Online Safety Bill – Outsourced Platforms

When the Government first announced plans to regulate online discussion platforms I wondered whether small organisations would be able to outsource the compliance burden to a provider better equipped to deliver rapid and effective response. Clause 180(2) of the Online Safety Bill suggests the answer is yes:

The provider of a user-to-user service is to be treated as being the entity that has control over who can use the user-to-user part of the service (and that entity alone).

The first thing to note is that this implements the Impact Assessment statement (para 67) that any exemption for educational institutions “also includes platforms like intranets and cloud storage systems, but also ‘edtech’ platforms”. Whether the platform is operated in-house or by a third party, the institution is likely to “control who can use” it, so it will be the provider and the platform’s status will reflect that of the institution.

Conversely, if an organisation wants to outsource the compliance duties for a discussion platform, it must outsource “control over who can use” it. The first such platform I came across was Disqus, with three “login options” used here to illustrate how responsibility might work:

  • Universal Disqus: a single user account that works across all Disqus instances, so appears to be controlled by Disqus and make them responsible for Online Safety Bill compliance;
  • Social Login: including Facebook, Google and Twitter; although it doesn’t manage credentials for these users, or have any control over who they are issued to, Disqus does seem to be able to block trouble-makers, which could be an argument that they “control who can use”;
  • Single Sign-On (SSO): assuming the individual organisation “controls” who has accounts in its user management system, it seems likely to be the provider of the discussion service for the purpose of the Bill, responsible for any compliance obligations. Note, however, that “Internal Business Services” – an obvious application for SSO – may be covered by the exemption in Schedule 1 para 7.


By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *