The UK’s Online Safety Bill: what are the risks to human rights?

When the European Commission published its proposal for a new Digital Services Act at the end of last year, its 74 Articles over 70 pages made it the longest and most comprehensive proposed piece of content regulation to date.

That honour now goes to the UK’s draft Online Safety Bill, which comprises 141 clauses and 5 schedules over almost 150 pages. The length and complexity of the proposed legislation reflects the breadth of the UK government’s ambition: to address not only illegal content, but also content which is “lawful but harmful” to adults and children, as well as to establish a comprehensive oversight and enforcement mechanism.

Our blogpost, published last week, highlights the main concerns that we have over the draft Bill’s potential impacts on freedom and expression of privacy. These concerns are wide-ranging and include:

• The pressure the legislation would place on large platforms to remove legal but “harmful” content, which is only vaguely defined;

• The breadth of types of illegal content against which platforms will be expected to take action, going far beyond categories such as child sexual abuse imagery to messages which are merely “grossly offensive”, “indecent” or “obscene”;

• The absence of any meaningful safeguards to ensure that encrypted and private communication platforms are not subject to the same monitoring requirements as public platforms;

• The requirement for large platforms to make sure that they do not remove “content of democratic importance” (even though it is sometimes political figures who incite violence on social media);

• The narrowness of protections for “journalistic content”, which are largely limited to UK-registered news publishers (at the same time, the draft Bill’s wording would mean that the same words would be protected if contained within a news article, but not if an individual posted them).

We’re not alone in this. Responses from other civil society organisations (including Big Brother Watch and Open Rights Group) as well as legal academics and practitioners (such as Dr Edina Harbinja and Graham Smith) also highlight the risks that the draft Bill would pose to human rights. With the UK Parliament now establishing a committee to scrutinise the legislation, we hope that these concerns are taken into account.
 

Other news

• May also marked the Second Anniversary of the Christchurch Call, under which governments and tech companies committed to eliminate terrorist and violent extremist content online. At the Second Anniversary Summit, Croatia, the Czech Republic, Estonia, Peru, Slovakia, Tunisia and (in a change of position from the previous administration) the United States all joined as supporters. The governments and companies involved have committed to further key actions in four areas: building the Call Community, strengthening its crisis response capability, promoting greater transparency from governments and companies, and better understanding the role that algorithms play in radicalisation. As a member of the Christchurch Call Advisory Network, we welcome the continued commitment to “to uphold international human rights law and fundamental freedoms online as well as a free, open and secure internet”. For a fuller analysis of where things stand, take a look at this assessment from Courtney Radsch.
• The Global Network Initiative (GNI)'s newsletter is a great resource for those following debates around online harms and content regulation. Sign up here, and visit the archive to read previous issues.

A busy month for cyber at the UN

In last month’s Digest we predicted a busy May for UN Cyber diplomats, and it was—with important developments at both the Group of Governmental Experts (GGE) and the UNGA Third Committee’s Ad-hoc Cybercrime Committee.

The big news at the GGE was the adoption of its consensus report last week, an outcome that was by no means guaranteed (the last GGE didn’t manage it). While the report isn’t yet public, we’ve heard that it includes guidance on the implementation of GGE norms—a longstanding ask from many stakeholders, including GPD. Importantly, it also affirms the applicability of international humanitarian law in cyberspace, which was a main sticking point in the last GGE, and something the just-concluded Open Ended Working Group (OEWG) process had to skirt over due to lack of agreement. We’ll reserve judgment until we read the full report. 

Over at the Third Committee, the cybercrime grouping’s first round of discussions got off to a decent start. A Chair was elected (H.E Ms. Faouzia Boumazia Mebarki from Algeria) along with 14 Vice-Chairs. Member states then approved a list of international organisations that can participate as observers. Initial disagreements over location and the level of non-governmental involvement were later worked out in informal, “closed door” coordination between diplomats, and the resulting modalities are more open and transparent than those at the OEWG. Importantly, they make it more difficult for states to ban “non-ECOSOC accredited” NGOs from discussions—which should avoid a repeat of the mass exclusions of civil society we saw in that process.

As Human Rights Watch and others have argued, meaningful participation by NGOs in cyber discussions is crucial. Without it, the kinds of cybercrime measures we routinely see adopted at the national level which undermine human rights could be mirrored at the global level, with potentially grave consequences for the rights to freedom of expression and privacy.

Other news:

• The OEWG has just had its organisational meeting, but decisions on the setting up of its “thematic sub-groups” and stakeholder modalities remain unknown. (See Reaching Critical Will's in-depth overview for more). We do know that the first substantive meeting will take place from 13-17 December this year, and that the aim is to have it fully in-person. The tone from the floor was encouraging, with most states supporting more open modalities this time. Whether this is reflected in the modalities adopted, and in practice, remains to be seen. 

• Stakeholder engagement was also on the agenda at a Chatham House event last month, where a range of participants—from civil society, industry and government— reflected on the previous OEWG, and looked forward to the next one. Lots of good points were made around the important role of civil society in both discussions and norm implementation. Watch a recording here.

• The co-sponsors of the proposed UN Cyber Programme of Action (PoA) also met to discuss next steps. While it wasn’t an open event, we’ve heard that many of the co-sponsors voiced support for formalised opportunities for stakeholder engagement. A resolution to set up the PoA will likely be drawn up over the coming months, and presented at this year’s General Assembly.

Responses to the EU’s Artificial Intelligence Act

While April saw a lot of movement on a wide range of AI-related processes at different international forums, May has proven somewhat quieter. 

Sneaking in at the end of April, however, was the EU’s draft Artificial Intelligence Act. See our first thoughts on the proposals here, and read the responses from our friends at ARTICLE 19, Access Now and EDRi.

Listening post

Your monthly global update, tracking relevant laws and policies relating to the digital environment.

On the online content front, a few important updates:

• Ireland's Human Rights and Equality Commissioner has called for specific legislation to deal with online hate crimes, following the recent introduction of a hate crimes bill;

• Germany’s proposed amendment to the Network Enforcement Act (NetzDG) has attracted opposition from civil society;

• Russia’s internet regulator ramped up demands for companies to remove content deemed illegal or restore blocked material;

• The European Commission, under the scope of the Digital Service Act (DSA), is to propose a common definition of hate crime later this year. 

On trust and security, Kiribati and South Africa have both approved cybercrime bills. The UK has also announced plans to review its cybercrime legislation by holding an open consultation on the Computer Misuse Act 1990. 

Elsewhere, proposed amendments to the ICT Law in Mauritius and the publication of the UK’s Online Safety Bill have raised concerns about the future of end-to-end encryption.

On emerging technologies, the Australian government has announced the establishment of a new $50 million National AI Centre to coordinate Australia’s AI expertise and capabilities and drive adoption of the technology.

New data protection laws were passed in Germany and Ecuador, both of which are based on the EU’s General Data Protection Regulation (GDPR). In El Salvador, the Law on the Protection of Personal Data—recently passed by the Economic Commission’s Legislative Assembly—was vetoed by the President and sent back to the Legislative Assembly for further consideration.