xmlns:atom="http://www.w3.org/2005/Atom"

Online Safety Act 2023

2023 CHAPTER 50

An Act to make provision for and in connection with the regulation by OFCOM of certain internet services; for and in connection with communications offences; and for connected purposes.

[26th October 2023]

Be it enacted by the King’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—

PART 1Introduction

1Introduction

(1)This Act provides for a new regulatory framework which has the general purpose of making the use of internet services regulated by this Act safer for individuals in the United Kingdom.

(2)To achieve that purpose, this Act (among other things)—

(a)imposes duties which, in broad terms, require providers of services regulated by this Act to identify, mitigate and manage the risks of harm (including risks which particularly affect individuals with a certain characteristic) from—

(i)illegal content and activity, and

(ii)content and activity that is harmful to children, and

(b)confers new functions and powers on the regulator, OFCOM.

(3)Duties imposed on providers by this Act seek to secure (among other things) that services regulated by this Act are—

(a)safe by design, and

(b)designed and operated in such a way that—

(i)a higher standard of protection is provided for children than for adults,

(ii)users’ rights to freedom of expression and privacy are protected, and

(iii)transparency and accountability are provided in relation to those services.

2Overview of Act

(1)Parts 2 to 9 and 11 and 12 of this Act contain provision about the regulation by OFCOM of certain internet services.

(2)Part 2 contains key definitions, including the definition of a user-to-user service, a search service, a Part 3 service and a regulated service.

(3)Part 3 imposes duties of care on providers of user-to-user services and search services and requires OFCOM to issue codes of practice about those duties.

(4)Part 4 imposes further duties on providers of user-to-user services and search services.

(5)Part 5 imposes duties on providers of internet services (including user-to-user services and search services) that publish certain pornographic content.

(6)Part 6, which imposes requirements to pay fees to OFCOM, applies to providers of internet services to which the duties in Part 3, 4 or 5 apply (“regulated services”).

(7)Part 7 is about OFCOM’s powers and duties in relation to regulated services (including powers to obtain information and enforcement powers).

(8)Part 8 is about appeals and complaints relating to regulated services.

(9)Part 9 is about the Secretary of State’s functions in relation to regulated services.

(10)Part 10 contains communications offences.

(11)Parts 11 and 12 contain supplementary provisions including an index of terms defined in this Act (see section 237).

PART 2Key definitions

3“User-to-user service” and “search service”

(1)In this Act “user-to-user service” means an internet service by means of which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service.

(2)For the purposes of subsection (1)

(a)it does not matter if content is actually shared with another user or users as long as a service has a functionality that allows such sharing;

(b)it does not matter what proportion of content on a service is content described in that subsection.

(3)For the meaning of “content” and “encounter”, see section 236.

(4)In this Act “search service” means an internet service that is, or includes, a search engine (see section 229).

(5)Subsections (6) and (7) have effect to determine whether an internet service that—

(a)is of a kind described in subsection (1), and

(b)includes a search engine,

is a user-to-user service or a search service for the purposes of this Act.

(6)It is a search service if the only content described in subsection (1) that is enabled by the service is content of any of the following kinds—

(a)content mentioned in paragraph 1, 2 or 3 of Schedule 1 (emails, SMS and MMS messages, one-to-one live aural communications) and related identifying content;

(b)content arising in connection with any of the activities described in paragraph 4(1) of Schedule 1 (comments etc on provider content);

(c)content present on a part of the service in relation to which the conditions in paragraph 7(2) of Schedule 1 are met (internal business service conditions).

(7)Otherwise, it is a user-to-user service.

4“Regulated service”, “Part 3 service” etc

(1)This section applies for the purposes of this Act.

(2)A user-to-user service is a “regulated user-to-user service”, and a search service is a “regulated search service”, if the service—

(a)has links with the United Kingdom (see subsections (5) and (6)), and

(b)is not—

(i)a service of a description that is exempt as provided for by Schedule 1, or

(ii)a service of a kind described in Schedule 2 (services combining user-generated content or search content not regulated by this Act with pornographic content that is regulated).

(3)Part 3 service” means a regulated user-to-user service or a regulated search service.

(4)Regulated service” means—

(a)a regulated user-to-user service,

(b)a regulated search service, or

(c)an internet service, other than a regulated user-to-user service or a regulated search service, that is within section 80(2) (including a service of a kind described in Schedule 2).

(5)For the purposes of subsection (2), a user-to-user service or a search service “has links with the United Kingdom” if—

(a)the service has a significant number of United Kingdom users, or

(b)United Kingdom users form one of the target markets for the service (or the only target market).

(6)For the purposes of subsection (2), a user-to-user service or a search service also “has links with the United Kingdom” if—

(a)the service is capable of being used in the United Kingdom by individuals, and

(b)there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom presented by—

(i)in the case of a user-to-user service, user-generated content present on the service or (if the service includes a search engine) search content of the service;

(ii)in the case of a search service, search content of the service.

(7)A regulated user-to-user service that includes a public search engine is referred to in this Act as a “combined service”.

Public search engine” means a search engine other than one in relation to which the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met.

(8)In this section—

5Disapplication of Act to certain parts of services

(1)This Act does not apply in relation to a part of a Part 3 service if the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met in relation to that part.

(2)This Act does not apply in relation to a part of a regulated search service if—

(a)the only user-generated content enabled by that part of the service is content of any of the following kinds—

(i)content mentioned in paragraph 1, 2 or 3 of Schedule 1 (emails, SMS and MMS messages, one-to-one live aural communications) and related identifying content;

(ii)content arising in connection with any of the activities described in paragraph 4(1) of Schedule 1 (comments etc on provider content); and

(b)no regulated provider pornographic content is published or displayed on that part of the service.

(3)In this section—

PART 3Providers of regulated user-to-user services and regulated search services: duties of care

CHAPTER 1Introduction

6Overview of Part 3

(1)This Part imposes duties of care on providers of regulated user-to-user services and regulated search services and requires OFCOM to issue codes of practice relating to some of those duties.

(2)Chapter 2 imposes duties of care on providers of regulated user-to-user services in relation to content and activity on their services.

(3)Chapter 3 imposes duties of care on providers of regulated search services in relation to content and activity on their services.

(4)Chapter 4 imposes duties on providers of regulated user-to-user services and regulated search services to assess whether a service is likely to be accessed by children.

(5)Chapter 5 imposes duties on providers of certain regulated user-to-user services and regulated search services relating to fraudulent advertising.

(6)Chapter 6 requires OFCOM to issue codes of practice relating to particular duties and explains what effects the codes of practice have.

(7)Chapter 7 is about the interpretation of this Part, and it includes definitions of the following key terms—

CHAPTER 2Providers of user-to-user services: duties of care

User-to-user services: which duties apply, and scope of duties

7Providers of user-to-user services: duties of care

(1)Subsections (2) to (6) apply to determine which of the duties set out in this Chapter (and, in the case of combined services, Chapter 3) must be complied with by providers of regulated user-to-user services.

