
#NotALawyer — just wanted to clear that up first and foremost.
At 353 pages, the Online Safety Act is a hefty piece of newly enacted legislation which has dominated media headlines over the past number of months. It is cited as being for the purpose of protecting children, and it forces swathes of popular online services to enrol ID verification services, placing the personal data and privacy of millions of people into the hands of corporate services whose cyber security practices for keeping user data secure and safe are often well documented as questionable at best.
This is not an opinion piece; it is more a review of the Online Safety Act from a ‘privacy of people’ perspective, highlighting sections which hold bearing. Under the Online Safety Act, UK Regulator OFCOM have been handed vast new powers, which extend way beyond that which the media has presented.
Sections 1-6 of the OSA consist of the introduction of the Act and outline some (but not all) definitions; other definitions are scattered throughout the Act. Additionally, it is here that the Act states its exemptions (apart from the bit about Public Bodies being exempt, which was buried down in Schedule 12 way down on page 300 and something). Let’s look at definitions first.
DEFINITIONS WITHIN (THE CONTEXT OF) THE ONLINE SAFETY ACT 2023
“User-to-User Service” – means an internet service by means of which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service. Note: It does not matter if the content is actually shared with another user or users so long as the service has a functionality that allows such sharing.
“Search Service” means an internet service that is, or includes a search engine
“Search Engine” includes a service or functionality within a service which enables a person to search some websites or databases. Does not include a service which enables a person to search just one website or database. Note: a search engine is not to be taken to be “included” in an internet service or user-to-user service if the search engine is controlled by a person who does not control other parts of the service.
“Content” means anything communicated by means of an internet service, whether publicly or privately, including written material or messages, aural communications, photographs, videos, visual images, music and data of any description.
“Encounter”, in relation to content, means read, view, hear or otherwise experience content
“Search Content” – means content that may be encountered in or via search results of a search service, except; Paid-for-advertisements, Content on the website of a recognised news publisher, and Content that;
- reproduces in full an article or written item that was originally published by a recognised news publisher (and is not a screenshot or photograph of that article or item or of part of it)
- is video or audio content that was originally published or broadcast by a recognised news publisher, and is not a clipped or edited form of such content (unless it is the recognised news publisher who has clipped or edited it), or
- is a link to an article or item of either of the above points.
“User Generated Content” – In relation to a user-to-user service, means content that is;
- Generated directly on the service by a user of the service or
- Uploaded to or shared on the service by a user of the service and that may be encountered by another user or users of the service by the means of the service.
- Content generated, uploaded or shared by a user includes content generated, uploaded or shared by means of software or an automated tool applied by the user. NOTE: a bot or other automated tool is regarded to be a user of the service if: the functions of the bot include interacting with user-generated content and the bot is not controlled by or on behalf of the provider of the service.
“Regulated Service” is the encompassing term for either a regulated user-to-user service, a regulated search service, or an internet service where;
- Regulated provider pornographic content is published or displayed on the service
- The service is not exempt, and
- The service has links with or to the United Kingdom
“Has Links With The United Kingdom” in the context of the OSA means;
- The service has a significant number of United Kingdom users, or;
- United Kingdom users form one of the target markets for the service (or the only target market).
- The service is capable of being used in the United Kingdom by individuals, and
- There are reasonable grounds to believe that there is a material risk to individuals in the United Kingdom presented by EITHER (for user-to-user services) user-generated content present on the service or search content of the service, OR (for search service) search content of the service.
A “Combined Service” is a regulated user-to-user service that includes a public search engine
“Recognised News Publisher” – means any of the following;
- The British Broadcasting Corporation (BBC)
