UK Online Safety Bill, coming next year, will propose fines of up to 10% of annual turnover for breaching duty of care rules

The U.K. is moving ahead with a populist but controversial plan to regulate a wide range of illegal and/or harmful content almost anywhere online such stuff might pose a risk to children. The government has set out its final response to the consultation it kicked off back in April 2019 — committing to introduce an Online Safety Bill next year.

“Tech platforms will need to do far more to protect children from being exposed to harmful content or activity such as grooming, bullying and pornography. This will help make sure future generations enjoy the full benefits of the internet with better protections in place to reduce the risk of harm,” it said today.

In an earlier partial response to the consultation on its Online Harms white paper ministers confirmed the U.K.’s media regulator, Ofcom, as its pick for enforcing the forthcoming rules.

Under the plans announced today, the government said Ofcom will be able to levy fines of up to 10% of a company’s annual global turnover (or £18 million, whichever is higher) on those that are deemed to have failed in their duty of care to protect impression eyeballs from being exposed to illegal material — such as child sexual abuse, terrorist material or suicide-promoting content.

Ofcom will also have the power to block non-compliant services from being accessed in the U.K. — although it’s not clear how exactly that will be achieved (or whether the legislation will seek to prevent VPNs being used by Brits to access blocked internet services).

The regulator’s running costs will be paid by companies that fall under the scope of the law, above a threshold based on global annual revenue, per the government, although it’s not yet clear where that pay-bar will kick in (nor how much tech giants and others will have to stump up for the cost of the oversight).

The online safety “duty of care” rules are intended to cover not just social media giants like Facebook but a wide range of internet services — from dating apps and search engines to online marketplaces, video sharing platforms and instant messaging tools, as well as consumer cloud storage and even video games that allow relevant user interaction.

P2P services, online forums and pornography websites will also fall under the scope of the laws, as will quasi-private messaging services, according to a government press release.

That raises troubling questions about whether the legal requirements could put pressure on companies not to use end-to-end encryption (i.e. if they face being penalized for not being able to monitor robustly encrypted content for illegal material).

“The new regulations will apply to any company in the world hosting user-generated content online accessible by people in the UK or enabling them to privately or publicly interact with others online,” the government writes in a press release.

The rules will include different categories of responsibility for content and activity — with a top tier (category 1) only applying to companies with “the largest online presences and high-risk features,” which the government said is likely to include Facebook, TikTok, Instagram and Twitter.

“These companies will need to assess the risk of legal content or activity on their services with ‘a reasonably foreseeable risk of causing significant physical or psychological harm to adults’. They will then need to make clear what type of ‘legal but harmful’ content is acceptable on their platforms in their terms and conditions and enforce this transparently and consistently,” it said.

Category 1 companies will also have a legal requirement to publish transparency reports about the steps they are taking to tackle online harms, per the government’s PR.

While all companies that fall under the scope of the law will be required to have mechanisms so people can easily report harmful content or activity while also being able to appeal the takedown of content, it added.

The government believes that less than 3% of U.K. businesses will fall within the scope of the legislation — adding that “the vast majority” will be Category 2 services.

Protections for free speech are also slated as being baked in — with the government saying the laws will not affect articles and comments sections on news websites, for example. 

The legislation will contain provisions to impose criminal sanctions on senior managers (introduced by parliament via secondary legislation). On this the government added that it will not hesitate to use the power if companies fail to take the new rules seriously (such as by not responding “fully, accurately and in a timely manner” to information requests from Ofcom).

Commenting on the plans in a statement, digital secretary Oliver Dowden said: “I’m unashamedly pro tech but that can’t mean a tech free for all. Today Britain is setting the global standard for safety online with the most comprehensive approach yet to online regulation. We are entering a new age of accountability for tech to protect children and vulnerable users, to restore trust in this industry, and to enshrine in law safeguards for free speech.

“This proportionate new framework will ensure we don’t put unnecessary burdens on small businesses but give large digital businesses robust rules of the road to follow so we can seize the brilliance of modern technology to improve our lives.”

In another supporting statement, home secretary Priti Patel added: “Tech companies must put public safety first or face the consequences.”

