What you need to know about the UK’s Online Safety Act

We take a detailed look at the Online Safety Act’s key provisions and the new powers given to OFCOM.

The Online Safety Act (OSA) is the UK’s comprehensive legislation intended to ensure the safety of online users. It places specific obligations upon various online service providers to this end. The OSA received Royal Assent on October 26, 2023, following a number of revisions. The majority of its provisions are expected to come into effect within the next two months.

The OSA has five objectives:

  1. to increase user safety online;
  2. to preserve and enhance freedom of speech;
  3. to improve law enforcement agencies’ ability to tackle illegal content online;
  4. to improve users’ ability to keep themselves safe online;
  5. to improve society’s understanding of online threats.

OFCOM, the UK authority for broadcasting, telecommunications and postal industries, is tasked with enforcement of the OSA. This will widen its regulatory role significantly.

Timeline

The OSA originated with the publication of the Online Harms White Paper in 2019, which set out the Government’s plans for measures to keep UK users safe online. This included the first indication of the Government’s proposals to legally establish a new duty of care for online services and to appoint an independent regulator to oversee online safety.

The Government announced that it was minded to appoint OFCOM as the regulator for online safety in February 2020. A first draft of the OSA was introduced as a Bill in May 2021. This draft was amended heavily before finally achieving Royal Assent.

Indeed, the Bill had already changed significantly before its first reading in March 2022. Key amendments during the Bill’s passage through parliament included additions in respect of journalistic content, adult safety and illegal content, the introduction of user empowerment tools, additional offences, and a requirement for the largest providers of online services to remove or restrict access to legal content when this was consistent with their terms of service.

The third reading of the Bill was carried out on September 19, 2023, with the Bill finally receiving Royal Assent on October 26, when it became the Online Safety Act.

In-scope services

The OSA applies to the following services, providing they have links with the UK and are not exempt.

  1. User-to-user services. These are internet services through which user-generated content may be encountered by other users through the platform, such as websites or applications (for example, Instagram or Facebook). Content captures anything communicable by means of an internet service. “Users” are also undefined; the OSA simply outlines those who are not users. “Encountered” includes any way a user experiences content, including hearing, seeing or reading. The length of time that content is available is irrelevant. Accordingly, the definition is broad; many services and functionalities will be caught by this definition.
  2. Search services. These are services that offer search functionality. The definition of a search service is broad, including any functionality permitting a user to search multiple websites or databases. “Searching” goes beyond typing search terms into a search box; it can include reading through a list of contents and using tags or metadata to filter content.
  3. Pornographic content services. The OSA is also applicable to services that provide pornographic content.

Links with the UK

The OSA is also applicable to services based outside the UK. To have “links with the UK” the service must meet any of the following criteria:

  1. the service hosts a significant number of UK users;
  2. UK users constitute the sole or primary target market for the service; or
  3. the service is capable of use within the UK, with reasonable grounds to believe the user-generated content on the service provides a material risk of significant harm to individuals within the UK.

Exempt services include services provided by public bodies in exercising their public functions, services comprising internal business resources or user-to-user services with limited functionalities.

Impact on Services

The impact of the OSA on online services will differ according to how that particular service is categorised. The OSA introduces the following categories, which are still due to be outlined definitively in secondary legislation:

  1. Category 1. These are user-to-user services that will meet certain thresholds (due to be defined in secondary legislation) relating to user quantity, service functionality and other factors.
  2. Category 2A. These are search services that will meet certain threshold conditions due to be defined in secondary legislation.
  3. Category 2B. These are user-to-user services that will meet certain threshold conditions due to be defined in secondary legislation.

More onerous obligations will be applicable to Category 1 services owing to their higher potential as sources of harm.

Children

The OSA also provides additional obligations for user-to-user services and search services likely to be accessed by children. This includes services where: 

  1. it is possible for children to access the service or a part of the service; and
  2. there is a significant number of children who are users of the service or part of the service, or the service or part of the service is of a kind likely to attract a significant number of users who are children (the “child user condition”).

Services potentially in-scope must conduct a children’s access assessment to assess whether these conditions are met.

