With governments mandating national regulators to create and enforce new rules primarily aimed at protecting children without impeding freedom of speech, innovation or investment in new technologies, businesses have been left to navigate a myriad of competing obligations.

It has proved a difficult balance, with critics vocal in citing liberty and privacy concerns as tech platforms take steps to protect against online harms. But much of the debate has centred on discrete parts of a broadening global regulatory environment and businesses must be proactive in avoiding the concomitant risks with enforcement actions underway: Ofcom has already opened 21 investigations and issued fines for non-compliance.

As part of our Code≠Law series exploring the evolving field of technology regulation, we explain how to protect your business from the growing risk of disputes arising from online safety, and how challenges might be an important tool for affected companies.

How can companies mitigate the disputes risk?

While debates around some of the specific requirements of online safety legislation intensify, there has already been a flurry of government and regulatory activity across many jurisdictions. In Australia, which unlike the UK has a standalone, specialist online safety regulator, the response from business has been largely proactive and constructive, with some notable exceptions.

"There has been a focus on a proactive engagement strategy and trying to develop a strong regulatory relationship with the eSafety Commissioner as a means to mitigate litigation risk," says Sydney-based regulatory disputes partner Mark Smyth. "There are some exceptions, including various merits and judicial review challenges launched by X Corp and Telegram against the eSafety Commissioner. But generally, the trend has been implementing systems and processes to allow companies to respond positively to regulatory engagements with the Commissioner."

Generally, the trend has been implementing systems and processes that allow companies to respond positively to regulatory engagements with the Commissioner.”

Mark Smyth
Partner, Sydney

A similar approach has been adopted in the UK, where Ofcom has been charged with turning the landmark Online Safety Act legislation into workable regulation. Companies with sufficient exposure have built dedicated teams of full-time staff and are engaging with Ofcom voluntarily and via compulsory requests for information. But enforcements are also underway, says London-based public law and regulatory disputes partner James Wood: “The regulator has kicked off a number of enforcement actions and they're clearly taking a very proactive approach to checking in with what all platforms – big and small – are doing here. Moving forward, we will see this trend of enforcement action increase and intensify as the regime beds in.”

Ofcom has expanded its team considerably in the last couple of years in preparation for this task. But for businesses with a global footprint, the challenge will be remaining compliant with online safety across multiple jurisdictions, where the territorial and regulatory scope of rules can vary significantly.

"It's another example of where we would recommend early engagement, both in terms of understanding the new obligations platforms are under and also in building a good relationship with the regulator," adds Wood. "That good relationship may assist in helping to understand and meet the current requirements, potentially help shape future developments and ensure companies in the best position should there be any regulatory investigation or action."

Companies have also made efforts to ensure their technology can adjust to geographic differences, such as age-gating in the UK but not in jurisdictions where it isn't required.

While the general approach from business has been voluntary engagement with online safety regulation, there have also been high-profile challenges, with some tech companies arguing certain regulators have overreached.

The most notable examples have come from X Corp, which has challenged the Australian eSafety Commissioner on the validity of enforcement decisions, the applicability of the regulatory regime to social media companies, and on the demarcation of freedom of speech from hate speech in online safety.

"These have been judicial review type actions arguing the commissioner has overstepped the bounds of her powers," explains Smyth. "There has been some success in those actions: last year the eSafety Commissioner was purporting to have extraterritorial reach when it came to people accessing the X platform in foreign jurisdictions, but that was found to be beyond the eSafety Commissioner’s statutory powers in the circumstances of the case."

Similarly, avenues exist in the UK for companies to challenge an Ofcom decision both during and after the process, with such routes a legitimate and necessary backstop to ensure regulators are acting proportionately and within the remit of legal frameworks.

There is a reasonably high hurdle for a successful challenge against a regulator but there are established legal mechanisms which provide checks and balances,” says Wood. “Companies must be rightly cautious before starting legal challenges, but those within the scope of the regime should hold regulators to account if they think they are overstepping or they're pushing the edges of what a regulator can lawfully do.”

Companies must be rightly cautious before starting legal challenges, but those within the scope of the regime should hold regulators to account if they think they are overstepping or they're pushing the edges of what a regulator can lawfully do.”

James Wood
Partner, London

Specifically, companies should consider whether the regulator has been consistent with the existing legal framework, acted fairly and considered all views, and been proportionate. If there is uncertainty about interpretation of a legal provision or questions of disproportionality, then a company can consider a legal challenge.

The outcome of such challenges in nascent regulatory regimes are shaped by precedent: though the High Court dismissed Wikimedia’s challenge to Online Safety thresholds in August, the judgment left open the possibility of future challenges. Meanwhile, companies can also learn from challenges by services providers against regulators under the Digital Services Act.

“As we move forward, we will see more challenges where companies seek to hold the regulator to account,” adds Wood. “Companies will want to make sure the decisions regulators have taken are proportionate to the regime and lawful.”

What are the risks of private actions?

The Online Safety Act in the UK does not grant users rights of action against non-compliant platforms, unlike for example the rights granted to data subjects by the GDPR. So, does that mean there is no risk of private actions arising out of online safety?

"Unfortunately not, as we know there are claimant lawyers and funders closely watching this space," warns London-based disputes lawyer David Shepherd. "In particular, given the large number of users of some platforms, we can expect to see efforts to try and build a class action out of any breaches of new regulatory obligations."

To mitigate the litigation risk, platforms should keep that risk in mind throughout their work in this space. If a regulatory investigation leads to an adverse finding and enforcement action, claimant firms may well look to that as a springboard for a private action.

Given the large number of users of some platforms, we can expect to see efforts to try and build a class action out of any breaches of new regulatory obligations.”

David Shepherd
Senior Associate, London

How will the regulation develop?

Much of the online safety regulation seen around the world has been developed as the power of technologies such as AI have grown. Given the urgency of the task laid down by governments and the pace of technological change, regulators are looking for ways to develop frameworks which are suitably robust and adaptable.

Australia has tried to develop a broad piece of legislation which delegated the building of regulatory codes to the eSafety Commissioner in conjunction with industry. Lawmakers hoped the approach would make for a framework adaptable to constant change.

"There are differing views on how effective that is," says Smyth. "It provides flexibility and the ability to adapt but it gives a lot of discretion to Commissioner. There is also uncertainty regarding the application of the codes to different products and services. These two things in combination have contributed to the merits and judicial review challenges alleging overreach that we’ve seen in Australia."

The debate will continue. But governments around the world have committed to online safety policy and many businesses will find themselves wrestling with how to stay compliant – often across multiple jurisdictions.

"The Online Safety Act is a huge piece of legislation which will result in a plethora of new requirements. and that will take some time to develop and bed in,” concludes Shepherd. "Clients should engage with this in the same way they would with any new piece of regulation, whether they're in the central focus of it or if it only slightly touches part of their business."


Tech regulation

View our tech regulation insights

Stay in the know

Receive timely insights and briefings from HSF Kramer, tailored to keep you informed and ahead

Subscribe now
Europe Middle East Africa Australia Americas Asia TMT disputes Technology, media and entertainment, and telecommunications Outsourcing Technology transactions Digital business Media, entertainment and sport Telecommunications Tech Regulation Artificial Intelligence Online safety Technology, Media and Telecoms AI and Emerging Technologies Digital Transformation Emerging Technologies Mark Smyth James Wood Christine Wong David Shepherd