The Government has made clear that, under the Online Safety Bill, it intends to hold "senior managers" personally liable for failures of compliance by tech firms. What is less clear, without detailed examination of the Bill, is what this actually means.
We set out below what the senior managers regime entails, i.e. who will be liable for what and how they will be punished. We then consider the additional, little-discussed personal liability that will be introduced under other sections of the Bill.
In brief, the Bill as currently drafted introduces potential criminal liability for senior managers and other officers and employees of in-scope companies for a number of different acts and omissions. Most of these are information offences, such as destroying information that has been requested by Ofcom. However, an amendment has been tabled, which the Government has indicated that it will support, which will introduce personal liability in relation to a corporate breach of the duty to protect children online.
While we do not expect Ofcom to immediately start taking action against individuals, it is important for officers and employees of in-scope companies to understand this liability and consider what steps they should take to ensure personal as well as corporate compliance with the Bill. Given that the Bill is likely to become law in the Autumn and, in our view, it is unlikely that there will be further changes to sections relating to personal liability (other than the introduction of the amendment mentioned above), now is the time to start considering this issue.
Liability of senior managers
One of Ofcom's many powers is to issue an "information notice" to a regulated entity (as well as to other entities that support regulated entities) requiring that entity "to provide them with any information that they require for the purpose of exercising, or deciding whether to exercise, any of their online safety functions" (clause 91).
Under clause 93(2), where the provider is a regulated entity, "OFCOM may include in the information notice a requirement that the provider must name, in their response to the notice, an individual who the provider considers to be a senior manager of the entity and who may reasonably be expected to be in a position to ensure compliance with the requirements of the notice".
Clause 98 sets out the following offences for service providers with regard to information notices: (a) failing to comply with the notice, (b) knowingly / recklessly providing false information, (c) intentionally providing encrypted information which OFCOM cannot understand, and (d) intentionally suppressing, destroying or altering information.
Clause 99 states that the senior manager also commits an offence if the entity commits one of the offences in clause 98 and the individual has failed to take all reasonable steps to prevent it. Clause 102 sets out the penalties: some of the offences can include a maximum term of two years' imprisonment and/or a fine.
Perhaps most significantly, an amendment to the Bill has been tabled by the Government creating a new offence which captures instances where senior managers, or those purporting to act in that capacity, have consented to or connived in ignoring enforceable requirements, risking serious harm to children. The offence will be punishable with up to two years' imprisonment.
In contrast to the other offences mentioned above, which relate to Ofcom's powers to require the provision of information, this amendment introduces personal liability in relation to one of the Bill's core purposes: protecting children online. It is here that we expect the greatest pressure will be put on Ofcom to take action against individuals.
Liability of other individuals
Clause 178 – entitled "Liability of corporate officers for offences" – states as follows: "If an offence is committed by a relevant entity and it is proved that the offence— (a) has been committed with the consent or connivance of an officer of the entity, or (b) is attributable to any neglect on the part of an officer of the entity, the officer (as well as the entity) commits the offence and… is liable to be proceeded against and punished accordingly." The definition of "officer" is broad: "a director, manager, associate, secretary or other similar officer, or… a person purporting to act in any such capacity".
Examples of offences for which "officers" could be held personally liable include:
- Clause 100: a service provider commits an offence if it (a) fails to comply with an audit notice without reasonable excuse, (b) knowingly or recklessly provides information in response to an audit which is false in a material respect, or (c) suppresses, destroys or alters information with the intention of preventing Ofcom from being provided with the information as it was before the alteration. Paragraph 102(2) sets out the penalties (which can include a term of imprisonment).
- Clause 101: a service provider commits an offence if they intentionally obstruct or delay the regulator when seeking to take copies of documents produced as a result of an information notice. Again, paragraph 102(2) sets out the penalties (which can include a term of imprisonment).
- Clause 96: Ofcom has the power to require an individual, including an officer, partner or employee of a service provider, to attend an interview and answer questions. Paragraph 101(2) and (3) make it an offence to refuse to comply or to provide false information (knowingly or recklessly). Paragraph 101(3) states that this offence is punishable by a fine.
Parallels with Health and Safety Legislation
The new duties created by the Bill, which are to be met by these newly identified dutyholders – service providers and senior managers/officers – mirror the 'senior manager/director' offence that currently exists under UK health and safety (H&S) legislation. The respective H&S regulator can:
- Impose notices if they believe a person has contravened a relevant statutory provision (sections 21 and 22 of the Health and Safety at Work etc Act 1974); and
- Hold senior officers of an organisation accountable for failing to mitigate risks to the health and safety of relevant persons, by committing an offence due to their "consent, connivance…or attributable to their neglect" (section 37 HSWA).
We can look at how matters are currently dealt with in the health and safety environment to anticipate the potential impact of the Bill on the new dutyholders: a failure to comply often results in a criminal prosecution, with a maximum penalty of an unlimited fine and/or up to 2 years' imprisonment.