Effective enforcement
We had raised concerns previously about this, in particular the requirement to “comply or explain”. This seems to work better now – OFCOM can assess whether compliance is in breach of duty or not.[1] The record-keeping duties also have been expanded both as regards providers which are following a code[2] and those which seek to use “alternative measures”[3]. This should facilitate enforcement. While there are obligations on service providers to review compliance,[4] it is unclear what their internal consequence of finding defective compliance is. While OFCOM may ask for this documentation under its enforcement powers, service providers do not need to provide this to OFCOM as a matter of course; again that presumably is the role of transparency reporting.
The useful table in Clause 111 now sets out clearly the enforceable requirements. Apart from the change in formatting, we see the new user empowerment provisions and the linked user identity verification provision, the fraudulent advertising obligations in clauses 34 and 35, the obligation to report CSEA content to the NCA and the obligations on providers of pornographic content being included as enforceable requirements. These changes reflect new substantive obligations. Even under the draft Bill, risk assessments were enforceable requirements. The Bill, however, clarifies that this means insufficient risk assessments can constitute a failure in duty as well as a failure to do a risk assessment at all.
The OSB extends the ‘skilled persons’ provision. As was the case in the draft OSB, OFCOM may appoint a skilled person or require providers so do. This latter provision[5] will allow OFCOM to bring in skilled talent when required (and paid for by the company[6]) which is sensible resource management in a tight skills market. Additionally, however, service providers are required to give the skilled person assistance[7], which is an ‘enforceable requirement’ for the purposes of clause 111.
The fulcrum of OFCOM’s enforcement is the “confirmation decision”.[8] These are issued after notices (“provisional notices of contravention”) allowing a service to correct behaviour in relation to obligations listed in clause 111.[9] In confirmation decisions, OFCOM can direct service providers to take specified steps to comply with a notified requirement or to remedy a failure to comply with one such.[10] A requirement to take steps can be immediate.[11] OFCOM can back requirements (with seemingly the exception of immediate requirements) up in court, including through an injunction.
There are specific provisions relating to “proactive technology”[12], a new concept introduced by the Bill.[13] The significance of these provisions is not that OFCOM can now do something that it could not under the draft Bill – its ability to specify steps there was relatively unconstrained[14] – but rather that there have been constraints introduced, presumably in the service of the right to privacy or confidentiality, as well as differentiating between content harmful to adults and the other two categories of harmful content.
As mentioned above, there is now an explicit confirmation decision for risk assessments, the central part of the regime.[15] This allows OFCOM to take action if it thinks a service provider has not satisfied its duty on the basis that risks that OFCOM has identified are not effectively mitigated or managed. So it does not seem to target directly the process of risk assessment but seems concerned with risk management. It still seems to be a step forward from the draft Bill. There is also a separate provision dealing with compliance with the children’s access assessments, which is also new; having clarity around these foundational elements of the system is an improvement.
From confirmation decisions flow measures to enforce. These include fining (with more detail now than in the draft) and business disruption measures. OFCOM has to apply to a court for business disruption measures. The starting point seems to be service restriction orders[16] – these apply to people who provide services (“ancillary service”) (such as banking, search visibility, advertising[17]) in relation to a failure on the part of a regulated service provider to comply with an enforceable requirement; time-limited Interim Service Restriction Orders[18] – for urgent, high-harm cases; Access Restriction Orders, where Service Restriction Orders are not likely to work and are mainly directed at ISPs and App Stores; and Interim, time-limited Access Restriction Orders (clause 126).
[1] Clause 45(6), and implicit in wording ‘seeks to comply’ in cl 45(5) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[2] Clause 20(3); 30(3) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[3] Clause 20(4)-(5); 30(4)-(5) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[4] Clause 20(6); 30(6) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[5] Clause 88(4)(a) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[6] Clause 88(7) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[7] Clause 88(6) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[8] Clause 112 et seq https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[9] Clause 110 https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[10] Clause 113 https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[11] Clause 113(5) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[12] Defined at clause 184 as “content moderation technology”, “user profiling technology” and “behaviour identification technology” each with their own sub-definition. https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[13] Clause 116 https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[14] See Clause 83 draft OSB
[15] Clause 114 https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[16] Clause 123 https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[17] Clause 123(12) https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf
[18] Clause 124 https://publications.parliament.uk/pa/bills/cbill/58-02/0285/210285.pdf