Online Safety Act

The Online Safety Act (OSA) places obligations on online ‘user-to-user’ (U2U) services and search services to take steps to control and monitor the content published on their platforms. The obligations imposed on U2U and search services, and overseen by Ofcom, will require providers of those services to take active steps in both the design of their platforms and in their policies and procedures to protect individuals against harmful content. New criminal offences are introduced under the OSA which will apply to all individuals in respect of distributing illegal content.

What is the general purpose of the law?

The primary purpose of the OSA is to require online services to take steps to keep the internet safe for children and give adults more choice over what they see online. The rules imposed under the OSA are designed, in the UK government’s own words, to make the UK “the safest place in the world to be online”.

Is the text of the law finalised yet? When will it apply?

Yes. The OSA received Royal Assent on 26 October 2023, becoming law in the UK on the same day. A number of obligations relating to Ofcom’s role as regulator under the OSA entered into force on the date of Royal Assent – laying the foundation for Ofcom to publish specific guidance and codes of practice on the duties applicable to U2U and search services. Certain specific obligations on illegal content, children’s online safety and user empowerment will enter into force on the day Ofcom’s codes of practice in respect of those duties come into force. Initial risk assessments need to be completed three months after Ofcom publishes the relevant guidance. Generally, the remaining provisions of the OSA will enter into force on a day specified in regulations yet to be seen.

Ofcom has announced that it will take a phased approach to publishing guidance and codes, prioritising enforcement of rules against the most harmful content as soon as possible. It published extensive draft codes and guidance on illegal content duties on 9 November 2023, with Ofcom expecting the duties to become enforceable around the end of 2024. It also published a consultation on draft guidance on age checks to stop children accessing online porn services on 5 December 2023. It intends to follow up with the relevant codes and guidance on child safety in Spring 2024, and for those duties to become enforceable in Summer 2025.

The guidance to be produced by Ofcom is intended to substantiate and give colour to the relatively high-level obligations set out under the OSA. Businesses will need to familiarise themselves with both the OSA and the applicable guidance (once published), as they are intended to be read in parallel.

Who does the law apply to?

Geographically, the OSA applies to U2U and search services having links with the UK (whether provided from the UK or not). This generally means that the service has a significant number of UK users, or UK users form one of the target markets for the service (or the only target market). The OSA does not set out how many UK users is considered “significant”; Ofcom expects U2U and search services to be prepared to explain their reasoning when calculating whether their service has (or does not have) a significant number of UK users. A service can also be caught if it is capable of being used in the UK and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK presented by the service’s content. Ofcom has published a short guide for businesses to help assess whether they fall within scope of the OSA .

The OSA applies in a funnel-like manner with certain obligations applying to all U2U services or search services. Ofcom has confirmed that U2U services include social media services, video-sharing services, online marketplaces, discussion forums, and gaming services. Search services cover general search services that allow users to search content from across the web. Interestingly, services allowing users to search for specific products or services offered by different companies, such as flights, credit cards, or insurance, are also included. Online services that search only one website or database are not caught.

The larger or more significant U2U and search services will subject to heightened cumulative obligations. The largest U2U services will be classed as “Category 1” services. Other large U2U services will have obligations as “Category 2B” services, while the largest search or combined services will face obligations as “Category 2A” services. However, the thresholds for these categories and the companies within scope of each will be identified in Ofcom’s registers for each category, which it anticipates publishing by the end of 2024.

All providers of U2U and search services that fall within scope of the OSA and that meet minimum revenue criteria (to be consulted on by Ofcom) will be required to notify Ofcom of their status as regulated under the OSA and may be required to pay an annual fee to Ofcom. The amount / level of the fee payable to Ofcom will be consulted on. The approach envisaged appears comparable to the ICO registration process for data controllers, however how registration with Ofcom will operate in practice remains to be seen.

What are the main obligations in the law?

