Trust At Risk: Who's Accountable For The Online Safety Gap?

As debates around balancing digital protections with individual freedoms intensify, the first of our Code≠Law series exploring the rules governing technology offers insights on how to comply with global regulations

Governments around the world have committed to tackling online safety, charging regulators with drafting and enforcing new rules protecting users, particularly children. The challenge has been to do so without compromising freedom of speech, innovation or investment in new technologies, while also carefully balancing privacy and data security concerns.

It has proved a difficult mandate: rather than retaining focus on its positive intent, the topic has become a political battleground. Much of the debate has also centred on discrete and controversial parts of a wider regulatory mission which will impact many businesses, not just the social media, messaging and search engine platforms provided by Big Tech.

Such is the scale and urgency of the task, companies have started building dedicated teams or broadening the scope of existing staff to comply with multiple regimes, each with their own interpretation of the appropriate balance between protections and individual rights. For global businesses, this means creating compliance strategies which meet the most rigorous standards without suffering competitive disadvantage in regions governed by more flexible frameworks.

But not every business has embraced the received wisdom of proactive engagement with regulators: some have questioned the validity of enforcement decisions, the applicability of certain regulations and the demarcation of freedom of speech from hate speech.

"The internet is the most powerful free speech instrument that humankind has ever had," explains Pablo Mexia, HSF Kramer's Digital and Technology, Media, and Telecommunications lead in Madrid. "In turn, it can also harm privacy rights, consumer rights, or national security. Balancing these conflicting poles is not easy."

In a nutshell

1 Fines are only the beginning. Even small compliance gaps can potentially trigger multi-million dollar penalties, reputational fallout and class action claims.

2 Regulations collide. Meeting online safety obligations can create friction with data privacy, IP, or AI laws — increasing overall risk.

3 One size doesn't fit all. A hub-and-spoke model built on regulatory mapping is the most pragmatic way to balance efficiency with risk control.

4 Global issues need local answers. Effective oversight means integrated global–local frameworks, clear leadership and decisive prioritisation.

5 The rules keep changing. Global harmonisation is unlikely, but cross-border co-operation — especially on child protection — will intensify.

When rights collide: Why is online safety so difficult?

"We're looking for cultural change that puts safety at the heart of business decisions from the start, but freedom of expression and competition will of course remain vital," says Elizabeth Holloway, legal director at UK communications industry regulator Ofcom.

So, how best to balance opposing, fundamental rights? It is a tension which has made online safety an invidious topic central to debates around technology, public safety and individual freedom.

"In the end, there is no separation between online safety and real-world safety, or between online harm and real-world harm," argues Garth de Klerk, CEO of South Africa's Insurance Crime Bureau. "There's little consensus on how to achieve online safety and the issue is a political battleground, with critics citing liberty and privacy concerns. Tech firms are squeezed between protecting vulnerable users and defending others' freedoms."

Political and social differences between countries further exacerbate the problem, with jurisdictions such as the UK, EU and Australia implementing more interventionist regimes compared with the laissez-faire approaches adopted in the US. "Technology might be the same everywhere, but national laws reflect unique local challenges and diverse societal standards on speech and safety, which are themselves subject to change," notes Google's international head of legal Yoram Elkaim.

Adding to the complexity is the pace at which digital platforms and technologies evolve. Traditional regulatory approaches often struggle to keep up with new features, formats and behaviours. At the same time, tools designed to enhance online safety such as content scanning, hash matching and automated moderation are also advancing rapidly, raising fresh questions about effectiveness, privacy and accountability.

While these challenges are not new for global tech companies well accustomed to navigating local differences and some sections of the industry, such as ecommerce platforms, may even benefit from regulations that increase user confidence. However, the industry remains instinctively averse to regulatory limitations such as age verification and wary of content moderation, which can prove difficult to enforce and is fraught with reputational risk.

Online safety around the world

Companies worldwide face a patchwork of online safety regulations. Even within the EU, the bloc's Digital Services Act sits atop differences in legal code and policy between member states. Similar tensions are present in Asia, with marked regulatory differences across Singapore, China, Thailand and Indonesia.

