- Latest available (Revised)
- Original (As enacted)
This version of this Act contains provisions that are prospective.
The term provision is used to describe a definable element in a piece of legislation that has legislative effect – such as a Part, Chapter or section. A version of a provision is prospective either:
Commencement Orders listed in the ‘Changes to Legislation’ box as not yet applied may bring this prospective version into force.
Online Safety Act 2023 is up to date with all changes known to be in force on or before 02 December 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Whole provisions yet to be inserted into this Act (including any effects on those provisions):
An Act to make provision for and in connection with the regulation by OFCOM of certain internet services; for and in connection with communications offences; and for connected purposes.
[26th October 2023]
Be it enacted by the King’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—
(1)This Act provides for a new regulatory framework which has the general purpose of making the use of internet services regulated by this Act safer for individuals in the United Kingdom.
(2)To achieve that purpose, this Act (among other things)—
(a)imposes duties which, in broad terms, require providers of services regulated by this Act to identify, mitigate and manage the risks of harm (including risks which particularly affect individuals with a certain characteristic) from—
(i)illegal content and activity, and
(ii)content and activity that is harmful to children, and
(b)confers new functions and powers on the regulator, OFCOM.
(3)Duties imposed on providers by this Act seek to secure (among other things) that services regulated by this Act are—
(a)safe by design, and
(b)designed and operated in such a way that—
(i)a higher standard of protection is provided for children than for adults,
(ii)users’ rights to freedom of expression and privacy are protected, and
(iii)transparency and accountability are provided in relation to those services.
Commencement Information
I1S. 1 in force at Royal Assent, see s. 240(4)(a)
(1)Parts 2 to 9 and 11 and 12 of this Act contain provision about the regulation by OFCOM of certain internet services.
(2)Part 2 contains key definitions, including the definition of a user-to-user service, a search service, a Part 3 service and a regulated service.
(3)Part 3 imposes duties of care on providers of user-to-user services and search services and requires OFCOM to issue codes of practice about those duties.
(4)Part 4 imposes further duties on providers of user-to-user services and search services.
(5)Part 5 imposes duties on providers of internet services (including user-to-user services and search services) that publish certain pornographic content.
(6)Part 6, which imposes requirements to pay fees to OFCOM, applies to providers of internet services to which the duties in Part 3, 4 or 5 apply (“regulated services”).
(7)Part 7 is about OFCOM’s powers and duties in relation to regulated services (including powers to obtain information and enforcement powers).
(8)Part 8 is about appeals and complaints relating to regulated services.
(9)Part 9 is about the Secretary of State’s functions in relation to regulated services.
(10)Part 10 contains communications offences.
(11)Parts 11 and 12 contain supplementary provisions including an index of terms defined in this Act (see section 237).
Commencement Information
I2S. 2 in force at Royal Assent, see s. 240(4)(a)
(1)In this Act “user-to-user service” means an internet service by means of which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service.
(2)For the purposes of subsection (1)—
(a)it does not matter if content is actually shared with another user or users as long as a service has a functionality that allows such sharing;
(b)it does not matter what proportion of content on a service is content described in that subsection.
(3)For the meaning of “content” and “encounter”, see section 236.
(4)In this Act “search service” means an internet service that is, or includes, a search engine (see section 229).
(5)Subsections (6) and (7) have effect to determine whether an internet service that—
(a)is of a kind described in subsection (1), and
(b)includes a search engine,
is a user-to-user service or a search service for the purposes of this Act.
(6)It is a search service if the only content described in subsection (1) that is enabled by the service is content of any of the following kinds—
(a)content mentioned in paragraph 1, 2 or 3 of Schedule 1 (emails, SMS and MMS messages, one-to-one live aural communications) and related identifying content;
(b)content arising in connection with any of the activities described in paragraph 4(1) of Schedule 1 (comments etc on provider content);
(c)content present on a part of the service in relation to which the conditions in paragraph 7(2) of Schedule 1 are met (internal business service conditions).
(7)Otherwise, it is a user-to-user service.
Commencement Information
I3S. 3 in force at Royal Assent, see s. 240(4)(a)
(1)This section applies for the purposes of this Act.
(2)A user-to-user service is a “regulated user-to-user service”, and a search service is a “regulated search service”, if the service—
(a)has links with the United Kingdom (see subsections (5) and (6)), and
(b)is not—
(i)a service of a description that is exempt as provided for by Schedule 1, or
(ii)a service of a kind described in Schedule 2 (services combining user-generated content or search content not regulated by this Act with pornographic content that is regulated).
(3)“Part 3 service” means a regulated user-to-user service or a regulated search service.
(4)“Regulated service” means—
(a)a regulated user-to-user service,
(b)a regulated search service, or
(c)an internet service, other than a regulated user-to-user service or a regulated search service, that is within section 80(2) (including a service of a kind described in Schedule 2).
(5)For the purposes of subsection (2), a user-to-user service or a search service “has links with the United Kingdom” if—
(a)the service has a significant number of United Kingdom users, or
(b)United Kingdom users form one of the target markets for the service (or the only target market).
(6)For the purposes of subsection (2), a user-to-user service or a search service also “has links with the United Kingdom” if—
(a)the service is capable of being used in the United Kingdom by individuals, and
(b)there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom presented by—
(i)in the case of a user-to-user service, user-generated content present on the service or (if the service includes a search engine) search content of the service;
(ii)in the case of a search service, search content of the service.
(7)A regulated user-to-user service that includes a public search engine is referred to in this Act as a “combined service”.
“Public search engine” means a search engine other than one in relation to which the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met.
(8)In this section—
“search content” has the same meaning as in Part 3 (see section 57);
“user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).
Commencement Information
I4S. 4 in force at Royal Assent, see s. 240(4)(a)
(1)This Act does not apply in relation to a part of a Part 3 service if the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met in relation to that part.
(2)This Act does not apply in relation to a part of a regulated search service if—
(a)the only user-generated content enabled by that part of the service is content of any of the following kinds—
(i)content mentioned in paragraph 1, 2 or 3 of Schedule 1 (emails, SMS and MMS messages, one-to-one live aural communications) and related identifying content;
(ii)content arising in connection with any of the activities described in paragraph 4(1) of Schedule 1 (comments etc on provider content); and
(b)no regulated provider pornographic content is published or displayed on that part of the service.
(3)In this section—
“regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79);
“user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).
Commencement Information
I5S. 5 in force at Royal Assent, see s. 240(4)(a)
(1)This Part imposes duties of care on providers of regulated user-to-user services and regulated search services and requires OFCOM to issue codes of practice relating to some of those duties.
(2)Chapter 2 imposes duties of care on providers of regulated user-to-user services in relation to content and activity on their services.
(3)Chapter 3 imposes duties of care on providers of regulated search services in relation to content and activity on their services.
(4)Chapter 4 imposes duties on providers of regulated user-to-user services and regulated search services to assess whether a service is likely to be accessed by children.
(5)Chapter 5 imposes duties on providers of certain regulated user-to-user services and regulated search services relating to fraudulent advertising.
(6)Chapter 6 requires OFCOM to issue codes of practice relating to particular duties and explains what effects the codes of practice have.
(7)Chapter 7 is about the interpretation of this Part, and it includes definitions of the following key terms—
“content that is harmful to children”, “primary priority content that is harmful to children” and “priority content that is harmful to children” (see sections 60 to 62);
“illegal content”, “priority offence”, “terrorism content”, “CSEA content” and “priority illegal content” (see section 59);
“search content” (see section 57).
Commencement Information
I6S. 6 in force at Royal Assent, see s. 240(4)(b)
(1)Subsections (2) to (6) apply to determine which of the duties set out in this Chapter (and, in the case of combined services, Chapter 3) must be complied with by providers of regulated user-to-user services.
(2)All providers of regulated user-to-user services must comply with the following duties in relation to each such service which they provide—
(a)the duties about illegal content risk assessments set out in section 9,
(b)the duties about illegal content set out in section 10(2) to (8),
(c)the duty about content reporting set out in section 20,
(d)the duties about complaints procedures set out in section 21,
(e)the duties about freedom of expression and privacy set out in section 22(2) and (3), and
(f)the duties about record-keeping and review set out in section 23(2) to (6).
(3)Additional duties must be complied with by providers of particular kinds of regulated user-to-user services, as follows.
(4)All providers of regulated user-to-user services that are likely to be accessed by children must comply with the following duties in relation to each such service which they provide—
(a)the duties about children’s risk assessments set out in section 11, and
(b)the duties to protect children’s online safety set out in section 12(2) to (13).
(5)All providers of Category 1 services must comply with the following duties in relation to each such service which they provide—
(a)the duty about illegal content risk assessments set out in section 10(9),
(b)the duty about children’s risk assessments set out in section 12(14),
(c)the duties about assessments related to adult user empowerment set out in section 14,
(d)the duties to empower adult users set out in section 15,
(e)the duties to protect content of democratic importance set out in section 17,
(f)the duties to protect news publisher content set out in section 18,
(g)the duties to protect journalistic content set out in section 19,
(h)the duties about freedom of expression and privacy set out in section 22(4), (6) and (7), and
(i)the duties about record-keeping set out in section 23(9) and (10).
(6)All providers of combined services must comply with the following duties in relation to the search engine of each such service which they provide—
(a)if the service is not a Category 2A service and is not likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2);
(b)if the service is not a Category 2A service and is likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2) and (4);
(c)if the service is a Category 2A service not likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2) and (5);
(d)if the service is a Category 2A service likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2), (4) and (5).
(7)For the meaning of “likely to be accessed by children”, see section 37.
(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).
Commencement Information
I7S. 7 not in force at Royal Assent, see s. 240(1)
I8S. 7(1)-(4)(5)(a)-(e)(g)(i)(6)-(8) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(a)
(1)A duty set out in this Chapter which must be complied with in relation to a user-to-user service that includes regulated provider pornographic content does not extend to—
(a)the regulated provider pornographic content, or
(b)the design, operation or use of the service so far as relating to that content.
See Part 5 for the duties which relate to regulated provider pornographic content, and the meaning of that term.
(2)A duty set out in this Chapter which must be complied with in relation to a combined service does not extend to—
(a)the search content of the service,
(b)any other content that, following a search request, may be encountered as a result of subsequent interactions with internet services, or
(c)anything relating to the design, operation or use of the search engine.
(3)A duty set out in this Chapter which must be complied with in relation to a user-to-user service extends only to—
(a)the design, operation and use of the service in the United Kingdom, and
(b)in the case of a duty that is expressed to apply in relation to users of a service, the design, operation and use of the service as it affects United Kingdom users of the service.
Commencement Information
I9S. 8 not in force at Royal Assent, see s. 240(1)
I10S. 8 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(b)
(1)This section sets out the duties about risk assessments which apply in relation to all regulated user-to-user services.
(2)A duty to carry out a suitable and sufficient illegal content risk assessment at a time set out in, or as provided by, Schedule 3.
(3)A duty to take appropriate steps to keep an illegal content risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.
(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient illegal content risk assessment relating to the impacts of that proposed change.
(5)An “illegal content risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—
(a)the user base;
(b)the level of risk of individuals who are users of the service encountering the following by means of the service—
(i)each kind of priority illegal content (with each kind separately assessed), and
(ii)other illegal content,
taking into account (in particular) algorithms used by the service, and how easily, quickly and widely content may be disseminated by means of the service;
(c)the level of risk of the service being used for the commission or facilitation of a priority offence;
(d)the level of risk of harm to individuals presented by illegal content of different kinds or by the use of the service for the commission or facilitation of a priority offence;
(e)the level of risk of functionalities of the service facilitating the presence or dissemination of illegal content or the use of the service for the commission or facilitation of a priority offence, identifying and assessing those functionalities that present higher levels of risk;
(f)the different ways in which the service is used, and the impact of such use on the level of risk of harm that might be suffered by individuals;
(g)the nature, and severity, of the harm that might be suffered by individuals from the matters identified in accordance with paragraphs (b) to (f);
(h)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.
(6)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to individuals presented by illegal content.
(7)See also—
(a)section 23(2) and (10) (records of risk assessments), and
(b)Schedule 3 (timing of providers’ assessments).
Commencement Information
I11S. 9 not in force at Royal Assent, see s. 240(1)
I12S. 9 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(c)
(1)This section sets out the duties about illegal content which apply in relation to regulated user-to-user services (as indicated by the headings).
(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to—
(a)prevent individuals from encountering priority illegal content by means of the service,
(b)effectively mitigate and manage the risk of the service being used for the commission or facilitation of a priority offence, as identified in the most recent illegal content risk assessment of the service, and
(c)effectively mitigate and manage the risks of harm to individuals, as identified in the most recent illegal content risk assessment of the service (see section 9(5)(g)).
(3)A duty to operate a service using proportionate systems and processes designed to—
(a)minimise the length of time for which any priority illegal content is present;
(b)where the provider is alerted by a person to the presence of any illegal content, or becomes aware of it in any other way, swiftly take down such content.
(4)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way it is designed, operated and used as well as content present on the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—
(a)regulatory compliance and risk management arrangements,
(b)design of functionalities, algorithms and other features,
(c)policies on terms of use,
(d)policies on user access to the service or to particular content present on the service, including blocking users from accessing the service or particular content,
(e)content moderation, including taking down content,
(f)functionalities allowing users to control the content they encounter,
(g)user support measures, and
(h)staff policies and practices.
(5)A duty to include provisions in the terms of service specifying how individuals are to be protected from illegal content, addressing each paragraph of subsection (3), and (in relation to paragraph (a)) separately addressing terrorism content, CSEA content (see section 59 and Schedule 6) and other priority illegal content.
(6)A duty to apply the provisions of the terms of service referred to in subsection (5) consistently.
(7)A duty to include provisions in the terms of service giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).
(8)A duty to ensure that the provisions of the terms of service referred to in subsections (5) and (7) are clear and accessible.
(9)A duty to summarise in the terms of service the findings of the most recent illegal content risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to individuals).
(10)In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—
(a)all the findings of the most recent illegal content risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to individuals), and
(b)the size and capacity of the provider of a service.
(11)In this section “illegal content risk assessment” has the meaning given by section 9.
(12)See also, in relation to duties set out in this section, section 22 (duties about freedom of expression and privacy).
Commencement Information
I13S. 10 not in force at Royal Assent, see s. 240(1)
I14S. 10 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(c)
(1)This section sets out the duties about risk assessments which apply in relation to regulated user-to-user services that are likely to be accessed by children (in addition to the duties about risk assessments set out in section 9 and, in the case of services likely to be accessed by children which are Category 1 services, the duties about assessments set out in section 14).
(2)A duty to carry out a suitable and sufficient children’s risk assessment at a time set out in, or as provided by, Schedule 3.
(3)A duty to take appropriate steps to keep a children’s risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.
(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient children’s risk assessment relating to the impacts of that proposed change.
(5)Where a children’s risk assessment of a service identifies the presence of non-designated content that is harmful to children, a duty to notify OFCOM of—
(a)the kinds of such content identified, and
(b)the incidence of those kinds of content on the service.
(6)A “children’s risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—
(a)the user base, including the number of users who are children in different age groups;
(b)the level of risk of children who are users of the service encountering the following by means of the service—
(i)each kind of primary priority content that is harmful to children (with each kind separately assessed),
(ii)each kind of priority content that is harmful to children (with each kind separately assessed), and
(iii)non-designated content that is harmful to children,
giving separate consideration to children in different age groups, and taking into account (in particular) algorithms used by the service and how easily, quickly and widely content may be disseminated by means of the service;
(c)the level of risk of harm to children presented by different kinds of content that is harmful to children, giving separate consideration to children in different age groups;
(d)the level of risk of harm to children presented by content that is harmful to children which particularly affects individuals with a certain characteristic or members of a certain group;
(e)the extent to which the design of the service, in particular its functionalities, affects the level of risk of harm that might be suffered by children, identifying and assessing those functionalities that present higher levels of risk, including functionalities—
(i)enabling adults to search for other users of the service (including children), or
(ii)enabling adults to contact other users (including children) by means of the service;
(f)the different ways in which the service is used, including functionalities or other features of the service that affect how much children use the service (for example a feature that enables content to play automatically), and the impact of such use on the level of risk of harm that might be suffered by children;
(g)the nature, and severity, of the harm that might be suffered by children from the matters identified in accordance with paragraphs (b) to (f), giving separate consideration to children in different age groups;
(h)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.
(7)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to children presented by content that is harmful to children.
(8)See also—
(a)section 23(2) and (10) (records of risk assessments), and
(b)Schedule 3 (timing of providers’ assessments).
Commencement Information
I15S. 11 not in force at Royal Assent, see s. 240(1)
I16S. 11 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(d)
(1)This section sets out the duties to protect children’s online safety which apply in relation to regulated user-to-user services that are likely to be accessed by children (as indicated by the headings).
(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively—
(a)mitigate and manage the risks of harm to children in different age groups, as identified in the most recent children’s risk assessment of the service (see section 11(6)(g)), and
(b)mitigate the impact of harm to children in different age groups presented by content that is harmful to children present on the service.
(3)A duty to operate a service using proportionate systems and processes designed to—
(a)prevent children of any age from encountering, by means of the service, primary priority content that is harmful to children;
(b)protect children in age groups judged to be at risk of harm from other content that is harmful to children (or from a particular kind of such content) from encountering it by means of the service.
(4)The duty set out in subsection (3)(a) requires a provider to use age verification or age estimation (or both) to prevent children of any age from encountering primary priority content that is harmful to children which the provider identifies on the service.
(5)That requirement applies to a provider in relation to a particular kind of primary priority content that is harmful to children in every case except where—
(a)a term of service indicates (in whatever words) that the presence of that kind of primary priority content that is harmful to children is prohibited on the service, and
(b)that policy applies in relation to all users of the service.
(6)If a provider is required by subsection (4) to use age verification or age estimation for the purpose of compliance with the duty set out in subsection (3)(a), the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child.
(7)Age verification or age estimation to identify who is or is not a child user or which age group a child user is in are examples of measures which (if not required by subsection (4)) may be taken or used (among others) for the purpose of compliance with a duty set out in subsection (2) or (3).
(8)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way it is designed, operated and used as well as content present on the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—
(a)regulatory compliance and risk management arrangements,
(b)design of functionalities, algorithms and other features,
(c)policies on terms of use,
(d)policies on user access to the service or to particular content present on the service, including blocking users from accessing the service or particular content,
(e)content moderation, including taking down content,
(f)functionalities allowing for control over content that is encountered, especially by children,
(g)user support measures, and
(h)staff policies and practices.
(9)A duty to include provisions in the terms of service specifying—
(a)how children of any age are to be prevented from encountering primary priority content that is harmful to children (with each kind of primary priority content separately covered);
(b)how children in age groups judged to be at risk of harm from priority content that is harmful to children (or from a particular kind of such content) are to be protected from encountering it, where they are not prevented from doing so (with each kind of priority content separately covered);
(c)how children in age groups judged to be at risk of harm from non-designated content that is harmful to children (or from a particular kind of such content) are to be protected from encountering it, where they are not prevented from doing so.
(10)A duty to apply the provisions of the terms of service referred to in subsection (9) consistently.
(11)If a provider takes or uses a measure designed to prevent access to the whole of the service or a part of the service by children under a certain age, a duty to—
(a)include provisions in the terms of service specifying details about the operation of the measure, and
(b)apply those provisions consistently.
(12)A duty to include provisions in the terms of service giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).
(13)A duty to ensure that the provisions of the terms of service referred to in subsections (9), (11) and (12) are clear and accessible.
(14)A duty to summarise in the terms of service the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children).
Commencement Information
I17S. 12 not in force at Royal Assent, see s. 240(1)
I18S. 12 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(d)
(1)In determining what is proportionate for the purposes of section 12, the following factors, in particular, are relevant—
(a)all the findings of the most recent children’s risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to children), and
(b)the size and capacity of the provider of a service.
(2)So far as a duty set out in section 12 relates to non-designated content that is harmful to children, the duty is to be taken to extend only to addressing risks of harm from the kinds of such content that have been identified in the most recent children’s risk assessment (if any have been identified).
(3)References in section 12(3)(b) and (9)(b) and (c) to children in age groups judged to be at risk of harm from content that is harmful to children are references to children in age groups judged to be at risk of such harm as assessed by the provider of a service in the most recent children’s risk assessment of the service.
(4)The duties set out in section 12(3) and (9) are to be taken to extend only to content that is harmful to children where the risk of harm is presented by the nature of the content (rather than the fact of its dissemination).
(5)The duties set out in section 12 extend only to such parts of a service as it is possible for children to access.
(6)For the purposes of subsection (5), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(7)In section 12 and this section “children’s risk assessment” has the meaning given by section 11.
(8)See also, in relation to duties set out in section 12, section 22 (duties about freedom of expression and privacy).
Commencement Information
I19S. 13 not in force at Royal Assent, see s. 240(1)
I20S. 13 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(d)
(1)This section sets out the duties about assessments related to adult user empowerment which apply in relation to Category 1 services (in addition to the duties about risk assessments set out in section 9 and, in the case of Category 1 services likely to be accessed by children, section 11).
(2)A duty to carry out a suitable and sufficient assessment for the purposes of section 15(2) at a time set out in, or as provided by, Schedule 3.
(3)A duty to take appropriate steps to keep such an assessment up to date.
(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient assessment for the purposes of section 15(2) relating to the impacts of that proposed change.
(5)An assessment of a service “for the purposes of section 15(2)” means an assessment of the following matters—
(a)the user base;
(b)the incidence of relevant content on the service;
(c)the likelihood of adult users of the service encountering, by means of the service, each kind of relevant content (with each kind separately assessed), taking into account (in particular) algorithms used by the service, and how easily, quickly and widely content may be disseminated by means of the service;
(d)the likelihood of adult users with a certain characteristic or who are members of a certain group encountering relevant content which particularly affects them;
(e)the likelihood of functionalities of the service facilitating the presence or dissemination of relevant content, identifying and assessing those functionalities more likely to do so;
(f)the different ways in which the service is used, and the impact of such use on the likelihood of adult users encountering relevant content;
(g)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to strengthen adult users’ control over their interaction with user-generated content, and other systems and processes) may reduce or increase the likelihood of adult users encountering relevant content.
(6)In this section “relevant content” means content to which section 15(2) applies (content to which user empowerment duties set out in that provision apply).
(7)See also—
(a)section 23(9) and (10) (records of assessments), and
(b)Schedule 3 (timing of providers’ assessments).
Commencement Information
I21S. 14 not in force at Royal Assent, see s. 240(1)
I22S. 14 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(e)
(1)This section sets out the duties to empower adult users which apply in relation to Category 1 services.
(2)A duty to include in a service, to the extent that it is proportionate to do so, features which adult users may use or apply if they wish to increase their control over content to which this subsection applies.
(3)The features referred to in subsection (2) are those which, if used or applied by a user, result in the use by the service of systems or processes designed to effectively—
(a)reduce the likelihood of the user encountering content to which subsection (2) applies present on the service, or
(b)alert the user to content present on the service that is a particular kind of content to which subsection (2) applies.
(4)A duty to ensure that all features included in a service in compliance with the duty set out in subsection (2) (“control features”) are made available to all adult users and are easy to access.
(5)A duty to operate a service using a system or process which seeks to ensure that all registered adult users are offered the earliest possible opportunity, in relation to each control feature included in the service, to take a step indicating to the provider that—
(a)the user wishes to retain the default setting for the feature (whether that is that the feature is in use or applied, or is not in use or applied), or
(b)the user wishes to change the default setting for the feature.
(6)The duty set out in subsection (5)—
(a)continues to apply in relation to a user and a control feature for so long as the user has not yet taken a step mentioned in that subsection in relation to the feature;
(b)no longer applies in relation to a user once the user has taken such a step in relation to every control feature included in the service.
(7)A duty to include clear and accessible provisions in the terms of service specifying which control features are offered and how users may take advantage of them.
(8)A duty to summarise in the terms of service the findings of the most recent assessment of a service under section 14 (assessments related to the duty set out in subsection (2)).
(9)A duty to include in a service features which adult users may use or apply if they wish to filter out non-verified users.
(10)The features referred to in subsection (9) are those which, if used or applied by a user, result in the use by the service of systems or processes designed to effectively—
(a)prevent non-verified users from interacting with content which that user generates, uploads or shares on the service, and
(b)reduce the likelihood of that user encountering content which non-verified users generate, upload or share on the service.
Commencement Information
I23S. 15 not in force at Royal Assent, see s. 240(1)
I24S. 15 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(e)
(1)In determining what is proportionate for the purposes of section 15(2), the following factors, in particular, are relevant—
(a)all the findings of the most recent assessment under section 14, and
(b)the size and capacity of the provider of the service.
(2)Section 15(2) applies to content that—
(a)is regulated user-generated content in relation to the service in question, and
(b)is within subsection (3), (4) or (5).
(3)Content is within this subsection if it encourages, promotes or provides instructions for—
(a)suicide or an act of deliberate self-injury, or
(b)an eating disorder or behaviours associated with an eating disorder.
(4)Content is within this subsection if it is abusive and the abuse targets any of the following characteristics—
(a)race,
(b)religion,
(c)sex,
(d)sexual orientation,
(e)disability, or
(f)gender reassignment.
(5)Content is within this subsection if it incites hatred against people—
(a)of a particular race, religion, sex or sexual orientation,
(b)who have a disability, or
(c)who have the characteristic of gender reassignment.
(6)The duty set out in section 15(5) applies in relation to all registered adult users, not just those who begin to use a service after that duty begins to apply.
(7)In section 15 and this section—
“disability” means any physical or mental impairment;
“injury” includes poisoning;
“non-verified user” means a user who—
is an individual, whether in the United Kingdom or outside it, and
has not verified their identity to the provider of a service;
“race” includes colour, nationality, and ethnic or national origins.
(8)In section 15 and this section—
(a)references to features include references to functionalities and settings, and
(b)references to religion include references to a lack of religion.
(9)For the purposes of section 15 and this section, a person has the characteristic of gender reassignment if the person is proposing to undergo, is undergoing or has undergone a process (or part of a process) for the purpose of reassigning the person’s sex by changing physiological or other attributes of sex, and the reference to gender reassignment in subsection (4) is to be construed accordingly.
(10)See also, in relation to duties set out in section 15, section 22 (duties about freedom of expression and privacy).
Commencement Information
I25S. 16 not in force at Royal Assent, see s. 240(1)
I26S. 16 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(e)
(1)This section sets out the duties to protect content of democratic importance which apply in relation to Category 1 services.
(2)A duty to operate a service using proportionate systems and processes designed to ensure that the importance of the free expression of content of democratic importance is taken into account when making decisions about—
(a)how to treat such content (especially decisions about whether to take it down or restrict users’ access to it), and
(b)whether to take action against a user generating, uploading or sharing such content.
(3)A duty to ensure that the systems and processes mentioned in subsection (2) apply in the same way to a wide diversity of political opinion.
(4)A duty to include provisions in the terms of service specifying the policies and processes that are designed to take account of the principle mentioned in subsection (2), including, in particular, how that principle is applied to decisions mentioned in that subsection.
(5)A duty to ensure that—
(a)the provisions of the terms of service referred to in subsection (4) are clear and accessible, and
(b)those provisions are applied consistently.
(6)In determining what is proportionate for the purposes of subsection (2), the size and capacity of the provider of a service, in particular, is relevant.
(7)For the purposes of this section content is “content of democratic importance”, in relation to a user-to-user service, if—
(a)the content is—
(i)news publisher content in relation to that service, or
(ii)regulated user-generated content in relation to that service; and
(b)the content is or appears to be specifically intended to contribute to democratic political debate in the United Kingdom or a part or area of the United Kingdom.
(8)In this section, the reference to “taking action” against a user is to giving a warning to a user, or suspending or banning a user from using a service, or in any way restricting a user’s ability to use a service.
(9)For the meaning of “news publisher content” and “regulated user-generated content”, see section 55.
Commencement Information
I27S. 17 not in force at Royal Assent, see s. 240(1)
I28S. 17 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(e)
Prospective
(1)This section sets out the duties to protect news publisher content which apply in relation to Category 1 services.
(2)Subject to subsections (4), (5) and (8), a duty, in relation to a service, to take the steps set out in subsection (3) before—
(a)taking action in relation to content present on the service that is news publisher content, or
(b)taking action against a user who is a recognised news publisher.
(3)The steps referred to in subsection (2) are—
(a)to give the recognised news publisher in question a notification which—
(i)specifies the action that the provider is considering taking,
(ii)gives reasons for that proposed action by reference to each relevant provision of the terms of service,
(iii)where the proposed action relates to news publisher content that is also journalistic content, explains how the provider took the importance of the free expression of journalistic content into account when deciding on the proposed action, and
(iv)specifies a reasonable period within which the recognised news publisher may make representations,
(b)to consider any representations that are made, and
(c)to notify the recognised news publisher of the decision and the reasons for it (addressing any representations made).
(4)If a provider of a service reasonably considers that the provider would incur criminal or civil liability in relation to news publisher content present on the service if it were not taken down swiftly, the provider may take down that content without having taken the steps set out in subsection (3).
(5)A provider of a service may also take down news publisher content present on the service without having taken the steps set out in subsection (3) if that content amounts to a relevant offence (see section 59 and also subsection (10) of this section).
(6)Subject to subsection (8), if a provider takes action in relation to news publisher content or against a recognised news publisher without having taken the steps set out in subsection (3), a duty to take the steps set out in subsection (7).
(7)The steps referred to in subsection (6) are—
(a)to swiftly notify the recognised news publisher in question of the action taken, giving the provider’s justification for not having first taken the steps set out in subsection (3),
(b)to specify a reasonable period within which the recognised news publisher may request that the action is reversed, and
(c)if a request is made as mentioned in paragraph (b)—
(i)to consider the request and whether the steps set out in subsection (3) should have been taken prior to the action being taken,
(ii)if the provider concludes that those steps should have been taken, to swiftly reverse the action, and
(iii)to notify the recognised news publisher of the decision and the reasons for it (addressing any reasons accompanying the request for reversal of the action).
(8)If a recognised news publisher has been banned from using a service (and the ban is still in force), the provider of the service may take action in relation to news publisher content present on the service which was generated or originally published or broadcast by the recognised news publisher without complying with the duties set out in this section.
(9)For the purposes of this section, a provider is not to be regarded as taking action in relation to news publisher content in the following circumstances—
(a)a provider takes action in relation to content which is not news publisher content, that action affects related news publisher content, the grounds for the action only relate to the content which is not news publisher content, and it is not technically feasible for the action only to relate to the content which is not news publisher content;
(b)a provider takes action against a user, and that action affects news publisher content that has been uploaded to or shared on the service by the user.
