Written evidence submitted by Virgin Media O2 (OSB0127)

Executive Summary

Internet Service Providers and Online Safety

• Virgin Media O2 welcomes the opportunity to respond to the Draft Online Safety Bill Pre-Legislative Scrutiny Committee. We have been highly engaged in the policy development of online regulation since the publication of the Internet Safety Green Paper in 2017, and we are encouraged to see the proposals enter their legislative stage.
• For a long time, Internet Service Providers (ISPs) have been at the forefront of making the internet safer for UK users, particularly for children. Virgin Media provides parents with the tools to limit children’s access to sites with inappropriate content via our family-friendly broadband filters. Our filters are default on for all new customers, and Ofcom’s research shows that nine out of ten parents find network-level content filters useful.[1] Alongside other ISPs, we also work with Internet Watch Foundation to block access to child abuse imagery.
• The mobile industry has a longstanding process (approx. 15 years) in place to block access to commercial content that is deemed unsuitable for under-18s. This approach is in accordance with the industry code of practice[2].  The mobile operators set their filters using a framework prepared by the British Board of Film Classification (BBFC).  The BBFC Mobile Classification Framework is updated regularly to reflect evolving public attitudes and societal concerns.[3]
• Virgin Media was one of the founding members of Internet Matters in 2014 (alongside BT, Sky, and TalkTalk). Internet Matters providers parents and guardians with research, resources and expert advice to help children benefit from connected technology smartly and safely. O2 has a long-established partnership with the NSPCC, working with them to create guides such as Net Aware[4], that informs parents about the latest social networks, apps and games used by young people.
• However, the architecture of the internet has changed over recent years and the internet eco-system has become more complex. Increasingly, ISPs are not the sole gatekeeper of the internet and their capacity for intervention is more limited.
• It is necessary and appropriate that Government focuses its efforts on the parts of the internet where harm is most prevalent and most able to be stopped.

The Online Safety Bill

• Government’s goal is to make the UK the safest place to be online; the Online Safety Bill presents an opportunity to deliver on this ambition. The Draft Bill sets out a framework to create the conditions for a safer internet that will lessen the likelihood of users experiencing harm online and rebuild citizens’ trust in the internet.
• Establishing such a comprehensive and novel regulatory system for online safety is not a simple task, and it is important that the proposals are properly scrutinised prior to being implemented so the regulatory regime can be as effective as possible.
• Virgin Media O2 is supportive of the Duty of Care model set out in the Draft Bill: embedding flexibility into the primary legislation and prioritising the focus on systems and processes over content will protect against it becoming quickly outdated in the face of technological change.
• The role that has been carved out for access facility providers – impeding access to non-compliant regulated services following a court order – is appropriate only as a measure of last resort. It is vital that blocking access to services and their content is not undertaken lightly; it is an extreme step that should be reserved for the most serious of cases. Consistent and frequent use of access restriction orders will rightly be met with concerns about the erosion of digital freedoms.
• Furthermore, there are also technical limitations that preclude technical access restrictions from being the ultimate failsafe of the Online Safety regime. The increased adoption of encryption techniques prevents ISPs from seeing and managing traffic passing over their networks, which diminishes their ability to block or filter. There’s no simple technical solution to this, so Government and Ofcom must continue to work with a variety of players in the internet eco-system to ensure access restriction orders are applied holistically.
• Equally, it is vital that access facility providers are able to engage in the court process should Ofcom apply for an access restriction order; there needs to be an opportunity for them to challenge an order that they would be unable to deliver for technical or practical reasons.
• Similarly, the limitations of technical interventions strengthen the case for the inclusion of enhanced media literacy provisions. Whilst technical interventions should ensure the worst and most prevalent harms are removed, it is almost inevitable that users will eventually interact with content they find harmful. Thus, it is vital that users are equipped with the right tools to understand, interpret and deal with content and interactions online.
• There are many organisations working to improve media literacy, so whilst we support the duties placed on Ofcom to strengthen their own media literacy provision, it will be most productive to build upon the good work already happening. Ofcom can complement this by providing evaluations and performance tracking of third-party media literacy initiatives.