(2)All providers of regulated user-to-user services must comply with the following duties in relation to each such service which they provide—

(a)the duties about illegal content risk assessments set out in section 9,

(b)the duties about illegal content set out in section 10(2) to (8),

(c)the duty about content reporting set out in section 20,

(d)the duties about complaints procedures set out in section 21,

(e)the duties about freedom of expression and privacy set out in section 22(2) and (3), and

(f)the duties about record-keeping and review set out in section 23(2) to (6).

(3)Additional duties must be complied with by providers of particular kinds of regulated user-to-user services, as follows.

(4)All providers of regulated user-to-user services that are likely to be accessed by children must comply with the following duties in relation to each such service which they provide—

(a)the duties about children’s risk assessments set out in section 11, and

(b)the duties to protect children’s online safety set out in section 12(2) to (13).

(5)All providers of Category 1 services must comply with the following duties in relation to each such service which they provide—

(a)the duty about illegal content risk assessments set out in section 10(9),

(b)the duty about children’s risk assessments set out in section 12(14),

(c)the duties about assessments related to adult user empowerment set out in section 14,

(d)the duties to empower adult users set out in section 15,

(e)the duties to protect content of democratic importance set out in section 17,

(f)the duties to protect news publisher content set out in section 18,

(g)the duties to protect journalistic content set out in section 19,

(h)the duties about freedom of expression and privacy set out in section 22(4), (6) and (7), and

(i)the duties about record-keeping set out in section 23(9) and (10).

(6)All providers of combined services must comply with the following duties in relation to the search engine of each such service which they provide—

(a)if the service is not a Category 2A service and is not likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2);

(b)if the service is not a Category 2A service and is likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2) and (4);

(c)if the service is a Category 2A service not likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2) and (5);

(d)if the service is a Category 2A service likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2), (4) and (5).

(7)For the meaning of “likely to be accessed by children”, see section 37.

(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).

8Scope of duties of care

(1)A duty set out in this Chapter which must be complied with in relation to a user-to-user service that includes regulated provider pornographic content does not extend to—

(a)the regulated provider pornographic content, or

(b)the design, operation or use of the service so far as relating to that content.

See Part 5 for the duties which relate to regulated provider pornographic content, and the meaning of that term.

(2)A duty set out in this Chapter which must be complied with in relation to a combined service does not extend to—

(a)the search content of the service,

(b)any other content that, following a search request, may be encountered as a result of subsequent interactions with internet services, or

(c)anything relating to the design, operation or use of the search engine.

(3)A duty set out in this Chapter which must be complied with in relation to a user-to-user service extends only to—

(a)the design, operation and use of the service in the United Kingdom, and

(b)in the case of a duty that is expressed to apply in relation to users of a service, the design, operation and use of the service as it affects United Kingdom users of the service.

Illegal content duties for user-to-user services

9Illegal content risk assessment duties

(1)This section sets out the duties about risk assessments which apply in relation to all regulated user-to-user services.

(2)A duty to carry out a suitable and sufficient illegal content risk assessment at a time set out in, or as provided by, Schedule 3.

(3)A duty to take appropriate steps to keep an illegal content risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.

(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient illegal content risk assessment relating to the impacts of that proposed change.

(5)An “illegal content risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—

(a)the user base;

(b)the level of risk of individuals who are users of the service encountering the following by means of the service—

(i)each kind of priority illegal content (with each kind separately assessed), and

(ii)other illegal content,

taking into account (in particular) algorithms used by the service, and how easily, quickly and widely content may be disseminated by means of the service;

(c)the level of risk of the service being used for the commission or facilitation of a priority offence;

(d)the level of risk of harm to individuals presented by illegal content of different kinds or by the use of the service for the commission or facilitation of a priority offence;

(e)the level of risk of functionalities of the service facilitating the presence or dissemination of illegal content or the use of the service for the commission or facilitation of a priority offence, identifying and assessing those functionalities that present higher levels of risk;

(f)the different ways in which the service is used, and the impact of such use on the level of risk of harm that might be suffered by individuals;

(g)the nature, and severity, of the harm that might be suffered by individuals from the matters identified in accordance with paragraphs (b) to (f);

(h)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.

(6)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to individuals presented by illegal content.

(7)See also—

(a)section 23(2) and (10) (records of risk assessments), and

(b)Schedule 3 (timing of providers’ assessments).

10Safety duties about illegal content

(1)This section sets out the duties about illegal content which apply in relation to regulated user-to-user services (as indicated by the headings).

All services

(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to—

(a)prevent individuals from encountering priority illegal content by means of the service,

(b)effectively mitigate and manage the risk of the service being used for the commission or facilitation of a priority offence, as identified in the most recent illegal content risk assessment of the service, and

(c)effectively mitigate and manage the risks of harm to individuals, as identified in the most recent illegal content risk assessment of the service (see section 9(5)(g)).

(3)A duty to operate a service using proportionate systems and processes designed to—

(a)minimise the length of time for which any priority illegal content is present;

(b)where the provider is alerted by a person to the presence of any illegal content, or becomes aware of it in any other way, swiftly take down such content.

(4)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way it is designed, operated and used as well as content present on the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—

(a)regulatory compliance and risk management arrangements,

(b)design of functionalities, algorithms and other features,

(c)policies on terms of use,

(d)policies on user access to the service or to particular content present on the service, including blocking users from accessing the service or particular content,

(e)content moderation, including taking down content,

(f)functionalities allowing users to control the content they encounter,

(g)user support measures, and

(h)staff policies and practices.

(5)A duty to include provisions in the terms of service specifying how individuals are to be protected from illegal content, addressing each paragraph of subsection (3), and (in relation to paragraph (a)) separately addressing terrorism content, CSEA content (see section 59 and Schedule 6) and other priority illegal content.

(6)A duty to apply the provisions of the terms of service referred to in subsection (5) consistently.

(7)A duty to include provisions in the terms of service giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).

(8)A duty to ensure that the provisions of the terms of service referred to in subsections (5) and (7) are clear and accessible.

Additional duty for Category 1 services

(9)A duty to summarise in the terms of service the findings of the most recent illegal content risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to individuals).

Interpretation

(10)In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—

(a)all the findings of the most recent illegal content risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to individuals), and

(b)the size and capacity of the provider of a service.

(11)In this section “illegal content risk assessment” has the meaning given by section 9.

(12)See also, in relation to duties set out in this section, section 22 (duties about freedom of expression and privacy).

User-to-user services likely to be accessed by children

11Children’s risk assessment duties

(1)This section sets out the duties about risk assessments which apply in relation to regulated user-to-user services that are likely to be accessed by children (in addition to the duties about risk assessments set out in section 9 and, in the case of services likely to be accessed by children which are Category 1 services, the duties about assessments set out in section 14).

(2)A duty to carry out a suitable and sufficient children’s risk assessment at a time set out in, or as provided by, Schedule 3.

(3)A duty to take appropriate steps to keep a children’s risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.

(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient children’s risk assessment relating to the impacts of that proposed change.

(5)Where a children’s risk assessment of a service identifies the presence of non-designated content that is harmful to children, a duty to notify OFCOM of—

(a)the kinds of such content identified, and

(b)the incidence of those kinds of content on the service.

