The Online Safety Act (OSA) has broad application. Those with an online presence will need to scrutinise the online content and services they provide – including those provided intermittently and at a low level – to determine whether they are in scope.
What has happened?
The Online Safety Act is the UK's attempt to regulate the safety of users online. It imposes various duties on certain online service providers in relation to user-generated content. A first draft of the legislation was published in May 2021, building on the Online Harms White Paper that had gone before it. Following successive drafts, the legislation has now completed its Parliamentary passage and received Royal Assent on 26 October 2023.
While numerous amendments to the legislation were made along the way, the services within scope have largely remained the same. In fact, the only substantive changes that have occurred since a version of this article was previously published in June 2022, are that certain providers of education and childcare are now potentially exempt and the Secretary of State has power to regulate app stores in future if certain conditions are met.
Who is in scope?
The OSA applies to any:
- user-to-user service,
- search service, and
- pornographic content service,
that is regulated (meaning that it has "links with the UK" and is not "exempt").
These are considered in detail below (with the exception of pornographic content services which are beyond the scope of this article). However, it should be noted at the outset that a very broad range of service providers are caught.
User-to-user services
The definition of a user-to-user service is any "internet service by means of which content that is generated directly on the service by a user of the service or uploaded to or shared on the service by a user of the service, may be encountered by another user, or users, of the service".
The definition is very broad. In particular:
- An internet service is a service made available by means of the internet or a combination of the internet and an electronic communications service. It therefore covers websites, apps and other software. The fact that payment or subscription is required for such a service is irrelevant.
- Content means anything that can be communicated by means of an internet service, whether publicly or privately, including written materials or messages, oral communications, photographs, videos, visual images, music and data of any description. Webcam footage is therefore content (see government guidance), as is location information, and clicking on an emoji. Identifying information (content the function of which is to identify a user of an internet service, for example, a user name or profile picture) is largely excluded. Both public and private channels are covered (see government guidance).
- Any one act performed by a user – generating (directly on the site), uploading or sharing – suffices. This means that content uploaded/shared by a user irrespective of who generated that content is potentially within scope (although certain services have duties to protect news publisher and journalistic content). This should be kept in mind when auditing online content to determine whether the OSA applies. Helpfully, an amendment to an earlier draft of the OSA made clear that content generated by a user but uploaded by the service provider itself is not covered; the generating by the user has to occur directly on the site.
- The definition applies to content generated, uploaded or shared by a "user". However, there is no definition of "user". Instead, the OSA defines who are not users. These are any of the following when acting in the course of the provider's business: where the provider is an individual(s), that/those individual(s); where the provider is an entity, any officer(s) of the provider; persons who work for the provider (including as employees or volunteers); and any other person(s) providing a business service to the provider, such as a contractor, consultant or auditor. Everyone else appears to be a user. There is likely to be much debate about whether a person is "providing a business service to the provider" and is therefore exempt. Arguably, a variety of third parties could fall within this exemption but the inclusion of contractors, consultants and auditors as examples might suggest that it will be interpreted narrowly. Understanding the scope of this exemption will be important for many providers, most obviously listings websites and repositories.
- The requirement is that the user-generated content "may" be encountered by at least one other user – it does not have to be encountered in fact. "Encountered" is drafted broadly and includes reading, viewing, hearing or otherwise experiencing the content. It therefore incudes such things as one user watching another user play a video game. Content can be encountered if it is capable of being shared with another user by operation of a functionality of the service (such as a private messaging function). The fact that content may be available for a limited period of time only is irrelevant.
- It does not matter what proportion of content or a service falls within the definition of a user-to-user service – there is no de minimis requirement.
It should be clear from the above that a number of services and functionalities will fall within the definition of a user-to-user service. At its extreme, the OSA potentially catches a one-off online video presentation by one user to another. A careful review of online content should therefore be undertaken.
Search services
A search service is defined as any "internet service that is or includes a search engine". A search engine is a service or functionality that enables a person to search more than one website or database. There are provisions to help determine whether a user-to-user service which contains a search engine is to be classified as a user-to-user service or a search service and various provisions around combined services (any user-to-user service that contains a public search engine).