The role of Ofcom and Government

• We welcome Ofcom’s appointment as the regulator for the online safety regime. Ofcom is uniquely positioned to undertake this role and should be able to draw on its expertise from regulating the broadcast and telecoms industries.
• Ofcom’s powers need to be proportionate and targeted. An example of where this is not the case are its information gathering powers, which presently apply to any organisation involved in the online safety regime. This should be tempered by the inclusion of a proportionality requirement that allows providers to ask for clarification from Ofcom on why information notice has been issued and to agree reasonable timings for delivering on a notice.
• It is vital that Ofcom is independent from Government in executing its role as online safety regulator and that there are appropriate checks and balances in place to ensure the regulator can be appropriately challenged and held accountable. Both of these are integral to the proper functioning of a regulatory regime. However, we believe that more can be done to ensure these important features are embedded into the novel online safety regime.

Summary of Recommendations:

• Clause 93 should be amended so that it specifically outlines a role for access facility providers in every application process and allows providers to challenge any order that they would be unable to deliver for technical or practical reasons.
• Clause 70 should be amended to include a proportionality requirement, allowing providers to seek clarity from Ofcom on why an information notice has been issued and to agree reasonable timings for delivering on a notice. We believe the information provisions set out in the Communications Act 2003 (s135, 136, and 137) set a useful precedent and give this degree of proportionately.
• Clause 33 (1) (a) should be removed from the Bill. We submit that the proper vehicle for Government policy to influence and shape the Online Safety regime is via a Statement of Strategic Priorities, which allows Government to set objectives for Ofcom without involving itself in how the regulator carries out its work
• The committee should seek further clarity on the nature of the guidance that the Secretary of State can issue to Ofcom under section 113(1)(a) and question whether it undermines the independence of the regulator.
• The committee should consider the benefits of allowing regulated providers to lodge merit-based appeals rather than judicial review.
• Clause 103 should be amended to include a responsibility for the online safety regulator to proactively track the performance of online media literacy initiatives. 

Objectives

• Will the proposed legislation effectively deliver the policy aim of making the UK the safest place to be online?

Virgin Media O2 welcomes Government’s ambition to make the UK the safest place to be online and for the UK to be amongst the first countries to have a coherent, single regulatory framework to address online safety. We believe that some of the measures in the Draft Bill will go a long way to delivering on those ambitions. There are, however, limitations to the proposals put forward that need to be understood.

We are encouraged to see DCMS has acknowledged the technical challenges associated with blocking access to content due to the increased presence of DNS over HTTPS (DoH) and other encryption standards such as MASQUE, ECH and TLS 1.3. Under DoH, individual browsers and apps can set up their own servers, meaning web requests will go through these rather than ISPs’ servers. This results in ISPs being unable to see the traffic from those browsers and apps, which in turn prevents them from applying blocking and filtering. In the context of the online safety regime, DoH and other such encryption measures can prevent ISPs from effectively complying with access restriction orders.

There is currently no technical solution to this issue. Therefore, we support the Draft Bill’s expanded definition of access facility provider to include other parts of the internet ecosystem, such as application stores. For access restriction orders to be effective as a business disruption measure, Ofcom will need to engage across the internet eco-system more broadly and continue working with ISPs to understand the technical limitations.

Moreover, technical interventions, such as blocking, will not be the ‘silver bullet’ to eradicating online harms. Even if blocking is technically possible, it is a blunt tool and can result in legitimate content also being blocked and there will always be a limit to the extent that technical interventions can preclude users from experiencing harm online. Thus, they need to be complemented by broader efforts to improve media literacy and foster digital resilience amongst users. We are encouraged to see the inclusion of media literacy duties in the Draft Bill and expand on this later in our response. 

• Is the “duty of care” approach in the draft Bill effective?
• Does the Bill deliver the intention to focus on systems and processes rather than content, and is this an effective approach for moderating content? What role do you see for e.g. safety by design, algorithmic recommendations, minimum standards, default settings?

The Duty of Care model is the most appropriate regulatory mechanism for the online safety regime; it strikes the right balance between placing obligations on providers of user-to-user services and search services without creating overly prescriptive legislation that would inevitably struggle to adapt with rapid technological change.

