Ofcom publishes Online Safety Roadmap
Online harms regulator Ofcom has revealed an Online Safety Roadmap, provisionally setting out its plans to implement the UK’s forthcoming web security regime.
The Online Safety Bill – which has handed committee stage within the House of Commons and is topic to modification because it passes by way of the remainder of the parliamentary course of – will impose a statutory “duty of care” on know-how corporations that host user-generated content material or permit individuals to speak, which means they might be legally obliged to proactively establish, take away and restrict the unfold of each unlawful and “legal but harmful” content material, reminiscent of little one sexual abuse, terrorism and suicide materials.
Failure to take action may end in fines of as much as 10% of their turnover by Ofcom, which was confirmed as the net harms regulator in December 2020.
The Bill has already been by way of quite a lot of adjustments. When it was launched in March 2022, for instance, quite a lot of prison offences have been added to make senior managers chargeable for destroying proof, failing to attend or offering false info in interviews with Ofcom, and for obstructing the regulator when it enters firm places of work for audits or inspections.
At the identical time, the federal government introduced it could considerably scale back the two-year grace interval on prison legal responsibility for tech firm executives, which means they might be prosecuted for failure to adjust to info requests from Ofcom inside two months of the Bill turning into regulation.
Ofcom’s roadmap units out how the regulator will begin to set up the brand new regime within the first 100 days after the Bill is handed, however is topic to vary because it evolves additional.
The roadmap famous that, upon Ofcom receiving its powers, the regulator will rapidly transfer to publish a spread of fabric to assist corporations adjust to their new duties, together with draft codes on unlawful content material harms; draft steering on unlawful content material danger assessments, kids’s entry assessments, transparency reporting and enforcement pointers; and session recommendation to the federal government on categorisation thresholds.
Targeted engagement
It may also publish a session on how Ofcom will decide who pays charges for on-line security regulation, in addition to begin its focused engagement with the highest-risk providers.
“We will consult publicly on these documents before finalising them,” it stated. “Services and different stakeholders ought to due to this fact be ready to start out partaking with our session on draft codes and danger evaluation steering in Spring 2023.
“Our current expectation is that the consultation will be open for three months. Services and stakeholders can respond to the consultation in this timeframe should they wish to do so. We will also have our information gathering powers and we may use these if needed to gather evidence for our work on implementing the regime.”
It added the primary unlawful content material codes are more likely to be issued round mid-2024, and that they’ll come into drive 21 days after this: “Companies will be required to comply with the illegal content safety duties from that point and we will have the power to take enforcement action if necessary.”
Types of service
However, Ofcom additional famous that whereas the Bill will apply to roughly 25,000 UK-based corporations, it units completely different necessities on various kinds of providers.
Category 1, for instance, can be reserved for the providers with the best danger functionalities and the best user-to-user attain, and comes with extra transparency necessities, in addition to an obligation to evaluate dangers to adults of authorized however dangerous content material.
Category 2a providers, in the meantime, are these with the best attain, and can have transparency and fraudulent promoting necessities, whereas Category 2b providers are these with doubtlessly dangerous functionalities, and can due to this fact have extra transparency necessities however no different extra duties.
Based on the federal government’s January 2022 impact assessment – during which it estimated that solely round 30 to 40 providers will meet the edge to be assigned a class – Ofcom stated within the roadmap that it anticipates most in-scope providers is not going to fall into these particular classes.
“Every in-scope user-to-user and search service must assess the risks of harm related to illegal content and take proportionate steps to mitigate those risks,” it stated.
“All services likely to be accessed by children will have to assess risks of harm to children and take proportionate steps to mitigate those risks,” stated Ofcom, including that it recognises smaller providers and startups don’t have the assets to handle danger in the best way the most important platforms do.
“In many cases, they will be able to use less burdensome or costly approaches to compliance. The Bill is clear that proportionality is central to the regime; each service’s chosen approach should reflect its characteristics and the risks it faces. The Bill does not necessarily require that services are able to stop all instances of harmful content or assess every item of content for their potential to cause harm – again, the duties on services are limited by what is proportionate and technically feasible.”
On how corporations ought to cope with “legal but harmful content”, which has been a controversial facet of the Bill, the roadmap stated “providers can select whether or not to host content material that’s authorized however dangerous to adults, and Ofcom can’t compel them to take away it.
“Category 1 firms must assess risks associated with certain types of legal content that may be harmful to adults, have clear terms of service explaining how they handle it, and apply those terms consistently. They must also provide ‘user empowerment’ tools to enable users to reduce their likelihood of encountering this content. This does not require services to block or remove any legal content unless they choose to do so under their terms of service.”
On 6 July 2022 – the identical day the roadmap was launched – Priti Patel revealed an modification to the Bill that may give powers to regulators to require tech corporations to develop or roll out new applied sciences to detect dangerous content material on their platforms.
The modification requires know-how corporations to make use of their “best endeavours” to establish and forestall individuals from seeing little one sexual abuse materials posted publicly or despatched privately; putting strain on tech corporations over end-to-end encrypted messaging providers.
Ministers argue that end-to-end encryption makes it tough for know-how corporations to see what’s being posted on messaging providers, though tech corporations have argued that there are different methods to police little one sexual abuse. “Tech firms have a responsibility not to provide safe spaces for horrendous images of child abuse to be shared online,” stated digital minister Nadine Dorries. “Nor should they blind themselves to these awful crimes happening on their sites.”
Critics, nonetheless, say the know-how might be topic to “scope creep” as soon as put in on telephones and computer systems, and might be used to observe different sorts of message content material, doubtlessly opening up backdoor entry to encrypted providers.
“I hope Parliament has a robust and detailed debate as to whether forcing what some have called ‘bugs in your pocket’ – breaking end-to-end encryption (unsurprisingly, others argue it doesn’t) to scan your private communications – is a necessary and proportionate approach,” said technology lawyer Neil Brown.
