Bulletins | October 6, 2023

Online Safety Act 2023: Internet of order or Internet of scrutiny

With the Online Safety Act 2023 (“OSA“) expected to be passed into law in October 2023, it is important to understand its wide-ranging impact on businesses.

The OSA aims to protect children and tackle illegal and harmful content online. It introduces duties to identify and act against harmful content as further specified by the Office of Communications (“Ofcom“) as regulator.

NB: This is intended to be a brief overview of the impact of the OSA on businesses. For more detailed information on the OSA please visit our earlier publication.

Who will it impact?

The OSA will impact platforms including ‘user-to-user’ content sharing and search service providers. Its biggest impact is expected to be on social media and messaging platforms, online marketplaces, and search and online advertising services. Consequently, large platforms such as Google and Facebook will be impacted, as well as medium and smaller-sized businesses.

Pornography websites and fraudulent online adverts are also caught within the OSA’s scope. However, email, SMS and MMS services, and services offering one-to-one aural communications, will be exempt from the OSA, as well as services which are limited to enabling comments and reviews, internal business services, and services which are provided by public bodies.

Services within the scope of the OSA are collectively known as the “regulated services”.

Geographical Scope

The OSA applies to regulated services which target UK consumers. It will also apply to regulated services based outside the UK where, for example, they have a significant number of UK users or where the service targets the UK.

Regulated Services and Categories

Regulated services will be split into two categories:

  • Category 1 will be large, popular sites, which have a high number of users. Category 1 services will have additional duties compared to Category 2 services.
  • Category 2 services will be categorised depending on the number of UK users and factors which the Sectary of State considers to be relevant. Category 2 is split into two further categories, Category 2A and Category 2B, with the latter additionally assessing a service’s functionalities.

What does the OSA introduce?

Transparency Reports:

Every provider of a regulated service must supply an annual transparency report when notified by Ofcom.

Duties for user-to-user services:

For Category 1 and 2 user-to-user services, the following duties of care apply:

  • Illegal content duties.
  • Content reporting duties.
  • Illegal content risk assessment duty.
  • Duties for compliant procedures.
  • Duties for rights to freedom of expression and privacy.
  • Record-keeping and review duties.
  • Duty to assess whether a service is likely to be accessed by children.

Where these services are likely to be accessed by children, there are additional duties:

  • Children’s risk assessment duties.
  • Duties to protect children’s online safety.

For Category 1 user-to-user services, there are additional duties:

  • Duties to empower adult users.
  • Duties to protect content of democratic importance, news publisher content and journalistic content.
  • Additional duties for freedom of expression and privacy.

Duties for search services:

All regulated search service providers must comply with the following duties:

  • Illegal content duties.
  • Content reporting duty.
  • Illegal content risk assessment duty.
  • Complaints’ procedures.
  • Duty to protect rights to freedom of expression and privacy.
  • Record-keeping and review duties.
  • Duty to assess whether a service is likely to be accessed by children.

Where these services are likely to be accessed by children, there are additional duties:

  • Children’s risk assessment duties.
  • Duties to protect children’s online safety focuses on ‘primary priority content’, ‘priority content’ and other ‘material risk content’.

Duties for combined services:

Combined services are defined as a regulated user-to-user service which includes a public search engine. Providers of combined services have additional duties depending on whether the service is likely to be accessed by children.

Duties for fraudulent advertising:

For Category 1 services relating to paid-for fraudulent advertising, the services will need to put in place proportionate systems and processes which prevent users from facing fraudulent adverts, minimise the time for which they are present, and quickly take them down where the service has been alerted or have become aware of the fraudulent advert.

Category 2A services must use proportionate systems and processes to reduce the risk of users facing fraudulent adverts.

Both types of services must additionally provide information about ‘any proactive technology used to comply with their obligations in their terms of service’.

Additional duties for Category 1 services:

The following duties apply for Category 1 services in addition to the above:

  • Duty to offer all adult users the option to verify their identity.
  • Duty to comply with their terms of service.

Reporting child sexual exploitation and abuse:

Regulated services are obliged to report Child Sexual Exploitation and Abuse content on their platforms to the National Crime Agency.

Pornography:

Regulated providers which place or publish pornographic content on their services, must put in place measures to ensure children are restricted from encountering pornographic content.

New criminal offences

The new ‘harmful communications offence’ is committed when intentionally sending a message with a real and substantial risk of causing serious distress to the likely audience. This offence will address assisting self-harm and the so-called ‘epilepsy trolling’ (ie sending flashing images to epilepsy sufferers).

The ‘false communications offence’ is committed when intentionally sending false information that will cause nontrivial psychological or physical harm to the likely audience. This offence will address hoax calls.

The ‘threatening communications offence’ is committed when sending a threat of death or serious harm intended to cause, or reckless as to whether it would cause, fear that the threat would be carried out

Key Sanctions for Breaches of the OSA

Ofcom are granted a range of powers including, but not limited to, criminal sanctions and fines up to £18 million or 10% of global annual turnover.

Timeline

After OSA being passed into law, secondary legislation must be passed and Ofcom needs to publish codes of practice before the OSA takes effect.

All secondary legislation is predicted to be passed by Autumn 2024, however, this is merely a working estimate.

On the 15th of June, Ofcom published an update on how they are preparing for the OSA which gives an overview of their expected timeline in light of the delay. This can be found here.

Despite this, the timeline of when the OSA’s provisions come into force remains unclear.

What should businesses do now?

Businesses should use this time to prepare for the implementation of the OSA. Businesses should monitor Ofcom’s expected roadmap.

The most important step businesses can take to prepare for the OSA is to conduct a risk assessment to determine whether the services they provide are caught within its scope. This should also include an assessment of whether their services are likely to be accessed by children.

Attention should be paid to the requirements of the OSA in relation to internal systems and policies, as well as the service offered to users. Businesses must assess how they operate to see whether amendments will be necessary to meet these requirements once the OSA is implemented.

Please contact us if you would like preliminary advice on the OSA.

Alexander Dittel is Partner and Scarlet Mitchell is Paralegal in Technology at Wedlake Bell LLP