With a flurry of recent news stories looking at the role of the internet in our society and how it can be made a safer space for all to use, Adele Shepherd and Imelda Kavanagh look at the role of the Online Safety Act 2023 and how it will seek to protect internet users from harmful content. 

What is the Online Safety Act 2023?

The Online Safety Act (the 'OSA') received Royal Assent on 26 October 2023. The OSA aims to make the UK the safest place in the world to be online and to regulate the relationship that users have with the internet.

The OSA has come about as a result of the increased awareness of the dangers and risks posed by harmful content on the internet, and a greater understanding of the role played by online intermediaries (such as user-to-user services and search engines) in influencing users.

As a result of the changes to be imposed by the OSA, regulated service providers will become primarily responsible for harmful or illegal content shared on their platforms. This is a step change from the previous position where primary liability lay with the users who published the content and the service provider only had a duty to take steps to remove illegal or harmful content once notified. 

The OSA will see a shift to regulated service providers being more proactive, having procedures in place to actively prevent the creation of content online that is harmful or illegal, and to swiftly take down such content.

When the OSA is fully implemented, OFCOM will have the power to fine regulated service providers up to £18 million or 10% of worldwide revenue (whichever is greater) for instances of non-compliance with the obligations imposed by the OSA.

Who does the OSA apply to?

Following OFCOM's recent consultation on the OSA, it is anticipated that more than 100,000 online services could be in scope from a diverse range of sectors including, among others, social media, dating, gaming and adult services[1].

The OSA applies to providers of certain regulated services within the UK and will also include providers who are located outside of the UK, but who target the UK or have a significant number of UK users.

Regulated services include:

  1. user-to-user services, which include internet services that allow content to be generated, uploaded to or shared on the service by a user, and to be encountered by another user or users. Examples of user-to-user services range from social media platforms and messaging services to discussion forums and Q&A services, so the application could be fairly broad across a range of clients and sectors;
  2. search services, meaning services that are, or which include, a search engine; and
  3. services which publish pornographic content.

Some services are exempt from the requirements of the OSA including services limited to email, SMS and MMS, services limited to enabling comments and reviews on provider content only, and services provided by public bodies.

But not all services will be treated equally; the type of regulated service, and the type of content shared, will be prioritised and categorised under the OSA, with additional duties being applied to those services that are likely to be accessed by children and which pose the highest risk. It is anticipated that most services will fall outside of the top categories.

What are the requirements of the OSA?

The main aim of the OSA is to protect children and to tackle illegal online content. The OSA imposes duties of care on providers of all regulated services to help achieve its objectives.

The key requirements are likely to include:

Take down:

  • removal of illegal content;
  • taking down of material that is not illegal, but which breaches the service's terms of use; and
  • providing adult users with greater choice over the content they see and/or engage with.

Risk Assessments:

  • completing illegal content risk assessments which assess the relevant user base, the level of risk of access to content that is illegal or harmful to children, and the risks of harm;
  • risk assessments will need to be completed within 3 months of OFCOM finalising its guidance (which is expected by the end of 2024); and
  • risk assessments will need to be kept under review and up to date.

Processes and procedures:

  • promoting active safeguarding by implementing proportionate measures, systems and processes to prevent access to harmful content;
  • mitigating and managing the risks and the presence of harmful content; and
  • setting up robust complaint and content reporting mechanisms.

Terms of Service:

  • putting in place terms of service that are transparent about the approach to safeguarding; and
  • including provisions on how users are protected from illegal content, how any proactive technology is used, and how relevant complaints are reported, handled and resolved.

The role of OFCOM

Compliance with the OSA will be regulated by OFCOM, which will be the regulator of online safety, with the primary responsibility of helping to make online services safer for users.

In addition to the media and telecoms work that OFCOM carries out, it now has a responsibility to produce Codes of Practice to supplement the provisions of the OSA. The Codes of Practice will plug the gaps in detail left by the OSA, and online intermediaries will be treated as having complied with their duties if they take or use the measures described by OFCOM in a relevant Code of Practice.

OFCOM has set out a three-phase implementation roadmap for the guidance and Codes of Practice:

  1. Phase one: illegal harm duties – this will involve proposals for how services can comply with the illegal content safety duties. Draft guidance has been published, with the final guidance and code of practice expected towards the end of 2024;
  2. Phase two: child safety, pornography and protecting women and girls – this will set out guidance for services that host pornographic content and will involve consultations and guidance relating to the child safety duties and protecting women and girls; and
  3. Phase three: additional duties for categorised services – this will relate to additional duties imposed on regulated services designated as category services. OFCOM will also publish a register of category services.

OFCOM has also been given wide-ranging powers of investigation and enforcement in the event of non-compliance by regulated service providers and can impose fines of up to £18 million or 10% of worldwide revenue, whichever is greater.

Next steps

Much of the OSA is not yet in force and will not be brought into force until various guidance and Codes of Practice have been made by OFCOM and the Secretary of State.

However, if you manage an online platform that allows user generated content, or which includes a search function, there are a number of practical steps which you can take in advance to help keep your business and users safe.

If you own or manage a regulated service and would like further information on your new responsibilities under the OSA, please contact us for expert advice that will help ensure you and your services are OSA compliant.


[1] See Ofcom: Volume 1, Illegal harms consultation (9 November 2023).