Meeting illegal harms safety duties under the Online Safety Act – how to navigate Ofcom's proposals for user-to-user services

The UK's Online Safety Act (OSA) came into force on 26 October 2023.  Among other things, it places a range of safety duties on user-to-user (U2U) services in relation to illegal and certain types of harmful online content (as covered here). Much of the detail around compliance is to be set out by Ofcom in Codes of Practice and guidance. 

Ofcom published its consultation on protecting people from illegal harms online on 9 November 2023. This is the first of four major consultations planned by Ofcom over the next 18 months under the OSA.  The OSA is a complex piece of legislation and this first consultation runs to over 1500 pages and jumps around so that, for example, there is information on compliance with illegal harms safety duties for U2U services in a number of areas, including:

• Consultation at a glance – Table 1
• Volume 4 – how to mitigate the risk of illegal harms – the illegal content codes of practice
• Annex 7 – draft illegal content Code of Practice for user-to-user services.

These sections have to be read in conjunction with all the information about types of illegal content, duties and risk assessments – in other words, it is hard to 'cherry pick' your way through the consultation.

So how do U2U services get to grips with this?  There are some parts of the consultation which are particularly important when trying to work out whether you will actually need to meet illegal harms safety duties and how Ofcom recommends you meet those which apply to you.

Table 1 – measures proposed for U2U services

The starting point for U2U services is currently Table 1 in the Consultation at a glance (Table 1).The table summarises the various duties and the type of services which are likely to have to comply with them.  Ofcom proposes the introduction of a new range of criteria which are not set out in the OSA itself by classifying compliance requirements in relation to the size of the service, and the level of risk for illegal harms.

Table 1 divides services as follows:

Size

• Large services – an average user base greater than 7m per month in the UK approximately equivalent to 10% of the population
• Smaller services – those which are not large, including services provided by small and micro-businesses.

The way user numbers are to be calculated is set out in Annex 7 (see below).

Risk level

• Low risk – low risk for all kinds or illegal harms as identified in the relevant risk assessment
• Specific risk – a service assessed as being medium or high risk for a specific kind of harm for which Ofcom proposes a particular measure. A service may have a single or many specific risks. Different harm-specific measures are recommended for different types or risk, however, Ofcom is not proposing harm-specific measures for specific risks of each kind of harm.
• Multi-risk – a service that faces significant risks for illegal harms in relation to which proposed measures are intended to cover illegal harms more generally rather than being targeted at specific risks. Ofcom provisionally proposes defining multi-risk services as those which are assessed as being medium or high-risk for at least two different kinds of priority illegal harms (the priority illegal harms are set out in the draft risk assessment guidance).

Volume 4 – protecting people from illegal harms online

Volume 4 of the consultation which runs to 370 pages, discusses how to mitigate the risk of illegal harms and explains the draft illegal content Codes of Practice.  Ofcom explains that while it is required to produce three sets of Codes of Practice for Part 3 services, it considers it more helpful to include all the information, whether relating to CSEA content, terror and/or other duties, in a single document, a draft of which is set out in Annex 7 (the Code).  This Code covers measures for compliance with illegal content safety duties (in ss10 and 24 of the OSA), content reporting so far as they relate to illegal content (ss2- and 31), and complaints procedures, (ss21 and 32).  The Code specifies which measures are part of all three Codes of Practice and which are part of a subset or aimed at addressing a specific harm.

Services which implement the measures set out in the Code will be treated as complying with the relevant safety duty – although this will not be the only way to comply.

In addition to the categories contained in Table 1, Volume 4 explains that the functionality or user base of the service is also relevant.  For example, some of the measures to reduce grooming in U2U services only apply if there are children using the service and if the service has relevant functionalities including user connections or direct messaging.

Most of this volume explains in detail the thinking behind the approaches taken in the Code.  You need to read through the various options considered by Ofcom in order to understand the provisional conclusions so it's probably not the best starting point.  Rather, it's best to go to the Code itself and then look back to Volume 4 for more explanation of measures which look as though they will apply to your services.