(10)Section 192 (providers’ judgements about the status of content) applies in relation to judgements by providers about whether news publisher content amounts to a relevant offence as it applies in relation to judgements about whether content is illegal content.
(11)Any provision of the terms of service has effect subject to this section.
(12)In this section—
(a)references to “news publisher content” are to content that is news publisher content in relation to the service in question;
(b)references to “taking action” against a person are to giving a warning to a person, or suspending or banning a person from using a service, or in any way restricting a person’s ability to use a service.
(13)In this section references to “taking action” in relation to content are to—
(a)taking down content,
(b)restricting users’ access to content, or
(c)adding warning labels to content, except warning labels normally encountered only by child users,
and also include references to taking any other action in relation to content on the grounds that it is content of a kind which is the subject of a relevant term of service (but not otherwise).
(14)A “relevant term of service” means a term of service which indicates to users (in whatever words) that the presence of a particular kind of content, from the time it is generated, uploaded or shared on the service, is not tolerated on the service or is tolerated but liable to result in the provider treating it in a way that makes it less likely that other users will encounter it.
(15)Taking any step set out in subsection (3) or (7) does not count as “taking action” for the purposes of this section.
(16)See—
section 19 for the meaning of “journalistic content”;
section 55 for the meaning of “news publisher content”;
section 56 for the meaning of “recognised news publisher”.
Commencement Information
I29S. 18 not in force at Royal Assent, see s. 240(1)
(1)This section sets out the duties to protect journalistic content which apply in relation to Category 1 services.
(2)A duty to operate a service using proportionate systems and processes designed to ensure that the importance of the free expression of journalistic content is taken into account when making decisions about—
(a)how to treat such content (especially decisions about whether to take it down or restrict users’ access to it), and
(b)whether to take action against a user generating, uploading or sharing such content.
(3)A duty, in relation to a decision by a provider to take down content or to restrict access to it, to make a dedicated and expedited complaints procedure available to a person who considers the content to be journalistic content and who is—
(a)the user who generated, uploaded or shared the content on the service, or
(b)the creator of the content (see subsections (14) and (15)).
(4)A duty to make a dedicated and expedited complaints procedure available to users of a service in relation to a decision by the provider of the service to take action against a user because of content generated, uploaded or shared by the user which the user considers to be journalistic content.
(5)A duty to ensure that—
(a)if a complaint about a decision mentioned in subsection (3) is upheld, the content is swiftly reinstated on the service;
(b)if a complaint about a decision mentioned in subsection (4) is upheld, the action against the user is swiftly reversed.
(6)Subsections (3) and (4) do not require a provider to make a dedicated and expedited complaints procedure available to a recognised news publisher in relation to a decision if the provider has taken the steps set out in section 18(3) in relation to that decision.
(7)A duty to include provisions in the terms of service specifying—
(a)by what methods content present on the service is to be identified as journalistic content;
(b)how the importance of the free expression of journalistic content is to be taken into account when making decisions mentioned in subsection (2);
(c)the policies and processes for handling complaints in relation to content which is, or is considered to be, journalistic content.
(8)A duty to ensure that—
(a)the provisions of the terms of service referred to in subsection (7) are clear and accessible, and
(b)those provisions are applied consistently.
(9)In determining what is proportionate for the purposes of subsection (2), the size and capacity of the provider of a service, in particular, is relevant.
(10)For the purposes of this Part content is “journalistic content”, in relation to a user-to-user service, if—
(a)the content is—
(i)news publisher content in relation to that service, or
(ii)regulated user-generated content in relation to that service;
(b)the content is generated for the purposes of journalism; and
(c)the content is UK-linked.
(11)For the purposes of this section content is “UK-linked” if—
(a)United Kingdom users of the service form one of the target markets for the content (or the only target market), or
(b)the content is or is likely to be of interest to a significant number of United Kingdom users.
(12)In this section references to “taking action” against a user are to giving a warning to a user, or suspending or banning a user from using a service, or in any way restricting a user’s ability to use a service.
(13)In this section the reference to the “creator” of content is to be read in accordance with subsections (14) and (15).
(14)The creator of news publisher content is the recognised news publisher in question.
(15)The creator of content other than news publisher content is—
(a)an individual who—
(i)created the content, and
(ii)is in the United Kingdom; or
(b)an entity which—
(i)created the content, and
(ii)is incorporated or formed under the law of any part of the United Kingdom.
(16)For the meaning of “news publisher content”, “regulated user-generated content” and “recognised news publisher”, see sections 55 and 56.
Commencement Information
I30S. 19 not in force at Royal Assent, see s. 240(1)
I31S. 19 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(e)
(1)This section sets out the duty about content reporting which applies in relation to all regulated user-to-user services.
(2)A duty to operate a service using systems and processes that allow users and affected persons to easily report content which they consider to be content of a kind specified below (with the duty extending to different kinds of content depending on the kind of service, as indicated by the headings).
(3)Illegal content.
(4)Content that is harmful to children, present on a part of a service that it is possible for children to access.
(5)In this section “affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—
(a)the subject of the content,
(b)a member of a class or group of people with a certain characteristic targeted by the content,
(c)a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or
(d)an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.
(6)For the purposes of subsection (4), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(7)See also—
(a)section 22 (duties about freedom of expression and privacy), and
(b)section 72(5)(a) (reporting of content that terms of service allow to be taken down or restricted).
Commencement Information
I32S. 20 not in force at Royal Assent, see s. 240(1)
I33S. 20(1)-(6)(7)(a) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(f)
(1)This section sets out the duties about complaints procedures which apply in relation to all regulated user-to-user services.
(2)A duty to operate a complaints procedure in relation to a service that—
(a)allows for relevant kinds of complaint to be made (as set out under the headings below),
(b)provides for appropriate action to be taken by the provider of the service in response to complaints of a relevant kind, and
(c)is easy to access, easy to use (including by children) and transparent.
(3)A duty to include in the terms of service provisions which are easily accessible (including to children) specifying the policies and processes that govern the handling and resolution of complaints of a relevant kind.
(4)The following kinds of complaint are relevant for all services—
(a)complaints by users and affected persons about content present on a service which they consider to be illegal content;
(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—
(i)section 10 (illegal content),
(ii)section 20 (content reporting), or
(iii)section 22(2) or (3) (freedom of expression and privacy);
(c)complaints by a user who has generated, uploaded or shared content on a service if that content is taken down on the basis that it is illegal content;
(d)complaints by a user of a service if the provider has given a warning to the user, suspended or banned the user from using the service, or in any other way restricted the user’s ability to use the service, as a result of content generated, uploaded or shared by the user which the provider considers to be illegal content;
(e)complaints by a user who has generated, uploaded or shared content on a service if—
(i)the use of proactive technology on the service results in that content being taken down or access to it being restricted, or given a lower priority or otherwise becoming less likely to be encountered by other users, and
(ii)the user considers that the proactive technology has been used in a way not contemplated by, or in breach of, the terms of service (for example, by affecting content not of a kind specified in the terms of service as a kind of content in relation to which the technology would operate).
(5)The following kinds of complaint are relevant for services that are likely to be accessed by children—
(a)complaints by users and affected persons about content, present on a part of a service that it is possible for children to access, which they consider to be content that is harmful to children;
(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in section 12 (children’s online safety);
(c)complaints by a user who has generated, uploaded or shared content on a service if that content is taken down, or access to it is restricted, on the basis that it is content that is harmful to children;
(d)complaints by a user of a service if the provider has given a warning to the user, suspended or banned the user from using the service, or in any other way restricted the user’s ability to use the service, as a result of content generated, uploaded or shared by the user which the provider considers to be content that is harmful to children;
(e)complaints by a user who is unable to access content because measures used to comply with a duty set out in section 12(2) or (3) have resulted in an incorrect assessment of the user’s age.
(6)The relevant kind of complaint for Category 1 services is complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—
(a)section 15 (user empowerment),
(b)section 17 (content of democratic importance),
(c)section 18 (news publisher content),
(d)section 19 (journalistic content), or
(e)section 22(4), (6) or (7) (freedom of expression and privacy).
(7)In this section “affected person” has the meaning given by section 20.
(8)For the purposes of subsection (5)(a), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(9)See also—
(a)section 22 (duties about freedom of expression and privacy), and
(b)section 72(6) (complaints procedure relating to content that terms of service allow to be taken down or restricted).
Commencement Information
I34S. 21 not in force at Royal Assent, see s. 240(1)
I35S. 21(1)-(5)(6)(a)(b)(d)(e)(7)(8)(9)(a) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(g)
(1)This section sets out the duties about freedom of expression and privacy which apply in relation to regulated user-to-user services (as indicated by the headings).
(2)When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users’ right to freedom of expression within the law.
(3)When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a user-to-user service (including, but not limited to, any such provision or rule concerning the processing of personal data).
(4)A duty—
(a)when deciding on safety measures and policies, to carry out an assessment of the impact that such measures or policies would have on—
(i)users’ right to freedom of expression within the law, and
(ii)the privacy of users; and
(b)to carry out an assessment of the impact of adopted safety measures and policies on the matters mentioned in paragraph (a)(i) and (ii).
(5)An impact assessment relating to a service must include a section which considers the impact of the safety measures and policies on the availability and treatment on the service of content which is news publisher content or journalistic content in relation to the service.
(6)A duty to—
(a)keep an impact assessment up to date, and
(b)publish impact assessments.
(7)A duty to specify in a publicly available statement the positive steps that the provider has taken in response to an impact assessment to—
(a)protect users’ right to freedom of expression within the law, and
(b)protect the privacy of users.
(8)In this section—
“impact assessment” means an impact assessment under subsection (4);
“safety measures and policies” means measures and policies designed to secure compliance with any of the duties set out in—
section 10 (illegal content),
section 12 (children’s online safety),
section 15 (user empowerment),
section 20 (content reporting), or
section 21 (complaints procedures).
(9)Any reference in this section to the privacy of users or steps taken to protect the privacy of users is to be construed in accordance with subsection (3).
(10)See—
section 19 for the meaning of “journalistic content”;
section 55 for the meaning of “news publisher content”.
Commencement Information
I36S. 22 not in force at Royal Assent, see s. 240(1)
I37S. 22 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(h)
(1)This section sets out the record-keeping and review duties which apply in relation to regulated user-to-user services (as indicated by the headings).
(2)A duty to make and keep a written record, in an easily understandable form, of all aspects of every risk assessment under section 9 or 11, including details about how the assessment was carried out and its findings.
(3)A duty to make and keep a written record of any measures taken or in use to comply with a relevant duty which—
(a)are described in a code of practice and recommended for the purpose of compliance with the duty in question, and
(b)apply in relation to the provider and the service in question.
In this section such measures are referred to as “applicable measures in a code of practice”.
(4)If alternative measures have been taken or are in use to comply with a relevant duty, a duty to make and keep a written record containing the following information—
(a)the applicable measures in a code of practice that have not been taken or are not in use,
(b)the alternative measures that have been taken or are in use,
(c)how those alternative measures amount to compliance with the duty in question, and
(d)how the provider has complied with section 49(5) (freedom of expression and privacy).
(5)If alternative measures have been taken or are in use to comply with a duty set out in section 10(2) or (3) or 12(2) or (3), the record required under subsection (4) of this section must also indicate whether such measures have been taken or are in use in every area listed in section 10(4) or 12(8) (as the case may be) in relation to which there are applicable measures in a code of practice.
(6)A duty to review compliance with the relevant duties in relation to a service—
(a)regularly, and
(b)as soon as reasonably practicable after making any significant change to any aspect of the design or operation of the service.
(7)OFCOM may provide that particular descriptions of providers of user-to-user services are exempt from any or all of the duties set out in this section, and may revoke such an exemption.
(8)OFCOM must publish details of any exemption or revocation under subsection (7), including reasons for the revocation of an exemption.
(9)A duty to make and keep a written record, in an easily understandable form, of all aspects of every assessment under section 14 (assessments related to the adult user empowerment duty set out in section 15(2)), including details about how the assessment was carried out and its findings.
(10)As soon as reasonably practicable after making a record of an assessment as required by subsection (2) or (9), or revising such a record, a duty to supply OFCOM with a copy of the record (in full).
(11)In this section—
“alternative measures” means measures other than measures which are (in relation to the provider and the service in question) applicable measures in a code of practice;
“code of practice” means a code of practice published under section 46;
“relevant duties” means the duties set out in—
section 10 (illegal content),
section 12 (children’s online safety),
section 15 (user empowerment),
section 17 (content of democratic importance),
section 19 (journalistic content),
section 20 (content reporting), and
section 21 (complaints procedures),
and for the purposes of subsection (6), also includes the duties set out in sections 18 (news publisher content), 71 and 72 (duties about terms of service), and 75 (deceased child users).
Commencement Information
I38S. 23 not in force at Royal Assent, see s. 240(1)
I39S. 23(1)-(10) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(i)
I40S. 23(11) in force at 10.1.2024 for specified purposes by S.I. 2023/1420, reg. 2(i)
(1)Subsections (2) to (4) apply to determine which of the duties set out in this Chapter must be complied with by providers of regulated search services.
(2)All providers of regulated search services must comply with the following duties in relation to each such service which they provide—
(a)the duties about illegal content risk assessments set out in section 26,
(b)the duties about illegal content set out in section 27(2) to (8),
(c)the duty about content reporting set out in section 31,
(d)the duties about complaints procedures set out in section 32,
(e)the duties about freedom of expression and privacy set out in section 33, and
(f)the duties about record-keeping and review set out in section 34(2) to (6).
(3)Additional duties must be complied with by providers of particular kinds of regulated search services, as follows.
(4)All providers of regulated search services that are likely to be accessed by children must comply with the following duties in relation to each such service which they provide—
(a)the duties about children’s risk assessments set out in section 28, and
(b)the duties to protect children’s online safety set out in section 29(2) to (8).
(5)All providers of regulated search services that are Category 2A services must comply with the following duties in relation to each such service which they provide—
(a)the duty about illegal content risk assessments set out in section 27(9),
(b)the duty about children’s risk assessments set out in section 29(9), and
(c)the duty about record-keeping set out in section 34(9).
(6)For the meaning of “likely to be accessed by children”, see section 37.
(7)For the meaning of “Category 2A service”, see section 95 (register of categories of services).
Commencement Information
I41S. 24 not in force at Royal Assent, see s. 240(1)
I42S. 24 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)A duty set out in this Chapter which must be complied with in relation to a search service extends only to—
(a)the search content of the service,
(b)the design, operation and use of the search engine in the United Kingdom, and
(c)in the case of a duty that is expressed to apply in relation to users of a service, the design, operation and use of the search engine as it affects United Kingdom users of the service.
(2)For the purposes of the application of this Chapter in relation to the search engine of a combined service (see section 7(6))—
(a)a duty set out in this Chapter which requires a matter to be included in a publicly available statement may be satisfied by including the matter in the terms of service;
(b)references in this Chapter (except in section 24) to a search service are to be read as references to the search engine;
(c)references in this Chapter (except in section 24) to the provider of a search service are to be read as references to the provider of the combined service.
Commencement Information
I43S. 25 not in force at Royal Assent, see s. 240(1)
I44S. 25 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)This section sets out the duties about risk assessments which apply in relation to all regulated search services.
(2)A duty to carry out a suitable and sufficient illegal content risk assessment at a time set out in, or as provided by, Schedule 3.
(3)A duty to take appropriate steps to keep an illegal content risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.
(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient illegal content risk assessment relating to the impacts of that proposed change.
(5)An “illegal content risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—
(a)the level of risk of individuals who are users of the service encountering search content of the following kinds—
(i)each kind of priority illegal content (with each kind separately assessed), and
(ii)other illegal content,
taking into account (in particular) risks presented by algorithms used by the service, and the way that the service indexes, organises and presents search results;
(b)the level of risk of functionalities of the service facilitating individuals encountering search content that is illegal content, identifying and assessing those functionalities that present higher levels of risk;
(c)the nature, and severity, of the harm that might be suffered by individuals from the matters identified in accordance with paragraphs (a) and (b);
(d)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.
(6)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to individuals presented by illegal content.
(7)See also—
(a)section 34(2) and (9) (records of risk assessments), and
(b)Schedule 3 (timing of providers’ assessments).
Commencement Information
I45S. 26 not in force at Royal Assent, see s. 240(1)
I46S. 26 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)This section sets out the duties about illegal content which apply in relation to regulated search services (as indicated by the headings).
(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively mitigate and manage the risks of harm to individuals, as identified in the most recent illegal content risk assessment of the service (see section 26(5)(c)).
(3)A duty to operate a service using proportionate systems and processes designed to minimise the risk of individuals encountering search content of the following kinds—
(a)priority illegal content;
(b)other illegal content that the provider knows about (having been alerted to it by another person or become aware of it in any other way).
(4)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way the search engine is designed, operated and used as well as search content of the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—
(a)regulatory compliance and risk management arrangements,
(b)design of functionalities, algorithms and other features relating to the search engine,
(c)functionalities allowing users to control the content they encounter in search results,
(d)content prioritisation,
(e)user support measures, and
(f)staff policies and practices.
(5)A duty to include provisions in a publicly available statement specifying how individuals are to be protected from search content that is illegal content.
(6)A duty to apply the provisions of the statement referred to in subsection (5) consistently.
(7)A duty to include provisions in a publicly available statement giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).
(8)A duty to ensure that the provisions of the publicly available statement referred to in subsections (5) and (7) are clear and accessible.
(9)A duty to summarise in a publicly available statement the findings of the most recent illegal content risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to individuals).
(10)In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—
(a)all the findings of the most recent illegal content risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to individuals), and
(b)the size and capacity of the provider of a service.
(11)In this section “illegal content risk assessment” has the meaning given by section 26.
(12)See also, in relation to duties set out in this section, section 33 (duties about freedom of expression and privacy).
Commencement Information
I47S. 27 not in force at Royal Assent, see s. 240(1)
I48S. 27 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)This section sets out the duties about risk assessments which apply in relation to regulated search services that are likely to be accessed by children (in addition to the duties about risk assessments set out in section 26).
(2)A duty to carry out a suitable and sufficient children’s risk assessment at a time set out in, or as provided by, Schedule 3.
(3)A duty to take appropriate steps to keep a children’s risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.
(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient children’s risk assessment relating to the impacts of that proposed change.
(5)A “children’s risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—
(a)the level of risk of children who are users of the service encountering search content of the following kinds—
(i)each kind of primary priority content that is harmful to children (with each kind separately assessed),
(ii)each kind of priority content that is harmful to children (with each kind separately assessed), and
(iii)non-designated content that is harmful to children,
giving separate consideration to children in different age groups, and taking into account (in particular) risks presented by algorithms used by the service and the way that the service indexes, organises and presents search results;
(b)the level of risk of children who are users of the service encountering search content that is harmful to children which particularly affects individuals with a certain characteristic or members of a certain group;
(c)the extent to which the design of the service, in particular its functionalities, affects the level of risk of harm that might be suffered by children, identifying and assessing those functionalities that present higher levels of risk, including a functionality that makes suggestions relating to users’ search requests (predictive search functionality);
(d)the different ways in which the service is used, including functionalities or other features of the service that affect how much children use the service, and the impact of such use on the level of risk of harm that might be suffered by children;
(e)the nature, and severity, of the harm that might be suffered by children from the matters identified in accordance with paragraphs (a) to (d), giving separate consideration to children in different age groups;
(f)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.
(6)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to children presented by content that is harmful to children.
(7)See also—
(a)section 34(2) and (9) (records of risk assessments), and
(b)Schedule 3 (timing of providers’ assessments).
Commencement Information
I49S. 28 not in force at Royal Assent, see s. 240(1)
I50S. 28 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)This section sets out the duties to protect children’s online safety which apply in relation to regulated search services that are likely to be accessed by children (as indicated by the headings).
(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively—
(a)mitigate and manage the risks of harm to children in different age groups, as identified in the most recent children’s risk assessment of the service (see section 28(5)(e)), and
(b)mitigate the impact of harm to children in different age groups presented by search content that is harmful to children.
(3)A duty to operate a service using proportionate systems and processes designed to—
(a)minimise the risk of children of any age encountering search content that is primary priority content that is harmful to children;
(b)minimise the risk of children in age groups judged to be at risk of harm from other content that is harmful to children (or from a particular kind of such content) encountering search content of that kind.
(4)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way the search engine is designed, operated and used as well as search content of the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—
(a)regulatory compliance and risk management arrangements,
(b)design of functionalities, algorithms and other features relating to the search engine,
(c)functionalities allowing for control over content that is encountered in search results, especially by children,
(d)content prioritisation,
(e)user support measures, and
(f)staff policies and practices.
(5)A duty to include provisions in a publicly available statement specifying how children are to be protected from search content of the following kinds—
(a)primary priority content that is harmful to children (with each kind of primary priority content separately covered),
(b)priority content that is harmful to children (with each kind of priority content separately covered), and
(c)non-designated content that is harmful to children.
(6)A duty to apply the provisions of the statement referred to in subsection (5) consistently.
(7)A duty to include provisions in a publicly available statement giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).
(8)A duty to ensure that the provisions of the publicly available statement referred to in subsections (5) and (7) are clear and accessible.
(9)A duty to summarise in a publicly available statement the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children).
Commencement Information
I51S. 29 not in force at Royal Assent, see s. 240(1)
I52S. 29 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)In determining what is proportionate for the purposes of section 29, the following factors, in particular, are relevant—
(a)all the findings of the most recent children’s risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to children), and
(b)the size and capacity of the provider of a service.
(2)So far as a duty set out in section 29 relates to non-designated content that is harmful to children, the duty is to be taken to extend only to addressing risks of harm from the kinds of such content that have been identified in the most recent children’s risk assessment (if any have been identified).
(3)The reference in section 29(3)(b) to children in age groups judged to be at risk of harm from content that is harmful to children is a reference to children in age groups judged to be at risk of such harm as assessed by the provider of a service in the most recent children’s risk assessment of the service.
(4)The duties set out in section 29(3) are to be taken to extend only to content that is harmful to children where the risk of harm is presented by the nature of the content (rather than the fact of its dissemination).
(5)The duties set out in section 29 extend only to such parts of a service as it is possible for children to access.
(6)For the purposes of subsection (5), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(7)In section 29 and this section “children’s risk assessment” has the meaning given by section 28.
(8)See also, in relation to duties set out in section 29, section 33 (duties about freedom of expression and privacy).
Commencement Information
I53S. 30 not in force at Royal Assent, see s. 240(1)
I54S. 30 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)This section sets out the duty about content reporting which applies in relation to all regulated search services.
(2)A duty to operate a service using systems and processes that allow users and affected persons to easily report search content which they consider to be content of a kind specified below (with the duty extending to content that is harmful to children depending on the kind of service, as indicated by the headings).
(3)Illegal content.
(4)Content that is harmful to children.
(5)In this section “affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—
(a)the subject of the content,
(b)a member of a class or group of people with a certain characteristic targeted by the content,
(c)a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or
(d)an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.
(6)See also, in relation to the duty set out in this section, section 33 (duties about freedom of expression and privacy).
Commencement Information
I55S. 31 not in force at Royal Assent, see s. 240(1)
I56S. 31 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)This section sets out the duties about complaints procedures which apply in relation to all regulated search services.
(2)A duty to operate a complaints procedure in relation to a service that—
(a)allows for relevant kinds of complaint to be made (as set out under the headings below),
(b)provides for appropriate action to be taken by the provider of the service in response to complaints of a relevant kind, and
(c)is easy to access, easy to use (including by children) and transparent.
(3)A duty to make the policies and processes that govern the handling and resolution of complaints of a relevant kind publicly available and easily accessible (including to children).
(4)The following kinds of complaint are relevant for all services—
(a)complaints by users and affected persons about search content which they consider to be illegal content;
(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—
(i)section 27 (illegal content),
(ii)section 31 (content reporting), or
(iii)section 33 (freedom of expression and privacy);
(c)complaints by an interested person if the provider of a search service takes or uses measures in order to comply with a duty set out in section 27 that result in content relating to that interested person no longer appearing in search results or being given a lower priority in search results;
(d)complaints by an interested person if—
(i)the use of proactive technology on a search service results in content relating to that interested person no longer appearing in search results or being given a lower priority in search results, and
(ii)the interested person considers that the proactive technology has been used in a way not contemplated by, or in breach of, the provider’s policies on its use (for example, by affecting content not of a kind specified in those policies as a kind of content in relation to which the technology would operate).
(5)The following kinds of complaint are relevant for services that are likely to be accessed by children—
(a)complaints by users and affected persons about search content which they consider to be content that is harmful to children;
(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in section 29 (children’s online safety);
(c)complaints by an interested person if the provider of a search service takes or uses measures in order to comply with a duty set out in section 29 that result in content relating to that interested person no longer appearing in search results or being given a lower priority in search results;
(d)complaints by a user who is unable to access content because measures used to comply with a duty set out in section 29(2) or (3) have resulted in an incorrect assessment of the user’s age.
(6)In this section—
“affected person” has the meaning given by section 31;
“interested person” has the meaning given by section 227(7).
(7)See also, in relation to duties set out in this section, section 33 (duties about freedom of expression and privacy).
Commencement Information
I57S. 32 not in force at Royal Assent, see s. 240(1)
I58S. 32 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)This section sets out the duties about freedom of expression and privacy which apply in relation to all regulated search services.
(2)When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting the rights of users and interested persons to freedom of expression within the law.
(3)When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a search service (including, but not limited to, any such provision or rule concerning the processing of personal data).
(4)In this section—
“interested person” has the meaning given by section 227(7);
“safety measures and policies” means measures and policies designed to secure compliance with any of the duties set out in—
section 27 (illegal content),
section 29 (children’s online safety),
section 31 (content reporting), or
section 32 (complaints procedures).
Commencement Information
I59S. 33 not in force at Royal Assent, see s. 240(1)
I60S. 33 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
(1)This section sets out the record-keeping and review duties which apply in relation to regulated search services (as indicated by the headings).
(2)A duty to make and keep a written record, in an easily understandable form, of all aspects of every risk assessment under section 26 or 28, including details about how the assessment was carried out and its findings.
(3)A duty to make and keep a written record of any measures taken or in use to comply with a relevant duty which—
(a)are described in a code of practice and recommended for the purpose of compliance with the duty in question, and
(b)apply in relation to the provider and the service in question.
In this section such measures are referred to as “applicable measures in a code of practice”.
(4)If alternative measures have been taken or are in use to comply with a relevant duty, a duty to make and keep a written record containing the following information—
(a)the applicable measures in a code of practice that have not been taken or are not in use,
(b)the alternative measures that have been taken or are in use,
(c)how those alternative measures amount to compliance with the duty in question, and
(d)how the provider has complied with section 49(5) (freedom of expression and privacy).
(5)If alternative measures have been taken or are in use to comply with a duty set out in section 27(2) or (3) or 29(2) or (3), the record required under subsection (4) of this section must also indicate whether such measures have been taken or are in use in every area listed in subsection (4) of those sections in relation to which there are applicable measures in a code of practice.
(6)A duty to review compliance with the relevant duties in relation to a service—
(a)regularly, and
(b)as soon as reasonably practicable after making any significant change to any aspect of the design or operation of the service.
(7)OFCOM may provide that particular descriptions of providers of search services are exempt from any or all of the duties set out in this section, and may revoke such an exemption.
(8)OFCOM must publish details of any exemption or revocation under subsection (7), including reasons for the revocation of an exemption.
(9)As soon as reasonably practicable after making a record of a risk assessment as required by subsection (2), or revising such a record, a duty to supply OFCOM with a copy of the record (in full).
(10)In this section—
“alternative measures” means measures other than measures which are (in relation to the provider and the service in question) applicable measures in a code of practice;
“code of practice” means a code of practice published under section 46;
“relevant duties” means the duties set out in—
section 27 (illegal content),
section 29 (children’s online safety),
section 31 (content reporting), and
section 32 (complaints procedures),
and for the purposes of subsection (6), also includes the duties set out in section 75 (deceased child users).
Commencement Information
I61S. 34 not in force at Royal Assent, see s. 240(1)
I62S. 34(1)-(9) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(j)
I63S. 34(10) in force at 10.1.2024 for specified purposes by S.I. 2023/1420, reg. 2(j)
(1)In this Part, a “children’s access assessment” means an assessment of a Part 3 service—
(a)to determine whether it is possible for children to access the service or a part of the service, and
(b)if it is possible for children to access the service or a part of the service, to determine whether the child user condition is met in relation to the service or a part of the service.
(2)A provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(3)The “child user condition” is met in relation to a service, or a part of a service, if—
(a)there is a significant number of children who are users of the service or of that part of it, or
(b)the service, or that part of it, is of a kind likely to attract a significant number of users who are children.
(4)For the purposes of subsection (3)—
(a)the reference to a “significant” number includes a reference to a number which is significant in proportion to the total number of United Kingdom users of a service or (as the case may be) a part of a service;
(b)whether the test in paragraph (a) of that subsection is met is to be based on evidence about who actually uses a service, rather than who the intended users of the service are.
(5)In this Chapter—
(a)references to children are to children in the United Kingdom;
(b)references to a part of a service do not include any part of a service that is not, or is not included in, a user-to-user part of a service or a search engine.
Commencement Information
I64S. 35 not in force at Royal Assent, see s. 240(1)
I65S. 35 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(k)
(1)A provider of a Part 3 service must carry out the first children’s access assessment at a time set out in, or as provided by, Schedule 3.
(2)Subsections (3) and (4) apply to a provider of a Part 3 service during any period when the service is not treated as likely to be accessed by children (see section 37).
(3)The provider must carry out children’s access assessments of the service not more than one year apart.
(4)The provider must carry out a children’s access assessment of the service—
(a)before making any significant change to any aspect of the service’s design or operation to which such an assessment is relevant,
(b)in response to evidence about reduced effectiveness of age verification or age estimation that is used on the service as mentioned in section 35(2), or
(c)in response to evidence about a significant increase in the number of children using the service.
(5)If a person is the provider of more than one Part 3 service, children’s access assessments must be carried out for each service separately.
(6)Children’s access assessments must be suitable and sufficient for the purposes of this Part.
(7)A provider must make and keep a written record, in an easily understandable form, of every children’s access assessment.
Commencement Information
I66S. 36 not in force at Royal Assent, see s. 240(1)
I67S. 36 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(k)
(1)For the purposes of this Part, a Part 3 service is to be treated as “likely to be accessed by children” in the following three cases (with the result that the duties set out in sections 11 and 12, or (as the case may be) sections 28 and 29, apply in relation to the service).
