The OSA became law on 26 October 2023, with a phased approach to implementation, overseen by Ofcom. The OSA makes online service providers that allow users to share content or interact with each other, and search services, legally responsible for keeping people, especially children, safe online. This includes social media services, online marketplaces, review services, discussion forums and gaming services. Ofcom’s initial analysis suggests that more than 100,000 online services could be subject to these new rules.
All in-scope online services1 have new duties to protect UK users by assessing risks of harm, and taking steps to address them, especially in the form of:
VSPs - transition from the existing regime
The OSA will repeal the existing VSP regime, which was introduced in November 2020 and designed to protect users from videos containing harmful material (Ofcom has described this regime as ‘an effective testbed for how online safety regulation can work in practice2’). At the time of writing, there are 19 regulated VSPs in the UK. The position for these pre-existing VSPs is more complicated: since 10 January 2024, they have been in a transition period during which they are subject to both the VSP regime and specific duties under the OSA regime, such as the requirement to complete the above listed risk assessments. During the transition period, VSPs may not be subject to all of Ofcom’s enforcement powers under the OSA. Ofcom still has powers to regulate and enforce against UK-based VSPs.
Earlier this year, Government set 2 September 2024 as the ‘assessment start date’, marking the start of the six months’ notice period after which the VSP regime can be repealed. This date is also when pre-existing VSP services should have started to prepare for the abovementioned risk assessments of their services, in line with their OSA duties. The VSP regime is likely to come to an end in the first half of 2025, with all pre-existing VSPs fully transitioning to the OSA.
Details of the anticipated timeframes for completion of the required risk assessments for all online services within scope of the OSA are set out in Figure 1 below.
Figure 1 – timeline for completion of OSA risk assessments
In its recent ‘Implementing the Online Safety Act: progress update’3, Ofcom outlined its current position on enforcement, stating (amongst other things) that:
The penalty provisions of the OSA are significant, with Ofcom having the power to fine non-compliant companies up to 10% of qualifying worldwide revenue or £18 million, whichever is greater. In extreme cases, it can also prevent a company from doing business in the UK.
There are a number of overarching objectives that should be an important part of an organisation’s approach to risk management. First, a successful approach should clearly define the organisation’s appetite for risk (often expressed through delegations of authority or investment requirement) and define clear accountability for risk management, aligning risk management to performance management. It is also important to focus effort on risk management activities, not just risk appetite. Finally, risk management activities should be integrated into day-to-day business processes, recognising that different types of risk require different risk management approaches (although one activity may address many risks).
From our experience of working with large online platforms on both OSA compliance and EU Digital Services Act compliance, we identify the following five best practices that all services within the scope of the UK’s new online safety regime can adopt when performing the required risk assessments under the OSA. These best practices are set out in Figure 2, below.
Figure 2 – best practices when conducting OSA risk assessments
Our case studies examine how two fictional online companies operating in the UK - GameWatch and ItemExchange - could comply with their risk assessment duties under the OSA. Both companies are user-to-user (‘U2U’) services, and each has fewer than a million UK users.
GameWatch is an online service that allows users from the age of 13 to upload and watch streamed video game content. It is currently a VSP, subject to the transitioning VSP regime.
ItemExchange is an online forum for users to buy and sell a range of goods, allowing a range of message content to be shared in the process. It has not been subject to the VSP regime. ItemExchange is considering introducing an AI-enabled tool to help SMEs manage their sales on its platform and to allow buyers to compare prices of goods across the web.
In Figure 3 below, we set out actions common to both GameWatch & ItemExchange relevant to complying with OSA requirements, including risk assessments. In Figure 4 below, we set out additional and specific considerations that will be required for each company, given their different online service business models.
Figure 3: OSA risk assessment actions common to both GameWatch & ItemExchange
Figure 4: Specific OSA risk assessment actions required by each of GameWatch & ItemExchange
The OSA signals a new era in how online safety will be regulated in the UK, with risk assessments being an integral part of the new regime. By carrying out these assessments, online services should have a clear understanding of risks of harm to their users and the effective risk management processes they should put in place as a result.
For online services that have not yet prepared to carry out these risk assessments, it is important to start now. By leveraging the abovementioned best practices, services can identify an approach that achieves the required compliance objectives, enhancing confidence and trust among their users in the process.
Footnotes:
1 Additional requirements apply to ‘Categorised Services’ – i.e. large online services that meet certain criteria related to their number of users or risk of harm – which we do not cover here.
2 Implementing the Online Safety Act: progress update, 17 October 2024
3 Implementing the Online Safety Act: progress update, 17 October 2024