Reading the Online Safety Act 2023

The Act imposes duties of care on providers of user-to-user services and search services in relation to illegal content, content harmful to children, and content harmful to adults (for certain categorised services), and confers enforcement powers on OFCOM; it also creates new communications offences and requires age verification for pornographic content providers.

Structure

The Act runs to twelve Parts. Part 1 sets out the Act's overview and key concepts. Part 2 establishes the definitions of "internet service", "user-to-user service", "search service", and the thresholds that determine which services are regulated. Part 3 (seven Chapters) imposes duties of care on providers of regulated user-to-user services and regulated search services; it includes distinct regimes for illegal content, content harmful to children, content harmful to adults (for Category 1 and Category 2A services), fraudulent advertising, and children's access assessments (Chapter 4). Part 4 (five Chapters) sets out further provider duties, including user identity verification, mandatory reporting of child sexual exploitation and abuse content (Chapter 2), terms of service transparency, duties concerning deceased child users (Chapter 4), and transparency reporting. Part 5 imposes duties on providers of regulated services in respect of pornographic content, principally age verification. Part 6 authorises OFCOM to charge fees to recover the costs of its regulatory functions. Part 7 (eight Chapters) confers OFCOM's powers and duties: maintaining a register of regulated services (Chapter 2), conducting risk assessments (Chapter 3), information-gathering (Chapter 4), issuing notices to deal with terrorism and CSEA content (Chapter 5), enforcement powers including monetary penalties (Chapter 6), research and reporting (Chapter 7), and media literacy (Chapter 8). Part 8 establishes appeal mechanisms (Chapter 1) and a super-complaints procedure (Chapter 2). Part 9 sets out the Secretary of State's functions in relation to regulated services, including the power to issue guidance and directions to OFCOM. Part 10 creates new communications offences, amending existing provisions in the Malicious Communications Act 1988 and the Communications Act 2003. Part 11 contains supplementary provisions. Part 12 addresses interpretation and final matters, including commencement.

Provisions to read closely

Section 7: Illegal content risk assessment duty "The provider of a regulated user-to-user service must carry out a suitable and sufficient illegal content risk assessment in relation to the service at a time before the service is made available to United Kingdom users, and thereafter at regular intervals." This is the foundational duty for user-to-user services; it obliges providers to assess, before launch and periodically thereafter, the level of risk of individuals encountering illegal content and the risk of the service's design facilitating the presence or dissemination of such content.

Section 12: Safety duties protecting children "The duties set out in subsections (2) to (4) apply in relation to a regulated user-to-user service if the provider's most recent children's access assessment concluded that it is likely that a significant number of users are children… (2) A duty to take or use proportionate measures to prevent individuals who are children from encountering each kind of primary priority content and priority content that is harmful to children." This imposes a graduated duty on services likely to be accessed by children: all such services must prevent children encountering priority harmful content; Category 1 services face additional requirements (subsection (3)) to protect children from non-designated harmful content identified in the provider's own risk assessment.

Section 80: Information notice powers Section 80(1) states: "OFCOM may give a notice to a person (an 'information notice') requiring the person to provide them with information, or a document or other item, specified or described in the notice for the purposes of their functions under this Act." Subsection (4) permits OFCOM to impose time limits and specify the form in which information must be provided. This is the principal investigative power; non-compliance is subject to enforcement under Part 7, Chapter 6.

Section 132: Business disruption measures "Where OFCOM have given a confirmation decision to a person, OFCOM may give a notice to a person ('a business disruption measure') requiring the person to take one or more steps specified in the notice for the purposes of withdrawing, adapting or restricting access to a regulated service in the United Kingdom." The steps may include requiring ancillary service providers (such as payment service providers or hosting providers) to withdraw services from the non-compliant entity (subsection (3)). This power operates where a provider fails to comply with a confirmation decision following a provisional notice of contravention.

Section 159: False communications offence Section 159 repeals Section 127(1) of the Communications Act 2003 and substitutes Section 179 of this Act, which provides: "A person commits an offence if… (a) the person sends a message (whether written or oral)… that the person knows to be false, (b) at the time of sending it, the person intended the message… to cause non-trivial psychological or physical harm to a likely audience, and (c) the person has no reasonable excuse for sending the message." This is a new summary offence (maximum sentence 51 weeks' imprisonment or a fine, or both) replacing the prior "grossly offensive" formulation in Section 127; it requires proof of knowledge, specific intent to harm, and absence of reasonable excuse.

Schedules

The Act contains eleven Schedules. Schedule 1 defines "internet services" and exempted services (including internal business services, cloud storage, and one-to-one live aural communications). Schedule 2 specifies the priority offences (terrorism, child sexual abuse and exploitation, assisting suicide, and others) that determine what constitutes "illegal content". Schedule 3 lists the priority content that is harmful to children, which includes primary priority content (suicide-related, eating disorder-related, certain bullying and abusive content) and priority content (pornographic material, certain depictions of violence). Schedule 4 sets out the content harmful to adults that triggers duties for Category 1 services. Schedule 5 addresses exempt content of news publishers and recognised news publishers. Schedule 6 concerns OFCOM's advisory committee on disinformation and misinformation. Schedule 7 details the information to be included in a children's access assessment. Schedule 8 specifies duties regarding compliance with the Video Recordings Act 1984 classification framework. Schedule 9 governs OFCOM's register of categories of regulated services. Schedule 10 sets out the procedure for appeals to the Upper Tribunal. Schedule 11 establishes the super-complaints procedure, including which entities may bring complaints and the process OFCOM must follow.

What comes next

The Act received Royal Assent on 26 October 2023. Commencement is by order under Section 240; different provisions may be brought into force on different days for different purposes (Section 240(3)). As of the date of this reading, the Act has not been commenced in full; the Secretary of State has made partial commencement orders under Section 240. Readers should consult the individual commencement instruments (not reproduced here) to determine when specific duties and powers come into effect. The Act amends the Communications Act 2003, the Malicious Communications Act 1988, and the Video Recordings Act 1984, among others. It repeals Section 127(1) and (3) of the Communications Act 2003 (Section 162). Cross-references to existing statutory frameworks include the Terrorism Act 2000 and 2006, the Coroners and Justice Act 2009, and the Sexual Offences Act 2003, the offences under which form part of the Schedule 2 list of priority offences.