The Online Safety Act 2023: What Does it Mean for Data Protection?
What is the Online Safety Act?
The OSA (Online Safety Act) originates from a white paper published in April 2019, with the Bill introduced to Parliament in March 2022. It has been a long time in the making and has been fiercely contested, but on 19 September 2023 the Bill was finally approved by the Houses of Parliament, and it received Royal Assent on 26 October 2023.
The purpose of the OSA is to create and enforce a safer online environment, predominantly for children but also vulnerable adults. It aims to make the large social media companies and search engines more responsible for the safety of their users, but any organisation offering an online service could be in its scope.
What types of organisations will it apply to?
The OSA applies to user-to-user services, search services and any service that publishes pornographic content.
User-to-user services are those that host user-generated content (i.e. any service that allows users to post their own content online or interact with other users). Search services are search engines, such as Google, but also services that enable users to search various websites or systems.
There are some service types listed as exempt in Schedule 1, including email, SMS, MMS and one-to-one communication, internal business services and limited functionality services, and business-to-customer interactions.
What will it cover?
The OSA is aimed at:
- Removing illegal content (e.g. content including sexual exploitation, terrorism, child sexual abuse, hate crime, fraud, anything inciting violence) from online services;
- Preventing content that is harmful to children (e.g. pornographic content, content that depicts or encourages serious violence, bullying content) from services they might access; and
- Applying measures to protect (vulnerable) adults (e.g. putting in place measures to prevent illegal activity and remove illegal content, removing banned content, enforcing age limits and age-checking mechanisms, and providing clear and accessible ways to report problems online).
The new law will require organisations to assess how they might allow abusers to create anonymous profiles and take steps to ban repeat offenders, such as preventing them from creating new accounts and limiting what new or suspicious accounts can do.
What does the OSA say about personal data?
All the references to data protection in the OSA are in connection with deciding on and implementing safety measures and policies, and require organisations to have regard to their users’ right to privacy and the level of risk for users when engaging with specific technology.
Put another way, the OSA reminds organisations of their responsibilities to balance the requirements of the proposed law against the right to privacy. Organisations are required to protect users from a breach of any statutory provision or rule of law concerning privacy.
How will it be enforced?
Organisations affected by the law are required to demonstrate to Ofcom what processes they have in place to meet the legal requirements, and the regulator will check the effectiveness of those processes. This is not unlike the role of the ICO (Information Commissioner’s Office) in respect of data protection compliance.
Ofcom has powers to act against non-compliant organisations. They could be fined up to £18 million or 10% of their annual global turnover, whichever is greater. Criminal action will be taken against senior managers who fail to follow information requests from Ofcom, and the regulator will be able to hold organisations and senior managers criminally liable if they fail to comply with its enforcement notices. In extreme cases, Ofcom will be able to require payment providers, advertisers and Internet service providers to stop working with a site, preventing it from generating money or being accessed in the UK.
Ofcom is able to act regardless of where the organisation is based, provided its services are accessible to UK users, much like the extraterritorial effect of the GDPR.
It remains to be seen how effective Ofcom will be at enforcing this law. As the regulator for communications services, it already takes responsibility for broadband, home telephone and mobile services, TV and radio, and the universal postal service. To take on online services too, and the likes of Facebook and Google, it will likely need a hefty cash injection and a serious increase in its staffing. While the ethical and moral justifications for the OSA are to be applauded, it seems to generally sit at odds with the government’s rhetoric of the UK, in a post-Brexit world, undertaking a digital transformation and becoming a haven for big tech. The major online service providers will no doubt view additional regulation as restrictive and will likely claim that this law stifles their innovation.
How can we prepare?
We can safely predict that there will be a grace period before the heavily publicised, substantial fines are levied because Ofcom has consultative work to undertake and guidance to produce. However, there are still lots of things you can do before this guidance is issued if you think your organisation might fall within the OSA’s remit:
- Read the government-issued guide to the OSA that accompanied its passage through Parliament.
- Review data mapping and records of processing activities to refresh your understanding of your purposes for processing, the processing activities you undertake and the personal data being processed in the provision of your online services. You should be doing this regularly anyway as part of an effective GDPR compliance programme.
- Review the technical and organisational measures you deploy to protect people’s privacy and personal data. For example, review and, where necessary, update policies and procedures, and engage IT and contracted third parties to review and test your information security mechanisms.
- Review and, if appropriate, refresh any data protection impact assessments you have conducted on the online services you provide. In particular, focus on reviewing the level of risk associated with those services with the specific audiences of children and vulnerable adults in mind.
The above should be undertaken by subject-matter experts within your organisation. We also recommend submitting a report to your decision-makers on the potential likelihood of the OSA applying to the services you provide. This will give you an excellent overview of the current position and the risk exposure to your users, and enable a more effective compliance implementation programme to begin once the Ofcom guidance is ready.
Ensuring compliance with the Online Safety Act
If you believe your organisation is within the scope of the OSA, we can support you with complying with all of its requirements. We can scope the project via either of the services below, or simply contact us to let us know your concerns.

