Recap and background 

As a reminder, the OSA was passed into law in the UK on October 26, 2023, and introduces a range of provisions including new rules and duties applicable to providers of regulated user-to-user services (U2U Services) and/or regulated search services (Search Services) with links to the UK (Part 3 Services). These rules and duties have extraterritorial effect as the scope is determined by the location of users rather than the location of the service provider. 

Duties under the OSA will come into effect in phases, the timing of which is dependent on when relevant further secondary legislation is passed, and codes of practice (COP) and/or guidance are published by Ofcom, the regulatory body appointed to enforce the OSA.  

Ofcom has published a timeline of when it plans to consult on and publish its consultations as required under the OSA. Ofcom has to date published two sets of consultations under the OSA: the Illegal Harms Consultation and its consultation on service providers publishing pornographic content on December 5, 2023 (which is part of 'Phase 2' of its implementation plan). 

Overview of the Illegal Harms Consultation  

At a high level, the IHC consists of six volumes and 16 annexes, spans over 1,700 pages, and covers a range of topics. To assist with the volume of documentation, we have provided a high-level summary of the volumes and annexes below: 

Ofcom comments that its proposals 'reflect research we have carried out over the last three years, as well as evidence gathered through extensive engagement with industry and other experts.' 

This article will cover some of the notable proposals in the IHC that impact providers of Part 3 Services under the OSA. Given the sheer length of the IHC, we are unable to cover all of them in this article.  

Key concepts 

Before considering some of the notable proposals under the IHC, there are some important concepts that are prevalent throughout. We have set some of these out here for context: 

• Service categorization: In the IHC, Ofcom makes distinctions about services based on size and level of risk. The key definitions are as follows: 
  • 'large services' are services with a number of monthly UK users that exceeds 7 million; 
  • 'small services' are services provided by businesses that employ 10 to 49 full-time employees; 
  • 'micro businesses' are businesses that employ one to nine full-time employees; 
  • 'low risk services' are services provided by businesses that assess their services as being at low risk for all kinds of harm in their risk assessments; 
  • 'multi-risk services' are services provided by businesses that assess themselves as being at medium or high risk in relation to at least two different kinds of illegal harm in their latest illegal harms risk assessment; and 
  • 'specific-risk services' are services provided by businesses which have assessed themselves as being at medium or high risk for a specific kind of harm for which Ofcom proposes a particular measure.
• Status of guidance: Ofcom guidance is not intended to be compulsory, but is intended to assist service providers in complying with their legal obligations. 
• Compliance with COP means compliance with duty: Service providers that choose to implement the measures recommended in COP will be treated by Ofcom as complying with the relevant duty. 
• Ofcom notes regarding developing technologies: Ofcom appreciates the development of new technologies such as online digital worlds/Metaverse, immersive technologies, and generative AI, suggesting it will try to adapt its remit to accommodate such technologies. 
• Grouping illegal harms: Ofcom has grouped the over 130 illegal harms referred to in the OSA into 15 groups of illegal harm.  

Key proposals in the IHC 

Proposals on Ofcom's Register of Risks (Chapter 6) 

Under the OSA, Ofcom must conduct sector-wide risk assessments to identify and assess the risks of psychological and physical harm to UK individuals posed by Part 3 Services and identify any characteristics relevant to the identified risks. Ofcom must publish its risk assessments in a Register of Risks and subsequently prepare Risk Profiles. Both of these must be kept up to date.  

For the IHC, Ofcom has: 

• conducted a risk assessment for illegal content on Part 3 Services and considered if U2U Services could be used to commit or facilitate 'priority offences' as defined under the OSA; 
• identified a list of characteristics of Part 3 Services which are relevant to the risks of different kinds of illegal harms (referred to in this article as 'Part 3 Service Characteristics'), and are based on the non-exhaustive list included in the OSA and additional characteristics that Ofcom has identified; and 
• considered how Part 3 Service Characteristics may be relevant to the kinds of illegal harm identified. 

The Part 3 Service Characteristics identified by Ofcom are: 

• a service's functionalities (i.e., a service's front-end features which are visible to users); 
• a service's user base (it is important to note that a user does not need to be registered to be considered a user); 
• a service's business model (considered in a limited sense by Ofcom, i.e., revenue model and growth strategy); 
• a service's governance and other systems/processes (i.e., oversight and actions taken); 
• the service type (i.e., the nature of the service, e.g., social media, private messaging, and online gaming services); 
• recommender systems (i.e., information retrieval and ranking systems designed to optimize and personalize a user's experience of the service); and 
• commercial profiles (i.e., size of service by revenue and/or number of employees, maturity of service, and rate of growth of users or revenues). 