(6)A “children’s risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—

(a)the user base, including the number of users who are children in different age groups;

(b)the level of risk of children who are users of the service encountering the following by means of the service—

(i)each kind of primary priority content that is harmful to children (with each kind separately assessed),

(ii)each kind of priority content that is harmful to children (with each kind separately assessed), and

(iii)non-designated content that is harmful to children,

giving separate consideration to children in different age groups, and taking into account (in particular) algorithms used by the service and how easily, quickly and widely content may be disseminated by means of the service;

(c)the level of risk of harm to children presented by different kinds of content that is harmful to children, giving separate consideration to children in different age groups;

(d)the level of risk of harm to children presented by content that is harmful to children which particularly affects individuals with a certain characteristic or members of a certain group;

(e)the extent to which the design of the service, in particular its functionalities, affects the level of risk of harm that might be suffered by children, identifying and assessing those functionalities that present higher levels of risk, including functionalities—

(i)enabling adults to search for other users of the service (including children), or

(ii)enabling adults to contact other users (including children) by means of the service;

(f)the different ways in which the service is used, including functionalities or other features of the service that affect how much children use the service (for example a feature that enables content to play automatically), and the impact of such use on the level of risk of harm that might be suffered by children;

(g)the nature, and severity, of the harm that might be suffered by children from the matters identified in accordance with paragraphs (b) to (f), giving separate consideration to children in different age groups;

(h)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.

(7)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to children presented by content that is harmful to children.

(8)See also—

(a)section 23(2) and (10) (records of risk assessments), and

(b)Schedule 3 (timing of providers’ assessments).

12Safety duties protecting children

(1)This section sets out the duties to protect children’s online safety which apply in relation to regulated user-to-user services that are likely to be accessed by children (as indicated by the headings).

All services

(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively—

(a)mitigate and manage the risks of harm to children in different age groups, as identified in the most recent children’s risk assessment of the service (see section 11(6)(g)), and

(b)mitigate the impact of harm to children in different age groups presented by content that is harmful to children present on the service.

(3)A duty to operate a service using proportionate systems and processes designed to—

(a)prevent children of any age from encountering, by means of the service, primary priority content that is harmful to children;

(b)protect children in age groups judged to be at risk of harm from other content that is harmful to children (or from a particular kind of such content) from encountering it by means of the service.

(4)The duty set out in subsection (3)(a) requires a provider to use age verification or age estimation (or both) to prevent children of any age from encountering primary priority content that is harmful to children which the provider identifies on the service.

(5)That requirement applies to a provider in relation to a particular kind of primary priority content that is harmful to children in every case except where—

(a)a term of service indicates (in whatever words) that the presence of that kind of primary priority content that is harmful to children is prohibited on the service, and

(b)that policy applies in relation to all users of the service.

(6)If a provider is required by subsection (4) to use age verification or age estimation for the purpose of compliance with the duty set out in subsection (3)(a), the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child.

(7)Age verification or age estimation to identify who is or is not a child user or which age group a child user is in are examples of measures which (if not required by subsection (4)) may be taken or used (among others) for the purpose of compliance with a duty set out in subsection (2) or (3).

(8)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way it is designed, operated and used as well as content present on the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—

(a)regulatory compliance and risk management arrangements,

(b)design of functionalities, algorithms and other features,

(c)policies on terms of use,

(d)policies on user access to the service or to particular content present on the service, including blocking users from accessing the service or particular content,

(e)content moderation, including taking down content,

(f)functionalities allowing for control over content that is encountered, especially by children,

(g)user support measures, and

(h)staff policies and practices.

(9)A duty to include provisions in the terms of service specifying—

(a)how children of any age are to be prevented from encountering primary priority content that is harmful to children (with each kind of primary priority content separately covered);

(b)how children in age groups judged to be at risk of harm from priority content that is harmful to children (or from a particular kind of such content) are to be protected from encountering it, where they are not prevented from doing so (with each kind of priority content separately covered);

(c)how children in age groups judged to be at risk of harm from non-designated content that is harmful to children (or from a particular kind of such content) are to be protected from encountering it, where they are not prevented from doing so.

(10)A duty to apply the provisions of the terms of service referred to in subsection (9) consistently.

(11)If a provider takes or uses a measure designed to prevent access to the whole of the service or a part of the service by children under a certain age, a duty to—

(a)include provisions in the terms of service specifying details about the operation of the measure, and

(b)apply those provisions consistently.

(12)A duty to include provisions in the terms of service giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).

(13)A duty to ensure that the provisions of the terms of service referred to in subsections (9), (11) and (12) are clear and accessible.

Additional duty for Category 1 services

(14)A duty to summarise in the terms of service the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children).

13Safety duties protecting children: interpretation

(1)In determining what is proportionate for the purposes of section 12, the following factors, in particular, are relevant—

(a)all the findings of the most recent children’s risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to children), and

(b)the size and capacity of the provider of a service.

(2)So far as a duty set out in section 12 relates to non-designated content that is harmful to children, the duty is to be taken to extend only to addressing risks of harm from the kinds of such content that have been identified in the most recent children’s risk assessment (if any have been identified).

(3)References in section 12(3)(b) and (9)(b) and (c) to children in age groups judged to be at risk of harm from content that is harmful to children are references to children in age groups judged to be at risk of such harm as assessed by the provider of a service in the most recent children’s risk assessment of the service.

(4)The duties set out in section 12(3) and (9) are to be taken to extend only to content that is harmful to children where the risk of harm is presented by the nature of the content (rather than the fact of its dissemination).

(5)The duties set out in section 12 extend only to such parts of a service as it is possible for children to access.

(6)For the purposes of subsection (5), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.

(7)In section 12 and this section “children’s risk assessment” has the meaning given by section 11.

(8)See also, in relation to duties set out in section 12, section 22 (duties about freedom of expression and privacy).

Category 1 services

14Assessment duties: user empowerment

(1)This section sets out the duties about assessments related to adult user empowerment which apply in relation to Category 1 services (in addition to the duties about risk assessments set out in section 9 and, in the case of Category 1 services likely to be accessed by children, section 11).

(2)A duty to carry out a suitable and sufficient assessment for the purposes of section 15(2) at a time set out in, or as provided by, Schedule 3.

(3)A duty to take appropriate steps to keep such an assessment up to date.

(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient assessment for the purposes of section 15(2) relating to the impacts of that proposed change.

(5)An assessment of a service “for the purposes of section 15(2)” means an assessment of the following matters—

(a)the user base;

(b)the incidence of relevant content on the service;

(c)the likelihood of adult users of the service encountering, by means of the service, each kind of relevant content (with each kind separately assessed), taking into account (in particular) algorithms used by the service, and how easily, quickly and widely content may be disseminated by means of the service;

(d)the likelihood of adult users with a certain characteristic or who are members of a certain group encountering relevant content which particularly affects them;

(e)the likelihood of functionalities of the service facilitating the presence or dissemination of relevant content, identifying and assessing those functionalities more likely to do so;

(f)the different ways in which the service is used, and the impact of such use on the likelihood of adult users encountering relevant content;

(g)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to strengthen adult users’ control over their interaction with user-generated content, and other systems and processes) may reduce or increase the likelihood of adult users encountering relevant content.

(6)In this section “relevant content” means content to which section 15(2) applies (content to which user empowerment duties set out in that provision apply).