(2)The first case is where a children’s access assessment carried out by the provider of the service concludes that—
(a)it is possible for children to access the service or a part of it, and
(b)the child user condition is met in relation to—
(i)the service, or
(ii)a part of the service that it is possible for children to access.
This subsection is to be interpreted consistently with section 35.
(3)In that case, the service is to be treated as likely to be accessed by children from the date on which the children’s access assessment is completed.
(4)The second case is where the provider of the service fails to carry out the first children’s access assessment as required by section 36(1).
(5)In that case—
(a)the service is to be treated as likely to be accessed by children from the date by which the first children’s access assessment was required to have been completed (see Part 1 of Schedule 3), and
(b)the service is to continue to be treated as likely to be accessed by children by reason of subsection (4) until such time as the provider completes the first children’s access assessment of the service.
(6)The third case is where, following an investigation into a failure to comply with a duty set out in section 36, OFCOM determine that a service should be treated as likely to be accessed by children: see section 135(4) and (5).
(7)In that case, the service is to be treated as likely to be accessed by children from the date of, or specified in, the confirmation decision given to the provider of the service (as the case may be: see section 135(5)).
Commencement Information
I68S. 37 not in force at Royal Assent, see s. 240(1)
I69S. 37 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(k)
(1)A provider of a Category 1 service must operate the service using proportionate systems and processes designed to—
(a)prevent individuals from encountering content consisting of fraudulent advertisements by means of the service;
(b)minimise the length of time for which any such content is present;
(c)where the provider is alerted by a person to the presence of such content, or becomes aware of it in any other way, swiftly take down such content.
(2)A provider of a Category 1 service must include clear and accessible provisions in the terms of service giving information about any proactive technology used by the service for the purpose of compliance with the duty set out in subsection (1) (including the kind of technology, when it is used, and how it works).
(3)In relation to a Category 1 service, an advertisement is a “fraudulent advertisement” if—
(a)it is a paid-for advertisement (see section 236),
(b)it amounts to an offence specified in section 40 (construed in accordance with section 59: see subsections (3), (11) and (12) of that section), and
(c)it is not regulated user-generated content (see section 55) in relation to the service.
(4)If a person is the provider of more than one Category 1 service, the duties set out in this section apply in relation to each such service.
(5)In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—
(a)the nature, and severity, of potential harm to individuals presented by different kinds of fraudulent advertisement, and
(b)the degree of control a provider has in relation to the placement of advertisements on the service.
(6)In the case of a Category 1 service which is a combined service, the duties set out in this section do not extend to—
(a)fraudulent advertisements that may be encountered in search results of the service or, following a search request, as a result of subsequent interactions with internet services, or
(b)anything relating to the design, operation or use of the search engine.
But if the service is also a Category 2A service, the duties set out in section 39 apply as well as the duties set out in this section.
(7)The duties set out in this section extend only to the design, operation and use of a Category 1 service in the United Kingdom.
(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).
Commencement Information
I70S. 38 not in force at Royal Assent, see s. 240(1)
I71S. 38 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(l)
(1)A provider of a Category 2A service must operate the service using proportionate systems and processes designed to—
(a)prevent individuals from encountering content consisting of fraudulent advertisements in or via search results of the service;
(b)if any such content may be encountered in or via search results of the service, minimise the length of time that that is the case;
(c)where the provider is alerted by a person to the fact that such content may be so encountered, or becomes aware of that fact in any other way, swiftly ensure that individuals are no longer able to encounter such content in or via search results of the service.
(2)A provider of a Category 2A service must include clear and accessible provisions in a publicly available statement giving information about any proactive technology used by the service for the purpose of compliance with the duty set out in subsection (1) (including the kind of technology, when it is used, and how it works).
(3)In relation to a Category 2A service, an advertisement is a “fraudulent advertisement” if—
(a)it is a paid-for advertisement (see section 236), and
(b)it amounts to an offence specified in section 40 (construed in accordance with section 59: see subsections (3), (11) and (12) of that section).
(4)The references to encountering fraudulent advertisements “in or via search results” of a search service—
(a)are references to encountering fraudulent advertisements—
(i)in search results of the service, or
(ii)as a result of interacting with a paid-for advertisement in search results of the service (for example, by clicking on it);
(b)do not include references to encountering fraudulent advertisements as a result of any subsequent interactions with an internet service other than the search service.
(5)If a person is the provider of more than one Category 2A service, the duties set out in this section apply in relation to each such service.
(6)In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—
(a)the nature, and severity, of potential harm to individuals presented by different kinds of fraudulent advertisement, and
(b)the degree of control a provider has in relation to the placement of advertisements on the service.
(7)The duties set out in this section extend only to the design, operation and use of a Category 2A service in the United Kingdom.
(8)For the meaning of “Category 2A service”, see section 95 (register of categories of services).
Commencement Information
I72S. 39 not in force at Royal Assent, see s. 240(1)
I73S. 39 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(l)
(1)This section specifies offences for the purposes of this Chapter (see sections 38(3)(b) and 39(3)(b)).
(2)An offence under any of the following provisions of the Financial Services and Markets Act 2000—
(a)section 23 (contravention of prohibition on carrying on regulated activity unless authorised or exempt);
(b)section 24 (false claims to be authorised or exempt);
(c)section 25 (contravention of restrictions on financial promotion).
(3)An offence under any of the following provisions of the Fraud Act 2006—
(a)section 2 (fraud by false representation);
(b)section 4 (fraud by abuse of position);
(c)section 7 (making or supplying articles for use in frauds);
(d)section 9 (participating in fraudulent business carried on by sole trader etc).
(4)An offence under any of the following provisions of the Financial Services Act 2012—
(a)section 89 (misleading statements);
(b)section 90 (misleading impressions).
(5)An offence of attempting or conspiring to commit an offence specified in subsection (2), (3) or (4).
(6)An offence under Part 2 of the Serious Crime Act 2007 (encouraging or assisting) in relation to an offence specified in subsection (2), (3) or (4), or (in Scotland) inciting a person to commit such an offence.
(7)An offence of aiding, abetting, counselling or procuring the commission of an offence specified in subsection (2), (3) or (4), or (in Scotland) being involved art and part in the commission of such an offence.
Commencement Information
I74S. 40 not in force at Royal Assent, see s. 240(1)
I75S. 40 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(l)
(1)OFCOM must prepare and issue a code of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content) so far as relating to terrorism content or offences within Schedule 5 (terrorism offences).
(2)OFCOM must prepare and issue a code of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content) so far as relating to CSEA content or offences within Schedule 6 (child sexual exploitation and abuse offences).
(3)OFCOM must prepare and issue one or more codes of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with the relevant duties (except to the extent that measures for the purpose of compliance with such duties are described in a code of practice prepared under subsection (1) or (2)).
(4)OFCOM must prepare and issue a code of practice for providers of Category 1 services and providers of Category 2A services describing measures recommended for the purpose of compliance with the duties set out in Chapter 5 (fraudulent advertising).
(5)Where a code of practice under this section is in force, OFCOM may—
(a)prepare a draft of amendments of the code of practice;
(b)prepare a draft of a code of practice under subsection (1), (2), (3) or (4) as a replacement for a code of practice previously issued under the subsection in question;
(c)withdraw the code of practice.
(6)In the course of preparing a draft of a code of practice or amendments of a code of practice under this section, OFCOM must consult—
(a)the Secretary of State,
(b)persons who appear to OFCOM to represent providers of Part 3 services,
(c)persons who appear to OFCOM to represent the interests of United Kingdom users of Part 3 services,
(d)persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),
(e)persons who appear to OFCOM to represent the interests of persons who have suffered harm as a result of matters to which the code of practice is relevant,
(f)persons whom OFCOM consider to have relevant expertise in equality issues and human rights, in particular—
(i)the right to freedom of expression set out in Article 10 of the Convention, and
(ii)the right to respect for a person’s private and family life, home and correspondence set out in Article 8 of the Convention,
(g)the Information Commissioner,
(h)the Children’s Commissioner,
(i)the Commissioner for Victims and Witnesses,
(j)the Domestic Abuse Commissioner,
(k)persons whom OFCOM consider to have expertise in public health, science or medicine that is relevant to online safety matters,
(l)persons whom OFCOM consider to have expertise in innovation, or emerging technology, that is relevant to online safety matters, and
(m)such other persons as OFCOM consider appropriate.
(7)In the course of preparing a draft of a code of practice or amendments to which this subsection applies, OFCOM must also consult persons whom OFCOM consider to have expertise in the enforcement of the criminal law and the protection of national security that is relevant to online safety matters.
(8)Subsection (7) applies to—
(a)a code of practice under subsection (1) and amendments of such a code,
(b)a code of practice under subsection (2) and amendments of such a code,
(c)a code of practice under subsection (3) that describes measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content),
(d)amendments of a code of practice under subsection (3), if and to the extent that those amendments relate to measures recommended for the purpose of compliance with duties set out in section 10 or 27, and
(e)a code of practice under subsection (4) and amendments of such a code.
(9)Subsections (6) and (7) are subject to section 48 (minor amendments of code of practice).
(10)In this section “the relevant duties” means the duties set out in—
(a)sections 10 and 27 (illegal content),
(b)sections 12 and 29 (children’s online safety),
(c)section 15 (user empowerment),
(d)section 17 (content of democratic importance),
(e)section 19 (journalistic content),
(f)sections 20 and 31 (content reporting), and
(g)sections 21 and 32 (complaints procedures).
Commencement Information
I76S. 41(1)-(3)(5)-(10) in force at Royal Assent, see s. 240(4)(c)
I77S. 41(4) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(m)
Schedule 4 contains—
(a)provision about the principles OFCOM must consider when preparing codes of practice under section 41,
(b)the online safety objectives (and a power for the Secretary of State by regulations to revise those objectives),
(c)provision about the measures that may be described in codes of practice (including, in particular, constraints on the recommendation of the use of proactive technology), and
(d)other provision related to codes of practice.
Commencement Information
I78S. 42 in force at Royal Assent, see s. 240(4)(d)
(1)Where OFCOM have prepared a draft of a code of practice under section 41, they must submit the draft to the Secretary of State.
(2)Unless the Secretary of State intends to give a direction to OFCOM under section 44(1), (2) or (3) in relation to the draft, the Secretary of State must, as soon as reasonably practicable, lay the draft before Parliament.
(3)If, within the 40-day period, either House of Parliament resolves not to approve the draft—
(a)OFCOM must not issue the code of practice in the form of that draft, and
(b)OFCOM must prepare another draft of the code of practice under section 41.
(4)If no such resolution is made within that period—
(a)OFCOM must issue the code of practice in the form of the draft laid before Parliament, and
(b)the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued.
(5)“The 40-day period” is the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid).
(6)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.
(7)Subsections (1) to (6) apply in relation to a draft of amendments of a code of practice prepared under section 41 as they apply in relation to a draft of a code of practice prepared under that section.
(8)This section is subject to section 48 (minor amendments of codes of practice).
(9)Subsection (11) applies to—
(a)a draft of the first code of practice prepared under section 41(1) (terrorism code of practice);
(b)a draft of the first code of practice prepared under section 41(2) (CSEA code of practice);
(c)a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 10 or 27 (illegal content);
(d)a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 12 or 29 (children’s online safety);
(e)a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 20 or 31 (content reporting);
(f)a draft of the first code of practice prepared under section 41(3) relating to—
(i)a duty set out in section 21 (complaints procedures) that concerns complaints of a kind mentioned in subsection (4) or (5) of that section, or
(ii)a duty set out in section 32 (complaints procedures).
(10)For the purposes of paragraphs (c) to (f) of subsection (9) a draft of a code of practice is a draft of the first code of practice relating to a duty if—
(a)it describes measures recommended for the purpose of compliance with the duty, and
(b)it is a draft of the first code of practice prepared under section 41(3) that describes measures for that purpose.
(11)OFCOM must submit a draft to which this subsection applies to the Secretary of State under subsection (1) within the period of 18 months beginning with the day on which this Act is passed.
(12)If OFCOM consider that it is necessary to extend the period mentioned in subsection (11) in relation to a draft mentioned in any of paragraphs (a) to (f) of subsection (9), OFCOM may extend the period in relation to that draft by up to 12 months by making and publishing a statement.
But this is subject to subsection (15).
(13)A statement under subsection (12) must set out—
(a)the reasons why OFCOM consider that it is necessary to extend the period mentioned in subsection (11) in relation to the draft concerned, and
(b)the period of extension.
(14)A statement under subsection (12) may be published at the same time as (or incorporate) a statement under section 194(3) (extension of time to prepare certain guidance).
(15)But a statement under subsection (12) may not be made in relation to a draft mentioned in a particular paragraph of subsection (9) if—
(a)a statement has previously been made under subsection (12) (whether in relation to a draft mentioned in the same or a different paragraph of subsection (9)), or
(b)a statement has previously been made under section 194(3).
Commencement Information
I79S. 43 in force at Royal Assent, see s. 240(4)(e)
(1)The Secretary of State may direct OFCOM to modify a draft of a code of practice submitted under section 43(1) if the Secretary of State believes that modifications are required for the purpose of securing compliance with an international obligation of the United Kingdom.
(2)The Secretary of State may direct OFCOM to modify a draft of a code of practice, other than a terrorism or CSEA code of practice, submitted under section 43(1) if the Secretary of State believes that modifications are required for exceptional reasons relating to—
(a)national security,
(b)public safety,
(c)public health, or
(d)relations with the government of a country outside the United Kingdom.
(3)The Secretary of State may direct OFCOM to modify a draft of a terrorism or CSEA code of practice submitted under section 43(1) if the Secretary of State believes that modifications are required—
(a)for reasons of national security or public safety, or
(b)for exceptional reasons relating to public health or relations with the government of a country outside the United Kingdom.
(4)But if a draft of a terrorism or CSEA code of practice is submitted under section 43(1) following a review under section 47(2), the Secretary of State may only direct OFCOM to modify the draft if the Secretary of State believes that modifications are required for reasons of national security or public safety.
(5)If, following a review of a terrorism or CSEA code of practice under section 47(2), OFCOM submit a statement to the Secretary of State under section 47(3)(b) (“OFCOM’s review statement”), the Secretary of State may direct OFCOM to modify the code of practice if the Secretary of State believes that modifications are required for reasons of national security or public safety.
(6)A direction given under subsection (5)—
(a)must be given within the period of 45 days beginning with the day on which OFCOM’s review statement is submitted to the Secretary of State, and
(b)must make particular reference to OFCOM’s review statement.
(7)A direction given under this section—
(a)may not require OFCOM to include in a code of practice provision about a particular measure recommended to be taken or used by providers of Part 3 services,
(b)must set out the Secretary of State’s reasons for requiring modifications, except in a case where the Secretary of State considers that doing so would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom, and
(c)must, as soon as reasonably practicable, be published and laid before Parliament.
(8)If the Secretary of State considers that publishing and laying before Parliament a direction given under this section would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom—
(a)subsection (7)(c) does not apply in relation to the direction, and
(b)the Secretary of State must, as soon as reasonably practicable, publish and lay before Parliament a document stating—
(i)that a direction has been given,
(ii)the kind of code of practice to which it relates, and
(iii)the reasons for not publishing it.
(9)If the Secretary of State gives a direction under this section, OFCOM must, as soon as reasonably practicable—
(a)comply with the direction,
(b)submit to the Secretary of State a draft of the code of practice modified in accordance with the direction,
(c)submit to the Secretary of State a document containing—
(i)(except in a case mentioned in subsection (7)(b)) details of the direction, and
(ii)details about how the draft has been revised in response to the direction,
(d)publish the document, and
(e)inform the Secretary of State about modifications that OFCOM have made to the draft that are not in response to the direction (if there are any).
(10)The Secretary of State may give OFCOM one or more further directions requiring OFCOM to modify the draft of the code of practice.
(11)Such further directions may only be given for the reasons set out in subsection (1), (2), (3), (4) or (5) (as the case may be), and subsections (7) to (9) apply again in relation to such further directions.
(12)When the Secretary of State is satisfied that no further modifications to the draft are required, the Secretary of State must, as soon as reasonably practicable, lay before Parliament—
(a)the modified draft,
(b)any document submitted by OFCOM as mentioned in subsection (9)(c), and
(c)in the case of a direction under subsection (5), OFCOM’s review statement.
(13)Before laying OFCOM’s review statement before Parliament, the Secretary of State may, with OFCOM’s agreement, remove or obscure information in the statement (whether by redaction or otherwise) in order to prevent the disclosure of matters that the Secretary of State considers would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom.
(14)This section applies in relation to a draft of amendments of a code of practice submitted under section 43(1) as it applies in relation to a draft of a code of practice submitted under that provision.
(15)In this section “terrorism or CSEA code of practice” means a code of practice under section 41(1) or (2).
Commencement Information
I80S. 44 in force at Royal Assent, see s. 240(4)(e)
(1)This section sets out the procedure that applies where a draft of a code of practice is laid before Parliament under section 44(12).
(2)If the draft contains modifications made following a direction given under section 44(1), (2) or (3)(b), the affirmative procedure applies.
(3)If the draft contains modifications made following a direction given under section 44(3)(a), (4) or (5), the negative procedure applies.
(4)The “affirmative procedure” is as follows—
(a)a code of practice in the form of the draft laid before Parliament must not be issued by OFCOM unless the draft has been approved by a resolution of each House of Parliament;
(b)if the draft is so approved, the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued;
(c)if the draft is not so approved, OFCOM must prepare another draft of the code of practice under section 41.
(5)The “negative procedure” is as follows—
(a)if, within the 40-day period, either House of Parliament resolves not to approve the draft—
(i)OFCOM must not issue the code of practice in the form of that draft, and
(ii)OFCOM must prepare another draft of the code of practice under section 41;
(b)if no such resolution is made within that period—
(i)OFCOM must issue the code of practice in the form of the draft laid before Parliament, and
(ii)the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued.
(6)“The 40-day period” has the same meaning as in section 43 (see subsections (5) and (6) of that section).
(7)This section applies in relation to a draft of amendments of a code of practice laid before Parliament under section 44(12) as it applies in relation to a draft of a code of practice laid under that provision.
Commencement Information
I81S. 45 in force at Royal Assent, see s. 240(4)(e)
(1)OFCOM must publish each code of practice issued under section 43 or 45 within the period of three days beginning with the day on which it is issued.
(2)Where amendments of a code of practice are issued under either of those sections, OFCOM must publish the amended code of practice within the period of three days beginning with the day on which the amendments are issued.
(3)Where a code of practice is withdrawn, OFCOM must publish a notice to that effect.
Commencement Information
I82S. 46 in force at Royal Assent, see s. 240(4)(e)
(1)OFCOM must keep under review each code of practice published under section 46.
(2)The Secretary of State may require OFCOM to review a terrorism or CSEA code of practice published under section 46 if the Secretary of State considers a review to be necessary for reasons of national security or public safety (and the Secretary of State must notify OFCOM whether the reasons fall into the category of national security or public safety).
(3)OFCOM must carry out a review of the code of practice under subsection (2) as soon as reasonably practicable, and when it is completed—
(a)if OFCOM consider that changes are required, they must prepare a draft of amendments to the code of practice or a draft of a replacement code of practice under section 41, or
(b)if OFCOM consider that no changes are required, they must submit to the Secretary of State a statement which explains the reasons for that conclusion.
(4)Subsection (5) applies if—
(a)OFCOM submit a statement under subsection (3)(b) to the Secretary of State,
(b)the period of 45 days beginning with the day on which the statement was submitted has elapsed, and
(c)the Secretary of State has not given a direction under section 44(5).
(5)OFCOM must publish the statement as soon as reasonably practicable after the end of the period mentioned in subsection (4)(b), making it clear which code of practice the statement relates to.
(6)In advance of publication, the Secretary of State may make representations to OFCOM about the desirability of removing or obscuring information in the statement (whether by redaction or otherwise) in order to prevent the disclosure of matters that the Secretary of State considers would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom (and see also section 116(3)).
(7)In this section “terrorism or CSEA code of practice” means a code of practice under section 41(1) or (2).
Commencement Information
I83S. 47 in force at Royal Assent, see s. 240(4)(e)
(1)This section applies if—
(a)OFCOM propose to amend a code of practice under section 41, and
(b)OFCOM consider that the minor nature of the proposal means that—
(i)consultation is unnecessary, and
(ii)the proposed amendments should not be required to be laid before Parliament.
(2)OFCOM must notify the Secretary of State of the proposed amendments.
(3)If the Secretary of State agrees with OFCOM that it is appropriate—
(a)the consultation requirements set out in section 41(6) and (7) do not apply in relation to the proposed amendments, and
(b)section 43 does not apply to the amendments, once prepared.
(4)If the Secretary of State agrees with OFCOM as mentioned in subsection (3), OFCOM may prepare and issue the amendments of the code of practice.
(5)Amendments of a code of practice issued under this section come into force at the end of the period of 21 days beginning with the day on which the amendments are issued.
(6)Section 46(2) applies in relation to amendments of a code of practice issued under this section as it applies in relation to amendments of a code of practice issued under section 43 or 45.
Commencement Information
I84S. 48 in force at Royal Assent, see s. 240(4)(e)
(1)A provider of a Part 3 service is to be treated as complying with a relevant duty if the provider takes or uses the measures described in a code of practice which are recommended for the purpose of compliance with the duty in question.
(2)A provider of a user-to-user service—
(a)is to be treated as complying with the duty set out in section 22(2) (freedom of expression) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect users’ right to freedom of expression within the law;
(b)is to be treated as complying with the duty set out in section 22(3) (privacy) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the privacy of users.
(3)A provider of a search service—
(a)is to be treated as complying with the duty set out in section 33(2) (freedom of expression) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the rights of users and interested persons to freedom of expression within the law;
(b)is to be treated as complying with the duty set out in section 33(3) (privacy) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the privacy of users.
(4)A provider of a Category 1 service or a Category 2A service (or a provider of a service which is both a Category 1 service and a Category 2A service) is to be treated as complying with a duty set out in Chapter 5 if the provider takes or uses the measures described in a fraudulent advertising code of practice which are recommended for the purpose of compliance with the duty in question.
(5)A provider of a Part 3 service who seeks to comply with a relevant duty by acting otherwise than by taking or using a measure described in a code of practice or a fraudulent advertising code of practice which is recommended for the purpose of compliance with the duty must have particular regard to the importance of the following (where relevant)—
(a)protecting the right of users and (in the case of search services) interested persons to freedom of expression within the law, and
(b)protecting the privacy of users.
(6)When assessing whether a provider of a Part 3 service is compliant with a relevant duty where the provider has acted otherwise than by taking or using a measure described in a code of practice or a fraudulent advertising code of practice which is recommended for the purpose of compliance with the duty, OFCOM must consider the extent to which the alternative measures taken or in use by the provider—
(a)extend across all areas of a service as mentioned in section 10(4), 12(8), 27(4) or 29(4) (if relevant to the duty in question), and
(b)(where appropriate) incorporate safeguards for the protection of the matters mentioned in subsection (5)(a) and (b).
(7)In subsections (1) to (4), references to taking or using measures recommended for the purpose of compliance with a duty, or to taking or using relevant recommended measures, are to taking or using such of those measures as are relevant to the provider and the service in question.
(8)In this section—
(a)references to protecting the privacy of users are to protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a user-to-user service or search service (including, but not limited to, any such provision or rule concerning the processing of personal data);
(b)references to a search service include references to a combined service (see section 7(6)).
(9)In this section—
“Chapter 2 safety duty” means a duty set out in—
section 10 (illegal content), or
section 12 (children’s online safety);
“Chapter 3 safety duty” means a duty set out in—
section 27 (illegal content), or
section 29 (children’s online safety);
“code of practice” means a code of practice published under section 46, except a fraudulent advertising code of practice;
“fraudulent advertising code of practice” means a code of practice prepared under section 41(4) and published under section 46;
“relevant duty” means—
a Chapter 2 safety duty,
a Chapter 3 safety duty,
a duty set out in section 15 (user empowerment),
a duty set out in section 17 (content of democratic importance),
a duty set out in section 19 (journalistic content),
a duty set out in section 20 or 31 (content reporting), or
a duty set out in section 21 or 32 (complaints procedures);
“relevant recommended measures” means the measures described in a code of practice which are recommended for the purpose of compliance with—
in the case of a user-to-user service—
a Chapter 2 safety duty, or
a duty set out in section 15 (user empowerment);
in the case of a search service, a Chapter 3 safety duty.
Commencement Information
I85S. 49 not in force at Royal Assent, see s. 240(1)
I86S. 49 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(n)
(1)A failure by a provider of a Part 3 service to act in accordance with a provision of a code of practice does not of itself make the provider liable to legal proceedings in a court or tribunal.
(2)A code of practice is admissible in evidence in legal proceedings.
(3)In any proceedings in a court or tribunal, the court or tribunal must take into account a provision of a code of practice in determining a question arising in the proceedings if—
(a)the question relates to a time when the provision was in force, and
(b)the provision appears to the court or tribunal to be relevant to the question.
(4)OFCOM must take into account a provision of a code of practice in determining a question arising in connection with their exercise of any relevant function if—
(a)the question relates to a time when the provision was in force, and
(b)the provision appears to OFCOM to be relevant to the question.
(5)In this section—
“code of practice” means a code of practice published under section 46;
“relevant functions” means OFCOM’s functions under—
Chapter 4 of Part 7 (information),
Chapter 5 of Part 7 (notices to deal with terrorism content and CSEA content),
Chapter 6 of Part 7 (enforcement), and
Chapter 2 of Part 8 (super-complaints).
Commencement Information
I87S. 50 not in force at Royal Assent, see s. 240(1)
I88S. 50 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(n)
(1)A duty mentioned in subsection (3) applies to providers of Part 3 services from the day on which a code of practice prepared under section 41(3) that is the first code of practice relating to that duty comes into force.
(2)In the case of the duties set out in sections 10 and 27, subsection (1) is subject to subsections (5) and (6).
(3)The duties referred to in subsection (1) are the duties set out in—
(a)sections 10 and 27 (illegal content),
(b)sections 12 and 29 (children’s online safety),
(c)section 15 (user empowerment),
(d)section 17 (content of democratic importance),
(e)section 19 (journalistic content),
(f)sections 20 and 31 (content reporting), and
(g)sections 21 and 32 (complaints procedures).
(4)For the purposes of subsection (1) a code of practice is the first code of practice relating to a duty if—
(a)it describes measures recommended for the purpose of compliance with that duty, and
(b)it is the first code of practice prepared under section 41(3) that describes measures for that purpose.
(5)The duties set out in sections 10 and 27, so far as relating to terrorism content or offences within Schedule 5 (terrorism offences), apply to providers of Part 3 services from the day on which the first code of practice prepared under section 41(1) comes into force.
(6)The duties set out in sections 10 and 27, so far as relating to CSEA content or offences within Schedule 6 (child sexual exploitation and abuse offences), apply to providers of Part 3 services from the day on which the first code of practice prepared under section 41(2) comes into force.
(7)The duties set out in Chapter 5 (fraudulent advertising) apply to providers of a Category 1 service and providers of a Category 2A service (and to providers of a service which is both a Category 1 service and a Category 2A service) from the day on which the first code of practice prepared under section 41(4) comes into force.
(8)In relation to the provider of a particular Part 3 service, references in this section to duties applying to providers of Part 3 services (or to providers of Category 1 services or Category 2A services) are to such duties as apply in relation to that service in accordance with sections 7 and 24 or (as the case may be) Chapter 5.
(9)This section is subject to Part 2 of Schedule 17 (video-sharing platform services: transitional provision etc).
Commencement Information
I89S. 51 not in force at Royal Assent, see s. 240(1)
I90S. 51 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(n)
(1)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in section 14 (assessments related to the adult user empowerment duty set out in section 15(2)).
(2)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in section 18 (news publisher content).
(3)OFCOM must produce guidance for providers of Part 3 services to assist them in complying with—
(a)their duties set out in section 23 or 34, except the duty set out in section 23(10) or 34(9) (record-keeping and review), and
(b)their duties set out in section 36 (children’s access assessments).
(4)Before producing guidance under subsection (1) or (3) (including revised or replacement guidance), OFCOM must consult the Information Commissioner.
(5)OFCOM must publish guidance under this section (and any revised or replacement guidance).
Commencement Information
I91S. 52(3)-(5) in force at Royal Assent, see s. 240(4)(f)
I92S. 52(1)(2) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(o)
(1)OFCOM must produce guidance for providers of Part 3 services which contains examples of content or kinds of content that OFCOM consider to be, or consider not to be—
(a)primary priority content that is harmful to children, or
(b)priority content that is harmful to children.
(2)OFCOM must produce guidance for providers of Category 1 services which contains examples of content or kinds of content that OFCOM consider to be, or consider not to be, content to which section 15(2) applies (see section 16).
(3)Before producing any guidance under this section (including revised or replacement guidance), OFCOM must consult such persons as they consider appropriate.
(4)OFCOM must publish guidance under this section (and any revised or replacement guidance).
Commencement Information
I93S. 53(1)(3)(4) in force at Royal Assent, see s. 240(4)(g)
I94S. 53(2) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(p)
(1)OFCOM must produce guidance for providers of Part 3 services which focuses on content and activity—
(a)in relation to which such providers have duties set out in this Part or Part 4, and
(b)which disproportionately affects women and girls.
(2)The guidance may, among other things—
(a)contain advice and examples of best practice for assessing risks of harm to women and girls from content and activity mentioned in subsection (1), and for reducing such risks;
(b)refer to provisions contained in a code of practice under section 41 which are particularly relevant to the protection of women and girls from such content and activity.
(3)Before producing the guidance (including revised or replacement guidance), OFCOM must consult—
(a)the Commissioner for Victims and Witnesses,
(b)the Domestic Abuse Commissioner, and
(c)such other persons as OFCOM consider appropriate.
(4)OFCOM must publish the guidance (and any revised or replacement guidance).
Commencement Information
I95S. 54 not in force at Royal Assent, see s. 240(1)
I96S. 54 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(q)
(1)This section applies for the purposes of this Part.
(2)“Regulated user-generated content”, in relation to a regulated user-to-user service, means user-generated content, except—
(a)emails,
(b)SMS messages,
(c)MMS messages,
(d)one-to-one live aural communications (see subsection (5)),
(e)comments and reviews on provider content (see subsection (6)),
(f)identifying content that accompanies content within any of paragraphs (a) to (e), and
(g)news publisher content (see subsection (8)).
