This post is the second part of two posts on the draft Online Safety Bill. In my first post, here, I detailed the mechanics of the proposed bill in detail. This post will summarise some of the civil society responses since the publication of the draft bill, attempting an evaluation of how reasonable those responses are in light of the available information.
Does the bill go too far?
A recent report on freedom of expression online from the House of Lords, ‘Free for All? Freedom of Expression in the Digital Age’ (found here), recommends that the draft bill drops the duty to protect adults from contentious “legal but harmful” content. As detailed in the previous post, “category 1” services would have a duty under the draft bill to identify how their systems could cause adults to come into contact with user-generated content that is legal but nonetheless considered harmful. Further to that duty, they would be required to take steps to proportionately mitigate against the risk of exposure to that harmful content. Given the possibility to adverse impacts on freedom of expression, especially from the potential of overzealous policing of this provision by category 1 services to avoid liability, this has become one of the most controversial elements of the current draft bill.
The House of Lords report recommends that s. 11, implementing the adult safety duty, be dropped from the draft bill. As things stand, there are two ways in which content can be caught by the adult safety duty. Under s.46(2), the relevant secretary of state can designate by regulation certain types of content as “priority content”. Second, under s.46(3 – 5), content for which there is a “material risk” of having “significant adverse physical or psychological impact on an adult of ordinary sensibilities” is also considered “content that is harmful to adults”. Category 1 services must take steps to proportionately mitigate against the likelihood of adults using their service to come into contact with these types of content.
The dust has settled since the government released its draft Online Safety Bill. Now is therefore a good time to evaluate its aims, methods, and potential impacts, which we will do so in this two-part post. The first post will have a look at the overall architecture of the bill, discussing what it is trying to do and how it is trying to do it. The second post will survey responses to the bill from academics and civil society campaigners, discussing whether the bill does too much or not enough.
The general strategy of the Online Harms Bill is to place duties on “regulated services”, requiring them to identify and mitigate system level risks of harm to their users. This post will focus on the meaning of “regulated services”, and the various duties that the Online Harms Bill places them under. As things stand, the bill would give significant powers to Ofcom, which would act as a regulator and enforcer of the various duties created under the bill. This first post will conclude with a look at the new powers that would be given to OFCOM under the bill.
The bill would apply to “regulated services”. The definition of regulated services is found in section 3: regulated services are either “user-to-user services” or “search services” which “have links to the United Kingdom” and which are not exempt.
The first important thing to note is the broadness in the drafting of all these definitions. A service has links to the UK if it has a significant number of users in the UK, if UK users are a target market, or if there are “reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK” using the service. Thus, territorially, a very wide number of online services could be caught.
A “user-to-user service” (since publication of the draft bill generally called a ‘U2U’ service in commentary), defined in section 2, is a service which allows users to share user generated content with other users. The definition excludes content generated by the site itself, and content shared by those employed by the service.
This is a widely defined provision. Obviously intended to catch large social media organisations like Facebook, Twitter, Instagram and TikTok, it is nonetheless drafted broadly enough to also include smaller blogs, websites for shopping, online gaming sites and other categories of online platform which hosts user generated content.
However, the exact nature of how those sites will be regulated will be dependent on their classification by OFCOM as category 1 or 2A/2B services. Category 1 is reserved for services with greater functionality and larger user bases, and services classified as such are subject to stricter duties, which will be explained in the duties section; machinery for classification is currently found in Schedule 4 of the bill.
Some exceptions apply, but these are tightly drafted. Functions such as email and SMS/MMS services, limited functionality services (such as services where users can only comment on site generated content), internal services such as intranets, and public bodies in the exercise of a public function are exempt. Exemptions can be found in Schedule 1; per s.3(8), the Secretary of State can amend the exempt services found there.
“Search services” are defined as services providing an internet search engine that are not U2U services. Much of the same duties apply to search and U2U services, so these will be largely dealt with together.
The CJEU ruled on Tuesday that Directive 2002/58/EC (‘the Directive’) precludes national legislation from ordering telecommunication companies to transfer data in a “general and indiscriminate” manner to security agencies, even for purposes of national security. This is following a challenge by Privacy International to UK security agencies over their practices of collecting bulk communications data (BCD).
