In its Online Harms White Paper, the UK government stated that it is considering imposing liability on individual senior managers for major breaches of the new statutory duty of care. It stated that this could involve personal liability for civil fines or could “even” extend to criminal liability. Unsurprisingly, these proposals have been controversial.
In this post I will ask: is it appropriate to impose criminal liability in this context? In a separate post, my colleague Ben Packer considers how the Government’s proposal of civil liability for senior managers compares with the Senior Managers & Certification Regime that applies in financial services.
As I noted in my post on the recent DCMS report, in its initial response to the consultation, published on 12 February 2020, the Government acknowledged that there had been a spectrum of views on appropriate sanctions. It noted that discussions with industry and civil society groups had raised:
- the risk of potential negative impacts on the attractiveness of the UK tech sector;
- concerns that the approach may unduly penalise individuals for content often originating from third parties, who may not be affected by the sanctions; and
- concerns about risks to freedom of expression and the potential impact of censorship associated with enforcement powers.
These are all key issues, but, in relation to criminal liability, a threshold question should also be asked: is it appropriate to impose criminal liability in this context?
Do senior managers deserve the stigma of a criminal conviction?
The Law Commission published a consultation paper in 2010 titled ‘Criminal Liability in Regulatory Contexts’. That paper is now ten years old, but many of the points raised are still relevant today. In that paper the Law Commission states that the criminal law should only be used to deal with those who “deserve the stigma” associated with a criminal conviction because they have “engaged in seriously reprehensible conduct”.
As we flagged here, the focus of the online harms regime will be on the systems and processes that an entity has in place. We don’t know exactly how any related criminal offence would be drafted, but, by way of example: has a nominated senior individual who works at an entity which has put in place no systems and controls to comply with its statutory duty of care “engaged in seriously reprehensible conduct” such that they “deserve the stigma” associated with a criminal conviction?
Many in the tech sector agree that online harms are a serious problem. I would argue that some of those perpetuating such harms online are, indeed, engaging in “seriously reprehensible conduct”. However, this offence targets senior individuals employed at regulated entities which fail to put sufficient processes and controls in place. These entities will often be the ‘host’ of such content rather than the ‘creator’. Linking back to one of the issues which was raised with the government in response to the White Paper, it is here that the risk arises of unduly penalising individuals for content which often originates from third parties. Is the failure to put in place appropriate systems and controls sufficiently reprehensible?
For a specific senior individual to “deserve the stigma” associated with a criminal conviction, that individual must also have been in a sufficiently senior position to fulfil the duty in the first place. Ben Packer considers this issue in his post.
The Law Commission also makes the point that offences created to support the activities of regulatory agencies are often rarely used. It points to the cost, uncertainty and delay involved in pursuing criminal proceedings, in circumstances where the outcome could be little more than a fine, as reasons why such offences are little used. For a criminal offence to have any deterrent effect, it must be used sufficiently frequently to constitute a real threat of sanction. I think that is unlikely, particularly given the limited circumstances in which such a prosecution is likely to be appropriate.
What is Ofcom’s view?
Ofcom, as the regulator which is likely to be granted the enforcement powers, was asked by the DCMS for its views on criminal sanctions during the inquiry stage of the DCMS’s recent report. Dame Melanie Dawes, Ofcom Chief Executive, acknowledged that, while “Criminal sanction for criminal activities is incredibly important”, criminal sanctions are “very serious” and in her view “We would have to know that people are complicit in some way in the harm that is being perpetrated”. She clearly considered the issue to be a question for Parliament. In its report, the DCMS went on to recommend that custodial sentences be available as a sanction under the new regime.
Awaiting the Government’s proposals
The Government’s proposals also contemplate civil liability for senior managers. In his post, my colleague Ben Packer contrasts his experience of the Senior Managers and Certification Regime that applies in financial services with those proposals.
The government’s full response to the consultation is due in autumn. Senior managers at in-scope firms should be keeping a keen eye out for publication.
59. Senior manager liability emerged as an area of concern. Discussions with industry highlighted the risk of potential negative impacts on the attractiveness of the UK tech sector. Further concerns emerged that this approach may unduly penalise individuals for content often originating from other third-parties who would not be adversely affected by the sanctions, unless the regime proposed is able to account for these. With regard to further powers, industry representatives felt that the regulator should fulfill a supervisory function and look to support compliance in the first instance.