What's the issue?

The UK's Online Safety Act (OSA) received Royal Assent on 26 October 2023. Ofcom's powers have come in immediately but most of the rest of the provisions will be brought into force in two months' time. Much of the detail around compliance under the OSA will be provided by codes of practice and guidance, and Ofcom has now published its first OSA consultation on protecting people from illegal harms online.

What is the OSA?

The OSA focuses on user-generated content (subject to limited exceptions) and applies to user-to-user services and search services as well as pornographic content services. The OSA regulates illegal content and certain specified types of harmful content, focusing especially on content harmful to children on services likely to be accessed by them. Terrorism and Child Sexual Exploitation and Abuse (CSEA) content are a particular focus, but a range of harmful content is also covered in specified circumstances. In relation to the most harmful type of content likely to be accessed by children, age verification/estimation must be used (subject to a limited exception).

The OSA applies to services which have links to the UK. Various safety duties apply to different categories of content. In order to establish what services need to do, they have to carry out a variety of risk assessments against Ofcom risk profiles. Service providers also have transparency requirements and obligations to provide redress and are likely to to have to amend their terms and conditions. There are wider duties to protect freedom of expression and the right to privacy including personal data. 

Category 1 services (to be determined, but likely to be the larger social media services) and Category 2A and 2B services have additional duties.  In particular, Category 1 services have expanded duties to protect fundamental freedoms including content of democratic importance and news publisher content.  They also have to comply with adult user empowerment provisions which require them to give adults users options to prevent them encountering certain types of harmful content.

Ofcom is the regulator of the OSA.  It has extensive powers and duties. It is responsible for producing initial risk profiles and a raft of codes of practice and guidance which will inform how service providers are supposed to comply with the OSA, as well as a range of reports on the impact and operation of the OSA.  The process of introducing these (as set out in Ofcom's revised approach to implementing the OSA) is likely to take at least three years with everything subject to consultation and much of it dependent on the introduction of secondary legislation.  Ultimately, Ofcom will have a range of enforcement powers including the ability to fine organisations the higher of up to £18m or 10% of global annual turnover.  The OSA is very wide-ranging and Ofcom estimates that around 100,000 online services could be in scope.

Ofcom's consultation on protecting people from illegal harms online

Ofcom published its consultation on protecting people from illegal harms online on 9 November 2023. This is the first of four major consultations planned by Ofcom over the next 18 months under the OSA.

What's in the consultation?

The consultation focuses on:

• the causes and impacts of illegal harms
• how services should assess and mitigate the risk of illegal harms
• how services can identify illegal content
• Ofcom's approach to enforcement.

As part of this, Ofcom has also published first draft codes of practice and associated guidance which will form the bedrock of compliance with the illegal harms regime. These cover:

• draft service risk assessment guidance
• draft guidance on record keeping and review
• draft illegal content codes of practice for user-to-user and search services
• draft guidance on content communicated ‘publicly’ and ‘privately’ under the Online Safety Act
• draft guidance on judgement for illegal content
• draft enforcement guidance.

Helpfully Ofcom has provided a 15-page at a glance summary which is comprised mostly of a table setting out which obligations apply to different types of organisation classified by size and risk level,  and a summary of each chapter which provide the best way in. Measures proposed for services are broken down into which measures are likely to apply to services based on their size, and the level of risk for illegal harms, classified by Ofcom as either low risk, specific risk, or multi-risk. Ofcom proposes defining a service as large where it has an average user base of more than 7 million per month in the UK (roughly 10% of the UK's population).  Less helpfully, these classifications do not correlate to those for Category 1, 2A and 2B service providers which will be set out later under secondary legislation.  Organisations will need to refer to the Service Risk Assessment Guidance (Volume 3 and Annex 5) to help them identify which risk level each relevant service falls into.

Volume 2 of the consultation sets out the causes and impacts of online harm.  This is Ofcom's register of risks which form the basis for Ofcom's risk profiles (set out in Appendix A of Annex 5) and services are expected to refer to it when carrying out their own risk assessments relating to illegal harms. Ofcom highlights certain service types as playing a particularly prominent role in the spread of priority illegal content.  Notably, it says that file-storage and file-sharing services and adult services pose a particularly high risk of disseminating Child Sexual Abuse Material (CSAM), and social media services play a role in the spread of an especially broad range of illegal harms.

Certain functionalities are also identified as posing particular risks, notably:

• end-to-end encryption
• pseudonymity and anonymity
• livestreaming
• recommender systems.

