Trust at risk: Who's accountable for the online safety gap?

When rights collide: Why is online safety so difficult?

“We’re looking for cultural change that puts safety at the heart of business decisions from the start, but freedom of expression and competition will of course remain vital,” says Elizabeth Holloway, legal director at UK communications industry regulator Ofcom.

So, how best to balance opposing, fundamental rights? It is a tension which has made online safety an invidious topic central to debates around technology, public safety and individual freedom.

"In the end, there is no separation between online safety and real-world safety, or between online harm and real-world harm," argues Garth de Klerk, CEO of South Africa's Insurance Crime Bureau. "There's little consensus on how to achieve online safety and the issue is a political battleground, with critics citing liberty and privacy concerns. Tech firms are squeezed between protecting vulnerable users and defending others' freedoms."

Political and social differences between countries further exacerbate the problem, with jurisdictions such as the UK, EU and Australia implementing more interventionist regimes compared with the laissez-faire approaches adopted in the US. “Technology might be the same everywhere, but national laws reflect unique local challenges and diverse societal standards on speech and safety, which are themselves subject to change," notes Google’s international head of legal Yoram Elkaim.

Adding to the complexity is the pace at which digital platforms and technologies evolve. Traditional regulatory approaches often struggle to keep up with new features, formats and behaviours. At the same time, tools designed to enhance online safety such as content scanning, hash matching and automated moderation are also advancing rapidly, raising fresh questions about effectiveness, privacy and accountability.

While these challenges are not new for global tech companies well accustomed to navigating local differences and some sections of the industry, such as ecommerce platforms, may even benefit from regulations that increase user confidence. However, the industry remains instinctively averse to regulatory limitations such as age verification and wary of content moderation, which can prove difficult to enforce and is fraught with reputational risk.

Online safety around the world

Companies worldwide face a patchwork of online safety regulations. Even within the EU, the bloc's Digital Services Act sits atop differences in legal code and policy between member states. Similar tensions are present in Asia, with marked regulatory differences across Singapore, China, Thailand and Indonesia.

Meanwhile, companies must also be aware of the interplay between federal and state law in the US, says HSF Kramer's New York-based litigation lawyer Nick Tonckens. “Federal legislation focuses on child protection via the Children’s Online Privacy Protection Act, but the breadth and depth of state level regulation is far more complex. Some states have introduced requirements for age-appropriate design, while others require age verification or parental consent.”

However, the differences are more striking than the similarities, says Michelle Virgiany, corporate lawyer at Hiswara Bunjamin & Tandjung, HSF Kramer's associated firm in Indonesia: “Different governments have identified broadly similar areas of concern – it's the responses and mechanisms that are very different."

Even where regimes have similar emphasis, their definitions, requirements and penalties can vary significantly. Key differences include:

• Legal basis: Jurisdictions with dedicated laws include the UK’s Online Safety Act, the EU’s Digital Services Act and Australia’s Online Safety Act. Examples of adapted laws include Thailand’s Computer-Related Crime Act and Indonesia’s Electronic Information and Transactions Law which is supplemented by an implementing Government Regulation on Online Child Protection. Countries like Germany, Singapore and China have several relevant laws, while South Africa features a mix of regulation and voluntary codes.
• Requirements: These range from hard controls which include age verification to qualitative measures such as content moderation. Some regimes use reactive tools like take-downs, while Singapore and Australia expect proactive harm prevention. Elsewhere, the UK has introduced a duty of care for in-scope providers. Though all regulations address illegality, each has its own view of legal harms like cyberbullying. Many jurisdictions also have specific prohibitions such as deepfakes (Spain), hoaxes (Indonesia), and violating lèse-majesté (Thailand).
• Implementation: Some regulations were developed with little or no industry input, while other regulators consult on implementation or issuing user guidance. Australia is taking a co-regulatory approach, with industry involvement in drafting mandatory codes of practice.

The global picture is also complicated by overlapping frameworks. “Extra-territoriality is a defining feature of most online safety regulation,” explains Paris-based HSF Kramer corporate TMT partner Emmanuel Ronco. “The focus on user location rather than company location is quite exceptional.”

What are the online safety risks for business? 

The complexity of global online safety regulation creates a twofold risk: the difficulty of achieving 100% compliance in every market and the rapid evolution of regulatory perimeters opening opportunities for claimant firms and funders to pursue perceived breaches.

