Debbie Heywood

Senior Professional Support Lawyer

Read More

Debbie Heywood

Senior Professional Support Lawyer

Read More

30. Juli 2021

Download – Online Safety Bill – 6 von 6 Insights

Regulating and enforcing the Online Safety Bill – Ofcom's powers and duties

  • Briefing

The Online Safety Bill (OSB) will introduce a statutory duty of care on providers of certain user-to-user and search services, to protect their users from harm. It contains wide ranging and complex obligations, adopting a risk-based approach which may make it hard for providers to understand whether they are caught and what to do if they are.

Enter Ofcom, which will be overseeing and enforcing the regime – giving it significantly increased responsibilities and powers, not least of which is the ability to fine companies up to £18 million or 10% of qualifying revenue if they fail in their new duty of care.

Risk assessments and profiles

Perhaps the starting point for the entire Online Safety regime is the requirement on Ofcom to carry out risk assessment profiles. First, risk of harm to individuals presented by regulated services must be identified, assessed and understood, considering levels and different kinds of risk posed by illegal content to UK individuals, and by harmful content to children and to adults.

Ofcom must then develop risk profiles for different types of regulated services based on the characteristics of the service including functionality, user base, business model, governance and systems. It will be required to produce guidance to accompany these profiles.

This is crucially important as it is against these risk profiles, that companies will need to self-assess to decide where they fit in and what they need to do.

Register of regulated services

In-scope businesses will be categorised by Ofcom according to the number of users of a service, its functionalities and the risk of harmful content spreading. The highest risk user-user services (most likely the largest social media companies) will be in Category 1, while other services will be placed into Categories 2A and B if they meet user and functionality criteria and the relevant conditions for categorisation set out in Annex 4.

It's Ofcom's job to establish and maintain a register of regulated services by category of services they consider likely to meet the respective category criteria. This means that it is Ofcom which makes the initial decision about in-scope service providers, although its decisions can be appealed.

Ofcom also has powers to impose fees on regulated service providers. Companies above a (to be determined) threshold based on global annual revenue will have to notify Ofcom and pay an annual fee. The threshold is likely to be high enough to mean this will only apply to a small number of businesses.

Guidance and Codes of Practice

The Online Safety Bill places considerable emphasis on a risk-based approach. This makes sense given the vast array of content and services it potentially covers, but that also makes compliance a challenge. Again, it's Ofcom's job to demystify the process.

In addition to all sorts of guidance on, for example, risk profiles and elements like technology transfer assessments and enforcement powers (see below), Ofcom is required to produce Codes of Practice setting out steps to help providers of regulated services comply with their duties regarding terrorism content and CSEA (Child Sexual Exploitation and Abuse) content, as well as other aspects of compliance. 

Until this additional material is produced, it is difficult for service providers to understand exactly what is required of them although the UK government published Interim Codes of Practice in December 2020. This is partly because the OSB itself is an extremely lengthy piece of legislation, but also because flesh needs to be added to the bones of the definitions and outline obligations. Hopefully, this is what Ofcom's guidance and Codes of Practice will provide in due course.

Use of technology notices

Where Ofcom has reason to believe a provider of a regulated service provider is not complying with its duties in relation to illegal terrorism or CSEA content, it can require the provider to use specific technology to help it identify and remove the content. 

The process starts with Ofcom issuing a warning notice. The provider has a period of time in which to make representations, after which, Ofcom can issue the notice itself if necessary. Under the notice, the provider will be required to use specific technology accredited by Ofcom (or a body appointed by Ofcom). If the provider is already using it, then Ofcom can specify how to use it more effectively. It can also issue further technology notices requiring additional or alternative technology be used.

All notices must contain stipulated information and can last for up to 36 months. They can only place requirements on regulated services in the UK or as they impact UK users. Ofcom must publish guidance about use of technology notices, and an annual report about the exercise of its functions in relation to them, and setting out technology which meets or is being developed to meet required standards.

Information, investigations and interviews

Ofcom has the power to request information from pretty much anyone it thinks can provide the information required to help it carry out or decide how to carry out its duties under the OSB. It may also require a relevant senior manager to be named.