(7)See also—

(a)section 23(9) and (10) (records of assessments), and

(b)Schedule 3 (timing of providers’ assessments).

15User empowerment duties

(1)This section sets out the duties to empower adult users which apply in relation to Category 1 services.

(2)A duty to include in a service, to the extent that it is proportionate to do so, features which adult users may use or apply if they wish to increase their control over content to which this subsection applies.

(3)The features referred to in subsection (2) are those which, if used or applied by a user, result in the use by the service of systems or processes designed to effectively—

(a)reduce the likelihood of the user encountering content to which subsection (2) applies present on the service, or

(b)alert the user to content present on the service that is a particular kind of content to which subsection (2) applies.

(4)A duty to ensure that all features included in a service in compliance with the duty set out in subsection (2) (“control features”) are made available to all adult users and are easy to access.

(5)A duty to operate a service using a system or process which seeks to ensure that all registered adult users are offered the earliest possible opportunity, in relation to each control feature included in the service, to take a step indicating to the provider that—

(a)the user wishes to retain the default setting for the feature (whether that is that the feature is in use or applied, or is not in use or applied), or

(b)the user wishes to change the default setting for the feature.

(6)The duty set out in subsection (5)

(a)continues to apply in relation to a user and a control feature for so long as the user has not yet taken a step mentioned in that subsection in relation to the feature;

(b)no longer applies in relation to a user once the user has taken such a step in relation to every control feature included in the service.

(7)A duty to include clear and accessible provisions in the terms of service specifying which control features are offered and how users may take advantage of them.

(8)A duty to summarise in the terms of service the findings of the most recent assessment of a service under section 14 (assessments related to the duty set out in subsection (2)).

(9)A duty to include in a service features which adult users may use or apply if they wish to filter out non-verified users.

(10)The features referred to in subsection (9) are those which, if used or applied by a user, result in the use by the service of systems or processes designed to effectively—

(a)prevent non-verified users from interacting with content which that user generates, uploads or shares on the service, and

(b)reduce the likelihood of that user encountering content which non-verified users generate, upload or share on the service.

16User empowerment duties: interpretation

(1)In determining what is proportionate for the purposes of section 15(2), the following factors, in particular, are relevant—

(a)all the findings of the most recent assessment under section 14, and

(b)the size and capacity of the provider of the service.

(2)Section 15(2) applies to content that—

(a)is regulated user-generated content in relation to the service in question, and

(b)is within subsection (3), (4) or (5).

(3)Content is within this subsection if it encourages, promotes or provides instructions for—

(a)suicide or an act of deliberate self-injury, or

(b)an eating disorder or behaviours associated with an eating disorder.

(4)Content is within this subsection if it is abusive and the abuse targets any of the following characteristics—

(a)race,

(b)religion,

(c)sex,

(d)sexual orientation,

(e)disability, or

(f)gender reassignment.

(5)Content is within this subsection if it incites hatred against people—

(a)of a particular race, religion, sex or sexual orientation,

(b)who have a disability, or

(c)who have the characteristic of gender reassignment.

(6)The duty set out in section 15(5) applies in relation to all registered adult users, not just those who begin to use a service after that duty begins to apply.

(7)In section 15 and this section—

(8)In section 15 and this section—

(a)references to features include references to functionalities and settings, and

(b)references to religion include references to a lack of religion.

(9)For the purposes of section 15 and this section, a person has the characteristic of gender reassignment if the person is proposing to undergo, is undergoing or has undergone a process (or part of a process) for the purpose of reassigning the person’s sex by changing physiological or other attributes of sex, and the reference to gender reassignment in subsection (4) is to be construed accordingly.

(10)See also, in relation to duties set out in section 15, section 22 (duties about freedom of expression and privacy).

17Duties to protect content of democratic importance

(1)This section sets out the duties to protect content of democratic importance which apply in relation to Category 1 services.

(2)A duty to operate a service using proportionate systems and processes designed to ensure that the importance of the free expression of content of democratic importance is taken into account when making decisions about—

(a)how to treat such content (especially decisions about whether to take it down or restrict users’ access to it), and

(b)whether to take action against a user generating, uploading or sharing such content.

(3)A duty to ensure that the systems and processes mentioned in subsection (2) apply in the same way to a wide diversity of political opinion.

(4)A duty to include provisions in the terms of service specifying the policies and processes that are designed to take account of the principle mentioned in subsection (2), including, in particular, how that principle is applied to decisions mentioned in that subsection.

(5)A duty to ensure that—

(a)the provisions of the terms of service referred to in subsection (4) are clear and accessible, and

(b)those provisions are applied consistently.

(6)In determining what is proportionate for the purposes of subsection (2), the size and capacity of the provider of a service, in particular, is relevant.

(7)For the purposes of this section content is “content of democratic importance”, in relation to a user-to-user service, if—

(a)the content is—

(i)news publisher content in relation to that service, or

(ii)regulated user-generated content in relation to that service; and

(b)the content is or appears to be specifically intended to contribute to democratic political debate in the United Kingdom or a part or area of the United Kingdom.

(8)In this section, the reference to “taking action” against a user is to giving a warning to a user, or suspending or banning a user from using a service, or in any way restricting a user’s ability to use a service.

(9)For the meaning of “news publisher content” and “regulated user-generated content”, see section 55.

18Duties to protect news publisher content

(1)This section sets out the duties to protect news publisher content which apply in relation to Category 1 services.

(2)Subject to subsections (4), (5) and (8), a duty, in relation to a service, to take the steps set out in subsection (3) before—

(a)taking action in relation to content present on the service that is news publisher content, or

(b)taking action against a user who is a recognised news publisher.

(3)The steps referred to in subsection (2) are—

(a)to give the recognised news publisher in question a notification which—

(i)specifies the action that the provider is considering taking,

(ii)gives reasons for that proposed action by reference to each relevant provision of the terms of service,

(iii)where the proposed action relates to news publisher content that is also journalistic content, explains how the provider took the importance of the free expression of journalistic content into account when deciding on the proposed action, and

(iv)specifies a reasonable period within which the recognised news publisher may make representations,

(b)to consider any representations that are made, and

(c)to notify the recognised news publisher of the decision and the reasons for it (addressing any representations made).

(4)If a provider of a service reasonably considers that the provider would incur criminal or civil liability in relation to news publisher content present on the service if it were not taken down swiftly, the provider may take down that content without having taken the steps set out in subsection (3).

(5)A provider of a service may also take down news publisher content present on the service without having taken the steps set out in subsection (3) if that content amounts to a relevant offence (see section 59 and also subsection (10) of this section).

(6)Subject to subsection (8), if a provider takes action in relation to news publisher content or against a recognised news publisher without having taken the steps set out in subsection (3), a duty to take the steps set out in subsection (7).

(7)The steps referred to in subsection (6) are—

(a)to swiftly notify the recognised news publisher in question of the action taken, giving the provider’s justification for not having first taken the steps set out in subsection (3),

(b)to specify a reasonable period within which the recognised news publisher may request that the action is reversed, and

(c)if a request is made as mentioned in paragraph (b)—

(i)to consider the request and whether the steps set out in subsection (3) should have been taken prior to the action being taken,

(ii)if the provider concludes that those steps should have been taken, to swiftly reverse the action, and

(iii)to notify the recognised news publisher of the decision and the reasons for it (addressing any reasons accompanying the request for reversal of the action).