- Sianel Pedwar Cymru
- The holder of a licence under the Broadcasting Act 1990 or 1996 who publishes news-related material in connection with the broadcasting activities authorised under the licence
Additionally, any other entity which meets all of the following conditions can also be deemed a Recognised News Publisher;
- Has as its principal purpose the publication of news-related material and such material which;
- Is created by different persons, and
- Is subject to editorial control (i.e. “subject to editorial control” – If there is a person (whether or not the publisher of the material) who has editorial or equivalent responsibility for the material, including responsibility for how it is presented and the decision to publish it).
- Publishes such material in the course of a business (whether or not carried on with a view to profit)
- Is subject to a standards code
- Has policies and procedures for handling and resolving complaints
- Has a registered office or other business address in the United Kingdom
- The person with legal responsibility for material published by it is in the United Kingdom
“Journalistic Content” in relation to a user-to-user service is where the content is news publisher content in relation to that service, OR regulated user-generated content in relation to that service. It can also be where the content is generated for the purposes of journalism, or where the content is UK linked.
Content is considered “News Publisher Content” whereby any content presented on the service that is generated directly on the service by a user of the service that is a recognised news publisher or where content was uploaded or shared on the service by a user of the service and either;
- (i) Reproduces in full an article or written item that was originally published by a recognised news publisher (and is not a screenshot or photograph of that article or item or of part of it)
- (ii) Is video or audio content that was originally published or broadcast by a recognised news publisher, and is not a clipped or edited form of such content (unless it is the recognised news publisher who has clipped or edited it) or
- (iii) Is a link to an article or item within sub-paragraph (i) or to content within (ii).
“One-to-One Live Aural Communications” (in relation to a user-to-user service) means content consisting of speech or other sounds conveyed in real time between two users of the service by means of the service, that is not a recording and that is not accompanied by user-generated content of any other kind, except identifying content.
“News-Related Material” means material consisting of;
- News or information about current affairs
- Opinion about matters relating to the news or current affairs, or
- Gossip about celebrities, other public figures or other persons in the news
“Publish” in the context of the OSA, means by any means (including broadcasting).
Something is deemed a “Paid for Advertisement” if the provider of the service receives any consideration (monetary or non-monetary) for the advertisement, whether directly from the advertiser or indirectly from another person [NOTE: interesting use of the word ‘person’ and not ‘entity’ as applied in other areas of the legislation], and the placement of the advertisement is determined by systems or processes that are agreed between the parties entering into the contract relating to the advertisement.
WHERE THE ONLINE SAFETY ACT DOES NOT APPLY
There are some instances where the Online Safety Act does not apply, such as to internal business services i.e. closed off internal intranets which are available to a closed access group and where used only for business related activity/communications.
Additionally the Online Safety Act does not apply to part of a regulated service if;
- The content is emails, SMS and MMS messages, one-to-one live aural communications and related identifying content
- Posting comments or reviews relating to provider content
- Sharing such comments or reviews on a different internet service
- Expressing a view on such comments or reviews, or on provider content by means of; applying a “like” or “dislike” button or other button of that nature, applying an emoji or symbol of any kind, engaging in yes/no voting, or rating or scoring the content (or the comments or reviews) in any way (including giving star or numerical ratings)
- No regulated provider pornographic content is published or displayed on that part of the service.
Though, it is important to note that exemptions to a user-to-user service [SMS, MMS, Services only offering one-to-one live aural communications & limited functionality services] do not apply i.e. a user-to-user service is not exempt if;
- Regulated provider pornographic content is published or displayed on the service, and
- The service has links with the United Kingdom
Public Bodies including Government departments are, in a nutshell, exempt from the Online Safety Act as per Schedule 12 Section 9

