Date: 2023-12-01

On 9 November 2023, the UK Office of Communications (Ofcom) issued its first set of draft guidance on the UK's long-anticipated Online Safety Act (OSA), which aims to protect online users against illegal and harmful content. While the OSA officially became law in the UK on 26 October 2023, Ofcom – the UK's communications regulator – will now take a three-year phased approach to implementation and enforcement. The latest draft guidance from Ofcom focuses on how certain online service providers must approach their duties regarding 'illegal content' and is the first of four major consultations that Ofcom will conduct in the coming months.

At a high level, the OSA introduces a new UK regulatory regime to address online safety. It imposes extensive new obligations on online service providers to identify, mitigate and manage the risks of harm to users from illegal and harmful content. With a focus on the protection of children, the OSA builds on the age appropriate design code of the Information Commissioner's Office and confers special obligations on service providers whose platforms are likely to be accessed by children.

More broadly, the OSA is one of several new global regulatory developments focused on addressing online safety. The OSA is distinct from the European Union's Digital Services Act (see our February 2023 blog on the DSA); however, it bears similarities, as it also adopts a risk-based approach to content regulation with large or higher-risk online platforms subject to more extensive obligations, as explained in more detail below.

Which services are subject to the OSA?

Three types of online service provider are intended to be subject to the OSA, provided each has links with the UK:

'User-to-user' services (U2U services).

Search services.

Services that publish or display certain pornographic content.

The OSA, therefore, applies to qualifying service providers – wherever they are located.

Links with the UK

Services are considered to have links with the UK if they have a significant number of UK users or if the UK forms one of their target markets. The OSA does not specify the number of users that qualifies as 'significant', although Ofcom has advised organisations to be ready to explain their decisions, especially where they believe that their UK user base is not significant.

In addition, regulated U2U and search services are considered to have links with the UK if they are capable of being used in the UK, and there are reasonable grounds to believe that there is a material risk of significant harm to UK individuals presented by content associated with the service. This provision appears to be designed to capture high-risk services which might not otherwise be captured by the OSA – e.g., because the number of UK users would not otherwise meet the 'significant user number' or 'target market' thresholds.

U2U and search services

U2U and search services are likely to be subject to the OSA if they have links with the UK (see above) and are not exempt. The OSA outlines certain services that are exempt – for instance, services will not be subject to the OSA if emails, SMS messages (texts) or one-to-one live aural communications are the only user-generated content enabled by the service.

Providers of pornographic content

Service providers that publish or display pornographic content are likely to be regulated by the OSA if they have links with the UK (see above). However, some types of services – such as 'internal business services' and 'on-demand programme services' – may be exempt under certain conditions.

How will the OSA impact in-scope services?

Categorisation

For regulated U2U and search services, the OSA takes a tiered approach to regulation by dividing certain services into categories ('categorised services'). Ofcom has stated that only a small proportion of services will be designated as categorised services. Categorised services are subject to additional duties – see the Obligations ('duties of care') section below.

Although the category thresholds have not yet been set, Ofcom has stated it will advise the government on the thresholds in early 2024. Ofcom anticipates that the government will pass the necessary legislation by summer 2024, and – assuming such legislation is passed – Ofcom will:

Publish the register of categorised services by the end of 2024 (and, in any event, 'as soon as reasonably practicable').

Publish draft proposals on the additional duties that categorised services will be subject to in early 2025.

In mid-2025, start issuing categorised services with an annual notice requiring them to produce a transparency report.

The service categories are defined as follows:

Category 1. Regulated U2U services that meet the Category 1 threshold conditions, which relate to the following factors:

Number of users.

Service functionalities.

Any other characteristics of the service that the government may consider relevant.

The thresholds also will account for the likely impact of the number of users and the service's functionalities on how easily, quickly and widely content may be disseminated.

Category 2A. Regulated search or 'combined' services (i.e., a regulated U2U service that also includes a public search service) that meet the Category 2A threshold conditions, which relate to:

Number of users.

Any other characteristics of the service that the government may consider relevant.

Category 2B. Regulated U2U services that meet the Category 2B threshold conditions, which will be set by reference to the same factors as Category 1 services, i.e.:

Number of users.

Service functionalities.

Any other characteristics of the service that the government may consider relevant.

The exact threshold conditions for each category will vary and will be defined in secondary legislation, expected to be enacted by summer 2024.

Providers of pornographic content will not be categorised, but nevertheless do have duties of care, as set out below.

Obligations ('duties of care')

The OSA imposes obligations, or 'duties of care', which vary depending on both the type (i.e., U2U, search or pornographic) and category of service. To illustrate, we summarise some of the key duties below. Ofcom has stated its intention to produce guidance on each of these duties and the many others that are contained in the OSA over the next 18 months.