We do not believe that primary legislation seeking to outline specific content or types of services would be successful in creating safer digital spaces for the long-term. What constitutes harmful content can be subject to change and highly subjective; primary legislation is not the right place to attempt a definition.  Similarly, the types of services and how users interact with those services can evolve at a rapid pace, with new apps or platforms emerging and gaining popularity quickly. Thus, using duties of care and focusing on systems and processes allows the legislation to be adaptable and, to some extent, future-proof.

However, the structural complexity of the Draft Bill makes it unclear how the different duties of care will interact. Regulated services will be given different duties of care depending on their categorisation (in descending order of risk: Category 1, 2A, and 2B), which in turn depends on threshold conditions set by the Secretary of State (using criteria such as the number of users and functionalities). We support the flexibility within the duty of care model, which can ensure regulated providers are subject to duties that are proportionate to their scale, but we believe there is opportunity for the duties to overlap and create tensions. Government should make it clearer as to how the duties interact in order to avoid potential confusion that would limit the efficacy of the regulations.

Services in Scope

• The draft Bill applies to providers of user-to-user services and search services. Will this achieve the Government's policy aims? Should other types of services be included in the scope of the Bill?

Virgin Media O2 believes that the scope of the legislation is largely correct and it is proportionate that providers of user-to-user services or search services are the primary subjects of the regulatory duties. Likewise, we view the role for access facility providers in online safety regime as commensurate with their role in the wider internet eco-system. Yet, we would like to see further clarity in Draft Bill regarding the role of access facility providers during the process of Ofcom applying to the courts for an access restriction order.

Clause 93 details how Ofcom will be able to issue access restriction orders as part of its enforcement regime, which would require access facility providers to block users in the UK from accessing non-compliant service providers who fall under the Duty of Care responsibilities. We are pleased that this clause details that these orders can only be used as a measure of last resort, after a number of other business disruption remedies have been tried, and that Ofcom must apply to the courts before issuing an order.

However, as drafted, the clause does not specify what role, if any, access facility providers would play in the court order process. Section 93(3)(g) suggests that applications can be made ex parte, which is concerning given the wide-ranging requirements that could potentially be imposed on access providers under s93(3)(f) – but which are not clearly specified. We believe that there is an important role for access facility providers in providing information on what is technically achievable so that any access restriction order issued is practical, deliverable and does not lead to unintended consequences, such as innocent third parties’ legitimate content being restricted. Under the current wording, there is a risk that an access restriction order could be imposed on a provider which:

a)      cannot be delivered, and that access facility provider would therefore be unable to carry out its legal duties; or

b)      would lead to blocking the lawful, legitimate content of innocent third parties.

We request that Clause 93 is amended so that it specifically outlines a role for access facility providers in every application process and allows providers to challenge any order that they would be unable to deliver for technical or practical reasons.

The role of Ofcom

• Is Ofcom suitable for and capable of undertaking the role proposed for it in the draft Bill?
• Are Ofcom’s powers under the Bill proportionate, whilst remaining sufficient to allow it to carry out its regulatory role? Does Ofcom have sufficient resources to support these powers?

Virgin Media O2 welcomes the appointment of Ofcom as the regulator for the online safety regime. We believe Ofcom is uniquely positioned to take on this role thanks to its experience in content regulation through regulating the broadcast industry and its expertise in how the internet is architected through regulating the telecoms industry. The expertise and experience will be invaluable in what is largely uncharted territory. However, despite its suitability for the role, we have concerns about the expansion of Ofcom’s information gathering powers.

In Virgin Media’s 2019 response, we noted that one of Ofcom’s current statutory duties is to draw up the broadcasting code, covering standards in programmes, sponsorship, fairness and privacy. This has led to Ofcom developing a detailed understanding of UK audiences’ approach to acceptable content standards, balancing the needs and expectations of audiences, commercial operators and preserving freedom of speech. In particular, it has a long history of adjudicating on content standards complaints, creating consistency in decision making and helping industry have confidence in the decision-making process. We believe such experience will be useful for navigating the novel online safety regulatory regime.

