The UK’s pending Online Safety Bill and the EU’s Digital Services Act are designed for the regulation of big tech, but there is the issue of legal but harmful and unintended consequences that can affect your business
“Civil servants do their best to consider all implications, but there is always something they haven’t thought about,” Sue Turner OBE, AI and data governance and ethics specialist, told me.
“The fear is that companies will proactively over-censor themselves for fear of being censored by the regulator,” Jacquie Hughes, media policy and regulatory specialist, said.
The issue relates to two pieces of pending regulation, the Online Safety Bill (originally called the Online Harms Bill) in the UK and The Digital Services Act in the EU. The two bills will have repercussions for businesses and business owners who might consider that their business is as far removed from big tech as you can get.
Furthermore, as has been the case with GDPR, the impact of these two pieces of pending legislation will reach far beyond the continent of Europe. GDPR has been followed by a spat of regulations worldwide, such as the California Consumer Privacy Act (CCPA), the pending Personal Data Protection Bill in India, and LGBD in Brazil.
When GDPR came out, many specialists in the area argued it was primarily aimed at the regulation of big tech, but its impact on businesses, small and large, is there for all to see.
A guide to IT governance, risk and compliance — Information Age presents your complete business guide to IT governance, risk and compliance.
Legal but harmful
The most controversial area of the Online Safety Bill is ‘legal but harmful.’ The Bill requires companies to take on a duty of care with online content; and could result in heavy fines for companies or even criminal prosecution for its managers that fail to meet the requirements. But it creates ambiguity. Companies will be required to monitor and, if necessary, censor content that is legal but deemed harmful.
“Legal but harmful is the battleground. It’s why the joint committee which put forward recommendations for amending the Bill suggested getting rid of it and just sticking to clearly defined ‘illegal’ harms,” Hughes said.
“It leaves too much ambiguity and too much to judgement by individual companies,” she added.
Turner opined that the Bill might “put people off being creative.” She explained by giving an example of a company that was keen to interact with its community, encouraged more diverse views, and wanted discussion from which it could learn. In short, it wanted to do the things that most regulators, shareholders and the public would approve.
But the company became concerned that it might fall foul of the Online Safety Bill.
“There is the issue of legal but harmful. So how do you set up your guard rails?” asked Turner. She said: “This company is running away from it.
“And that is worrying as we want companies to have more diverse views.”
Why legal but harmful
This begs the question, precisely why is the government promoting legal but harmful and there is the thorny area of risk.
Clause 59 of the Bill is telling; it refers to “risk assessment duties for content that is legal but harmful.”
In other words, companies are being asked to apply a risk approach to their online safety, but this is riddled with ambiguity.
Hughes explained: “The government was keen to keep it in because it wanted to deal with the whole plethora of so-called harms.”
She warns that companies will remove content in advance rather than risk a fine afterwards.
She said: “Ofcom will have to consider lots of things such as volume of complaints, degree of harm, measures the company took to mitigate the harm whether they had good compliance measures, etcetera in place. But it’s not ideal. It is huge ambiguity.”
She added, somewhat pithily: “Judging psychological harm is just a minefield.”
The core issue here is another law, not a law defined by an Act of Parliament or Congress, but rather something more akin to a law of human nature or maybe of nature — the law of unintended consequences.
Regulators are trying to do the right thing; the Internet is becoming dangerous, but practice and theory are often quite different.
Turner warns of two levels of effect.
- Actual regulation stopping you from doing something you might otherwise have done.
- Opportunities lost; you might have thought of a creative use of AI, for example, a new way of running your business, but you don’t in case of what might happen.
She said: “There are a lot of good things with the Online Safety Bill, but medium-sized companies or non-specialists may lack core skills and might struggle to comply.”
So, lack of technical skills, at a time of well-publicised labour shortages, might be a key constraint, especially in the digital economy. Furthermore, these technical skills are not lacking in the big techs.
Regulation might be designed with big tech corporations in mind, but it might be the big techs with in-house expertise who can better manage regulations and understand and quantify the risk.
But the pending bills on online safety and digital services might be just the beginning.
Turner speculates that we might see regulations requiring the auditing of AI algorithmic systems, an area the UK government is already considering.
She said: “We have all got used to being audited on our financial position; it is second nature, but we may have to do this on how we use technology in our business; not just internally, but with suppliers.”
These are precisely the areas that big techs are better equipped to deal with.
Hughes warned that the Online Harms Bill “bites on every business using the Internet – and adds regulation to the space where it didn’t exist before. It makes every company responsible for the risks its service represents and makes lots of new activities unlawful.”
The Joint Committee on the Online Harms Bill says: “We recommend the Bill is restructured. It should set out its core objectives clearly at the beginning.”
Hughes said: “The government has deviated from the recommendations by still including ‘legal but harmful’ in the Bill.” The joint committee recommends removing that.
“Many companies have already taken pre-emptive action in advance of this Bill.
“Remember, it’s part of a package of regulations of businesses using the Internet that didn’t exist before, including setting up the digital marketing unit at the CMA, the children’s code, and all the ‘stuff’ coming out of Europe.
“Any business will no longer be able to use the Internet without consideration of these regulations.
“It’s trying to bring the online world in line with the offline world.”
Bank IT compliance: how financial services can stay compliant with regulations — Exploring strategies that can help organisations stay on the right side of the law, meeting regulations and industry-adopted standards.
Global AI regulation? Possibly, and it’s starting in the EU — Lori Witzel, director of research for analytics and data management at TIBCO Software, explores the possible impact of the proposed EU legislation for AI on businesses.
What regulation means for digital interoperability — Following the recent introduction of the EU Digital Markets Act, Dominic Wellington, director of market intelligence at MongoDB, considers what regulation means for interoperability.