Written evidence submitted by the CBI (OSB0186)
The CBI welcomes the opportunity to submit evidence to the draft Online Safety Bill Pre-Legislative Scrutiny Committee. The CBI is the UK’s leading business organisation, speaking on behalf of 190,000 firms across all sizes, sectors, and regions of the economy that together employ around a third of the private sector workforce.
The CBI responded to the government’s Online Harms White Paper consultation, recognising the need for an effective regulatory regime that makes the UK the safest and best place to grow a digital business. Businesses are pleased that these proposals have now reached the legislative stage and look forward to engaging with the government and Parliament as they are implemented.
The digital economy is an important engine of UK growth and resilience.
Comprising a vibrant mix of companies from games and review websites to cloud services and social media, the digital economy is a powerhouse of UK growth and resilience. It is worth £150.6bn and is home to three million jobs. During the course of the pandemic, technology adoption has supported businesses to adapt operations, engage customers, and deliver new products and services, and supported adults and children to work, study, play safely from home, and connect with loved ones online.
The digital economy is a force for good, but the pace and scale of technological change have created significant challenges. Industry is committed to working with the government, parliamentarians, and regulators to tackle the range of online harms and seize the potential of digital technology.
As well as growth and jobs, the digital economy can play a major role in improving quality of life, helping to deliver innovative solutions to some of the biggest issues we face as a society from an ageing population to climate change. But industry is cognisant of the new channels for harmful behaviour that can be opened up online, whose scale and scope necessitates a range of different responses – with businesses, charities, regulators, and the government already taking action.
Firms are working to tackle online harm, whether individually (such as industry leader Jagex, a games company with clear safety features in its online game Runescape) or in partnership with others (for example, Facebook’s Journalism Project includes work with news publishers and non-profit organisations to combat misinformation, or the Online Safety Data Initiative looking to improve safety technologies). However, businesses recognise the seriousness of online harms and are pleased that these proposals have now reached the legislative stage after years of careful thinking and development. Firms recognise the central role that regulation must play in meaningfully improving user safety and experience.
For the UK to lead in industries of the future, we have to get this regulation right.
While the UK is ahead of the digital pack today, it cannot rest on its laurels. Sustaining the momentum of our flourishing digital economy, encompassing start-ups and scale-ups as well as multinational companies, could generate huge opportunities in the years to come. But, following the challenges of the pandemic, businesses are particularly sensitive to the difference in national operating environments as they decide where to locate, invest, and innovate.
The Online Safety Bill is an opportunity to put in place the architecture that reduces the risk of harmful content online, improves people’s trust in technology, and stimulates investment in innovation that respects people’s fundamental rights. It is also a novel and complex piece of legislation that needs to be carefully implemented. Businesses are committed to working with the government, Parliament, and OFCOM to make sure it’s a success. The stakes are high: ineffective and disproportionate regulation could undermine new entrants into the digital economy, dampen UK investment in the digital and creative sectors, and have minimal impact on improving public trust or online safety. And internationally, as other countries grapple with online harms and look to the UK, its solutions must be effective and balanced.
Following extensive industry engagement, the CBI has identified a number of areas of uncertainty or challenge for businesses in the draft Bill.
Businesses are facing uncertainty around key parts of the Bill, including definitions, scope, and responsibilities. Firms already designing tomorrow’s products and services need clarity as quickly as possible to ensure proposals can be implemented effectively and tackle harms sooner rather than later. This is particularly important for SMEs and start-ups, which are central to the UK’s digital economy and have fewer resources to cope with complex legislation or unintended consequences. Smaller firms will make up a large part of the 24,000 businesses in scope of the Bill.
In addition to more detailed comments below, the CBI has identified a number of overarching principles that should underpin this legislation:
- Proposals must embed principles of good regulation, prioritising proportionality, feasibility, and effectiveness. To be effective, feasible, and futureproof, businesses must be given clear and proportionate rules to follow and avoid double regulation. This will also support investor confidence in choosing the UK as a place for innovation and investment.
- Secondary legislation should be set out as soon as possible to give businesses time to adapt. Although businesses recognise the benefits that secondary legislation will provide for flexibility and long-term effectiveness of the online safety regime, fundamental parts of the Bill such as the types of harmful content in scope have been left to secondary legislation. The more information businesses can have the sooner, the better.
- The government should maintain the systems-based approach set out in the draft Bill. Businesses welcome the government’s approach based on companies having the right systems in place rather than individual cases of harm.
