Natalia Chi
The Online Security Bill (the “osb extension”) returns to the UK Government’s legislative agenda, this time with a major update relating to the criminal liability of senior managers. Following some political discussions, minor MPs successfully lobbied the government to broaden the scope of criminal liability for top executives of regulated services who fail to protect children online.
A change of approach
We have written previously on the OSB’s proposed narrow scope of criminal liability for senior management. In the previous iteration of the bill, senior executives were only criminally liable if their company failed to adequately respond to requests for information from regulator, Ofcom.
By mid-January 2023, however, the issue of criminal liability of senior management in the OSB had become a hot topic for MPs, and a proposed amendment had won the support of nearly 50 back-level MPs. This amendment would have created criminal liability for senior executives where the regulated service failed to comply with the OSB’s safety duties to protect minors online, and where the offense was committed with a senior executive.”consent or connivance” or if it was “attributable to [their] to neglect”.
Under pressure, the Government confirmed in a declaration on January 17, 2023 that the next draft of the OSB will include an extension of criminal liability for senior management.
What will criminal liability be like in the new OSB?
The amended provisions on the criminal liability of senior OSB leaders have not yet been proposed, but the government statement provides some clues as to what they might look like.
First, the statement confirmed that the updated OSB will introduce accountability for senior management who “have consented or connived in ignoring the executive requirements, risking serious harm to children”. The idea of ”serious damage” is new; the back-benchers’ amendment did not specify the level of damage required to trigger criminal liability. In particular, while “permitted or conniving” is taken from the back-benchers’ amendment, the government statement does not mention “to neglect”.
Secondly, the statement said that the new amendment will build on the Irish Online Safety and Media Regulation Act 2022 (the “Irish law“). Under Irish law, an appointed ‘Online Safety Commissioner’ can determine that a regulated firm has failed to comply with mandatory ‘Online Safety Codes’ and issue a notice detailing the steps the firm must take to rectify the its non-compliance. Senior management may be held personally liable to criminal liability for the company’s failure to comply with the terms of this notice.1
Looking at the provisions of the Irish Act together with the Government’s statement, it appears that the updated OSB can impose criminal liability for senior management only where Ofcom has expressly directed a regulated service to change its conduct and a senior manager is been responsible for the non-compliance by the regulated service.
Analyses
This pending amendment, if it takes the form anticipated by the government’s statement, would represent a substantial change to the OSB, as it would impose criminal liability on senior executives of regulated services who fail to comply with the central tenet of the legislation, which is to protect children online. The OSB had previously planned to impose only civil penalties for such failures.
However, it appears that the limit for personal criminal liability in the OSB will remain high, as the updated draft is likely to focus on the deliberate, rather than negligent, conduct of senior management. Government guidance that personal criminal liability will be imposed when the conduct of the regulated services is committed under the “consent or connivance“of a senior manager mirrors language commonly used in other UK laws, for example the Theft Act 19682the Corruption Act of 20103and the Fraud Act 20064. “Consent and connivance” has previously been interpreted as requiring that the manager knew or deduced the material facts that constituted an offense by the company, and in any case shared the company’s behaviour.5 Other legislation6 included language that also establishes personal responsibility where the criminal conduct of society is “attributable to any negligence” by the senior manager, but the government has suggested that the OSB will not include this language. This indicates that the OSB may aim to target bad actors who deliberately fail to engage with Ofcom in relation to online harm.
As discussed in a previous message, civil fines can often offer a more proportionate and effective sanction than the imposition of personal criminal liability when trying to encourage compliance. The OSB is an important piece of legislation that will break new ground in terms of regulating online services in the UK. Its priority should be to facilitate compliance of regulated services with new far-reaching obligations and to encourage constructive engagement between Ofcom and regulated services. Imposing criminal liability on executives may not be an effective way to do this.
1Section 139ZT(5) of Irish law.
2Section 18 of the Theft Act 1968.
3Section 14 of the Bribery Act 2010.
4Section 12 of the Fraud Act 2006.
5R v Chargot Limited (t/a Contract Services) and others [2008] UKHL 73a [34].
6 See, for example, section 1255 of the Companies Act 2006, section 37 of the Health and Safety at Work Act 1974 and section 341 of the Gambling Act 2005.
