POSR0002
Written evidence submitted by Carnegie UK, Reset
Introduction
- This is a joint submission from Carnegie UK and Reset. We welcome the opportunity to submit this evidence into the PAC inquiry and would be happy to speak about it further with Committee officials and/or members. We note that the Permanent Secretary for the Department for Science, Innovation and Technology and the Ofcom Chief Executive are due to attend a hearing of the Committee on 26 October and suggest below a few specific questions that might be put to them during that discussion.
- About Carnegie UK: Carnegie UK has been at the forefront of the debate in the UK on digital regulation. We created the approach that underpins the Online Safety Bill, which is shortly to complete its Parliamentary passage: a statutory duty of care which focuses on systems and processes and is enforced by a regulator. Since 2018 we have been working with parliamentarians, civil society and the government to develop and refine proposals for online harm reduction. William Perrin (Carnegie UK Trustee) and Prof Lorna Woods (University of Essex) have given evidence on the Bill to numerous Parliamentary committees and were awarded OBEs for their work in 2020. Our work can be found here; and a dedicated resource page for our analysis and publications on the Online Safety Bill specifically is here.
- About Reset: Reset (www.reset.tech) seeks to improve the way in which digital information markets are governed, regulated and ultimately how they serve the public. We do this through supporting new public policies across a variety of areas including data privacy, competition, elections, content, security, taxation and education.
The NAO Report
- The NAO report identifies a number of important positives with regard to Ofcom’s preparedness for taking on its new role, which we highlight below, and raises some significant concerns which are largely within the Government’s hands to address. We feel there also may be some gaps in the analysis which will have a bearing on Ofcom’s approach to its new role, which the Committee might wish to explore when it has DSIT and Ofcom officials before it.
- From Carnegie UK’s experience, having tracked the development of the Online Safety Bill from its inception and engaged with Ofcom officials – at many different levels of seniority and in a variety of for a – during that time, we would agree with the NAO’s analysis that the regulator has:
- Used the delays to the legislative timetable to good effect in preparing to hit the ground running once it receives its powers at Royal Assent. Its research output so far (24 projects completed at the time of the NAO report, with a further 90 underway or planned) has been comprehensive and of high quality. The June 2022 roadmap and its updated version this year have been helpful in enabling stakeholders to understand in broad terms the forthcoming prioritisation of its work (those “more than 40 regulatory documents” that the NAO refers to) and the sequence of activities to expect from this autumn onwards.
Despite the uncertainties over the final shape of the legislation – which continued right up until ping-pong, with late Government concessions on, e.g., categorisation of small high-harm platforms, which has a direct effect on some of Ofcom’s early activities (see NAO report, para 1.11), Ofcom’s decisions on what will happen and when are broadly sound.
- Drawn constructively from its experience of regulating video-sharing platforms – and shared this experience in an engaging and accessible way (for example, Anna-Sophie Harling’s interview with the Parentzone podcast) – in the development of its framework for the risk-based approach required in this new regime.
- Recruited, amongst the 350 online safety group headcount at the time of the NAO report, a large number of expert staff from industry, civil society, research organisations and Government (NAO report, para 2.16). We would note, however, that this recruitment spree inevitably has a knock-on effect on the capacity and capability of many of the civil society organisations on which Ofcom will still be reliant during the implementation phase, for example to respond with expert evidence to its many consultations or to collaborate on research. The demands placed on these organisations are likely to be significant so – as per our response on managing expectations, below – a greater granularity from Ofcom in the details on implementation timings, response deadlines and the pipeline of reports due to emerge from its research programme will be beneficial here.
- Shown the value of the Digital Regulation Cooperation Forum in participating in joint pieces of research or horizon-scanning and in publishing MOUs with its key regulatory partners which set out the partnership working that will be taken forward. (NAO report, para 3.5, 3.6) As we set out below, greater measures to ensure regulatory coordination and sharing of information are a missed opportunity in the Bill.
- Of concern, at this stage on the critical path to implementation of the regime, are the NAO’s findings relating to:
- The lack of clarity regarding funding for 2024-25, given that the delays to the legislation mean that Ofcom will no longer begin to recover its online safety costs until 2025-6. We agree with the NAO recommendation that Ofcom needs urgently to establish how it will manage the financial risks presented by this situation.
- The questions raised about DSIT’s preparatory work on an evaluation framework (3.14); we support the NAO recommendation that DSIT needs to work with Ofcom to ensure that they have a coordinated approach to gathering data to support their complementary evaluation plans.