Whilst not exhaustive, the key obligations that must be complied with are:

All U2U and search services

• U2U and search services must undertake an ‘illegal content risk assessment’ to determine the risk of users encountering and sharing illegal content on the service (factoring in how the design and operation of the service may increase or reduce risks). The illegal content risk assessment must be kept up to date and reviewed following any significant changes to the service’s design.
• U2U and search services must take proportionate measures to mitigate the risks identified in the illegal content risk assessment, and minimise the amount for which illegal content is present on their service.
• U2U services must include provisions in their terms of service (or in the case of search services, a publicly available statement) specifying how individuals are protected from illegal content and how any proactive technology is used to comply with their illegal content obligations.
• U2U and search services must undertake a ‘children’s access assessment’ to determine whether it is possible for children to access the service or a part of the service. All U2U and search services must repeat this assessment annually, regardless of findings.
• U2U and search services must have an easy-to-use process to allow users (or victims of illegal content) to report illegal content. as well as measures for users to challenge any takedown decisions they have been subject to.
• In removing any content, U2U and search services must have regard to users’ freedom of expression and the importance of protecting users from a breach of applicable privacy law.

U2U and search services likely to be accessed by children

•  Unless a children’s access assessment determines otherwise, all U2U and search services are considered “likely to be accessed by children”. Ofcom can also designate services as being likely to be accessed by children.
• U2U and search services likely to be accessed by children must undertake a ‘children’s risk assessment’ to ascertain the risks of children encountering illegal content as well as content harmful to children (whether designated under the OSA or otherwise). This is separate to the children’s access assessment. The OSA expects such services to also assess the risk of harm to children presented by the design of the service, for instance, whether adult users search for child users. Much like illegal content risk assessments, the children’s risk assessment must be kept up to date and reviewed following any significant changes to the service’s design.
• U2U and search services likely to be accessed by children must adopt proportionate measures relating to the design and operation of the service to mitigate and manage the risks of harm to children posed by content on the service.
• U2U and search services likely to be accessed by children must use proportionate systems and processes to prevent children from encountering content harmful to children, and in in the case of U2U services, must use age verification or age estimation measures.
• U2U services likely to be accessed by children must include provisions in their terms of service (or in a publicly available statement for search services) specifying how children are prevented from seeing content harmful to them.

Category 1, 2A, and 2B Services

•  Category 1 Services must empower users to have the ability to control the content visible to them and verify their identity, to ensure its systems and processes protect content of democratic importance and ensure the protection of journalistic/news content, and to prevent individuals from encountering fraudulent advertisements on the service, including a duty to minimise the length of time any such content is present on the service.
• Category 1 Services must also document the result of the findings of the majority of their risk assessments in publicly available policies or terms of service.
• Category 1, 2A and 2B Services will be notified by Ofcom annually to provide a transparency report about that service. Details as to what will be required in such reports will be set out in the notice from Ofcom.

Who will enforce the law?

Ofcom is the primary regulatory authority appointed to oversee compliance with the OSA. Ofcom has various enforcement powers under the OSA, including the power to (among other things) issue information notices requiring service providers to deliver up certain information in respect of their service.

Ofcom may give notices to a U2U service requiring the service to use technology to identify child sexual abuse content communicated publicly or privately via the service. Such notice can require the provider to make such changes to the design or operation of the service as necessary for the technology to be used effectively. The effect of these requirements is that private messaging services using end-to-end encryption could be expected to break that encryption to identify certain content. Service providers had previously suggested they would withdraw from the UK rather than take steps that would require weakening their privacy and security standards. During the OSA’s final stages through Parliament, a government spokesperson looked to provide assurance that “there is no intention by the Government to weaken the encryption technology used by platforms, and we have built strong safeguards into the Bill to ensure that users’ privacy is protected.” However, how this issue is approached in practice remains to be seen.

Ofcom and the ICO released a joint statement in November 2022 confirming that they will work collaboratively to ensure coherence between the online safety regime and the UK’s existing data protection regime. From a data protection perspective, service providers should not disregard their data protection obligations when seeking to comply with their online safety responsibilities. Co-operation between both regulators could result in dual action being taken against a service provider where failure to comply with the OSA reveals a breach of data protection law (or vice versa).