The ruling could throw up roadblocks to a post-Brexit “adequacy” agreement over the UKs data protection regime. Adequacy is granted to data protection regimes to confirm that they conform to the data protection standards of GDPR, and thus that companies may move data about EU data subjects outside of the EU to those regimes. Recently, the adequacy rating of the US “Privacy Shield” was invalidated by the Schrems II judgment. This ruling could prove to be an analogous issue for the UK’s adequacy rating at the end of the transition period.
The CJEU has ruled, in a first for that regulation, that the use of “Zero Tariff” contracts are inconsistent with its “Open Internet” regulation (Regulation 2015/2120). The regulation “aims to establish common rules to safeguard equal and non-discriminatory treatment of traffic in the provision of internet access services and end users’ rights”. Its intention is to legally establish the principle of ‘Net Neutrality’, whereby internet access providers are prohibited from giving preferential treatment (for example, limiting access or increasing traffic speeds) to specific websites and users.
The issue in this case was whether zero tariff contracts offered by Telenor, an Hungarian internet access provider, contravened net neutrality regulation. Zero tariff contracts provide data allowances to their users, (1 GB, for instance), which the consumer is allowed to use as they please. On running out of data, typically internet access would be stopped. However, in its two zero tariff contracts, called MyChat and MyMusic, certain websites and applications did not run down the data allowance. Furthermore, even once the data allowance had been used up, the same websites and applications could still be accessed, although otherwise no internet access was provided.
The Court of Appeal, overturning a Divisional Court decision, has found the use of a facial recognition surveillance tool used by South Wales Police to be in breach of Article 8 of the European Convention on Human Rights (ECHR). The case was brought by Liberty on behalf of privacy and civil liberties campaigner Ed Bridges. The appeal was upheld on the basis that the interference with Article 8 of the ECHR, which guarantees a right to privacy and family life, was not “in accordance with law” due to an insufficient legal framework. However, the court found that, had it been in accordance with law, the interference caused by the use of facial recognition technology would not have been disproportionate to the goal of preventing crime. The court also found that Data Protection Impact Assessment (DPIA) was deficient, and that the South Wales Police (SWP), who operated the technology, had not fulfilled their Public Sector Equality Duty.
In response to a legal challenge brought by the Joint Council for the Welfare of Immigrants (JCWI), the Home Office has scrapped an algorithm used for sorting visa applications. Represented by Foxglove, a legal non-profit specialising in data privacy law, JCWI launched judicial review proceedings,, arguing that the algorithmic tool was unlawful on the grounds that it was discriminatory under the Equality Act 2010 and irrational under common law.
In a letter to Foxglove from 3rd August on behalf of the Secretary of State for the Home Department (SSHD), the Government Legal Department stated that it would stop using the algorithm, known as the “streaming tool”, “pending a redesign of the process and way in which visa applications are allocated for decision making”. The Department denied that the tool was discriminatory. During the redesign, visa application decisions would be made “by reference to person-centric attributes… and nationality will not be taken into account”.
The Human Rights Committee, reviewing NHSX’s current digital contact tracing app architecture, has recommended that the government’s current privacy assurances are not sufficient to protect data privacy and that legislation must be passed to ensure that. This echoes Professor Lilian Edwards’ call for primary legislation to ensure privacy rights are protected. These recommendations are given special significance NHSX’s choice to adopt the controversial and arguably less secure “centralised” model (an explanation of the different contact tracing models and Prof Edwards’ suggested legislation can be found here).
Latest news: GCHQ has published a detailed blog article which seeks to explain (and defend) the new NHS contact tracing app, which the Government regards as the key to a controlled exit from lockdown.
Coronavirus presents a serious threat to society, legitimising the collection of public health data under Article 9:2 (g) of GDPR regulations, which allows the processing of such data if “necessary for reasons of substantial public interest”. Some of this collection will take the form of contact tracing apps, which have been used in containing the spread of coronavirus in countries such as Singapore.
They work by broadcasting a bluetooth signal from a smartphone which is picked up by other smartphones (and vice versa), meaning that if one user contracts coronavirus, those who have been in contact with that user can be effectively warned and given further advice to stop the spread.
