The Act, which received Royal Assent on 26 October, introduces new duties and powers to UK regulator Ofcom, with new obligations for online businesses on the horizon. For now, the first phase of the Act involves consultations which businesses should be encouraged to engage with, and the working out of pieces of secondary legislation. We look at what is likely to happen next, and what action businesses should take.
- The long-drawn out Bill has been given Royal Assent and we are looking at the substantive rules coming into force over the next two years.
- As some of the powers come into force immediately, Ofcom will be publishing draft guidelines and codes of practice on how they intend to enforce the new duties. The first of these draft documents will be available in early November 2023. We encourage service providers to engage in the consultations.
- Encryption remains the biggest issue with other questions about the bill having been mostly ironed out. Trying to balance individuals' rights to privacy whilst keeping people safe is a tall order. The government has conceded that technology that enables organisations to adhere to the "spy clause" does not exist – although the clause remains in the legislation. A consultation in 2024 will seek to dig into the detail about how the 'spy clause' will operate in practice.
Ofcom's next steps
Businesses will soon be able to participate in Ofcom's consultations, helping to shape how Ofcom will enforce the Act. The Act will impose duties on service providers to prevent harm to users. Service providers may be obliged to step up content moderation efforts and change how they publish content moderation data amidst a push for greater transparency. Although consultations will begin shortly, there is still a long road before the Act is fully in force.
Ofcom has published a timeline of how it will approach enforcement of the Act. Enforcement is scheduled to take place in three phases, and there are several opportunities for your business to engage with Ofcom. Throughout implementation, Ofcom will undertake a number of consultations, including on the codes of practice for the new duties imposed under the Act.
Adoption of the published codes of practice by a service provider will be treated as compliance with the relevant duty under the Act. The consultations therefore provide your business with the opportunity to help shape realistic and effective codes of practice which will have real-world consequences for compliance. Codes of practice must be laid before and approved by Parliament before coming into force.
Timeline for Ofcom's consultations
Over the next few years there will be several opportunities to engage with Ofcom's consultations. Throughout this period, the relevant duties will also begin to come in force:
- 9 November 2023 – draft codes and guidance on illegal harms duties will be published and consulted on. Ofcom's final decision will be made in Autumn 2024.
- December 2023 – draft guidance on age assurance for online pornography services and other interested stakeholders to be published and consulted on.
- Spring 2024 – further consultations on child safety duties. Ofcom's final decision will be made in Spring 2025.
- Spring 2025 – Draft guidance and consultation on protecting women and girls.
For services that will be categorised under the Act, there are additional duties relating to transparency reporting and user empowerment. Service providers meeting the conditions for Categories 1, 2A or 2B will be those considered to comprise the largest and highest risk user-to-user or search services. The timeline for implementation and opportunities to engage are:
- Q1 2024 – Ofcom provides advice to the Secretary of State on categorisation.
- Spring 2024 – Draft guidance on transparency reporting will be published and consulted on. The first transparency notices will be issued by Ofcom in mid-2025.
- Spring 2024 – Consultations on qualifying revenue thresholds to determine liability for fees under the Act.
- By the end of 2024 – Thresholds for service categorisation laid before Parliament and approved. Ofcom to publish the register of categorised services.
- Q1 2025 – Draft codes for categorised services published and consulted on. Ofcom's final decision will be made in Winter 2025.
Finalised codes of practice are expected to be approved by Parliament and come into force over 2024-2026, and fees (for those meeting the thresholds) will become payable in 2026/2027.
Your business is in scope – what should your priorities be?
With the codes of practice forming a vital part of how the Act will be enforced, producing detailed and effective contributions to each consultation is an important step. Engaging at this stage will also help your business identify how Ofcom will approach its role and what steps – if any – your business may need to take to prepare for the imposition of the duties.
Even if you do not engage with the consultations, the approval of each code of conduct by Parliament will also mark when the corresponding duty becomes enforceable by Ofcom. Staying on top of each implementation phase will ensure you know when and if any changes need to be made to your service's content moderation policies.
Additionally, risk assessments for illegal harms and the protection of children will need to be completed within three months of Ofcom's final statement setting out the final version of each set codes and guidance. This may mean that a risk assessment must be completed by services before the duty comes into force.
For all regulated services, the impending consultation on illegal harms duties means that taking stock of your risk assessment, detection and enforcement measures should be a high priority. After the illegal harms consultation, regularly engaging with Ofcom's consultations and reviewing its publications should be considered a key part of your service's compliance and policy programme to ensure you stay up to date with requirements.
With all this in mind, the Act is not a 'big bang' of regulatory changes, but it marks the beginning of a long process. The best action your business can take is to remain engaged throughout every stage.
The legal position on encrypted content remains unclear
During the Act's progression through Parliament, Ofcom's power to notify service providers to use "accredited technology" to identify terrorism and/or child sexual exploitation and abuse ("CSEA") content, including in private messaging, attracted much controversy. While the government appeared to back down by stating that Ofcom's powers to use the "spy clause" could only apply where relevant technology existed, the clause remained in the bill and is now in the Act.
Ofcom has stated that it intends to consult on the framework for its use of powers to require services to use or develop "accredited technology" in 2024. Although this does not explicitly depart from the Government's messaging, it suggests that this controversial element of the Act will remain a talking point. Service providers, particularly those employing end-to-end encryption, should keep an eye out for the accredited technology consultation in 2024.
Readers based in the US who would like more information on the Online Safety Act from a US perspective, please contact Mark Webber at our Silicon Valley Office.
With thanks to Trainee Solicitor Jonathan Comfort, co-author of this article.
Sign up to our email digest