The U.K. Government recently introduced an updated draft of the Online Safety Bill (the “OSB”) to Parliament.  The OSB is the U.K.’s first significant piece of legislation regulating online behavior.  It proposes wide-ranging new obligations for social media companies and search engines and appoints Ofcom as their regulator.  It also creates new criminal offences for individuals relating to online harassment and abuse.

We wrote previously about parliamentary recommendations that a new “safety controller” criminal offence be introduced in the OSB. The Government has not included these proposals in the latest draft. Without the safety controller offense, the criminal sanctions that can be imposed on regulated services under the OSB are very limited, and the legislation clearly prioritizes civil sanctions.  This article considers Ofcom’s enforcement powers under the new draft of the OSB.

Limited criminal liability for regulated services

As discussed in our previous article, the safety controller offense would have made a senior manager at each regulated service personally criminally liable for their employer’s failure to comply with its obligations under the OSB, where there was clear evidence of repeated and systemic failings resulting in a significant risk of serious harm to users.  There would have been significant difficulties with enforcing this offence. It is therefore unsurprising that the Government rejected it in the latest draft of the OSB.

Jettisoning the safety controller offense means that the only criminal offenses that apply to regulated services in the new draft of the OSB are “information offenses”.¹  These criminalize failures to respond properly to an information request from Ofcom, including failing to attend an interview, destroying evidence, and providing false information. They create criminal liability for both the regulated service and the senior manager who is named in the information request.  The OSB’s new information offenses are similar to those that apply to financial service firms that fail to respond to information requests from the Financial Conduct Authority.²

In practice, the scope of the information offences is fairly narrow.  If a regulated service fails to comply with an information request, it will not commit an offense if it was not reasonably practicable to comply with the information request at the time, so long as it has since taken all reasonable steps to comply.  This means that prosecutions will probably be brought only where regulated services have deliberately avoided complying – for example, by hiding or destroying information. Simple delayed responses are unlikely to result in prosecution.

Prioritization of civil penalties

Ofcom is still given significant civil enforcement powers under the OSB.  It can impose business disruption measures and fines of up to £18 million or 10% of global annual turnover (whichever is higher) on regulated services that do not comply with their obligations. Regulated services’ obligations include taking proportionate steps to address illegal content online and protecting children from harmful content.  The largest regulated services must also take proportionate steps to protect adults from harmful but legal content, and to remove fraudulent advertisements from their platforms.

Conclusion

The limited scope of the information offences shows that the Government is prioritizing civil enforcement over criminal.  While the latest draft of the OSB does create some other new criminal offences, known as the “communications offenses”, these target internet users, rather than online platforms that host content. These new communications offences make it illegal to send or post harmful, false, or threatening communications online, and create a new offense of cyberflashing. 

Although the idea of wider criminal liability has been dispensed with, Ofcom has nonetheless been empowered to impose extremely large fines, which should focus the minds of senior managers of regulated services.  Imposing individual criminal liability on senior managers for failures of their employers would probably have been neither proportionate nor fair.

Moreover, the OSB is likely to mark the start of a comprehensive regulatory framework being put in place for social media companies and search engines in the U.K. It is therefore important at this early stage to encourage a culture of regulatory compliance and co-operation. Guidance on how to comply with the new rules should be prioritized over the imposition of civil penalties, and criminalization should be used only as a last resort.