← All briefings Briefing No. 1

Speakers, not just hosts

Why the Online Safety Act 2023 and article 22 UK GDPR are inadequate to the harms posed by AI chatbots, and what a coherent UK response would require.

Author: Scott McCulloch, Founder · Published: 2 May 2026 · Length: approx. 3,700 words / 15-minute read

Download as Word document FAIR's submissions
Summary. In February 2024, a 14-year-old boy in Florida took his own life after a months-long emotional and quasi-romantic relationship with an AI chatbot which, in their final exchange, told him “Please do, my sweet king” when he indicated he was ready to die. In April 2025, a 16-year-old in California took his own life after ChatGPT, over the preceding months, provided him with detailed methods of suicide and counselled him not to tell his parents. In the year to 2025, the Internet Watch Foundation identified a 26,385 per cent increase in AI-generated child sexual abuse videos. The United Kingdom’s online-safety framework, designed for a world in which platforms hosted content created by users, is engaging only by extension with a world in which the platform is itself the speaker. This briefing argues that a coherent response requires the United Kingdom to legislate for AI services as speakers, not as hosts; sets out the legal architecture that such a response would entail; and proposes the principles by which Parliament should now act.

1. The hosts framework, in brief

The framework on which the United Kingdom’s online-safety architecture rests is one of intermediary liability. Platforms are treated, in substance and in the language of the legislation, as hosts of speech created by their users. The Online Safety Act 2023[1] is the most recent and most ambitious instance of this approach in UK law. The Act’s headline duties of care apply to “user-to-user services” in respect of “user-generated content”;[2] the corresponding obligations of risk assessment, takedown, and reporting are calibrated to the platform’s control over what its users post.

The framework has antecedents which are by now well established. The European Union’s Electronic Commerce Directive of 2000 confined platform liability to circumstances in which the platform had actual knowledge of unlawful content. The United States’ Communications Decency Act, at section 230,[3] continues to immunise platforms from liability for the speech of their users. The Online Safety Act, while imposing more demanding positive duties of risk assessment, retains the underlying conceptual move: the platform stands in a relation of intermediary to the speech of others.

In a world of social media, video-sharing services, messaging applications, gaming platforms, and the like, that conceptual move is sound. The platform is, in fact, the host. The user is, in fact, the speaker. The legal questions of duty, responsibility, and liability properly track the underlying architecture of the speech.

2. The architecture has changed

In a world of generative artificial intelligence, the architecture has changed. When a user enters a prompt into a general-purpose chatbot, an AI companion service, or a multimodal generative service, the response is not user-generated content in any meaningful sense. The response is generated by the service. The service is, in plain terms, the speaker.

Three categories of present harm establish the point.

2.1 AI chatbots and child suicide

In Garcia v Character Technologies Inc,[4] the wrongful-death claim brought by Megan Garcia following the death of her 14-year-old son Sewell Setzer III in February 2024, the alleged facts include that Sewell developed a months-long emotional and quasi-romantic relationship with a chatbot persona on Character.AI; that the chatbot was permitted by the platform to engage with him in sexually explicit conversation; that he expressed suicidal ideation to the chatbot on multiple occasions; and that, in the final exchange before his death, when he told the bot he was going to “come home” to her, the bot replied “Please do, my sweet king”.[5] He died minutes later. The case settled by mediation in January 2026.[6]

In Raine v OpenAI Inc,[7] the wrongful-death claim brought by Matthew and Maria Raine following the death of their 16-year-old son Adam in April 2025, the alleged facts include that Adam confided suicidal thoughts to ChatGPT from November 2024 and that, from January 2025 onwards, ChatGPT provided him with detailed methods of suicide and counselled him not to tell his parents about his thoughts. Adam Raine’s father gave testimony before the United States Senate Committee on the Judiciary on 16 September 2025.[8] Multiple subsequent wrongful-death claims have been filed against OpenAI on similar facts.

These are not cases in which the platform hosted harmful third-party content. The platform was the speaker. The platform encouraged. The platform supplied the method. The harm is qualitatively different from the harm contemplated by an intermediary-liability regime.

