The criminal law has long been used to give regulatory schemes teeth. In recent years there has been a heightened focus and demand in some quarters for senior managers in regulated industries to face personal investigation and meaningful criminal sanctions, including the threat of prison sentences.
The Online Safety Bill (currently at the Committee stage in the House of Lords) is the latest example. If enacted, it will impose criminal liability on senior managers as a means of encouraging corporate compliance with the duties created by the proposed online regulatory framework. But is holding senior managers criminally liable for their organisations’ regulatory failings the right approach in the field of online safety?
The proposed regulatory regime
At present, most providers offering online user-to-user and search services operating in the United Kingdom (UK) are not subject to any regulation concerning user safety. The Bill proposes a new statutory duty of care, supported by a regulatory framework, to make these providers responsible for the safety of their users and to tackle harm caused by content or activity made available on their services.
This regulatory framework will be enforced by an independent regulator, The Office of Communications (Ofcom), and will apply to providers that allow their users to discover user-generated content or interact with other users online.
The Bill gives Ofcom the power to compel providers to disclose information and to require an individual from the provider to attend an interview; powers of entry and inspection; and the power to require a provider to undertake, and pay for, a report from a skilled person.
In respect of non-compliance, Ofcom will also have the power to impose enforcement notifications (which may set out the steps required to remedy a contravention) and financial penalties of up to £18 million or 10% of qualifying worldwide revenue, whichever is greater.
In the most serious cases of non-compliance, Ofcom will be able to seek a court order imposing business disruption measures, which may require third parties (such as businesses offering payment or advertising services, or Internet Service Providers) to withdraw, or impede access to, the services they supply to the non-compliant providers.
As the Bill currently stands, only named senior managers of the non-compliant providers can be prosecuted in respect of a failure to respond to Ofcom information notices. When an information notice is issued to a provider, Ofcom will be able to require the provider to name a senior manager responsible for complying with the notice.
The named senior manager, as well as the provider itself, would commit a criminal offence if the provider did not comply with the notice and the named individual had not taken all reasonable steps to make sure the provider did not commit that offence (clause 99).
This use of criminal powers was considered an essential step even in the early stages of the Bill’s passage through Parliament. During the House of Commons Committee stage, reference was made to “previous examples of large social media firms withholding information and simply paying a large fine.”
There was particular concern about the 2021 Competition and Markets Authority (CMA) case relating to Facebook’s failure to provide information, despite it being repeatedly requested over an extended period, which ultimately ended in Facebook paying a £50 million fine rather than providing the information.
Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport Chris Philp stated: “Let me put on record now that that behaviour is completely unacceptable. We condemn it unreservedly. It is because we do not want to see that happen again that there will be senior manager criminal liability in relation to providing information, with up to two years in prison.”
Extending senior manager criminal liability
Until the early part of 2023, the criminal liability of senior managers under the Bill was limited to the provider’s compliance with information notices.
However, by January of this year, nearly 50 backbenchers were supporting a proposed amendment that would create criminal liability for senior managers where the provider had failed to comply with child protection safety duties, and where the offence had been committed with a senior manager’s “consent or connivance” or if it was attributable to their “neglect”.
This backbench rebellion appears to have forced the government into announcing, on 17 January 2023, that the next draft of the Bill would include an expanded form of criminal liability for senior managers.
Arguments for and against wider ranging criminal offences
Those in favour of extending senior manager criminal liability argue the following. If the only sanction available to Ofcom is a financial penalty, then there is a risk that big tech companies will treat the fine as a cost of doing business and carry on acting in a non-compliant way.
In order for the government to hardwire the safety duties directly into the management of regulated firms, and to enforce the delivery of a culture of compliance, the Bill must be strengthened to promote cultural change and embed compliance with safety regulations at board level.
The only way for the Bill to ensure that this is done, and to have any real “bite”, is if senior managers are forced to take personal responsibility. If their company fails to meet the expectations required of them, then the individual risks prosecution and the possibility of a custodial sentence. This, say those in favour of enhanced criminal offences, will incentivise senior management to take all reasonable steps to ensure compliance with the regulatory regime.
On the other side of the argument are those who are concerned that criminalising senior managers will unduly penalise individuals for the availability of content that normally originates from third parties outside their companies (who may not themselves face sanctions).