Proposals on governance and accountability (Chapter 8)

The providers of Part 3 Services have duties to use proportionate measures to prevent users from encountering priority illegal content. In addition, providers of U2U Services also have a duty to use proportionate measures to mitigate and manage the risk of the service being used for the commission and facilitation of a 'priority offence,' and to have systems and processes to minimize the length of time for which any priority illegal content is present. 

Ofcom splits its proposals as follows: 

• All service providers: to nominate a person accountable to the 'most senior governance body' within the service provider responsible for compliance with illegal content duties and reporting and complaints duties. 
• Providers of multi-risk services and large services (except large vertical search services) to: 
  • prepare a statement of responsibilities for senior members of staff who make decisions related to the management of online safety risks, which clearly shows the responsibilities in relation to online safety risk management and how they align with governance arrangements;  
  • track evidence of new kinds, and unusual increases in particular kinds of illegal content on their services, and report this evidence through the relevant governance channels. Providers of U2U Services should also track and report equivalent changes in the use of the service for the commission or facilitation of 'priority offences.' Relevant evidence may include complaints and content moderation processes or information from trusted flaggers and any other expert group the service providers consider appropriate; 
  • prepare a code of conduct that sets standards and expectations for staff around protecting users from risks of illegal harm; and 
  • ensure that staff involved in the design and operational management of the service are sufficiently trained in the service's approach to compliance. 
• Providers of large services (except large vertical search services): to ensure that the most senior internal body in relation to the service carries out an annual review (and keeps a record) covering how risk management activities are taken in relation to online safety and how developing governance risks are being monitored and managed.  
• Providers of large multi-risk services: to set up an internal monitoring and assurance function to check measures taken to manage the risk of harm to users identified in risk assessments are effective on an ongoing basis, reporting to an overall governance body/audit committee. 

Proposals on illegal harms risk assessments (Chapter 9 and Annex 5) 

Providers of Part 3 Services must conduct 'suitable and sufficient' illegal content risk assessments. The purpose of such risk assessments is to ensure providers of Part 3 Services have an adequate understanding of the risks that arise from their service in order to take suitable measures to manage and mitigate those risks. 

Ofcom has a duty to produce guidance to assist service providers in complying with this duty. Accordingly, Ofcom proposes the following in respect of all Part 3 Services: 

• follow a four-step risk assessment process: These four steps are:  
  1. 'understand the harms that need to be assessed;  
  2. assess risks by considering the likelihood and potential impact of harms occurring on their service;  
  3. implement safety measures and record outcomes of the risk assessment; and  
  4. report, review, and update the risk assessment;' 
• consider the following factors: Ofcom's Risk Profiles (and relevant parts of Ofcom's Register of Risks), user reports, user complaints, user data including age (where relevant), retrospective analysis of incidents of harm, and other relevant information that a service provider holds. The following should also be considered if this evidence does not provide services with a sufficiently good understanding of their risk levels:  
  • results of product testing;  
  • results of content moderation systems;  
  • consultation with internal experts on risks and safety measures;  
  • views of independent experts;  
  • internal and external commissioned research;  
  • outcomes of external audit or other risk assurance processes;  
  • consultation with users and user research; and  
  • engagement with relevant representative groups; 
• issue a policy to review: Providers of Part 3 Services should have a written policy in place to review their assessment at least every 12 months, and to name a person responsible for overseeing this; and 
• update risk assessments where there is a significant change to the service: Providers of Part 3 Services should update risk assessments whenever a significant change to their service occurs. Ofcom will provide general principles on how service providers should interpret what constitutes a significant change. It should be noted that the size of a service when considering if a proposed change may be significant will be relevant. 

Proposals on recordkeeping and review (Chapter 10 and Annex 6) 

Providers of Part 3 Services must keep records of the measures they take to comply with certain of their new duties under the OSA and to regularly review them. Ofcom is required to produce guidance to assist. 

Ofcom makes the following proposals for all providers of Part 3 Services: 

• Any durable medium and simple language: Written records:  
  • can be made and kept in a durable medium of the service provider's choice; and  
  • must be in as simple and clear language as possible. Where reasonably practicable, written records should be kept in English. 
• Updated for significant changes: Service providers should also carry out a compliance review if there is a significant change to any aspect of the design or operation of the service. There are additional recordkeeping requirements if service providers take alternative measures to Ofcom's applicable COP. 
• Retention period - align with policies or five years: Written records should be retained in accordance with the service provider's record retention policies, or for a minimum of five years, whichever is longer. 
• Annual reviews: Service providers should undertake a compliance review at least once annually, but more frequent reviews may be appropriate if the regulated service provider becomes aware of compliance concerns or implements new measures. Reviews should occur with a frequency that allows for a continuous cycle of implementation, monitoring, and review. 