(3)“User-generated content”, in relation to a user-to-user service, means content—
(a)that is—
(i)generated directly on the service by a user of the service, or
(ii)uploaded to or shared on the service by a user of the service, and
(b)that may be encountered by another user, or other users, of the service by means of the service.
(4)For the purposes of subsection (3)—
(a)the reference to content generated, uploaded or shared by a user includes content generated, uploaded or shared by means of software or an automated tool applied by the user;
(b)a bot or other automated tool is to be regarded as a user of a service if—
(i)the functions of the bot or tool include interacting with user-generated content, and
(ii)the bot or tool is not controlled by or on behalf of the provider of the service.
(5)“One-to-one live aural communications”, in relation to a user-to-user service, means content—
(a)consisting of speech or other sounds conveyed in real time between two users of the service by means of the service,
(b)that is not a recording, and
(c)that is not accompanied by user-generated content of any other kind, except identifying content.
(6)“Comments and reviews on provider content”, in relation to a user-to-user service, means content present on the service consisting of comments or reviews relating to provider content (together with any further comments on such comments or reviews).
(7)In subsection (6) “provider content” means content published on a service by the provider of the service or by a person acting on behalf of the provider, including where the publication of the content is effected or controlled by means of—
(a)software or an automated tool or algorithm applied by the provider or by a person acting on behalf of the provider, or
(b)an automated tool or algorithm made available on the service by the provider or by a person acting on behalf of the provider.
For the purposes of subsection (6), content that is user-generated content in relation to a service is not to be regarded as provider content in relation to that service.
(8)“News publisher content”, in relation to a regulated user-to-user service, means any content present on the service that is within subsection (9) or (10).
(9)Content is within this subsection if it was generated directly on the service by a user of the service that is a recognised news publisher.
(10)Content is within this subsection if—
(a)the content was uploaded to or shared on the service by a user of the service, and
(b)the content either—
(i)reproduces in full an article or written item that was originally published by a recognised news publisher (and is not a screenshot or photograph of that article or item or of part of it),
(ii)is video or audio content that was originally published or broadcast by a recognised news publisher, and is not a clipped or edited form of such content (unless it is the recognised news publisher who has clipped or edited it), or
(iii)is a link to an article or item within sub-paragraph (i) or to content within sub-paragraph (ii).
(11)For the meaning of “recognised news publisher”, see section 56.
(12)In this section—
“MMS message” means a Multimedia Messaging Service message (that may include images, sounds and short videos) that may be sent between telephone numbers allocated in accordance with a national or international numbering plan;
“SMS message” means a Short Message Service text message composed principally of letters or numbers that may be sent between telephone numbers allocated in accordance with a national or international numbering plan.
Commencement Information
I97S. 55 in force at Royal Assent, see s. 240(4)(h)
(1)In this Part, “recognised news publisher” means any of the following entities—
(a)the British Broadcasting Corporation,
(b)Sianel Pedwar Cymru,
(c)the holder of a licence under the Broadcasting Act 1990 or 1996 who publishes news-related material in connection with the broadcasting activities authorised under the licence, and
(d)any other entity which—
(i)meets all of the conditions in subsection (2),
(ii)is not an excluded entity (see subsection (3)), and
(iii)is not a sanctioned entity (see subsection (4)).
(2)The conditions referred to in subsection (1)(d)(i) are that the entity—
(a)has as its principal purpose the publication of news-related material, and such material—
(i)is created by different persons, and
(ii)is subject to editorial control,
(b)publishes such material in the course of a business (whether or not carried on with a view to profit),
(c)is subject to a standards code,
(d)has policies and procedures for handling and resolving complaints,
(e)has a registered office or other business address in the United Kingdom,
(f)is the person with legal responsibility for material published by it in the United Kingdom, and
(g)publishes—
(i)the entity’s name, the address mentioned in paragraph (e) and the entity’s registered number (if any), and
(ii)the name and address of any person who controls the entity (including, where such a person is an entity, the address of that person’s registered or principal office and that person’s registered number (if any)).
(3)An “excluded entity” is an entity—
(a)which is a proscribed organisation under the Terrorism Act 2000 (see section 3 of that Act), or
(b)the purpose of which is to support a proscribed organisation under that Act.
(4)A “sanctioned entity” is an entity which—
(a)is designated by name under a power contained in regulations under section 1 of the Sanctions and Anti-Money Laundering Act 2018 that authorises the Secretary of State or the Treasury to designate persons for the purposes of the regulations or of any provisions of the regulations, or
(b)is a designated person under any provision included in such regulations by virtue of section 13 of that Act (persons named by or under UN Security Council Resolutions).
(5)For the purposes of subsection (2)—
(a)news-related material is “subject to editorial control” if there is a person (whether or not the publisher of the material) who has editorial or equivalent responsibility for the material, including responsibility for how it is presented and the decision to publish it;
(b)“control” has the same meaning as it has in the Broadcasting Act 1990 by virtue of section 202 of that Act.
(6)In this section—
“
” means material consisting of—news or information about current affairs,
opinion about matters relating to the news or current affairs, or
gossip about celebrities, other public figures or other persons in the news;
“publish” means publish by any means (including by broadcasting), and references to a publisher and publication are to be construed accordingly;
“standards code” means—
a code of standards that regulates the conduct of publishers, that is published by an independent regulator, or
a code of standards that regulates the conduct of the entity in question, that is published by the entity itself.
Commencement Information
I98S. 56 in force at Royal Assent, see s. 240(4)(h)
(1)This section applies for the purposes of this Part.
(2)“Search content” means content that may be encountered in or via search results of a search service, except—
(a)paid-for advertisements (see section 236),
(b)content on the website of a recognised news publisher (see section 56), and
(c)content that—
(i)reproduces in full an article or written item that was originally published by a recognised news publisher (and is not a screenshot or photograph of that article or item or of part of it),
(ii)is video or audio content that was originally published or broadcast by a recognised news publisher, and is not a clipped or edited form of such content (unless it is the recognised news publisher who has clipped or edited it), or
(iii)is a link to an article or item within sub-paragraph (i) or to content within sub-paragraph (ii).
(3)“Search results”, in relation to a search service, means content presented to a user of the service by operation of the search engine in response to a search request made by the user.
(4)“Search” means search by any means, including by input of text or images or by speech, and references to a search request are to be construed accordingly.
(5)In subsection (2), the reference to encountering content “via search results”—
(a)is to encountering content as a result of interacting with search results (for example, by clicking on them);
(b)does not include a reference to encountering content as a result of subsequent interactions with an internet service other than the search service.
(6)In this section references to a search service include references to a user-to-user service that includes a search engine.
Commencement Information
I99S. 57 in force at Royal Assent, see s. 240(4)(h)
(1)This section applies for the purposes of this Part.
(2)References to restricting users’ access to content, and related references, include any case where a provider takes or uses a measure which has the effect that—
(a)a user is unable to access content without taking a prior step (whether or not taking that step might result in access being denied), or
(b)content is temporarily hidden from a user.
(3)But such references do not include any case where—
(a)the effect mentioned in subsection (2) results from the voluntary use or application by a user of features, functionalities or settings which a provider includes in a service (for example, features, functionalities or settings included in compliance with the duty set out in section 15(2) or (9) (user empowerment)), or
(b)access to content is controlled by another user, rather than the provider.
(4)See also section 236(6).
Commencement Information
I100S. 58 in force at Royal Assent, see s. 240(4)(h)
(1)This section applies for the purposes of this Part.
(2)“Illegal content” means content that amounts to a relevant offence.
(3)Content consisting of certain words, images, speech or sounds amounts to a relevant offence if—
(a)the use of the words, images, speech or sounds amounts to a relevant offence,
(b)the possession, viewing or accessing of the content constitutes a relevant offence, or
(c)the publication or dissemination of the content constitutes a relevant offence.
(4)“Relevant offence” means—
(a)a priority offence, or
(b)an offence within subsection (5).
(5)An offence is within this subsection if—
(a)it is not a priority offence,
(b)the victim or intended victim of the offence is an individual (or individuals), and
(c)the offence is created by this Act or, before or after this Act is passed, by—
(i)another Act,
(ii)an Order in Council,
(iii)an order, rules or regulations made under an Act by the Secretary of State or other Minister of the Crown, including such an instrument made jointly with a devolved authority, or
(iv)devolved subordinate legislation made by a devolved authority with the consent of the Secretary of State or other Minister of the Crown.
(6)But an offence is not within subsection (5) if—
(a)the offence concerns—
(i)the infringement of intellectual property rights,
(ii)the safety or quality of goods (as opposed to what kind of goods they are), or
(iii)the performance of a service by a person not qualified to perform it; or
(b)it is an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277).
(7)“Priority offence” means—
(a)an offence specified in Schedule 5 (terrorism offences),
(b)an offence specified in Schedule 6 (offences related to child sexual exploitation and abuse), or
(c)an offence specified in Schedule 7 (other priority offences).
(8)“Terrorism content” means content that amounts to an offence specified in Schedule 5.
(9)“CSEA content” means content that amounts to an offence specified in Schedule 6.
(10)“Priority illegal content” means—
(a)terrorism content,
(b)CSEA content, and
(c)content that amounts to an offence specified in Schedule 7.
(11)For the purposes of determining whether content amounts to an offence, no account is to be taken of whether or not anything done in relation to the content takes place in any part of the United Kingdom.
(12)References in subsection (3) to conduct of particular kinds are not to be taken to prevent content generated by a bot or other automated tool from being capable of amounting to an offence (see also section 192(7) (providers’ judgements about the status of content)).
(13)Subsection (14) applies in relation to a regulated user-to-user service (but, in the case of a combined service, does not apply in relation to the search content of the service).
(14)References to “illegal content”, “terrorism content”, “CSEA content” and “priority illegal content” are to be read as—
(a)limited to content within the definition in question that is regulated user-generated content in relation to the service, and
(b)including material which, if it were present on the service, would be content within paragraph (a) (and this section is to be read with such modifications as may be necessary for the purpose of this paragraph).
(15)In this section—
“devolved authority” means—
the Scottish Ministers,
the Welsh Ministers, or
a Northern Ireland department;
“devolved subordinate legislation” means—
an instrument made under an Act of the Scottish Parliament,
an instrument made under an Act or Measure of Senedd Cymru, or
an instrument made under Northern Ireland legislation;
“Minister of the Crown” has the meaning given by section 8 of the Ministers of the Crown Act 1975 and also includes the Commissioners for His Majesty’s Revenue and Customs;
“offence” means an offence under the law of any part of the United Kingdom.
(16)See also section 192 (providers’ judgements about the status of content).
Commencement Information
I101S. 59 in force at Royal Assent, see s. 240(4)(h)
(1)This section and sections 61 and 62 apply for the purposes of this Part.
(2)“Content that is harmful to children” means—
(a)primary priority content that is harmful to children (see section 61),
(b)priority content that is harmful to children (see section 62), or
(c)content, not within paragraph (a) or (b), of a kind which presents a material risk of significant harm to an appreciable number of children in the United Kingdom.
(3)Content is not to be regarded as within subsection (2)(c) if the risk of harm flows from—
(a)the content’s potential financial impact,
(b)the safety or quality of goods featured in the content, or
(c)the way in which a service featured in the content may be performed (for example, in the case of the performance of a service by a person not qualified to perform it).
(4)“Non-designated content that is harmful to children” means content within subsection (2)(c).
(5)Subsection (6) applies in relation to a regulated user-to-user service (but, in the case of a combined service, does not apply in relation to the search content of the service).
(6)References to “primary priority content that is harmful to children”, “priority content that is harmful to children”, “content that is harmful to children” and “non-designated content that is harmful to children” are to be read as—
(a)limited to content within the definition in question that is regulated user-generated content in relation to the service, and
(b)including material which, if it were present on the service, would be content within paragraph (a) (and this section and sections 61 and 62 are to be read with such modifications as may be necessary for the purpose of this paragraph).
Commencement Information
I102S. 60 in force at Royal Assent, see s. 240(4)(h)
(1)“Primary priority content that is harmful to children” means content of any of the following kinds.
(2)Pornographic content, other than content within subsection (6).
(3)Content which encourages, promotes or provides instructions for suicide.
(4)Content which encourages, promotes or provides instructions for an act of deliberate self-injury.
(5)Content which encourages, promotes or provides instructions for an eating disorder or behaviours associated with an eating disorder.
(6)Content is within this subsection if it—
(a)consists only of text, or
(b)consists only of text accompanied by—
(i)identifying content which consists only of text,
(ii)other identifying content which is not itself pornographic content,
(iii)a GIF which is not itself pornographic content,
(iv)an emoji or other symbol, or
(v)any combination of content mentioned in sub-paragraphs (i) to (iv).
(7)In this section and section 62 “injury” includes poisoning.
Commencement Information
I103S. 61 in force at Royal Assent, see s. 240(4)(h)
(1)“Priority content that is harmful to children” means content of any of the following kinds.
(2)Content which is abusive and which targets any of the following characteristics—
(a)race,
(b)religion,
(c)sex,
(d)sexual orientation,
(e)disability, or
(f)gender reassignment.
(3)Content which incites hatred against people—
(a)of a particular race, religion, sex or sexual orientation,
(b)who have a disability, or
(c)who have the characteristic of gender reassignment.
(4)Content which encourages, promotes or provides instructions for an act of serious violence against a person.
(5)Bullying content.
(6)Content which—
(a)depicts real or realistic serious violence against a person;
(b)depicts the real or realistic serious injury of a person in graphic detail.
(7)Content which—
(a)depicts real or realistic serious violence against an animal;
(b)depicts the real or realistic serious injury of an animal in graphic detail;
(c)realistically depicts serious violence against a fictional creature or the serious injury of a fictional creature in graphic detail.
(8)Content which encourages, promotes or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else.
(9)Content which encourages a person to ingest, inject, inhale or in any other way self-administer—
(a)a physically harmful substance;
(b)a substance in such a quantity as to be physically harmful.
(10)In subsections (2) and (3)—
(a)“disability” means any physical or mental impairment;
(b)“race” includes colour, nationality, and ethnic or national origins;
(c)references to religion include references to a lack of religion.
(11)For the purposes of subsection (3), a person has the characteristic of gender reassignment if the person is proposing to undergo, is undergoing or has undergone a process (or part of a process) for the purpose of reassigning the person’s sex by changing physiological or other attributes of sex, and the reference to gender reassignment in subsection (2) is to be construed accordingly.
(12)For the purposes of subsection (5) content may, in particular, be “bullying content” if it is content targeted against a person which—
(a)conveys a serious threat;
(b)is humiliating or degrading;
(c)forms part of a campaign of mistreatment.
(13)In subsection (6) “person” is not limited to a real person.
(14)In subsection (7) “animal” is not limited to a real animal.
Commencement Information
I104S. 62 in force at Royal Assent, see s. 240(4)(h)
(1)OFCOM must carry out reviews of—
(a)the incidence on regulated user-to-user services of content that is harmful to children,
(b)the incidence on regulated search services and combined services of search content that is harmful to children, and
(c)the severity of harm that children in the United Kingdom suffer, or may suffer, as a result of those kinds of content.
(2)OFCOM must produce and publish a report on the outcome of each review.
(3)The report must include advice as to whether, in OFCOM’s opinion, it is appropriate to make changes to sections 61 and 62, specifying the changes that OFCOM recommend.
(4)The reports must be published not more than three years apart.
(5)The first report must be published before the end of the period of three years beginning with the day on which this Act is passed.
(6)OFCOM must send a copy of each report to the Secretary of State.
Commencement Information
I105S. 63 in force at Royal Assent, see s. 240(4)(h)
(1)A provider of a Category 1 service must offer all adult users of the service the option to verify their identity (if identity verification is not required for access to the service).
(2)The verification process may be of any kind (and in particular, it need not require documentation to be provided).
(3)A provider of a Category 1 service must include clear and accessible provisions in the terms of service explaining how the verification process works.
(4)If a person is the provider of more than one Category 1 service, the duties set out in this section apply in relation to each such service.
(5)The duty set out in subsection (1) applies in relation to all adult users, not just those who begin to use a service after that duty begins to apply.
(6)The duties set out in this section extend only to—
(a)the user-to-user part of a service, and
(b)the design, operation and use of a service in the United Kingdom.
(7)For the purposes of this section a person is an “adult user” of a service if the person is an adult in the United Kingdom who—
(a)is a user of the service, or
(b)seeks to begin to use the service (for example by setting up an account).
(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).
Commencement Information
I106S. 64 not in force at Royal Assent, see s. 240(1)
(1)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with the duty set out in section 64(1).
(2)In producing the guidance (including revised or replacement guidance), OFCOM must have particular regard to the desirability of ensuring that providers of Category 1 services offer users a form of identity verification likely to be available to vulnerable adult users.
(3)Before producing the guidance (including revised or replacement guidance), OFCOM must consult—
(a)the Information Commissioner,
(b)persons whom OFCOM consider to have technological expertise relevant to the duty set out in section 64(1),
(c)persons who appear to OFCOM to represent the interests of vulnerable adult users of Category 1 services, and
(d)such other persons as OFCOM consider appropriate.
(4)OFCOM must publish the guidance (and any revised or replacement guidance).
Commencement Information
I107S. 65 not in force at Royal Assent, see s. 240(1)
I108S. 65 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(r)
Prospective
(1)A UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported CSEA content present on the service to the NCA.
(2)A non-UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked CSEA content present on the service to the NCA (and does not report to the NCA CSEA content which is not UK-linked).
(3)A UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported CSEA content present on websites or databases capable of being searched by the search engine to the NCA.
(4)A non-UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked CSEA content present on websites or databases capable of being searched by the search engine to the NCA (and does not report to the NCA CSEA content which is not UK-linked).
(5)A UK provider of a combined service must comply with the requirement under subsection (3) in relation to the search engine of the service.
(6)A non-UK provider of a combined service must comply with the requirement under subsection (4) in relation to the search engine of the service.
(7)Providers’ reports under this section—
(a)must meet the requirements set out in regulations under section 67, and
(b)must be sent to the NCA in the manner, and within the time frames, set out in those regulations.
(8)If a person is the provider of more than one regulated user-to-user service or regulated search service, requirements under this section apply in relation to each such service.
(9)Terms used in this section are defined in section 70.
(10)This section applies only in relation to CSEA content detected on or after the date on which this section comes into force.
Commencement Information
I109S. 66 not in force at Royal Assent, see s. 240(1)
(1)The Secretary of State must make regulations in connection with the reports that are to be made to the NCA (including by non-UK providers) as required by section 66.
(2)The regulations may make provision about—
(a)the information to be included in the reports,
(b)the format of the reports,
(c)the manner in which the reports must be sent to the NCA,
(d)the time frames for sending the reports to the NCA (including provision about cases of particular urgency),
(e)the records that providers must keep in relation to the reports, or the details that providers must retain as evidence that they have made the reports, and
(f)such other matters relating to the reports as the Secretary of State considers appropriate.
(3)The regulations may also—
(a)require providers to retain, for a specified period, data of a specified description associated with a report, and
(b)impose restrictions or requirements in relation to the retention of such data (including how the data is to be secured or stored or who may access the data).
(4)The power to require the retention of data associated with a report includes power to require the retention of—
(a)content generated, uploaded or shared by any user mentioned in the report (or metadata relating to such content), and
(b)user data relating to any such person (or metadata relating to such data).
“User data” here has the meaning given by section 231.
(5)Before making regulations under this section, the Secretary of State must consult—
(a)the NCA,
(b)OFCOM, and
(c)such other persons as the Secretary of State considers appropriate.
Commencement Information
I110S. 67 not in force at Royal Assent, see s. 240(1)
I111S. 67 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(s)
In section 16 of the Crime and Courts Act 2013 (interpretation of Part 1), in subsection (1), in the definition of “permitted purpose”, after paragraph (o) insert—
“(oa)the exercise of any function of OFCOM (the Office of Communications) under the Online Safety Act 2023;”.
Commencement Information
I112S. 68 not in force at Royal Assent, see s. 240(1)
I113S. 68 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(t)
Prospective
(1)A person commits an offence if, in purported compliance with a requirement under section 66—
(a)the person provides information that is false in a material respect, and
(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(2)A person who commits an offence under this section is liable—
(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);
(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).
Commencement Information
I114S. 69 not in force at Royal Assent, see s. 240(1)
(1)This section applies for the purposes of this Chapter.
(2)A provider of a regulated user-to-user service or a regulated search service is a “UK provider” of the service if the provider is—
(a)an individual or individuals who are habitually resident in the United Kingdom, or
(b)an entity incorporated or formed under the law of any part of the United Kingdom.
(3)Otherwise, a provider of a regulated user-to-user service or a regulated search service is a “non-UK provider” of the service.
(4)CSEA content is “detected” by a provider when the provider becomes aware of the content, whether by means of the provider’s systems or processes or as a result of another person alerting the provider.
(5)CSEA content is “unreported”, in relation to a provider, if the reporting of that content is not covered by arrangements (mandatory or voluntary)—
(a)by which the provider reports content relating to child sexual exploitation or abuse to a foreign agency, or
(b)by which an entity that is a group undertaking in relation to the provider reports content relating to child sexual exploitation or abuse to—
(i)the NCA, or
(ii)a foreign agency.
(6)CSEA content is “UK-linked” if a provider has evidence of a link between the content and the United Kingdom, based on any of the following—
(a)the place where the content was published, generated, uploaded or shared;
(b)the nationality of a person suspected of committing the related offence;
(c)the location of a person suspected of committing the related offence;
(d)the location of a child who is a suspected victim of the related offence.
For the purposes of paragraphs (b), (c) and (d) an offence is “related” to CSEA content if the content amounts to that offence (construed in accordance with section 59: see subsections (3), (11) and (12) of that section).
(7)In this Chapter—
“CSEA content” has the same meaning as in Part 3 (see section 59);
“foreign agency” means a person exercising functions in a country outside the United Kingdom which correspond to the NCA’s functions insofar as they relate to receiving and disseminating reports about CSEA content;
“group undertaking” has the meaning given by section 1161(5) of the Companies Act 2006;
“NCA” means the National Crime Agency.
(8)Sections 1161(5) and 1162 of, and Schedule 7 to, the Companies Act 2006—
(a)are to apply in relation to an entity which is not an undertaking (as defined in section 1161(1) of that Act) as they apply in relation to an undertaking, and
(b)are to be read with any necessary modifications if applied to an entity formed under the law of a country outside the United Kingdom.
Commencement Information
I115S. 70 in force at Royal Assent, see s. 240(4)(i)
Prospective
(1)A provider of a Category 1 service must operate the service using proportionate systems and processes designed to ensure that the provider does not—
(a)take down regulated user-generated content from the service,
(b)restrict users’ access to regulated user-generated content, or
(c)suspend or ban users from using the service,
except in accordance with the terms of service.
(2)Nothing in subsection (1) is to be read as preventing a provider from taking down content from a service or restricting users’ access to it, or suspending or banning a user, if such an action is taken—
(a)to comply with the duties set out in—
(i)section 10(2) or (3) (protecting individuals from illegal content), or
(ii)section 12(2) or (3) (protecting children from content that is harmful to children), or
(b)to avoid criminal or civil liability on the part of the provider that might reasonably be expected to arise if such an action were not taken.
(3)In addition, nothing in subsection (1) is to be read as preventing a provider from—
(a)taking down content from a service or restricting users’ access to it on the basis that a user has committed an offence in generating, uploading or sharing it on the service, or
(b)suspending or banning a user on the basis that—
(i)the user has committed an offence in generating, uploading or sharing content on the service, or
(ii)the user is responsible for, or has facilitated, the presence or attempted placement of a fraudulent advertisement on the service.
(4)The duty set out in subsection (1) does not apply in relation to—
(a)consumer content (see section 74);
(b)terms of service which deal with the treatment of consumer content.
(5)If a person is the provider of more than one Category 1 service, the duty set out in subsection (1) applies in relation to each such service.
(6)The duty set out in subsection (1) extends only to the design, operation and use of a service in the United Kingdom, and references in this section to users are to United Kingdom users of a service.
(7)In this section—
“criminal or civil liability” includes such a liability under the law of a country outside the United Kingdom;
“fraudulent advertisement” has the meaning given by section 38;
“offence” includes an offence under the law of a country outside the United Kingdom.
(8)See also section 18 (duties to protect news publisher content).
Commencement Information
I116S. 71 not in force at Royal Assent, see s. 240(1)
(1)A provider of a regulated user-to-user service must include clear and accessible provisions in the terms of service informing users about their right to bring a claim for breach of contract if—
(a)regulated user-generated content which they generate, upload or share is taken down, or access to it is restricted, in breach of the terms of service, or
(b)they are suspended or banned from using the service in breach of the terms of service.
(2)The duties set out in subsections (3) to (7) apply in relation to a Category 1 service, and references in subsections (3) to (9) to “provider” and “service” are to be read accordingly.
(3)A provider must operate a service using proportionate systems and processes designed to ensure that—
(a)if the terms of service indicate (in whatever words) that the presence of a particular kind of regulated user-generated content is prohibited on the service, the provider takes down such content;
(b)if the terms of service state that the provider will restrict users’ access to a particular kind of regulated user-generated content in a specified way, the provider does restrict users’ access to such content in that way;
(c)if the terms of service state cases in which the provider will suspend or ban a user from using the service, the provider does suspend or ban the user in those cases.
(4)A provider must ensure that—
(a)terms of service which make provision about the provider taking down regulated user-generated content from the service or restricting users’ access to such content, or suspending or banning a user from using the service, are—
(i)clear and accessible, and
(ii)written in sufficient detail to enable users to be reasonably certain whether the provider would be justified in taking the specified action in a particular case, and
(b)those terms of service are applied consistently.
(5)A provider must operate a service using systems and processes that allow users and affected persons to easily report—
(a)content which they consider to be relevant content (see section 74);
(b)a user who they consider should be suspended or banned from using the service in accordance with the terms of service.
(6)A provider must operate a complaints procedure in relation to a service that—
(a)allows for complaints of a kind mentioned in subsection (8) to be made,
(b)provides for appropriate action to be taken by the provider of the service in response to complaints of those kinds, and
(c)is easy to access, easy to use (including by children) and transparent.
(7)A provider must include in the terms of service provisions which are easily accessible (including to children) specifying the policies and processes that govern the handling and resolution of complaints of a kind mentioned in subsection (8).
(8)The kinds of complaints referred to in subsections (6) and (7) are—
(a)complaints by users and affected persons about content present on a service which they consider to be relevant content;
(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in any of subsections (1) or (3) to (5);
(c)complaints by a user who has generated, uploaded or shared content on a service if that content is taken down, or access to it is restricted, on the basis that it is relevant content;
(d)complaints by users who have been suspended or banned from using a service.
(9)The duties set out in subsections (3) and (4) do not apply in relation to terms of service which—
(a)make provision of the kind mentioned in section 10(5) (protecting individuals from illegal content) or 12(9) (protecting children from content that is harmful to children), or
(b)deal with the treatment of consumer content.
(10)If a person is the provider of more than one regulated user-to-user service or Category 1 service, the duties set out in this section apply in relation to each such service.
(11)The duties set out in this section extend only to the design, operation and use of a service in the United Kingdom, and references to users are to United Kingdom users of a service.
(12)See also section 18 (duties to protect news publisher content).
Commencement Information
I117S. 72 not in force at Royal Assent, see s. 240(1)
I118S. 72(1)(10)(11) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(u)
(1)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in sections 71 and 72(3) to (7).
(2)OFCOM must publish the guidance (and any revised or replacement guidance).
Commencement Information
I119S. 73 not in force at Royal Assent, see s. 240(1)
I120S. 73 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(v)
(1)This section applies for the purposes of this Chapter.
(2)“Regulated user-generated content” has the same meaning as in Part 3 (see section 55), and references to such content are to content that is regulated user-generated content in relation to the service in question.
(3)“Consumer content” means—
(a)regulated user-generated content that constitutes, or is directly connected with content that constitutes, an offer to sell goods or to supply services,
(b)regulated user-generated content that amounts to an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277) (construed in accordance with section 59: see subsections (3), (11) and (12) of that section), or
(c)any other regulated user-generated content in relation to which an enforcement authority has functions under those Regulations (see regulation 19 of those Regulations).
(4)References to restricting users’ access to content, and related references, are to be construed in accordance with sections 58 and 236(6).
(5)Content of a particular kind is “relevant content” if—
(a)a term of service, other than a term of service mentioned in section 72(9), indicates (in whatever words) that the presence of content of that kind is prohibited on the service or that users’ access to content of that kind is restricted, and
(b)it is regulated user-generated content.
References to relevant content are to content that is relevant content in relation to the service in question.
(6)“Affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—
(a)the subject of the content,
(b)a member of a class or group of people with a certain characteristic targeted by the content,
(c)a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or
(d)an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.
(7)In determining what is proportionate for the purposes of sections 71 and 72, the size and capacity of the provider of a service is, in particular, relevant.
(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).
Commencement Information
I121S. 74 in force at Royal Assent, see s. 240(4)(j)
Prospective
(1)A provider of a relevant service must make it clear in the terms of service what their policy is about dealing with requests from parents of a deceased child for information about the child’s use of the service.
(2)A provider of a relevant service must have a dedicated helpline or section of the service, or some similar means, by which parents can easily find out what they need to do to obtain information and updates in those circumstances, and the terms of service must provide details.
(3)A provider of a relevant service must include clear and accessible provisions in the terms of service—
(a)specifying the procedure for parents of a deceased child to request information about the child’s use of the service,
(b)specifying what evidence (if any) the provider will require about the parent’s identity or relationship to the child, and
(c)giving sufficient detail to enable child users and their parents to be reasonably certain about what kinds of information would be disclosed and how information would be disclosed.
(4)A provider of a relevant service must respond in a timely manner to requests from parents of a deceased child for information about the child’s use of the service or for updates about the progress of such information requests.
(5)A provider of a relevant service must operate a complaints procedure in relation to the service that—
(a)allows for complaints to be made by parents of a deceased child who consider that the provider is not complying with a duty set out in any of subsections (1) to (4),
(b)provides for appropriate action to be taken by the provider of the service in response to such complaints, and
(c)is easy to access, easy to use and transparent.
(6)A provider of a relevant service must include in the terms of service provisions which are easily accessible specifying the policies and processes that govern the handling and resolution of such complaints.
(7)If a person is the provider of more than one relevant service, the duties set out in this section apply in relation to each such service.
(8)The duties set out in this section extend only to the design, operation and use of a service in the United Kingdom, and references in this section to children are to children in the United Kingdom.