NHSX, the body responsible for setting NHS data usage policy and best practice, has been developing a contact tracing app which is currently undergoing effectiveness trials at RAF Leeming. As it stands, the app either tells you “You’re okay now” or “You need to isolate yourself and stay at home”. It seems likely that this or a similar app will be rolled out over the UK in the coming months.
The Fisheries Bill 2020, part of the government’s core legislative program on post-Brexit environmental policy, is currently in the House of Lords at committee stage, and is expected to receive royal assent in the coming months (although exactly when is subject to how successfully the House of Lords can adapt to meeting via Microsoft Teams). It would establish Britain’s departure from the Common Fisheries Policy (CFP) on January 1st 2021, and sets out how fishing rights would work post transition period and CFP.
Given the passion that fishing rights raise, you might be forgiven for thinking that they were absolutely essential to the functioning of the UK and EU economies. In fact, fishing accounts for around 0.1% of both. A joke going around environmental blogs is that green bills are like buses – none come when you need them, then they all arrive at once. Perhaps for the Environment and Agriculture Bills – discussed by me here and here. But the Fisheries Bill feels more like the Brexit Bus than a local routemaster. It promises the repatriation of sovereign powers and gains in the millions by taking back control of our waters, while hiding potential losses in the billions, if issues with fishing rights derail trade negotiations – a slim but real possibility.
Even the most entrenched remainer, however, would have to recognise the multiple failures of the CFP. It has been plagued by mismanaged quotas and outsized lobbying interests since its inception, and it has clearly favoured certain member states over others. The Fisheries Bill has as such been largely well received by environmental groups, such as Greener UK, who comment that the “focus on climate change and sustainability is very helpful”. I’ll start with what the bill actually says, then discuss the EU negotiation position and conclude with a few comments about what the legislation may mean for the future relations.
Good news from the crisis front, although I’m afraid not the one we’re all thinking of: the government’s Agriculture Bill, which sets out its major post-Brexit agricultural policy, has recently passed committee stage and will soon (coronavirus permitting) be presented to the House of Lords. It shows ambition from the government to develop a post-Brexit agriculture policy with laudable commitments to harnessing the power of farmers to help address the climate crisis, and helps to address issues such as food security. Along with the Environment Bill, discussed here, it constitutes some of the core legislation aimed at achieving the government’s Net Zero by 2050 goal.
The government’s haunting refrain, since their 2018 ‘Health and Harmony’ consultation on post-Brexit agricultural policy, has been “public money for public goods”. The bill puts this into practice by giving the secretary of state power to dismantle the subsidy schemes of the Common Agricultural Policy (CAP) and replace it with the Environmental Land Management Scheme (ELMS). Under this scheme, farmers will be awarded for specific activities with ‘public goods’: good practices that further environmental goals in areas such as biodiversity and soil health that the market does not sufficiently incentivise.
On 26th February, parliament held its second reading of the government’s revised Environment Bill 2020, setting out its agenda for environmental reform and governance post-Brexit. It would provide the secretary of state with powers to create new regulations on air quality, water usage, waste disposal and resource management, biodiversity, and environmental risk from chemical contamination, and would create a new non-departmental public body, the Office for Environmental Protection (OEP), as an environment watchdog. The government describes it as the most “radical” environmental legislation to date, and sees the bill as paramount to ensuring both its 25 Year Environment Plan and its Net Zero Carbon Emissions by 2050 goal.
The bill faced criticism both from parliament and from environmental groups. Greener UK, a coalition of 13 major environmental organisation, has said that as it stands, the bill “[would] not achieve what is has promised”, criticising it for lacking ambition and including no legal requirements for the government to prevent backsliding on EU environmental regulation. MPs, both Conservative and Labour, specifically criticised the lack of ambition in air quality. Others criticised the proposed structure of the OEP as being insufficiently independent of the government to match the ambitions of the bill to create “a world-leading environmental watchdog that can robustly hold the Government to account”.
The Bill in Brief
The bill, as it stands, is divided into eight sections, which can be grouped into three major areas: giving the secretary of state the power to amend regulations in areas of environmental concern, legally enshrining biodiversity targets, and creating an environmental watchdog called the Office of Environmental Protection. All three are intimately tied to Brexit, with the government intending to use the bill to “transform our environmental governance once we leave the EU”.
This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.