Rachel Coldicutt, who has lots of interesting thoughts about regulation of the Internet, tweeted:
A hypothetical scenario: might an indie podcast be classified as “user-to-user” content and so subject to the hate speech provisions in the OSB? I assume not tbh.
Here’s my attempt at an answer.
It is based on the current draft of the Online Safety Bill (pdf). I say that because there are myriad proposals for what should be in it.
Answering a different question
At risk of sounding like a very pedantic lawyer or, worse, a politician, I’m going to answer a slightly different question.
That’s because the question focusses on the classification of the content - is a podcast “user-to-user content” - but the draft Bill focusses on the classification of the service.
I think the correct question is: “is a service which distributes podcasts in scope of the draft Online Safety Bill?”. But I’m happy to be corrected if that’s not the question.
So let’s dive in.
The draft bill defines “user-to-user service” as:
an internet service by means of which content that is generated by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service.
Not all user-to-user services are in scope, as there is a definition of “regulated service”.
I’ve written about this before, but the gist is that a service must:
- have links with the UK
- not be exempt
(I’m not going to get into the “has links with the UK” here. Update: see the new section at the end, in which I do get into this.)
There is also a schedule full of exemptions (some of which are a bit weird, but that’s for another day). None of them specifically deal with “podcasting” but, depending on exactly what is going on, some of them may apply. See below.
anything communicated by means of an internet service, whether publicly or privately, including written material or messages, oral communications, photographs, videos, visual images, music and data of any description
I don’t think there is any doubt that a podcast, transmitted over the Internet, is content, because anything transmitted over the Internet is content.
“User” is not defined (other than in a section dealing with complaints, which is not helpful to the definition of “user” everywhere else). That is challenging, for the reasons below.
Podcasts can be distributed in different ways. My view is that the specific approach and functionality will have a bearing on the implications under the draft bill.
1. I record a podcast and upload it to my own, self-hosted, web site, for anyone to download.
I think that this is out of scope of the draft bill.
I am sceptical that I am a user of my own service, such that the definition of “user to user service” is not met. The bill is supposed to be about responsibility / liability for what other people do, not about what I do.
But that interpretation of “user” is open for debate.
2. I record a podcast and upload it to my own, self-hosted, web site, for anyone to download. I have a feedback form, which goes only to me.
The podcasting aspect of the service is still out of scope for the reasons above.
The form lets other users submit content, but that still does not meet the definition, which requires that the user-submitted content must be “encountered by another user, or other users, of the service”. Assuming that my logic that, as the admin/owner of the site, I am not a user, stands, then I am not a user as a recipient of those feedback form submissions.
3. I record a podcast and upload it to my own, self-hosted, web site, for anyone to download. I have a comments section, and all comments are viewable by everyone.
The podcasting aspect of the service is still out of scope for the reasons above.
But, because I have a comments section, which lets a user post content (i.e. anything) which can be seen by other users, I am now providing a user-to-user service.
Let’s assume it has links with the UK.
Is it exempt?
Schedule 1 to the draft bill contains an exemption for the charmingly-named “Limited functionality services”.
This expressly covers comments and reviews, but only:
comments or reviews relating to content produced and published by the provider of the service (or by a person acting on behalf of the provider of the service)
I might intend the comments section to be used for people to say nice things about my podcast, but what if they use it for something else?
The exemption starts by saying that:
A user-to-user service is exempt if the functionalities of the service are limited, such that users are able to communicate by means of the service only in the following ways
So I’m fine if they only post comments about my podcasts, but if they comment on anything else, or just post messages to each other, it’s no longer a limited functionality service.
4. I record a podcast and upload it to a third party hosting service, for anyone to download.
I’m no longer in scope: I’m not providing a “user-to-user service”.
But the third party hosting service could well be a “user-to-user service”.
I am a user of that service, and I upload my podcast to it.
My podcast may - arguably - be encountered by another user, or other users, of the service.
The reason I say “arguably” is how proximate to a service must someone be to be a “user” of it.
I suspect that this is caught.
But what that third party podcast hosting service runs on AWS. Is AWS now in scope?
It is an “internet service”.
But is the “user” the podcast hosting service, or the person who uploads the podcast? If it’s the podcast hosting service, they they do not “generate” the content", nor do they “upload” it to AWS. But they might “share” it via AWS.
Or is everyone who uploads to the podcast hosting service a user of both that podcast hosting service and a user of AWS?
5. I run a system which distributes publicly links to podcasts, but does not host the podcasts
(“distributes publicly” in the sense of making the links available publicly, rather than it being a typo for “public links”.)
This is a mix of the scenarios above.
