Following the Online Safety Act receiving Royal Assent on the 26th October 2023, the UK has taken a decisive step in requiring providers of certain online services to protect those in the country from specified online harms. This article summarises the immediate next steps and what to expect from the UK regulator enforcing the Act, Ofcom.
Most provisions of the Online Safety Act (“OSA”) are now in force. As such we expect Ofcom has begun to request information from certain companies, including information about their revenues to help determine fees, and they have begun to carry out consultations on draft Codes of Conduct and guidance. However, the first general compliance deadline for the OSA, where Ofcom will start requiring all companies in scope to take proactive steps to comply with the act, will not be felt until late this year. Which proactive steps are required will be guided by the outcome of the consultations, which we detail further below.
The OSA in brief
A major component of the OSA’s obligations will require relevant services to complete a risk assessment of the level of exposure its user base has to certain online harms, coupled with a requirement to implement proportionate measures, systems and processes in order to minimise those risks.
Within this broad requirement, Ofcom will publish codes of practice (“Codes”) to provide compliance steps which will help companies meet the requirements of the OSA, whilst also reducing risk and compliance cost. Services that follow the measures in the Codes will be deemed to have complied with the relevant legal duties.
Companies are able to deviate from the Codes and select their own measures to achieve compliance with their duties under the OSA. If they select this option, they will need to justify their measures and how they achieve compliance with the OSA. However, in doing so, these companies may use the associated guidance published alongside the Codes to understand Ofcom’s stance behind the Codes and their views of the act. The publication of the guidance will also herald the start of the official enforcement of the act (with the first set of risk assessments needing to be completed within 3 months of the guidance coming into force).
For any company which fails to comply with their duties under the act, without managing to justify their actions to Ofcom, the penalties can be severe. The OSA specifies a maximum penalty of £18m (or 10% of global turnover, if higher) – which is more than that specified under the similarly stringent GDPR – and gives Ofcom the power to seek a court order to prevent the provision of a non-compliant service, for example through blocking a website from being accessible in the UK.
Since compliance with the Codes and the guidance will be the easiest way to avoid such penalties, Ofcom is expected to genuinely appreciate input from affected services on what is feasible in terms of compliance with the OSA, particularly as many of the provisions of the act require an appropriate and proportionate response considering the service in question and the outcome of risk assessments.
We expect the upcoming OSA consultations to be of interest to a broad variety of companies seeking to submit their views. Doing so will hopefully help steer Ofcom towards the right balance between ensuring compliance with the OSA, whilst keeping expectations on companies feasible and reasonable to comply with.
As such the remainder of this article goes through Ofcom’s statements so far, in particular their roadmap, setting out what is coming and when, and what providers of relevant online services should be looking out for.
Ongoing OSA consultations
Phase one: Illegal Harms
Consultation on codes and guidance open now until 23 February 2024
Ofcom is starting off by focusing on Illegal Harms, as the most serious category in the OSA. This covers procedures that providers need to put in place to prevent fraud, terrorism, and sexual exploitation and abuse of children.
The draft codes and guidance have already been put out to a public consultation, and are currently being analysed by Bird & Bird. In summary the guidance consists of:
Guidance on Illegal content risk assessments
This includes guidance on which illegal harms to consider and the procedure to assess the risk of each of these on the basis of likelihood and impact.
Code of Practice on specific measures Ofcom would expect to see service providers implement.
This is separated out based on what type of service the provider offers, namely “user-to-user” or search services, and whether they are a large or small provider. In some cases, providers are expected to take specific measures only if they have identified a risk of illegal harm of a particular type occurring on their site, highlighting the importance of a careful risk assessment to determine (and justify) exactly whether certain measures are or are not required.
Guidance on judgement of illegal content
Illegal Harms also carries a requirement on service providers to promptly remove content when reported. As such this guidance covers how to handle this duty, including how to make a prompt assessment of whether the content must be removed or not.
Other Guidance
This guidance also covers other administrative matters such as record keeping for duties under the OSA, further guidance on Ofcom’s enforcement plans, and on the distinction between content communicated “publicly” and “privately” (as Ofcom cannot require measures to be taken which involve analysing the latter).
Phase two: Child safety, pornography, and protecting women and girls
Consultation on age verification/estimation to prevent children accessing pornography is open now until 5 March 2024
The next phase will be a string of three pieces of guidance, covering the three umbrella categories of legal content which will be regulated by the OSA. These are:
Services which host pornographic content
This guidance will apply only to a narrow category of service providers, who directly make pornographic content available on their site (as opposed to services which enable users to share such content). The draft of this guidance is already available, as part of the ongoing consultation covered above.
Child Safety
This will be a particularly significant set of Codes, covering children’s access assessments, which all services will need to complete, and the rules around content which is harmful to children. This is among the vaguer parts of the OSA, for instance: the inclusion of content that presents “a material risk of significant harm to an appreciable number of children in the UK” could stray into the “legal but harmful” elements of online content that may be regulated by the act. The consultation on this Code is expected in Spring 2024.
Protecting Women and Girls
This guidance (and the prior consultation, which is expected in Spring 2025) will be published after much of the other Codes/guidance is already in force. It will supplement the other guidance by drawing particular attention to considerations and steps providers should take to protect women and girls.
Phase three: Categorised Platforms
Call for evidence early 2024, Consultation on guidance opens mid-2024
This category of work will cover guidance for further requirements which are to be placed on a list of categorised services, which meet thresholds to be set by an upcoming statutory instrument (due in Summer 2024). These thresholds will be based around factors such as the number of users and functionality of the service, and the requirements include further transparency obligations and user empowerment tools (such as granting all users the ability to filter out violent content).
Bird & Bird is continuing to assist clients digesting the OSA and its implications for them as well as the avenues to engage with Ofcom as part of their consultations outlined above. If you are a service which is potentially in scope and would like to understand the implications of the OSA for your business, please reach out for help preparing for the OSA’s implementation.