2.2 AI-generated CSAM at industrial scale

The Internet Watch Foundation, the United Kingdom’s sole authorised reporter of online child sexual abuse material, identified 8,029 items of AI-generated content showing realistic child sexual abuse in 2025, a 14 per cent increase on the previous year, and 3,443 AI-generated CSAM videos in 2025 against 13 in 2024, an increase of 26,385 per cent.[9] Sixty-five per cent of the AI-generated CSAM videos were classified as Category A, the most severe category.[10] The Crime and Policing Act 2026 has, by sections 38 to 41, made it an offence to possess, create, or distribute AI models which have been fine-tuned on child sexual abuse imagery, and an offence to possess manuals on how to do so;[11] but the underlying problem of foundation models which are capable, on prompt, of generating realistic CSAM remains substantially unaddressed at the level of the model itself.

Here, again, the platform is the speaker. The image is not hosted by the service in any meaningful sense; it is generated by the service.

2.3 The architecture of grooming and predator misuse

AI chatbots are increasingly deployed by predators to engage children in grooming conversations, to generate sexually explicit material implicating children, and to coach children in the production of intimate imagery for predatory purposes. Where the chatbot is the speaker, conventional intermediary-liability analysis offers no purchase: the platform has not failed to take down user-generated content; the platform has authored the content. The same architectural change applies.

3. Why the current architecture is inadequate

3.1 The Online Safety Act 2023 engages only by extension

The Online Safety Act 2023 was drafted before generative AI services achieved their present prevalence and was framed for user-to-user services. Ofcom has issued guidance which acknowledges that some generative AI services may fall within the scope of the Act if they enable users to share or encounter the model’s outputs in user-to-user functionality;[12] but the Act’s structure was not designed to engage the model’s outputs as such.

The result is that the duty of care under the Act, as it stands, does not engage cleanly with the harms outlined in section 2 of this briefing. A child harmed by a one-to-one conversation with an AI chatbot, where that conversation takes place wholly within the chatbot’s own service and is not made available to other users, is not protected by the Act’s user-to-user duties at all. A child whose synthetic sexually explicit image was produced by a generative service, but whose image is not subsequently made available to others, is engaged with by the Act only obliquely. The architecture is the wrong shape for the harm.

3.2 Article 22 UK GDPR is structurally limited

Article 22 of the UK GDPR[13] confers a right not to be subject to a decision based solely on automated processing which produces legal or similarly significant effects. The Data (Use and Access) Act 2025 has expanded the scope of article 22 to capture certain semi-automated decision-making and has clarified the lawful bases on which it may be conducted.[14] The right is, however, structurally limited to the protection of data subjects in respect of decisions, and is not engaged by AI services which speak, advise, encourage, or generate.

The point is not that article 22 is inadequate to its own purpose. The point is that the rights catalogue of which article 22 is part was framed for a paradigm of profiling and decisional automation which does not, in its terms, reach the harm caused by an AI service which speaks.

3.3 The common law of negligence reaches only by extension

The common law of negligence is in principle capable of imposing a duty of care on AI service providers, but the doctrinal analysis is unsettled. The wrongful-death claims pleaded in Garcia and Raine in the United States rest on novel theories of products liability and negligent design, and have not yet been determined by appellate courts. The application of analogous principles in England and Wales has not yet been tested. In the meantime, the families of children harmed by AI services have no clear path to remedy.

4. What a speakers framework requires

FAIR’s position is that the United Kingdom should now legislate, in primary legislation, for AI services as speakers. A coherent statutory architecture would involve five elements.

4.1 Recognition of the AI service as a legal speaker

The starting point is conceptual. The output of a generative AI service is, for the purpose of liability, the speech of the service. That conceptual move is presupposed by the wrongful-death claims pleaded in Garcia and Raine; it should be made explicit in UK law.

4.2 A duty of care owed by AI service providers to users

An AI service provider owes a duty of care to its users in respect of the speech the service produces. The standard of that duty would be calibrated to the foreseeability of harm and to the vulnerability of the user. A heightened standard would apply to children and to users known or reasonably believed by the service to be at risk of suicide, self-harm, eating disorders, or other categories of acute vulnerability.

