Media Regulation Act 2022 (the “Irish Act”). Under the Irish Act, an appointed “Online Safety Commissioner” can determine that a regulated company has not complied with binding “online safety codes” and issue a notice specifying the steps that the company must take to rectify its non-compliance. Senior managers can be held personally criminally liable for the company’s failure to comply with the terms of this notice.1
Considering the provisions of the Irish Act alongside the Government’s statement, it appears that the updated OSB may impose criminal liability for senior managers only in cases where Ofcom has expressly directed a regulated service to change its conduct, and a senior manager has been responsible for the regulated service’s failure to do so.
This pending amendment, should it take the form anticipated by the Government’s statement, would be a material change for the OSB, as it would impose criminal liability on senior managers of regulated services that fail to comply with the central tenet of the legislation, which is to protect children online. The OSB had previously planned to impose only civil penalties for such failures.
However, it seems that the bar for personal criminal liability in the OSB will remain high, as the updated draft is likely to focus on deliberate, rather than negligent, conduct of senior managers. The Government’s indication that personal criminal liability will be imposed when regulated services’ conduct is committed with the “consent or connivance” of a senior manager mirrors language commonly used in other UK legislation, for example the Theft Act 19682, the Bribery Act 20103, and the Fraud Act 20064. “Consent and connivance” has previously been interpreted to require that the senior manager knew or inferred the material facts that constituted the offence by the company, and nonetheless agreed to the company’s conduct.5 Other legislation6 has included language that also establishes personal liability where the company’s criminal conduct is “attributable to any neglect” of the senior manager, but the Government has suggested that the OSB will not include this language. This indicates that the OSB may aim to target bad actors who deliberately fail to engage with Ofcom in respect of online harms.
As discussed in a previous post, civil fines can often offer a more proportionate and effective sanction than imposing personal criminal liability when seeking to encourage regulatory compliance. The OSB is an important piece of legislation that will cover new ground in terms of regulating online services in the UK. Its priority should be facilitating regulated services’ compliance with wide-ranging new obligations and encouraging a constructive engagement between Ofcom and the regulated services. Imposing criminal liability on senior managers may not be an effective way of doing this.