Online Safety Act 2023

PART 1 — Introduction

Introduction

1

• (1) This Act provides for a new regulatory framework which has the general purpose of making the use of internet services regulated by this Act safer for individuals in the United Kingdom.

• (2) To achieve that purpose, this Act (among other things)—

• (a) imposes duties which, in broad terms, require providers of services regulated by this Act to identify, mitigate and manage the risks of harm (including risks which particularly affect individuals with a certain characteristic) from—

• (i) illegal content and activity, and

• (ii) content and activity that is harmful to children, and

• (b) confers new functions and powers on the regulator, OFCOM.

• (3) Duties imposed on providers by this Act seek to secure (among other things) that services regulated by this Act are—

• (a) safe by design, and

• (b) designed and operated in such a way that—

• (i) a higher standard of protection is provided for children than for adults,

• (ii) users’ rights to freedom of expression and privacy are protected, and

• (iii) transparency and accountability are provided in relation to those services.

Overview of Act

2

• (1) Parts 2 to 9 and 11 and 12 of this Act contain provision about the regulation by OFCOM of certain internet services.

• (2) Part 2 contains key definitions, including the definition of a user-to-user service, a search service, a Part 3 service and a regulated service.

• (3) Part 3 imposes duties of care on providers of user-to-user services and search services and requires OFCOM to issue codes of practice about those duties.

• (4) Part 4 imposes further duties on providers of user-to-user services and search services.

• (5) Part 5 imposes duties on providers of internet services (including user-to-user services and search services) that publish certain pornographic content.

• (6) Part 6, which imposes requirements to pay fees to OFCOM, applies to providers of internet services to which the duties in Part 3, 4 or 5 apply (“regulated services”).

• (7) Part 7 is about OFCOM’s powers and duties in relation to regulated services (including powers to obtain information and enforcement powers).

• (8) Part 8 is about appeals and complaints relating to regulated services.

• (9) Part 9 is about the Secretary of State’s functions in relation to regulated services.

• (10) Part 10 contains communications offences.

• (11) Parts 11 and 12 contain supplementary provisions including an index of terms defined in this Act (see section 237).

PART 2 — Key definitions

“User-to-user service” and “search service”

3

• (1) In this Act “user-to-user service” means an internet service by means of which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service.

• (2) For the purposes of subsection (1)—

• (a) it does not matter if content is actually shared with another user or users as long as a service has a functionality that allows such sharing;

• (b) it does not matter what proportion of content on a service is content described in that subsection.

• (3) For the meaning of “content” and “encounter”, see section 236.

• (4) In this Act “search service” means an internet service that is, or includes, a search engine (see section 229).

• (5) Subsections (6) and (7) have effect to determine whether an internet service that—

• (a) is of a kind described in subsection (1), and

• (b) includes a search engine,

is a user-to-user service or a search service for the purposes of this Act.

• (6) It is a search service if the only content described in subsection (1) that is enabled by the service is content of any of the following kinds—

• (a) content mentioned in paragraph 1, 2 or 3 of Schedule 1 (emails, SMS and MMS messages, one-to-one live aural communications) and related identifying content;

• (b) content arising in connection with any of the activities described in paragraph 4(1) of Schedule 1 (comments etc on provider content);

• (c) content present on a part of the service in relation to which the conditions in paragraph 7(2) of Schedule 1 are met (internal business service conditions).

• (7) Otherwise, it is a user-to-user service.

“Regulated service”, “Part 3 service” etc

4

• (1) This section applies for the purposes of this Act.

• (2) A user-to-user service is a “regulated user-to-user service”, and a search service is a “regulated search service”, if the service—

• (a) has links with the United Kingdom (see subsections (5) and (6)), and

• (b) is not—

• (i) a service of a description that is exempt as provided for by Schedule 1, or

• (ii) a service of a kind described in Schedule 2 (services combining user-generated content or search content not regulated by this Act with pornographic content that is regulated).

• (3) “Part 3 service” means a regulated user-to-user service or a regulated search service.

• (4) “Regulated service” means—

• (a) a regulated user-to-user service,

• (b) a regulated search service, or

• (c) an internet service, other than a regulated user-to-user service or a regulated search service, that is within section 80(2) (including a service of a kind described in Schedule 2).

• (5) For the purposes of subsection (2), a user-to-user service or a search service “has links with the United Kingdom” if—

• (a) the service has a significant number of United Kingdom users, or

• (b) United Kingdom users form one of the target markets for the service (or the only target market).

