This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 2 minute read

Online safety: Pushing the boundaries of the Data Protection Top Ten

Last October saw the introduction of the Online Safety Act, a landmark piece of legislation aimed at significantly improving internet safety and the UK’s answer to the EU’s Digital Services Act.

Last October saw the introduction of the Online Safety Act, a landmark piece of legislation aimed at significantly improving internet safety and the UK’s answer to the EU’s Digital Services Act.

Despite the UK government’s bold claims that the OSA will make the UK ‘the safest place in the world to be online’, some might question the OSA’s place in this year’s data protection ‘top 10’—it isn’t even data protection legislation after all! Yet considering its remit, covering matters such as age assurance and protecting children online, there’s clear overlap with data protection laws, including the ICO’s Age Appropriate Design Code, and protecting a user’s privacy is undoubtedly paramount to ensuring their safety online. Notably, the ICO and Ofcom issued a new joint statement on 1st May, which builds on their earlier joint statement published in 2022. The statement confirms the regulators’ commitment to protecting users online and sets out their plans to collaborate where data protection and online safety intersect, with the aim of ensuring consistency across both regimes.

Who is subject to the OSA?

The OSA places obligations on two key categories of online service providers: user-to-user services (including social media platforms, online gaming sites and video-sharing services) and search services (i.e. services incorporating a search engine). In recent years, many big players in these categories have borne the brunt of data protection regulators’ investigation and enforcement activities. They may be less than delighted at the prospect of another regulatory regime alongside the EU’s Digital Services Act.

Though it’s UK legislation, the OSA also has an extraterritorial scope, covering services that have a significant number of UK users, services that are actively targeting the UK market, and services that are accessible from the UK, which present a ‘material risk of significant harm’ to UK users.

What are the OSA obligations?

Organisations caught by the OSA will have many new obligations to get to grips with. At its core, the OSA mandates a proactive approach to user online safety, focusing on preventing illegal content and, specifically shielding children from broader forms of other harmful content. This is a far cry from the current legal regime, which only provides that service providers must promptly remove unlawful content once aware of it.

Service providers must conduct risk assessments, implement measures to counter illegal and harmful content, and employ effective age verification mechanisms to protect children from inappropriate material. However, it should be noted that these obligations will not enter into force until Ofcom, the OSA regulator, has published corresponding guidance and codes of practice. Ofcom is taking a phased approach to this task, with its first draft guidance and consultation relating to illegal harms issued towards the end of last year.

Looking ahead

Ofcom has published a roadmap of guidance, codes of conduct consultations, reports and other actions intended to support the implementation of the OSA, which runs until the end of 2026. Its latest consultation, relating to protecting children from online harms, was published on 8th May. By spring 2025, we can expect to see the first OSA obligations come into force, with Ofcom’s OSA enforcement activity anticipated to commence later that year. Answers on a postcard for which organisations might be at the top of its hitlist, but with fining powers even greater than the ICO’s, we could see Ofcom delivering some seriously hefty penalties over the next few years.

Until then, Ofcom will have to make do with flexing gits muscles against video-sharing platforms only, as existing obligations are in place to protect users against harmful videos under Ofcom’s ‘VSP Framework’. In force since 2020, the OSA regime will ultimately absorb this framework.

This article is part of our Data Protection Top 10 2024 publication.

Subscribe to receive our latest insights - on the topics that matter most to you - direct to your inbox, at your preferred frequency. Subscribe here

Tags

dptop10_2024, online safety act, technology, online safety, data protection and privacy, article