UK Online Safety Bill – top 10 things to know

The UK Online Safety Bill (“OSB”) has been the subject of much debate and media discussion in the UK due to its novel nature and goal of introducing new measures to protect people whilst they use online platforms. Much of the debate including in the UK parliament and by commentators has centred on the challenge of balancing the protection of freedom of expression and individual users’ use of the internet. The OSB was first introduced in May 2021 and it has been revised three times since, with the latest iteration being January 2023. The bill is still at the House of Lords stage of the UK legislative process, and so it is not quite in final form and amendments to the text are expected.

However, it is widely expected that the OSB will be passed into law during the second half of 2023. Therefore, we have set out the top 10 things that businesses need to know ahead of the bill’s passage into law.

1) Novel regulation of platforms: If passed into law, the OSB will introduce new rules and duties for providers of platforms which host user-generated content (ie those which allow users to post their own content online or interact with each other) and for search engines. Most user to user and search services operating in the UK are not subject to any regulation concerning user safety. Currently, only a limited number of user-to-user services which are used in the United Kingdom are subject to the Video Sharing Platform regime set out in Part 4B of the Communications Act 2003 (known as the “VSP Regime”). Ofcom is responsible for enforcing the VSP Regime. The OSB is not just aimed at protecting children but all users of online services as defined by the OSB.

2) Who is in scope: The OSB mainly imposes legal requirements on providers of:

• “User-to-user Services” (or “U2U Services”): internet services “by means of which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service”. Likely examples of these services are social media platforms, user discussion forums, messenger apps, “wiki” pages; and
• “Search Services”: search engines which enable users to search multiple websites and databases.

A regulated U2U Service, which includes a public search engine, is referred to as a “Combined Service”. There are exemptions set out in Schedule 1 and Schedule 2 of the OSB.

The OSB also includes obligations on providers of “Access Facilities” (ie an entity that can provide access to and “is able to withdraw, adapt or manipulate it in such a way as to impede access (by means of that facility) to the regulated service (or to part of it) by United Kingdom users of that service”). Examples of access facilities include “(a) internet access services by means of which a regulated service is made available, and (b) application stores through which a mobile application for a regulated service may be downloaded or otherwise accessed”.

The UK Government expects that at least 25,000 companies will be in scope of the OSB.

3) Exterritorial Effect: The OSB applies to “regulated” U2U Services and Search Services. These services are “regulated” if they have “links” with the UK which means:

• the service has a significant number of UK users or UK users form a target market for the service; and/or
• the service is capable of being used in the UK by individuals and there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the UK.

These “regulated” services are also known as “Part 3 Services”.

4) Future Obligations and Categories of Services: The OSB introduces categorisations of in-scope services (currently referred to Category 1, 2A and 2B) where different obligations will be imposed for providers of these services. Ofcom will establish and maintain a register of services falling within each of the Categories. The UK Secretary of State will pass secondary legislation setting out the criteria for each of these Categories once the OSB is passed into law. Relevant factors in determining the criteria will include the number of users of the service, the functionalities that it offers and the likely risk of harm to relevant users.

5) Notable exemptions from scope: There are exemptions listed under the OSB. We have set out the notable exemptions below. The OSB will not apply to:

• Email, SMS and MMS services if emails, SMS and/or MMS are the only user-generated content;
• One-to-one live aural communications if one-to-one live aural communications are the only user-generated content enabled by the relevant service;
• Limited functionality services where the functionalities of the relevant service are limited so that users are only able to communicate through the service by posting or interacting (via emojis, yes/no voting or applying a “like” or a “dislike” of the content) with comments or reviews related to content published by the service provider (as opposed to other users); and
• Internal business services if the service is an internal resource or tool for a business or businesses carried on by the same person.

6) Main duties for Part 3 Services: Part 3 Services will be subject to a range of obligations. The OSB imposes “duties of care” on the providers of these services. These duties can be broken down into two themes: the safety duties and free speech duties.

• Safety Duties: These duties require providers of Part 3 Services to act and prevent their services from being used for “illegal content”, as defined under the OSB. This will require in-scope services to, among other things, conduct relevant risk assessments, take proportionate measures relating to the design and operation of the service, including details about the measures taken in the applicable terms of service, maintaining systems allowing users to report content and operating a complaints procedure.

  In addition, all Part 3 Services providers must carry out an assessment to determine: (i) whether it is possible for children to access the service, or part of the service, and (ii) if it is possible, where there is a significant number of child users or it is the type of service that is likely to attract a significant number of child users.

  If the assessment concludes that children are likely to access the service, the service provider must comply with certain child safety duties.