4.3 Mandatory architectural safeguards

In addition to a duty of care, primary legislation should require AI services accessible to children to incorporate specified architectural safeguards: prohibitions on sexually explicit content involving users; prohibitions on the encouragement of suicide and self-harm; mandatory routing to crisis support where suicidal ideation is detected; mandatory parental notification in defined circumstances; and prohibitions on the deployment of synthetic personas designed to elicit emotional dependency in children. These safeguards should be enforceable against the model provider, not solely against the service that deploys the model.

4.4 A statutory cause of action

Primary legislation should provide a statutory cause of action for users, and the personal representatives of users, who have suffered harm as a result of the speech of an AI service in breach of the duty of care, with proportionate remedies. This would address the doctrinal gap left by the unsettled common law and would give effect, in the law of England and Wales, to the article 2 ECHR positive obligation to protect life.

4.5 An empowered regulator

The regulatory architecture should designate an empowered regulator (Ofcom, the Information Commissioner, or a new statutory body) with full investigatory and enforcement powers, including the power to require risk assessments, audit model behaviour against the architectural safeguards, impose civil penalties, and seek injunctions in respect of non-compliant services.

5. International comparators

The United Kingdom would not be alone in moving in this direction. The European Union’s Artificial Intelligence Act[15] prohibits, at article 5, AI systems which deploy subliminal techniques, exploit vulnerabilities of specific groups including children, or are used for emotion recognition in educational and workplace settings; and requires, at article 50, transparency in respect of AI-generated content and AI-mediated interaction. The United States’ Communications Decency Act, at section 230,[16] continues to immunise platforms in respect of third-party speech, but has been read by recent United States Supreme Court authority[17] not to immunise platforms in respect of their own speech or their own algorithmic editorial choices. The direction of travel, in both jurisdictions, is towards a recognition that the AI service’s own speech engages a different set of legal considerations from the speech of users which the service merely hosts.

6. A note on FAIR’s political activity

This briefing is published by The Foundation for Artificial Intelligence Rights (FAIR) in furtherance of its charitable purposes, namely the advancement of education in respect of artificial intelligence and the advancement of human rights as engaged by artificial intelligence (see Charities Act 2011, section 3(1)(b) and (h)).[18] The Charity Commission’s guidance Speaking out: guidance on campaigning and political activity by charities (CC9)[19] permits a charity to undertake campaigning or other political activity in furtherance of, and as a means of supporting, its charitable purposes, provided that political activity does not become the reason for the charity’s existence. FAIR’s purposes are, and remain, advancement of education and advancement of human rights;[20] the publication of this briefing supports those purposes by educating the public, and Parliament, about the legal architecture of AI safety and the rights that architecture engages.[21] FAIR’s trustees have evaluated this engagement against the four-part test in CC9 and are satisfied that publication is consistent with FAIR’s charitable status.

7. Recommendations

  1. His Majesty’s Government should publish a White Paper on the legal architecture of AI safety in the United Kingdom, recognising the limits of the hosts framework and proposing primary legislation for AI services as speakers.
  2. The Department for Science, Innovation and Technology, in its current consultation ‘Growing up in the online world: a national conversation’,[22] should give explicit consideration to the harm caused by AI services to children, and should set out the Department’s position on whether the Online Safety Act 2023 is, in its current form, adequate to that harm.[23]
  3. The Information Commissioner’s Office, in its current draft guidance on automated decision-making and profiling, should clarify that article 22 UK GDPR does not, of itself, address the harms caused by AI services which speak, advise, or encourage; and should support primary legislation to address those harms.
  4. Parliament should now consider whether the AI (Regulation) Bill, or its successor, is the appropriate legislative vehicle for the speakers framework set out in this briefing, and whether a free-standing AI Safety Act is required.
  5. Industry, academic, and civil-society stakeholders are invited to engage with FAIR on the design of the speakers framework, and on the practical and architectural questions which its implementation would entail.