There are various offences associated with failure to provide information or providing knowingly or recklessly false information. Named individuals can also commit offences and be liable for the company's failures.

Ofcom may also commission reports on compliance failures to help it understand risk and ways to mitigate that risk, and require interviews as part of investigations into compliance failures, which it can compel providers to participate in.

Enforcement powers

Ofcom has a wide range of enforcement powers under the legislation. These include:

  • Enforcement notices – these can be issued to service providers and individuals. In relation to terrorist and CSEA content, they may be accompanied by a use of technology notice. Enforcement notices must set out which enforceable requirements (as set out in the legislation) need to be complied with. A provisional notice will precede a confirmation decision which can be issued where there has been a failure to remedy the issue identified in the provisional notice.
  • Penalties – penalties of up to 10% of annual global qualifying revenue or £18 million (whichever is higher) can be imposed by a confirmation decision or a penalty notice.
  • Business disruption measures – Ofcom may apply to the court for a service restriction order to impose requirements on a provider of a regulated service or one ancillary to it. It can also apply for access restriction orders where a service restriction or interim service restriction order did not fail to prevent significant harm to individuals in the UK or would be unlikely to do so if made.

Ofcom is required to publish details of enforcement actions, unless they are commercially sensitive or otherwise inappropriate for publication in Ofcom's opinion. It is also required to publish guidance on how it intends to use its enforcement powers.

Committees, reports, transparency and promotion of media literacy

Ofcom has several wider policy-focused duties to carry out as a result of the OSB.

It is required to set up an advisory committee on disinformation and misinformation to provide advice to Ofcom on dealing with those issues. It also has to carry out research and produce transparency reports summarising its conclusions on patterns and trends, steps considered to be good practice, and anything else relevant. This is in addition to its annual report and other reports it is required or chooses to make on online safety matters.

Finally, it has a duty to promote media literacy which involves identifying and taking any steps it thinks appropriate as well as, of course, producing guidance.

Appeals and super-complaints

Ofcom's decisions are subject to appeal. 

Eligible entities (to be determined under regulations) can also make a complaint to Ofcom that any feature of one or more regulated services or the conduct of service providers presents material risk of significant harm to users, freedom of expression, privacy or any other significant adverse effect. 

Complaints can be made against a single regulated service or provider only where Ofcom considers the complaint is particularly important or relates to a particularly large number of users or members of the public.

Again, Ofcom will be required to publish guidance.

Regulating a risk-based approach

We're increasingly seeing legislation take a risk-based approach, particularly where complex technology or issues are involved and where a wide range of use cases are covered, from the GDPR to the EC's draft AI Regulation. The OSB follows the same approach.

This places a considerable burden on the appointed regulator (Ofcom in this case). This is partly administrative, but also policy-based, as guidance and Codes of Practice develop to help companies understand the nuance of compliance.

Ofcom has welcomed its new role, but there is no doubt it will add considerably to its workload given the scale and complexity of regulating not just illegal but also harmful online content.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Technology, Media & Communications team.

In dieser Serie

Technology, Media & Communications

Online Safety Bill – are you caught?


von Louise Popple

Technology, Media & Communications

Online Safety Bill – illegal and harmful content and safety duties

In-depth analysis

von Xuyang Zhu

Technology, Media & Communications

Risk assessments under the Online Safety Bill

Quick read

von Mark Owen

Technology, Media & Communications

The regulation of child safety online – an update

In-depth analysis

von Jo Joyce, Alex Walton

Call To Action Arrow Image


Wählen Sie aus unserem Angebot Ihre Interessen aus!

Jetzt abonnieren
Jetzt abonnieren

Related Insights

Technology, Media & Communications

How do you provide ranking transparency under the P2BR?

15. Februar 2021
In-depth analysis

von Debbie Heywood

Klicken Sie hier für Details
Data centre
Technology, Media & Communications

How will the P2B Regulation work and be enforced in the UK?

20. Juli 2020

von Debbie Heywood

Klicken Sie hier für Details
Technology, Media & Communications

ICO says future of 'Real Time Bidding' in Adtech "is in the balance"

17. Februar 2020

von mehreren Autoren

Klicken Sie hier für Details