UK publishes draft Online Safety Bill

The U.K. government has published its long-trailed (child) “safety-focused” plan to regulate online content and speech.

The Online Safety Bill has been in the works for years — during which time a prior plan to require age verification for accessing online porn in the U.K., also with the goal of protecting kids from being exposed to inappropriate content online but which was widely criticized as unworkable, got quietly dropped.

At the time the government said it would focus on introducing comprehensive legislation to regulate a range of online harms. It can now say it’s done that.

The 145-page Online Safety Bill can be found here on the gov.uk website — along with 123 pages of explanatory notes and a 146-page impact assessment.

The draft legislation imposes a duty of care on digital service providers to moderate user-generated content in a way that prevents users from being exposed to illegal and/or harmful stuff online.

The government dubs the plan globally “groundbreaking” and claims it will usher in “a new age of accountability for tech and bring fairness and accountability to the online world”.

Critics warn the proposals will harm freedom of expression by encouraging platforms to over-censor, while also creating major legal and operational headaches for digital businesses that will discourage tech innovation.

The debate starts now in earnest.

The bill will be scrutinised by a joint committee of MPs — before a final version is formally introduced to Parliament for debate later this year.

How long it might take to hit the statute books isn’t clear but the government has a large majority in parliament so, failing major public uproar and/or mass opposition within its own ranks, the Online Safety Bill has a clear road to becoming law.

Commenting in a statement, digital secretary Oliver Dowden said: “Today the UK shows global leadership with our groundbreaking laws to usher in a new age of accountability for tech and bring fairness and accountability to the online world.

“We will protect children on the internet, crack down on racist abuse on social media and through new measures to safeguard our liberties, create a truly democratic digital age.”

The length of time it’s taken for the government to draft the Online Safety Bill underscores the legislative challenge involved in trying to “regulate the Internet”.

In a bit of a Freudian slip, the DCMS’ own PR talks about “the government’s fight to make the internet safe”. And there are certainly question marks over who the future winners and losers of the U.K.’s Online Safety laws will be.

Safety and democracy?

In a press release about the plan, the Department for Digital, Media, Culture and Sport (DCMS) claimed the “landmark laws” will “keep children safe, stop racial hate and protect democracy online”.

But as that grab-bag of headline goals implies, there’s an awful lot going on here — and huge potential for things to go wrong if the end result is an incoherent mess of contradictory rules that make it harder for digital businesses to operate and for internet users to access the content they need.

The laws are set to apply widely — not just to tech giants or social media sites but to a broad swathe of websites, apps and services that host user-generated content or just allow people to talk to others online.

In-scope services will face a legal requirement to remove and/or limit the spread of illegal and (in the case of larger services) harmful content, with the risk of major penalties for failing in this new duty of care toward users. There will also be requirements for reporting child sexual exploitation content to law enforcement.

Ofcom, the U.K.’s comms regulator — which is responsible for regulating the broadcast media and telecoms sectors — is set to become the U.K. internet’s content watchdog too, under the plan.

It will have powers to sanction companies that fail in the new duty of care toward users by hitting them with fines of up to £18 million or 10% of annual global turnover (whichever is higher).

The regulator will also get the power to block access to sites — so the potential for censoring entire platforms is baked in.

Some campaigners backing tough new internet rules have been pressing the government to include the threat of criminal sanctions for CEOs to concentrate C-suite minds on anti-harms compliance. And while ministers haven’t gone that far, DCMS says a new criminal offence for senior managers has been included as a deferred power — adding: “This could be introduced at a later date if tech firms don’t step up their efforts to improve safety.”

Despite there being widespread public support in the U.K. for tougher rules for internet platforms, the devil is the detail of how exactly you propose to do that.

Civil rights campaigners and tech policy experts have warned from the get-go that the government’s plan risks having a chilling effect on online expression by forcing private companies to be speech police.

Legal experts are also warning over how workable the framework will be, given hard to define concepts like “harms” — and, in a new addition, content that’s defined as “democratically important” (which the government wants certain platforms to have a special duty to protect).

The clear risk is massive legal uncertainty wrapping digital businesses — with knock-on impacts on startup innovation and availability of services in the U.K.

The bill’s earlier incarnation — a 2019 White Paper — had the word “harms” in the title. That’s been swapped for a more anodyne reference to “safety” but the legal uncertainty hasn’t been swapped out.

The emphasis remains on trying to rein in an amorphous conglomerate of “harms” — some illegal, others just unpleasant — that have been variously linked to or associated with online activity. (Often off the back of high-profile media reporting, such as into children’s exposure to suicide content on platforms like Instagram.)

This can range from bullying and abuse (online trolling), to the spread of illegal content (child sexual exploitation), to content that’s merely inappropriate for children to see (legal pornography).

Certain types of online scams (romance fraud) are another harm the government wants the legislation to address, per latest additions.