However, the Draft Bill confers extensive and wide-ranging powers to Ofcom to issue information notices to organisations involved in any part of the online safety regulatory process – including a provider of an access facility (Clause 70). Access facility providers do not fall under the Duty of Care model and their role within the ecosystem set out in the Draft Bill is confined to business disruption measures, which are to be used as a last resort. We question why access facility providers have been included in these measures and would welcome guarantees that this power will not be used disproportionately by Ofcom.

This could be achieved by adding a proportionality requirement to the legislation, allowing providers to seek clarity from Ofcom on why an information notice has been issued and to agree reasonable timings for delivering on a notice. We believe the information provisions set out in the Communications Act 2003 (s135, 136, and 137) set a useful precedent and give this degree of proportionately. We believe Clause 70 should mirror these provisions. This will also ensure that there is consistency in the way that Ofcom approaches information gathering across its different regulatory functions.

• Are there systems in place to promote, transparency, accountability, and independence of the independent regulator?
• How much influence will a) Parliament and b) The Secretary of State have on Ofcom, and is this appropriate?
• Does the draft Bill make appropriate provisions for the relationship between Ofcom and Parliament? Is the status given to the Codes of Practice and minimum standards required under the draft Bill and are the provisions for scrutiny of these appropriate?

Virgin Media O2 believes that independence and accountability of regulators are key tenets of a well-functioning regulatory regime. There needs to be a balance between ensuring that the regulator is free from undue political influence with the need for democratic accountability. We submit that the Draft Bill overextends powers to Government to involve itself in how the regulator carries out its work. We also believe companies subject to regulation should play an important role in ensuring the accountability of the regulator.

Politics is integral to and permeates the work of regulatory agencies. Frequently, the reason that regulation emerges stems from the political need to balance public welfare and the interest of economic activity[5]; the Online Safety regime exemplifies this clearly. Yet, despite this relationship, we believe regulators need to be insulated from highly mutable, short-term political agendas. Government’s predilection to adapt rules in response to the immediate political context or short-term political considerations can create an unstable regulatory environment that becomes detrimental to the regulated industry’s ability to invest and operate.

The role of Government in shaping a regulatory regime should be to provide long-term strategic objectives that define what the regulator should achieve. The Draft Bill provides a mechanism to do this; under Clause 109, the Secretary of State has the power to set a Statement of Strategic Priorities (SSP). The SSP presents an opportunity to guide Ofcom by setting out a limited number of clear and measurable priorities against which Parliament and other bodies can measure its progress. We view this as the correct vehicle for Government policy to shape the Online Safety regulator’s objectives.

However, Government should not dictate to the regulator how these objectives are achieved. Ofcom’s formal independence from Government is enshrined under Article 8 of the European Framework Directive, which has now been transposed into UK law[6]. This legislation requires that:

“national regulatory authorities shall act independently and objectively, including in the development of internal procedures and the organisation of staff, shall operate in a transparent and accountable manner in accordance with Union law, and shall not seek or take instructions from any other body in relation to the exercise of the tasks assigned to them under national law implementing Union law.”

Yet, within the Draft Bill there are multiple examples of powers conferred to the Secretary of State that we fear undermine the independence of the regulator. In one such instance, the Draft Bill requires Ofcom to produce codes of practices that set out recommended steps for providers of regulated services to fulfil compliance with their relevant duties, which must be submitted to the Secretary State, who must then lay them before parliament (s32(1) and (2)). However, under section 33(1)(a) the Secretary of State can direct Ofcom to revise the code of practice, before laying it in front of parliament, to ensure it “reflects government policy”. Whilst subsection 2 seeks to put in place checks against these powers[7], we believe it is inappropriate that the codes of practice can be modified to reflect government policy. The codes of practice are a mechanism for Ofcom to advise companies on how to comply with their duties, and we view the Secretary of State having the power to amend them as straying into the territory of dictating to Ofcom how to perform its role as regulator. Therefore, we believe that the committee should seek further clarity from Government on and consider the removal of Clause 33(1)(a) from the Bill.

Additionally, under Clause 113(1)(a) the Secretary of State can give guidance to Ofcom regarding the “exercise of their functions under this Act”. Again, we view this as an overstep of the Secretary of State’s power, as we do not believe Government should be involved in telling Ofcom how to exercise its powers under the Act. We ask that the committee should seek further clarity regarding what this guidance will encompass.