- Government departments must create a coherent package of technology policy and regulation to avoid a fragmented approach for business and support innovation. A joined-up approach across a number of initiatives and regulations is needed to tackle the full scale of online harms, including economic harms such as advertising fraud or copyright infringement. Businesses recognise the seriousness of harms across the digital economy – from CSEA to advertising scams, and want to work with policymakers to develop solutions that deliver the best results, quickly. A joined-up approach will also be key to support goals like innovation, which cannot be a footnote in the government’s approach to online safety.
Summary of recommendations
Theme 1: The regulatory model – scope, definitions, and duties of care
Regulation must give businesses clear and proportionate rules and responsibilities to follow. Parts of the draft Bill do not currently fulfil this aim, although businesses appreciate that secondary legislation will clarify some proposals.
There remains some uncertainty about which services and content are in scope of the draft Bill.
- Broadly, businesses welcome the focus of the draft Bill on user-to-user and search services and the exemption of services such as email, SMS, and MMS services, internal business services, and limited functionality services from scope. However, there remains some concern about the extent to which private messaging is in scope, for instance the justification for including some messaging services while SMS and email have been excluded from scope. Some of the services in scope are end-to-end encrypted channels, which firms do not believe should be undermined. Businesses are concerned that this may leave encryption open to regulatory challenge under this Bill, when there is a well-constructed framework for considering these issues under the Investigatory Powers Act.
- Businesses are concerned about the potential impact of the Bill on privacy. The Bill gives the regulator the power to impose ‘use of technology’ notices on service providers, which could require changes to their service, including greater surveillance of messages, without due consideration for privacy. In contrast, the Investigatory Powers Act includes a detailed process for taking privacy into account. The Bill should, for example, require OFCOM to seek specialist input on how privacy will be impacted by any use of these powers.
- The explanatory notes should define and explain what is classed as user-generated content. This definition should be proportionate and create clear boundaries to reduce an overly wide definition of UGC and limit duplicated regulation of the same content online. For example professional content could also be classed as user-generated content under the current definition, such as direct publishing by professional authors that is already subject to content licensing.
- Businesses recognise the sensitivity and seriousness of economic crime including advertising fraud. Although there is disagreement among firms about the most appropriate vehicle to do so, businesses are committed to addressing these harms. To effectively tackle the broad range and scale of online harm, the UK must have a joined-up and coherent policy and regulatory landscape (as recognised in the government’s recent Plan for Digital Regulation).
- To support policymakers, the CBI has set out current vehicles available to tackle economic crime and how each could be improved or refined, focussing on the OSB, Online Advertising Consultation, and Online Fraud Steering Group (OFSG). The CBI is not commenting on what might be the best vehicle to tackle economic crime but wants to highlight the pressing need for it to be tackled, current options available to government, and how such options might be refined or improved.
- Online Safety Bill: While the CBI has not taken a position on the inclusion of economic crime in the OSB, there are existing provisions on fraud that could be improved. Wider comments in relation to these points are expanded upon later in our response.
- Definitions of illegal content: The draft OSB does not specify illegal content beyond terrorism and CSEA, although the accompanying literature mentions other harms such as financial fraud (including romance scams and fake investment opportunities). Businesses are currently unclear about what the government means by ‘financial fraud’, which should be clarified and tied to a specific criminal definition.
- Priority illegal content: The CBI does not believe it is our role to define which harms should be a priority. There should be a rigorous, evidence-based approach to ensure businesses are given license to focus on the most serious harms first.
- The role of the regulator: depending on how the government decides to address economic crimes like advertising fraud, regulators like OFCOM would likely need to work closely with the FCA, including significant and systematic support.
- Online Advertising Consultation
- Publication: DCMS should look to publish the online advertising consultation as soon as possible.
- A joined-up landscape: Should the consultation recommend legislation around online advertising fraud, legislative timetables should attempt to run in parallel with the OSB, with a coherent policy framework to avoid a fragmented approach to tech policy and regulation.
- Online Fraud Steering Group (OFSG): The CBI greatly welcomes this industry-led initiative and highlights industry commitment to tackling online fraud collaboratively between technology and financial services companies, and law enforcement. In particular, the CBI welcomes the recent commitment from technology companies (facilitated by the OFSG) to support the Take Five to Stop Fraud campaign led by UK Finance. This will help the campaign to reach a wider audience and ensure consistency of messaging across industry sectors. Key features of the group that should be drawn out are:
- Open dialogue: The more dialogue between firms, the greater the chance of finding common ground and solutions to tackle online fraud. Firms have highlighted the importance of creating effective mechanisms for information sharing between financial services companies, technology platforms, and regulators.
- KPIs: The development of KPIs with cross-industry agreement on what a ‘successful’ reduction of online fraud looks like will showcase industry’s commitment to tackling online fraud. The CBI understand that metrics are currently being developed.
