The Online Safety Act (OSA) has broad application. Those with an online presence will need to scrutinise the online content and services they provide – including those provided intermittently and at a low level – to determine whether they are in scope.
The Online Safety Act is the UK's attempt to regulate the safety of users online. It imposes various duties on certain online service providers in relation to user-generated content. A first draft of the legislation was published in May 2021, building on the Online Harms White Paper that had gone before it. Following successive drafts, the legislation has now completed its Parliamentary passage and received Royal Assent on 26 October 2023.
While numerous amendments to the legislation were made along the way, the services within scope have largely remained the same. In fact, the only substantive changes that have occurred since a version of this article was previously published in June 2022, are that certain providers of education and childcare are now potentially exempt and the Secretary of State has power to regulate app stores in future if certain conditions are met.
The OSA applies to any:
that is regulated (meaning that it has "links with the UK" and is not "exempt").
These are considered in detail below (with the exception of pornographic content services which are beyond the scope of this article). However, it should be noted at the outset that a very broad range of service providers are caught.
The definition of a user-to-user service is any "internet service by means of which content that is generated directly on the service by a user of the service or uploaded to or shared on the service by a user of the service, may be encountered by another user, or users, of the service".
The definition is very broad. In particular:
It should be clear from the above that a number of services and functionalities will fall within the definition of a user-to-user service. At its extreme, the OSA potentially catches a one-off online video presentation by one user to another. A careful review of online content should therefore be undertaken.
A search service is defined as any "internet service that is or includes a search engine". A search engine is a service or functionality that enables a person to search more than one website or database. There are provisions to help determine whether a user-to-user service which contains a search engine is to be classified as a user-to-user service or a search service and various provisions around combined services (any user-to-user service that contains a public search engine).
The following should be noted about the definition of a search service:
The government says that offering search functionality can make it easier for people actively to seek out and find illegal/harmful content and can also present illegal/harmful content to people who are not actively seeking it. This is why search services have been included in the OSA. However, the OSA goes beyond large search engines. For example, a facility offered by an online provider that allows a user to search two databases would be caught (assuming those databases contain user-generated content).
A user-to-user service is a "regulated user-to-user service" and a search service is a "regulated search service" if the service has "links with the UK" and is not "exempt". We consider these terms next.
The legislation has wide extra-territorial application. To be caught, a user-to-user service or search service must have links with the UK. A service has links with the UK if:
There is no indication of what constitutes a significant number of users. Whether a service targets the UK ought to be easier to determine given guidance on targeting in other areas of law (such as trade mark law).
The following services/content (or parts of services) are largely exempt:
Services which only have combinations of the above exempted services/content are also largely exempt. The above exemptions might not apply if regulated provider pornographic content is also published or displayed on the service and the service has links with the UK.
The exemptions are drafted very tightly and should be reviewed on a case-by-case basis to determine whether or not they apply. This is particularly the case with below the line content.
The Secretary of State has power to add additional categories of services to the list of exempted services if they consider that the risk of harm to individuals in the UK presented by such services is low. They also have power to remove limited functionality services and one-to-one live aural communications from the list of exempted services.
There is potential for powers to be introduced to regulate app stores for the purposes of minimising or mitigating the risks of harm to children.
As well as search engines, content-sharing platforms, social media platforms, blogs, forums, listings sites, and aggregators, any provider that allows one user to encounter content from another user (or to search more than one website or database) will potentially be caught. The term "users" is potentially wide and goes beyond mere consumers and end users.
The exemptions for eg below the line content are drafted narrowly and won't always apply.
The OSA therefore has wide application and any online presence will need to be evaluated to determine whether it is in scope.
To discuss the issues raised in this article in more detail, please reach out to a member of our Technology, Media & Communications team.
Louise Popple provides a table summary of the main obligations under the OSA.
1 of 9 Insights
Xuyang Zhu and Danielle Owusu give an overview of safety duties in relation to the different types of illegal and harmful content covered by the OSA.
3 of 9 Insights
Megan Lukins looks at the application of the OSA to user-to-user content likely to be accessed by children.
4 of 9 Insights
Debbie Heywood looks at Ofcom's wide range of duties and powers under the Online Safety Act.
5 of 9 Insights
Debbie Heywood looks at what to expect from Ofcom as its powers under the Online Safety Act commence.
6 of 9 Insights
Miles Harmsworth takes a high level look at some of the key overlaps and differences that in-scope digital service providers will need to consider under both regimes.
7 of 9 Insights
Mark Owen looks at requirements to carry out risk assessments under the OSA.
8 of 9 Insights
Timothy Pinto asks whether the OSA has found the right balance between protecting freedom of expression, privacy, journalistic content and content of democratic importance, and protecting online users.
9 of 9 Insights