A URL alone is still “content”, so if those URLs are submitted by users, then the service is a “user-to-user service”.
If I write code to scrape or retrieve podcast URLs, and to share them? Perhaps closer to use case #1.
6. I run a system which lets two or more people talk to each other and record a podcast.
That system is likely to be a “user-to-user” service.
But there is potentially an exemption.
A user-to-user service is exempt:
if one-to-one live aural communications are the only user-generated content enabled by the service.
So it falls apart if I can have two guests at the same time. One guest, fine. Two guests, bad.
But there are other conditions attached to “one-to-one live aural communications” too:
the communications consist solely of speech or other sounds conveyed between two users
Hmm.. okay. Probably fine.
the communications do not include, and are not accompanied by, any written message, video or other visual image
So no ability to share a common script or slides, or to share links, or to tell someone to wrap it up.
No ability to message a guest in the waiting room that they’re on in 5.
A bit limited, then.
the content is not a recording of such communications
I think that this means “the content is not a recording of [communications made in real time between users of the service by means of the service]”.
So you can have a chat with one guest at a time, and record it, but you can’t do any form of playback of that recording.
Does the draft Online Safety Bill apply merely because there are users in the UK?
Nicky Birch asked on Twitter:
as we assume that the majority of podcasters do use third party hosting platforms - does this mean they will be subject to the new Bill if the creators are based in the UK regardless of whether the platforms are?
I am interpreting this as a question about what brings a “user-to-user service” in scope of the draft Online Safety Bill.
tl;dr: the draft bill has an expansive scope, but the fact a service is available to people in the UK, or is used by people in the UK, is not sufficient in itself to make the service a regulated service.
A “regulated user-to-user service”
The answer lies in the definition of a “regulated service”, which in turn points us to the definition of “a regulated user-to-user service”.
A “regulated user-to-user service” means:
a user-to-user service that— (a) has links with the United Kingdom …, and (b) is not exempt.
I’m going to leave the issue of “is not exempt” aside, since I’ve touched on some of the exemptions in earlier answers.
“has links with the United Kingdom”
A user-to-user service “has links with the United Kingdom” if:
the service has a significant number of United Kingdom users
There is no definition of “significant number”. 1000? 10,000? 10% of the total number?
Presumably, there will be guidance on this but, for now, we can reasonably surmise that the more users in the UK that a service has, the greater the likelihood that it is a regulated user-to-user service.
United Kingdom users form one of the target markets for the service (or the only target market).
Again, there is no clarity as to how this is assessed. Another thing to be left to guidance?
“Target market” suggests that it requires more than “mere availability” of the service to users in the UK. i.e. the fact that someone in the UK can access the service should not be sufficient.
Perhaps we’ll see an approach along the lines of framework for “targeting” in the GDPR:
Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
But, again, I am forced to guess.
If the service sells subscriptions in sterling, that’s probably enough. Merely having the website in the English language? Hopefully not.
Lastly, a user-to-user service is a regulated user-to-user service if:
(a) the service is capable of being used in the United Kingdom by individuals, and (b) there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom arising from … content present on the service
“harm” means “physical or psychological harm”.
This is arguably the broadest of the tests.
I read the first limb as saying that “mere availability” is sufficient: if someone in the UK is capable of using the service, then that’s sufficient, even if no-one in the UK does.
If the first limb is broad, the second limb is simply challenging to apply, because it is vague.
What happens if there are “reasonable grounds” to believe that there is content of the type described, but that, in fact, there is no such content? Is the fact that there are reasonable grounds to believe that there might be sufficient to bring a user-to-user service in scope, even if that belief is misguided?
Who must have that belief? A regulator? The service provider? A mythical “person on the Clapham Omnibus”?
Can a podcast hosting platform realistically assess, without listening to every podcast, whether a podcast might present a “material risk of significant [physical or psychological] harm to individuals in the UK”? Could they determine that even if they listened to every podcast?
What is the condition of the “individuals in the United Kingdom”? Is it some kind of mythical “average person”? Or is it to be assessed from the perspective of someone susceptible to harm (i.e. a sort of “egg-shell skull” approach)?
How proximate must the (potentially) affected individuals be to the content? My impression is that the approach of harm … arising from … content present on the service" means that the provision is designed to cover more than just the service’s users.
- But does that mean that service provider has to make a judgment as to whether someone might reasonably believe that a listener to the podcast might decide, on the basis of a podcast, to assault a particular group of people in the UK, thereby causing them significant physical harm? How could they, realistically, do that?
Honestly, I’ve no idea how a provider is supposed to address this.
And it seems possible that, even if there is no problematic content, or if there is but no-one in the UK accesses it, the service would still be in scope.