Annex 7 – draft illegal content Codes of Practice for U2U services

The Code itself starts off with another set of tables.  These are similar to but not the same as Table 1.  They index recommended measures according to:

• The services to which they apply (by size and risk)
• The Codes or Practice in which they are included (CSEA, Terrorism and/or other duties), and
• The duties to which they relate (by section of the OSA).

Unhelpfully, the description of the relevant measure (referred to as "proposed measure" in Table 1 and "recommended measure" in the Code), is more detailed in Table 1 than it is in the Code.  As a result, Table 1 is more useful (particularly if you are a low risk or smaller service) for working out which obligations are likely to apply to you and what measures you are likely to have to take.  However, the Code itself is more useful for understanding which Code of Practice and to which specific duties under the OSA a relevant measure applies.  At least the relevant measures have the same numbering so cross referencing is not as painful as it might have been.  Alternatively, the recommended measures are set out in fuller detail in the body of the Annex, again using the same numbering system.

A second table contains relevant definitions used in the Code.  This is helpful up to a point but also potentially confusing.  This is because some terms are defined in italics and others are not.  Broadly, the non-italicised terms are either not used or are not defined in the OSA itself whereas the italicised terms are. Where the definitions are in italics, the OSA definitions take precedence in the event of any conflict.  Where they are not in italics and are defined differently in the Code and the OSA, the definition in the Code applies.  Another unhelpful element is that some definitions are not included in full, for example the definition of "Internet service", in which case you need to refer back to the OSA for the full definition.

A further table sets out the priority offences, and a final section deals with how to determine user numbers which are relevant for deciding whether you are a large or smaller service as follows:

• A service it to be treated as having more than a particular number of monthly UK users from such time as the number of monthly UK users of the U2U part of the service is more than the number in question and until such time as that number is at or below the specified number for a continuous period of six months.
• The number of monthly UK users of the U2U part of the service is the mean number of UK users per month calculated for the period of 12 months ending with the month preceding the time in question, or, if the service has not been in operation for that period, the period for which the service has operated.

When will this apply?

The process or finalising the Code and for it coming into force and then effect is as follows. The consultation closed on 23 February 2024.  Ofcom now has to consider and take into account responses before producing its final regulatory documents and conclusions.  It then submits a Statement to the Secretary of State who may set out further requirements via directions where there are exceptional reasons to do so (within defined parameters).  Once the Secretary of State is happy with the Code, it is laid before Parliament.  Unless either House resolves not to approve it within 40 days, Ofcom will issue the Code and it and the duties to which it relates will come into force 21 days later.

Ofcom sets out more detail about implementation of Codes of Practice and provides non-binding guidance on when services are expected to adopt the measures they propose in Volume 6 of the illegal harms consultation.  While the illegal harms duties come into force 21 days after the Code is published, understanding what you need to do will depend to a large degree on the results of the illegal content risk assessment and, where relevant, the children's access, and potentially children's risk assessment. Services have three months from publication of final guidance on those to carry them out.

It's slightly unclear whether these interdependencies will work seamlessly, however, Ofcom recognises (see Volume 6) that services will need time to understand the new regulations and to assess and adapt their systems when the relevant Codes of Practice and guidance come into effect. It will therefore focus its efforts on working with services to help them understand what they need to do to come into compliance.  As a result, Ofcom does not expect to take enforcement action in the earliest stages of the regime, except for serious breaches of duties.

What to do now

It's too early to know exactly what compliance will look like but it is possible to get an idea of the illegal harms duties likely to apply to your U2U services and the measures you are likely to have to take if you want to achieve compliance by implementing the illegal harms Code of Practice.  Taking the following steps may be one way to start:

• Step 1: are you a U2U service?
• Step 2: are you likely to be a smaller or large service?
• Step 3: is your service likely to be low, specific or multi-risk?
• Step 4: use a combination of Table 1 and the Index of recommended measures in Annex 7 to produce your own table of compliance points in relation to illegal harms and begin to scope out how to achieve the recommended measures.

Note that the next consultation will focus on child safety and the final phase will be on additional duties for categorised services, so for many in-scope services, following these steps will only help create part of the compliance picture.

For more on the OSA and the EU's Digital Services Act, and how we can help, see here.

You can access Part 1 of our Interface content on the OSA here, Part 2 here, and our full range of content on the OSA and the DSA here.