The thresholds for categories of service should take into account both risk and reach.
- Businesses support the flexible approach taken by the government, giving regulated services duties corresponding with their identification as Category 1, Category 2A, or Category 2B companies depending on their number of users and functionalities (Category 1) or number of users and other relevant factors decided by the Secretary of State (Category 2A/2B) (schedule 4). A differentiated approach is feasible and appropriate, helping to ensure that firms aren’t forced to comply with disproportionate rules compared to the harm they risk introducing.
- However, businesses were disappointed not to see further detail about the Bill’s ‘threshold conditions’ or the factors that will be taken into account when deciding whether a business belongs in Category 1, 2A, or 2B. We would like to stress that industry is keen to see an approach based on both reach (i.e. the number of UK users) and risk (encompassing factors such as prevalence of harm or business model). The CBI believes that this would cement a more proportionate approach, for example by ensuring that an innovative start-up with a smaller reach or larger marketplace selling clothes weren’t overburdened with legislation more appropriate for companies with further reach and higher risk.
Duties of care must be as clear and effective as possible, without introducing conflicting requirements or overburdening smaller businesses.
- Duties of care are the government’s main regulatory mechanism for improving online safety, therefore must be as clear and effective as possible. The draft Bill sets out that all services will need to conduct risk assessments relating to illegal content and have duties about rights relating to freedom of expression and privacy, services that can be accessed by children will have to conduct ‘children’s risk assessments’, and Category 1 services have additional duties to protect adults from harmful content and protect ‘content of democratic importance’ and ‘journalistic content’. Given the complexities of the Bill, there is a real risk that different duties of care could introduce conflicting requirements for businesses. Firms would welcome a better understanding of how they should approach tensions, and whether the responsibility for resolving them lies with individual companies or with the regulator.
- Content of democratic importance and journalistic content: In particular, tensions could arise between services’ duty of care to their users and duties relating to content of democratic importance and journalistic content. For example, what if a journalist says something legal but harmful, or an MP complains about a post which claims to be journalism? To support them to make difficult decisions, businesses would value a better understanding of the aim of provisions surrounding democratically important content – for example, protecting MPs from abuse, safeguarding electoral advertising, or addressing unintentional misinformation.
- Risk assessments: Undertaking risk assessments are a core part of the duties of care, but firms note that the level of detail they require ahead of product launches and updates is substantial, and could prove particularly onerous for start-ups, scale-ups, and SMEs. The government must consider how this is likely to impact its broader ambitions on innovation and competition as set out by interventions such as the Innovation Strategy, National Data Strategy, and Digital Markets Unit – as well as harnessing the opportunity for safety technologies to reduce online harm, attract investment, and stimulate competition and positive digital innovation that respects fundamental rights, including children’s rights and wellbeing. The government should also consider how the Online Safety Bill risk assessments will coordinate with risk assessments made under the ICO’s Children’s Code (or Age Appropriate Design Code), which sets out 15 standards that online services need to follow to protect children’s data online. The government and OFCOM could consider measures such as:
- Specific support for smaller firms to help them comply with their obligations.
- A fast-track risk assessment process for priorities such as safety technologies.
- Consider the role of impact, rather than risk, assessments to incentivise positive innovation – for example, giving firms the opportunity to showcase the benefits of their platform or services that keep consumers safe and empower them to seize the opportunities that digital technologies offer - rather than just the risk.
- Alignment and streamlining between the Online Safety Bill and Children’s Code where appropriate.
- Transparency reporting and public-facing guidelines: Transparency reporting is a useful measure that can, formulated correctly, drive accountability, showcase best practice and help assess the effectiveness of measures to tackle online harm. However, reporting requirements must be flexible, consider commercial sensitivities and consider of the vast range of business models in the digital economy. Some business models may not easily lend themselves to reporting specific data as this hasn’t been built in at the engineering level. For many firms, re-engineering their products and services to comply with rigid transparency reporting criteria would be disproportionate.
The government should further develop proposals around illegal and legal but harmful content to give businesses clear definitions and scope.
- It is clear and proportionate to give companies a well-defined responsibility to remove content that is illegal and has a clear definition, for example terrorism, CSEA (Child Sexual Exploitation and Abuse), and hate crime. However, firms have concerns about the way ‘legal but harmful’ content such as cyberbullying has been addressed in the draft Bill.
- Illegal content: While it is clear and reasonable to ask companies to take action against illegal content, the draft Bill itself doesn’t specify illegal content beyond terrorism and CSEA, although the accompanying literature mentions racist hate crime and financial fraud such as romance scams and fake investment opportunities. Illegal content in the Bill should be tied to a specific criminal definition: for example, businesses are currently unclear about exactly what the government means by ‘financial fraud’.
