Written evidence submitted by Virgin Media O2 (OSB0127)
The Online Safety Bill
The role of Ofcom and Government
Summary of Recommendations:
Virgin Media O2 welcomes Government’s ambition to make the UK the safest place to be online and for the UK to be amongst the first countries to have a coherent, single regulatory framework to address online safety. We believe that some of the measures in the Draft Bill will go a long way to delivering on those ambitions. There are, however, limitations to the proposals put forward that need to be understood.
We are encouraged to see DCMS has acknowledged the technical challenges associated with blocking access to content due to the increased presence of DNS over HTTPS (DoH) and other encryption standards such as MASQUE, ECH and TLS 1.3. Under DoH, individual browsers and apps can set up their own servers, meaning web requests will go through these rather than ISPs’ servers. This results in ISPs being unable to see the traffic from those browsers and apps, which in turn prevents them from applying blocking and filtering. In the context of the online safety regime, DoH and other such encryption measures can prevent ISPs from effectively complying with access restriction orders.
There is currently no technical solution to this issue. Therefore, we support the Draft Bill’s expanded definition of access facility provider to include other parts of the internet ecosystem, such as application stores. For access restriction orders to be effective as a business disruption measure, Ofcom will need to engage across the internet eco-system more broadly and continue working with ISPs to understand the technical limitations.
Moreover, technical interventions, such as blocking, will not be the ‘silver bullet’ to eradicating online harms. Even if blocking is technically possible, it is a blunt tool and can result in legitimate content also being blocked and there will always be a limit to the extent that technical interventions can preclude users from experiencing harm online. Thus, they need to be complemented by broader efforts to improve media literacy and foster digital resilience amongst users. We are encouraged to see the inclusion of media literacy duties in the Draft Bill and expand on this later in our response.
The Duty of Care model is the most appropriate regulatory mechanism for the online safety regime; it strikes the right balance between placing obligations on providers of user-to-user services and search services without creating overly prescriptive legislation that would inevitably struggle to adapt with rapid technological change.
We do not believe that primary legislation seeking to outline specific content or types of services would be successful in creating safer digital spaces for the long-term. What constitutes harmful content can be subject to change and highly subjective; primary legislation is not the right place to attempt a definition. Similarly, the types of services and how users interact with those services can evolve at a rapid pace, with new apps or platforms emerging and gaining popularity quickly. Thus, using duties of care and focusing on systems and processes allows the legislation to be adaptable and, to some extent, future-proof.
However, the structural complexity of the Draft Bill makes it unclear how the different duties of care will interact. Regulated services will be given different duties of care depending on their categorisation (in descending order of risk: Category 1, 2A, and 2B), which in turn depends on threshold conditions set by the Secretary of State (using criteria such as the number of users and functionalities). We support the flexibility within the duty of care model, which can ensure regulated providers are subject to duties that are proportionate to their scale, but we believe there is opportunity for the duties to overlap and create tensions. Government should make it clearer as to how the duties interact in order to avoid potential confusion that would limit the efficacy of the regulations.
Services in Scope
Virgin Media O2 believes that the scope of the legislation is largely correct and it is proportionate that providers of user-to-user services or search services are the primary subjects of the regulatory duties. Likewise, we view the role for access facility providers in online safety regime as commensurate with their role in the wider internet eco-system. Yet, we would like to see further clarity in Draft Bill regarding the role of access facility providers during the process of Ofcom applying to the courts for an access restriction order.
Clause 93 details how Ofcom will be able to issue access restriction orders as part of its enforcement regime, which would require access facility providers to block users in the UK from accessing non-compliant service providers who fall under the Duty of Care responsibilities. We are pleased that this clause details that these orders can only be used as a measure of last resort, after a number of other business disruption remedies have been tried, and that Ofcom must apply to the courts before issuing an order.
However, as drafted, the clause does not specify what role, if any, access facility providers would play in the court order process. Section 93(3)(g) suggests that applications can be made ex parte, which is concerning given the wide-ranging requirements that could potentially be imposed on access providers under s93(3)(f) – but which are not clearly specified. We believe that there is an important role for access facility providers in providing information on what is technically achievable so that any access restriction order issued is practical, deliverable and does not lead to unintended consequences, such as innocent third parties’ legitimate content being restricted. Under the current wording, there is a risk that an access restriction order could be imposed on a provider which:
a) cannot be delivered, and that access facility provider would therefore be unable to carry out its legal duties; or
b) would lead to blocking the lawful, legitimate content of innocent third parties.
We request that Clause 93 is amended so that it specifically outlines a role for access facility providers in every application process and allows providers to challenge any order that they would be unable to deliver for technical or practical reasons.