SECTIONS 6 TO 54
These sections outline the duties, codes of conduct and requirements for regulated services and OFCOM to meet under the Act (you could call them the deliverables), and include the sections relating to reducing harm to children, young women etc.
There is nothing here that is out of the ordinary. If anything, these are the types of clauses we would want to see in our legislation, which offer hope for legitimately wanting to protect children. They might also be the sections which provide scope for citizens to hold the regulator responsible for enforcing the Act accountable, to some level, for any failure to follow due process or provide results as expected.
These sections almost deserve a write up of their own, but this article is about the Online Safety Act through a privacy lens, so I will just summarise them with the section headings for reference.
Section 6 – Overview of Part 3
Section 7 – Providers of User-to-User Services: Duties of Care
Section 8 – Scope of Duties of Care
Section 9 – Illegal Content Risk Assessment Duties
Section 10 – Safety Duties About Illegal Content
Section 11 – Children’s Risk Assessment Duties
Section 12 – Safety Duties Protecting Children
Section 13 – Safety Duties Protecting Children: Interpretation
Section 14 – Assessment Duties: User Empowerment
Section 15 – User Empowerment Duties
Section 16 – User Empowerment Duties: Interpretation
Section 17 – Duties to Protect Content of Democratic Importance
Section 18 – Duties to Protect News Publisher Content (prospective clause only, not received Royal Assent yet!)
Section 19 – Duties to Protect Journalistic Content
Section 20 – Duty About Content Reporting
Section 21 – Duties About Complaints Procedures
Section 22 – Duties about Freedom of Expression and Privacy
Section 23 – Record Keeping and Review Duties
Section 24 – Providers of Search Services: Duties of Care
Section 25 – Scope of Duties of Care
Section 26 – Illegal Content Risk Assessment Duties
Section 27 – Safety Duties About Illegal Content
Section 28 – Children’s Risk Assessment Duties
Section 29 – Safety Duties Protecting Children
Section 30 – Safety Duties Protecting Children: Interpretation
Section 31 – Duty About Content Reporting
Section 32 – Duties About Complaints Procedures
Section 33 – Duties About Freedom of Expression and Privacy
- (2) When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting the rights of users and interested persons to freedom of expression within the law.
Section 34 – Record-Keeping and Review Duties
Section 35 – Children’s Access Assessments
Section 36 – Duties About Children’s Access Assessments
Section 37 – Meaning of “Likely to Be Accessed by Children”
- Where a children’s access assessment carried out by the provider of the service concludes that it is possible for children to access the service or part of it, and the child user condition is met in relation to the service, or a part of the service that it is possible for children to access
- Where the provider of the service fails to carry out the first children’s access assessment as required by section 36(1)
- Where, following an investigation into a failure to comply with a duty set out in section 36, OFCOM determine that a service should be treated as likely to be accessed by children
Section 38 – Duties About Fraudulent Advertising: Category 1 services
Section 39 – Duties about Fraudulent advertising: Category 2A services
Section 40 – Fraud etc Offences
Section 41 – Codes of Practice About Duties
Section 42 – Codes of Practice: Principles, Objectives, Content
Section 43 – Procedure for Issuing Codes of Practice
Section 44 – Secretary of State’s Powers of Direction
Section 45 – Procedure for Issuing Codes of Practice Following Direction Under Section 44
Section 46 – Publication of Codes of Practice
Section 47 – Review of Codes of Practice
Section 48 – Minor Amendments to Codes of Practice
Section 49 – Relationship Between Duties and Codes of Practice
Section 50 – Effects of Codes of Practice
Section 51 – Duties and The first Codes of Practice
Section 52 – OFCOM’s Guidance About Certain Duties in Part 3
Section 53 – OFCOM’s Guidance: Content That is Harmful to Children and User Empowerment
Section 54 – OFCOM’s Guidance About Protecting Women and Girls
Of the 353 A4 pages of the Online Safety Act, the above sections 6 to 54 relating to protecting children etc, consist of pages 5 to 59 – a mere 54 pages. Interpret that how you will.
Section 56 defines what under the OSA is considered to be a “Recognised News Publisher”

