Another instalment of my annual round-up of what is on the horizon for UK internet law [Updated 29 April and 2 November 2022]. It does stray a little beyond our shores, noting some significant EU developments (pre-Brexit habits die hard). As always, it does not include data protection (too big, not really my field).
Draft Online Safety Bill The UK government published
its draft
Online Safety Bill in May 2021. The Parliamentary Joint Pre-Legislative
Scrutiny Committee published its report
on the draft Bill on 14 December 2021. A sub-committee of the Commons DCMS
Select Committee also published a report
on 24 January 2022, as did the Lords Communications and Digital Committee
Inquiry on Freedom
of Expression Online on 22 July 2021.
The government is expected to introduced a Bill into Parliament
by on 17 March 2022. The Bill had its Second Reading on 19 April 2022. Its Report Stage is paused, likely to be recommenced this month. Among many things for which the draft legislation is notable, its
abandonment of the ECD
Article 15 prohibition on general monitoring obligations stands out.
EU Digital Services Act The European Commission
published its proposals for
a Digital Services Act and a Digital Markets Act on 15 December 2020. The
proposed Digital Services Act includes replacements for Articles 12 to 15 of
the ECommerce Directive. Following a vote
in the European Parliament on 20 January 2022, the proposed legislation
will now entered the trilogue stage. Political agreement was reached on 23 April 2022. The final text was published in the Official Journal on 27 October 2022.
Terrorist content The EU Regulation
on addressing the dissemination of terrorist content online will come into
effect on 7 June 2022.
Erosion of intermediary liability shields by omission
One by-product of Brexit is that the UK is no longer bound to implement the conduit, caching and hosting shields provided by the EU eCommerce Directive. The government says that it “is committed to upholding the liability protections
now that the transition period has ended”.
However, implementation of that policy requires every new
piece of legislation that could impose liability on an intermediary explicitly
to include the protections. If that is not done, then, owing to the fact that
the original Electronic Commerce Directive Regulations 2002 do
not have prospective effect, the protections will not apply to that new
source of liability.
Two examples are already progressing though Parliament: the statutory
codification of the public nuisance offence in the Policing Bill (which, following Royal Assent, came into force on 26 June 2022), and the electronic election imprints offences in the Elections Bill (Royal Assent 28 April 2022, not yet in force), neither of which includes the
conduit, caching and hosting shields.
Such omissions have been known in the past, and were cured
by statutory instrument under the European Communities Act 1972. That option is
no longer available. As time goes on, accretion of such omissions in new
legislation will gradually erode the intermediary protections to which the
government is committed.
Law Commission Reports The Law Commission has issued
two Reports making recommendations that are relevant to online speech. The
first is its Report
on Reform of the Communications Offences (notably, recommending replacing
S.127 Communications Act 2003 and the
Malicious Communications Act 1988 with a new harm-based
offence). The second report is on Hate Crime Laws. The
recommendations on communications offences, at least, are being considered for
incorporation have been included in the Online Safety Bill.
Copyright The Polish government’s challenge to Article 17 (Poland
v Parliament and Council, Case C-401/19) is pending was decided on 26 April 2022. Poland argued that
Article 17 makes it necessary for OSSPs, in order to avoid liability, to carry
out prior automatic filtering of content uploaded online by users, and
therefore to introduce preventive control mechanisms. It contended that such
mechanisms undermine the essence of the right to freedom of expression and
information and do not comply with the requirement that limitations imposed on
that right be proportionate and necessary.
The Advocate-General’s
Opinion was delivered on 15 July 2021. It was something of an Opinion of
Solomon: recommending that the challenge be rejected, but only on the basis that
the Directive is implemented in a way that minimises false positives. The
Advocate General also, in a postscript, challenged aspects of the Article 17 guidance
issued by the Commission subsequent to the drafting of the Opinion. The judgment largely followed the Opinion, dismissing the challenge but on the basis of an interpretation of Article 17 that included strict safeguards against removal of lawful content.
Policing Bill The Police, Crime, Sentencing and
Courts Bill has ignited significant controversy over its impact on street
protests, including through its statutory codification of the common law
offence of public nuisance. The potential application of the new statutory offence
to online
speech, however, has gone virtually unnoticed.
Product Security and Telecommunications Infrastructure
Bill An honourable mention for this Bill: a framework for imposing all
kinds of security requirements on (among other things) internet-connectable products.
Back from the dead? The Digital Economy Act 2017 The
non-commencement of the age verification provisions of the Digital Economy Act
2017 has long been a source of controversy. In November 2021 the High Court gave
permission to two members of the public to commence judicial review proceedings. This may now in practice have been overtaken by the inclusion of pornography sites in the Online Safety Bill.
Cross-border data access The US and the UK signed a Data Access Agreement on 3 October 2019, providing
domestic law comfort zones for service providers to respond to data access demands
from authorities located in the other country. No announcement has yet been
made that Agreement has entered into operation. It came into force on 3 October 2022.
The Second
Additional Protocol to the Convention on Cybercrime on enhanced
co-operation and disclosure of electronic evidence is was open for signature from 12 May 2022 and presented to the UK Parliament in July 2022.
State communications surveillance The kaleidoscopic mosaic of cases
capable of affecting the UK’s Investigatory Powers Act 2016 (IP Act) continues to reshape
itself. In this field CJEU judgments will continue to be relevant in principle, since they
form the backdrop to future reviews of the European Commission’s June 2021 UK data protection adequacy decision.
Domestically,
Liberty has a pending judicial review of the IP Act bulk powers and data
retention powers. Some EU law aspects (including bulk powers) were stayed
pending the Privacy International reference to the CJEU. Those
aspects are now proceeding and, according to Liberty, are likely to be in court
in early 2022. The Divisional Court rejected the claim that the IP Act data retention
powers provide for the general and indiscriminate retention of traffic and
location data, contrary to EU law. That point may in due course come before the
Court of Appeal. The Divisional Court gave judgment on the stayed aspects on 24 June 2022. Liberty's claims were rejected except for one aspect concerning the need for prior independent authorisation for access to some retained data.
Investigatory
Powers Act review The
second half of 2022 will see the Secretary of State preparing the report on the
operation of the IP Act required under Section 260 of the Act.
Electronic transactions The pandemic focused
attention on legal obstacles to transacting electronically and remotely. Whilst
uncommon in commercial transactions, some impediments do exist and, in a few
cases, were temporarily relaxed. That may pave the way for permanent changes in
due course.