An Act to make provision for and in connection with the regulation by OFCOM of certain internet services; for and in connection with communications offences; and for connected purposes.
The Online Safety Act 2023[1][2][3] (c. 50) is an act of the Parliament of the United Kingdom to regulate online speech and media. It passed on 26 October 2023 and gives the relevant Secretary of State the power, subject to parliamentary approval, to designate and suppress or record a wide range of speech and media deemed "harmful".[4][5]
The act requires platforms, including end-to-end encrypted messengers, to scan for child pornography, despite warnings from experts that it is not possible to implement such a scanning mechanism without undermining users' privacy.[6]
The act creates a new duty of care of online platforms, requiring them to take action against illegal, or legal but "harmful", content from their users. Platforms failing this duty would be liable to fines of up to £18 million or 10% of their annual turnover, whichever is higher. It also empowers Ofcom to block access to particular websites. It obliges large social media platforms not to remove, and to preserve access to, journalistic or "democratically important" content such as user comments on political parties and issues.
The bill that became the act was criticised for its proposals to restrain the publication of "lawful but harmful" speech, effectively creating a new form of censorship of otherwise legal speech.[7][8][9] As a result, in November 2022, measures that were intended to force big technology platforms to take down "legal but harmful" materials were removed from the bill. Instead, tech platforms are obliged to introduce systems that will allow users to better filter out the "harmful" content they do not want to see.[10][11]
The act grants significant powers to the secretary of state to direct Ofcom, the media regulator, on the exercise of its functions, which includes the power to direct Ofcom as to the content of codes of practice.[vague] This has raised concerns about the government's intrusion in the regulation of speech with unconstrained emergency-like powers that could undermine Ofcom's authority and independence.
Provisions
Scope
Within the scope of the act is any "user-to-user service". This is defined as an Internet service by means of which content that is generated by a user of the service, or uploaded to or shared on the service by a user of the service, may be read, viewed, heard or otherwise experienced ("encountered") by another user, or other users. Content includes written material or messages, oral communications, photographs, videos, visual images, music and data of any description.[12]
The duty of care applies globally to services with a significant number of United Kingdom users, or which target UK users, or those which are capable of being used in the United Kingdom where there are reasonable grounds to believe that there is a material risk of significant harm.[12]
The idea of a duty of care for Internet intermediaries was first proposed in Thompson (2016)[13] and made popular in the UK by the work of Woods and Perrin (2019).[14]
Duties
The duty of care in the act refers to a number of specific duties to all services within scope:[12]
The illegal content risk assessment duty
The illegal content duties
The duty about rights to freedom of expression and privacy
The duties about reporting and redress
The record-keeping and review duties
For services 'likely to be accessed by children', adopting the same scope as the Age Appropriate Design Code, two additional duties are imposed:[12]
The children's risk assessment duties
The duties to protect children’s online safety
For category 1 services, which will be defined in secondary legislation but are limited to the largest global platforms, there are four further new duties:[12]
The adults' risk assessment duties
The duties to protect adults’ online safety
The duties to protect content of democratic importance
The duties to protect journalistic content
Enforcement
This would empower Ofcom, the national communications regulator, to block access to particular user-to-user services or search engines from the United Kingdom,[15][16][17] including through interventions by internet access providers and app stores. The regulator will also be able to impose, through "service restriction orders", requirements on ancillary services which facilitate the provision of the regulated services.
The act lists in section 92 as examples (i) services which enable funds to be transferred, (ii) search engines which generate search results displaying or promoting content and (iii) services which facilitate the display of advertising on a regulated service (for example, an ad server or an ad network). Ofcom must apply to a court for both Access Restriction and Service Restriction Orders.[12] Section 44 of the act also gives the Secretary of State the power to direct Ofcom to modify a draft code of practice for online safety if deemed necessary for reasons of public policy, national security or public safety. Ofcom must comply with the direction and submit a revised draft to the Secretary of State. The Secretary of State may give Ofcom further directions to modify the draft, and once satisfied, must lay the modified draft before Parliament. Additionally, the Secretary of State can remove or obscure information before laying the review statement before Parliament.[18]
Limitations
The act has provisions to impose legal requirements ensuring that content removals do not arbitrarily remove or infringe access to what it defines as journalistic content.[15] Large social networks would be required to protect "democratically important" content, such as user-submitted posts supporting or opposing particular political parties or policies.[19] The government stated that news publishers' own websites, as well as reader comments on such websites, are not within the intended scope of the law.[15][17]
Age verification for online pornography
Section 212 of the act repeals part 3 of the Digital Economy Act 2017, which demands mandatory age verification to access online pornography but was subsequently not enforced by the government.[20] The act will include within scope any pornographic site which has functionality to allow for user-to-user services, but those which do not have this functionality, or choose to remove it, would not be in scope based on the draft published by the government.[12]
Addressing the House of Commons DCMS Select Committee, the Secretary of State, Oliver Dowden, confirmed he would be happy to consider a proposal during pre-legislative scrutiny of the act by a joint committee of both Houses of Parliament to extend the scope of the act to all commercial pornographic websites.[21] According to the government, the act addresses the major concern expressed by campaigners such as the Open Rights Group[22] about the risk to user privacy with the Digital Economy Act 2017's[23] requirement for age verification by creating, on services within scope of the legislation, "A duty to have regard to the importance of... protecting users from unwarranted infringements of privacy, when deciding on, and implementing, safety policies and procedures."[12]
In February 2022 the Digital Economy Minister, Chris Philp, announced that the bill (as it then was) would be amended to bring commercial pornographic websites within its scope.[24]
The draft bill was given pre-legislative scrutiny by a joint committee of Members of the House of Commons and peers from the House of Lords. The Opposition Spokesperson, Lord Ponsonby of Shulbrede, in the House of Lords said, "My understanding is that we now have a timeline for the online harms Bill, with pre-legislative scrutiny expected immediately after the Queen’s Speech—before the Summer Recess—and that Second Reading would be expected after the Summer Recess."[27] But the Minister replying refused to pre-empt the Queen's Speech by confirming this.