Gaps in the analysis
Managing expectations
- The NAO report finds that “Ofcom has recognised a risk of stakeholders expecting immediate change on Royal Assent and has in place a communications strategy for managing these expectations and addressing misunderstandings about its role”. (NAO report para 1.16) It particularly refers to the fact that the regulator cannot act on individual pieces of content or on individual complaints. In its recommendations, the NAO specifically says this communication plan should also cover “Ofcom’s role during implementation to give confidence in the credibility of the new regime with the public, industry and others”. It also notes that it needs to “develop its plans to inform industry about its requirements, particularly ensuring data requests are coordinated and proportionate”.
- There is another aspect of expectation management which is missing here: the management of stakeholders in civil society who have campaigned – often over many years - for the Bill as a whole or for specific provisions within it. To each of those groups, their particular issue will – justifiably – be viewed as the overwhelming priority for Ofcom’s implementation phase. Notably the NAO did not include any representatives from civil society in its interviewee list for its report and the report is silent on whether the regulator has done sufficient mapping of that landscape to inform its stakeholder engagement plans or included these constituent groups in its communications plans. Failure to do so is likely to result in potentially quite public and noisy pressure on the regulator and also have a bearing on wider public confidence in the regulator’s credibility and competence.
What are Ofcom’s practical plans to manage this?
- A similar expectation management strategy is required for Parliamentarians, many of whom – particularly in the Lords – have also had to push the Government hard for concessions on the Bill or reassurances as to the implementation. It is also worth Ofcom bearing in mind that many of the debates on the Bill in both Houses have returned frequently to the issue of “take down” of content, particularly in the context of the most harmful occurrences. While Ofcom itself is clear in its messaging about the systemic nature of the regulatory framework, reiterating this will need to be a permanent part of its communications strategy, both for users of online services and for those who represent them in Parliament. In the closing debates on the Bill in both the Commons and the Lords, thoughts were already turning to implementation: given the unprecedented consensus on the shape of the legislation across all sides of the House, and the exhortations from the Opposition for the Government to get on with it – particularly given the protracted history of the Bill – this is also a constituency that Ofcom should be actively managing in order to build trust, engagement and transparency in the months and years ahead. What are Ofcom’s practical plans to manage this? How will DSIT support them in this role? Do the governance arrangements set out in part two cover this aspect of joint engagement and, where necessary, risk mitigation?
Ofcom’s ability to withstand Big Tech lobbying
- The NAO report mentions Ofcom’s plans for industry engagement, with a “dedicated supervision unit” set up with responsibility for “building and maintaining relationships with what Ofcom expects to be the 20 largest and riskiest service providers and promoting the compliance of small providers” (para 2.12). Later, the report says that “several industry representatives expressed concern about the potential burden of compliance and the demands this would place on their resources … Larger companies noted that, despite their size, their regulatory compliance resources were limited and greatly outnumbered by Ofcom’s resources. They also described receiving requests from Ofcom for information that would require significant effort to answer”. (para 3.10)
- It is not clear whether these “larger companies” are the same as the “20 largest and riskiest service providers” that will have the most attention from Ofcom, or are just larger than the “one-person business” that the NAO also reports feedback from in the paragraph quoted above. If the latter – and they are in effect SMEs – then those concerns are valid and have been well rehearsed during the Bill’s development, particularly through trade bodies such as COADEC (now the Start-Up Coalition). The regime’s proportionate, risk-based approach should provide the reassurances required here while its focus on safety-by-design should, in the long-term, ensure that any company designing or developing a service that is to be regulated by Ofcom would bake-in to their set-up measures which would meet the baseline requirements set out in the regime and thus reduce the compliance overheads.
- If, however, the "larger companies" quoted in para 3.10 above are among those who will fall into the “20 largest and most riskiest” for supervision by Ofcom, then this feedback is very telling and reflects one of the biggest risks to Ofcom’s ability to deliver effectively the online safety regime: industry lobbying. These are some of the biggest, richest companies in the world with vast resources that could be easily redirected to ensuring more than adequate regulatory compliance on the scale and quality that Ofcom requires. The fact that the NAO reports such concerns without comment or criticism reflects the challenge ahead for the regulator: the scale of the lobbying during the passage of the legislation will not let up once it has passed into law but will now be primarily targeted, but covertly, at Ofcom and the officials who engage with the companies concerned. Every piece of the regulatory jigsaw – codes, guidance, consultations, categorisation and risk assessment advice – will be contested with a view to diluting its effect and reducing the “compliance burdens” associated with it. What measures has Ofcom put in place to build resilience in its officials during this implementation phase and ensure that the design of the legislation, which has democratic legitimacy, is not watered down along the way? What has Ofcom learnt about tech company tactics in this regard from the first two years of overseeing the VSP regulatory regime and how will this prepare them in the new role?