(8)If a recognised news publisher has been banned from using a service (and the ban is still in force), the provider of the service may take action in relation to news publisher content present on the service which was generated or originally published or broadcast by the recognised news publisher without complying with the duties set out in this section.

(9)For the purposes of this section, a provider is not to be regarded as taking action in relation to news publisher content in the following circumstances—

(a)a provider takes action in relation to content which is not news publisher content, that action affects related news publisher content, the grounds for the action only relate to the content which is not news publisher content, and it is not technically feasible for the action only to relate to the content which is not news publisher content;

(b)a provider takes action against a user, and that action affects news publisher content that has been uploaded to or shared on the service by the user.

(10)Section 192 (providers’ judgements about the status of content) applies in relation to judgements by providers about whether news publisher content amounts to a relevant offence as it applies in relation to judgements about whether content is illegal content.

(11)Any provision of the terms of service has effect subject to this section.

(12)In this section—

(a)references to “news publisher content” are to content that is news publisher content in relation to the service in question;

(b)references to “taking action” against a person are to giving a warning to a person, or suspending or banning a person from using a service, or in any way restricting a person’s ability to use a service.

(13)In this section references to “taking action” in relation to content are to—

(a)taking down content,

(b)restricting users’ access to content, or

(c)adding warning labels to content, except warning labels normally encountered only by child users,

and also include references to taking any other action in relation to content on the grounds that it is content of a kind which is the subject of a relevant term of service (but not otherwise).

(14)A “relevant term of service” means a term of service which indicates to users (in whatever words) that the presence of a particular kind of content, from the time it is generated, uploaded or shared on the service, is not tolerated on the service or is tolerated but liable to result in the provider treating it in a way that makes it less likely that other users will encounter it.

(15)Taking any step set out in subsection (3) or (7) does not count as “taking action” for the purposes of this section.

(16)See—

19Duties to protect journalistic content

(1)This section sets out the duties to protect journalistic content which apply in relation to Category 1 services.

The duties

(2)A duty to operate a service using proportionate systems and processes designed to ensure that the importance of the free expression of journalistic content is taken into account when making decisions about—

(a)how to treat such content (especially decisions about whether to take it down or restrict users’ access to it), and

(b)whether to take action against a user generating, uploading or sharing such content.

(3)A duty, in relation to a decision by a provider to take down content or to restrict access to it, to make a dedicated and expedited complaints procedure available to a person who considers the content to be journalistic content and who is—

(a)the user who generated, uploaded or shared the content on the service, or

(b)the creator of the content (see subsections (14) and (15)).

(4)A duty to make a dedicated and expedited complaints procedure available to users of a service in relation to a decision by the provider of the service to take action against a user because of content generated, uploaded or shared by the user which the user considers to be journalistic content.

(5)A duty to ensure that—

(a)if a complaint about a decision mentioned in subsection (3) is upheld, the content is swiftly reinstated on the service;

(b)if a complaint about a decision mentioned in subsection (4) is upheld, the action against the user is swiftly reversed.

(6)Subsections (3) and (4) do not require a provider to make a dedicated and expedited complaints procedure available to a recognised news publisher in relation to a decision if the provider has taken the steps set out in section 18(3) in relation to that decision.

(7)A duty to include provisions in the terms of service specifying—

(a)by what methods content present on the service is to be identified as journalistic content;

(b)how the importance of the free expression of journalistic content is to be taken into account when making decisions mentioned in subsection (2);

(c)the policies and processes for handling complaints in relation to content which is, or is considered to be, journalistic content.

(8)A duty to ensure that—

(a)the provisions of the terms of service referred to in subsection (7) are clear and accessible, and

(b)those provisions are applied consistently.

Interpretation

(9)In determining what is proportionate for the purposes of subsection (2), the size and capacity of the provider of a service, in particular, is relevant.

(10)For the purposes of this Part content is “journalistic content”, in relation to a user-to-user service, if—

(a)the content is—

(i)news publisher content in relation to that service, or

(ii)regulated user-generated content in relation to that service;

(b)the content is generated for the purposes of journalism; and

(c)the content is UK-linked.

(11)For the purposes of this section content is “UK-linked” if—

(a)United Kingdom users of the service form one of the target markets for the content (or the only target market), or

(b)the content is or is likely to be of interest to a significant number of United Kingdom users.

(12)In this section references to “taking action” against a user are to giving a warning to a user, or suspending or banning a user from using a service, or in any way restricting a user’s ability to use a service.

(13)In this section the reference to the “creator” of content is to be read in accordance with subsections (14) and (15).

(14)The creator of news publisher content is the recognised news publisher in question.

(15)The creator of content other than news publisher content is—

(a)an individual who—

(i)created the content, and

(ii)is in the United Kingdom; or

(b)an entity which—

(i)created the content, and

(ii)is incorporated or formed under the law of any part of the United Kingdom.

(16)For the meaning of “news publisher content”, “regulated user-generated content” and “recognised news publisher”, see sections 55 and 56.

Duties about content reporting and complaints procedures

20Duty about content reporting

(1)This section sets out the duty about content reporting which applies in relation to all regulated user-to-user services.

(2)A duty to operate a service using systems and processes that allow users and affected persons to easily report content which they consider to be content of a kind specified below (with the duty extending to different kinds of content depending on the kind of service, as indicated by the headings).

All services

(3)Illegal content.

Services likely to be accessed by children

(4)Content that is harmful to children, present on a part of a service that it is possible for children to access.

Interpretation

(5)In this section “affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—

(a)the subject of the content,

(b)a member of a class or group of people with a certain characteristic targeted by the content,

(c)a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or

(d)an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.

(6)For the purposes of subsection (4), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.

(7)See also—

(a)section 22 (duties about freedom of expression and privacy), and

(b)section 72(5)(a) (reporting of content that terms of service allow to be taken down or restricted).

21Duties about complaints procedures

(1)This section sets out the duties about complaints procedures which apply in relation to all regulated user-to-user services.

(2)A duty to operate a complaints procedure in relation to a service that—

(a)allows for relevant kinds of complaint to be made (as set out under the headings below),

(b)provides for appropriate action to be taken by the provider of the service in response to complaints of a relevant kind, and

(c)is easy to access, easy to use (including by children) and transparent.

(3)A duty to include in the terms of service provisions which are easily accessible (including to children) specifying the policies and processes that govern the handling and resolution of complaints of a relevant kind.

All services

(4)The following kinds of complaint are relevant for all services—

(a)complaints by users and affected persons about content present on a service which they consider to be illegal content;

(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—

(i)section 10 (illegal content),

(ii)section 20 (content reporting), or

(iii)section 22(2) or (3) (freedom of expression and privacy);

(c)complaints by a user who has generated, uploaded or shared content on a service if that content is taken down on the basis that it is illegal content;

(d)complaints by a user of a service if the provider has given a warning to the user, suspended or banned the user from using the service, or in any other way restricted the user’s ability to use the service, as a result of content generated, uploaded or shared by the user which the provider considers to be illegal content;

(e)complaints by a user who has generated, uploaded or shared content on a service if—

(i)the use of proactive technology on the service results in that content being taken down or access to it being restricted, or given a lower priority or otherwise becoming less likely to be encountered by other users, and

(ii)the user considers that the proactive technology has been used in a way not contemplated by, or in breach of, the terms of service (for example, by affecting content not of a kind specified in the terms of service as a kind of content in relation to which the technology would operate).

