How we’re preparing to regulate online safety

13 Dec 2021 02:09 PM

Camilla Bustani, Director, International and Ed Leighton, Interim Director, Strategy and Policy at Ofcom, look ahead at our role in regulating online safety and set out the regulatory approaches we might take for this new responsibility.

We’re excited at the prospect of taking on greater responsibilities for helping people lead a safer life online. We’re well into our preparations for this new role and we’re developing relationships with a new set of companies that we haven’t previously regulated.

One of the things we’re thinking about is the extent to which our existing toolkit of regulatory techniques and approaches will need to be adapted to meet the new challenges ahead.

What's in our toolkit

Ofcom sets rules and guidance for a range of very different parts of what constitutes ‘communications’, ranging from telecoms services, to TV and radio, to postal services and how the radio spectrum is used.

Within each of those areas, the regulatory approach we take isn’t necessarily driven by the sector we are looking at. In other words, there isn’t a postal services model, a telecoms model, or a broadcasting model, for example. Instead, we’re able to take a range of different approaches based on the regulatory challenge that needs resolving.

So, how do we do this? We start by establishing a clear view of what we’re trying to achieve. Sometimes that objective is set out specifically by Parliament – the Postal Universal Service Obligation is a good example, where the required frequency of letter deliveries is set in statute.

At other times we have the discretion to balance a range of objectives in order to find the best outcome for people – for example promoting investment in the latest, fastest broadband networks, while needing to ensure affordable prices and fair treatment of customers, to enable people to take up the faster services.

Depending on our objective, we might draw up a prescriptive set of rules which set out how regulated firms should act, and monitor how firms comply with them. Or we might publish information so users of these services can make their own minds up and vote with their feet, encouraging firms to respond to consumer pressure. Alternatively we might establish some high-level principles and guidance and publish best practice for the industry, to which service providers are encouraged to sign up.

Each of these can be called a ‘model’ of regulation, and this is our toolkit. It ranges from very prescriptive models where regulation shapes and sets the standard for industry, through to light-touch models where industry works to set the bar for itself, based on some high-level guidance from us.

What will inform our approach

So, which tools will we use in carrying out our new role in regulating for online safety? In answering this question we will consider factors such as:

• Are we addressing problems with one firm, or a harm / benefit that can come from the whole industry?
• How well aligned are commercial incentives to delivering the desired objectives?
• How severe or urgent are the harms to consumers or audiences?
• How big or systemic are the information asymmetries between us and the regulated sector?
• Are there other legal, skills or capacity constraints that might make some approaches less effective?

Going through these questions, we recognise that the business models of the online platforms are varied, complex and fast-changing – certainly compared to the relatively well-established business models of the telecoms companies and broadcasters we already regulate. At the same time, we acknowledge that online platforms were, broadly speaking ‘born’, and have grown up, fairly free of the kind of regulation they will soon face. A huge amount of what goes on under their bonnets has never been looked at closely, and many of these companies have limited or no experience of being regulated. Information asymmetries exist on both sides.

All of this tells us that hard-wiring prescriptive rules is unlikely to work, as regulation will need to be nimble and will need to respond to changes in products and services, consumer habits and harms.

That means the regulatory regime will need to be iterative. We – both us and the companies we will regulate – will, to some extent, be learning on the job about what works and what doesn’t. In order to learn quickly, and to make sure our regulatory levers remain targeted and proportionate, we will need to draw upon the knowledge of experts, including from academia and civil society, and from other regulatory bodies, as well as from the regulated companies themselves. This is going to be a collective effort.

"Regulation will need to respond to changes in products and services, consumer habits and harms"

At the heart of the new regime will be increasing the transparency of online companies’ businesses and operations for their users and  for us as the regulator. Greater transparency should help empower people to make informed decisions about how they use online services. It should also help us to ensure that the codes of practice we produce are targeted, robust, proportionate, and effective.

Against this backdrop, we anticipate needing an ongoing dialogue with the companies we will be regulating. Placing a duty of care on online companies to make sure their systems promote user safety requires them to take greater responsibility for assessing what is required of them, and this means compliance with the law will be more than a tick-box exercise. Equally, we don’t anticipate there will be a single formula for discharging that duty of care, against which we can judge their performance and hold them accountable. This will need deep engagement on both sides, but it can work if we and the companies are clear about the objectives we are pursuing.

It will be challenging, but we're up for these challenges, and we're looking forward to tackling them together.