In its initial response to the White Paper published in February 2020, the government indicated that it was “minded” to appoint Ofcom as the regulator responsible for oversight of the new regime, to be primarily funded from industry. While consultation responses were “balanced” as to the benefits and risks of appointing a new body as against extending the powers of an existing one, the government has confirmed Ofcom as the regulator, emphasising that empowering an existing regulator would “help the timely introduction of the online harms regime”. As Ofcom’s name has been bandied around throughout the whole consultation, the decision to stick with an existing regulator isn’t in itself that surprising, although the Final Response does contain some eye-catching detail, including regarding the “teeth” that the regulator will have to bring companies into line.
Ofcom’s Role and Function
Ofcom’s role requires it to be both pro-active and reactive, with its list of functions including:
- Setting out what companies need to do to fulfil the duty of care, including through codes of practice
- Establishing a transparency, trust and accountability framework
- Requiring all in-scope companies to have effective and accessible mechanisms for users to report concerns and seek redress for alleged harmful content or activity online, infringement of rights, or a company’s failure to fulfil its duty of care
- Assessing and responding to super-complaints
- Establishing user advocacy mechanisms to understand users’ concerns and experiences
- Taking prompt and effective enforcement action in the event of non-compliance, when it is appropriate and proportionate
- Providing support to start-ups and small and medium-sized enterprises to help them fulfil their legal obligations in a proportionate and effective manner
- Promoting education and awareness-raising about online safety to empower users to stay safe online
- Undertaking and commissioning research to improve our understanding of online harms, their impacts on individuals and society and how they can be tackled
Further, Ofcom will have a duty to have regard to encouraging innovation, similar to that to which it is already subject under the Communications Act 2003. This will be covered further in an article later in the series.
Codes of Practice
Of its list of functions, perhaps most questions remain around how Ofcom will elaborate on the steps required for companies to fulfil their “duty of care” under the proposal. We have been told that it will do this by issuing codes of practice. Whereas the Online Harms White Paper appeared to have originally envisaged individual codes of practice for each harm, the government’s Final Response departs from this idea (subject to the exceptions of terrorist content and child sexual exploitation and abuse, in respect of which the Government has already published interim codes of practice).
Instead, Ofcom will have the power to decide which codes of practice to produce, with the government setting objectives for these codes in secondary legislation. The objective of the codes will be subject to debate and affirmative resolution in Parliament. Individual codes of practice will be subject to a negative resolution procedure, whereby they will become law unless action is taken to the contrary.
It would appear these oversight requirements will act as a counterweight to Ofcom’s discretion in this respect. The Online Harms White Paper was subject to some criticism of the suggestion that defining the “duty of care” should be left to a regulator rather than to parliament. Critics also levied that the initial proposal would grant the regulator an excessively blank canvass with regard to its enforcement duties. These criticisms appear to have been heeded by the government in building in the additional levels of parliamentary scrutiny. However, it may also lead some to question whether the higher level of government oversight might compromise the independence of Ofcom as regulator, although the government notes Ofcom’s founding legislation already provides it with a high degree of independence.
Enforcement
The “principles and objectives” for enforcement have not changed greatly between the initial response and the Final Response. Indeed, the initial response already telegraphed a number of enforcement tools, including blocking measures for more egregious breaches of the duty of care. The Final Response provides some further detail regarding those tools.
Overall Approach
The Final Response states that “the regulator will strongly encourage compliance with the regime in the first instance and provide clear grounds for any intervention and escalation. The focus will be on ensuring that companies have compliant systems and processes in place, rather than on specific pieces of content.” In the first instance, Ofcom will be able to issue directions for improvement and notices of non-compliance to companies that it perceives to be failing to uphold their duty of care. Following this, Ofcom has an escalating series of additional actions or measures that it can take against companies that remain in breach of their duty. While the language of “encouraging” companies into compliance will be welcomed by those transitioning from self-regulation to the new regime, Ofcom has been given some serious tools to deal with those companies who do not fall into line.
Fines
In order to “ensure the effective implementation of the regime”, Ofcom will be granted the power to issue eye-watering fines of up to £18 million or 10% of annual global turnover, whichever is greater. While the government states these fines are “in line” with the sorts of fines Ofcom already dishes out, when you consider the size of some of the companies likely to face the most burdensome obligations under this new regime, there is scope for some record-breaking penalties should Ofcom choose to impose the highest level of fine.