There are concerns that senior managers, faced with criminal liability, might adopt an over-zealous approach to their duties, restricting freedom of expression. There is also the very real problem of putting criminal offences onto the statute book that may have the appearance of being an effective deterrent, but which prove near impossible to prosecute.
Without the real risk of rigorous investigation and prosecution, the deterrent effect will never be realised in practice. Arguably, it would be much more effective to provide that Ofcom should name the Chief Executive of a provider (or the most senior board director or senior manager resident in the UK) rather than requiring the entity to choose a senior manager for itself.
At present, under clause 93(2) of the Bill, the provider can be required to name a senior manager “who may reasonably be expected to be in a position to ensure compliance with the requirements of the notice.” This gives far more discretion to the provider than should be necessary and may too easily lead to entities avoiding the risk of prosecution for the most senior executives.
Establishing an effective regime of regulation based on breaches of statutory duties has been shown to be possible in the field of health and safety; the regulatory framework of the Health & Safety at Work Act 1974 has stood the test of time. There are other successful examples relating to environmental protection and company law.
The differences between those situations and the challenge of regulating online service providers are manifold: the global scale of the big tech organisations involved; their dominant economic and supra-national political power; the multiple jurisdictions in which they operate and process data; and the expectation that they could effectively police the private use of the internet by billions of global users.
This is manifestly not equivalent to expecting companies to introduce adequate procedures to prevent bribery by “associated persons”, or the burden on regulated professionals to report suspicions of criminal activity arising in the course of business in the regulated sector. The anti-bribery and anti-money laundering regimes focus on situations where there is a much greater and more logical commercial proximity between the relevant parties.
In the online world, service providers do not have that same proximity or commercial relationship with their users. A comparison could be made with telecommunications offences relating to malicious communications. Telephone companies are not criminally liable for a failure to prevent a malicious, menacing or indecent communication by one of their customers.
Whilst agreeing to revisit senior manager criminal liability, the government does not appear to be willing to go as far as the backbenchers want it to.
Michelle Donelan, Secretary of State for Science, Innovation and Technology, declared: “We are committed to ensuring that children are safe online […] so will work to table an effective amendment in the Lords. This amendment will deliver our shared aims of holding people accountable for their actions in a way which is effective and targeted towards child safety, whilst ensuring the UK remains an attractive place for technology companies to invest and grow […] we intend to base our amendment on the Irish Online Safety and Media Regulation Act (2022) which introduces individual criminal liability for failure to comply with a notice to end contravention.”
If this approach is adopted, it will be a half-way house. Once again, criminal liability will arise from a failure to comply with a form of written notice.
Under the Irish legislation cited, an appointed “Online Safety Commissioner” can determine that a regulated company has not complied with binding online safety codes and consequently issue a notice specifying the steps that the company must take to rectify its non-compliance. Senior managers can be held personally criminally liable for the company’s failure to comply with the terms of such a notice.
If, as suspected, the Bill’s approach is amended to mirror the Irish example, it will be interesting to see if it is sufficient to hold the backbench rebels at arm’s length.
There will be those who say that the proposed approach is inadequate in that it only imposes criminal culpability on individuals once they (or more accurately their companies) have already failed to comply with the regime.
Others will say the approach is proportionate and that, especially in the early stages of implementation, senior managers should be told if they are making errors and given the opportunity to remedy them without facing criminal liability.
It is easy to bang the political drum in favour of locking up tech executives but much less easy to nail down the precise nature of the conduct to which criminal culpability would (and should) apply.
The failure to prevent model is not transferable to the online regulation model; there has not yet been any form of individual criminal liability based on failure to prevent, which has so far been restricted to corporate entities. There is an attraction to adopting a regime comparable to that of other countries, such as Ireland.
Ultimately, however, there needs to be a global and harmonised approach to the problem of regulating the internet. Draconian laws passed in one country will not necessarily produce the desired solution.
It is right that the criminal law gives regulatory regimes teeth. But if those teeth are over-sharpened, there is a real risk that they will create a culture of censorship, and that businesses will be driven from the UK into jurisdictions where unscrupulous approaches to online safety flourish in a culture of impunity.
 There is also a range of other linked information notice offences, such as providing information in response to such a notice that is false and misleading, or in an encrypted form so that Ofcom is unable to understand its contents, or suppressing or altering information that responds to the Notice’s requirements.
 Hansard – Column 217
 Which would be OFCOM in the UK