• (6) For the purposes of subsection (2), a user-to-user service or a search service also “has links with the United Kingdom” if—

• (a) the service is capable of being used in the United Kingdom by individuals, and

• (b) there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom presented by—

• (i) in the case of a user-to-user service, user-generated content present on the service or (if the service includes a search engine) search content of the service;

• (ii) in the case of a search service, search content of the service.

• (7) A regulated user-to-user service that includes a public search engine is referred to in this Act as a “combined service”.

“Public search engine” means a search engine other than one in relation to which the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met.

• (8) In this section—

• “search content” has the same meaning as in Part 3 (see section 57);

• “user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).

Disapplication of Act to certain parts of services

5

• (1) This Act does not apply in relation to a part of a Part 3 service if the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met in relation to that part.

• (2) This Act does not apply in relation to a part of a regulated search service if—

• (a) the only user-generated content enabled by that part of the service is content of any of the following kinds—

• (i) content mentioned in paragraph 1, 2 or 3 of Schedule 1 (emails, SMS and MMS messages, one-to-one live aural communications) and related identifying content;

• (ii) content arising in connection with any of the activities described in paragraph 4(1) of Schedule 1 (comments etc on provider content); and

• (b) no regulated provider pornographic content is published or displayed on that part of the service.

• (3) In this section—

• “regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79);

• “user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).

PART 3 — Providers of regulated user-to-user services and regulated search services: duties of care

CHAPTER 1 — Introduction

Overview of Part 3

6

• (1) This Part imposes duties of care on providers of regulated user-to-user services and regulated search services and requires OFCOM to issue codes of practice relating to some of those duties.

• (2) Chapter 2 imposes duties of care on providers of regulated user-to-user services in relation to content and activity on their services.

• (3) Chapter 3 imposes duties of care on providers of regulated search services in relation to content and activity on their services.

• (4) Chapter 4 imposes duties on providers of regulated user-to-user services and regulated search services to assess whether a service is likely to be accessed by children.

• (5) Chapter 5 imposes duties on providers of certain regulated user-to-user services and regulated search services relating to fraudulent advertising.

• (6) Chapter 6 requires OFCOM to issue codes of practice relating to particular duties and explains what effects the codes of practice have.

• (7) Chapter 7 is about the interpretation of this Part, and it includes definitions of the following key terms—

• “content that is harmful to children”, “primary priority content that is harmful to children” and “priority content that is harmful to children” (see sections 60 to 62);

• “illegal content”, “priority offence”, “terrorism content”, “CSEA content” and “priority illegal content” (see section 59);

• “search content” (see section 57).

CHAPTER 2 — Providers of user-to-user services: duties of care

User-to-user services: which duties apply, and scope of duties

Providers of user-to-user services: duties of care

7

• (1) Subsections (2) to (6) apply to determine which of the duties set out in this Chapter (and, in the case of combined services, Chapter 3) must be complied with by providers of regulated user-to-user services.

• (2) All providers of regulated user-to-user services must comply with the following duties in relation to each such service which they provide—

• (a) the duties about illegal content risk assessments set out in section 9,

• (b) the duties about illegal content set out in section 10(2) to (8),

• (c) the duty about content reporting set out in section 20,

• (d) the duties about complaints procedures set out in section 21,

• (e) the duties about freedom of expression and privacy set out in section 22(2) and (3), and

• (f) the duties about record-keeping and review set out in section 23(2) to (6).

• (3) Additional duties must be complied with by providers of particular kinds of regulated user-to-user services, as follows.

• (4) All providers of regulated user-to-user services that are likely to be accessed by children must comply with the following duties in relation to each such service which they provide—

• (a) the duties about children’s risk assessments set out in section 11, and

• (b) the duties to protect children’s online safety set out in section 12(2) to (13).

• (5) All providers of Category 1 services must comply with the following duties in relation to each such service which they provide—

• (a) the duty about illegal content risk assessments set out in section 10(9),

• (b) the duty about children’s risk assessments set out in section 12(14),

• (c) the duties about assessments related to adult user empowerment set out in section 14,

• (d) the duties to empower adult users set out in section 15,

• (e) the duties to protect content of democratic importance set out in section 17,

• (f) the duties to protect news publisher content set out in section 18,

• (g) the duties to protect journalistic content set out in section 19,

• (h) the duties about freedom of expression and privacy set out in section 22(4), (6) and (7), and

• (i) the duties about record-keeping set out in section 23(9) and (10).

• (6) All providers of combined services must comply with the following duties in relation to the search engine of each such service which they provide—

• (a) if the service is not a Category 2A service and is not likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2);

• (b) if the service is not a Category 2A service and is likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2) and (4);

• (c) if the service is a Category 2A service not likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2) and (5);

• (d) if the service is a Category 2A service likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2), (4) and (5).