This was first published by RPC in October 2023.
It will be important for officers and directors of tech companies to familiarise themselves with these provisions and consider what steps can be taken to ensure personal and corporate compliance.Background
The OSA seeks to improve user safety online by ensuring illegal content and content that is harmful to children is identified and removed by search engines and providers of user-to-user services. The legislation will require companies to implement appropriate procedures and processes to tackle such content and will grant extensive powers to the new online safety regulator, Ofcom, to oversee and enforce the new rules.What are these criminal offences?
The OSA does not introduce wholesale criminal liability for directors of in-scope services, but it provides that senior managers may be held criminally liable for a company's failure to comply with the legislation in specific circumstances. These include offences for failing to comply with information and audit notices, offences committed under the Act by the body corporate but with the consent, connivance or neglect of a company officer, and, in certain circumstances, offences for failing to comply with a children’s online safety duty.Information and audit offences
One of Ofcom's new powers is the ability to issue an "information notice" to a regulated entity requiring that entity to provide Ofcom with information needed for the purpose of exercising any of its online safety functions. Information notices can be wide in scope and may require the relevant entity to provide Ofcom with information about the use of the service by a particular named individual or information requested by a senior coroner in relation to the investigation into the death of a child. A provision has been added more recently to the Bill which enables Ofcom to also prepare a report in connection with the investigation into the death of a person.
A service provider will commit an offence for: (a) failing to comply with the notice, (b) knowingly or recklessly providing false information in response to it, (c) intentionally providing encrypted information which Ofcom cannot understand, or (d) intentionally suppressing, destroying or altering information.
Ofcom may require the company receiving the information notice to name in its response a senior manager who may reasonably be expected to be in a position to ensure compliance with the requirements of the notice. An individual will be a “senior manager” if they play a significant role in making decisions about how the entity’s relevant activities are to be managed or organised, or they are involved in the actual managing or organising of the entity’s relevant activities.
Where any of the offences at (a) to (d) above are committed by the company, and a senior manager has failed to take all reasonable steps to prevent the offence from being committed, that senior manager will also commit an offence. It is hoped that further guidance on what "reasonable steps" should be taken by senior managers will be provided by Ofcom in due course.
The same applies to senior managers who fail to ensure compliance with audit notices issued by Ofcom without a reasonable excuse, knowingly or recklessly provide false information in response to an audit notice, or suppress, destroy, or alter information with the intention of preventing Ofcom from being provided with the information as it was before the alteration.
Finally, corporate officers could face two years’ imprisonment for knowingly or recklessly making false reports to the National Crime Agency about child sexual exploitation and abuse on their services.
Failure to keep children safe online
The OSA also creates criminal sanctions for corporate officers where an offence is committed by the body corporate either with the consent or connivance of the corporate officer or owing to their neglect. The definition of “officer” is very wide, and includes a company director, manager, associate, secretary or other similar officer, or a person purporting to act in any such capacity.
A significant amendment to the legislation introduced criminal liability for individual officers if, through their consent, connivance or neglect, the company fails to comply with a confirmation decision requiring it to take steps to ensure it acts in accordance with a child safety duty in the OSA. The upshot is that individual directors could face up to 2 years' imprisonment for alleged failure to prevent children from encountering harmful content even where they are not directly responsible for moderation decisions or the response to Ofcom's confirmation decision.
The relevant children’s safety duties include the requirement to prevent children of any age encountering primary priority content that is harmful to children, which includes pornographic content and content which encourages, promotes or provides instructions for suicide, deliberate self-injury or an eating disorder. It also includes the requirement to protect children in certain age groups judged to be at risk of harm from other content that is harmful to children.
Senior managers can take some comfort in the fact that they will be given advanced warning if Ofcom deems the service provider to be failing in respect of a child safety duty; first, through an investigation and provisional notice of contravention (to which they can provide submissions in response) and then via a subsequent confirmation decision (which they can appeal). That said, enforcing children’s safety duties is likely to be an aspect of the new legislation in respect of which Ofcom will come under significant pressure to take action. As a result, tech companies and their senior managers are likely to face heavy scrutiny in this area.
Why is this important?
This legislation will fundamentally change the criminal and regulatory landscape for tech companies in the UK and will introduce personal criminal liability in relation to a key focus of the OSA: child online safety. The consequences of non-compliance for both the corporate entity and for individuals are extremely serious and should be grappled with as soon as possible in order to ensure compliance once the OSA comes into force.In-scope services should consider who may be deemed an "officer" and "senior manager" of the company under the OSA to understand to whom personal liability could attach. Companies should also undertake a detailed review of their processes and practices currently in place relating to children's online safety and should implement any necessary adaptations now, to ensure they are well-equipped to engage robustly with the regulator in relation to any investigations or provisional notices once the OSA becomes law.