Obligations: legal and transparency

All user-to-user services and search services will have certain obligations under the Act. These are as follows:

  1. Duties to carry out suitable and sufficient illegal content risk assessments. This will involve providers of online services maintaining up-to-date risk assessment processes, accounting for any changes to risk profiles by OFCOM. These duties also include the requirement to have in place effective risk management processes to mitigate these risks.
  2. Duties regarding illegal content and priority illegal content. Online services will need to take proportionate measures to mitigate and manage risk in relation to illegal content, which importantly will involve preventing users from encountering such content on their services at the outset. This marks a significant change; online service providers were previously only required to act rapidly in removing unlawful content once they were put on notice of the presence of such content. Services must also include provisions in their terms of service to indicate how they are protecting users, and these provisions must be clear and accessible to users. Priority illegal content includes the most serious and prevalent illegal content online.
  3. Duties regarding transparency, reporting and redress. Services will need to operate comprehensible methods of easily reporting illegal content, as well as operating an accessible complaints procedure for users. Notably, this complaints procedure will also have scope for the removal of content. Records of risk assessments must be kept, alongside any reports of illegal content. OFCOM has powers around requiring information about use of a service in regard to the death of a child.
  4. Duties regarding protection of certain content and rights. Services must have regard to users’ right to freedom of expression and to their privacy rights, including relating to data protection.

Additional obligations: Category 1 services

Category 1 services will have additional obligations including:

  1. Duties in regard to adult user empowerment. This duty involves a responsibility to carry out risk assessments relating to adult user content (which includes content encouraging suicide, self-injury, eating disorders and behaviors or content which is abusive). Services must carry out risk assessments in relation to ‘adult user empowerment’ which permits users to control and manage harmful material they see online. Services must include proportionate features to allow adult users to reduce the likelihood of encountering adult user content.
  2. Duties in regard to identity verification. Category 1 services are required to offer all adult users of the service the option to verify their identity.
  3. Duties in regard to fraudulent advertising. This duty will require services to prevent individuals from encountering fraudulent advertisements, minimise the length of time for which fraudulent advertisements are visible and swiftly remove fraudulent adverts once reported. Category 2A services have comparable obligations.

Additional obligations: Children

Services likely to be accessed by children will have additional obligations including:

  1. Duties regarding children’s risk assessment. Services must carry out suitable and sufficient children’s risk assessments and keep these up to date.
  2. Duties in regard to the design or operation of the service. Services must take or use proportionate measures relating to the design or operation of the service in order to reduce the effects of the level of risk of harm that might be suffered by children.
  3. Duties in regard to operating services designed to prevent children from encountering harmful content. Services should utilize age verification or age estimation to prevent children from encountering such content.
  4. Duties in regard to terms of service. Services must summarize in the terms of service the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children).

All of the above duties are caveated by what is reasonable for the size and capacity of the online services provider in question.

OFCOM

As discussed, OFCOM will be the key regulatory authority in regard to enforcement of the OSA. OFCOM will have the power to impose fines of the higher of £18m ($22.5m) or 10% of global annual turnover, should companies fail to comply with the new rules.

OFCOM is due to release further publications in regard to the OSA, which might change the position of organizations. These include the following:

  1. Codes of Practice; these make up a large portion of the OSA in relation to specified duties which are imposed upon online services. The Codes will describe the measures recommended for compliance with these specified duties.
  2. Details of Risk Assessments; under the Act, online services will be required to carry out risk assessments in relation to potential harms faced by users on their sites. OFCOM is still due to confirm the details of these assessments.

Key preparatory work is being undertaken by OFCOM in regard to implementing online protections within the UK. It will roll out this work in three phases:

  1. Phase One: Illegal Harms Duties.
  2. Phase Two: Child Safety Duties and Pornography.
  3. Phase Three: Transparency, User Empowerment, and Other Duties on Categorised Platforms.

The first draft Codes of Practice, with the subject matter of illegal harms, were published on November 9, 2023. These have triggered a consultation focusing on OFCOM’s proposals for how user-to-user services and search services should approach their new duties relating to illegal content. The deadline for responses is February 23, 2024.

Businesses should take measures to ensure they comprehend the implications of the OSA fully and are capable of implementing any required changes as soon as possible. Additionally, businesses should be aware that their position in regard to the practical implementation of aspects of the OSA may change as OFCOM commences its preparatory work in this area.

David Varney is a partner in the technology team at Burges Salmon and advises on a range of data protection, technology, intellectual property and commercial matters for clients in a number of sectors, including technology, financial services, media, retail and energy.