In early February 2022, ministers planned to add to their existing proposal several criminal offences against those who send death threats online or deliberately share dangerous disinformation about fake cures for COVID-19. Other new offences, such as revenge porn, posts advertising people-smuggling, and messages encouraging people to commit suicide, would fall under the responsibilities of online platforms like Facebook and Twitter to tackle.[28]
In September 2023, during the third reading in the Lords, Lord Parkinson presented a ministerial statement from the government claiming the controversial powers allowing Ofcom to break end-to-end encryption would not be used immediately.[6] Despite the government's claim the powers will not be used, the provisions pertaining to end-to-end encryption weakening were not removed from the act and Ofcom can at any time issue notices requiring the breaking of end-to-end encryption technology. This followed statements from several tech firms, including Signal, suggesting they would withdraw from the UK market rather than weaken their encryption.
Support
The UK National Crime Agency, part of the Home Office, has said the act is necessary to protect children.[29]
The NSPCC has been a prominent supporter of the act, saying it will help protect children from abuse.[30] The Samaritans, that had made strengthening the act one of its key campaigns "to ensure no one is left unprotected from harmful content under the new law"[31] gave the final act its qualified support, also saying the act fell short of the promise to make the UK the safest place to be online.[32]
Opposition
The international human rights organization Article 19 stated that they saw the Online Safety Act 2023 as a potential threat to human rights, describing it as an "extremely complex and incoherent piece of legislation".[33] The Open Rights Group described the Online Safety Bill (OSB) as a "censor's charter".[34]
During an interview for the BBC, Rebecca MacKinnon, the vice president for global advocacy at the Wikimedia Foundation, criticised the OSB, saying the threat of "harsh" new criminal penalties for tech bosses would affect "not only big corporations, but also public interest websites, such as Wikipedia".[35] In the same instance, MacKinnon argued the act should have been based on the European Union's Digital Services Act, which reportedly included differences between centralised content moderation and community-based moderation.[35] In April 2023, both MacKinnon and the chief executive of Wikimedia UK, Lucy Crompton-Reid, announced that the WMF did not intend to apply the age-check requirements of the act to Wikipedia users, stating that it would violate their commitment to collect minimal data about readers and contributors.[36][37] On 29 June of the same year, WMUK and the WMF officially published an open letter, asking the government and Parliament to exempt "public interest projects", including Wikipedia itself, from the OSB before it entered its report stage, starting on 6 July.[38][39]
Apple Inc. criticised legal powers in the OSB which threatened end-to-end encryption on messaging platforms in an official statement, describing the act as "a serious threat" to end-to-end encryption, and urging the UK government to "amend the Bill to protect strong end-to-end encryption".[40][41]
Meta Platforms has criticised the plan, saying, "We don't think people want us reading their private messages ... The overwhelming majority of Brits already rely on apps that use encryption to keep them safe from hackers, fraudsters and criminals".[29] Head of WhatsApp Will Cathcart voiced his opposition to the OSB, stating that the service would not compromise its encryption for the proposed law and saying "The reality is, our users all around the world want security – ninety-eight percent of our users are outside the UK, they do not want us to lower the security of the product and just as a straightforward matter, it would be an odd choice for us to choose to lower the security of the product in a way that would affect those ninety-eight percent of users."[42][43] He also stated in a tweet that scanning everyone's messages would destroy privacy.[44]
In February 2024, the European Court of Human Rights ruled, in an unrelated case, that requiring degraded end-to-end encryption "cannot be regarded as necessary in a democratic society" and was incompatible with Article 6 of the European Convention on Human Rights. This decision may potentially form part of the basis of legal challenges to the Online Safety Act 2023.[45]