Services likely to be accessed by children

(5)The following kinds of complaint are relevant for services that are likely to be accessed by children—

(a)complaints by users and affected persons about content, present on a part of a service that it is possible for children to access, which they consider to be content that is harmful to children;

(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in section 12 (children’s online safety);

(c)complaints by a user who has generated, uploaded or shared content on a service if that content is taken down, or access to it is restricted, on the basis that it is content that is harmful to children;

(d)complaints by a user of a service if the provider has given a warning to the user, suspended or banned the user from using the service, or in any other way restricted the user’s ability to use the service, as a result of content generated, uploaded or shared by the user which the provider considers to be content that is harmful to children;

(e)complaints by a user who is unable to access content because measures used to comply with a duty set out in section 12(2) or (3) have resulted in an incorrect assessment of the user’s age.

Category 1 services

(6)The relevant kind of complaint for Category 1 services is complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—

(a)section 15 (user empowerment),

(b)section 17 (content of democratic importance),

(c)section 18 (news publisher content),

(d)section 19 (journalistic content), or

(e)section 22(4), (6) or (7) (freedom of expression and privacy).

Interpretation

(7)In this section “affected person” has the meaning given by section 20.

(8)For the purposes of subsection (5)(a), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.

(9)See also—

(a)section 22 (duties about freedom of expression and privacy), and

(b)section 72(6) (complaints procedure relating to content that terms of service allow to be taken down or restricted).

Cross-cutting duties

22Duties about freedom of expression and privacy

(1)This section sets out the duties about freedom of expression and privacy which apply in relation to regulated user-to-user services (as indicated by the headings).

All services

(2)When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users’ right to freedom of expression within the law.

(3)When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a user-to-user service (including, but not limited to, any such provision or rule concerning the processing of personal data).

Additional duties for Category 1 services

(4)A duty—

(a)when deciding on safety measures and policies, to carry out an assessment of the impact that such measures or policies would have on—

(i)users’ right to freedom of expression within the law, and

(ii)the privacy of users; and

(b)to carry out an assessment of the impact of adopted safety measures and policies on the matters mentioned in paragraph (a)(i) and (ii).

(5)An impact assessment relating to a service must include a section which considers the impact of the safety measures and policies on the availability and treatment on the service of content which is news publisher content or journalistic content in relation to the service.

(6)A duty to—

(a)keep an impact assessment up to date, and

(b)publish impact assessments.

(7)A duty to specify in a publicly available statement the positive steps that the provider has taken in response to an impact assessment to—

(a)protect users’ right to freedom of expression within the law, and

(b)protect the privacy of users.

Interpretation

(8)In this section—

(9)Any reference in this section to the privacy of users or steps taken to protect the privacy of users is to be construed in accordance with subsection (3).

(10)See—

23Record-keeping and review duties

(1)This section sets out the record-keeping and review duties which apply in relation to regulated user-to-user services (as indicated by the headings).

All services

(2)A duty to make and keep a written record, in an easily understandable form, of all aspects of every risk assessment under section 9 or 11, including details about how the assessment was carried out and its findings.

(3)A duty to make and keep a written record of any measures taken or in use to comply with a relevant duty which—

(a)are described in a code of practice and recommended for the purpose of compliance with the duty in question, and

(b)apply in relation to the provider and the service in question.

In this section such measures are referred to as “applicable measures in a code of practice”.

(4)If alternative measures have been taken or are in use to comply with a relevant duty, a duty to make and keep a written record containing the following information—

(a)the applicable measures in a code of practice that have not been taken or are not in use,

(b)the alternative measures that have been taken or are in use,

(c)how those alternative measures amount to compliance with the duty in question, and

(d)how the provider has complied with section 49(5) (freedom of expression and privacy).

(5)If alternative measures have been taken or are in use to comply with a duty set out in section 10(2) or (3) or 12(2) or (3), the record required under subsection (4) of this section must also indicate whether such measures have been taken or are in use in every area listed in section 10(4) or 12(8) (as the case may be) in relation to which there are applicable measures in a code of practice.

(6)A duty to review compliance with the relevant duties in relation to a service—

(a)regularly, and

(b)as soon as reasonably practicable after making any significant change to any aspect of the design or operation of the service.

(7)OFCOM may provide that particular descriptions of providers of user-to-user services are exempt from any or all of the duties set out in this section, and may revoke such an exemption.

(8)OFCOM must publish details of any exemption or revocation under subsection (7), including reasons for the revocation of an exemption.

Additional duties for Category 1 services

(9)A duty to make and keep a written record, in an easily understandable form, of all aspects of every assessment under section 14 (assessments related to the adult user empowerment duty set out in section 15(2)), including details about how the assessment was carried out and its findings.

(10)As soon as reasonably practicable after making a record of an assessment as required by subsection (2) or (9), or revising such a record, a duty to supply OFCOM with a copy of the record (in full).

Interpretation

(11)In this section—

CHAPTER 3Providers of search services: duties of care

Search services: which duties apply, and scope of duties

24Providers of search services: duties of care

(1)Subsections (2) to (4) apply to determine which of the duties set out in this Chapter must be complied with by providers of regulated search services.

(2)All providers of regulated search services must comply with the following duties in relation to each such service which they provide—

(a)the duties about illegal content risk assessments set out in section 26,

(b)the duties about illegal content set out in section 27(2) to (8),

(c)the duty about content reporting set out in section 31,

(d)the duties about complaints procedures set out in section 32,

(e)the duties about freedom of expression and privacy set out in section 33, and

(f)the duties about record-keeping and review set out in section 34(2) to (6).

(3)Additional duties must be complied with by providers of particular kinds of regulated search services, as follows.

(4)All providers of regulated search services that are likely to be accessed by children must comply with the following duties in relation to each such service which they provide—

(a)the duties about children’s risk assessments set out in section 28, and

(b)the duties to protect children’s online safety set out in section 29(2) to (8).

(5)All providers of regulated search services that are Category 2A services must comply with the following duties in relation to each such service which they provide—

(a)the duty about illegal content risk assessments set out in section 27(9),

(b)the duty about children’s risk assessments set out in section 29(9), and

(c)the duty about record-keeping set out in section 34(9).

(6)For the meaning of “likely to be accessed by children”, see section 37.

(7)For the meaning of “Category 2A service”, see section 95 (register of categories of services).

25Scope of duties of care

(1)A duty set out in this Chapter which must be complied with in relation to a search service extends only to—

(a)the search content of the service,

(b)the design, operation and use of the search engine in the United Kingdom, and

(c)in the case of a duty that is expressed to apply in relation to users of a service, the design, operation and use of the search engine as it affects United Kingdom users of the service.