Also commenting, Ofcom CEO Dame Melanie Dawes welcomed its new broader oversight remit, adding in a statement that: “Being online brings huge benefits, but four in five people have concerns about it. That shows the need for sensible, balanced rules that protect users from serious harm, but also recognise the great things about online, including free expression. We’re gearing up for the task by acquiring new technology and data skills, and we’ll work with Parliament as it finalises the plans.”

The government has said it will publish Interim Codes of Practice today to provide guidance for companies on tackling terrorist activity and online child sexual exploitation prior to the introduction of legislation — which is unlikely to make it into law before late 2021 at the earliest to allow adequate time for parliamentary debate and scrutiny.

And while a noisy political push to “protect kids” online can expect to enjoy plenty of tabloid-level support, the wide-ranging application of the duty of care rules the government is envisaging — with large swathes of the U.K.’s tech sector set to be impacted — means ministers can expect to attract plenty of homegrown criticism too, from business groups, entrepreneurs and investors and legal and policy experts, including over specific concerns about knock-on impacts on privacy and security.

Its plan to push ahead with an Online Safety Bill that will impact scores of smaller digital businesses, instead of zeroing in on the handful of platform giants that are responsible for generating high volumes of harms, has already attracted criticism from the tech sector.

Coadec, a digital policy group that advocates for startups and the U.K. tech sector, branded the plan “a confusing minefield” for entrepreneurs — arguing it will do the opposite of fostering digital competition, counteracting other measures recently announced by the government in response to concerns about market concentration in the digital advertising sphere.

“Last week the Government announced a new unit within the CMA [Competition and Markets Authority] to promote greater competition within digital markets. Days later they have announced regulatory measures that risk having the opposite effect,” said Dom Hallas, Coadec’s executive director in a statement. “86% of UK investors say that regulation aiming to tackle big tech could lead to poor outcomes that damage tech startups and limit competition — these plans risk being a confusing minefield that will have a disproportionate impact on competitors and benefit big companies with the resources to comply.”

“British startups want a safer internet. But it’s not clear how these proposals, which still cover a huge range of services that are nowhere near social media from ecommerce to the sharing economy, are better targeted than the last time government published proposals nearly a year and a half ago,” he added. “Until the Government starts to work collaboratively instead of consistently threatening startup founders with jail time it’s not clear how we’re going to deliver proposals that work.”

One gap in the government’s proposal is financial harms — with issues such as fraud and the sale of unsafe goods explicitly excluded from the framework (as it says it wants the regulations to be “clear and manageable” for businesses and to avoid the risk of duplicating existing rules).

Some “lower-risk” services may also be exempt from the duty of care requirement, per the government, to avoid the law being overly burdensome.

Email services will also not be in scope, it confirmed.

And while it says some types of advertising will be in scope (such as influencer ads posted on social media) ads placed on an in-scope service via a direct contract between an advertiser and an advertising service (such as Facebook or Google Ads) will be exempt because “this is covered by existing regulation” — which looks set to let the adtech duopoly off the harmful ads hook without good clear reason.

After all, existing U.K. regulations do not seem to have done much to stem the tide of crypto scam ads running on Facebook (or served via Google’s ad tools) in recent years — which led to a campaign by a consumer advice personality to get Facebook and other companies to clean up their act, for example.

Consumer group Which? has criticized the lack of government attention to financial scams in the Online Safety Bill. In a response statement, Rocio Concha, its director of policy and advocacy, said: “It’s positive that the government is recognising the responsibility of online platforms to protect users, but it would be a big missed opportunity if online scams were not dealt with through the upcoming bill. Our research has shown the financial and emotional toll of scams and that social media firms such as Facebook and search engines like Google need to do much more to protect users.

“We look forward to the detail and hope to see a clear plan to give online platforms greater responsibility for fraudulent content on their sites, including having in place better controls to prevent fake adverts from appearing, so that all users can be confident that they will truly be safe online.”

European Union lawmakers are due to unveil their own pan-EU policy package to regulate illegal and harmful content later today — but the Digital Services Act will tackle the sale of illegal goods online as well as proposing to harmonize rules for reporting troublesome content on online services.