(9)A “relevant service” means—
(a)a Category 1 service (see section 95(10)(a));
(b)a Category 2A service (see section 95(10)(b));
(c)a Category 2B service (see section 95(10)(c)).
(10)In this section “parent”, in relation to a child, includes any person who is not the child’s parent but who—
(a)has parental responsibility for the child within the meaning of section 3 of the Children Act 1989 or Article 6 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)), or
(b)has parental responsibilities in relation to the child within the meaning of section 1(3) of the Children (Scotland) Act 1995.
(11)In the application of this section to a Category 2A service, references to the terms of service include references to a publicly available statement.
Commencement Information
I122S. 75 not in force at Royal Assent, see s. 240(1)
(1)OFCOM must produce guidance for providers of relevant services to assist them in complying with their duties set out in section 75.
(2)OFCOM must publish the guidance (and any revised or replacement guidance).
(3)In this section “relevant service” has the meaning given by section 75.
Commencement Information
I123S. 76 not in force at Royal Assent, see s. 240(1)
I124S. 76 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(w)
(1)Once a year, OFCOM must give every provider of a relevant service a notice which requires the provider to produce a report about the service (a “transparency report”).
(2)If a person is the provider of more than one relevant service, a notice must be given to the provider in respect of each such service.
(3)In response to a notice relating to a relevant service, the provider of the service must produce a transparency report which must—
(a)contain information of a kind specified or described in the notice,
(b)be in the format specified in the notice,
(c)be submitted to OFCOM by the date specified in the notice, and
(d)be published in the manner and by the date specified in the notice.
(4)A provider must ensure that the information provided in a transparency report is—
(a)complete, and
(b)accurate in all material respects.
(5)A “relevant service” means—
(a)a Category 1 service (see section 95(10)(a));
(b)a Category 2A service (see section 95(10)(b));
(c)a Category 2B service (see section 95(10)(c)).
(6)In a notice which relates to a Category 1 service or a Category 2B service, OFCOM may only specify or describe user-to-user information.
But in the case of a service described in subsection (9), that subsection applies instead.
(7)In a notice which relates to a regulated search service that is a Category 2A service, OFCOM may only specify or describe search engine information.
(8)In a notice which relates to a combined service that is a Category 2A service, and is not also a Category 1 service or a Category 2B service, OFCOM may only specify or describe search engine information.
(9)In a notice which relates to a combined service that is a Category 2A service, as well as being a Category 1 service or a Category 2B service, OFCOM may specify or describe user-to-user information or search engine information, or both those kinds of information.
(10)In subsections (6) to (9)—
(a)“user-to-user information” means information which—
(i)is about the matters listed in Part 1 of Schedule 8, and
(ii)relates to the user-to-user part of a service;
(b)“search engine information” means information which—
(i)is about the matters listed in Part 2 of Schedule 8, and
(ii)relates to the search engine of a service.
(11)Part 3 of Schedule 8 makes further provision about transparency reports.
(12)The Secretary of State may by regulations amend subsection (1) so as to change the frequency of the transparency reporting process.
(13)The Secretary of State must consult OFCOM before making regulations under subsection (12).
(14)In this section “notice” means a notice under subsection (1).
Commencement Information
I125S. 77 not in force at Royal Assent, see s. 240(1)
I126S. 77 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(x)
(1)OFCOM must produce guidance about—
(a)how OFCOM will determine which information they will require transparency reports under section 77 to contain, including—
(i)the principles that they will apply in relation to each of the factors mentioned in paragraph 37 of Schedule 8, and
(ii)the steps that they will take to engage with providers of relevant services before requiring information in a notice under section 77(1);
(b)how information from transparency reports produced by providers of relevant services under section 77 will be used to produce OFCOM’s transparency reports (see section 159); and
(c)any other matter that OFCOM consider to be relevant to the production and publication of transparency reports under section 77 or 159.
(2)Before producing the guidance (including revised or replacement guidance), OFCOM must consult such of the following as they consider appropriate—
(a)providers of regulated user-to-user services, and of regulated search services,
(b)persons who appear to OFCOM to represent such providers,
(c)persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),
(d)persons whom OFCOM consider to have expertise in equality issues and human rights, in particular—
(i)the right to freedom of expression set out in Article 10 of the Convention, and
(ii)the right to respect for a person’s private and family life, home and correspondence set out in Article 8 of the Convention,
(e)the Information Commissioner,
(f)persons who appear to OFCOM to represent the interests of those with protected characteristics (within the meaning of Part 2 of the Equality Act 2010), and
(g)persons whom OFCOM consider to have expertise in the enforcement of the criminal law and the protection of national security that is relevant to online safety matters,
and OFCOM must also consult such other persons as OFCOM consider appropriate.
(3)OFCOM must publish the guidance (and any revised or replacement guidance).
(4)In exercising their functions under section 77 or 159, OFCOM must have regard to the guidance for the time being published under this section.
(5)In this section, “relevant service” has the same meaning as in section 77 (see subsection (5) of that section).
Commencement Information
I127S. 78 not in force at Royal Assent, see s. 240(1)
I128S. 78 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(x)
(1)This section applies for the purposes of this Part.
(2)“Provider pornographic content”, in relation to an internet service, means pornographic content that is published or displayed on the service by the provider of the service or by a person acting on behalf of the provider, including pornographic content published or displayed on the service by means of—
(a)software or an automated tool or algorithm applied by the provider or by a person acting on behalf of the provider, or
(b)an automated tool or algorithm made available on the service by the provider or by a person acting on behalf of the provider.
(3)“Regulated provider pornographic content”, in relation to an internet service, means provider pornographic content other than content within subsection (4) or (5).
(4)Content is within this subsection if it—
(a)consists only of text, or
(b)consists only of text accompanied by—
(i)a GIF which is not itself pornographic content,
(ii)an emoji or other symbol, or
(iii)a combination of content mentioned in sub-paragraphs (i) and (ii).
(5)Content is within this subsection if it consists of a paid-for advertisement (see section 236).
(6)References to pornographic content that is “published or displayed” on a service—
(a)include, in particular—
(i)references to pornographic content that is only visible or audible to users as a result of interacting with content that is blurred, distorted or obscured (for example, by clicking on such content), but only where the pornographic content is present on the service,
(ii)references to pornographic content that is embedded on the service, and
(iii)references to pornographic content that is generated on the service by means of an automated tool or algorithm in response to a prompt by a user and is only visible or audible to that user (no matter for how short a time);
(b)do not include references to pornographic content that appears in search results of a search service or a combined service.
(7)Pornographic content that is user-generated content in relation to an internet service is not to be regarded as provider pornographic content in relation to that service.
(8)In this section—
“search results” has the meaning given by section 57(3);
“user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).
Commencement Information
I129S. 79 in force at Royal Assent, see s. 240(4)(k)
(1)A provider of an internet service within subsection (2) must comply with the duties set out in section 81 in relation to the service.
(2)An internet service is within this subsection if—
(a)regulated provider pornographic content is published or displayed on the service,
(b)the service is not exempt, and
(c)the service has links with the United Kingdom.
(3)A service is “exempt” for the purposes of this Part if it is —
(a)a user-to-user service or a search service of a description that is exempt as provided for by Schedule 1, or
(b)an internet service of a kind described in Schedule 9.
(4)A service “has links with the United Kingdom” for the purposes of this Part if either of the following conditions is met in relation to the service—
(a)the service has a significant number of United Kingdom users, or
(b)United Kingdom users form one of the target markets for the service (or the only target market).
(5)This Part does not apply in relation to a part of a regulated service if—
(a)in the case of a Part 3 service, the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met in relation to that part;
(b)in the case of an internet service other than a Part 3 service, the conditions in paragraph 1(2) of Schedule 9 (internal business service conditions) are met in relation to that part.
(6)This Part does not apply in relation to a part of a regulated service if that part is an on-demand programme service [F1or a non-UK on-demand programme service that is a Tier 1 service] F2....
[F3(6A)In subsection (6), “on-demand programme service”, “non-UK on-demand programme service” and “Tier 1 service” have the same meaning as in the Communications Act (see sections 368A, 368AA and 368HA of that Act).]
(7)If a person is the provider of more than one internet service within subsection (2), the duties set out in section 81 apply in relation to each such service.
(8)The duties set out in section 81 extend only to the design, operation and use of an internet service in the United Kingdom.
Textual Amendments
F1Words in s. 80(6) inserted (23.8.2024) by Media Act 2024 (c. 15), s. 55(3)(d), Sch. 7 para. 5(2)(a)(i); S.I. 2024/858, reg. 2(1)(z1)
F2Words in s. 80(6) omitted (23.8.2024) by virtue of Media Act 2024 (c. 15), s. 55(3)(d), Sch. 7 para. 5(2)(a)(ii); S.I. 2024/858, reg. 2(1)(z1)
F3S. 80(6A) inserted (23.8.2024) by Media Act 2024 (c. 15), s. 55(3)(d), Sch. 7 para. 5(2)(b); S.I. 2024/858, reg. 2(1)(z1)
Commencement Information
I130S. 80(4) in force at Royal Assent, see s. 240(4)(l)
I131S. 80(1)-(3)(5)-(8) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(y)
(1)This section sets out the duties which apply in relation to internet services within section 80(2).
(2)A duty to ensure, by the use of age verification or age estimation (or both), that children are not normally able to encounter content that is regulated provider pornographic content in relation to the service.
(3)The age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child.
(4)In relation to the duty set out in subsection (2), a duty to make and keep a written record, in an easily understandable form, of—
(a)the kinds of age verification or age estimation used, and how they are used, and
(b)the way in which the provider, when deciding on the kinds of age verification or age estimation and how they should be used, has had regard to the importance of protecting United Kingdom users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a regulated service (including, but not limited to, any such provision or rule concerning the processing of personal data).
(5)A duty to summarise the written record in a publicly available statement, so far as the record concerns compliance with the duty set out in subsection (2), including details about which kinds of age verification or age estimation a provider is using and how they are used.
(1)OFCOM must produce guidance for providers of internet services within section 80(2) to assist them in complying with their duties set out in section 81.
(2)The guidance must include—
(a)examples of kinds and uses of age verification and age estimation that are, or are not, highly effective at correctly determining whether or not a particular user is a child,
(b)examples of ways in which a provider may have regard to the importance of protecting users as mentioned in section 81(4)(b),
(c)principles that OFCOM propose to apply when determining whether a provider has complied with each of the duties set out in section 81, and
(d)examples of circumstances in which OFCOM are likely to consider that a provider has not complied with each of those duties.
(3)The guidance may elaborate on the following principles governing the use of age verification or age estimation for the purpose of compliance with the duty set out in section 81(2)—
(a)the principle that age verification or age estimation should be easy to use;
(b)the principle that age verification or age estimation should work effectively for all users regardless of their characteristics or whether they are members of a certain group;
(c)the principle of interoperability between different kinds of age verification or age estimation.
(4)The guidance may refer to industry or technical standards for age verification or age estimation (where they exist).
(5)Before producing the guidance (including revised or replacement guidance), OFCOM must consult—
(a)the Secretary of State,
(b)persons who appear to OFCOM to represent providers of internet services within section 80(2),
(c)persons who appear to OFCOM to represent adult users of internet services within section 80(2),
(d)persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),
(e)the Information Commissioner,
(f)persons whom OFCOM consider to have expertise in innovation, or emerging technology, that is relevant to online safety matters, and
(g)such other persons as OFCOM consider appropriate.
(6)But if OFCOM propose to revise the guidance, and consider that the minor nature of the proposal means that consultation is unnecessary—
(a)OFCOM must notify the Secretary of State of the proposed changes, and
(b)if the Secretary of State agrees that it is appropriate, the consultation requirements set out in subsection (5) do not apply in relation to the proposed changes.
(7)OFCOM must keep the guidance under review.
(8)OFCOM must publish the guidance (and any revised or replacement guidance).
Commencement Information
I133S. 82 in force at Royal Assent, see s. 240(4)(m)
(1)A provider of a regulated service must notify OFCOM in relation to a charging year which is—
(a)the first fee-paying year in relation to that provider, or
(b)any charging year after the first fee-paying year where—
(i)the previous charging year was not a fee-paying year in relation to the provider, and the charging year in question is a fee-paying year in relation to the provider, or
(ii)the previous charging year was a fee-paying year in relation to the provider, and the charging year in question is not a fee-paying year in relation to the provider.
(2)A “fee-paying year”, in relation to a provider, means a charging year where both of the following conditions apply—
(a)the provider’s qualifying worldwide revenue for the qualifying period that relates to that charging year is equal to or greater than the threshold figure that has effect for that charging year (see section 86), and
(b)the provider is not exempt (see subsection (6)).
(3)A notification under subsection (1) in relation to a charging year must include details of all regulated services provided by the provider, and where it is a notification under subsection (1)(a) or (b)(i), it must also include—
(a)details of the provider’s qualifying worldwide revenue for the qualifying period that relates to that charging year, and
(b)supporting evidence, documents or other information as required by regulations made by OFCOM under section 85.
(4)Section 85 confers power on OFCOM to make regulations about the determination of a provider’s qualifying worldwide revenue, and the meaning of “qualifying period”, for the purposes of this Part.
(5)A notification under subsection (1) must be provided to OFCOM—
(a)in relation to the initial charging year, within four months of the date on which the first regulations under section 86 come into force (first threshold figure);
(b)in relation to subsequent charging years, at least six months before the beginning of the charging year to which the notification relates.
(6)OFCOM may provide that particular descriptions of providers of regulated services are exempt for the purposes of this section and section 84 where—
(a)OFCOM consider that an exemption for such providers is appropriate, and
(b)the Secretary of State approves the exemption.
(7)OFCOM may revoke such an exemption where they consider that it is no longer appropriate and the Secretary of State approves the revocation.
(8)Exemptions, or revocations of exemptions, which are approved by the Secretary of State are to take effect from the beginning of a particular charging year.
(9)Details of an exemption or revocation must be published by OFCOM at least six months before the beginning of the first charging year for which the exemption or revocation is to have effect.
(10)But subsection (9) does not apply in relation to any exemptions which are to have effect for the initial charging year.
(11)For the purposes of this section and section 84, the “provider” of a regulated service, in relation to a charging year, includes a person who is the provider of the service for part of that year.
Commencement Information
I134S. 83 not in force at Royal Assent, see s. 240(1)
I135S. 83 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z)
(1)OFCOM may require a provider of a regulated service to pay a fee in respect of a charging year which is a fee-paying year.
(2)Where OFCOM require a provider of a regulated service to pay a fee in respect of a charging year, the fee is to be equal to the amount produced by a computation—
(a)made by reference to—
(i)the provider’s qualifying worldwide revenue for the qualifying period relating to that charging year, and
(ii)any other factors that OFCOM consider appropriate, and
(b)made in the manner that OFCOM consider appropriate.
(3)For the purposes of this section and section 83—
(a)the amount of a provider’s qualifying worldwide revenue for a qualifying period, or
(b)the amount of a fee to be paid to OFCOM, or of an instalment of such a fee,
is, in the event of a disagreement between the provider and OFCOM, the amount determined by OFCOM.
(4)When determining fees payable under this section, OFCOM must do so in accordance with a statement of principles as mentioned in section 88(1).
(5)Where a person is the provider of a regulated service for part of a charging year only, OFCOM may refund all or part of a fee paid to OFCOM under this section by that provider in respect of that year.
(6)In this section, “fee-paying year” has the same meaning as in section 83.
Commencement Information
I136S. 84 not in force at Royal Assent, see s. 240(1)
I137S. 84 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z)
(1)For the purposes of this Part, OFCOM may by regulations make provision—
(a)about how the qualifying worldwide revenue of a provider of a regulated service is to be determined, and
(b)defining the “qualifying period” in relation to a charging year.
(2)OFCOM may by regulations also make provision specifying or describing evidence, documents or other information that providers must supply to OFCOM for the purposes of section 83 (see subsection (3)(b) of that section), including provision about the way in which providers must supply the evidence, documents or information.
(3)Regulations under subsection (1)(a) may provide that the qualifying worldwide revenue of a provider of a regulated service (P) who is a member of a group during any part of a qualifying period is to include the qualifying worldwide revenue of any entity that—
(a)is a group undertaking in relation to P for all or part of that period, and
(b)receives or is due to receive, during that period, any amount referable (to any degree) to a regulated service provided by P.
(4)Regulations under subsection (1)(a) may, in particular—
(a)make provision about circumstances in which amounts do, or do not, count as being referable (to any degree) to a regulated service for the purposes of the determination of the qualifying worldwide revenue of the provider of the service or of an entity that is a group undertaking in relation to the provider;
(b)provide for cases or circumstances in which amounts that—
(i)are of a kind specified or described in the regulations, and
(ii)are not referable to a regulated service,
are to be brought into account in determining the qualifying worldwide revenue of the provider of the service or of an entity that is a group undertaking in relation to the provider.
(5)Regulations which make provision of a kind mentioned in subsection (3) may include provision that, in the case of an entity that is a group undertaking in relation to a provider for part (not all) of a qualifying period, only amounts relating to the part of the qualifying period for which the entity was a group undertaking may be brought into account in determining the entity’s qualifying worldwide revenue.
(6)Regulations under subsection (1)(a) may make provision corresponding to paragraph 5(8) of Schedule 13.
(7)Before making regulations under subsection (1) OFCOM must consult—
(a)the Secretary of State,
(b)the Treasury, and
(c)such other persons as OFCOM consider appropriate.
(8)Before making regulations under subsection (2) OFCOM must consult the Secretary of State.
(9)Regulations under this section may make provision subject to such exemptions and exceptions as OFCOM consider appropriate.
(10)In this section—
“group” means a parent undertaking and its subsidiary undertakings, reading those terms in accordance with section 1162 of the Companies Act 2006;
“group undertaking” has the meaning given by section 1161(5) of that Act.
Commencement Information
I138S. 85 not in force at Royal Assent, see s. 240(1)
I139S. 85 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z)
(1)OFCOM must carry out a consultation to inform the setting of the threshold figure for the purposes of sections 83 and 84, consulting such persons as they consider appropriate.
(2)After the completion of the consultation, and having taken advice from OFCOM, the Secretary of State must make regulations specifying the threshold figure for those purposes.
(3)The Secretary of State must keep the threshold figure under review.
(4)If the Secretary of State considers that it may be appropriate to revise the threshold figure, the Secretary of State may request OFCOM to carry out a further consultation, and subsections (1) and (2) apply again.
(5)Regulations must provide that a threshold figure is to take effect from the beginning of a particular charging year.
(6)Regulations specifying a threshold figure must be in force at least nine months before the beginning of the first charging year for which that figure is to have effect.
(7)But subsection (6) does not apply in relation to the first regulations made under this section.
Commencement Information
I140S. 86 not in force at Royal Assent, see s. 240(1)
I141S. 86 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z)
(1)The Secretary of State must issue guidance to OFCOM about the principles to be included in a statement of principles that OFCOM propose to apply in determining fees payable under section 84 (see section 88).
(2)The Secretary of State must consult OFCOM before issuing, revising or replacing the guidance.
(3)The guidance may not be revised or replaced more frequently than once every three years unless—
(a)the guidance needs to be corrected because of an amendment, repeal or modification of any provision of this Part, or
(b)the revision or replacement is by agreement between the Secretary of State and OFCOM.
(4)The Secretary of State must lay the guidance (including revised or replacement guidance) before Parliament.
(5)The Secretary of State must publish the guidance (and any revised or replacement guidance).
(6)In exercising any functions under this Part, OFCOM must have regard to the guidance for the time being published under this section.
Commencement Information
I142S. 87 not in force at Royal Assent, see s. 240(1)
I143S. 87 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z)
(1)OFCOM may not require a provider of a regulated service to pay a fee under section 84 unless there is in force a statement of the principles that OFCOM propose to apply in determining fees payable under that section.
(2)Those principles must be such as appear to OFCOM to be likely to secure, on the basis of such estimates of the likely costs as it is practicable for them to make—
(a)that on a year by year basis, the aggregate amount of the fees payable to OFCOM under section 84 is sufficient to meet, but does not exceed, the annual cost to OFCOM of the exercise of their online safety functions;
(b)that the fees required under section 84 are justifiable and proportionate having regard to the functions in respect of which they are imposed;
(c)that the relationship between meeting the cost of the exercise of those functions and the amounts of the fees is transparent.
(3)A statement of principles mentioned in subsection (1) must (among other things)—
(a)include details relating to the computation model used to calculate fees payable under section 84, including details of factors mentioned in subsection (2)(a)(ii) of that section (if any),
(b)include details about the meaning of “qualifying worldwide revenue” and “qualifying period” for the purposes of this Part, and
(c)specify the threshold figure contained in regulations under section 86.
(4)Before making or revising such a statement of principles, OFCOM must consult such persons as they consider appropriate.
(5)Such a statement of principles may make different provision in relation to different kinds of regulated services.
(6)OFCOM must publish such a statement of principles (and any revised or replacement statement).
(7)As soon as reasonably practicable after the end of each charging year, OFCOM must publish a statement setting out, in respect of that year—
(a)the aggregate amount of the fees payable under section 84 for that year that has been received by OFCOM,
(b)the aggregate amount of the fees payable under that section for that year that remains outstanding and is likely to be paid or recovered, and
(c)the cost to OFCOM of the exercise of their online safety functions.
(8)Any deficit or surplus shown (after applying this subsection for all previous years) by a statement under subsection (7) must be carried forward and taken into account in determining what is required to satisfy the requirement imposed by virtue of subsection (2)(a) in relation to the following year.
(9)For the purposes of this section OFCOM’s costs of the exercise of their online safety functions during a charging year include the costs of preparations for the exercise of their online safety functions incurred during that year.
Commencement Information
I144S. 88 not in force at Royal Assent, see s. 240(1)
I145S. 88 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z)
Schedule 10 makes provision about fees chargeable to providers of regulated services in connection with OFCOM’s recovery of costs incurred before the first day of the initial charging year.
Commencement Information
I146S. 89 not in force at Royal Assent, see s. 240(1)
I147S. 89 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z)
In this Part—
“charging year” means any period of 12 months beginning with 1 April, except such a period that falls before the initial charging year;
“initial charging year” means the period of 12 months beginning with 1 April specified by OFCOM in a notice published for the purposes of this Part.
Commencement Information
I148S. 90 in force at Royal Assent, see s. 240(4)(n)
(1)Section 3 of the Communications Act (general duties of OFCOM) is amended in accordance with subsections (2) to (8).
(2)In subsection (2), after paragraph (f) insert—
“(g)the adequate protection of citizens from harm presented by content on regulated services, through the appropriate use by providers of such services of systems and processes designed to reduce the risk of such harm.”
(3)In subsection (4)(c), at the beginning insert “(subject to subsection (5A))”.
(4)After subsection (4) insert—
“(4A)In performing their duties under subsection (1) in relation to matters to which subsection (2)(g) is relevant, OFCOM must have regard to such of the following as appear to them to be relevant in the circumstances—
(a)the risk of harm to citizens presented by regulated services;
(b)the need for a higher level of protection for children than for adults;
(c)the need for it to be clear to providers of regulated services how they may comply with their duties set out in Chapter 2, 3, 4 or 5 of Part 3, Chapter 1, 3 or 4 of Part 4, or Part 5 of the Online Safety Act 2023;
(d)the need to exercise their functions so as to secure that providers of regulated services may comply with such duties by taking measures, or using measures, systems or processes, which are (where relevant) proportionate to—
(i)the size or capacity of the provider in question, and
(ii)the level of risk of harm presented by the service in question, and the severity of the potential harm;
(e)the desirability of promoting the use by providers of regulated services of technologies which are designed to reduce the risk of harm to citizens presented by content on regulated services;
(f)the extent to which providers of regulated services demonstrate, in a way that is transparent and accountable, that they are complying with their duties set out in Chapter 2, 3, 4 or 5 of Part 3, Chapter 1, 3 or 4 of Part 4, or Part 5 of the Online Safety Act 2023.”
(5)After subsection (5) insert—
“(5A)Subsection (4)(c) does not apply in relation to the carrying out of any of OFCOM’s online safety functions.”
(6)After subsection (6) insert—
“(6ZA)Where it appears to OFCOM, in relation to the carrying out of any of their online safety functions, that any of their general duties conflict with their duty under section 24, priority must be given to their duty under that section.”
(7)In subsection (14), at the appropriate places insert—
““content on regulated services” means—
regulated user-generated content present on regulated services,
search content of regulated services,
fraudulent advertisements present on regulated services, and
regulated provider pornographic content present on regulated services;”;
““online safety functions” has the meaning given by section 235 of the Online Safety Act 2023, except that it does not include OFCOM’s general duties;”.
(8)After subsection (14) insert—
“(15)In this section the following terms have the same meaning as in the Online Safety Act 2023—
“content” (see section 236 of that Act);
“fraudulent advertisement” (see sections 38 and 39 of that Act);
“harm” (see section 234 of that Act);
“provider”, in relation to a regulated service (see section 226 of that Act);
“regulated user-generated content” (see section 55 of that Act);
“regulated provider pornographic content” (see section 79 of that Act);
“regulated service” (see section 4 of that Act);
“search content” (see section 57 of that Act).”
(9)In section 6 of the Communications Act (duties to review regulatory burdens)—
(a)in subsection (2), after “this section” insert “(except their online safety functions)”, and
(b)after subsection (10) insert—
“(11)In this section “online safety functions” has the same meaning as in section 3.”
Commencement Information
I149S. 91 in force at Royal Assent, see s. 240(4)(n)
(1)This section applies where a statement has been designated under section 172(1) (Secretary of State’s statement of strategic priorities).
(2)OFCOM must have regard to the statement when carrying out their online safety functions.
(3)Within the period of 40 days beginning with the day on which the statement is designated, or such longer period as the Secretary of State may allow, OFCOM must—
(a)explain in writing what they propose to do in consequence of the statement, and
(b)publish a copy of that explanation.
(4)OFCOM must, as soon as reasonably practicable after the end of—
(a)the period of 12 months beginning with the day on which the first statement is designated under section 172(1), and
(b)every subsequent period of 12 months,
publish a review of what they have done during the period in question in consequence of the statement.
Commencement Information
I150S. 92 not in force at Royal Assent, see s. 240(1)
I151S. 92 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z1)
(1)Section 7 of the Communications Act (duty to carry out impact assessments) is amended as follows.
(2)In subsection (2), at the beginning insert “Subject to subsection (2A),”.
(3)After subsection (2) insert—
“(2A)A proposal to do any of the following is important for the purposes of this section—
(a)to prepare a code of practice under section 41 of the Online Safety Act 2023;
(b)to prepare amendments of such a code of practice; or
(c)to prepare a code of practice as a replacement for such a code of practice.”
(4)After subsection (4) insert—
“(4A)An assessment under subsection (3)(a) that relates to a proposal mentioned in subsection (2A) must include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.
(4B)An assessment under subsection (3)(a) that relates to a proposal to do anything else for the purposes of, or in connection with, the carrying out of OFCOM’s online safety functions (within the meaning of section 235 of the Online Safety Act 2023) must, so far as the proposal relates to such functions, include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.”
Commencement Information
I152S. 93 in force at Royal Assent, see s. 240(4)(o)
(1)Schedule 11 contains provision about regulations specifying the threshold conditions that a Part 3 service must meet to be included in the relevant part of the register established by OFCOM under section 95, and associated provision about the publication of OFCOM’s advice.
(2)In this Chapter, “Category 1 threshold conditions”, “Category 2A threshold conditions” and “Category 2B threshold conditions” have the same meaning as in Schedule 11 (see paragraph 1(1), (2) and (3) of that Schedule).
(3)For the purposes of this Chapter—
(a)references to a service meeting the Category 1, Category 2A or Category 2B threshold conditions are to a service meeting those conditions in a way specified in regulations under paragraph 1 of Schedule 11 (see paragraph 1(4) of that Schedule);
(b)a regulated user-to-user service meets the Category 1 threshold conditions if those conditions are met in relation to the user-to-user part of the service;
(c)a regulated search service or a combined service meets the Category 2A threshold conditions if those conditions are met in relation to the search engine of the service;
(d)a regulated user-to-user service meets the Category 2B threshold conditions if those conditions are met in relation to the user-to-user part of the service;
(e)a regulated user-to-user service meets the conditions in section 97(2) if those conditions are met in relation to the user-to-user part of the service;
(f)references to OFCOM assessing a service (to determine if it meets, or no longer meets, the relevant threshold conditions or the conditions in section 97(2)) are accordingly to be read as references to OFCOM assessing the relevant part (or parts) of a service.
Commencement Information
I153S. 94 in force at Royal Assent, see s. 240(4)(p)
(1)As soon as reasonably practicable after the first regulations under Schedule 11 come into force, OFCOM must comply with subsections (2) to (4).
(2)OFCOM must establish a register of particular categories of Part 3 services with—
(a)one part for regulated user-to-user services meeting the Category 1 threshold conditions,
(b)one part for regulated search services and combined services meeting the Category 2A threshold conditions, and
(c)one part for regulated user-to-user services meeting the Category 2B threshold conditions.
(3)OFCOM must assess Part 3 services, as follows—
(a)OFCOM must assess each regulated user-to-user service which they consider is likely to meet the Category 1 threshold conditions, to determine whether the service does, or does not, meet those conditions;
(b)OFCOM must assess each regulated search service and combined service which they consider is likely to meet the Category 2A threshold conditions, to determine whether the service does, or does not, meet those conditions;
(c)OFCOM must assess each regulated user-to-user service which they consider is likely to meet the Category 2B threshold conditions, to determine whether the service does, or does not, meet those conditions.
(4)If OFCOM consider that a service meets the relevant threshold conditions, they must add entries relating to that service to the relevant part of the register established under subsection (2).
(5)But—
(a)if OFCOM consider that a regulated user-to-user service meets the Category 1 threshold conditions and the Category 2B threshold conditions (only), entries relating to that service are to be added to the part of the register established under subsection (2)(a) (only);
(b)if OFCOM consider that a combined service meets the Category 1 threshold conditions, the Category 2A threshold conditions and the Category 2B threshold conditions, entries relating to that service are to be added to the parts of the register established under subsection (2)(a) and (b) (only).
(6)If OFCOM consider that a combined service—
(a)meets the Category 2A threshold conditions, and
(b)meets either the Category 1 threshold conditions or the Category 2B threshold conditions (but not both),
entries relating to that service are to be added to the part of the register established under subsection (2)(b) and to the part of the register established under subsection (2)(a) or (c) (whichever applies).
(7)Each part of the register must contain—
(a)the name, and a description, of each service that, in OFCOM’s opinion, meets the relevant threshold conditions, and
(b)the name of the provider of each such service.