Meanwhile, companies must also be aware of the interplay between federal and state law in the US, says HSF Kramer's New York-based litigation lawyer Nick Tonckens. "Federal legislation focuses on child protection via the Children's Online Privacy Protection Act, but the breadth and depth of state level regulation is far more complex. Some states have introduced requirements for age-appropriate design, while others require age verification or parental consent."

However, the differences are more striking than the similarities, says Michelle Virgiany, corporate lawyer at Hiswara Bunjamin & Tandjung, HSF Kramer's associated firm in Indonesia: "Different governments have identified broadly similar areas of concern – it's the responses and mechanisms that are very different."

Even where regimes have similar emphasis, their definitions, requirements and penalties can vary significantly. Key differences include:

• Legal basis: Jurisdictions with dedicated laws include the UK's Online Safety Act, the EU's Digital Services Act and Australia's Online Safety Act. Examples of adapted laws include Thailand's Computer-Related Crime Act and Indonesia's Electronic Information and Transactions Law which is supplemented by an implementing Government Regulation on Online Child Protection. Countries like Germany, Singapore and China have several relevant laws, while South Africa features a mix of regulation and voluntary codes.
• Requirements: These range from hard controls which include age verification to qualitative measures such as content moderation. Some regimes use reactive tools like take-downs, while Singapore and Australia expect proactive harm prevention. Elsewhere, the UK has introduced a duty of care for in-scope providers. Though all regulations address illegality, each has its own view of legal harms like cyberbullying. Many jurisdictions also have specific prohibitions such as deepfakes (Spain), hoaxes (Indonesia), and violating lèse-majesté (Thailand).
• Implementation: Some regulations were developed with little or no industry input, while other regulators consult on implementation or issuing user guidance. Australia is taking a co-regulatory approach, with industry involvement in drafting mandatory codes of practice.

The global picture is also complicated by overlapping frameworks. "Extra-territoriality is a defining feature of most online safety regulation," explains Paris-based HSF Kramer corporate TMT partner Emmanuel Ronco. "The focus on user location rather than company location is quite exceptional."

Online safety: A global regulatory overview

HSF Kramer's Online Safety Map provides an overview of 14 jurisdictions with current or planned online safety legislation and highlights some of the similarities, including:

Scope: Most regulations cover a broad range of online activities including search, social media, marketplaces and messaging – even if precise definitions vary, such as the EU's use of introducing services versus the UK's user-to-user services.

Priorities: Child protection is a universal goal. As Ofcom's Holloway puts it: "We don't want children to have an adult experience online." There are consistent bans for other illegal content such as terrorist materials.

Penalties: Most laws create broad enforcement powers like take-down orders. Fines are key, with GDPR-style revenue-based penalties allowed by the EU (6%), Germany (6%) and the UK (10%). The UK, Singapore and China are among those creating criminal liabilities, while Hong Kong and Thailand allow for potential imprisonment.

VIEW THE MAP

What are the online safety risks for business?

The complexity of global online safety regulation creates a twofold risk: the difficulty of achieving 100% compliance in every market and the rapid evolution of regulatory perimeters opening opportunities for claimant firms and funders to pursue perceived breaches.

Companies need a targeted, risk-based response to avoid stumbling into a pitfall. The greatest sources of vulnerability are:

Lack of local expertise

Companies facing a complex global picture may be tempted to take a single compliance approach or to focus on a handful of key markets. But rushing for compliance without sufficient local knowledge is risky – even minor compliance breaches have the potential to generate huge fines and reputational damage.

Vagueness and ambiguity

Flexible regulation can provide valuable room for interpretation, but there are risks in being imprecise. "Regulation that's too abstract creates legal uncertainty and hinders competitiveness," says Frankfurt-based HSF Kramer TMT Counsel, Thies Deike. Questions of applicability can catch firms out, such as when generic rules are applied to different activities like search or messaging. Where legal wording is unclear, implementing regulations is all-important and engagement is vital. In Australia, for example, the eSafety Commissioner has significant discretion to guide industry in implementing new mandatory codes or, if the industry is unable to agree on codes or if the codes lack sufficient safeguards, to issue mandatory standards.

