This blog post was first published by Law360.

In May 2021, the U.K. government published its draft Online Safety Bill. The bill evidences the U.K.'s attempt to establish itself as a global leader in regulating the internet, with the ambitious goal of making the U.K. "the safest place in the world to be online."¹

The bill has since been scrutinized by a U.K. parliamentary joint committee, which published its report in December 2021, recommending changes to strengthen the draft legislation.

The most significant of the committee's recommendations is the proposed inclusion of a new criminal safety controller offense, which imposes personal liability on senior managers of companies that repeatedly fail to comply with their obligations, where those failures result in a significant risk of serious harm to users.

This article considers whether the proposed extension of personal liability under the safety controller offense is likely to be an effective enforcement tool or a proportionate means of attributing criminal liability to individuals.

Proposed Regulation Under the Bill

The bill aims to prevent the spread of both illegal content — e.g., indecent images of children and material promoting terrorism — and legal but still harmful content — e.g., misinformation and offensive content, as well as content promoting self-harm.

The bill will create a new duty of care to protect users of search engines and user-to-user services with links to the U.K., together called regulated services. User-to-user services are online platforms that allow users to publicly post content and platforms that allow users to message each other online.

A Regulated Service is deemed to have links to the U.K. if it has a significant number of U.K. users, U.K. users form one of its target markets, or it is capable of being used in the U.K. and U.K. users would face a risk of harm from its content. Although there are a few types of service that are exempt under the bill, including text messaging services, many technology companies headquartered outside the U.K. will still fall within its scope.

This new duty of care will impose different requirements on different types of regulated services. All regulated services will have a duty to assess the risk of illegal content on their platform and take proportionate steps to mitigate the risks of harm posed by such content.

Regulated services that are likely to be accessed by children must also assess the risk of harm to children on their platform and take proportionate steps to mitigate these risks. The largest regulated services, known as Category 1 companies under the bill, will have further duties, including a responsibility to assess the risk of physical or psychological harm that legal content on their platforms poses to adults.

Such content could include, for example, misogynistic content that does not reach a threshold of criminality.

Penalties Under the Current Draft of the Bill

Ofcom, the U.K.'s communications regulator, will have its remit expanded dramatically under the bill to be responsible for uncovering, investigating and sanctioning breaches of the new duty of care. Given the scale and inherent complexities of online regulation, Ofcom's new role will be as challenging as it is important.

The bill gives Ofcom the power to bring civil enforcement actions against regulated services for noncompliance, with penalties including business disruption measures and fines of up to £18 million or 10% of global annual turnover.

There was much discussion in the run-up to the publication of the bill about whether it should also impose criminal liability for noncompliance.

Ultimately, the bill proposed three new criminal offenses, which are limited in scope: (1) failing to respond to an information request from Ofcom; (2) providing false information in response to such a request; and (3) providing encrypted information in response to such a request.

Criminal liability for these offences is imposed on both the Regulated Service and the senior manager who is named on the relevant information request.

More Proposed Personal Liability

The U.K. parliamentary joint committee's report proposed that the bill include a new criminal offense for senior managers. Under these proposals, each Regulated Service would appoint a senior manager, either at board level or reporting to the board, known as a safety controller.

The safety controller would be personally criminally liable for a Regulated Service's failure to comply with its obligations under the bill, where there is clear evidence of repeated and systemic failings that result in a significant risk of serious harm to users.

Potential Difficulties With the Safety Controller Offense

On first reading, this new safety controller offense appears to be a major departure from the criminal liability anticipated by the previous draft of the bill. In practice, however, the new offense is likely to prove a difficult enforcement tool to deploy effectively.

The proposed offense sets a high bar for the prosecution to clear: It must be established not only that the service provider failed to comply with its obligations, but also that there is clear evidence of repeated and systemic failings and that significant harm was caused to users.

It is likely that only repeat offenders that have failed to improve their conduct would be targeted. Establishing that significant harm was caused to users would also not be straightforward, as prosecutors would need to prove that the harmful content had reached users and that identifiable users had been seriously harmed by that content.

Back to the Drawing Board?

The need for the U.K. government to strike a balance between the protection of the public from harm and protection of freedom of expression, coupled with the need to preserve the U.K.'s reputation as an attractive place of business, remains as acute as it was when the bill was at the white paper stage.

The risk with the proposed new safety controller offense is that it proves to be neither an effective enforcement tool nor a proportionate means of attributing criminal liability. Parliament should be cautious before introducing it into the next draft of the bill.