With the following conditions

Section 57 outlines the meaning of “search content”, which excludes paid for adverts, content on the website of a recognised news publisher, or reproductions of content from a recognised news publisher.

Section 64 legislates that ID is required for Category 1 services (aka, a regulated service which is on the OFCOM register of regulated services)

Section 68, NCA information sharing (as in the National Crime Agency) is a very short section consisting of only one clause advising of an update to the Crime and Courts Act 2013 permitting information sharing between the NCA and OFCOM, which is kind of wild considering the bearing of what that actually means in principle and more so in practice.

Another well known large UK regulator, the Information Commissioner’s Office (ICO), has a public register, and it requires all UK based data controllers, including sole traders and companies, to pay an annual fee, the amount dependent on which tier of organisation the ICO considers them to be, as per below.

I mention this, because section 84 of the Online Safety Act outlines the responsibility and duty of regulated services to pay an annual fee to OFCOM

Section 89 points you toward Schedule 10, where it discusses provisions about fees to regulated services in relation to the recovery of costs OFCOM incurs before the initial charging year commences. We will come back to Schedule 10 later, since we are working through this sort of chronologically.

Back to that OFCOM register for a moment, for section 94 outlines the meaning of the threshold conditions for earning a place on what will be the register of categorised services. The wording of this is slightly confusing, misleading and overly complicated, since all category services (1, 2A, 2B) are essentially just regulated services in layman’s terms.

The next few sections of the Act sort of personally irked me for various reasons. If I were the owner of a business operating from a UK premises filled with substantial hardware I owned holding highly sensitive data where privacy and security of that data really, really mattered, I would be looking to get such operations out of the UK merely to protect the security and privacy of that data in the instance powers might be mis-applied or abused to obtain said sensitive information, particularly taking into account NCA sharing and personal liability on managers of the regulated services.
Section 100 gives OFCOM the powers to require information in the course of their duty to uphold their responsibilities under the OSA

Section 103 outlines the requirement for regulated services to name a senior manager who (as detailed later in the Act) is, under the Online Safety Act, criminally liable.

Section 106 gives OFCOM the power to require interviews

Section 107, again unusually short and sweet given its weighting, gives OFCOM powers of entry

We will come back to this later, as further information is provided on this in the schedule at the end of the Act.
Section 108 advises of an amendment of the Criminal Justice and Police Act 2001, giving OFCOM the legal privilege to seize items

Section 109 details how failure to comply with an information notice from OFCOM is an offence (criminal), whereby the named manager(s) hold liability. The only defences considered to this offence are either that it was not reasonably practical to comply with the information notice at the time BUT that the person did subsequently take reasonable steps to comply with the requirements (i.e. the opposite of what 4Chan are doing presently in their fight for the privacy and freedom of expression of their userbase).

Maybe you’re wondering at this point, how can OFCOM really make enforcement measures to regulated services which do not comply with the Online Safety Act’s measures of conducting risk assessments and protecting children, information etc etc? Well, this will be in the form of what they are calling ‘business disruption measures’ (aka, business disruption orders).
There are four types of business disruption measure they can choose from under the Act, all of which require a court order.
I mean, we all know what this means, right.
- Service Restriction Orders

- Interim Service Restriction Order

- Access Restriction Order

- or finally, an Interim Access Restriction Order

Section 152 confers on OFCOM the responsibility to set up an Advisory Committee on Disinformation and Misinformation, with some specific requirements. Professionals in the designated areas may want to volunteer themselves to be on the committee to perhaps mitigate some of the utter madness which is bound to be discussed during those meetings.

Jumping on down to section 167, which is very wordy but essentially outlines the appeals process against decisions relating to the register of regulated services under section 95, which in a nutshell can only be done through appealing to the Upper Tribunal courts against OFCOM, where issued with a notice, a confirmation decision or penalty notice.
Interestingly, an appeal may be brought forward by any person with sufficient interest in the decision, but any appeal by any person other than the person issued with the notice or decision in question may only be brought with the permission (technical term: leave) of the Upper Tribunal.
Also interestingly, the Upper Tribunal in the appeals process, must decide the appeal by applying the same principles which would be applied by the High Court on an application for judicial review.
Jumping a little bit further to section 172, which is also rather wordy, but within 172(7) it states the following: ‘Except as provided by subsection 8, no amendment may be made under subsection 6 within the period of five years beginning with the day on which a statement was most recently designated under section 1’.
Followed by;
An earlier amendment may be made under subsection (6) if-
- (a) since that day-
- (i) a Parliamentary general election has taken place, or
- (ii) there has been a significant change in the policy of His Majesty’s Government affecting online safety matters, or
- (b) the Secretary of State considers that the statement, or any part of it, conflicts with any of OFCOM’s general duties (within the meaning of section 3 of the Communications Act).

The UK has had a parliamentary election since this Act was voted into play overwhelmingly by Conservative party members who then held Government. Does this mean there is scope to repeal the Online Safety Act?! #NotALawyer

Section 175 outlines some powers the Secretary of State has in relation to giving OFCOM directives when it comes to the health and safety of the public and/or to the national security of the UK

The next few sections are where it gets interesting in an ‘on an individual’ sense, since they outline what false communications offences are under the Act. Very open to interpretation in some aspects given the undefined terminology of ‘false’, essentially meaning the government here gets to choose what false is within scope of a prosecution within section 179 of the Online Safety Act.

