UK Online Safety Act: Is your company ready?

Alex Wagner
Jan 10, 2024 / 5 min read

Throughout 2024, the Office of Communications (Ofcom), the UK’s communications regulator, will continue its work on the phased implementation of the Online Safety Act (OSA), which aims to make the UK the safest place in the world to be online. With financial penalties of up to £18 million or 10% of global annual revenue for businesses that fail to comply, as well as the possibility of personal criminal liability for senior officers of such businesses, online platforms should prioritize active preparations to comply with the obligations set out below.

As the regulator of the OSA, Ofcom will help inform the guidance and codes of practice issued by the Secretary of State for Science, Innovation and Technology with consultations already underway on illegal harms and age verification. These consultations mark the start of the 18-month implementation period with obligations and duties applying to any platform with users in the UK, irrespective of where the business is based.

The Online Safety Act – Duties and Implementation

The OSA places a new duty of care on online platforms to take action against illegal or harmful content, imposing new obligations on any organisation or individual that offers:

  • User-to-user services that allow users to share content, such as dating apps and social media.
  • Search services that offer online search functionality.
  • Other services including websites featuring adult content.

The Act sets up two main categories of content that platforms will be required to act on, with Category 1 services (those that have high-risk functionalities or a high user reach) subject to more onerous obligations. All platforms will be required to take proactive measures to protect users from encountering illegal content under offences designated as priority offences, such as terrorist content, immigration and modern slavery. Platforms will also need to prevent children from accessing harmful and age-inappropriate content while implementing age-checking measures. Implementation will follow a three-phased approach:

  • Phase 1 will cover obligations to mitigate the risk of illegal harms, which will be introduced as secondary legislation. Ofcom is set to publish a response to the ongoing consultation by Autumn 2024, after which businesses will have three months to undertake their illegal content risk assessments.
  • Phase 2 will cover additional child safety duties imposed on services that are likely to be accessed by children as well as sites hosting pornographic content. Final guidance is expected to be published by 2025.
  • Phase 3 will apply to services designated as Category 1, subject to additional duties concerning transparency reporting, user empowerment and user rights.

Encryption

While the OSA introduces obligations for platforms to pay particular attention to freedom of expression before removing content with additional exemptions for news content, concerns have been raised over the potential threat to user privacy and encryption on platforms.

Section 121 of the Act allows Ofcom to issue notices that could be used to compel messaging apps to use “accredited technologies” to scan messages and files that are otherwise end-to-end encrypted for illegal content. Messaging platform Signal suggested in 2023 that it would withdraw from the UK due to concerns that the Act would undermine encryption, as well as the potential security vulnerabilities that such a move could entail. To allay these concerns, the Government has insisted Ofcom would only intervene if scanning content was “technically feasible,” though the technology to scan messages without undermining encryption does not yet exist. With further guidance expected, encryption is likely to remain a contentious issue in 2024, with the Investigatory Powers (Amendment) Bill also set to introduce more government powers.

Next Steps

Businesses operating in the UK now need to consider if they fall within scope of the Act, with most online service providers likely to be included. In addition to keeping up to date with the legislative landscape and developments, here are some key steps to consider in 2024:

  • Engage with Ofcom’s consultations on protecting people from illegal harms online (ending February 23, 2024) and on the draft guidance on age assurance (ending March 5, 2024).
  • Follow Ofcom’s activities, especially the publication of guidance and the introduction of secondary legislation to Parliament by the Department for Science, Innovation and Technology.
  • Carry out a comprehensive risk assessment and demonstrate that your business has taken steps to address potential risks, including the risk of users accessing forms of illegal content. Pay special attention to handling personal data of users, especially minors, while implementing age verification and moderation.
  • Begin implementing systems to identify and remove harmful content and protect users from accessing it. Ensure you have also implemented a clear content reporting and complaints procedure.
  • Assess if you might be classified as a Category 1 service and therefore required to comply with additional obligations.
  • In addition to the obligations for platforms operating in the UK, businesses operating in the EU should also assess whether they need to comply with relevant applicable laws, including the EU’s Digital Services Act which takes effect in February 2024 and introduces similar requirements for online platforms relating to illegal content, transparent advertising and disinformation.

As a global advisory and strategic communications firm, Trilligent specializes in assisting disruptive tech companies in navigating the complex international regulatory environment. From making your voice heard with the political stakeholders shaping new regulations to building campaigns that target users across platforms, we can help communicate your commitment to upholding trust and safety, building enduring and profitable brand reputation across markets. For more information on Trilligent, visit trilligent.com or get in touch at: contactus@trilligent.com.
