Online Safety Act becomes law

01 November 2023

After years of debate, the Online Safety Bill has now become the Online Safety Act 2023 ("OSA"), making it the first regulation in the UK to specifically target providers of online platforms and search services by requiring them to actively monitor the content flowing through their platforms. The final text is available here.

1) What is the OSA and why is it novel?

The OSA introduces a range of new rules and duties when conducting online activities. Many of these target providers of online services and oblige them to monitor the content made available through the service. Prior to the OSA becoming law, most user-to-user and search services operating in the UK were not subject to any regulation concerning user safety.

The duties imposed by the OSA seek to ensure that the services regulated are, amongst other things, safe by design and set up and operated in a way that provides a higher standard of protection for children than for adults.

The OSA also introduces a range of criminal offences, referred to as "communications offences" (e.g. sending false or threatening communications with intent to harm, or encouraging or assisting self-harm), which generally apply to the sender of the offending content rather than the provider of the service used to spread the content. We do not focus on these communications offences in this article.

Ofcom is the designated regulator under the OSA. To date, Ofcom has been the regulator for the UK communications industry. It regulates the TV and radio sectors, fixed line telecoms, mobiles, postal services, plus the airwaves over which wireless devices operate. Ofcom has the right to charge a fee to regulated service providers, primarily calculated by reference to worldwide qualifying revenue of such providers, which is to be used to cover Ofcom's ongoing costs as the regulator of the OSA.

2) Who is in scope of the OSA?

The OSA mainly imposes legal requirements on providers of:

a. "User-to-user Services" ("U2U Services"): internet services "by means of which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service". According to Ofcom, these services will include:

  • social media services;
  • video-sharing services;
  • private messaging services;
  • online marketplaces;
  • dating services;
  • review services;
  • file- and audio-sharing services;
  • discussion forums;
  • information-sharing services; and
  • gaming services; and

b. "Search Services": search engines which enable users to search multiple websites and databases.

In addition, the OSA has extraterritorial effect in the manner in which it applies to "regulated" U2U Services and Search Services. Amongst other things, such services are "regulated" if they have "links" with the UK, i.e.:

  • the service has a significant number of UK users or UK users form a target market for the service; and/or

  • the service is capable of being used in the UK by individuals and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK.

Regulated U2U Services and/or regulated Search Services are referred to as "Part 3 Services" in the OSA.

The OSA also includes obligations on providers of "Access Facilities" (i.e. an entity that can provide access to and "is able to withdraw, adapt or manipulate it in such a way as to impede access (by means of that facility) to the regulated service (or to part of it) by United Kingdom users of that service"). Examples of access facilities include internet service providers and app stores.

3) Which services are not included in the scope of the OSA?

The OSA does not apply to the following (amongst others):

  • email, SMS and MMS services if emails, SMS and/or MMS are the only user-generated content;

  • one-to-one live aural communications if one-to-one live aural communications are the only user-generated content enabled by the relevant service;

  • limited functionality services where the functionalities of the relevant service are limited so that users are only able to communicate through the service by posting or interacting (via emojis, yes/no voting or applying a "like" or a "dislike" of the content) with comments or reviews related to content published by the service provider (as opposed to other users); and

  • internal business services if the service is an internal resource or tool for a business or businesses carried on by the same person.

4) What obligations are placed on providers of Part 3 Services?

The OSA imposes various obligations on the providers of the Part 3 Services referred to above. The obligations differ depending on the type of Part 3 Service that a provider operates. We have set out a high level overview of the duties below.

Illegal content duties

These duties require providers of regulated services to act to prevent their services from being used for "illegal content", as defined under the OSA. This requires in-scope services to, amongst other things, conduct relevant risk assessments, take proportionate measures relating to the design and operation of the service, include details about the measures taken in the applicable terms of service, maintain systems allowing users to report content and operate a complaints procedure.

Children user duties

In addition, all providers of Part 3 Services must carry out an assessment to determine: (i) whether it is possible for children to access the service, or part of the service, and (ii) if it is possible, whether there is a significant number of child users or it is the type of service that is likely to attract a significant number of child users. If the assessment concludes that children are likely to access the service, the service provider must comply with certain child safety duties.

Further duties based on additional categorisation

There are other duties set out in the OSA, including a duty on the providers of certain services to prevent fraudulent advertising, and to protect freedom of expression. The OSA also categorises in-scope services (as Category 1, 2A and 2B), with different obligations imposed on the providers of services in each category.

5) What are the sanctions for non-compliance?

Ofcom has a range of enforcement powers including:

  • using an expert (at the service provider's cost) to inspect a service provider's systems;

  • powers of entry and inspection at a service provider's premises;

  • issuing an enforcement notice requiring a service provider to do, or refrain from doing, something required under the OSA;

  • issuing fines of up to £18m or 10% of global revenue (these are greater amounts than can potentially be issued by the UK Information Commissioner's Office under the UK GDPR);

  • criminal sanctions for failing to comply with a requirement of an information notice, including fines and imprisonment for up to two years; and/or

  • issuing orders requiring a provider of "ancillary services" to an in-scope service (i.e. a service that facilitates the provision of the regulated service (or part of it) (for example, advertising or credit card services)) to withdraw the ancillary service to the extent that it relates to the relevant service.

6) Next steps

The biggest challenge for companies caught by the OSA is that, although it has now been passed into law, many of the obligations and duties it imposes will not come into effect until further secondary legislation is passed and/or codes of practice and/or guidance are published by Ofcom. Ofcom generally has up to 18 months following the date the OSA became law to submit codes of practice to the UK Parliament for approval and to publish guidance. Ofcom plans to publish codes of practice and guidance in three phases:

  • Phase 1 covers how service providers will need to respond to illegal content - a consultation with proposals on how to handle these duties is due to be published on 9 November 2023; and

  • Phases 2 and 3 cover service providers' obligations around child safety and preventing underage access to pornography as well as producing transparency reports, preventing scam ads, and offering "empowerment tools" to give users more control over the content they're shown.

Ofcom must complete the above steps before all of the provisions in the OSA come into force, but the time periods for in-scope companies to comply once these activities are complete are not very long. In-scope entities should therefore focus on preparing to comply with the requirements of the OSA as far as possible in advance.