There are of course some exceptions from false communications being a criminal offence, namely for: recognised news publishers, the BBC or licence holder of the BBC. (aka, state controlled media)

Section 181 details the ways in which threatening communications are now a criminal offence

And latterly, section 182 outlines how these clauses under the above section 181 relating to threatening communications offences can be interpreted

Additionally, section 184 outlines the offence of encouraging or assisting in serious self harm

Previously I touched on that named senior managers were liable under the OSA. Section 186 details this a little further (more info to come later in the Act also)

In addition to existing laws, it is also a criminal offence through the Online Safety Act to send photographs or film of genitals, as highlighted in section 187

However, there are an unusual number of exemptions to section 187, which considering the nature of what this legislation is being sold as being the purpose of, i.e. protecting young people from forms of harm including pornographic content, is different.

Section 199 I thought to be rather interesting; it is the section which outlines the instances which must be met in order for proceedings against a person or regulated service under section 109 (offences in connection with information notices) or paragraph 18 of schedule 12 to be taken. It is also named ‘Information Offences: supplementary’, which isn’t as accurately named as nearly all other section headings.

For convenience in reading alongside the above section, here is section 18 of schedule 12

Section 202 provides a little more insight into the liability of corporate officers (aka senior managers) for offences under the Online Safety Act

Section 204 provides some suggestion as to how the government and OFCOM intend to enforce the Online Safety Act where the user base is in the UK but the provider of the service is not.

Section 208 outlines the process for the service of notices

Section 213 advises of an update to the Obscene Publications Act 1959

Section 215 confers on OFCOM the powers to regulate the app stores with Secretary of State approval and some conditions attached (kind of a big power move when you think about it, like, taking on the app stores in this way)

There is some accompanying supplementary info which goes with clause 215, under section 216;

Section 231 is also relatively interesting; it relates to “proactive technology” and is very wide in scope.

All the way down in Section 234 of the Online Safety Act is where they define ‘harm’ in the context of the Act, wild given its purpose is to prevent harm.

Now to some of the juicier bits. The Schedules. These are right at the bottom of the act.
Schedule 1 outlines the exempt user-to-user and search services which includes;
- Email only services (emails must be the only user generated content enabled by the service)
- SMS & MMS services (where SMS and/or MMS are the only user generated content enabled by the service)
- Services offering one to one live aural communications, and that is the only user generated content enabled by the service.
- Internal business services to a closed group
- Services provided by public bodies (but check out the wording and scope of that)

Interestingly, services provided by persons providing education or healthcare are also exempt, which seems to defeat the purpose of the Act being allegedly designed to protect children from harm.

I touched on earlier that it is outlined that OFCOM will introduce a register of regulated services and charge an annual fee to members of the register. Additionally, the Online Safety Act grants OFCOM the powers to recover their initial costs from regulated services, which is laid out to be done in three phases.

Phase one of initial cost recovery;

Phase two of initial cost recovery;

Phase three of initial cost recovery; (side note-remember when they said VAT was temporary, this will be like that)

For the math nerds, here is how OFCOM is going to be calculating the recoverable amount from regulated services

Schedule 12 confers powers of entry, inspection and audit to OFCOM,

Where certain conditions are met, OFCOM have been granted the power of entry and inspection, without a warrant.

Where during an inspection OFCOM require information, documentation or tests, OFCOM are required to give notice of this

In relation to Audit requirements, these are set out in section 4 of Schedule 12

To conduct an Audit, notice must be provided in advance of the Audit by OFCOM

In the instance that a regulated service opts to ignore or not confirm or submit to notices of inspection or notices of audit (which if you remember is now a criminal offence in itself), OFCOM can apply to the courts for a warrant, for which the following conditions must be met

It is important for any recipient of a warrant to remember their legal rights, and remember the obligations which must be met by the holder of the warrant

But to also bear in mind the powers which are exercisable by a warrant issued under the Online Safety Act

Failure to comply is an offence.

Just to reiterate again, I am not a lawyer.