Reliance on 'hard' controls

Rigid rules or controls such as age verification and geo-blocks can create a false sense of confidence. "If regulation is too blunt, users will find a way around it," warns Sydney-based TMT sector global co-lead partner Kwok Tang. VPNs, largely unrestricted in most open economies, provide an obvious tool for circumvention. Focusing on outcomes as well as processes is key to avoiding complacency.

Conflict with other laws and areas

Companies must realise that complying with online safety regulation creates tension in other areas including data privacy, security and intellectual property, which may lead to unintended risks. In some jurisdictions there is risk of conflict with new laws in AI and other emerging areas or with longstanding statutes around televised or print media.

Enforcement uncertainty

In jurisdictions like the UK, regulators are aiming for a degree of proportionality when implementing online safety law. That can drive up compliance risks for bigger companies, but it can also catch out smaller firms unsure how to calibrate regulatory expectations. Local insight into the latest regulatory thinking is crucial.

Finally, companies operating online must be wary of broader commercial risks. The most obvious are lost revenue and profit when firms avoid certain activities or markets due to regulation. Regulation can also undermine culture by breeding a passive, box-ticking attitude that undermines creativity.

How to comply with online safety?

The keystone of successful online safety compliance is a clear global strategy that adapts to meet local requirements.

But that's easier said than done, argues HSF Kramer's London-based head of media and digital Hayley Brady: "For the biggest tech firms, trying to develop a coherent global response to online safety is one of the hardest challenges of all."

Online Safety

The disputes risks explained

Read article

Common approaches include:

• High water mark: The tech industry is familiar with the 'Brussels effect'. In theory, adopting the most stringent standards – such as those of the EU, UK or Australia – could offer a degree of immunity in other markets. In practice, local differences and the penalties for non-compliance mean this approach would create as many legal risks as it removes. Companies also risk putting themselves at a competitive disadvantage. "A single global approach is really not going to work in this field," adds Brady.
• Bottom up: Conversely, a granular approach with dedicated design and operations for every major jurisdiction can be adopted. But as Justina Zhang, HSF Kramer Kewei China TMT partner, points out, "the costs of building bespoke solutions in dozens of markets are prohibitive." Moreover, totally separate national frameworks are incompatible with tech operating models for services like messaging or social media.
• Pick and choose: In rare cases, specialist tech firms may opt to withdraw entirely from certain high-risk jurisdictions. However, loss of revenues and reputational risks make this a last resort. Despite their public criticism of regulation, tech companies typically prefer a dual strategy of aiming for compliance while lobbying for carve-outs or lighter enforcement.
• Hub and spoke: For many companies, a hybrid approach based on comprehensive regulatory mapping provides the most pragmatic balance between efficiency and risk management. "This top-down approach leverages compliance in leading jurisdictions like the US and EU into the secondary market," explains HSF Kramer's Johannesburg-based competition Of Counsel, Sandhya Foster. "It then uses gap analysis to identify the minimum required changes to achieve local compliance." Meanwhile, geo-blocking can be used to try to enforce access controls, or to disable selected functionalities.

How can companies adapt to online safety?

Tech companies are accustomed to regulation, but the proliferation of online safety law is accelerating the industry's transition into a world of closer supervision. That is why tech firms need to adopt a more proactive compliance mindset. It is also why companies are investing in specialist talent and developing the back-end links between systems required to generate real-time reporting on alerts, complaints and responses.

However, it is still common to see piecemeal or ad-hoc approaches pushing up costs without transforming compliance. Companies need several practical elements to successfully achieve global online safety compliance week-in, week-out, while preserving flexibility and innovation.

Strategic frameworks

Effective cross-border compliance depends on establishing an integrated global-local framework for online safety oversight. Embedding online safety into strategic thinking, calls for clear leadership and effective prioritisation. "There can definitely be value in viewing online safety as a strategic and cultural priority, not just a narrow compliance obligation," adds Johannesburg-based HSF Kramer regulatory partner Nick Altini. Taking a holistic view of online safety and other governance priorities vital to trust – such as data protection – can help to achieve synergies. However, it is essential to maintain clear distinctions between mandatory regulation and elective choices.