(8)OFCOM must publish the register.
(9)When assessing whether a Part 3 service does, or does not, meet the relevant threshold conditions, OFCOM must take such steps as are reasonably practicable to obtain or generate information or evidence for the purposes of the assessment.
(10)In this Act—
(a)a “Category 1 service” means a regulated user-to-user service for the time being included in the part of the register established under subsection (2)(a);
(b)a “Category 2A service” means a regulated search service or a combined service for the time being included in the part of the register established under subsection (2)(b);
(c)a “Category 2B service” means a regulated user-to-user service for the time being included in the part of the register established under subsection (2)(c).
Commencement Information
I154S. 95 not in force at Royal Assent, see s. 240(1)
I155S. 95 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z2)
(1)If regulations are made under paragraph 1(1) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—
(a)assess each regulated user-to-user service which they consider is likely to meet the new Category 1 threshold conditions, to determine whether the service does, or does not, meet those conditions, and
(b)make any necessary changes to the register.
(2)If regulations are made under paragraph 1(2) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—
(a)assess each regulated search service and combined service which they consider is likely to meet the new Category 2A threshold conditions, to determine whether the service does, or does not, meet those conditions, and
(b)make any necessary changes to the register.
(3)If regulations are made under paragraph 1(3) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—
(a)assess each regulated user-to-user service which they consider is likely to meet the new Category 2B threshold conditions, to determine whether the service does, or does not, meet those conditions, and
(b)make any necessary changes to the register.
(4)At any other time, if OFCOM consider that a Part 3 service not included in a particular part of the register is likely to meet the threshold conditions relevant to that part, OFCOM must—
(a)assess the service accordingly, and
(b)(subject to section 95(5)) if they consider that the service meets the relevant conditions, add entries relating to that service to that part of the register.
(5)Nothing in subsection (3) or (4) requires OFCOM to assess a Category 1 service to determine whether the service meets the Category 2B threshold conditions.
(6)A provider of a Part 3 service included in the register may at any time request OFCOM to remove entries relating to that service from the register, or from a particular part of the register.
(7)If OFCOM are satisfied, on the basis of evidence submitted by a provider with such a request, that since the registration day there has been a change to the service or to regulations under paragraph 1 of Schedule 11 which appears likely to be relevant, OFCOM must—
(a)assess the service, and
(b)notify the provider of OFCOM’s decision.
(8)OFCOM must remove entries relating to a Part 3 service from the relevant part of the register if, following an assessment of the service, they consider that it no longer meets the threshold conditions relevant to that part.
(9)Section 95(9) applies to an assessment under this section as it applies to an assessment under section 95.
(10)OFCOM must re-publish the register each time a change is made to it.
(11)See section 167 for provision about appeals against a decision to include a service in the register (or in a particular part of the register), or not to remove a service from the register (or from a particular part of the register).
(12)In this section—
“the register” means the register established under section 95;
“the registration day”, in relation to a Part 3 service, means—
Commencement Information
I156S. 96 not in force at Royal Assent, see s. 240(1)
I157S. 96 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z3)
(1)As soon as reasonably practicable after the first regulations under paragraph 1(1) of Schedule 11 come into force (regulations specifying Category 1 threshold conditions), OFCOM must comply with subsections (2) and (3).
(2)OFCOM must assess each regulated user-to-user service which does not meet the Category 1 threshold conditions and which they consider is likely to meet each of the following conditions, to determine whether the service does, or does not, meet them—
(a)the first condition is that the number of United Kingdom users of the user-to-user part of the service is at least 75% of the figure specified in any of the Category 1 threshold conditions relating to number of users (calculating the number of users in accordance with the threshold condition in question);
(b)the second condition is that—
(i)at least one of the Category 1 threshold conditions relating to functionalities of the user-to-user part of the service is met, or
(ii)if the regulations under paragraph 1(1) of Schedule 11 specify that a Category 1 threshold condition relating to a functionality of the user-to-user part of the service must be met in combination with a Category 1 threshold condition relating to another characteristic of that part of the service or a factor relating to that part of the service (see paragraph 1(4) of Schedule 11), at least one of those combinations of conditions is met.
(3)OFCOM must prepare a list of regulated user-to-user services which meet the conditions in subsection (2).
(4)If the regulations under paragraph 1(1) of Schedule 11 specify that a service meets the Category 1 threshold conditions if any one condition about number of users or functionality is met (as mentioned in paragraph 1(4)(a) of that Schedule)—
(a)subsection (2) applies as if paragraph (b) were omitted, and
(b)subsections (3) and (8) apply as if the reference to the conditions in subsection (2) were to the condition in subsection (2)(a).
(5)The list must contain the following details about a service included in it—
(a)the name of the service,
(b)a description of the service,
(c)the name of the provider of the service, and
(d)a description of the Category 1 threshold conditions by reference to which the conditions in subsection (2) are met.
(6)OFCOM must take appropriate steps to keep the list up to date, including by carrying out further assessments of regulated user-to-user services.
(7)OFCOM must publish the list when it is first prepared and each time it is revised.
(8)When assessing whether a service does, or does not, meet the conditions in subsection (2), OFCOM must take such steps as are reasonably practicable to obtain or generate information or evidence for the purposes of the assessment.
(9)An assessment for the purposes of this section may be included in an assessment under section 95 or 96 (as the case may be) or carried out separately.
Commencement Information
I158S. 97 not in force at Royal Assent, see s. 240(1)
I159S. 97 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z4)
(1)OFCOM must carry out risk assessments to identify and assess the following risks of harm presented by Part 3 services of different kinds—
(a)the risks of harm to individuals in the United Kingdom presented by illegal content present on regulated user-to-user services and by the use of such services for the commission or facilitation of priority offences;
(b)the risk of harm to individuals in the United Kingdom presented by search content of regulated search services that is illegal content;
(c)the risk of harm to children in the United Kingdom, in different age groups, presented by content that is harmful to children.
(2)The risk assessments must, among other things, identify characteristics of different kinds of Part 3 services that are relevant to such risks of harm, and assess the impact of those kinds of characteristics on such risks.
(3)OFCOM—
(a)may combine assessment of any or all of the risks of harm mentioned in subsection (1), or may carry out separate assessments of those risks;
(b)in the case of the risk of harm mentioned in subsection (1)(c), may assess regulated user-to-user services and regulated search services separately or together.
(4)The findings of each risk assessment are to be reflected, as soon as reasonably practicable after completion, in a register of risks of Part 3 services prepared and published by OFCOM.
(5)As soon as reasonably practicable after completing their assessment of a risk of harm mentioned in a particular paragraph of subsection (1), OFCOM must prepare risk profiles for Part 3 services which relate to that risk of harm.
(6)For the purposes of the risk profiles, OFCOM may group Part 3 services together in whichever way they consider appropriate, taking into account—
(a)the characteristics of the services, and
(b)the risk levels and other matters identified in the relevant risk assessment.
(7)OFCOM must publish risk profiles prepared under this section.
(8)OFCOM must from time to time review and revise the risk assessments and risk profiles so as to keep them up to date.
(9)References in this section to Part 3 services—
(a)in the case of a risk assessment or risk profiles which relate only to regulated user-to-user services or to regulated search services, are to be read as references to the kind of service in question;
(b)in the case of a risk assessment or risk profiles which relate only to the risk of harm mentioned in subsection (1)(a), are to be read as references to regulated user-to-user services;
(c)in the case of a risk assessment or risk profiles which relate only to the risk of harm mentioned in subsection (1)(b), are to be read as references to regulated search services.
(10)References in this section to regulated search services include references to the search engine of combined services.
(11)In this section the “characteristics” of a service include its functionalities, user base, business model, governance and other systems and processes.
(12)In this section—
“content that is harmful to children” has the same meaning as in Part 3 (see section 60);
“illegal content” has the same meaning as in Part 3 (see section 59);
“priority offence” has the same meaning as in Part 3 (see section 59).
Commencement Information
I160S. 98 in force at Royal Assent, see s. 240(4)(q)
(1)As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the illegality risks, OFCOM must produce guidance to assist providers of regulated user-to-user services in complying with their duties to carry out illegal content risk assessments under section 9.
(2)As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the risk of harm from illegal content, OFCOM must produce guidance to assist providers of regulated search services in complying with their duties to carry out illegal content risk assessments under section 26.
(3)As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the risk of harm to children, OFCOM must produce guidance to assist providers of Part 3 services in complying with their duties to carry out children’s risk assessments under section 11 or 28.
(4)Before producing any guidance under this section (including revised or replacement guidance), OFCOM must consult the Information Commissioner.
(5)OFCOM must revise guidance under this section from time to time in response to further risk assessments under section 98 or to revisions of the risk profiles.
(6)OFCOM must publish guidance under this section (and any revised or replacement guidance).
(7)If the risk profiles mentioned in subsection (3) relate to regulated user-to-user services only or to regulated search services only, that subsection is to be read as requiring the production of guidance relating only to regulated user-to-user services or to regulated search services, as the case may be.
(8)References in this section to regulated search services include references to the search engine of combined services.
(9)In this section—
“illegality risks” means the risks mentioned in section 98(1)(a);
“risk of harm from illegal content” means the risk of harm mentioned in section 98(1)(b);
“risk of harm to children” means the risk of harm mentioned in section 98(1)(c);
“risk profiles” means risk profiles prepared under section 98.
Commencement Information
I161S. 99 in force at Royal Assent, see s. 240(4)(q)
(1)OFCOM may by notice under this subsection require a person within subsection (5) to provide them with any information that they require for the purpose of exercising, or deciding whether to exercise, any of their online safety functions.
(2)The power conferred by subsection (1) includes power to require a person within subsection (5) to—
(a)obtain or generate information;
(b)provide information about the use of a service by a named individual.
(3)The power conferred by subsection (1) also includes power to require a person within any of paragraphs (a) to (d) of subsection (5) to take steps so that a person authorised by OFCOM is able to view remotely—
(a)information demonstrating in real time the operation of systems, processes or features, including functionalities and algorithms, used by a service;
(b)information generated by a service in real time by the performance of a test or demonstration of a kind required by a notice under subsection (1).
(4)But the power conferred by subsection (1) must be exercised in a way that is proportionate to the use to which the information is to be put in the exercise of OFCOM’s functions.
(5)The persons within this subsection are—
(a)a provider of a user-to-user service or a search service,
(b)a provider of an internet service on which regulated provider pornographic content is published or displayed,
(c)a person who provides an ancillary service (within the meaning of section 144) in relation to a regulated service (see subsections (11) and (12) of that section),
(d)a person who provides an access facility (within the meaning of section 146) in relation to a regulated service (see subsections (10) and (11) of that section),
(e)a person who was within any of paragraphs (a) to (d) at a time to which the required information relates, and
(f)a person not within any of paragraphs (a) to (e) who appears to OFCOM to have, or to be able to generate or obtain, information required by them as mentioned in subsection (1).
(6)The information that may be required by OFCOM under subsection (1) includes, in particular, information that they require for any one or more of the following purposes—
(a)the purpose of assessing compliance with—
(i)any duty or requirement set out in Chapter 2, 3, 4 or 5 of Part 3,
(ii)any duty set out in section 64 (user identity verification),
(iii)any requirement under section 66 (reporting CSEA content),
(iv)any duty set out in section 71 or 72 (terms of service),
(v)any duty set out in section 75 (deceased child users),
(vi)any requirement relating to transparency reporting (see section 77(3) and (4)), or
(vii)any duty set out in section 81 (provider pornographic content);
(b)the purpose of assessing compliance with a requirement under section 83 (duty to notify OFCOM in relation to the charging of fees);
(c)the purpose of a consultation about a threshold figure as mentioned in section 86 (threshold figure for the purposes of charging fees);
(d)the purpose of ascertaining the amount of a person’s qualifying worldwide revenue for the purposes of—
(i)Part 6 (fees), or
(ii)paragraph 4 or 5 of Schedule 13 (amount of penalties etc);
(e)the purpose of assessing compliance with any requirements imposed on a person by—
(i)a notice under section 121(1) (notices to deal with terrorism content and CSEA content), or
(ii)a confirmation decision;
(f)the purpose of assessing the accuracy and effectiveness of technology required to be used by—
(i)a notice under section 121(1), or
(ii)a confirmation decision;
(g)the purpose of assessing whether to give a notice under section 121(1) relating to the development or sourcing of technology (see subsections (2)(b) and (3)(b) of that section);
(h)the purpose of dealing with complaints made to OFCOM under section 169 (super-complaints);
(i)the purpose of OFCOM’s advice to the Secretary of State about provision to be made by regulations under paragraph 1 of Schedule 11 (threshold conditions for categories of Part 3 services);
(j)the purpose of determining whether a Part 3 service meets threshold conditions specified in regulations under paragraph 1 of Schedule 11;
(k)the purpose of preparing a code of practice under section 41;
(l)the purpose of preparing guidance in relation to online safety matters;
(m)the purpose of carrying out research, or preparing a report, in relation to online safety matters;
(n)the purpose of complying with OFCOM’s duties under section 11 of the Communications Act, so far as relating to regulated services (media literacy).
(7)See also section 103 (power to include a requirement to name a senior manager).
(8)The reference in subsection (3) to a person authorised by OFCOM is to a person authorised by OFCOM in writing for the purposes of notices that impose requirements of a kind mentioned in that subsection, and such a person must produce evidence of their identity if requested to do so by a person in receipt of such a notice.
(9)The power conferred by subsection (1) does not include power to require the provision of information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.
(10)In this section—
“information” includes documents, and any reference to providing information includes a reference to producing a document (and see also section 102(11));
“regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79).
Commencement Information
I162S. 100 not in force at Royal Assent, see s. 240(1)
I163S. 100(1)-(5) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z5)
I164S. 100(6)(a)(i) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z5)
I165S. 100(6)(a)(iv) in force at 10.1.2024 for specified purposes by S.I. 2023/1420, reg. 2(z5)
I166S. 100(6)(a)(vi) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z5)
I167S. 100(6)(b)-(n) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z5)
I168S. 100(7)-(10) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z5)
(1)OFCOM may by notice under this subsection require a relevant person to provide them with information for the purpose of—
(a)responding to a notice given by a senior coroner under paragraph 1(2) of Schedule 5 to the Coroners and Justice Act 2009 in connection with an investigation into the death of a child, or preparing a report under section 163 in connection with such an investigation;
(b)responding to a request for information in connection with the investigation of a procurator fiscal into, or an inquiry held or to be held in relation to, the death of a child, or preparing a report under section 163 in connection with such an inquiry;
(c)responding to a notice given by a coroner under section 17A(2) of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.)) in connection with—
(i)an investigation to determine whether an inquest into the death of a child is necessary, or
(ii)an inquest in relation to the death of a child,
or preparing a report under section 163 in connection with such an investigation or inquest.
(2)The power conferred by subsection (1) includes power to require a relevant person to provide OFCOM with information about the use of a regulated service by the child whose death is under investigation, including, in particular—
(a)content encountered by the child by means of the service,
(b)how the content came to be encountered by the child (including the role of algorithms or particular functionalities),
(c)how the child interacted with the content (for example, by viewing, sharing or storing it or enlarging or pausing on it), and
(d)content generated, uploaded or shared by the child.
(3)The power conferred by subsection (1) includes power to require a relevant person to obtain or generate information.
(4)The power conferred by subsection (1) must be exercised in a way that is proportionate to the purpose mentioned in that subsection.
(5)The power conferred by subsection (1) does not include power to require the provision of information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.
(6)Nothing in this section limits the power conferred on OFCOM by section 100.
(7)In this section—
“information” includes documents, and any reference to providing information includes a reference to producing a document (and see also section 102(11));
“inquiry” means an inquiry held, or to be held, under the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (asp 2);
“relevant person” means a person within any of paragraphs (a) to (e) of section 100(5).
Commencement Information
I169S. 101 not in force at Royal Assent, see s. 240(1)
I170S. 101 in force at 1.4.2024 by S.I. 2023/1420, reg. 3(a)
(1)A notice given under section 100(1) or 101(1) is referred to in this Act as an information notice.
(2)An information notice may require information in any form (including in electronic form).
(3)An information notice must—
(a)specify or describe the information to be provided,
(b)specify why OFCOM require the information,
(c)specify the form and manner in which it must be provided, and
(d)contain information about the consequences of not complying with the notice.
(4)An information notice must specify when the information must be provided (which may be on or by a specified date, within a specified period, or at specified intervals).
(5)An information notice requiring a person to take steps of a kind mentioned in section 100(3) must give the person at least seven days’ notice before the steps are required to be taken.
(6)An information notice may specify a place at which, and a person to whom, information is to be provided.
(7)A person to whom a document is produced in response to an information notice may—
(a)take copies of, or extracts from, the document;
(b)require the person producing the document, or a person who is or was an officer of that person, or (in the case of a partnership) a person who is or was a partner, to give an explanation of it.
(8)A person to whom an information notice is given has a duty—
(a)to act in accordance with the requirements of the notice, and
(b)to ensure that the information provided is accurate in all material respects.
(9)OFCOM may cancel an information notice by notice to the person to whom it was given.
(10)In this section—
“information” includes documents, and any reference to providing information includes a reference to producing a document;
“officer”, in relation to an entity, includes a director, a manager, an associate, a secretary or, where the affairs of the entity are managed by its members, a member.
(11)In relation to information recorded otherwise than in a legible form, references in this section to producing a document are to producing a copy of the information—
(a)in a legible form, or
(b)in a form from which it can readily be produced in a legible form.
Commencement Information
I171S. 102 not in force at Royal Assent, see s. 240(1)
I172S. 102 in force at 10.1.2024 for specified purposes by S.I. 2023/1420, reg. 2(z6)
I173S. 102 in force at 1.4.2024 by S.I. 2023/1420, reg. 3(b)
(1)This section applies where—
(a)OFCOM give a provider of a regulated service an information notice, and
(b)the provider is an entity.
(2)OFCOM may include in the information notice a requirement that the provider must name, in their response to the notice, an individual who the provider considers to be a senior manager of the entity and who may reasonably be expected to be in a position to ensure compliance with the requirements of the notice.
(3)If OFCOM impose a requirement to name an individual, the information notice must—
(a)require the provider to inform such an individual, and
(b)include information about the consequences for such an individual of the entity’s failure to comply with the requirements of the notice (see section 110).
(4)An individual is a “senior manager” of an entity if the individual plays a significant role in—
(a)the making of decisions about how the entity’s relevant activities are to be managed or organised, or
(b)the actual managing or organising of the entity’s relevant activities.
(5)An entity’s “relevant activities” are activities relating to the entity’s compliance with the regulatory requirements imposed by this Act in connection with the regulated service to which the information notice in question relates.
Commencement Information
I174S. 103 not in force at Royal Assent, see s. 240(1)
I175S. 103 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z7)
(1)OFCOM may exercise the powers in this section where they consider that it is necessary to do so for either of the following purposes—
(a)assisting OFCOM in identifying and assessing a failure, or possible failure, by a provider of a regulated service to comply with a relevant requirement, or
(b)developing OFCOM’s understanding of—
(i)the nature and level of risk of a provider of a regulated service failing to comply with a relevant requirement, and
(ii)ways to mitigate such a risk.
(2)But the powers in this section may be exercised for a purpose mentioned in subsection (1)(b) only where OFCOM consider that the provider in question may be at risk of failing to comply with a relevant requirement.
(3)Section 122 requires OFCOM to exercise the power in subsection (4) for the purpose of assisting OFCOM in connection with a notice under section 121(1).
(4)OFCOM may appoint a skilled person to provide them with a report about matters relevant to the purpose for which the powers under this section are exercised (“the relevant matters”), and, where OFCOM make such an appointment, they must notify the provider about the appointment and the relevant matters to be explored in the report.
(5)Alternatively, OFCOM may give a notice to the provider—
(a)requiring the provider to appoint a skilled person to provide OFCOM with a report in such form as may be specified in the notice, and
(b)specifying the relevant matters to be explored in the report.
(6)References in this section to a skilled person are to a person—
(a)appearing to OFCOM to have the skills necessary to prepare a report about the relevant matters, and
(b)where the appointment is to be made by the provider, nominated or approved by OFCOM.
(7)It is the duty of—
(a)the provider of the service (“P”),
(b)any person who works for (or used to work for) P, or is providing (or used to provide) services to P related to the relevant matters, and
(c)other providers of internet services,
to give the skilled person all such assistance as the skilled person may reasonably require to prepare the report.
(8)The provider of the service is liable for the payment, directly to the skilled person, of the skilled person’s remuneration and expenses relating to the preparation of the report.
(9)Subsections (10) to (12) apply in relation to an amount due to a skilled person under subsection (8).
(10)In England and Wales, such an amount is recoverable—
(a)if the county court so orders, as if it were payable under an order of that court;
(b)if the High Court so orders, as if it were payable under an order of that court.
(11)In Scotland, such an amount may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
(12)In Northern Ireland, such an amount is recoverable—
(a)if a county court so orders, as if it were payable under an order of that court;
(b)if the High Court so orders, as if it were payable under an order of that court.
(13)In this section “relevant requirement” means—
(a)a duty or requirement set out in any of the following—
(i)section 9, 11, 26 or 28 (risk assessments);
(ii)section 10 or 27 (illegal content);
(iii)section 12 or 29 (children’s online safety);
(iv)section 14 (assessments related to the adult user empowerment duty set out in section 15(2));
(v)section 15 (user empowerment);
(vi)section 20 or 31 (content reporting);
(vii)section 21 or 32 (complaints procedures);
(viii)section 23 or 34 (record-keeping and review);
(ix)section 36 (children’s access assessments);
(x)section 38 or 39 (fraudulent advertising);
(xi)section 64 (user identity verification);
(xii)section 66 (reporting CSEA content);
(xiii)section 71 or 72 (terms of service);
(xiv)section 75 (deceased child users);
(xv)section 77(3) or (4) (transparency reports);
(xvi)section 81(2) (children’s access to pornographic content);
(b)a requirement under section 83 to notify OFCOM in connection with the charging of fees (see subsections (1), (3) and (5) of that section); or
(c)a requirement imposed by a notice under section 121(1) (notices to deal with terrorism content and CSEA content).
Commencement Information
I176S. 104 not in force at Royal Assent, see s. 240(1)
I177S. 104(1)-(12) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z8)
I178S. 104(13)(a)(i)-(x)(xv)(b)(c) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z8)
I179S. 104(13)(a)(xiii) in force at 10.1.2024 for specified purposes by S.I. 2023/1420, reg. 2(z8)
(1)If OFCOM open an investigation into whether a provider of a regulated service has failed, or is failing, to comply with any requirement mentioned in subsection (2), the provider must co-operate fully with the investigation.
(2)The requirements are—
(a)a requirement imposed by a notice under section 121(1) (notices to deal with terrorism content and CSEA content), and
(b)an enforceable requirement as defined in section 131 (except the requirement in subsection (1) of this section).
Commencement Information
I180S. 105 not in force at Royal Assent, see s. 240(1)
I181S. 105 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z9)
(1)The power conferred by this section is exercisable by OFCOM for the purposes of an investigation that they are carrying out into the failure, or possible failure, of a provider of a regulated service to comply with a relevant requirement.
(2)OFCOM may give an individual within subsection (4) a notice requiring the individual—
(a)to attend at a time and place specified in the notice, and
(b)to answer questions and provide explanations about any matter relevant to the investigation.
(3)A notice under this section must—
(a)indicate the subject matter and purpose of the interview, and
(b)contain information about the consequences of not complying with the notice.
(4)The individuals within this subsection are—
(a)if the provider of the service is an individual or individuals, that individual or those individuals,
(b)an officer of the provider of the service,
(c)if the provider of the service is a partnership, a partner,
(d)an employee of the provider of the service, and
(e)an individual who was within any of paragraphs (a) to (d) at a time to which the required information or explanation relates.
(5)If OFCOM give a notice to an individual within subsection (4)(b), (c) or (d), they must give a copy of the notice to the provider of the service.
(6)An individual is not required under this section to disclose information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.
(7)In this section—
“officer”, in relation to an entity, includes a director, a manager, an associate, a secretary or, where the affairs of the entity are managed by its members, a member;
“relevant requirement” has the meaning given by section 104(13).
Commencement Information
I182S. 106 not in force at Royal Assent, see s. 240(1)
I183S. 106 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z9)
Schedule 12 makes provision about—
(a)OFCOM’s powers of entry and inspection, and
(b)the carrying out of audits by OFCOM.
Commencement Information
I184S. 107 not in force at Royal Assent, see s. 240(1)
I185S. 107 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z10)
(1)The Criminal Justice and Police Act 2001 is amended as follows.
(2)In section 57(1) (retention of seized items), after paragraph (t) insert—
“(u)paragraph 8 of Schedule 12 to the Online Safety Act 2023.”
(3)In section 65 (meaning of “legal privilege”)—
(a)after subsection (8B) insert—
“(8C)An item which is, or is comprised in, property which has been seized in exercise or purported exercise of the power of seizure conferred by paragraph 7(f), (j) or (k) of Schedule 12 to the Online Safety Act 2023 is to be taken for the purposes of this Part to be an item subject to legal privilege if, and only if, the seizure of that item was in contravention of paragraph 17(3) of that Schedule (privileged information or documents).”;
(b)in subsection (9)—
(i)at the end of paragraph (d) omit “or”;
(ii)at the end of paragraph (e) insert “or”;
(iii)before the closing words insert—
“(g)paragraph 7(f), (j) or (k) of Schedule 12 to the Online Safety Act 2023.”
(4)In Part 1 of Schedule 1 (powers of seizure to which section 50 of the Act applies), after paragraph 73U insert—
73VEach of the powers of seizure conferred by paragraph 7(f), (j) and (k) of Schedule 12 to the Online Safety Act 2023.”
Commencement Information
I186S. 108 not in force at Royal Assent, see s. 240(1)
I187S. 108 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z10)
(1)A person commits an offence if the person fails to comply with a requirement of an information notice.
(2)It is a defence for a person charged with an offence under subsection (1) to show that—
(a)it was not reasonably practicable to comply with the requirements of the information notice at the time required by the notice, but
(b)the person has subsequently taken all reasonable steps to comply with those requirements.
(3)A person commits an offence if, in response to an information notice—
(a)the person provides information that is false in a material respect, and
(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(4)A person commits an offence if, in response to an information notice, the person—
(a)provides information which is encrypted such that it is not possible for OFCOM to understand it, or produces a document which is encrypted such that it is not possible for OFCOM to understand the information it contains, and
(b)the person’s intention was to prevent OFCOM from understanding such information.
(5)A person commits an offence if—
(a)the person suppresses, destroys or alters, or causes or permits the suppression, destruction or alteration of, any information required to be provided, or document required to be produced, by an information notice, and
(b)the person’s intention was to prevent OFCOM from being provided with the information or document or (as the case may be) from being provided with it as it was before the alteration.
(6)The reference in subsection (5) to suppressing information or a document includes a reference to destroying the means of reproducing information recorded otherwise than in a legible form.
(7)Offences under this section may be committed only in relation to an information notice which—
(a)relates to—
(i)a user-to-user service,
(ii)a search service, or
(iii)an internet service on which regulated provider pornographic content is published or displayed; and
(b)is given to the provider of that service.
(8)If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person to comply with a requirement of an information notice within such period as may be specified by the order.
(9)See also section 201 (supplementary provision about defences).
(10)In this section, “regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79).
Commencement Information
I188S. 109 not in force at Royal Assent, see s. 240(1)
I189S. 109 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z11)
(1)In this section “an individual named as a senior manager of an entity” means an individual who, as required by an information notice, is named as a senior manager of an entity in a response to that notice (see section 103).
(2)An individual named as a senior manager of an entity commits an offence if—
(a)the entity commits an offence under section 109(1) (failure to comply with information notice), and
(b)the individual has failed to take all reasonable steps to prevent that offence being committed.
(3)It is a defence for an individual charged with an offence under subsection (2) to show that the individual was a senior manager within the meaning of section 103 for such a short time after the information notice in question was given that the individual could not reasonably have been expected to take steps to prevent that offence being committed.
(4)An individual named as a senior manager of an entity commits an offence if—
(a)the entity commits an offence under section 109(3) (false information), and
(b)the individual has failed to take all reasonable steps to prevent that offence being committed.
(5)An individual named as a senior manager of an entity commits an offence if—
(a)the entity commits an offence under section 109(4) (encrypted information), and
(b)the individual has failed to take all reasonable steps to prevent that offence being committed.
(6)An individual named as a senior manager of an entity commits an offence if—
(a)the entity commits an offence under section 109(5) (destruction etc of information), and
(b)the individual has failed to take all reasonable steps to prevent that offence being committed.
(7)It is a defence for an individual charged with an offence under subsection (4), (5) or (6) to show that the individual was not a senior manager within the meaning of section 103 at the time at which the act constituting the offence occurred.
(8)It is a defence for an individual charged with an offence under this section to show that the individual had no knowledge of being named as a senior manager in a response to the information notice in question.
(9)See also section 201 (supplementary provision about defences).
Commencement Information
I190S. 110 not in force at Royal Assent, see s. 240(1)
I191S. 110 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z11)
(1)A person commits an offence if the person fails without reasonable excuse to comply with a requirement of an audit notice.
(2)A person commits an offence if, in response to an audit notice—
(a)the person provides information that is false in a material respect, and
(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(3)A person commits an offence if—
(a)the person suppresses, destroys or alters, or causes or permits the suppression, destruction or alteration of, any information required to be provided, or document required to be produced, by a notice to which this subsection applies, and
(b)the person’s intention was to prevent OFCOM from being provided with the information or document or (as the case may be) from being provided with it as it was before the alteration.
(4)The reference in subsection (3) to suppressing information or a document includes a reference to destroying the means of reproducing information recorded otherwise than in a legible form.
(5)Subsection (3) applies to—
(a)a notice under paragraph 3 of Schedule 12 (information required for inspection), and
(b)an audit notice (see paragraph 4 of that Schedule).
(6)If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person, within such period as may be specified by the order, to comply with a requirement of a notice under paragraph 3 of Schedule 12 or an audit notice (as the case may be).
Commencement Information
I192S. 111 not in force at Royal Assent, see s. 240(1)
I193S. 111 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z11)
(1)A person commits an offence if the person intentionally obstructs or delays a person in the exercise of the power conferred by section 102(7)(a) (copying a document etc).
(2)A person commits an offence if the person fails without reasonable excuse to comply with a requirement under section 106 (interviews).
(3)A person commits an offence if, in purported compliance with a requirement under section 106—
(a)the person provides information that is false in a material respect, and
(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(4)If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person, within such period as may be specified by the order, to permit the making of a copy of a document, or to comply with a requirement under section 106 (as the case may be).
