On 16 December 2024, Ofcom published its Statement on protecting people from illegal harms online. This is a decision on the Illegal Harms Codes and guidance which set out what user-to-user and search service providers need to do to comply with their illegal harms safety duties under the UK's Online Safety Act.
The compliance clock is now ticking. In-scope providers must assess the risk of illegal harms on their services by 16 March 2025. The Codes of Practice are expected to complete the Parliamentary process in time for the 17 March 2025 deadline at which point the illegal harms safety duties become enforceable by Ofcom. This means that providers need to take the safety measures set out in the Codes or use other effective measures to protect users from illegal content and activity. Ofcom is "ready to take enforcement action if providers do not act promptly to address the risk on their services".
The Codes and guidance have been subject to consultation which has actually increased their length and there is a bewildering range of (in some cases lengthy) regulatory documents to assess and absorb including:
The Codes of Practice are not in force until they have been laid before Parliament by the Secretary of State, but the majority of the documents come into force immediately.
To help services navigate the documents, Ofcom has reviewed the presentation and structure of the documents, produced some online tools to help service providers understand whether they are in scope and the steps they need to take to comply, and pointed different types of providers towards the best places to start.
The regulatory documents and their annexes are part of the Illegal Harms Statement which is broken down into Overview and Context Documents and also contains three main volumes which set out Ofcom's reasoning. The context chapters cover:
The three volumes cover Governance and Risk Management, Service Design and User Choice and Transparency and trust and other guidance.
What does this mean for you?
Those services which looked closely at Ofcom's draft documents will find that Ofcom's overall approach has not changed dramatically. Changes appear, for the most part, designed to help clarification rather than to introduce unexpected measures. Services must now re-confirm whether they are in scope and then begin to complete risk assessments and prepare for compliance by mid-March 2025. Services are not required to implement the applicable Code of Practice in order to comply but will be treated as having complied with relevant duties under the OSA if they do. If services take alternative measures, the onus will be on them to demonstrate these are sufficient to achieve compliance, so, for the vast majority of in-scope services, the Codes of Practice and related regulatory documents and guidance will be the easiest route to compliance.
Find out more
Our full range of insights into the UK's Online Safety Act and the EU's Digital Services Act can be found here and there will be more to come! Sign up to receive content here, or reach out to a member of our online safety team or your usual Taylor Wessing contact.