The Online Safety Bill in final form: What’s on Ofcom’s to-do list

The Online Safety Bill (“OSB”) has completed the Parliamentary process and will be enacted when it receives Royal Assent. That is expected to be in mid to late October, when the current Parliamentary recess ends following the political party conference season in the UK.

Ofcom has a lot to do. It has a very broad range of responsibilities under the OSB and is required to consult widely before exercising various functions. It expects to start publishing various sets of regulatory codes and guidance for consultation immediately after the OSB is enacted. Ofcom’s CEO, Melanie Dawes, confirmed that:

“Very soon after the bill receives Royal Assent, we’ll consult on the first set of standards that we’ll expect tech firms to meet in tackling illegal online harms, including child sexual exploitation, fraud and terrorism”.

In July 2022, Ofcom published a “roadmap to regulation” which set out indicative timelines for the steps Ofcom must take to implement the new regulatory regime. Following a series of delays to the Bill’s passage, including as a result of “tweaks” prompted by changes in Prime Ministers and policy direction (covered in our previous blog here), Ofcom produced an update in June 2023 with a revised implementation timeline.

We take a look at the short, medium and long-term tasks on Ofcom’s to-do list:

Short term: “very shortly” after enactment (i.e. expected to be Autumn 2023)

Ofcom will publish and consult on the following types of regulatory codes and guidance:

• draft codes of practice for the duties to address illegal online content (complying with the codes will demonstrate compliance with the duties);

• a risk assessment in relation to illegal content on online services and “risk profiles” grouping different types of services, based on characteristics that present heightened risk of harm;

• draft guidance to services on how to conduct their own illegal content risk assessments and on how they can identify illegal content;

• draft guidance for services on record keeping; and

• draft guidelines on how Ofcom will approach enforcement.

Ofcom also expects to publish a call for evidence in Autumn 2023 on the additional duties that apply to higher risk services due to be designated in different categories if they satisfy thresholds relating to user numbers, functionalities and features. Those duties are to:

• produce transparency reports;
• protect against fraud ads;
• provide user empowerment tools;
• operate in line with terms of service;
• protect certain types of journalist content and content of “democratic importance”; and
• prevent fraudulent advertising.

Around this time, Ofcom will also consult on its transparency report guidance.

Medium term: (expected to be from Autumn 2023 to Q2 2024)

• Ofcom is expected to publish draft guidance on age assurance “from Autumn 2023” (age estimation or age verification must be used by services to comply with certain of the child safety duties). This guidance will relate only to pornography services but may provide an indication of Ofcom’s expectations on age assurance in relation to the highest risk services.

• Ofcom will publish draft codes of practice relating to the child safety duties around six months after its powers commence (which it expects to be two months after enactment). Alongside this, Ofcom plans to consult on: a register of risks and risk profiles relating to harms to children and draft risk assessment guidance focusing on harms to children.

• The results of Ofcom’s consultations on the thresholds applicable to categorised services will inform Ofcom's advice to government, which it intends to send around six months after Royal Assent. That advice will lead to the Secretary of State setting the thresholds in secondary legislation.

Longer term: (expected to be Q3 2024 onwards)

Ofcom’s implementation of the regime is likely to run well into next year. For example, the duties on categorised services (and Ofcom’s regulatory codes and guidance relating to them), cannot apply until the Secretary of State has designated those services. Ofcom will therefore carry out the following steps in the second half of next year and possibly beyond then:

• Ofcom will publish its register of services (i.e. setting out which service falls into which Category) as soon as possible after the Government publishes its secondary legislation on categorisation.

• Ofcom will also consult on the remaining codes and guidance applicable to categorised services after the register is published.

Next steps for in-scope services providers

Despite running to a few hundred clauses (and pages) in length, the OSB is relatively light on detail in terms of the practical steps services will be expected to take. Ofcom’s codes of practice will underpin the new regime and will operate on a “comply or explain” basis. Demonstrating compliance with the steps “recommended” in a code will be sufficient to satisfy the underlying legislative obligation but service providers will retain the option of taking an alternative approach if they can satisfactorily explain non-compliance with a code.

There is likely to be a raft of documents published by Ofcom for consultation in the coming weeks and months, including some draft codes of practice. This means service providers have a real opportunity to shape the approach taken to implementing the regulatory regime and ensuring it is risk-based and proportionate.

For providers that consider their service, or aspects of it, to be low-risk and wish to avoid the obligations that should be targeted at the highest-risk online features, it will be critical to engage with Ofcom and explain how to tailor the rules to target the most harmful systems and processes and avoid an inadvertent regulatory burden and adverse impact on user rights and experience.

Authored by Telha Arshad, Louis Biggs.