Mishcon de Reya page structure
Site header
Main menu
Main content section

Online 'harm': how does the Online Safety Bill compare to our existing UK health and safety regime?

Posted on 23 March 2022

Safe use of social media and the internet has been thrust into the spotlight once again with the publication of the Online Safety Bill on 17 March 2022. The aim of the Bill is to 'protect children from harmful content such as pornography and limit people's exposure to illegal content, while protecting freedom of speech'. The idea of protecting particular groups of people in this way will not be unfamiliar to those with knowledge of UK regulation. Raising awareness of proactive safety compliance in the UK has been on the agenda for over 40 years. The health and safety regulatory regime, through the eyes of the Health and Safety at Work etc. Act 1974 (HSWA) and enforced by the Health and Safety Executive, has centred around the importance of not waiting for actual harm to occur but instead mitigating the risk of harm and limiting liability before an incident occurs.

The Online Safety Bill is designed to protect against online risk and harm, with a particular focus on children and vulnerable people. Any business that hosts user-to user content (e.g. enables users to post their own content, which may be encountered by others, or interact with each other online) and has sufficient links to the UK would have a 'duty of care' towards relevant persons. It seems likely that this duty would have been created with the current UK health and safety legislation in mind to some extent. Businesses in scope of the Bill, if it passes into law, will therefore be held accountable and must take steps to tackle illegal content on their services. This may also sound familiar – the HSWA places similar obligations on businesses to ensure that they secure the health and safety of all employees and non-employees through the conduct of their work activities.

Businesses whose services host user-to-user content, such as images and videos or allow online discussion between users through messaging or comments (around 25,000 businesses could be in scope of the Bill according to Government estimates) would therefore need to identify if they would be required to meet new obligations under the Bill, and more importantly, assess how they should meet those obligations. A direct comparison of certain sections of the new Bill and the HSWA may clarify the situation further – businesses in scope would find themselves as potential 'duty holders'.

The Online Safety Bill

The Health & Safety at Work etc. Act 1974

  • Definition of 'harm': 'physical or psychological harm'.
  • Definition of 'hazard' – anything that can cause harm; the potential to cause harm, including ill-health and injury, damage to property, plant, products or the environment, production losses or increased liabilities" (Managing for health and safety - HSE HSG65, third edition)
  • The duties applying to businesses in scope of the Bill will depend on whether they are Category 1 providers (likely to be the large social media platforms and similar services) or are otherwise in scope of the Bill.  The duties include:
    • Tackling and removing illegal content
    • Preventing children from accessing inappropriate content (e.g. porn or violence)
    • Protecting adults from 'legal but harmful' content (only applies to the largest, highest-risk platforms – Category 1 services)
  • The Act applies to all business sectors that carry out workplace activities, on or off their own premises.
  • Focus on the harmful effect of a message or content, as opposed to simply assessing whether there is indecent or offensive content.
  • Focus on risk of harm and the impact on relevant persons, rather than any actual harm suffered. Also consider ISO 45003 – guidance for managing psychosocial risk, in that a business must identify the conditions, circumstances and workplace demands that may have the potential to impair the psychological health and well-being of employees.
  • Businesses will need to have appropriate systems and processes in place, ensuring that this is a proactive way to manage harm and risk, in addition to dealing with individual pieces of content. They will need to put in place systems and processes which allow users/affected persons to report specified types of content and activity, and establish an easy to use complaints procedure.
  • Businesses will have to have regard to the importance of protecting users' legal rights to freedom of expression and privacy when implementing safety policies and procedures. Category 1 providers will also need to ensure their systems and processes are designed to ensure the importance of free expression of content of democratic importance and journalistic content are taken into account when making decisions about content. Category 1 providers must also offer optional user verification and user empowerment tools.
  • Risk assessments will need to be prepared to detail how the relevant business services might expose users to illegal and harmful content and how they will address that risk.  Once a year, Ofcom must also give every provider of a relevant service a notice which requires the provider to produce a report about the service (a “transparency report”).
  • Businesses must have suitable policies and practices in place, to demonstrate a proactive approach to health and safety management and advised not to wait for an incident to happen.
  • Legal duty to assess the risks to the health and safety of employees and non-employees to which they are exposed while they are at work or affected by business activities. Must secure their health and safety "so far as reasonably practicable".
  • Regulator – Ofcom
  • Regulator – Health and Safety Executive
  • Businesses that fail to comply would face fines of up to £18 million or 10% of annual global turnover, whichever is higher, and the regulator could also apply to court for certain business restricting measures such as blocking access to non-compliant services.
  • Criminal sanctions on executives / senior managers if they do not respond to requests for information.
  • UK Health & Safety Sentencing Guidelines indicate that fines for large organisations (turnover of £50 million or more) that are highly culpable and expose relevant persons to a significant risk of harm can face fines up to £10 million. Individual directors or senior managers that have committed a failing by way of consent, connivance or attributable to their neglect could face an unlimited fine and/or up to 2 years in prison and could be disqualified from being a director for up to 15 years. Businesses could face additional enforcement action, forcing them to improve conditions or preventing them from continuing with their work activities (prohibition or improvement notices).

The above table shows that the Government is not strictly trying to re-invent the wheel by introducing the Online Safety Bill – the way the Government wants to protect people online appears similar to the way businesses already seek to protect people in the workplace. This makes sense, since the HSWA is heralded as one of the most effective pieces of safety legislation in Europe to date. However, one of the criticisms of the Bill is that it is likely to struggle to adequately address all of the different 'harm' scenarios it is trying to prevent. The HSWA tries its best to provide an overarching but general duty to secure the health and safety of all relevant persons, but relies on specific regulations to address specific harm, such as the risk of harm from exposure to hazardous substances (the Control of Substances Hazardous to Health Regulations 2002) or the risk of harm from construction site activities (the Construction (Design and Management) Regulations 2015). There may be some benefit in taking a leaf out of the HSWA's book to allow certain issues to be specifically catered for in associated regulations (for example, there is a power in the Bill to make regulations to set out what constitutes 'harmful content') instead of having an all-encompassing tool to prevent online harm, thereby making compliance more manageable.

This Bill demonstrates a robust approach by the UK Government in respect of online safety, giving it the importance that it deserves. This is reminiscent of the messaging released a few years ago from the Government around the importance of businesses understanding both their corporate and individual health and safety responsibilities and the need to lead health and safety 'from the top'. However, the significant criminal penalties imposed as a consequence for failing to be proactive and compliant within both of these regulatory regimes suggest that a preventative approach must be key to managing the risk of online harm, but there is still a lot to be ironed out before this Bill becomes law. Safety, be it online or otherwise, is likely to remain a key topic of discussion for businesses and their directors and senior managers for some time if they wish to avoid scrutiny from the regulators.

How can we help you?

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else