An important countervailing force to the powers afforded to Government is Parliament’s ability to scrutinise decisions. We acknowledge that the Bill requires the Secretary of State to lay certain decisions or documents before Parliament (such as the SSP or Ofcom’s codes of practice), but there are instances whereby Parliament’s scrutiny powers are not sufficient. For example, clause 39(2)(e) of the Draft Bill excludes from scope “one-to-one live aural communications”, which is clarified as meaning aural communications happening in real time which are not accompanied by written messages, videos, or visual images; for example, live voice calls over an internet service.

However, should the Secretary of State think it appropriate to repeal this exclusion, due to the risk of harm presented to individuals, they would have the power to do so via regulations subject to affirmative procedure (under s39(13)). Bringing into scope private one-to-one aural communications of the Online Safety regime would be a significant step with huge ramifications for the privacy rights of citizens, as well as technical challenges for those providers of regulated services and the access facility providers who may be called upon to enforce an action restriction order. Arguably, such a decision requires more parliamentary scrutiny and debate than affirmative procedure for secondary legislation allows.  

Another key form of regulatory accountability is derived from the ability to challenge the regulator, such as through lodging appeals. Ofcom’s decisions have historically been subject to an appeal “on the merits” of a case.[8] Virgin Media O2 has viewed this as a vital check on Ofcom’s decisions and power; having this recourse has shored up confidence for investment decisions in the telecoms industry. However, the Digital Economy Act 2017 changed the standard of appeal: “The Tribunal must decide the appeal, by reference to the grounds of appeal set out in the notice of appeal, by applying the same principles as would be applied by a court on an application for judicial review”.[9] The Draft Bill is consistent with the Digital Economy Act in this respect, stating that the Upper Tribunal must decide the appeal by applying the same principles as would be applied by the High Court on an application of judicial review (s104(5)(a) and s105(4)(a)).

Judicial review hinges on the lawfulness of a decision rather than whether the substance of a decision or action taken by the regulator is reasonable. We do not believe this standard of appeal provides the same level of check against a regulator’s power, and in turn does not promote the optimal level of accountability. Whilst Virgin Media O2 would not be classified as a regulated provider and therefore not be able to make an appeal, we view it as a matter of principle that the country’s regulatory regimes strike the right balance between protecting consumers and competitive markets with making the UK an attractive place for businesses.

• Are the media literacy duties given to Ofcom in the draft Bill sufficient?

We support the extension of Ofcom’s existing media literary duties to encompass online safety under Clause 103 in the Draft Bill. It is vital that individual users are empowered to navigate digital spaces, including the potential risks and harms that they will invariably encounter in those spaces. Technical interventions can and will protect users from harms, but there are limitations to what they can achieve alone, especially in light of how pervasive connectivity is in people’s everyday lives. Therefore, building digital resilience must be an integral part of the online safety regime.

We support the requirement on Ofcom to carry out, commission and encourage educational initiatives to improve the media literacy. However, we believe it is important that Ofcom does not duplicate efforts and should work with existing and well-established organisations operating in this area, such as Internet Matters – a trusted and expert organisation supported by a broad coalition across the tech ecosystem. Since its inception seven years ago, Internet Matters has become one of the most recognizable organisations operating in this area (second only to the NSPCC) and 80% of parents say Internet Matters is one of the first places they would go for online safety advice.[10]

In addition to complementing these organisations through its own initiatives, Ofcom can support them through insights into effective initiatives.  In Virgin Media’s response to the Online Harms White Paper in 2019, we called for the appointed regulator to track behavioral change resulting from safety and resilience initiatives. There were no existing organisations tracking behaviour change of online users to monitor what educational programmes were most effective; in our view having this data and research would allow industry to more efficaciously direct resources into initiatives that had meaningful and long-term impact on improving media literary. Therefore, whilst we are encouraged to see the duty on Ofcom to produce guidance about the evaluation of media literacy initiatives and actions, we think this could be expanded to include a responsibility for the online safety regulator to proactively track the performance of these initiatives.

22 September 2021