Online Safety: Illegal Harms Codes of Practice and categorisation thresholds laid before Parliament, new critical deadlines for digital services
Written By
Partner
UK
I am a partner working on data and online safety compliance from our London office. I work with a wide variety of organisations, particularly in the media, sports and life sciences sectors. I also advise extensively on children's and employee privacy matters.
Associate
UK
I'm an associate in the London commercial team, working across the retail & consumer, media, entertainment and sport sectors with a particular passion for video games. I practice consumer law, online safety and digital regulation. Additionally, I cover various forms of commercial contracts.
Related
Practices
Sectors
Trending Topics
Regions
Countries
Today (16 December 2024), the UK’s online safety regulator Ofcom has published its Illegal Harms Statement, including its much-anticipated final Service Risk Assessment Guidance for illegal harms and its final draft Illegal Content Codes of Practice for user-to-user and search services under the UK Online Safety Act 2023 (OSA). These have in turn been laid before Parliament today, along with regulations on the thresholds for categorised services, triggering key deadlines for compliance. Ofcom has also announced the intent to run a further consultation on revisions to the final Illegal Content Code to consider further measures in the spring.
What are the deadlines?
We now know that Illegal Harms Risk Assessments must be completed by 16 March 2025. Although this is a Sunday, UK law does not automatically extend calendar month deadlines for non-working days.
If the proper parliamentary process is followed without unexpected interruption, Ofcom believes the Illegal Content Codes of Practice will be final – and illegal harms related duties will bind OSA caught services – from 17 March 2025.
What to read first?
The Illegal Harms Statement encompasses 23 separate pdfs, from summaries of chapters and decisions through to the Codes and guidance themselves, and lengthy volumes that support and explain Ofcom’s positions. Sadly, none of these is a clear summary of what has changed from the initial consultation drafts. These are not even the only documents published by Ofcom today, with an additional consultation on proactive technology notices under s.121 of the OSA and new research on teen safety also added to what is a lengthy pre-Christmas reading list for anyone working in online safety. Even Ofcom has recommended digesting all its content in different ways, depending on their size, profile and familiarity with ‘trust & safety’ concepts.
We will be pulling together our own summary of what is new and what services should be doing now, but to help you navigate the materials, we have listed what we consider the key initial pieces below, along with hyperlinks and a topline description of these documents.
What are some of the headline materials that been published today?
- Draft Illegal Content Codes of Practice for user-to-user services (see here)
Codes of Practice for regulated user-to-user service providers, outlining how these service providers can comply with their illegal content safety duties, reporting duties and complaints duties. These Codes of Practice include the types of measures service providers can adopt in order to achieve OSA compliance. This has already been laid before Parliament – so do not further expect change.
- Draft Illegal Content Codes of Practice for search services (see here)
Codes of Practice for regulated search service providers, outlining how these service providers can comply with their illegal content safety duties, reporting duties and complaints duties. These Codes of Practice include the types of measures service providers can adopt in order to achieve OSA compliance. This, again, has already been laid before Parliament – so do not further expect change.
- Risk Assessment Guidance and Risk Profiles (see here)
Guidance to assist service providers with completing their illegal content risk assessments. All 17 kinds of priority illegal content and other illegal content (including non-priority content) will need to be assessed. The guidance helps service providers understand their risk profiles and risk levels as applicable to their service type.
- Ofcom’s Overview of Illegal Harms and Overview of regulated services: If you are looking at OSA for the first time, this might help you get a sense of impact on your business. These can be skipped by readers who are already in the online safety weeds – except perhaps to see if your service gets a name check!
- Ofcom’s Volumes 1, 2 and 3: These explain Ofcom’s decisions on Governance and Risks Management, Service design and user choice, and Transparency, trust and other guidance respectively. These are vital reading for compliance lawyers, if painfully long, as they add important colour to the Codes of Practice measures and other published guidance. See the link to the Illegal Harms Statement above. They also explain the changes Ofcom has made since the consultation drafts, and what measures might be subject for future consultation in the spring.
- Register of Risks (see here)
This is Ofcom’s assessment of the causes and impacts of online illegal harms (based on its own research). This document includes analysis of how online illegal harms manifest, and how particular service characteristics interact with these risks. For example, that social media services and online gaming services pose a particular risk for hate offences. It provides useful guidance for risk assessment and the basis of Ofcom’s Risk Profiles.
- Illegal Content Judgements Guidance (here)
Guidance to help service providers understand their OSA obligations in relation to making judgements about whether content is illegal or not. The OSA requires services to take this guidance into account when making their judgements.
- Guidance on content communicated ‘publicly’ and ‘privately’ under the Online Safety Act (here)
Guidance that explains the concepts of when content is communicated ‘publicly’ or ‘privately’, as referred to in the OSA. This is important because certain duties attach only to content that is communicated ‘publicly’.
- Record keeping and review guidance (here)
Guidance on how to comply with record keeping and review obligations. This includes guidance on how to maintain records of risk assessments and measures taken to comply with safety duties.
- Online Safety Enforcement Guidance (here)
Guidance on Ofcom’s approach to enforcing under the OSA. This includes detail on the expected lifecycle of an investigation (assessment, formal investigation, provisional notice of contravention, rights to make representations and confirmation of decision).
What should I do now?
If you haven’t already done so, the first step is to assess whether your services fall within scope of the OSA.
All non-exempt services will need to conduct an illegal harms risk assessment, with only three months from today to review, assess and collect your evidence. With the projected single additional day to put either Code measures or evidenced alternatives into place before duties come into force, there will be little time for rest for affected services in Q1 of 2025. Smaller services may wish to take the risk of waiting for Ofcom’s announced digital tool to assist them – but this will leave even less time, so is not advisable for services that carry higher risk or have a larger amount of change to make to their systems and processes.
With Ofcom's claim that there are over 40 types of measures to consider, resource allocation and risk prioritisation for online safety will be critical going into the new year. If you think you’ll need extra help, our online safety team are here to assist!