- Priority illegal content: Businesses should be given license to focus on the most serious harms first. There is a need for a rigorous, evidence-based approach to decide which illegal content is a priority to ensure that the list doesn’t become unfeasibly or disproportionately long, causing firms to take less effective action as they spread themselves too thin to tackle all online harms at once within the wide-ranging new regime.
- Legal but harmful content: Businesses are particularly concerned about the broad definition of legal but harmful content in the draft Bill, which states that where there are ‘reasonable grounds to believe that the nature of the content is such that there is a material risk of the content having, or indirectly having, a significant adverse physical or psychological impact on an adult of ordinary sensibilities’ (section 46(3)), that content must be ‘dealt with’ – an ambiguous term (section 11(2)).
- It is disproportionate and undemocratic for businesses alone to make and enforce value judgements on legal but harmful content. Companies will be forced to decide the boundaries between unacceptable harm and freedom of expression, which is challenging given legal but harmful content is often heavily context-dependent with no legal definition of these harms or expert or clinical consensus on the action that should be taken. Including legal but harmful content in the Bill without accompanying definitions will lead to inconsistency of services, with some businesses allowing content that others won’t.
- The government must carefully consider how legal harms could be further defined in primary or secondary legislation, and the stakeholders it should consult with as it gathers evidence to define these harms and develop the codes of practice. The proposals as they stand could incentivise companies to take down all content that might be harmful. This is likely to have a detrimental impact on freedom of expression, leaving companies exposed to potential legal action on those grounds. Similarly, making companies responsible for making decisions on legal but harmful content could further erode public trust in businesses and technology.
Businesses welcome the flexibility allowed by codes of practice.
- Businesses welcome the flexibility offered by codes of practice, whereby they won’t be prescriptive if businesses are able to fulfil their duties of care through different steps. The CBI also understands that OFCOM will develop codes of practice through a consultative and multi-stakeholder process, which businesses strongly support and look forward to participating in. In some cases, it may make sense to include provisions about minimum statutory notice periods if a code of conduct is amended, replaced, or withdrawn.
Theme 2: The regulator – OFCOM’s powers and duties
The CBI has supported OFCOM as the right regulator for the online safety regime, with expertise in related issues and widely respected as an independent body – both of which are critical for the successful enforcement of the online safety regime. However, there is industry consensus that aspects of the regulator’s powers and duties need more clarity.
Businesses have strongly supported OFCOM as the right body to regulate online harms, but regulatory collaboration across all sectors involved in online safety remains pivotal.
- To be successful, OFCOM must be equipped with extensive resource and technical expertise. It must also have deep expertise in each of the illegal harms in scope and be equipped to work effectively with bodies that also have subject matter expertise in online safety.
- The regulator must have the networks that allow it to quickly and effectively work with other regulators that cover connected aspects of the digital economy, including the ICO given the Bill’s links with the Children’s Code. Industry welcomed the creation of the DRCF (Digital Regulation Cooperation Forum) as a positive step forward for regulatory dialogue in the digital arena, comprised of OFCOM, the CMA (Competition and Markets Authority), and the ICO. Firms have also welcomed government’s recently released Plan for Digital Regulation. These interventions must deliver on their coordinating function, including working in step with other regulators such as the FCA (Financial Conduct Authority).
- While businesses have strongly supported OFCOM as the right body to regulate online harms, its expertise does not lie in economic crime. With the scope and scale of the regulatory regime already ambitious, OFCOM is likely to need significant and systematic support from organisations like the FCA to avoid overlap and duplication if it is further expanded to include economic crimes like advertising fraud.
The government should clarify the balance of responsibilities between regulator, Parliament, and Secretary of State and restate the importance of regulatory independence.
- Firms would value a greater understanding of the balance of responsibilities between the different bodies in the ecosystem (namely the Secretary of State, Parliament, and OFCOM) and how their powers can and can’t be used. In particular, the CBI notes the significant powers given to the Secretary of State and Parliament in the draft Online Safety Bill: for example, the Secretary of State has the power to reject OFCOM’s recommendations on the threshold conditions for different categories of service (Schedule 4) and add to the list of illegal content (section 44(4)).
- Businesses underline the importance of regulatory independence and transparency. The potential for the Secretary of State to be able to exert a high degree of influence on the Bill without adequate checks and balances would be deeply concerning and could have a knock-on impact on the effectiveness and proportionality of the legislative regime. The independence of both the regulator and its guidance will depoliticise issues, retain regulatory stability, and build public trust in how online harms are being tackled. Measures to support the independence of the online safety regime include an evidence-based approach to the list of priority illegal content as outlined above, and full transparency if the Secretary of State departs from independent OFCOM advice.