- A further area of pressure from regulated services will be via litigation. While a certain amount of legal challenge is an expected part of the way in which the limits and boundaries of the regime will be tested, particularly once Ofcom starts its enforcement action, it could also be an easy, parallel lobbying route for well-funded tech companies should they wish to test Ofcom’s resilience (and resources) via Judicial Reviews and slow down implementation and enforcement. Has Ofcom considered previous examples of such tactics by industry in other regulatory regimes and, if so, how will this inform their approach?
Departmental reorganisations
- The NAO report references the fact that a major Machinery of Government change took place earlier this year, with digital policy moving from DCMS to the newly formed DSIT. It is silent on whether these changes materially affected the civil service relationship with the regulator during this period or on how the joint sponsorship of Ofcom (now split between DCMS on broadcasting and broadband and DSIT on online safety) will be effective and/or is reflected in the emerging governance arrangements.
- A further consideration here is the impact of a General Election – expected within the next 15 months – and how both the political instability during that period and the impact of purdah when it is eventually called, will impact on Ofcom’s decisions and publication schedule and/or its ability to rely on Ministerial engagement when required. A further consideration is the potential for further Departmental reorganisations under a new Government to impact on its forward programme of work. How far has Ofcom factored in contingency for this into their planned programme of work? Where do they feel the biggest risks from the wider political context lie in the next 18 months?
The impact of Government policy and legislative decisions that will directly impact Ofcom’s work.
- We note that the scope of the Committee’s inquiry prevents the scrutiny of “the Bill’s contents itself, nor any policy decisions relating to it”. We feel, however, that there are three specific areas where the Government made policy decisions during the course of the Bill’s passage that have a direct consequence on the subject under consideration here and which the Committee might wish to probe further when its witnesses appear before it:
- Research: the NAO report sets out the scale of the research programme that Ofcom has undertaken, with 24 reports already published and 90 more to come. Ofcom does not have the capacity to deliver this alone. At the recent UK Internet Governance Forum, its Director of Market Intelligence Ian Macrae gave a presentation on “Building the Evidence Base for Online Safety” and acknowledged that – given the scale of the challenge – they are going to have to do much more in partnership with other research organisations, possibly publishing annual calls for input and engagement from third parties and investing more in monitoring those collaborations rather than on undertaking all the research themselves. However, in answer to a question on research partnerships and collaborations, Macrae also referenced the provisions in the Online Safety Bill on researcher access to data [clause 163, Lords Report version] and said “if I'm being honest haven’t gone as far as I’d have liked .. we haven’t got the level of requirements on platforms for researcher access and what that means is platforms making their data available to researchers.” (comments at 30:09). Do DSIT and Ofcom officials agree with this analysis? What representations were made to Ministers during the course of the Bill’s passage to make the case for supporting Lord Bethell’s amendment to enable greater civil society researcher access to company data as one of the routes that would assist Ofcom to do its job?
- Media literacy: the NAO report references the fact (at para 3.3) that Ofcom used research, carried out under its existing Communications Act 2003 media literacy powers, to good effect during the passage of the Bill to build up the evidence base for the online safety regime. Yet the Government chopped and changed the media literacy provisions within the Bill – taking them out at Commons Committee stage, before putting them back in again at Lords Report stage. How much did this affect Ofcom’s preparedness and its planning for what it might be able to undertake in its roadmap?
- Regulatory coordination: The NAO report mentions Ofcom’s effective collaboration via the Digital Regulation Cooperation Forum with industry said to have “appreciated these efforts and held the outputs in positive regard”. (para 3.6). The report also mentions Ofcom’s participation in the Global Online Safety Regulators Network, which “enables online safety regulators to share information, experience and best practice”. (para 3.7) However, there is an anomaly in the Online Safety regime which states that “Ofcom may co-operate with an overseas regulator, including by disclosing online safety information to that regulator" for a number of purposes (clause 115) but there is no parallel provision that applies to its cooperation with domestic regulators. At Carnegie UK, we have long argued that this should be rectified, a position Lord Clement-Jones supported through his tabled amendment at Lords Report. Does Ofcom believe that it has the powers it needs to ensure effective information-sharing between itself and domestic regulators to deliver its duties under the online safety regime? If not, what further measures need to be put in place to facilitate this?
October 2023