February 22, 2024
The Online Safety Act (OSA) received Royal Assent on 26 October 2023. Most of the provisions in the OSA are already in force but some are due to come into force in secondary legislation, for example on 1 April 2024, under the Online Safety Act 2023 (Commencement No 2) Regulations 2023 and also when Ofcom has published relevant codes of practice.
Businesses need to be complying with the OSA provisions which are already in force. They also need to be aware of any rules which may apply to them going forward.
The legislation has, at a very basic level, been put in place to ensure the safety of online users and in particular children. It places specific obligations upon various online service providers. For example, the OSA places legal responsibility on companies to prevent and rapidly remove illegal content.
Ofcom, the UK authority for broadcasting, telecommunications and postal industries, are tasked with enforcement of the OSA. Its role is to make sure regulated service providers take appropriate steps to protect their users and to make sure social media sites and other regulated online services have appropriate systems and processes in place to protect their users.
Ofcom will have the power to impose fines of the higher of £18m or 10% of global annual turnover, should companies fail to comply with the new rules, so the implications of not getting compliance right is significant.
The OSA applies to, amongst other types of services, user-to-user services. These are internet services through which user-generated content may be encountered by other users through online platforms, such as websites or applications. Ofcom has listed the following as examples: social media services; video-sharing services; messaging services; marketplaces and listing services; dating services; review services; gaming services; file sharing services; audio sharing services; discussion forums and chat rooms; information sharing services (such as online encyclopaedias and question and answer services); fundraising services and services with user-generated pornographic content.
So, it is clear that the scope of OSA is intended to apply to bigger social media platforms and search engines but also smaller platforms will need to comply with the legislation. There is no barrier in terms of size of company when it comes to compliance – if you are providing this type of user-to-user service you will need to comply with the OSA.
There are some exempt services, which include services provided by public bodies in exercising their public functions, services comprising internal business resources or user-to-user services with limited functionalities.
All user-to-user services and search services will have certain obligations under the OSA. There will be a duty for user-to-user services to carry out suitable and sufficient illegal content risk assessments. This will involve providers of online services maintaining up-to-date risk assessment processes, accounting for any changes to risk profiles by Ofcom. These duties also include the requirement to have in place effective risk management processes for mitigation.
Providers will also need to take proportionate measures to mitigate and manage risk in relation to illegal content. This will involve preventing users from encountering such content on their services at the outset. Online service providers were previously only required to act rapidly in removing unlawful content once they were put on notice of the presence of such content, so this signifies a shift in that process. Services must also include provisions in their terms of service to indicate how they are protecting users, and these provisions must be clear and accessible to users.
Services will need to operate comprehensible methods of easily reporting illegal content, as well as operating an accessible complaints procedure for users. Services will need to maintain risk assessment records, in addition to any reports of illegal content.
On top of this, providers will also need to ensure they protect users’ freedom of expression and privacy rights, including relating to data protection.
If you are operating a user-to-user service and you haven't already done so, you should assess how the OSA applies to your business to make sure that you are complying with the law. All providers must include clear and accessible provisions in their terms of service informing users of their right to bring a claim for breach of contract where their content is taken down or they are suspended or banned in breach of the terms of service. This requirement is already in force.
You should be aware of Ofcom’s activities, as it prepares to regulate the OSA and consults on various aspects of the legislation. You should therefore review your existing systems and process to make sure you can monitor content in line with the OSA, and to protect users of your services in accordance with the law.
If you need help assessing your position in light of the OSA, of if you’d like to discuss any queries arising from this article, please get in touch with the team.