Quite how egregious a breach of the duty will have to be in order to merit such a fine remains to be seen, but their inclusion in Ofcom’s list of powers acts as a signal of intent from the government as to how seriously it is taking the need to police harms online.
Disruption of business activities
As outlined in the White Paper, Ofcom will have the power to disrupt business activity. These measures have been split into Level One and Level Two measures, with the latter being reserved for “serious failures of the duty of care”. Level One measures will include the ability to take action that “make[s] it less commercially viable for a non-compliant company to provide services to UK users”, as well as enabling Ofcom to require companies to withdraw access to key services, enforceable through a court order if necessary. No further detail is provided on how these measures will work.
The Level Two measures include one of the more controversial aspects of the Online Harms White Paper, the power for Ofcom to get a blocking injunction against companies who have seriously failed in upholding their duty of care. While there were strong voices warning that such measures were excessive, they have survived into the Final Response. Nevertheless, this gives rise to questions as to how such injunctions will be utilised, something on which there is relatively little detail in the response. Ofcom will be required to get a court order for such sanctions in order to “safeguard freedom of expression”. There are other issues to consider, not least the general requirements that such measures be necessary, effective and proportionate.
Information Gathering Powers
Although this topic was not responded to directly in the initial response to the Online Harms White Paper, Ofcom will be given some additional powers to bolster its investigations into companies it suspects are not in compliance with the regulatory framework. There are several of particular note. Where there are “reasonable grounds” to suggest a company is not compliant, Ofcom will be able to enter companies’ premises to access documentation, data and equipment to check if the company is taking sufficient measures. While the details of this investigative power are yet to be confirmed, it could represent a significant tool for Ofcom, particularly if such measures could be taken without notice.
Further, the Final Response indicates that Ofcom will be able to request information not only from companies in scope but from third parties as well. While the detail around the information gathering powers is limited, the Final Response does highlight the need for Ofcom to take a “proportionate” approach to such actions.
Senior Management Liability
Another area of the White Paper which was the subject of strong debate were plans to make senior management personally liable for failure to comply with the regulator’s codes of practice, with critics highlighting the potential impact on the attractiveness of the UK tech sector. However, the government has reserved the right to introduce criminal sanctions for senior managers “who fail to respond fully, accurately, and in a timely manner, to information requests from the online harms regulator”. Such powers will not be introduced until at least two years after the regulation comes into effect. Although envisaged as a measure of last resort, this is unlikely to pacify those who consider the imposition of criminal liability for managers draconian.
Enforcement in the International Context
The Final Response states that “it will be possible for the regulator to take enforcement action against any company, irrespective of where it is based in the world, if it provides services to UK users that are in scope of the online harms regime”. As we have noted previously, the scope of the Online Safety Bill is designed so as to include any company that hosts user generated content accessible in the UK or facilitates online interactions between users (one or more of whom is in the UK).
As part of this, the proposal in the White Paper that companies should have a “nominated representative” in the UK or EEA to assist the regulator in taking action against those companies based outside that area has been removed, with the government heeding concerns from some respondents about the costs and operational issues that would be faced by smaller businesses in particular.
While the international nature of online communications of course drives the logic of international enforcement provisions and objectives, what Ofcom’s role in such international enforcement could be remains unclear. There are inherent practical difficulties making companies not present in the UK comply with such enforcement measures, particularly those that do not have any assets in the UK. These issues may be compounded by different approaches to the regulation of online material that are taken in different jurisdictions. It is not difficult to imagine US courts, for example, being sympathetic to challenges to enforcement orders based on the First Amendment in respect of “harmful” rather than illegal content. Given that a number of the companies who will fall within the scope of the Online Safety Bill are likely to be based in the US this is a potential issue to which the Final Response has not provided an answer, although the government does note that “[it] is working closely with many of our international partners to address [the] shared challenge in order to work towards common approaches to tackling online harms”
Where are we now?
The Final Response provides some welcome clarity regarding the role of Ofcom in enforcing compliance with the newly established duty of care. While the selection of Ofcom as regulator was not a complete consensus choice, its position as an established body with substantial experience regulating communications makes it slightly more predictable than opting for an entirely new body. Its enforcement powers indicate that the government means business in terms of forcing compliance with the new Online Safety framework. However, legislators will still have some work left to do to sharpen the new regulator’s “teeth”.