Skills and expertise

To embed online safety compliance into daily operations, firms need multi-competency teams with a mixture of global expertise and local knowledge. Learning from the experience of other regions and organisations is key, so targeted hiring, training and development are essential. Integrating legal and compliance specialists into project teams will keep designers and developers briefed on core regulatory requirements and local nuances.

Harnessing AI

"It's inevitable that AI will not only be part of OS compliance, but integral to it," forecasts Kwok Tang. In qualitative areas such as content classification and filtering, AI is the only feasible way to achieve compliance at a global scale. Of course, AI can be used by bad actors and its potential for bias, unpredictability or opacity can give rise to risks. AI tools struggle to understand context and online safety training data from one market is often unsuited to another. But while AI can never entirely replace human judgement, with the right training and guardrails it has the potential to transform risk detection and mitigation. "Who or what does AI replace? Often, nothing," argues Paris-based HSF Kramer partner Vincent Denoyelle. "So, while it's far from perfect, it has a huge role to play."

Continuous improvement

The speed of change in online technology and regulation means staying on top of the latest thinking is critical to compliance. That requires knowledge sharing with peers and consulting external counsel; proactive engagement with regulators and industry bodies; and effective prioritisation for limited legal and engineering resources. Finally, it needs regular risk analysis and audits to identify compliance gaps, with feedback mechanisms to deliver continuous improvement.

There is no single way for tech companies to build practical online safety compliance frameworks. Firms must devise an approach that suits their business models and can adapt to ongoing changes in regulation and technology. A dynamic, iterative approach is key, stresses Altini: "Ongoing adaptability is just as important as point-in-time judgements."

How will online safety develop?

"Governments are only beginning to make the online world safer," notes Virgiany. "We're just at the start of the process."

Many online safety regulations are so new that their impact is far from clear. In countries such as the UK and Australia, regulations are still not fully implemented. In most jurisdictions, regulatory decisions are yet to be tested. This is the case in the US, according to HSF Kramer's Silicon Valley-based data protection lawyer Austin Manes: "We've seen some district court decisions on new legislation, but the appeals process is not yet concluded. Questions over scope and statutory interpretation remain largely untested in the courts. The law in this area is definitely not settled."

Legislation will also continue to be enacted. "Static legislation is quite ill-suited to the online safety space, given the nature of content and the web," says Jenny Duxbury, director of policy, regulatory affairs and research at Australian industry association Digital Industry Group. In Australia, the Online Safety Amendment (Social Media Minimum Age) Act showed a readiness to amend even very new laws. In the US, a bipartisan package which could establish a social media duty of care is currently before the Senate. "This is about a dialogue between technology and law, and that dialogue is more intense than ever " says Google's Elkaim.

International co-operation will continue, especially on child protection. This includes informal knowledge sharing, formal engagement via supervisory colleges, and agreements like the Joint Ministerial Declaration by the G7 and EU on internet safety principles and the bilateral agreements between Australia and the UK pledging closer co-operation on online safety. "Cross-border consultation provides the best chance of future convergence," adds Duxbury.

Even so, there is little sign of this engagement leading to greater cross-border consistency, let alone practical convergence. Laws and regulations cannot be separated from their local context, and this subjectivity suggests differences will persist. "There may be similar positions in certain areas," comments Zhang. "But fundamentally the differences are cultural."

In the long term, the sharing of best practice between governments and companies could foster greater alignment on the fundamental principles of online safety. Over time, the evolution of enforcement should also contribute to common regulatory expectations. However, true harmonisation could take decades. "It's just too early to talk about genuine convergence," cautions HSF Kramer's Brussels-based regulatory partner Morris Schonberg.

For the foreseeable future, the most likely outcome is that convergence in certain areas will be offset by divergence in others – leading to persistent cross-border fragmentation. "Convergence or divergence? It could be both." concludes Brady.