Commencement Information
I194S. 112 not in force at Royal Assent, see s. 240(1)
I195S. 112 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z11)
(1)A person who commits an offence under section 109(1), 110(2) or 111(1) is liable—
(a)on summary conviction in England and Wales, to a fine;
(b)on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;
(c)on conviction on indictment, to a fine.
(2)A person who commits an offence under section 109(3), (4) or (5), 110(4), (5) or (6), 111(2) or (3) or 112(1) is liable—
(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);
(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).
(3)A person who commits an offence under section 112(2) or (3) is liable—
(a)on summary conviction in England and Wales, to a fine;
(b)on summary conviction in Scotland, to a fine not exceeding level 5 on the standard scale;
(c)on summary conviction in Northern Ireland, to a fine not exceeding level 5 on the standard scale.
Commencement Information
I196S. 113 not in force at Royal Assent, see s. 240(1)
I197S. 113 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z11)
(1)OFCOM may co-operate with an overseas regulator, including by disclosing online safety information to that regulator, for the purposes of—
(a)facilitating the exercise by the overseas regulator of any of that regulator’s online regulatory functions, or
(b)criminal investigations or proceedings relating to a matter to which the overseas regulator’s online regulatory functions relate.
(2)The power conferred by subsection (1) applies only in relation to an overseas regulator for the time being specified in regulations made by the Secretary of State.
(3)Where information is disclosed to a person in reliance on subsection (1), the person may not—
(a)use the information for a purpose other than the purpose for which it was disclosed, or
(b)further disclose the information,
except with OFCOM’s consent (which may be general or specific) or in accordance with an order of a court or tribunal.
(4)Except as provided by subsection (5), a disclosure of information under subsection (1) does not breach—
(a)any obligation of confidence owed by the person making the disclosure, or
(b)any other restriction on the disclosure of information (however imposed).
(5)Subsection (1) does not authorise a disclosure of information that—
(a)would contravene the restriction imposed by section 116 (intelligence service information),
(b)would contravene the data protection legislation (but in determining whether a disclosure would do so, the power conferred by that subsection is to be taken into account), or
(c)is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
(6)Section 18 of the Anti-terrorism, Crime and Security Act 2001 (restriction on disclosure of information for overseas purposes) has effect in relation to a disclosure authorised by subsection (1)(b) as it has effect in relation to a disclosure authorised by any of the provisions to which section 17 of that Act applies.
(7)In this section—
“online regulatory functions”, in relation to an overseas regulator, means functions of that regulator which correspond to OFCOM’s online safety functions;
“online safety information” means information held by OFCOM in connection with any of OFCOM’s online safety functions;
“overseas regulator” means a person exercising functions in a country outside the United Kingdom which correspond to any of OFCOM’s online safety functions;
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
Commencement Information
I198S. 114 not in force at Royal Assent, see s. 240(1)
I199S. 114(1)(3)-(6) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z12)
I200S. 114(2)(7) in force at 22.11.2023 by S.I. 2023/1242, reg. 2
(1)Section 393 of the Communications Act (general restrictions on disclosure of information) is amended as follows.
(2)In subsection (1)—
(a)at the end of paragraph (c) omit “or”,
(b)at the end of paragraph (d) insert “or”, and
(c)after paragraph (d) insert—
“(e)the Online Safety Act 2023,”.
(3)In subsection (2)(e), after “this Act” insert “or the Online Safety Act 2023”.
(4)In subsection (3), after paragraph (h) insert—
“(ha)a person appointed under—
(i)paragraph 1 of Schedule 3 to the Coroners and Justice Act 2009, or
(ii)section 2 of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.));
(hb)the procurator fiscal, within the meaning of the enactment mentioned in subsection (5)(s);”.
(5)In subsection (5)—
(a)before paragraph (d) insert—
“(ca)the Coroners Act (Northern Ireland) 1959;”,
(b)after paragraph (na) insert—
“(nb)Part 1 of the Coroners and Justice Act 2009;”, and
(c)after paragraph (r) insert—
“(s)the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (asp 2).”
(6)In subsection (6)(a), after “390” insert “, or under section 149 of or Schedule 11 to the Online Safety Act 2023”.
(7)In subsection (6)(b), at the end insert “or the Online Safety Act 2023”.
Commencement Information
I201S. 115 in force at Royal Assent, see s. 240(4)(r)
(1)OFCOM may not disclose information received (directly or indirectly) from, or that relates to, an intelligence service unless the intelligence service consents to the disclosure.
(2)If OFCOM have disclosed information described in subsection (1) to a person, the person must not further disclose the information unless the intelligence service consents to the disclosure.
(3)If OFCOM would contravene subsection (1) by publishing in its entirety—
(a)a statement required to be published by section 47(5), or
(b)a report mentioned in section 164(5),
OFCOM must, before publication, remove or obscure the information which by reason of subsection (1) they must not disclose.
(4)In this section—
“information” means information held by OFCOM in connection with an online safety matter;
“intelligence service” means—
the Security Service,
the Secret Intelligence Service, or
the Government Communications Headquarters.
Commencement Information
I202S. 116 in force at Royal Assent, see s. 240(4)(r)
(1)Section 24B of the Communications Act (provision of information to assist in formulation of policy) is amended as follows.
(2)In subsection (2)—
(a)at the end of paragraph (d) omit “or”,
(b)at the end of paragraph (e) insert “or”, and
(c)after paragraph (e) insert—
“(f)the Online Safety Act 2023,”.
(3)After subsection (3) insert—
“(4)Subsection (2) does not apply to information—
(a)obtained by OFCOM—
(i)in the exercise of a power conferred by section 100 of the Online Safety Act 2023 for the purpose mentioned in subsection (6)(c) of that section (information in connection with a consultation about a threshold figure for the purposes of charging fees under that Act), or
(ii)in the exercise of a power conferred by section 175(5) of that Act (information in connection with circumstances presenting a threat), and
(b)reasonably required by the Secretary of State.”
Commencement Information
I203S. 117 in force at Royal Assent, see s. 240(4)(r)
In Schedule 15 to the Enterprise Act 2002 (enactments relevant to provisions about disclosure of information), at the appropriate place insert—
“Online Safety Act 2023.”
Commencement Information
I204S. 118 not in force at Royal Assent, see s. 240(1)
I205S. 118 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z13)
(1)Section 26 of the Communications Act (publication of information and advice for consumers etc) is amended as follows.
(2)In subsection (2), after paragraph (d) insert—
“(da)United Kingdom users of regulated services;”.
(3)After subsection (6) insert—
“(7)In this section the following terms have the same meaning as in the Online Safety Act 2023—
“regulated service” (see section 4 of that Act);
“United Kingdom user” (see section 227 of that Act).”
Commencement Information
I206S. 119 not in force at Royal Assent, see s. 240(1)
I207S. 119 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z14)
(1)An explanation given, or information provided, by a person in response to a requirement imposed under or by virtue of section 100, 101 or 106 or paragraph 2(4)(e) or (f), 3(2), 4(2)(i) or (j) or 7(d) of Schedule 12, may, in criminal proceedings, only be used in evidence against that person—
(a)on a prosecution for an offence under a provision listed in subsection (2), or
(b)on a prosecution for any other offence where—
(i)in giving evidence that person makes a statement inconsistent with that explanation or information, and
(ii)evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person’s behalf.
(2)Those provisions are—
(a)section 69(1),
(b)section 109(3),
(c)section 110(4),
(d)section 111(2),
(e)section 112(3),
(f)paragraph 18(1)(c) of Schedule 12,
(g)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
(h)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), and
(i)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
Commencement Information
I208S. 120 not in force at Royal Assent, see s. 240(1)
I209S. 120(1)(2)(b)-(i) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z15)
(1)If OFCOM consider that it is necessary and proportionate to do so, they may give a notice described in subsection (2), (3) or (4) relating to a regulated user-to-user service or a regulated search service to the provider of the service.
(2)A notice under subsection (1) that relates to a regulated user-to-user service is a notice requiring the provider of the service—
(a)to do any or all of the following—
(i)use accredited technology to identify terrorism content communicated publicly by means of the service and to swiftly take down that content;
(ii)use accredited technology to prevent individuals from encountering terrorism content communicated publicly by means of the service;
(iii)use accredited technology to identify CSEA content, whether communicated publicly or privately by means of the service, and to swiftly take down that content;
(iv)use accredited technology to prevent individuals from encountering CSEA content, whether communicated publicly or privately, by means of the service; or
(b)to use the provider’s best endeavours to develop or source technology for use on or in relation to the service or part of the service, which—
(i)achieves the purpose mentioned in paragraph (a)(iii) or (iv), and
(ii)meets the standards published by the Secretary of State (see section 125(13)).
(3)A notice under subsection (1) that relates to a regulated search service is a notice requiring the provider of the service—
(a)to do either or both of the following—
(i)use accredited technology to identify search content of the service that is terrorism content and to swiftly take measures designed to secure, so far as possible, that search content of the service no longer includes terrorism content identified by the technology;
(ii)use accredited technology to identify search content of the service that is CSEA content and to swiftly take measures designed to secure, so far as possible, that search content of the service no longer includes CSEA content identified by the technology; or
(b)to use the provider’s best endeavours to develop or source technology for use on or in relation to the service which—
(i)achieves the purpose mentioned in paragraph (a)(ii), and
(ii)meets the standards published by the Secretary of State (see section 125(13)).
(4)A notice under subsection (1) that relates to a combined service is a notice requiring the provider of the service—
(a)to do any or all of the things described in subsection (2)(a) in relation to the user-to-user part of the service, or to use best endeavours to develop or source technology as described in subsection (2)(b) for use on or in relation to that part of the service;
(b)to do either or both of the things described in subsection (3)(a) in relation to the search engine of the service, or to use best endeavours to develop or source technology as described in subsection (3)(b) for use on or in relation to the search engine of the service;
(c)to do any or all of the things described in subsection (2)(a) in relation to the user-to-user part of the service and either or both of the things described in subsection (3)(a) in relation to the search engine of the service; or
(d)to use best endeavours to develop or source—
(i)technology as described in subsection (2)(b) for use on or in relation to the user-to-user part of the service, and
(ii)technology as described in subsection (3)(b) for use on or in relation to the search engine of the service.
(5)For the purposes of subsections (2) and (3), a requirement to use accredited technology may be complied with by the use of the technology alone or by means of the technology together with the use of human moderators.
(6)See—
(a)section 122, which requires OFCOM to obtain a skilled person’s report before giving a notice under subsection (1),
(b)section 123, which requires OFCOM to give a warning notice before giving a notice under subsection (1), and
(c)section 124 for provision about matters which OFCOM must consider before giving a notice under subsection (1).
(7)A notice under subsection (1) that relates to a user-to-user service (or to the user-to-user part of a combined service) and requires the use of technology in relation to terrorism content must identify the content, or parts of the service that include content, that OFCOM consider is communicated publicly on that service (see section 232).
(8)For the meaning of “accredited” technology, see section 125(12) and (13).
Commencement Information
I210S. 121 not in force at Royal Assent, see s. 240(1)
I211S. 121 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z16)
(1)OFCOM may give a notice under section 121(1) to a provider only after obtaining a report from a skilled person appointed by OFCOM under section 104(4).
(2)The purpose of the report is to assist OFCOM in deciding whether to give a notice under section 121(1), and to advise about the requirements that might be imposed by such a notice if it were to be given.
Commencement Information
I212S. 122 not in force at Royal Assent, see s. 240(1)
I213S. 122 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z16)
(1)OFCOM may give a notice under section 121(1) to a provider relating to a service or part of a service only after giving a warning notice to the provider that they intend to give such a notice relating to that service or that part of it.
(2)A warning notice under subsection (1) relating to the use of accredited technology (see section 121(2)(a) and (3)(a)) must—
(a)contain a summary of the report obtained by OFCOM under section 122,
(b)contain details of the technology that OFCOM are considering requiring the provider to use,
(c)specify whether the technology is to be required in relation to terrorism content or CSEA content (or both),
(d)specify any other requirements that OFCOM are considering imposing (see section 125(2) to (4)),
(e)specify the period for which OFCOM are considering imposing the requirements (see section 125(7)),
(f)state that the provider may make representations to OFCOM (with any supporting evidence), and
(g)specify the period within which representations may be made.
(3)A warning notice under subsection (1) relating to the development or sourcing of technology (see section 121(2)(b)and (3)(b)) must—
(a)contain a summary of the report obtained by OFCOM under section 122,
(b)describe the proposed purpose for which the technology must be developed or sourced (see section 121(2)(a)(iii) and (iv) and (3)(a)(ii)),
(c)specify steps that OFCOM consider the provider needs to take in order to comply with the requirement described in section 121(2)(b) or (3)(b), or both those requirements (as the case may be),
(d)specify the proposed period within which the provider must take each of those steps,
(e)specify any other requirements that OFCOM are considering imposing,
(f)state that the provider may make representations to OFCOM (with any supporting evidence), and
(g)specify the period within which representations may be made.
(4)A notice under section 121(1) that relates to both the user-to-user part of a combined service and the search engine of the service (as described in section 121(4)(c) or (d)) may be given to the provider of the service only if—
(a)two separate warning notices have been given to the provider (one relating to the user-to-user part of the service and the other relating to the search engine), or
(b)a single warning notice relating to both the user-to-user part of the service and the search engine has been given to the provider.
(5)A notice under section 121(1) may not be given to a provider until the period allowed by the warning notice for the provider to make representations has expired.
Commencement Information
I214S. 123 not in force at Royal Assent, see s. 240(1)
I215S. 123 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z16)
(1)This section specifies the matters which OFCOM must particularly consider in deciding whether it is necessary and proportionate to give a notice under section 121(1) relating to a Part 3 service to the provider of the service.
(2)In the case of a notice requiring the use of accredited technology, the matters are as follows—
(a)the kind of service it is;
(b)the functionalities of the service;
(c)the user base of the service;
(d)in the case of a notice relating to a user-to-user service (or to the user-to-user part of a combined service), the prevalence of relevant content on the service, and the extent of its dissemination by means of the service;
(e)in the case of a notice relating to a search service (or to the search engine of a combined service), the prevalence of search content of the service that is relevant content;
(f)the level of risk of harm to individuals in the United Kingdom presented by relevant content, and the severity of that harm;
(g)the systems and processes used by the service which are designed to identify and remove relevant content;
(h)the contents of the skilled person’s report obtained as required by section 122;
(i)the extent to which the use of the specified technology would or might result in interference with users’ right to freedom of expression within the law;
(j)the level of risk of the use of the specified technology resulting in a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of the service (including, but not limited to, any such provision or rule concerning the processing of personal data);
(k)in the case of a notice relating to a user-to-user service (or to the user-to-user part of a combined service), the extent to which the use of the specified technology would or might—
(i)have an adverse impact on the availability of journalistic content on the service, or
(ii)result in a breach of the confidentiality of journalistic sources;
(l)whether the use of any less intrusive measures than the specified technology would be likely to achieve a significant reduction in the amount of relevant content.
(3)The references to relevant content in subsection (2)(f), (g) and (l) are to—
(a)in the case of a user-to-user service (or the user-to-user part of a combined service), relevant content present on the service;
(b)in the case of a search service (or the search engine of a combined service), search content of the service that is relevant content.
(4)In the case of a notice relating to the development or sourcing of technology, subsection (2) applies—
(a)as if references to relevant content were to CSEA content, and
(b)with the omission of paragraphs (i), (j), (k) and (l).
(5)In this section—
“journalistic content” has the meaning given by section 19;
“relevant content” means terrorism content or CSEA content or both those kinds of content (depending on the kind, or kinds, of content in relation to which the specified technology is to operate);
“specified technology” means the technology to be specified in the notice under section 121(1).
Commencement Information
I216S. 124 not in force at Royal Assent, see s. 240(1)
I217S. 124 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z16)
(1)In this section “a notice” means a notice under section 121(1) (including a further notice under that provision).
(2)If a provider is already using accredited technology in relation to the service in question, a notice may require the provider to use it more effectively (specifying the ways in which that must be done).
(3)A notice relating to a user-to-user service (or to the user-to-user part of a combined service) may also require a provider to operate an effective complaints procedure allowing for United Kingdom users to challenge the provider for taking down content which they have generated, uploaded or shared on the service.
(4)A notice relating to a search service (or to the search engine of a combined service) may also require a provider to operate an effective complaints procedure allowing for an interested person (see section 227(7)) to challenge measures taken or in use by the provider that result in content relating to that interested person no longer appearing in search results of the service.
(5)A notice given to a provider of a Part 3 service requiring the use of accredited technology is to be taken to require the provider to make such changes to the design or operation of the service as are necessary for the technology to be used effectively.
(6)A notice requiring the use of accredited technology must—
(a)give OFCOM’s reasons for their decision to give the notice,
(b)contain details of the requirements imposed by the notice,
(c)contain details of the technology to be used,
(d)contain details about the manner in which the technology is to be implemented,
(e)specify a reasonable period for compliance with the notice,
(f)specify the period for which the notice is to have effect,
(g)contain details of the rights of appeal under section 168,
(h)contain information about when OFCOM intend to review the notice (see section 126), and
(i)contain information about the consequences of not complying with the notice (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(7)A notice requiring the use of accredited technology may impose requirements for a period of up to 36 months beginning with the last day of the period specified in the notice in accordance with subsection (6)(e).
(8)A notice relating to the development or sourcing of technology must—
(a)give OFCOM’s reasons for their decision to give the notice,
(b)describe the purpose for which technology is required to be developed or sourced (see section 121(2)(a)(iii) and (iv) and (3)(a)(ii),
(c)specify steps that the provider is required to take (including steps relating to the use of a system or process) in order to comply with the requirement described in section 121(2)(b) or (3)(b), or both those requirements (as the case may be),
(d)specify a reasonable period within which each of the steps specified in the notice must be taken,
(e)contain details of any other requirements imposed by the notice,
(f)contain details of the rights of appeal under section 168,
(g)contain information about when OFCOM intend to review the notice (see section 126), and
(h)contain information about the consequences of not complying with the notice (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(9)In deciding what period or periods to specify for steps to be taken in accordance with subsection (8)(d), OFCOM must, in particular, consider—
(a)the size and capacity of the provider, and
(b)the state of development of technology capable of achieving the purpose described in the notice in accordance with subsection (8)(b).
(10)A notice may impose requirements only in relation to the design and operation of a Part 3 service—
(a)in the United Kingdom, or
(b)as it affects United Kingdom users of the service.
(11)OFCOM may vary or revoke a notice given to a provider by notifying the provider to that effect.
(12)For the purposes of this Chapter, technology is “accredited” if it is accredited (by OFCOM or another person appointed by OFCOM) as meeting minimum standards of accuracy in the detection of terrorism content or CSEA content (as the case may be).
(13)Those minimum standards of accuracy must be such standards as are for the time being approved and published by the Secretary of State, following advice from OFCOM.
Commencement Information
I218S. 125 not in force at Royal Assent, see s. 240(1)
I219S. 125 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z16)
(1)This section applies where OFCOM have given a provider of a Part 3 service a notice under section 121(1).
(2)The power conferred by section 125(11) includes power to revoke the notice if there are reasonable grounds for believing that the provider is failing to comply with it.
(3)If a notice is revoked as mentioned in subsection (2), OFCOM may give the provider a further notice under section 121(1) if they consider that it is necessary and proportionate to do so (taking into account the matters mentioned in section 124).
(4)Except where a notice under section 121(1) is revoked as mentioned in subsection (2), OFCOM must carry out a review of the provider’s compliance with the notice—
(a)in the case of a notice requiring the use of accredited technology, before the end of the period for which the notice has effect;
(b)in the case of a notice relating to the development or sourcing of technology, before the last date by which any step specified in the notice is required to be taken.
(5)In the case of a notice requiring the use of accredited technology, the review must consider—
(a)the extent to which the technology specified in the notice has been used, and
(b)the effectiveness of its use.
(6)Following the review, and after consultation with the provider, OFCOM may give the provider a further notice under section 121(1) if they consider that it is necessary and proportionate to do so (taking into account the matters mentioned in section 124).
(7)If a further notice under section 121(1) is given, subsections (3) to (6) apply again.
(8)A further notice under section 121(1) may impose different requirements from an earlier notice under that provision.
(9)Sections 122 (skilled person’s report) and 123 (warning notices) do not apply in relation to a further notice under section 121(1).
Commencement Information
I220S. 126 not in force at Royal Assent, see s. 240(1)
I221S. 126 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z16)
(1)OFCOM must produce guidance for providers of Part 3 services about how OFCOM propose to exercise their functions under this Chapter.
(2)Before producing the guidance (including revised or replacement guidance), OFCOM must consult the Information Commissioner.
(3)OFCOM must keep the guidance under review.
(4)OFCOM must publish the guidance (and any revised or replacement guidance).
(5)In exercising their functions under this Chapter, or deciding whether to exercise them, OFCOM must have regard to the guidance for the time being published under this section.
Commencement Information
I222S. 127 not in force at Royal Assent, see s. 240(1)
I223S. 127 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z16)
(1)OFCOM must produce and publish an annual report about—
(a)the exercise of their functions under this Chapter, and
(b)technology which meets, or is in the process of development so as to meet, minimum standards of accuracy (see subsections (12) and (13) of section 125) for the purposes of this Chapter.
(2)OFCOM must send a copy of the report to the Secretary of State, and the Secretary of State must lay it before Parliament.
(3)For further provision about reports under this section, see section 164.
Commencement Information
I224S. 128 not in force at Royal Assent, see s. 240(1)
I225S. 128 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z16)
In this Chapter—
“search content” has the same meaning as in Part 3 (see section 57);
“search results” has the meaning given by section 57(3);
“terrorism content” and “CSEA content” have the same meaning as in Part 3 (see section 59).
Commencement Information
I226S. 129 in force at Royal Assent, see s. 240(4)(s)
(1)OFCOM may give a notice under this section (a “provisional notice of contravention”) relating to a regulated service to the provider of the service if they consider that there are reasonable grounds for believing that the provider has failed, or is failing, to comply with any enforceable requirement (see section 131) that applies in relation to the service.
(2)OFCOM may also give a provisional notice of contravention to a person on either of the grounds in subsection (3).
(3)The grounds are that—
(a)the person has been given an information notice and OFCOM consider that there are reasonable grounds for believing that the person has failed, or is failing, to comply with either of the duties set out in section 102(8) (duties in relation to information notices), or
(b)the person is required by a skilled person appointed under section 104 to give assistance to the skilled person, and OFCOM consider that there are reasonable grounds for believing that the person has failed, or is failing, to comply with the duty set out in subsection (7) of that section to give such assistance.
(4)A provisional notice of contravention given to a person must—
(a)specify the duty or requirement with which (in OFCOM’s opinion) the person has failed, or is failing, to comply, and
(b)give OFCOM’s reasons for their opinion that the person has failed, or is failing, to comply with it.
(5)A provisional notice of contravention may also contain details as mentioned in subsection (6) or (7), or both.
(6)A provisional notice of contravention may specify steps that OFCOM consider the person needs to take in order to—
(a)comply with the duty or requirement, or
(b)remedy the failure to comply with it.
(7)A provisional notice of contravention may state that OFCOM propose to impose a penalty on the person, and in such a case the notice must—
(a)state the reasons why OFCOM propose to impose a penalty,
(b)state whether OFCOM propose to impose a penalty of a single amount, a penalty calculated by reference to a daily rate, or both penalties (see section 137(1)),
(c)indicate the amount of a penalty that OFCOM propose to impose, including (in relation to a penalty calculated by reference to a daily rate) the daily rate and how the penalty would be calculated,
(d)in relation to a penalty calculated by reference to a daily rate, specify or describe the period for which OFCOM propose that the penalty should be payable, and
(e)state the reasons for proposing a penalty of that amount, including any aggravating or mitigating factors that OFCOM propose to take into account.
(8)A provisional notice of contravention given to a person must—
(a)state that the person may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice, and
(b)specify the period within which such representations may be made.
(9)A provisional notice of contravention may be given in respect of a failure to comply with more than one enforceable requirement.
(10)Where a provisional notice of contravention is given in respect of a continuing failure, the notice may be given in respect of any period during which the failure has continued, and must specify that period.
(11)Where a provisional notice of contravention is given to a person in respect of a failure to comply with a duty or requirement (“the first notice”), a further provisional notice of contravention in respect of a failure to comply with that same duty or requirement may be given to the person only—
(a)in respect of a separate instance of the failure after the first notice was given,
(b)where a period was specified in the first notice in accordance with subsection (10), in respect of the continuation of the failure after the end of that period, or
(c)if the first notice has been withdrawn (without a confirmation decision being given to the person in respect of the failure).
Commencement Information
I227S. 130 not in force at Royal Assent, see s. 240(1)
I228S. 130 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)References in this Chapter to “enforceable requirements” are to—
(a)the duties or requirements set out in the provisions of this Act specified in the table in subsection (2), and
(b)the requirements mentioned in subsection (3).
(2)Here is the table—
Provision | Subject matter |
---|---|
Section 9 | Illegal content risk assessments |
Section 10 | Illegal content |
Section 11 | Children’s risk assessments |
Section 12 | Children’s online safety |
Section 14 | Assessments related to duty in section 15(2) |
Section 15 | User empowerment |
Section 17 | Content of democratic importance |
Section 18 | News publisher content |
Section 19 | Journalistic content |
Section 20 | Content reporting |
Section 21 | Complaints procedures |
Section 22 | Freedom of expression and privacy |
Section 23 | Record-keeping and review |
Section 26 | Illegal content risk assessments |
Section 27 | Illegal content |
Section 28 | Children’s risk assessments |
Section 29 | Children’s online safety |
Section 31 | Content reporting |
Section 32 | Complaints procedures |
Section 33 | Freedom of expression and privacy |
Section 34 | Record-keeping and review |
Section 36 | Children’s access assessments |
Section 38 | Fraudulent advertising |
Section 39 | Fraudulent advertising |
Section 64 | User identity verification |
Section 66 | Reporting CSEA content to NCA |
Section 71 | Acting against users only in accordance with terms of service |
Section 72 | Terms of service |
Section 75 | Information about use of service by deceased child users |
Section 77(3) and (4) | Transparency reports |
Section 81 | Provider pornographic content |
Section 83 | Fees: notification of OFCOM |
Section 102(8) | Information notices |
Section 104(7) | Assistance to skilled person |
Section 105(1) | Co-operation with investigation |
(3)The requirements referred to in subsection (1)(b) are—
(a)requirements of a notice under section 104(5)(a) to appoint a skilled person;
(b)requirements of a notice given by virtue of section 175(3) (duty to make public statement);
(c)requirements of a notice under section 175(5) (information in connection with circumstances presenting a threat);
(d)requirements imposed by a person acting—
(i)in the exercise of powers conferred by paragraph 2 of Schedule 12 (entry and inspection without warrant), or
(ii)in the execution of a warrant issued under paragraph 5 of that Schedule.
Commencement Information
I229S. 131 not in force at Royal Assent, see s. 240(1)
I230S. 131 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)This section applies if—
(a)OFCOM have given a provisional notice of contravention to a person in relation to a failure to comply with a duty or requirement (or with duties or requirements), and
(b)the period allowed for representations has expired.
A duty or requirement to which the provisional notice of contravention relates is referred to in this section as a “notified requirement”.
(2)If, after considering any representations and evidence, OFCOM decide not to give the person a notice under this section, they must inform the person of that fact.
(3)If OFCOM are satisfied that the person has failed, or has been failing, to comply with a notified requirement, OFCOM may give the person a notice under this section (a “confirmation decision”) confirming that that is OFCOM’s opinion.
(4)A confirmation decision and a notice under section 121(1) may be given in respect of the same failure.
(5)A confirmation decision given to a person may—
(a)require the person to take steps as mentioned in section 133;
(b)require the person to pay a penalty as mentioned in section 137;
(c)require the person to do both those things (or neither of them).
(6)See sections 134 and 135 for further provision which a confirmation decision may include in cases of failure to comply with duties about risk assessments or children’s access assessments.
Commencement Information
I231S. 132 not in force at Royal Assent, see s. 240(1)
I232S. 132 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)A confirmation decision may require the person to whom it is given to take such steps as OFCOM consider appropriate (including steps relating to the use of a system or process) for either or both of the following purposes—
(a)complying with a notified requirement;
(b)remedying the failure to comply with a notified requirement.
(2)But see section 136 in relation to OFCOM’s power to include in a confirmation decision requirements as described in subsection (1) relating to the use of proactive technology.
(3)A confirmation decision may impose requirements as described in subsection (1) only in relation to the design or operation of a regulated service—
(a)in the United Kingdom, or
(b)as it affects United Kingdom users of the service.
(4)A confirmation decision that includes requirements as described in subsection (1) must—
(a)specify the steps that are required,
(b)give OFCOM’s reasons for their decision to impose those requirements,
(c)specify which of those requirements (if any) have been designated as CSEA requirements (see subsections (6) and (7)),
(d)specify each notified requirement to which the steps relate,
(e)specify the period during which the failure to comply with a notified requirement has occurred, and whether the failure is continuing,
(f)specify a reasonable period within which each of the steps specified in the decision must be taken or, if a step requires the use of a system or process, a reasonable period within which the system or process must begin to be used (but see subsection (5) in relation to information duties),
(g)(if relevant) specify the period for which a system or process must be used,
(h)contain details of the rights of appeal under section 168, and
(i)contain information about the consequences of not complying with the requirements included in the decision (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(5)A confirmation decision that requires a person to take steps for the purpose of complying with an information duty may require the person to take those steps immediately.
(6)If the condition in subsection (7) is met in relation to a requirement imposed by a confirmation decision which is of a kind described in subsection (1), OFCOM must designate the requirement as a “CSEA requirement” for the purposes of section 138(3) (offence of failure to comply with confirmation decision).
(7)The condition referred to in subsection (6) is that the requirement is imposed (whether or not exclusively) in relation to either or both of the following—
(a)a failure to comply with section 10(2)(a) or (3)(a) in respect of CSEA content, or in respect of priority illegal content which includes CSEA content;
(b)a failure to comply with section 10(2)(b) in respect of an offence specified in Schedule 6 (CSEA offences), or in respect of priority offences which include such an offence.
(8)A person to whom a confirmation decision is given has a duty to comply with requirements included in the decision which are of a kind described in subsection (1).
(9)The duty under subsection (8) is enforceable in civil proceedings by OFCOM—
(a)for an injunction,
(b)for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or
(c)for any other appropriate remedy or relief.
