Dame Melanie Dawes has provided a clear indication of Ofcom's approach in relation to "small but risky" services under the Online Safety Act (the Act) following a letter from the Secretary of State for Science, Innovation and Technology asking Ofcom to explain how it proposes to monitor these services and how it intends to use "the full force of enforcement."
This signals a very different approach to online safety, and smaller businesses will need to take action. This includes building greater compliance costs into their budgets (across legal, operational and technical aspects) and engaging with the requirements of the Act and codes of practice early, as it is clear that Ofcom is going to take a proactive approach in this space.
What is a small but risky service?
In light of the indication from Ofcom that these services are a priority for it, services should consider whether they fall within its definition:
- "Small" is defined by Ofcom as an organisation with under 49 employees;
- The risk assessment level assigned to each type of illegal harm (e.g. CSEA, Terrorism, Hate speech, fraud) will enable a service to understand whether it meets the definition of "high risk" for one or more of the illegal harms.
For example, a high-risk service in the context of Child Sexual Abuse Material (CSAM) and/or URLs could include:
- File-storage and file-sharing services;
- Adult services;
- A service which allows users to post or send content without creating an account;
- A service which has systematically been used by offenders to upload image-based CSAM;
- A service which has a majority of relevant risk factors associated with CSAM in Ofcom's Risk Profiles in addition to allowing images or videos to be uploaded, posted or sent;
- Social media in the context of the spread of harmful material.
In the context of CSAM, functionalities which add to these inherent risks include:
- End to end encryption;
- Pseudonymity and anonymity;
- Livestreaming;
- Recommender systems.
What can such services expect from Ofcom?
Dame Melanie's letter sets out three ways in which services which fall within the definition of "small but risky" can expect to interact with Ofcom:
- Tailored codes based on risk: those services which pose the greatest risk are likely to attract the greatest precautions by way of mitigation and monitoring by Ofcom;
- Engagement with Ofcom: a dedicated supervision taskforce specifically tasked with engaging with services which are risky either because of size or nature of the service has been set up by Ofcom;
- Targeted enforcement: once the measures under the Act are in force, there is likely to be swift action by Ofcom where there is evidence of significant ongoing risk of harm to users and an apparent lack of safety measures in place.
What should services do now?
Although the draft codes are not final and not in force, services should review their requirements and understand whether and, if so, why their services may be high risk. Generally, the measures adopted to mitigate against risks identified through future risk assessments are expected to be proportionate to the size of the service and risk level. In the case of small but high-risk services, however, the expectation from Ofcom is that they will take substantial steps to mitigate risks.
The draft codes of practice set out the types of measures Ofcom might expect to see outlined in the risk assessments for services which fall within this category. These include:
- Additional governance measures;
- Additional content and/or search moderation measures;
- Features which make it harder for perpetrators to contact children;
- For certain services, hash matching technology.
Early consideration of any measures outlined in the code of practice, with clear records of any decisions taken about implementation of measures (whether Ofcom-recommended or alternatives), is likely to assist services when engaging with Ofcom.
What will happen to services which do not engage?
For services which do not engage, Ofcom has signalled it is prepared to take swift action including:
- Investigation;
- Compliance remediation;
- Financial penalties;
- Business disruption measures; and
- Criminal proceedings.
The letter clearly signals that Ofcom will expect engagement from these services and that enforcement action will be rapid where it considers that there may be non-compliance. Services that fall within this definition should engage now with the requirements of the draft code, risk assessments and mitigation measures.