The government should provide greater clarity on the procedure for information gathering and enforcement.
- It is appropriate and proportionate for the regulator to have a range of tools to enforce the new online safety regime. Businesses would welcome further clarity on aspects of the enforcement and information gathering process.
- Information gathering powers: The draft Bill gives OFCOM information gathering powers that would apply to access facility providers like ISPs (Internet Service Providers). However, it is currently unclear what information OFCOM would request, and firms would value a better understanding of this. Additionally, ISPs believe that the draft Bill should be updated to allow them to challenge information requests or ask for longer deadlines to fulfil them. This would be a more proportionate approach, as well as reflecting other legislation like the Communications Act 2003 so giving OFCOM consistency in the way it approaches information gathering across its different regulatory remits.
- Business disruption measures: While regulators like OFCOM and the ICO are effective without business disruption measures such as ISP blocking, businesses can see a role for these in the gravest circumstances where there is systemic failure to address online harms and an immediate threat of serious harm.
- Given their radical nature, businesses support proposals in the draft Bill stating that business disruption measures such as access restriction orders are subject to a court order and are a last resort. Firms emphasise the need for a clear legal basis and process before pursuing these measures. Access facility providers would welcome further information around what the court process entails, whether they are able to play an active role in it, and the exact requirements of what an access restriction order can cover. The government should look to include this in Online Safety Bill.
- Liability of corporate officers: The government must carefully consider the impact that introducing criminal liability for senior executives could have on the attractiveness of the UK as a location for top talent and the best place to start and grow a digital business.
OFCOM’s new powers and duties must be jointly funded through a proportionate business and government partnership
- Industry funding must be proportionate, based on relevance to the regulator’s work and taking insight from Ofcom’s existing funding models.
Businesses welcome provisions on media literacy in the draft Online Safety Bill and the Online Media Literacy Strategy.
- Businesses strongly welcome the Online Safety Bill’s clauses on media literacy, which is an area where many firms are already taking action. User education and empowerment cannot be a footnote in the government’s approach to online safety, which requires positive action as well as regulatory levers. Rather than chasing the technology, the government must consider people’s behaviour, supporting digital literacy and education efforts to embed positive online citizenship.
- In our response to the Online Harms White Paper, the CBI called for government and regulator coordination to make existing initiatives greater than the sum of their parts. Businesses were therefore pleased to see the government’s recent Online Media Literacy Strategy, outlining key aims including coordination, awareness-raising, and facilitation and funding. Industry is committed to supporting the government and regulators as these plans are taken forward, including with DfE and Ofsted.
Theme 3: Commencement and implementation
The Online Safety Bill distils years of thought, discussion, and debate. Reflecting the scale and range of online harms, it is rightly a comprehensive and wide-ranging piece of legislation – but, equally, novel, lengthy, and complex. The Bill’s implementation process must acknowledge this.
The government and OFCOM should develop a multi-year, multi-step implementation plan that accounts for the complexity of the Bill.
- Given its complexities, businesses would value a multi-step implementation process that allows them to show progress on resource-intensive proposals. As outlined above, firms have welcomed the flexibility the Bill allows for them to take different approaches to the ones set out in codes of practice. Similar discretion on the time different businesses might take to implement different measures would also be helpful. For example, a code of practice could set out which steps are more urgent than others to support companies (particularly start-ups and SMEs) who are dealing with the wide-ranging new regime. This would make a big difference for product development and launches.
- As already stated, businesses should be directed to tackle the most serious harms first to support meaningful action. The Bill’s impact could be diluted if businesses try to implement everything at once but are unable to do so effectively.
Building on its leadership at the G7, the government could provide further detail on how the UK will coordinate internationally on online safety.
- The digital economy is global: companies operate across jurisdictions, online harms cross borders, and governments around the world are considering how to tackle common challenges. Countries should look to share best practice as well as identifying gaps, pinch points, and areas of divergence, with international coordination vital to ensure that the regulatory environment UK businesses are operating in doesn’t competitively disadvantage them compared to international businesses located elsewhere.
- Businesses welcomed the UK leadership showcased at the G7, where countries emphasised the importance of international multistakeholder cooperation, involving governments, industry, academia, civil society, and other stakeholders. The government’s recent Plan for Digital Regulation also places an important focus on international cooperation. Businesses are eager to work with the government and OFCOM to build on these principles and develop opportunities for international outreach and dialogue.
28 September 2021