The Online Safety and Media Regulation Act 2022 – a new framework for the regulation of harmful online content in Ireland

The OSMR Act makes substantial amendments to the existing regulatory framework in relation to broadcasting services and also transposes EU Directive 2010/13/EU of the European Parliament and of the Council of 10 March 2010 on the coordination of certain provisions laid down by law, regulation or administrative action in Member States concerning the provision of audiovisual media services (the Audiovisual Media Services Directive)] which concerns the regulation of television broadcasting services, on-demand programmes and video-sharing platforms, and also incorporates rules on television advertising and product placement.  Significantly the OSMR Act also establishes, by way of Part 11, a brand new statutory regime for online safety including the regulation of harmful online content which will also be commenced on  15 March 2023.

A new regulator

In addition to its role under the OSMR Act, Coimisiún na Meán will also be Ireland’s Digital Services Coordinator under the Digital Services Act (the “DSA”), with  responsibility for implementing and enforcing its provisions in Ireland. The Irish Government also intends it to be designated as Ireland’s competent authority under Regulation (EU) 2021/784 which seeks to tackle the dissemination of terrorist content online.

Four out of the five members of Coimisiún na Meán who will each act as a commissioner with a particular function have been appointed including the Online Safety Commissioner, (Ms Niamh Hodnett), who is tasked with overseeing the regulatory framework for online safety under the OSMR Act. (The recruitment process for the fifth and final member who will act as the Digital Services Commissioner is underway). This new online safety regime marks a fundamental shift in Ireland’s approach to the regulation of harmful online content. It creates for the first time, a statutory framework which, once fully operational under the system of online safety codes which are to be established, will impose proactive obligation on captured online service providers to minimise the availability of, and risks arising from, harmful online content and to protect their users from the potential harms posed by such content.

What services are captured by the OSMR Act’s online safety regime?

Part 11 of the OSMR Act applies to “relevant online services”, i.e. any video-sharing platforms under the jurisdiction of the State or any information society services that are under the jurisdiction of the State and on which user-generated content is made available, either directly or indirectly (but excluding an audiovisual on-demand media service). If an organisation is caught within this definition, it is in scope to be designated by Coimisiún na Meán as an organisation to which one or more online safety codes apply. Where an organisation is so designated as caught by the scope of one or more online safety codes, it is referred to in the OSMR Act as a “designated online service”.

Core online safety obligations under the OSMR Act

Under the OSMR Act, the core obligations to be complied with will be established through a system of online safety codes which Coimisiún na Meán is responsible for making. Under these codes, the core obligations applying to relevant organisations which are designated as falling with the scope of a particular code will be set out. These  codes will address “harmful online content”, while separately “age-inappropriate online content” will be the subject matter of guidance materials and advisory notes developed by Coimisiún na Meán.

“Harmful online content” is defined in the OSMR Act as comprising two types of content. Firstly, it includes offence-specific categories of online content – this is essentially online content comprising information which is otherwise criminally prohibited from being published/ broadcast, for example online content which identifies the complainant or accused in a sexual offence case. Secondly it also includes any of the following online content: content consisting of one person bullying or humiliating another; content which promotes or encourages eating disorders; and content which promotes or encourages self-harm/ suicide or makes available information on methods of self-harm/suicide. However for these latter categories of online content, they must also meet a risk test, such that the content will only qualify as harmful online content where the content in question either gives rise to any risk to a person’s life or poses a significant risk of harm to a person’s mental/physical health which is reasonably foreseeable. It should be noted that provision is also made for the categories of harmful online content to be further expanded by Ministerial Order following a proposal made by Coimisiún na Meán.

“Age-inappropriate online content” is content that is specifically unsuitable for children either generally or below a specific age, in particular pornography and realistic representations of gross/gratuitous violence or acts of cruelty. However as noted above this definition is relevant for the purposes of guidance and advisory materials to be issued by Coimisiún na Meán rather than for the making of online safety codes.

Online safety codes will be made for any of the following purposes: ensuring that relevant organisations take appropriate measures to minimise the availability and risks of harmful online content; protecting users from exposure to such content; and protecting users, especially children in relation to commercial communications (i.e. advertising/promotional content) on their service . In particular, an online safety code may:

• Set out specific standards that services must meet and practices and measures that service providers must take;
• Set out specific standards, practices or measures relating to content moderation and the delivery of content on services;
• Specify requirements for the assessment by service providers of the availability of harmful online content available on their services, the risk of it being available and the risk to users posed by that harmful online content;
• Require the making of reports by service providers to Coimisiún na Meán; and
• Specify requirements for handling communications or complaints from services users.