What are the consequences of non-compliance with the law?

Penalties under the OSA are not insubstantial. Fines can reach levels of up to £18 million or 10% of a businesses’ qualifying worldwide revenue. For comparison, fines under the UK GDPR are limited to the greater of £17.5 million or (in the case of an undertaking) 4% of that undertaking’s total worldwide annual turnover of the preceding financial year.

Appointed senior managers may also face personal liability under the OSA. This can arise where Ofcom issues an information notice to any regulated U2U or search service which would, among other things, require the company to appoint a senior manager who may reasonably be expected to be in a position to ensure compliance with the notice. For certain offences, where the named senior manager fails to take all reasonable steps to prevent an offence being committed, the senior manager commits an offence themself. Certain offences under the OSA also carry liability for corporate officers (e.g. directors, managers, secretaries) where an offence is committed by a company with the consent of the corporate officer, or is attributable to any neglect on their part.

Does the EU have anything similar?

The Digital Services Act (DSA) entered into force across the EU on 16 November 2022, with most provisions applying from 17 February 2024 (although for Very Large Online Platforms, certain obligations commenced from 25 August 2023). The DSA, much like the OSA, seeks to address (among other things) the dissemination of illegal content and disinformation, as well as encouraging transparent advertising practices.

The DSA introduced a harmonised approach across the EU to controlling content online (particularly at a technological level); the OSA arguably goes further in targeting specific identifiable illegal content and seeking to address the issues pertaining to online safety at their core.

Obligations under the DSA include an expectation of compliance with orders from national authorities to act against illegal content (but not to actively monitor such content). Similar to what is expected of Category 1 Services under the OSA, certain services under the DSA are expected to implement mechanisms to allow third parties to report alleged illegal content on their platforms to implement procedures to manage complaints in respect of content removed from the platform. Very Large Online Platforms under the DSA (equivalent to Category 1 Services) are required to undertake annual risk assessments comparable to those imposed on services under the OSA, and are subject to comparably enhanced supervision.

What are some of the commercial impacts of the OSA?

Whilst the true impact of the OSA may not be felt until mid-2024 at the earliest, service providers should already be considering whether they are in scope of the OSA. It is important to remember that it is not just the big social media firms in scope of the OSA. If a service provider considers that they are in scope of the OSA, they should review relevant guidance as it is released and consider what steps are required to comply with the proposed regime. Service providers already complying with the DSA may benefit from mapping the OSA against the DSA and determining the extent to which obligations under the OSA area already being met.

Service providers are expected to make changes to their technical operations (including algorithms), policies and procedures to account for the new regime. This will require a comprehensive review of the service’s terms of use; terms of service; and technical functions (among other things). Category 1 Services for instance will need to consider whether their content moderation functions are adequate in the face of the OSA and if not, will need to alter the design of their service.

In addition to reputational concerns, with the regime of fines potentially exceeding those under the GDPR, compliance with the OSA will feature in the context of due diligence exercises.Businesses will need to be particularly alive to the acquisition of possible liabilities under the OSA in the same way one would typically seek to draw out possible liabilities in respect of the GDPR.

Ofcom has estimated its own costs in preparing for the OSA could reach close to £170 million by the end of 2025, with initial estimates predicting an overall implementation cost for businesses of (cumulatively) over £2 billion. The exercise of complying with the OSA will not be a simple nor a quick one for businesses, and users (whether individuals or corporates) of services can expect to be faced with changes to terms and conditions under which they use such services. As one of the first pieces of legislation governing online safety globally, the effectiveness and practicalities of complying with and enforcing the OSA (given its scale) are hard to predict; it is hoped that Ofcom’s guidance in respect of compliance will give assurance to U2U and search services in approaching compliance with the OSA.

As more guidance is published by Ofcom, services will gain a more detailed picture of expectations under the OSA. In the meantime, businesses should ascertain whether the regime applies to them and, if so, ready themselves for an extensive compliance exercise.