Ofcom has categorised priority illegal content into 15 categories:

• terrorism offences
• Child Sexual Exploitation and Abuse (CSEA) offences, including grooming and CSAM
• encouraging or assisting suicide (or attempted suicide) or serious self-harm offences
• harassment, stalking, threats and abuse offences
• hate offences
• controlling or coercive behaviour (CCB) offence
• drugs and psychoactive substances offences
• firearms and other weapons offences
• unlawful immigration and human trafficking offences
• sexual exploitation of adults offence
• extreme pornography offence
• intimate image abuse offences
• proceeds of crime offences
• fraud and financial services offences, and
• foreign interference offence.

A table setting out the individual offences set out in the OSA (including 130 priority offences) and the classification of the type of harm to which they relate is included in Annex B to in the Service Risk Assessment guidance (Annex 5).

As set out previously by Ofcom, it is proposing a four-step process for illegal content risk assessments:

• understand the harms
• assess the risk of harm
• decide measures, implement and record
• report, review and update risk assessments.

A range of different governance, risk mitigation and content moderation measures are recommended, again differing according to size of organisation and nature of risk and the type of service (u2u or search), but recommended measures to help combat priority illegal harms in scope of the OSA include:

• ensuring content moderation teams are appropriately resourced and trained
• having easy-to-use report and complaints procedures around illegal content
• allowing users to block other users or disable comments
• conducting tests when recommender systems are updated
• steps to make terms and conditions clear and accessible.

Ofcom suggests relevant services take targeted steps to combat CSEA, fraud and terrorism including:

• using hash matching to detect and remove known CSAM. There are no proposals which would involve breaking encryption but end-to-end encrypted services are still subject to all safety duties under the OSA
• taking steps to make it harder to groom children online, for example, default settings so that children do not appear in lists suggesting other users connect with them
• deploying keyword detection systems to help find and remove posts linked to the sale of stolen credentials with high-risk services to have dedicated fraud reporting channels
• transparency around account verification systems
• blocking accounts run by banned terrorist organisations.

The more onerous measures will be targeted only at services which are large and/or high risk.  Guidance around measures to combat violence against women and girls online will not be published until early 2025 as Ofcom recognises it needs to do more work in that area.

Draft illegal content judgements guidance provides guidance to services on how to identify whether or not a piece of content is likely to be illegal.  The guidance on the overall approach is 52 pages but the detail is set out in Annex 10 and runs to 390 pages.

What do you need to do now?

Ofcom anticipates around 100,000 services will need to consider the Online Safety Act. While many of the safety measures will only apply to the larger and higher-risk services, all in-scope services, even the smaller, lower-risk ones, will have a range of obligations, including risk assessment and mitigation, report and complaints and record-keeping. Most businesses will also need to make changes to their terms of service. Ofcom has published an overview and quick guides for online services setting out ‘what you need to know’  to help them understand the first steps. Those impacted by the OSA will need to look at the consultation and associated documents in full which is no easy task as they run to over one thousand pages.  Questions posed in the consultation are couched in broad terms and organisations which wish to respond need to do so by 5pm on 23 February 2024. 

What does this mean for you?

Understanding whether and to what extent you are in scope, assessing risk to users and putting in mitigation measures together with processes to comply with safety duties will be crucial. This is not least because of Ofcom's extensive enforcement powers. 

Once the consultation on illegal harms closes, Ofcom will consider the responses, review its proposals and publish a statement setting out its final decisions together with final versions of the above guidance and codes of practice. The statement is expected in Winter 2024 and services will then have three months to conduct their risk assessments. The codes of practice will be subject to Parliamentary approval and are expected to come into force by the end of 2024.  As such, in-scope service providers have some time to prepare for compliance around illegal harms, but now that they have more (albeit draft) detail, they can begin a more thorough assessment of what they will need to do.

The next phase of consultations will focus on child safety, pornographic content and protecting women and girls, and is expected in December 2023.

It's worth remembering that the UK is not the only country attempting to regulate the online environment. The EU's Digital Services Act (DSA), for example, covers similar but different ground. Businesses impacted by both sets of legislation will face a particularly complex set of compliance challenges.

Find out more

For more on what is covered by the OSA, see our Interface edition. We'll also be holding a webinar on 5 December when we'll look at the impact of the OSA on affected businesses in light of the Ofcom consultation, as well as in the context of the EU's Digital Services Act. Register your interest here.