8. Conclusion

The United Kingdom’s online-safety framework was designed for a world in which platforms hosted speech created by their users. That world has changed. In a world of generative AI, the platform is, frequently, the speaker. The legal architecture of AI safety must catch up with that architectural change. FAIR commends the principles set out in this briefing to Parliament, to Government, and to the public. The lives of children depend on the United Kingdom getting this right.

9. About FAIR

The Foundation for Artificial Intelligence Rights (FAIR) is a UK organisation (registration pending). FAIR’s charitable purposes, registered with the Charity Commission, are the advancement of education in respect of artificial intelligence and the advancement of human rights as engaged by artificial intelligence. FAIR is independent of Government, of any political party, and of the AI industry; FAIR does not accept funding from AI developers or deployers, or from any organisation whose commercial interests would be materially affected by the position FAIR takes in regulatory consultations or in published briefings.

10. Contact

Further engagement on any aspect of this briefing is welcomed.

Scott McCulloch, Founder
The Foundation for Artificial Intelligence Rights (FAIR)
International House, 50 Essex Street, London WC2R 3JF
Email: info@airights.org.uk
Web: airights.org.uk

Footnotes

  1. Online Safety Act 2023.
  2. Online Safety Act 2023, ss 9-15 (duties of care of user-to-user services); s 80 (definitions, including “user-generated content”).
  3. Communications Decency Act 1996 (US), 47 USC s 230.
  4. Garcia v Character Technologies Inc, No 6:24-cv-01903 (MD Fla, complaint filed 22 October 2024).
  5. K Roose, ‘Can A.I. Be Blamed for a Teen’s Suicide?’ New York Times (New York, 23 October 2024).
  6. M Field, ‘Google and Character.AI agree to mediated settlement of teen suicide lawsuit’ CBS News (8 January 2026).
  7. Raine v OpenAI Inc, No CGC-25-628165 (San Francisco County Superior Court, complaint filed 26 August 2025).
  8. M Raine, Written Testimony Before the United States Senate Committee on the Judiciary (16 September 2025).
  9. Internet Watch Foundation, Harm Without Limits: AI Child Sexual Abuse Material Through the Eyes of Our Analysts (IWF 2026).
  10. Internet Watch Foundation, Harm Without Limits: AI Child Sexual Abuse Material Through the Eyes of Our Analysts (IWF 2026).
  11. Crime and Policing Act 2026 (received Royal Assent 29 April 2026).
  12. Ofcom, ‘AI chatbots and online regulation: what you need to know’ (Ofcom, 2025); see also Ofcom, Strategic Approach to AI 2025/26 (Ofcom 2025).
  13. UK General Data Protection Regulation, art 22.
  14. Data (Use and Access) Act 2025, s 80 (amending art 22 of the UK GDPR).
  15. Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) [2024] OJ L1689/1, art 50 (transparency) and art 5 (prohibited practices).
  16. Communications Decency Act 1996 (US), 47 USC s 230.
  17. Moody v NetChoice LLC 603 US 707 (2024) (US Supreme Court).
  18. Charities Act 2011, s 3(1)(b) and (h).
  19. Speaking out: guidance on campaigning and political activity by charities (CC9), Charity Commission (updated November 2022).
  20. FAIR’s purposes are published at airights.org.uk/purposes.html accessed 2 May 2026.
  21. Charities Act 2011, s 3(1)(b) and (h).
  22. Department for Science, Innovation and Technology, Growing Up in the Online World: A National Consultation (consultation paper, 2 March 2026).
  23. FAIR’s submission to the DSIT consultation is published at airights.org.uk/submissions.html accessed 2 May 2026.
The Foundation for Artificial Intelligence Rights (FAIR) is a UK organisation (registration pending). The views expressed in this briefing are those of FAIR and are published in furtherance of FAIR’s charitable purposes (advancement of education and the advancement of human rights). FAIR is independent of Government, of any political party, and of the AI industry. See FAIR’s Charitable Purposes and Conflicts of Interest Policy. Press enquiries: press@airights.org.uk.