Privacy & Information Security Law Blog

Social media platforms, file hosting sites, discussion forums, messaging services and search engines in the UK are likely to come under increased pressure to monitor and edit online content after the UK Department of Digital, Culture, Media and Sport (“DCMS”) announced in its Online Harms White Paper (the “White Paper”), released this month, proposals for a new regulatory framework to make companies more responsible for users’ online safety. Notably, the White Paper proposes a new duty of care owed to website users, and an independent regulator to oversee compliance.

The White Paper sets out the UK Government’s response to growing public concern about illegal and harmful content online. Key harms that the Government seeks to address include the use of platforms to spread terrorist propaganda, facilitate child sexual exploitation, undermine democracy, promote gang culture, enable harassment and bullying and the hosting of content relating to self-harm and suicide.

The Government proposes a new regulatory framework, with clear standards, that will help companies to “ensure [the] safety of users while protecting freedom of expression.” It will establish a new duty of care, and an independent regulator to oversee and enforce this duty. The regulator will be required to publish codes of practice explaining how companies should meet the new standard of care, and will have the power to issue substantial fines and impose liability, including on senior managers. That said, the regulator’s primary objective will be to encourage effective and efficient remedial action, rather than to levy punitive fines. Accordingly, the regulator could demand annual transparency reports from companies, detailing the harmful material published on their platforms and explaining the steps they are taking to respond. These transparency reports would be published.

The White Paper emphasizes that the intention is for the regulator to take a proportionate approach, and that companies will only need to take the steps that are “reasonably practicable” to protect their users. It also clarifies that scanning or monitoring of content for illegal content would not apply to private channels of communication, though what is considered “private” is not yet defined.

Underscoring the fact that this initiative is focused on individuals, harm to organizations will be excluded from the scope of the new regulatory framework. Further, harms suffered by individuals as a result of a breach of data protection legislation, or cybersecurity breaches, will be excluded on the basis that they are already covered by other regulatory frameworks (e.g., the Data Protection Act 2018). Harms suffered by individuals on the dark web (rather than the open web) would also be excluded.

The proposal is likely to generate considerable, widespread debate. The consultation period is now open, concluding at 11:59pm on July 1, 2019. Responses and comments may be made online at: https://dcms.eu.qualtrics.com/jfe/form/SV_5nm7sPoxilSoTg9. DCMS will also host a series of workshops to gather evidence and opinion from interested parties.