The role of Ofcom
Virgin Media O2 welcomes the appointment of Ofcom as the regulator for the online safety regime. We believe Ofcom is uniquely positioned to take on this role thanks to its experience in content regulation through regulating the broadcast industry and its expertise in how the internet is architected through regulating the telecoms industry. The expertise and experience will be invaluable in what is largely uncharted territory. However, despite its suitability for the role, we have concerns about the expansion of Ofcom’s information gathering powers.
In Virgin Media’s 2019 response, we noted that one of Ofcom’s current statutory duties is to draw up the broadcasting code, covering standards in programmes, sponsorship, fairness and privacy. This has led to Ofcom developing a detailed understanding of UK audiences’ approach to acceptable content standards, balancing the needs and expectations of audiences, commercial operators and preserving freedom of speech. In particular, it has a long history of adjudicating on content standards complaints, creating consistency in decision making and helping industry have confidence in the decision-making process. We believe such experience will be useful for navigating the novel online safety regulatory regime.
However, the Draft Bill confers extensive and wide-ranging powers to Ofcom to issue information notices to organisations involved in any part of the online safety regulatory process – including a provider of an access facility (Clause 70). Access facility providers do not fall under the Duty of Care model and their role within the ecosystem set out in the Draft Bill is confined to business disruption measures, which are to be used as a last resort. We question why access facility providers have been included in these measures and would welcome guarantees that this power will not be used disproportionately by Ofcom.
This could be achieved by adding a proportionality requirement to the legislation, allowing providers to seek clarity from Ofcom on why an information notice has been issued and to agree reasonable timings for delivering on a notice. We believe the information provisions set out in the Communications Act 2003 (s135, 136, and 137) set a useful precedent and give this degree of proportionately. We believe Clause 70 should mirror these provisions. This will also ensure that there is consistency in the way that Ofcom approaches information gathering across its different regulatory functions.
Virgin Media O2 believes that independence and accountability of regulators are key tenets of a well-functioning regulatory regime. There needs to be a balance between ensuring that the regulator is free from undue political influence with the need for democratic accountability. We submit that the Draft Bill overextends powers to Government to involve itself in how the regulator carries out its work. We also believe companies subject to regulation should play an important role in ensuring the accountability of the regulator.
Politics is integral to and permeates the work of regulatory agencies. Frequently, the reason that regulation emerges stems from the political need to balance public welfare and the interest of economic activity; the Online Safety regime exemplifies this clearly. Yet, despite this relationship, we believe regulators need to be insulated from highly mutable, short-term political agendas. Government’s predilection to adapt rules in response to the immediate political context or short-term political considerations can create an unstable regulatory environment that becomes detrimental to the regulated industry’s ability to invest and operate.
The role of Government in shaping a regulatory regime should be to provide long-term strategic objectives that define what the regulator should achieve. The Draft Bill provides a mechanism to do this; under Clause 109, the Secretary of State has the power to set a Statement of Strategic Priorities (SSP). The SSP presents an opportunity to guide Ofcom by setting out a limited number of clear and measurable priorities against which Parliament and other bodies can measure its progress. We view this as the correct vehicle for Government policy to shape the Online Safety regulator’s objectives.
However, Government should not dictate to the regulator how these objectives are achieved. Ofcom’s formal independence from Government is enshrined under Article 8 of the European Framework Directive, which has now been transposed into UK law. This legislation requires that:
“national regulatory authorities shall act independently and objectively, including in the development of internal procedures and the organisation of staff, shall operate in a transparent and accountable manner in accordance with Union law, and shall not seek or take instructions from any other body in relation to the exercise of the tasks assigned to them under national law implementing Union law.”
Yet, within the Draft Bill there are multiple examples of powers conferred to the Secretary of State that we fear undermine the independence of the regulator. In one such instance, the Draft Bill requires Ofcom to produce codes of practices that set out recommended steps for providers of regulated services to fulfil compliance with their relevant duties, which must be submitted to the Secretary State, who must then lay them before parliament (s32(1) and (2)). However, under section 33(1)(a) the Secretary of State can direct Ofcom to revise the code of practice, before laying it in front of parliament, to ensure it “reflects government policy”. Whilst subsection 2 seeks to put in place checks against these powers, we believe it is inappropriate that the codes of practice can be modified to reflect government policy. The codes of practice are a mechanism for Ofcom to advise companies on how to comply with their duties, and we view the Secretary of State having the power to amend them as straying into the territory of dictating to Ofcom how to perform its role as regulator. Therefore, we believe that the committee should seek further clarity from Government on and consider the removal of Clause 33(1)(a) from the Bill.
Additionally, under Clause 113(1)(a) the Secretary of State can give guidance to Ofcom regarding the “exercise of their functions under this Act”. Again, we view this as an overstep of the Secretary of State’s power, as we do not believe Government should be involved in telling Ofcom how to exercise its powers under the Act. We ask that the committee should seek further clarity regarding what this guidance will encompass.
