The proposals in the online harms white paper
The white paper proposes a new statutory framework for internet companies. It proposes that a duty of care should be established “to make companies take more responsibility for the safety of their users and tackle harm caused by content or activity on their services”, and that compliance with the duty will be overseen and enforced by an independent regulator. The regulator would set out in codes of practice how companies can fulfil their new legal duty.
Central to the proposed new regulatory framework will be developing a “culture of transparency, trust and accountability”, with companies likely to be required to provide annual transparency reports outlining the prevalence of harmful content on their platforms and the measures taken to address them. These reports will be published online by the regulator, allowing users and parents to make informed decisions about internet use.
The regulator’s proposed enforcement powers will include the issuing of fines, and the government is consulting on what powers should be available in the most serious cases. Proposals include imposing liability on individual members of companies’ senior management, and even blocking non-compliant services in this jurisdiction, which the paper describes as “an enforcement action of last resort”. These are broad proposals, and it is important that further thought is given to the effects they may have on the way in which internet use develops.
There appears to be little resistance from the big tech companies to the idea of being regulated. In fact, for some time now there seems to have been a recognition that regulation is likely to be both necessary and useful. That has already been seen in the US, where the big tech companies have been lobbying Congress for a national privacy statute. And here, in anticipation of the white paper, those companies wrote to ministers in February to set out their thoughts on how regulation in this jurisdiction might work. They argued that regulation should:
- be targeted at specific harms, using a risk-based approach that recognises that different harms need different solutions;
- provide flexibility to adapt to changing technologies, different services and evolving societal expectations;
- maintain the intermediary liability protections that enable the internet to deliver significant benefits for consumers, society and the economy;
- be technically possible to implement, noting that smaller internet companies have less capability to implement significant technological solutions;
- provide clarity and certainty for consumers, citizens and internet companies, e.g. as to the kinds of content and behaviour that are acceptable online; and
- recognise the distinction between public and private communication, ensuring it does not enable the surveillance of private communications.
In a recent article published in the Washington Post, Mark Zuckerberg stated that the internet needs new rules, specifically in the areas of harmful content, election integrity, privacy and data portability, and he argued for “a more active role for governments and regulators”. In relation to harmful content, he stated that Facebook has created an independent body to enable people to appeal Facebook’s decisions. Acknowledging that “internet companies should be accountable for enforcing standards on harmful content”, he also proposed that a third party body should “set standards governing the distribution of harmful content and to measure companies against those standards”. This chimes with the approach that the government is proposing.
Some representatives of smaller tech companies believe it is no surprise that the large tech companies have come down in favour of regulation since, they say, it is only the large tech companies that have the resources to comply with the new regime, leaving the smaller companies most vulnerable to enforcement action. Yet that concern is something which the big tech companies themselves raised in their letter, and it is also a point which the white paper meets head on, It said: “To ensure a proportionate approach and avoid being overly burdensome, the application of the regulatory requirements and the duty of care model will reflect the diversity of organisations in scope, their capacities, and what is technically possible in terms of proactive measures”.
The problems with the proposed new 'duty of care'
If some form of regulation seems to be largely uncontroversial, the proposed duty of care is more complicated. The creation of a specific statutory duty of care is a highly unusual thing in itself and is not a step which has been, or should be, taken lightly.
In general, the law of negligence has developed incrementally through case law. There are some limited examples of a duty of care being imposed on a statutory basis, for example in relation to occupiers’ liability, but these were created to address specific anomalies rather than to forge new legal frontiers. The duty of care being proposed is more vague. It relates to all harms addressed in the white paper, i.e. content which is illegal and content which is legal but harmful, with more stringent requirements applying to the former.
What seems to be being proposed is that a company will be in breach of the duty of care if it fails to comply with the codes of practice which the regulator will publish. Those codes will set out “the systems, procedures, technologies and investment, including in staffing, training and support of human moderators, that companies need to adopt to help demonstrate that they have fulfilled their duty of care to their users”. So it is apparently envisaged that where there has been some sort of systemic failing on the part of a company to meet the requirements set out in the codes of practice then this will amount to a failure to fulfil the duty of care.
However, it is not clear whether or how this really alters the position for an individual who wishes to bring a claim in the courts based on content on an internet company’s service. The duty does not seem to give rise to a new cause of action enabling individuals to bring claims in negligence against internet companies for hosting content to which they object. However, the white paper does envisage that “the regulatory model will provide evidence and set standards which may increase the effectiveness of individuals’ existing legal remedies”.
This section of the white paper refers specifically to currently available negligence and breach of contract claims, but then states that “if the regulator has found a breach of the statutory duty of care, that decision and the evidence that has led to it will be available to the individual to use in any private action”. It is unclear whether the government has really thought this aspect of the proposals through.
The interaction between the new regime and the existing safe harbours is also unclear. It is notable that the white paper states that “the new regulatory framework will increase the responsibility of online services in a way that is compatible with the EU’s e-Commerce Directive”, though it does appear to anticipate “mandating specific monitoring that targets where there is a threat to national security or the physical safety of children”.