Companies need a targeted, risk-based response to avoid stumbling into a pitfall. The greatest sources of vulnerability are:

• High water mark: The tech industry is familiar with the ‘Brussels effect’. In theory, adopting the most stringent standards – such as those of the EU, UK or Australia – could offer a degree of immunity in other markets. In practice, local differences and the penalties for non-compliance mean this approach would create as many legal risks as it removes. Companies also risk putting themselves at a competitive disadvantage. “A single global approach is really not going to work in this field,” adds Brady.
• Bottom up: Conversely, a granular approach with dedicated design and operations for every major jurisdiction can be adopted. But as Justina Zhang, HSF Kramer Kewei China TMT partner, points out, “the costs of building bespoke solutions in dozens of markets are prohibitive." Moreover, totally separate national frameworks are incompatible with tech operating models for services like messaging or social media.
• Pick and choose: In rare cases, specialist tech firms may opt to withdraw entirely from certain high-risk jurisdictions. However, loss of revenues and reputational risks make this a last resort. Despite their public criticism of regulation, tech companies typically prefer a dual strategy of aiming for compliance while lobbying for carve-outs or lighter enforcement.
• Hub and spoke: For many companies, a hybrid approach based on comprehensive regulatory mapping provides the most pragmatic balance between efficiency and risk management. “This top-down approach leverages compliance in leading jurisdictions like the US and EU into the secondary market,” explains HSF Kramer's Johannesburg-based competition Of Counsel, Sandhya Foster. “It then uses gap analysis to identify the minimum required changes to achieve local compliance.” Meanwhile, geo-blocking can be used to try to enforce access controls, or to disable selected functionalities.

How can companies adapt to online safety?

Tech companies are accustomed to regulation, but the proliferation of online safety law is accelerating the industry’s transition into a world of closer supervision. That is why tech firms need to adopt a more proactive compliance mindset. It is also why companies are investing in specialist talent and developing the back-end links between systems required to generate real-time reporting on alerts, complaints and responses.

However, it is still common to see piecemeal or ad-hoc approaches pushing up costs without transforming compliance. Companies need several practical elements to successfully achieve global online safety compliance week-in, week-out, while preserving flexibility and innovation.

There is no single way for tech companies to build practical online safety compliance frameworks. Firms must devise an approach that suits their business models and can adapt to ongoing changes in regulation and technology. A dynamic, iterative approach is key, stresses Altini: “Ongoing adaptability is just as important as point-in-time judgements.”

How will online safety develop? 

“Governments are only beginning to make the online world safer,” notes Virgiany. “We’re just at the start of the process.”

Many online safety regulations are so new that their impact is far from clear. In countries such as the UK and Australia, regulations are still not fully implemented. In most jurisdictions, regulatory decisions are yet to be tested. This is the case in the US, according to HSF Kramer's Silicon Valley-based data protection lawyer Austin Manes: “We’ve seen some district court decisions on new legislation, but the appeals process is not yet concluded. Questions over scope and statutory interpretation remain largely untested in the courts. The law in this area is definitely not settled.”

Legislation will also continue to be enacted. “Static legislation is quite ill-suited to the online safety space, given the nature of content and the web,” says Jenny Duxbury, director of policy, regulatory affairs and research at Australian industry association Digital Industry Group. In Australia, the Online Safety Amendment (Social Media Minimum Age) Act showed a readiness to amend even very new laws. In the US, a bipartisan package which could establish a social media duty of care is currently before the Senate. “This is about a dialogue between technology and law, and that dialogue is more intense than ever " says Google’s Elkaim.

International co-operation will continue, especially on child protection. This includes informal knowledge sharing, formal engagement via supervisory colleges, and agreements like the Joint Ministerial Declaration by the G7 and EU on internet safety principles and the bilateral agreements between Australia and the UK pledging closer co-operation on online safety. “Cross-border consultation provides the best chance of future convergence,” adds Duxbury.

Even so, there is little sign of this engagement leading to greater cross-border consistency, let alone practical convergence. Laws and regulations cannot be separated from their local context, and this subjectivity suggests differences will persist. “There may be similar positions in certain areas,” comments Zhang. “But fundamentally the differences are cultural.”

In the long term, the sharing of best practice between governments and companies could foster greater alignment on the fundamental principles of online safety. Over time, the evolution of enforcement should also contribute to common regulatory expectations. However, true harmonisation could take decades. “It’s just too early to talk about genuine convergence,” cautions HSF Kramer's Brussels-based regulatory partner Morris Schonberg.

For the foreseeable future, the most likely outcome is that convergence in certain areas will be offset by divergence in others – leading to persistent cross-border fragmentation. “Convergence or divergence? It could be both.” concludes Brady.