(10)In this section—
“CSEA content”, “priority illegal content” and “priority offence” have the same meaning as in Part 3 (see section 59);
“information duty” means a duty set out in section 102(8);
“notified requirement” has the meaning given by section 132.
Commencement Information
I233S. 133 not in force at Royal Assent, see s. 240(1)
I234S. 133 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)This section applies if—
(a)OFCOM are satisfied that a provider of a Part 3 service has failed to comply with a risk assessment duty,
(b)based on evidence resulting from OFCOM’s investigation into that failure, OFCOM have identified a risk of serious harm to individuals in the United Kingdom arising from a particular aspect of the service (“the identified risk”), and
(c)OFCOM consider that the identified risk is not effectively mitigated or managed.
(2)A confirmation decision given to the provider of the service—
(a)if the identified risk relates to matters required to be covered by an illegal content risk assessment, may include a determination that the duty set out in section 10(2)(b) or (c) or 27(2) (as the case may be) applies as if an illegal content risk assessment carried out by the provider had identified that risk;
(b)if the identified risk relates to matters required to be covered by a children’s risk assessment, may include a determination that the duty set out in section 12(2)(a) or 29(2)(a) (as the case may be) applies as if a children’s risk assessment carried out by the provider had identified that risk.
(3)A confirmation decision which includes a determination as mentioned in subsection (2) must—
(a)give details of the identified risk,
(b)specify the duty to which the determination relates, and
(c)specify the date by which measures (at the provider’s discretion) to comply with that duty must be taken or must begin to be used.
(4)A determination as mentioned in subsection (2) ceases to have effect on the date on which the provider of the service complies with the risk assessment duty with which the provider had previously failed to comply (and accordingly, from that date the duty to which the determination relates applies without the modification mentioned in that subsection).
(5)In this section—
“children’s risk assessment” has the meaning given by section 11 or 28 (as the case may be);
“illegal content risk assessment” has the meaning given by section 9 or 26 (as the case may be);
“risk assessment duty” means a duty set out in—
section 9,
section 11,
section 26, or
section 28.
Commencement Information
I235S. 134 not in force at Royal Assent, see s. 240(1)
I236S. 134 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)This section applies if OFCOM are satisfied that a provider of a Part 3 service has failed to comply with a duty set out in section 36 (duties about children’s access assessments).
(2)If OFCOM include in a confirmation decision a requirement to take steps relating to the carrying out of a children’s access assessment of a service, they must require that assessment to be completed within three months of the date of the confirmation decision.
(3)OFCOM may vary a confirmation decision which includes a requirement as mentioned in subsection (2) to extend the deadline for completion of a children’s access assessment.
(4)Subsection (5) applies if, based on evidence that OFCOM have about a service resulting from their investigation into compliance with a duty set out in section 36, OFCOM consider that—
(a)it is possible for children to access the service or a part of it, and
(b)the child user condition is met in relation to—
(i)the service, or
(ii)a part of the service that it is possible for children to access.
(5)OFCOM may include in the confirmation decision given to the provider of the service—
(a)a determination that the duties set out in sections 11 and 12, or (as the case may be) sections 28 and 29, must be complied with—
(i)from the date of the confirmation decision, or
(ii)from a later date specified in that decision;
(b)provision about the circumstances in which that determination may be treated as no longer applying in relation to the service.
(6)Subsection (4) is to be interpreted consistently with section 35.
(7)In this section, “children’s access assessment” has the meaning given by section 35.
Commencement Information
I237S. 135 not in force at Royal Assent, see s. 240(1)
I238S. 135 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)This section sets out what powers OFCOM have to include in a confirmation decision a requirement to take steps to use a kind, or one of the kinds, of proactive technology specified in the decision (a “proactive technology requirement”).
(2)A proactive technology requirement may be imposed in a confirmation decision if—
(a)the decision is given to the provider of an internet service within section 80(2), and
(b)the decision is imposed for the purpose of complying with, or remedying the failure to comply with, the duty set out in section 81(2) (provider pornographic content).
(3)The following provisions of this section set out constraints on OFCOM’s power to include a proactive technology requirement in a confirmation decision in any case not within subsection (2).
(4)A proactive technology requirement may be imposed in a confirmation decision only if the decision is given to the provider of a Part 3 service.
(5)A proactive technology requirement may be imposed in a confirmation decision only for the purpose of complying with, or remedying the failure to comply with, any of the duties set out in—
(a)section 10(2) or (3) (illegal content),
(b)section 12(2) or (3) (children’s online safety),
(c)section 27(2) or (3) (illegal content),
(d)section 29(2) or (3) (children’s online safety), or
(e)section 38(1) or 39(1) (fraudulent advertising).
(6)Proactive technology may be required to be used on or in relation to any Part 3 service or any part of such a service, but if and to the extent that the technology operates (or may operate) by analysing content that is user-generated content in relation to the service, or metadata relating to such content, the technology may not be required to be used except to analyse—
(a)user-generated content communicated publicly, and
(b)metadata relating to user-generated content communicated publicly.
(7)Before imposing a proactive technology requirement in relation to a service in a confirmation decision, OFCOM must particularly consider the matters mentioned in subsection (8), so far as they are relevant.
(8)The matters are as follows—
(a)the kind of service it is;
(b)the functionalities of the service;
(c)the user base of the service;
(d)the prevalence of relevant content on the service and the extent of its dissemination by means of the service, or (as the case may be) the prevalence of search content of the service that is relevant content;
(e)the level of risk of harm to individuals in the United Kingdom presented by relevant content present on the service, or (as the case may be) search content of the service that is relevant content, and the severity of that harm;
(f)the degree of accuracy, effectiveness and lack of bias achieved by the kind of technology specified in the decision;
(g)the extent to which the use of the kind of proactive technology specified in the decision would or might result in interference with users’ right to freedom of expression within the law;
(h)the level of risk of the use of the kind of proactive technology specified in the decision resulting in a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of the service (including, but not limited to, any such provision or rule concerning the processing of personal data);
(i)whether the use of any less intrusive measures than the proactive technology specified in the decision would be likely to result in compliance with, or would be likely to effectively remedy the failure to comply with, the duty in question.
(9)A confirmation decision that imposes a proactive technology requirement on a provider may also impose requirements about review of the technology by the provider.
(10)A confirmation decision relating to a service which requires the use of technology of a kind mentioned in subsection (6) must identify the content, or parts of the service that include content, that OFCOM consider is communicated publicly on that service (see section 232).
(11)In this section—
“content that is harmful to children” has the same meaning as in Part 3 (see section 60);
“fraudulent advertisement” has the meaning given by section 38 or 39 (depending on the kind of service in question);
“illegal content” has the same meaning as in Part 3 (see section 59);
“relevant content” means illegal content, content that is harmful to children or content consisting of fraudulent advertisements, or any or all of those kinds of content (depending on the duties (as mentioned in subsection (5)) for the purposes of which the proactive technology requirement is imposed);
“search content” has the same meaning as in Part 3 (see section 57);
“user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).
Commencement Information
I239S. 136 not in force at Royal Assent, see s. 240(1)
I240S. 136(1)(2)(a)(3)-(11) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)A confirmation decision may require the person to whom it is given to do either or both of the following, depending on what was proposed in the provisional notice of contravention (see paragraph 3 of Schedule 13)—
(a)pay to OFCOM a penalty of a single amount in sterling determined by OFCOM (a “single penalty”) and specified in the confirmation decision;
(b)if the confirmation decision includes a requirement of the kind described in section 133(1)(a) in respect of a continuous failure to comply with a notified requirement, pay a daily rate penalty to OFCOM if that same failure continues after the compliance date.
(2)A “daily rate penalty” means a penalty of an amount in sterling determined by OFCOM and calculated by reference to a daily rate.
(3)A confirmation decision may impose separate single penalties for failure to comply with separate notified requirements specified in the decision.
(4)Where a provisional notice of contravention is given in respect of a period of continuing failure to comply with a notified requirement, no more than one single penalty may be imposed by a confirmation decision in respect of the period of failure specified in the provisional notice of contravention.
(5)A confirmation decision that imposes a penalty must—
(a)give OFCOM’s reasons for their decision to impose the penalty,
(b)specify each notified requirement to which the penalty relates,
(c)specify the period during which the failure to comply with a notified requirement has occurred, and whether the failure is continuing,
(d)state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,
(e)specify a reasonable period within which the penalty must be paid,
(f)contain details of the rights of appeal under section 168, and
(g)contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(6)The period specified under subsection (5)(e) for the payment of a single penalty must be at least 28 days beginning with the day on which the confirmation decision is given.
(7)If a confirmation decision imposes a single penalty and a daily rate penalty, the information mentioned in subsection (5)(a), (b), (d) and (e) must be given in respect of each kind of penalty.
(8)As well as containing the information mentioned in subsection (5), a confirmation decision that imposes a daily rate penalty in respect of a continuous failure to comply with a notified requirement must—
(a)state the daily rate of the penalty and how the penalty is calculated;
(b)state that the person will be liable to pay the penalty if that same failure continues after the compliance date;
(c)state the date from which the penalty begins to be payable, which must not be earlier than the day after the compliance date;
(d)provide for the penalty to continue to be payable at the daily rate until—
(i)the date on which the notified requirement is complied with,
(ii)if the penalty is imposed in respect of a failure to comply with more than one notified requirement, the date on which the last of those requirements is complied with, or
(iii)an earlier date specified in the confirmation decision.
(9)In this section—
“compliance date”, in relation to a notified requirement, means—
in a case where the confirmation decision requires steps to be taken immediately to comply with that requirement (see section 133(5)), the date of the confirmation decision;
in any other case, the last day of the period specified in the confirmation decision in accordance with section 133(4)(f) for compliance with that requirement;
“notified requirement” has the meaning given by section 132.
Commencement Information
I241S. 137 not in force at Royal Assent, see s. 240(1)
I242S. 137 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)A person to whom a confirmation decision is given commits an offence if, without reasonable excuse, the person fails to comply with a requirement imposed by the decision which—
(a)is of a kind described in section 133(1), and
(b)is imposed (whether or not exclusively) in relation to a failure to comply with a children’s online safety duty.
(2)A “children’s online safety duty” means a duty set out in—
(a)section 12(3)(a),
(b)section 12(3)(b),
(c)section 81(2), or
(d)section 81(4).
(3)A person to whom a confirmation decision is given commits an offence if, without reasonable excuse, the person fails to comply with a CSEA requirement imposed by the decision (see section 133(6) and (7)).
(4)A person who commits an offence under this section is liable—
(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);
(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).
Commencement Information
I243S. 138 not in force at Royal Assent, see s. 240(1)
I244S. 138(1)(2)(a)(b)(3)(4) in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)This section applies if—
(a)OFCOM have given a confirmation decision to a person,
(b)the decision includes requirements of a kind described in section 133(1) (requirements to take steps),
(c)OFCOM are satisfied that the person has failed to comply with one or more of those requirements, and
(d)OFCOM have not imposed a daily rate penalty under section 137(1)(b) in respect of that failure.
(2)OFCOM may give the person a penalty notice under this section in respect of the failure to comply with the confirmation decision, requiring the person to pay to OFCOM a penalty of a single amount in sterling determined by OFCOM.
(3)But OFCOM may give such a notice to the person only after—
(a)notifying the person that they propose to give a penalty notice under this section, specifying the reasons for doing so and indicating the amount of the proposed penalty, and
(b)giving the person an opportunity to make representations (with any supporting evidence).
(4)A penalty notice under this section must—
(a)give OFCOM’s reasons for their decision to impose the penalty,
(b)state the amount of the penalty,
(c)state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,
(d)specify the period within which the penalty must be paid,
(e)contain details of the rights of appeal under section 168, and
(f)contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(5)The period specified under subsection (4)(d) must be at least 28 days beginning with the day on which the penalty notice is given.
Commencement Information
I245S. 139 not in force at Royal Assent, see s. 240(1)
I246S. 139 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)This section applies if—
(a)OFCOM have given a notice under section 121(1) relating to a Part 3 service to the provider of that service (notices to deal with terrorism content and CSEA content), and
(b)OFCOM are satisfied that the provider has failed, or is failing, to comply with the notice.
(2)OFCOM may give the provider a notice under this subsection stating that they propose to impose a penalty on the provider in respect of that failure.
(3)The provider may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice.
(4)Subsection (5) applies if—
(a)the period allowed for representations has expired, and
(b)OFCOM are still satisfied as to the failure mentioned in subsection (1).
(5)OFCOM may give the provider a penalty notice under this subsection requiring the provider to pay to OFCOM a penalty of an amount in sterling determined by OFCOM.
(6)The penalty may consist of any of the following, depending on what was specified in the notice about the proposed penalty—
(a)a single amount;
(b)an amount calculated by reference to a daily rate;
(c)a combination of a single amount and an amount calculated by reference to a daily rate.
(7)See section 142 for information which must be included in notices under this section.
(8)Nothing in this section is to be taken to prevent OFCOM from giving the provider a further notice under section 121(1) (see section 126), as well as giving a penalty notice under subsection (5).
Commencement Information
I247S. 140 not in force at Royal Assent, see s. 240(1)
I248S. 140 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)This section applies if—
(a)the provider of a regulated service is liable to pay a fee to OFCOM under section 84 or Schedule 10 in respect of the current charging year (within the meaning of Part 6) or a previous charging year, and
(b)in OFCOM’s opinion, the provider has not paid the full amount of the fee that the provider is liable to pay.
(2)OFCOM may give the provider a notice under this subsection specifying—
(a)the outstanding amount of the fee that OFCOM consider the provider is due to pay to them under section 84 or Schedule 10, and
(b)the period within which the provider must pay it.
(3)A notice under subsection (2)—
(a)may be given in respect of liabilities that relate to different charging years;
(b)may also state that OFCOM propose to impose a penalty on the provider.
(4)The provider may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice.
(5)Subsection (6) applies if—
(a)the notice under subsection (2) stated that OFCOM propose to impose a penalty,
(b)the period allowed for representations has expired, and
(c)OFCOM are satisfied that an amount of the fee is still due to them.
(6)OFCOM may give the provider a penalty notice under this subsection requiring the provider to pay to OFCOM a penalty of an amount in sterling determined by OFCOM.
(7)The penalty may consist of any of the following, depending on what was specified in the notice about the proposed penalty—
(a)a single amount;
(b)an amount calculated by reference to a daily rate;
(c)a combination of a single amount and an amount calculated by reference to a daily rate.
(8)A penalty notice under subsection (6) may require the payment of separate single amounts in respect of liabilities that relate to different charging years.
(9)See section 142 for information which must be included in notices under this section.
(10)Nothing in this section affects OFCOM’s power to bring proceedings (whether before or after the imposition of a penalty by a notice under subsection (6)) for the recovery of the whole or part of an amount due to OFCOM under section 84 or Schedule 10.
(11)But OFCOM may not bring such proceedings unless a provider has first been given a notice under subsection (2) specifying the amount due to OFCOM.
Commencement Information
I249S. 141 not in force at Royal Assent, see s. 240(1)
I250S. 141 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)Subsection (2) applies in relation to—
(a)a notice under section 140(2), and
(b)a notice under section 141(2) stating that OFCOM propose to impose a penalty.
(2)Such a notice must—
(a)state the reasons why OFCOM propose to impose the penalty,
(b)state whether OFCOM propose that the penalty should consist of a single amount, an amount calculated by reference to a daily rate, or a combination of the two,
(c)indicate the amount of the proposed penalty, including (in relation to an amount calculated by reference to a daily rate) the daily rate and how the penalty would be calculated,
(d)in relation to an amount calculated by reference to a daily rate, specify or describe the period for which OFCOM propose that the amount should be payable,
(e)state the reasons for proposing a penalty of that amount, including any aggravating or mitigating factors that OFCOM propose to take into account, and
(f)specify the period within which representations in relation to the proposed penalty may be made.
(3)A penalty notice under section 140(5) or 141(6) must—
(a)give OFCOM’s reasons for their decision to impose the penalty,
(b)state whether the penalty consists of a single amount, an amount calculated by reference to a daily rate, or a combination of the two, and how it is calculated,
(c)in relation to a single amount, state that amount,
(d)in relation to an amount calculated by reference to a daily rate, state the daily rate,
(e)state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,
(f)specify a reasonable period within which the penalty must be paid,
(g)contain details of the rights of appeal under section 168, and
(h)contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(4)A penalty notice under section 141(6) must also specify the amount of the fee that is (in OFCOM’s opinion) due to be paid to OFCOM.
(5)The period specified under subsection (3)(f) for the payment of a single amount must be at least 28 days beginning with the day on which the penalty notice is given.
(6)Subsection (7) applies in relation to a penalty notice under section 140(5) or 141(6) that includes a requirement to pay an amount calculated by reference to a daily rate.
(7)Such a notice must—
(a)state the date from which the amount begins to be payable, which must not be earlier than the day after the day on which the notice is given;
(b)provide for the amount to continue to be payable at the daily rate until—
(i)(in the case of a notice under section 140(5)) the date on which OFCOM are satisfied that the provider is complying with the notice under section 121(1), or (in the case of a notice under section 141(6)) the date on which the full amount of the fee (as specified in the penalty notice) has been paid to OFCOM, or
(ii)an earlier date specified in the penalty notice.
Commencement Information
I251S. 142 not in force at Royal Assent, see s. 240(1)
I252S. 142 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
Schedule 13 contains provision about the amount of penalties that OFCOM may impose under this Chapter, and makes further provision about such penalties.
Commencement Information
I253S. 143 not in force at Royal Assent, see s. 240(1)
I254S. 143 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)OFCOM may apply to the court for an order under this section (a “service restriction order”) in relation to a regulated service where they consider that—
(a)the grounds in subsection (3) apply in relation to the service, or
(b)in the case of a Part 3 service, the grounds in subsection (4) apply in relation to the service.
(2)A service restriction order is an order imposing requirements on one or more persons who provide an ancillary service (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (11)).
(3)The grounds mentioned in subsection (1)(a) are that—
(a)the provider of the regulated service has failed to comply with an enforceable requirement that applies in relation to the regulated service,
(b)the failure is continuing, and
(c)any of the following applies—
(i)the provider has failed to comply with a requirement imposed by a confirmation decision that is of a kind described in section 133(1) relating to the failure;
(ii)the provider has failed to pay a penalty imposed by a confirmation decision relating to the failure (and the confirmation decision did not impose any requirements of a kind described in section 133(1));
(iii)the provider would be likely to fail to comply with requirements imposed by a confirmation decision if given;
(iv)the circumstances of the failure or the risks of harm to individuals in the United Kingdom are such that it is appropriate to make the application without having given a provisional notice of contravention, without having given a confirmation decision, or (having given a confirmation decision imposing requirements) without waiting to ascertain compliance with those requirements.
(4)The grounds mentioned in subsection (1)(b) are that—
(a)the provider of the Part 3 service has failed to comply with a notice under section 121(1) that relates to the service (notices to deal with terrorism content and CSEA content), and
(b)the failure is continuing.
(5)An application by OFCOM for a service restriction order must—
(a)specify the regulated service in relation to which the application is made (“the relevant service”),
(b)specify the provider of that service (“the non-compliant provider”),
(c)specify the grounds on which the application is based, and contain evidence about those grounds,
(d)specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,
(e)contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an ancillary service in relation to the relevant service, and specify any such ancillary service provided,
(f)specify the requirements which OFCOM consider that the order should impose on such persons, and
(g)in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.
(6)The court may make a service restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—
(a)as to the grounds in subsection (3) or the grounds in subsection (4) (as the case may be),
(b)that the person provides an ancillary service in relation to the relevant service,
(c)that it is appropriate to make the order for the purpose of preventing harm to individuals in the United Kingdom, and the order is proportionate to the risk of such harm,
(d)in the case of an application made on the ground in subsection (3)(c)(iii) or (iv), that it is appropriate to make the order before a provisional notice of contravention or confirmation decision has been given, or before compliance with requirements imposed by a confirmation decision has been ascertained (as the case may be), and
(e)if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.
(7)When considering whether to make a service restriction order in relation to the relevant service, and when considering what provision it should contain, the court must take into account (among other things) the rights and obligations of all relevant parties, including those of—
(a)the non-compliant provider,
(b)the person or persons on whom the court is considering imposing the requirements, and
(c)United Kingdom users of the relevant service.
(8)A service restriction order made in relation to the relevant service must—
(a)identify the non-compliant provider,
(b)identify the persons on whom the requirements are imposed, and any ancillary service to which the requirements relate,
(c)require such persons to take the steps specified in the order, or to put in place arrangements, that have the effect of withdrawing the ancillary service to the extent that it relates to the relevant service (or part of it), or preventing the ancillary service from promoting or displaying content that relates to the relevant service (or part of it) in any way,
(d)specify the date by which the requirements in the order must be complied with, and
(e)specify the date on which the order expires, or the period for which the order has effect.
(9)The steps that may be specified or arrangements that may be required to be put in place—
(a)include steps or arrangements that will or may require the termination of an agreement (whether or not made before the coming into force of this section), or the prohibition of the performance of such an agreement, and
(b)are limited, so far as that is possible, to steps or arrangements relating to the operation of the relevant service as it affects United Kingdom users.
(10)OFCOM must inform the Secretary of State as soon as reasonably practicable after a service restriction order has been made.
(11)For the purposes of this section, a service is an “ancillary service” in relation to a regulated service if the service facilitates the provision of the regulated service (or part of it), whether directly or indirectly, or displays or promotes content relating to the regulated service (or to part of it).
(12)Examples of ancillary services include—
(a)services, provided (directly or indirectly) in the course of a business, which enable funds to be transferred in relation to a regulated service,
(b)search engines which generate search results displaying or promoting content relating to a regulated service,
(c)user-to-user services which make content relating to a regulated service available to users, and
(d)services which use technology to facilitate the display of advertising on a regulated service (for example, an ad server or an ad network).
(13)In this section “the court” means—
(a)in England and Wales, the High Court or the county court,
(b)in Scotland, the Court of Session or a sheriff, and
(c)in Northern Ireland, the High Court or a county court.
Commencement Information
I255S. 144 not in force at Royal Assent, see s. 240(1)
I256S. 144 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)OFCOM may apply to the court for an interim order under this section (an “interim service restriction order”) in relation to a regulated service where they consider that—
(a)the grounds in subsection (3) apply in relation to the service, or
(b)in the case of a Part 3 service, the grounds in subsection (4) apply in relation to the service.
(2)An interim service restriction order is an interim order imposing requirements on one or more persons who provide an ancillary service (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (9)).
(3)The grounds mentioned in subsection (1)(a) are that—
(a)it is likely that the provider of the regulated service is failing to comply with an enforceable requirement that applies in relation to the regulated service, and
(b)the level of risk of harm to individuals in the United Kingdom relating to the likely failure, and the nature and severity of that harm, are such that it would not be appropriate to wait to establish the failure before applying for the order.
(4)The grounds mentioned in subsection (1)(b) are that—
(a)it is likely that the provider of the Part 3 service is failing to comply with a notice under section 121(1) that relates to the service (notices to deal with terrorism content and CSEA content), and
(b)the level of risk of harm to individuals in the United Kingdom relating to the likely failure, and the nature and severity of that harm, are such that it would not be appropriate to wait to establish the failure before applying for the order.
(5)An application by OFCOM for an interim service restriction order must—
(a)specify the regulated service in relation to which the application is made (“the relevant service”),
(b)specify the provider of that service (“the non-compliant provider”),
(c)specify the grounds on which the application is based, and contain evidence about those grounds,
(d)specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,
(e)contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an ancillary service in relation to the relevant service, and specify any such ancillary service provided,
(f)specify the requirements which OFCOM consider that the order should impose on such persons, and
(g)in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.
(6)The court may make an interim service restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—
(a)as to the ground in subsection (3)(a) or the ground in subsection (4)(a) (as the case may be),
(b)that the person provides an ancillary service in relation to the relevant service,
(c)that there are prima facie grounds to suggest that an application for a service restriction order under section 144 would be successful,
(d)that the level of risk of harm to individuals in the United Kingdom relating to the likely failure mentioned in subsection (3)(a) or (4)(a) (whichever applies), and the nature and severity of that harm, are such that it is not appropriate to wait for the failure to be established before making the order, and
(e)if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.
(7)An interim service restriction order ceases to have effect on the earlier of—
(a)the date specified in the order, or the date on which the period specified in the order expires (as the case may be), and
(b)the date on which the court makes a service restriction order under section 144 in relation to the relevant service that imposes requirements on the same persons on whom requirements are imposed by the interim order, or dismisses the application for such an order.
(8)Subsections (7) to (10) of section 144 apply in relation to an interim service restriction order under this section as they apply in relation to a service restriction order under that section.
(9)In this section, “ancillary service” and “the court” have the same meaning as in section 144 (see subsections (11), (12) and (13) of that section).
Commencement Information
I257S. 145 not in force at Royal Assent, see s. 240(1)
I258S. 145 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)OFCOM may apply to the court for an order under this section (an “access restriction order”) in relation to a regulated service where they consider that—
(a)the grounds in section 144(3) or (4) apply in relation to the service, and
(b)either—
(i)a service restriction order under section 144 or an interim service restriction order under section 145 has been made in relation to the failure, and it was not sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure, or
(ii)the likely consequences of the failure are such that if a service restriction order or an interim service restriction order were to be made, it would be unlikely to be sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure,
and in this paragraph, “the failure” means the failure mentioned in section 144(3)(a) or (4)(a) (as the case may be).
(2)An access restriction order is an order imposing requirements on one or more persons who provide an access facility (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (10)).
(3)An application by OFCOM for an access restriction order must—
(a)specify the regulated service in relation to which the application is made (“the relevant service”),
(b)specify the provider of that service (“the non-compliant provider”),
(c)specify the grounds on which the application is based, and contain evidence about those grounds,
(d)specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,
(e)contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an access facility in relation to the relevant service, and specify any such access facility provided,
(f)specify the requirements which OFCOM consider that the order should impose on such persons, and
(g)in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.
(4)The court may make an access restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—
(a)as to the grounds in subsection (1),
(b)that the person provides an access facility in relation to the relevant service,
(c)that it is appropriate to make the order for the purpose of preventing significant harm to individuals in the United Kingdom, and the order is proportionate to the risk of such harm,
(d)in the case of an application made on the ground in subsection (3)(c)(iii) or (iv) of section 144 (by virtue of subsection (1)(a)), that it is appropriate to make the order before a provisional notice of contravention or confirmation decision has been given, or before compliance with requirements imposed by a confirmation decision has been ascertained (as the case may be), and
(e)if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.
(5)When considering whether to make an access restriction order in relation to the relevant service, and when considering what provision it should contain, the court must take into account (among other things) the rights and obligations of all relevant parties, including those of—
(a)the non-compliant provider,
(b)the person or persons on whom the court is considering imposing the requirements, and
(c)United Kingdom users of the relevant service.
(6)An access restriction order made in relation to the relevant service must—
(a)identify the non-compliant provider,
(b)identify the persons on whom the requirements are imposed, and any access facility to which the requirements relate,
(c)require such persons to take the steps specified in the order, or to put in place arrangements, to withdraw, adapt or manipulate the access facility in order to impede users’ access (by means of that facility) to the relevant service (or to part of it),
(d)specify the date by which the requirements in the order must be complied with, and
(e)specify the date on which the order expires, or the period for which the order has effect.
(7)The steps that may be specified or arrangements that may be required to be put in place—
(a)include steps or arrangements that will or may require the termination of an agreement (whether or not made before the coming into force of this section), or the prohibition of the performance of such an agreement,
(b)are limited, so far as that is possible, to steps or arrangements that impede the access of United Kingdom users, and
(c)are limited, so far as that is possible, to steps or arrangements that do not affect such users’ ability to access any other internet services.
(8)OFCOM must inform the Secretary of State as soon as reasonably practicable after an access restriction order has been made.
(9)Where a person who provides an access facility takes steps or puts in place arrangements required by an access restriction order, OFCOM may, by notice, require that person to (where possible) notify persons in the United Kingdom who attempt to access the relevant service via that facility of the access restriction order (and where a confirmation decision has been given to the non-compliant provider, the notification must refer to that decision).
(10)For the purposes of this section, a facility is an “access facility” in relation to a regulated service if the person who provides the facility is able to withdraw, adapt or manipulate it in such a way as to impede access (by means of that facility) to the regulated service (or to part of it) by United Kingdom users of that service.
(11)Examples of access facilities include—
(a)internet access services by means of which a regulated service is made available, and
(b)app stores through which a mobile app for a regulated service may be downloaded or otherwise accessed.
(12)In this section—
“the court” means—
in England and Wales, the High Court or the county court,
in Scotland, the Court of Session or a sheriff, and
in Northern Ireland, the High Court or a county court;
“facility” means any kind of service, infrastructure or apparatus enabling users of a regulated service to access the regulated service;
“internet access service” means a service that provides access to virtually all (or just some) of the end points of the internet.
Commencement Information
I259S. 146 not in force at Royal Assent, see s. 240(1)
I260S. 146 in force at 10.1.2024 by S.I. 2023/1420, reg. 2(z17)
(1)OFCOM may apply to the court for an interim order under this section (an “interim access restriction order”) in relation to a regulated service where they consider that—
(a)the grounds in section 145(3) or (4) apply in relation to the service, and
(b)either—
(i)a service restriction order under section 144 or an interim service restriction order under section 145 has been made in relation to the likely failure, and it was not sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure, or
(ii)the likely consequences of such a failure would be such that if a service restriction order or an interim service restriction order were to be made, it would be unlikely to be sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure,
and in this section, “the likely failure” means the likely failure mentioned in section 145(3)(a) or (4)(a) (as the case may be).
(2)An interim access restriction order is an interim order imposing requirements on one or more persons who provide an access facility (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (8)).
(3)An application by OFCOM for an interim access restriction order must—
(a)specify the regulated service in relation to which the application is made (“the relevant service”),
(b)specify the provider of that service (“the non-compliant provider”),
(c)specify the grounds on which the application is based, and contain evidence about those grounds,
(d)specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,
(e)contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an access facility in relation to the relevant service, and specify any such access facility provided,
(f)specify the requirements which OFCOM consider that the order should impose on such persons, and
(g)in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.
(4)The court may make an interim access restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—
(a)that the ground in section 145(3)(a) or (4)(a) (as the case may be) applies in relation to the service,
(b)as to the ground in subsection (1)(b)(i) or (ii),
(c)that the person provides an access facility in relation to the relevant service,
(d)that there are prima facie grounds to suggest that an application for an access restriction order under section 146 would be successful,
(e)