(2)For the purposes of the application of this Chapter in relation to the search engine of a combined service (see section 7(6))—

(a)a duty set out in this Chapter which requires a matter to be included in a publicly available statement may be satisfied by including the matter in the terms of service;

(b)references in this Chapter (except in section 24) to a search service are to be read as references to the search engine;

(c)references in this Chapter (except in section 24) to the provider of a search service are to be read as references to the provider of the combined service.

Illegal content duties for search services

26Illegal content risk assessment duties

(1)This section sets out the duties about risk assessments which apply in relation to all regulated search services.

(2)A duty to carry out a suitable and sufficient illegal content risk assessment at a time set out in, or as provided by, Schedule 3.

(3)A duty to take appropriate steps to keep an illegal content risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.

(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient illegal content risk assessment relating to the impacts of that proposed change.

(5)An “illegal content risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—

(a)the level of risk of individuals who are users of the service encountering search content of the following kinds—

(i)each kind of priority illegal content (with each kind separately assessed), and

(ii)other illegal content,

taking into account (in particular) risks presented by algorithms used by the service, and the way that the service indexes, organises and presents search results;

(b)the level of risk of functionalities of the service facilitating individuals encountering search content that is illegal content, identifying and assessing those functionalities that present higher levels of risk;

(c)the nature, and severity, of the harm that might be suffered by individuals from the matters identified in accordance with paragraphs (a) and (b);

(d)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.

(6)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to individuals presented by illegal content.

(7)See also—

(a)section 34(2) and (9) (records of risk assessments), and

(b)Schedule 3 (timing of providers’ assessments).

27Safety duties about illegal content

(1)This section sets out the duties about illegal content which apply in relation to regulated search services (as indicated by the headings).

All services

(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively mitigate and manage the risks of harm to individuals, as identified in the most recent illegal content risk assessment of the service (see section 26(5)(c)).

(3)A duty to operate a service using proportionate systems and processes designed to minimise the risk of individuals encountering search content of the following kinds—

(a)priority illegal content;

(b)other illegal content that the provider knows about (having been alerted to it by another person or become aware of it in any other way).

(4)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way the search engine is designed, operated and used as well as search content of the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—

(a)regulatory compliance and risk management arrangements,

(b)design of functionalities, algorithms and other features relating to the search engine,

(c)functionalities allowing users to control the content they encounter in search results,

(d)content prioritisation,

(e)user support measures, and

(f)staff policies and practices.

(5)A duty to include provisions in a publicly available statement specifying how individuals are to be protected from search content that is illegal content.

(6)A duty to apply the provisions of the statement referred to in subsection (5) consistently.

(7)A duty to include provisions in a publicly available statement giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).

(8)A duty to ensure that the provisions of the publicly available statement referred to in subsections (5) and (7) are clear and accessible.

Additional duty for Category 2A services

(9)A duty to summarise in a publicly available statement the findings of the most recent illegal content risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to individuals).

Interpretation

(10)In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—

(a)all the findings of the most recent illegal content risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to individuals), and

(b)the size and capacity of the provider of a service.

(11)In this section “illegal content risk assessment” has the meaning given by section 26.

(12)See also, in relation to duties set out in this section, section 33 (duties about freedom of expression and privacy).

Search services likely to be accessed by children

28Children’s risk assessment duties

(1)This section sets out the duties about risk assessments which apply in relation to regulated search services that are likely to be accessed by children (in addition to the duties about risk assessments set out in section 26).

(2)A duty to carry out a suitable and sufficient children’s risk assessment at a time set out in, or as provided by, Schedule 3.

(3)A duty to take appropriate steps to keep a children’s risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.

(4)Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient children’s risk assessment relating to the impacts of that proposed change.

(5)A “children’s risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—

(a)the level of risk of children who are users of the service encountering search content of the following kinds—

(i)each kind of primary priority content that is harmful to children (with each kind separately assessed),

(ii)each kind of priority content that is harmful to children (with each kind separately assessed), and

(iii)non-designated content that is harmful to children,

giving separate consideration to children in different age groups, and taking into account (in particular) risks presented by algorithms used by the service and the way that the service indexes, organises and presents search results;

(b)the level of risk of children who are users of the service encountering search content that is harmful to children which particularly affects individuals with a certain characteristic or members of a certain group;

(c)the extent to which the design of the service, in particular its functionalities, affects the level of risk of harm that might be suffered by children, identifying and assessing those functionalities that present higher levels of risk, including a functionality that makes suggestions relating to users’ search requests (predictive search functionality);

(d)the different ways in which the service is used, including functionalities or other features of the service that affect how much children use the service, and the impact of such use on the level of risk of harm that might be suffered by children;

(e)the nature, and severity, of the harm that might be suffered by children from the matters identified in accordance with paragraphs (a) to (d), giving separate consideration to children in different age groups;

(f)how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.

(6)In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to children presented by content that is harmful to children.

(7)See also—

(a)section 34(2) and (9) (records of risk assessments), and

(b)Schedule 3 (timing of providers’ assessments).

29Safety duties protecting children

(1)This section sets out the duties to protect children’s online safety which apply in relation to regulated search services that are likely to be accessed by children (as indicated by the headings).

All services

(2)A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively—

(a)mitigate and manage the risks of harm to children in different age groups, as identified in the most recent children’s risk assessment of the service (see section 28(5)(e)), and

(b)mitigate the impact of harm to children in different age groups presented by search content that is harmful to children.

(3)A duty to operate a service using proportionate systems and processes designed to—

(a)minimise the risk of children of any age encountering search content that is primary priority content that is harmful to children;

(b)minimise the risk of children in age groups judged to be at risk of harm from other content that is harmful to children (or from a particular kind of such content) encountering search content of that kind.

(4)The duties set out in subsections (2) and (3) apply across all areas of a service, including the way the search engine is designed, operated and used as well as search content of the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—

(a)regulatory compliance and risk management arrangements,

(b)design of functionalities, algorithms and other features relating to the search engine,

(c)functionalities allowing for control over content that is encountered in search results, especially by children,

(d)content prioritisation,

(e)user support measures, and

(f)staff policies and practices.

(5)A duty to include provisions in a publicly available statement specifying how children are to be protected from search content of the following kinds—

(a)primary priority content that is harmful to children (with each kind of primary priority content separately covered),

(b)priority content that is harmful to children (with each kind of priority content separately covered), and

(c)non-designated content that is harmful to children.

(6)A duty to apply the provisions of the statement referred to in subsection (5) consistently.

(7)A duty to include provisions in a publicly available statement giving information about any proactive technology used by a service for the purpose of compliance with a duty set out in subsection (2) or (3) (including the kind of technology, when it is used, and how it works).

(8)A duty to ensure that the provisions of the publicly available statement referred to in subsections (5) and (7) are clear and accessible.

Additional duty for Category 2A services

(9)A duty to summarise in a publicly available statement the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children).

30Safety duties protecting children: interpretation

(1)In determining what is proportionate for the purposes of section 29, the following factors, in particular, are relevant—

(a)all the findings of the most recent children’s risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to children), and

(b)the size and capacity of the provider of a service.

(2)So far as a duty set out in section 29 relates to non-designated content that is harmful to children, the duty is to be taken to extend only to addressing risks of harm from the kinds of such content that have been identified in the most recent children’s risk assessment (if any have been identified).