• Free Speech Duties: These are the duties to protect: (i) content of democratic importance; (ii) news publisher content; (iii) journalistic content; and (iv) freedom of expression and privacy. Only providers of Category 1 services will need to comply with the free speech duties.

  There are other duties set out in the OSB, including a duty on Category 1 and 2A services to prevent fraudulent advertising.

7) Regulator: Ofcom will be the designated regulator under the OSB. To date, Ofcom has been the regulator for the UK communications industry. It regulates the TV and radio sectors, fixed line telecoms, mobiles, postal services, plus the airwaves over which wireless devices operate. Ofcom has the right to charge a fee to regulated service providers, primarily calculated by reference to worldwide qualifying revenue of such providers, which is to be used to cover Ofcom’s ongoing costs as the regulator of the OSB.

It is important to note that OSB does not empower Ofcom to take action against individual instances of content or specific accounts which breach the requirements. Practically, we also do not expect that Ofcom will have the resources to individually review every complaint or referral it receives. The presence of harmful content on a service alone will not be decisive in determining whether or not a provider is compliant with the OSB. Ofcom is expected to assess the adequacy of the systems and processes that a provider has implemented for the protection of users. It will consider the overall performance of the providers’ systems and processes.

8) Key sanctions for non-compliance: Ofcom will be granted a range of enforcement powers including:

• using an expert (at the service provider’s cost) to inspect a service provider’s systems;

• powers of entry and inspection at a service provider’s premises;

• issuing an enforcement notice requiring a service provider to do, or refrain from doing, something required under the OSB;

• issuing fines of up to £18m or 10% of global revenue (as a useful comparison, these are greater amounts than available to the ICO under the UK GDPR);

• criminal sanctions for failing to comply with a requirement of an information notice, including fines and imprisonment for up to two years; and/or

• issuing orders requiring a provider of “ancillary services” to an in-scope service (ie a service that facilitates the provision of the regulated service (or part of it) (for example, advertising or credit card services)) to withdraw the ancillary service to the extent that it relates to the relevant service.

  It is also worth noting that the OSB also separately creates new criminal offences which apply certain acts committed within the UK or outside of the UK (if the act is done by a UK person or entity incorporated under the law of England and Wales) such as the “false communications offence” and “threatening communications offence”.

9) Current status of the legislation: As at the time of publishing this article, the OSB is at the House of Lords stage in UK legislative procedure. It is expected that the OSB will be passed into law by the end of 2023 and will be titled the “Online Safety Act”.

However, the timeline as to when the provisions will come into force is still unclear. This is because the Secretary of State will need to draft secondary legislation to implement the Bill, and Ofcom will need to publish codes of practice before the Bill takes effect.

10) What should you be doing now? Whilst the OSB is not yet in force in the UK, the likelihood of it passing into law is high. Therefore, organisations should consider taking appropriate steps now to prepare for its implementation, such as:

• Conducting a risk assessment to determine if the services that your company provides are in-scope: conduct a risk assessment to determine if the services you provide are within the scope of the OSB. The concepts of U2U Services and Search Services have been fairly consistent throughout the various iterations of the OSB and we expect that these are unlikely to change. Therefore, determining whether you are caught by these concepts now would likely help you get ahead. A risk assessment should cover your products and services (including what they do, how many users there are and whether there is a “link” to the UK), complaints procedures and terms of service for those products and internal processes and policies. You should also assess how likely those platforms/products are to be accessed by children. You may have already carried out this assessment in order to determine if you have to comply with the UK ICO’s Childrens’ Code covering the processing of personal data relating to children;
• Considering amendments to products: once a risk assessment is complete, carry out a gap analysis between the current functionality and the required functionality of products in line with the obligations under the OSB. This exercise would enable discussions with product development teams around adjustments to systems and best practices to take place and also consider whether amendments to the product development cycle are required;
• Considering amendments to internal policies/processes: once a risk assessment is complete, carry out a gap analysis between existing key internal processes and what is required under the OSB. Creating a comprehensive audit trail and keeping good records of actions and decisions will be important in light of the sanctions available to Ofcom;
• Monitoring the status of the OSB and Ofcom publications: on the basis that the OSB still being debated and the fact that Ofcom will publish codes of practice, regular monitoring of the OSB progress and Ofcom publications is recommended. The UK Government has published two voluntary and non-binding interim codes of practice on terrorism and on child sexual exploitation, to help companies to begin to implement the necessary changes until Ofcom issues its statutory codes on these harms.

If you have any questions or would like to discuss the above, please do get in touch with us.