In relation to the last item above, Coimisiún na Meán is mandated to establish an online safety code requiring any service providers which fall within the scope of the code (as decided by Coimisiún na Meán) to report to it, at a minimum every 3 months, on the service provider’s handling of user complaints and communications. Insofar as complaints to Coimisiún na Meán are concerned, while there is no automatic provision in the OSMR Act for it to receive complaints from the public, it may establish a scheme for handling and resolving complaints concerning the availability of harmful online content on specific online services but such a scheme can only be made if there is already an online safety code which applies to those online services concerning those services’ own handling of user complaints.

Finally it also noteworthy that provision is made in the OSMR Act for the possibility of an online safety code prohibiting the inclusion in user generated content or programmes of commercial communications relating to foods and beverages which are the “subject of public concern in respect of the general public health interests of children”, particularly infant/follow on formulas and foods/beverages containing fat, trans-fatty acids, salts or sugars.

Application of online safety codes

When making an online safety code, Coimisiún na Meán will also decide what online service providers the particular code should apply to, whether by way of specific application to a particular named service or more generally to a category of services. The OSMR Act sets out the procedures by which a service is designated as falling within the scope of a specific online safety code, including a list of the factors that must be taken into account; these factors include the levels of risks of harm to users, especially children, which are posed by the availability of harmful online content on a service or a category of services. There is also a requirement for advance notice to be given to a service which is captured by the online safety code while the application of a specific online safety code to a service can also be revoked by Coimisiún na Meán.

Enforcement

The OSMR Act allows for the imposition of potentially very significant penalties for organisations that are found to have contravened online safety codes. Administrative financial sanctions of up to €20 million or 10% of turnover for the preceding financial year may be imposed, as well as the possibility of various enforcement orders being made by Coimisiún na Meán or the Courts. Notably, where an organisation has been found to have  contravened an online safety code and it further fails without reasonable excuse to comply with a notice issued under the OSMR Act to end that contravention, this constitutes an offence. Where such an offence is committed with the consent or involvement of a person who holds any one of a variety of senior positions within the organisation, or is attributable in any way to that person’s neglect, that individual may also be also guilty of an offence under the OSMR Act.

What can organisations do to prepare?

While the content of the prospective online safety code(s) are currently unknown, it would be prudent for online service providers to start to consider the potential application of the OSMR Act’s online safety regime to their operations. As a preliminary step in looking towards future compliance, an organisation should assess whether it is a “relevant online service” for the purposes of the OSMR Act. If caught within that definition, it is in scope to potentially be designated by Coimisiún na Meán as an organisation to which one or more online safety codes apply. Ahead of any steps being taken towards the creation of online safety codes by Coimisiún na Meán, any organisations which self-assess as being providers of relevant online services, should also consider conducting a preliminary risk assessment exercise to identify the availability and extent of harmful online content (as defined within the OSMR Act) on their services, as well as the risks posed by that content. In particular, consideration should be given to whether such content is available to children and the risks posed to them by it,  as well as the mechanisms in place (or which could be implemented) to minimise the availability and the risks posed to users by harmful online content. Similarly, other forward-looking preparatory actions for such organisations could include examining the convenience and efficacy of existing complaint handling procedures for users to make complaints about harmful online content on the service. In this context consideration should be given to evaluating metrics and outputs around existing complaint mechanisms, for example to assess what proportion of complaints result in the removal of, or other actions to address, harmful online content, as well as average times to resolve such issues and the transparency for users of complaint handling procedures and protocols. Overall, these sorts of assessments should assist organisations in identifying potential gaps in their existing measures and determining remediation measures that might be appropriate to address those gaps.

More generally, one of the most significant preparation challenges for organisations will be understanding how their obligations under the OSMR Act in relation to online safety/ harmful online content will interact and overlap with other obligations, in particular those arising from the Digital Services Act (“DSA”) concerning illegal content, and the protection of minors amongst other things. With the DSA’s broader suite of obligations becoming applicable for all service providers which are caught by its application by no later than February 2024, organisations which may also fall within the scope of the OSMR Act should consider extending their DSA readiness projects to also encompass readiness under the OSMR, in anticipation of being captured within the scope of one or more online safety codes.