The Online Safety Bill is still before Parliament but likely to pass during 2023, at which point detailed codes of practice will be issued by Ofcom. In anticipation of the legislation and Ofcom’s new duties, the ICO and Ofcom have published a Joint Statement, setting out their shared ambitions for digital regulation. MOW welcomes the publication and, in particular, the clear explanation that the interests of both users and businesses are to be addressed.
The full paper is linked here.
The Bill sets rules for search engines and social media and messaging platforms, which will have to accept new duties to protect UK users by assessing and responding to risks of harm. Ofcom’s guidance is to be outlined in the form of codes of practice, and in many areas, Ofcom will be required by statute to consult the ICO on relevant data protection requirements. Recommended measures in codes of practice must be designed in light of the importance of protecting the privacy of users and must, where appropriate, incorporate safeguards to protect users’ privacy. The Joint Statement says:
“Regulated user-to-user and search services must be able to demonstrate that they have “had regard” to the importance of protecting users from a breach of statutory provisions or rules of law concerning privacy (including data protection law) when deciding on and implementing their safety measures and policies to comply with their duties of care under the Bill.”
“Privacy duties on user-to-user services are set out in clause 19 of the Bill, and those for search services are contained in clause 29. Both must have regard to the importance of protecting users from privacy breaches. Category 1 user-to-user services (the highest reach services with the highest risk functionalities) must also publish an assessment of the impact on freedom of expression and privacy of any measures adopted to comply with their online safety duties.”
Whilst the Joint Statement points to many of the current and future regulatory challenges in digital markets, one fundamental point that is not properly addressed is the risks associated with sign-in. On this topic, the Statement simply notes:
“The type of personal information that users must provide to access platforms varies. Some online services offer access to content without the need to subscribe or create a profile, while others might require users to create a profile or verify certain information about themselves (for example, their name, age and contact email address) before they can access services or specific types of content. Some services might offer users tools for people to verify their identity so other users of the service have some assurance that they are who they say they are. In relation to protecting children, age assurance measures can be used in order to stop children below a certain age accessing services or age-inappropriate content.”
It is MOW’s belief that decentralised systems for sign-in should be addressed as a potential alternative to the current system of sign-in for data access. The present system gives gatekeeper platforms, like Google, enormous advantages over competitors on account of their unique position at the start of the user’s journey. This allows them to collect a huge amount of consumer data via the contract immediately entered into upon setting up your Android or Apple device or downloading the Chrome browser. Their dominant position in the online ecosystem then allows them to disintermediate other online services from accessing the same data by giving the consumer the simpler option of signing in through Google or Apple.
The risk here is not simply a competition one for the consideration of the CMA. The fact that there is no alternative to signing in through the gatekeeper platforms at the outset means that consent is, in effect, offered under duress. User sign-in agreements license extensive data harvesting, which, in view of the lack of consumer agency, can be seen as evidently exploitative. We would encourage the ICO and Ofcom to consider this risk. MOW will be raising the issue of decentralised networks and sign-in with the relevant authorities as a potential remedy to platform dominance.