The following should be noted about the definition of a search service:
- The definition of what is a search engine is quite broad and effectively includes any service or functionality that allows a user to search more than one website or database. Searching can be by any means including by input of text, images or speech. Examples of "searching" in the government guidance include typing search terms into a search box, reading through a list of contents and using tags or meta data to filter content.
- Although not apparent from the definition of a search service, the duties imposed by the OSA appear only to apply to "regulated content" that may be encountered in or via search results, not other forms of content. This includes regulated content encountered as a result of interacting with search results (for example, by clicking on them). However, it does not include regulated content encountered as a result of subsequent interactions with an internet service other than the search service.
- A search engine is not to be taken to be "included" in an internet service or a user-to-user service if the search engine is controlled by a person who does not control other parts of the service.
The government says that offering search functionality can make it easier for people actively to seek out and find illegal/harmful content and can also present illegal/harmful content to people who are not actively seeking it. This is why search services have been included in the OSA. However, the OSA goes beyond large search engines. For example, a facility offered by an online provider that allows a user to search two databases would be caught (assuming those databases contain user-generated content).
Regulated services
A user-to-user service is a "regulated user-to-user service" and a search service is a "regulated search service" if the service has "links with the UK" and is not "exempt". We consider these terms next.
Links with the UK
The legislation has wide extra-territorial application. To be caught, a user-to-user service or search service must have links with the UK. A service has links with the UK if:
- it has a significant number of UK users, or
- UK users form one or the only target market for the service, or
- it is capable of being used in the UK by individuals and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK from user-generated content present (user-to-user services) or search content of the service (search services).
There is no indication of what constitutes a significant number of users. Whether a service targets the UK ought to be easier to determine given guidance on targeting in other areas of law (such as trade mark law).
Exempt services & content
The following services/content (or parts of services) are largely exempt:
- Any user-to-user service where the only user-generated content (other than "identifying content") enabled by the service is emails, SMS messages, MMS messages or a combination of SMS and MMS messages.
- Any user-to-user service with limited functionalities. Effectively, these are services where users are only able to communicate by posting comments or reviews on content published by the provider itself or a person on its behalf (provider content). Sharing such comments or reviews on a different internet service or expressing views on such comments or reviews or on the provider content itself by various specified means (such as by 'like' or 'dislike' buttons or applying emojis) is also exempt. Producing or displaying "identifying content" in relation to any of these categories is likewise exempt. The exemption is drafted quite narrowly and so care should be taken to ensure any 'below the line' content of this kind falls within the exemption.
- Any user-to-user service where the only user-generated content enabled by the service (other than identifying content) is one-to-one live aural communications. The communication must consist solely of real time speech or other sounds between two users of the service by means of the service. If other content, such as written messages, videos or visual images are included, the exemption does not apply. "Identifying content" is, again, acceptable.
- Any user-to-user service or search service provided by public bodies or by providers of education or childcare in exercising their public functions or for the purposes of that education or childcare.
- Any user-to-user service and search service comprising certain internal business resources or tools provided by a business only to a closed group of people connected to the business. This means that most internal message boards and search engines for employees and officers of the provider are exempt.
Services which only have combinations of the above exempted services/content are also largely exempt. The above exemptions might not apply if regulated provider pornographic content is also published or displayed on the service and the service has links with the UK.
The exemptions are drafted very tightly and should be reviewed on a case-by-case basis to determine whether or not they apply. This is particularly the case with below the line content.
The Secretary of State has power to add additional categories of services to the list of exempted services if they consider that the risk of harm to individuals in the UK presented by such services is low. They also have power to remove limited functionality services and one-to-one live aural communications from the list of exempted services.
What else?
There is potential for powers to be introduced to regulate app stores for the purposes of minimising or mitigating the risks of harm to children.
How wide is the OSA?
As well as search engines, content-sharing platforms, social media platforms, blogs, forums, listings sites, and aggregators, any provider that allows one user to encounter content from another user (or to search more than one website or database) will potentially be caught. The term "users" is potentially wide and goes beyond mere consumers and end users.
The exemptions for eg below the line content are drafted narrowly and won't always apply.
The OSA therefore has wide application and any online presence will need to be evaluated to determine whether it is in scope.
Find out more
To discuss the issues raised in this article in more detail, please reach out to a member of our Technology, Media & Communications team.