An important countervailing force to the powers afforded to Government is Parliament’s ability to scrutinise decisions. We acknowledge that the Bill requires the Secretary of State to lay certain decisions or documents before Parliament (such as the SSP or Ofcom’s codes of practice), but there are instances whereby Parliament’s scrutiny powers are not sufficient. For example, clause 39(2)(e) of the Draft Bill excludes from scope “one-to-one live aural communications”, which is clarified as meaning aural communications happening in real time which are not accompanied by written messages, videos, or visual images; for example, live voice calls over an internet service.
However, should the Secretary of State think it appropriate to repeal this exclusion, due to the risk of harm presented to individuals, they would have the power to do so via regulations subject to affirmative procedure (under s39(13)). Bringing into scope private one-to-one aural communications of the Online Safety regime would be a significant step with huge ramifications for the privacy rights of citizens, as well as technical challenges for those providers of regulated services and the access facility providers who may be called upon to enforce an action restriction order. Arguably, such a decision requires more parliamentary scrutiny and debate than affirmative procedure for secondary legislation allows.
Another key form of regulatory accountability is derived from the ability to challenge the regulator, such as through lodging appeals. Ofcom’s decisions have historically been subject to an appeal “on the merits” of a case. Virgin Media O2 has viewed this as a vital check on Ofcom’s decisions and power; having this recourse has shored up confidence for investment decisions in the telecoms industry. However, the Digital Economy Act 2017 changed the standard of appeal: “The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review”. The Draft Bill is consistent with the Digital Economy Act in this respect, stating that the Upper Tribunal must decide the appeal by applying the same principles as would be applied by the High Court on an application of judicial review (s104(5)(a) and s105(4)(a)).
Judicial review hinges on the lawfulness of a decision rather than whether the substance of a decision or action taken by the regulator is reasonable. We do not believe this standard of appeal provides the same level of check against a regulator’s power, and in turn does not promote the optimal level of accountability. Whilst Virgin Media O2 would not be classified as a regulated provider and therefore not be able to make an appeal, we view it as a matter of principle that the country’s regulatory regimes strike the right balance between protecting consumers and competitive markets with making the UK an attractive place for businesses.
We support the extension of Ofcom’s existing media literary duties to encompass online safety under Clause 103 in the Draft Bill. It is vital that individual users are empowered to navigate digital spaces, including the potential risks and harms that they will invariably encounter in those spaces. Technical interventions can and will protect users from harms, but there are limitations to what they can achieve alone, especially in light of how pervasive connectivity is in people’s everyday lives. Therefore, building digital resilience must be an integral part of the online safety regime.
We support the requirement on Ofcom to carry out, commission and encourage educational initiatives to improve the media literacy. However, we believe it is important that Ofcom does not duplicate efforts and should work with existing and well-established organisations operating in this area, such as Internet Matters – a trusted and expert organisation supported by a broad coalition across the tech ecosystem. Since its inception seven years ago, Internet Matters has become one of the most recognizable organisations operating in this area (second only to the NSPCC) and 80% of parents say Internet Matters is one of the first places they would go for online safety advice.
In addition to complementing these organisations through its own initiatives, Ofcom can support them through insights into effective initiatives. In Virgin Media’s response to the Online Harms White Paper in 2019, we called for the appointed regulator to track behavioral change resulting from safety and resilience initiatives. There were no existing organisations tracking behaviour change of online users to monitor what educational programmes were most effective; in our view having this data and research would allow industry to more efficaciously direct resources into initiatives that had meaningful and long-term impact on improving media literary. Therefore, whilst we are encouraged to see the duty on Ofcom to produce guidance about the evaluation of media literacy initiatives and actions, we think this could be expanded to include a responsibility for the online safety regulator to proactively track the performance of these initiatives.
22 September 2021
 Ofcom, Children and parents: media use and attitudes report 2019, pg.32. [4 February 2020] https://www.ofcom.org.uk/__data/assets/pdf_file/0023/190616/children-media-use-attitudes-2019-report.pdf
 UK Code of Practice for the self-regulation of content on mobile phones, V3 (2013)
 Jodi L. Short, ‘The politics of regulatory enforcement and compliance: Theorizing and operationalizing political influences’, Regulation & Governance, 15 (2021)
 Electronic Communications and Wireless Telegraphy (Amendment) (European Electronic Communications Code and EU Exit) Regulations 2020
 Subsection (2)(a) stipulates that the direction given by the Secretary of State cannot require Ofcom to include a particular step to be recommended to be taken by a provider of regulated services and subsection (2)(b) requires the Secretary of State to provide a reason for the modification.
 Digital Economy Act 2017, s87 (4) (2).
 Internet Matters, Together for a better internet: Impact report 2019/20, pg.6. https://www.internetmatters.org/wp-content/uploads/2021/03/Internet-Matters-Impact-Report-2019-2020.pdf