Proposals on recommended measures to mitigate risk of illegal harms (Chapters 11 – 24 (inclusive) and Annexes 8 - 9) 

Ofcom must publish a range of COP to help service providers comply with their safety duties. In particular, it is required to publish three sets of COP for Part 3 Services: a Code for terrorism content, child sexual exploitation and abuse (CSEA) content, and for compliance with other relevant duties. 

Ofcom has recommended several measures which vary by the type of service and level of risk (e.g., whether it is a large service or a multi-risk service). There are useful summary tables in Section A2 of each of Annex 8 and 9 of the IHC. 

Proposals on how to judge if content is illegal (Chapter 26 and Annex 10) 

Section 192 of the OSA requires service providers to take down content where they deem there are 'reasonable grounds to infer' it is illegal, based on 'reasonably available information.' In addition, the OSA states that the size and capacity of the service provider and whether a judgement is made by human moderators, automated systems, or a mix of both are relevant factors in making these determinations. 

Ofcom must produce guidance on how service providers can make these illegal content judgements, Illegal Content Judgements Guidance (ICJG), a draft of which is included in the IHC.  

We have set out some points to note arising from the IHC in respect of the ICJG: 

• 'reasonable grounds to infer:'  
  • This is a new legal threshold and is different from the 'beyond reasonable doubt' threshold used by the criminal courts. The 'beyond reasonable doubt' threshold is a finding that only UK courts can reach; 
  • Ofcom states that assessing if content is illegal does require service providers to consider a person's conduct and state of mind in where the relevant offense has a mental element as well; 
  • forwarding, sharing, or reposting content should be treated as a new piece of content for judging whether content is illegal; 
  • in respect of child sexual abuse material (CSAM), if a reasonable person would assume that a person in an image would be under 18 years of age, the service provider should assume the person is a child, in the absence of good evidence; and 
  • Ofcom acknowledges that the financial services and fraud offenses are amongst the 'most technically difficult' offenses in the OSA to interpret. 
• ICJG not alternative for services' own terms: The ICJG is not intended to be an alternative to service providers developing their own terms of service or community guidelines (or publicly available statements for search services), nor is it a full content moderation system. Service providers should reference the ICJG. 
• 'reasonably available information:' Ofcom gives the following examples of what 'reasonably available information' may include (depending on context), which must be obtained lawfully: 
  • the information in the content itself; 
  • complaints information; 
  • information in the user's profile and the user's activity (Ofcom clarifies that it is not proposing that services should use behavior monitoring technology and it does not consider information from such technology to be 'reasonably available'); and 
  • credible and relevant published/public information that is relevant to the illegal content in question (e.g., if an entity appears on the UK Financial Conduct Authority's list of regulated entities in respect of financial services offenses). 

Conclusion, next steps, and practical considerations for service providers 

Respondents have until 5:00 pm GMT on February 23, 2024, to respond to the IHC. Ofcom will review the responses and plans to publish a statement in winter 2024 setting out its final decisions in relation to the consultation proposals, including final versions of its guidance and COP.  

Following Ofcom's statement, service providers will have three months to conduct their illegal content risk assessments. The COP will also be subject to a parliamentary approval process. Ofcom expects this process to conclude by the end of 2024, at which point the COP will come into force. 

Given the three-month window following publication of the Ofcom statement to complete the illegal content risk assessment, providers of Part 3 Services should consider taking the following practical steps: 

• identifying if their services come within the definitions of 'large services' and, if possible, determining the risk levels according to the IHC definitions; 
• reviewing their existing compliance processes now to identify whether: 
  • they have the ability to assess the content passing through the services;  
  • there are any gaps in those processes; and 
  • if policies and process documents need updating in order to comply with the OSA; 
• identifying what data they are currently able to (lawfully) collect about the content and user base of the service; 
• determining whether they need to establish a senior body to monitor compliance with the OSA; and 
• discerning what capabilities/processes they have to assess whether content is illegal. 

Emily Jones Partner 
[email protected]
Vishal Patel Supervising Associate 
[email protected]
Simmons & Simmons LLP, San Francisco and London