The umbrella “harms” framing makes the U.K. approach distinct to the European Union’s Digital Service Act — a parallel legislative proposal to update the EU’s digital rules that’s more tightly focused on things that are illegal, with the bloc setting out rules to standardize reporting procedures for illegal content; and combating the risk of dangerous products being sold on e-commerce marketplaces with “know your customer” requirements.

In a response to criticism of the U.K. bill’s potential impact on online expression, the government has added measures which it said today are aimed at strengthening people’s rights to express themselves freely online.

It also says it’s added in safeguards for journalism and to protect democratic political debate in the U.K.

However, its approach is already raising questions — including over what look like some pretty contradictory stipulations.

For example, the DCMS’ discussion of how the bill will handle journalistic content confirms that content on news publishers’ own websites won’t be in scope of the law (reader comments on those sites are also not in scope) and that articles by “recognised news publishers” shared on in-scope services (such as social media sites) will be exempted from legal requirements that may otherwise apply to non journalistic content.

Indeed, platforms will have a legal requirement to safeguard access to journalism content. (“This means [digital platforms] will have to consider the importance of journalism when undertaking content moderation, have a fast-track appeals process for journalists’ removed content, and will be held to account by Ofcom for the arbitrary removal of journalistic content,” DCMS notes.)

However the government also specifies that “citizen journalists’ content will have the same protections as professional journalists’ content” — so exactly where (or how) the line gets drawn between “recognized” news publishers (out of scope), citizen journalists (also out of scope) and just any old person blogging or posting stuff on the internet (in scope… maybe?) is going to make for compelling viewing.

Carve outs to protect political speech also complicate the content moderation picture for digital services — given, for example, how extremist groups that hold racist opinions can seek to launder their hate speech and abuse as “political opinion”. (Some notoriously racist activists also like to claim to be “journalists”…)

DCMS writes that companies will be “forbidden from discriminating against particular political viewpoints and will need to apply protections equally to a range of political opinions, no matter their affiliation”.

“Policies to protect such content will need to be set out in clear and accessible terms and conditions and firms will need to stick to them or face enforcement action from Ofcom,” it goes on, adding: “When moderating content, companies will need to take into account the political context around why the content is being shared and give it a high level of protection if it is democratically important.”

Platforms will face responsibility for balancing all these conflicting requirements — drawing on Codes of Practice on content moderation that (the government assures us) will respect freedom of expression and which will be set out by Ofcom — but also under threat of major penalties being slapped on them by Ofcom if they get content decision calls wrong.

Interestingly, the government appears to be looking favorably on the Facebook-devised “Oversight Board” model, where a panel of humans sit in judgement on “complex” content moderation cases — and also discouraging too much use of AI filters which it warns risk missing speech nuance and over-removing content. (Especially interesting given the U.K. government’s prior pressure on platforms to adopt AI tools to speed up terrorism content takedowns.)

“The Bill will ensure people in the UK can express themselves freely online and participate in pluralistic and robust debate,” writes DCMS. “All in-scope companies will need to consider and put in place safeguards for freedom of expression when fulfilling their duties. These safeguards will be set out by Ofcom in codes of practice but, for example, might include having human moderators take decisions in complex cases where context is important.”

“People using their services will need to have access to effective routes of appeal for content removed without good reason and companies must reinstate that content if it has been removed unfairly. Users will also be able to appeal to Ofcom and these complaints will form an essential part of Ofcom’s horizon-scanning, research and enforcement activity,” it goes on.

“Category 1 services [the largest, most popular services] will have additional duties. They will need to conduct and publish up-to-date assessments of their impact on freedom of expression and demonstrate they have taken steps to mitigate any adverse effects. These measures remove the risk that online companies adopt restrictive measures or over-remove content in their efforts to meet their new online safety duties. An example of this could be AI moderation technologies falsely flagging innocuous content as harmful, such as satire.”

Another confusing-looking component of the plan is that while the bill includes measures to tackle what it calls “user-generated fraud” — such as posts on social media for fake investment opportunities or romance scams on dating apps — fraud that’s conducted online via advertising, emails or cloned websites will not be in scope, per DCMS, as it says “the Bill focuses on harm committed through user-generated content”.

Yet since internet users can easily and cheaply create and run online ads — as platforms like Facebook essentially offer their ad targeting tools to anyone who’s willing to pay — then why carve out fraud by ads as exempt?

It seems a meaningless place to draw the line. Fraud where someone paid a few dollars to amplify their scam doesn’t seem a less harmful class of fraud than a free Facebook post linking to the self-same crypto investment scam.

In short, there’s a risk of arbitrary/ill-thought through distinctions creating incoherent and confusing rules that are prone to loopholes. Which doesn’t sound good for anyone’s online safety.

In parallel, meanwhile, the government is devising an ambitious pro-competition ex ante regime to regulate tech giants specifically. Ensuring coherence and avoiding conflicting and/or overlapping requirements between that framework for platform giants and the Online Safety legislation’s wider digital harms rules is a further challenge.