Quick Hits
- The United Kingdom enacted the Online Safety Act, which requires the regulation of online content and activity deemed harmful to individuals, especially children.
- The OSA will impose legal obligations on user-to-user services and search services.
- Businesses will now have a duty to prevent and remove illegal content from their services.
The enforcement of the OSA’s provisions on online services will fall under the purview of the UK Office of Communications (Ofcom), which will gradually release its guidance and codes of practice from November 2023.
What is the OSA?
The OSA aims to regulate online content or activities that are deemed harmful to individuals, especially children. The OSA offers online users more control over online content, particularly by mandating firmer protections for children and directly placing legal responsibility on online services to prevent and remove harmful content.
To whom does the OSA apply?
In addition to online service providers, the OSA imposes legal obligations on “user-to-user services” and “search services.”
“User-to-User Services” are services where content is generated, uploaded, or shared on the service by other service users. This includes services such as social media platforms, online marketplaces, dating services, and online discussion forums.
“Search Services” are search engines that enable users to search numerous websites and databases.
Legal obligations are also applicable outside of the UK, if:
- the service has a significant number of UK users;
- the UK is the target market for the service; or
- the service can include UK users and there are reasonable grounds to believe that UK individuals are at material risk of significant harm.
Businesses that are included under the scope of the OSA will be categorised by Ofcom depending on their scale and nature, with “Category 1” services carrying the most legal obligations.
What does the OSA mean for UK businesses?
Businesses will now have a duty to prevent and remove illegal content from their services. Implementing this duty will involve businesses maintaining a clear understanding of what constitutes illegal content under the OSA. In addition, businesses will be required to conduct an “illegal content risk assessment” and include provisions in a comprehensive and user-accessible “terms of service” to indicate how they are protecting users, as well as their methods of risk mitigation. Service users will also be able to report illegal content. As such, services will require appropriate reporting systems and complaints procedures on which service providers can take appropriate action and remove any illegal content.
Similarly, businesses will have a duty to prevent and remove fraudulent advertising—if a user encounters any such content, the length of time that it is visible must be minimised, and if a user reports fraudulent content it must be swiftly removed.
Businesses will have a responsibility under the OSA to include features within their services that allow users to control and manage any harmful content. This involves carrying out a separate risk assessment to ensure that the user’s right to freedom of expression and right to privacy are not impacted. The OSA requires all risk assessments and preventative measures to be kept in a written record.
The OSA contains further duties for services that are “likely to be accessed by children”; these duties are more stringent than the duties required for adults. The extent of what the OSA means for businesses and the specific requirements of the aforementioned obligations will be subject to the size, scope, and nature of the service and its categorisation by Ofcom.
Failure to comply with OSA duties may result in fines of up to £18 million or 10 percent of a business’s “qualifying worldwide [annual] revenue”—whichever is higher. Under the OSA, corporate officers who fail to take “all reasonable steps” to ensure compliance could face up to two years of imprisonment.
Key Takeaways
The OSA will apply to a variety of online services and obligations differ depending on the businesses category.
Businesses may want to remain current with codes of practise as they are released and anticipate any potential amendments to continue compliance and fulfil the duties set out under the OSA.
Ogletree Deakins’ London office will continue to monitor developments and will provide updates on the Cross-Border and Cybersecurity and Privacy blogs as information becomes available.
Simon J. McMenemy is the managing partner of the London office of Ogletree Deakins, and he is the chair of the firm’s Cybersecurity and Privacy Practice Group.
Lorraine Matthews is a data protection and cybersecurity practice assistant in the London office of Ogletree Deakins.