Online Safety Act

The Online Safety Act (Act) received Royal Assent on 26 October 2023 after a significant period of consultation and debate. The Act will be implemented in stages. The purpose of the Act is to provide for a regulatory framework with the general aim to make the use of internet services regulated by this Act safer for individuals in the United Kingdom.

Broadly, the Act imposes duties on providers of certain online services to identify, mitigate and manage the risks of harm from (i) illegal content; and (ii) content that is harmful to children. Ofcom is the regulator under the legislation and is given wide functions and powers to enforce the Act. This includes the power to issue fines, up to the greater of (i) £18m; and (ii) 10% of worldwide turnover.

Its implementation is likely to result in huge changes in the liability landscape in relation to particular types of internet services.

Structure of the Act

The Act applies to (i) “user-to-user services” and (ii) “search services” and places wide ranging duties on each of those service providers of those services in relation to user generated content.

Broadly, the duties relate to the systems and processes that service providers must put in place to deal with harmful content and illegal content with the most onerous duties reserved for “category 1” providers (see below).

Online services subject to the Act

Two main types of services are regulated by the Act:

(i) “User-to-user services” – which broadly means internet services which allow for the generation or sharing of content. This is likely to apply to: online marketplaces, dating apps, games with chat functions, forums and social media platforms, including where users can interact via direct messaging; and

(ii)“Search services” – this means internet services that allow a search functionality, e.g., Google.

Also specifically regulated are internet services which publish “regulated provider pornographic content”. There are some notable exemptions where the Act does not apply including in relation to email, SMS and MMS services or where the services offer limited user functionality.

Duties

The duties imposed on service providers subject to the Act are wide ranging but there are a number of noteworthy themes, broadly as follows:

•  A requirement to carry out regular risk assessments;
•  An obligation to ensure ease of reporting (e.g. of illegal content) and making complaints;
• Transparency and accountability duties;
• Duties around the protection of freedom of expression and privacy, such that free expression of journalistic content is taken into account when making decisions about content; and
• Maintenance of systems and processes to reduce harm in a proportionate manner, including duties to remove illegal content and a duty to include features which users may use to increase their control over content.

Tiered approach user-to-user services

All user-to-user service providers will have to comply with certain duties which include obligations to undertake illegal content risk assessments and to implement complaints procedures.

Certain categories of services are assigned additional duties depending on the perceived level of risk:

• Category 1 services: the highest reach user-to-user services (i.e. the largest platforms) with the highest risk functionalities, with transparency requirements, a duty to assess risks to adults of legal but harmful content, requirements relating to fraudulent advertising and a variety of other duties.
• Category 2a services: the highest reach search services, which includes transparency and fraudulent advertising requirements.
• Category 2b services: user-to-user services which are high risk and high reach, but not high enough to fall under Category 1. Like Category 1, they will have to comply with additional transparency requirements, but none of the other Category 1 additional duties.

The Secretary of State is responsible for issuing regulations specifying the threshold conditions for each of the categories and Ofcom is responsible for establishing a register of providers in each case. It is currently anticipated that this register will be published in 2025 following the setting of the thresholds. It is not immediately clear whether there will be a process for service providers to challenge a categorisation and more clarity is expected on this as part of Ofcom’s consultation.

Children under the Act

The Act recognises a higher standard of protection for children is required than that for adults. This includes applicable provisions where children are likely to access the relevant content, such as:

• Children specific risk assessments;
• Children access assessments; and
• Taking other proportionate measures in recognition that children are using the particular services.

Extra-territorial effect

The Act applies to “regulated” user-to-user services and search services. These services are “regulated” if they have “links” with the UK which means:

• The service has a significant number of UK users or UK users form a target market for the service; and/or
• The service is capable of being used in the UK by individuals and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK.

Broadly this can have the effect that service providers that provide relevant services that touch the UK in this way will need to determine whether they are subject to the Act even if they are not a UK-based company.

Ofcom Powers

Ofcom has wide powers and duties in relation to regulated services. Particularly noteworthy are as follows:

• Information requirements: it may by notice require providers to provide it with any information that it requires for the purpose of exercising, or deciding whether to exercise, any of its online safety functions.
• Notices of contravention: it may give a “provisional notice of contravention” if it considers that there are reasonable grounds for believing that the provider has failed, or is failing, to comply with any enforceable requirement in relation to the service.
• Fines: Ofcom may issue fines, the greater of £18m, and 10% of worldwide turnover.
• Codes of Practice: Ofcom must also prepare and issue codes of practice for providers of user- to-user and search services. So far Ofcom has produced Guidance on the Act (January 2024), to assist affect companies with compliance. This guidance can be found here. Ofcom is also undertaking various consultations, including:
• Illegal Harms consultation (November 2023). This focuses on how user-to-user service providers and search service providers should approach their new duties relating to illegal content.
• Draft guidance publishers of online pornographic content (December 2023). This guidance assists publishers in complying the with age assurance rules so that children are not exposed to their content.

Draft guidance publishers of online pornographic content (December 2023). This guidance assists publishers in complying the with age assurance rules so that children are not exposed to their content.

Relation to EU Digital Services Act

Where providers operate in both the EU and the UK, the Act must be read in conjunction with the EU’s Digital Services Act, which also introduces new rules to ensure online safety within member states. If a business operates within both the UK and EU it will need to understand both pieces of legislation and the differences between them which will affect how they do business.

For more information on the EU Digital Services Act, please see our corresponding briefing note here.

The UK and EU Act have differing definitions of ‘illegal content’, and the UK Act contains stricter provisions requiring platforms to proactively prevent users from encountering it. The UK Act also requires all platforms to undertake risk assessments (rather than only the largest) and imposes more detailed requirements for platforms accessible by children. Conversely, the EU Act contains more detailed provisions on advertising restrictions.

Ahead

It will be interesting to see how Ofcom approaches compliance. Businesses need to be looking closely at their service offerings, operations, processes, procedures, user policies and terms and conditions to consider the changes they will need to make to align with this legislation.

For more information or advice, please contact Beverley Flynn and Guy Cartwright in the commercial and technology team at Stevens & Bolton.

The information contained in this guide is intended to be a general introductory summary of the subject matters covered only. It does not purport to be exhaustive, or to provide legal advice, and should not be used as a substitute for such advice.