(3)The reference in section 29(3)(b) to children in age groups judged to be at risk of harm from content that is harmful to children is a reference to children in age groups judged to be at risk of such harm as assessed by the provider of a service in the most recent children’s risk assessment of the service.

(4)The duties set out in section 29(3) are to be taken to extend only to content that is harmful to children where the risk of harm is presented by the nature of the content (rather than the fact of its dissemination).

(5)The duties set out in section 29 extend only to such parts of a service as it is possible for children to access.

(6)For the purposes of subsection (5), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.

(7)In section 29 and this section “children’s risk assessment” has the meaning given by section 28.

(8)See also, in relation to duties set out in section 29, section 33 (duties about freedom of expression and privacy).

Duties about content reporting and complaints procedures

31Duty about content reporting

(1)This section sets out the duty about content reporting which applies in relation to all regulated search services.

(2)A duty to operate a service using systems and processes that allow users and affected persons to easily report search content which they consider to be content of a kind specified below (with the duty extending to content that is harmful to children depending on the kind of service, as indicated by the headings).

All services

(3)Illegal content.

Services likely to be accessed by children

(4)Content that is harmful to children.

Interpretation

(5)In this section “affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—

(a)the subject of the content,

(b)a member of a class or group of people with a certain characteristic targeted by the content,

(c)a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or

(d)an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.

(6)See also, in relation to the duty set out in this section, section 33 (duties about freedom of expression and privacy).

32Duties about complaints procedures

(1)This section sets out the duties about complaints procedures which apply in relation to all regulated search services.

(2)A duty to operate a complaints procedure in relation to a service that—

(a)allows for relevant kinds of complaint to be made (as set out under the headings below),

(b)provides for appropriate action to be taken by the provider of the service in response to complaints of a relevant kind, and

(c)is easy to access, easy to use (including by children) and transparent.

(3)A duty to make the policies and processes that govern the handling and resolution of complaints of a relevant kind publicly available and easily accessible (including to children).

All services

(4)The following kinds of complaint are relevant for all services—

(a)complaints by users and affected persons about search content which they consider to be illegal content;

(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—

(i)section 27 (illegal content),

(ii)section 31 (content reporting), or

(iii)section 33 (freedom of expression and privacy);

(c)complaints by an interested person if the provider of a search service takes or uses measures in order to comply with a duty set out in section 27 that result in content relating to that interested person no longer appearing in search results or being given a lower priority in search results;

(d)complaints by an interested person if—

(i)the use of proactive technology on a search service results in content relating to that interested person no longer appearing in search results or being given a lower priority in search results, and

(ii)the interested person considers that the proactive technology has been used in a way not contemplated by, or in breach of, the provider’s policies on its use (for example, by affecting content not of a kind specified in those policies as a kind of content in relation to which the technology would operate).

Services likely to be accessed by children

(5)The following kinds of complaint are relevant for services that are likely to be accessed by children—

(a)complaints by users and affected persons about search content which they consider to be content that is harmful to children;

(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in section 29 (children’s online safety);

(c)complaints by an interested person if the provider of a search service takes or uses measures in order to comply with a duty set out in section 29 that result in content relating to that interested person no longer appearing in search results or being given a lower priority in search results;

(d)complaints by a user who is unable to access content because measures used to comply with a duty set out in section 29(2) or (3) have resulted in an incorrect assessment of the user’s age.

Interpretation

(6)In this section—

(7)See also, in relation to duties set out in this section, section 33 (duties about freedom of expression and privacy).

Cross-cutting duties

33Duties about freedom of expression and privacy

(1)This section sets out the duties about freedom of expression and privacy which apply in relation to all regulated search services.

(2)When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting the rights of users and interested persons to freedom of expression within the law.

(3)When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a search service (including, but not limited to, any such provision or rule concerning the processing of personal data).

(4)In this section—

34Record-keeping and review duties

(1)This section sets out the record-keeping and review duties which apply in relation to regulated search services (as indicated by the headings).

All services

(2)A duty to make and keep a written record, in an easily understandable form, of all aspects of every risk assessment under section 26 or 28, including details about how the assessment was carried out and its findings.

(3)A duty to make and keep a written record of any measures taken or in use to comply with a relevant duty which—

(a)are described in a code of practice and recommended for the purpose of compliance with the duty in question, and

(b)apply in relation to the provider and the service in question.

In this section such measures are referred to as “applicable measures in a code of practice”.

(4)If alternative measures have been taken or are in use to comply with a relevant duty, a duty to make and keep a written record containing the following information—

(a)the applicable measures in a code of practice that have not been taken or are not in use,

(b)the alternative measures that have been taken or are in use,

(c)how those alternative measures amount to compliance with the duty in question, and

(d)how the provider has complied with section 49(5) (freedom of expression and privacy).

(5)If alternative measures have been taken or are in use to comply with a duty set out in section 27(2) or (3) or 29(2) or (3), the record required under subsection (4) of this section must also indicate whether such measures have been taken or are in use in every area listed in subsection (4) of those sections in relation to which there are applicable measures in a code of practice.

(6)A duty to review compliance with the relevant duties in relation to a service—

(a)regularly, and

(b)as soon as reasonably practicable after making any significant change to any aspect of the design or operation of the service.

(7)OFCOM may provide that particular descriptions of providers of search services are exempt from any or all of the duties set out in this section, and may revoke such an exemption.

(8)OFCOM must publish details of any exemption or revocation under subsection (7), including reasons for the revocation of an exemption.

Additional duty for Category 2A services

(9)As soon as reasonably practicable after making a record of a risk assessment as required by subsection (2), or revising such a record, a duty to supply OFCOM with a copy of the record (in full).

Interpretation

(10)In this section—

and for the purposes of subsection (6), also includes the duties set out in section 75 (deceased child users).

CHAPTER 4Children's access assessments

35Children’s access assessments

(1)In this Part, a “children’s access assessment” means an assessment of a Part 3 service—

(a)to determine whether it is possible for children to access the service or a part of the service, and

(b)if it is possible for children to access the service or a part of the service, to determine whether the child user condition is met in relation to the service or a part of the service.

(2)A provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.

(3)The “child user condition” is met in relation to a service, or a part of a service, if—

(a)there is a significant number of children who are users of the service or of that part of it, or

(b)the service, or that part of it, is of a kind likely to attract a significant number of users who are children.

(4)For the purposes of subsection (3)

(a)the reference to a “significant” number includes a reference to a number which is significant in proportion to the total number of United Kingdom users of a service or (as the case may be) a part of a service;

(b)whether the test in paragraph (a) of that subsection is met is to be based on evidence about who actually uses a service, rather than who the intended users of the service are.

(5)In this Chapter—

(a)references to children are to children in the United Kingdom;

(b)references to a part of a service do not include any part of a service that is not, or is not included in, a user-to-user part of a service or a search engine.

36Duties about children’s access assessments

(1)A provider of a Part 3 service must carry out the first children’s access assessment at a time set out in, or as provided by, Schedule 3.

(2)Subsections (3) and (4) apply to a provider of a Part 3 service during any period when the service is not treated as likely to be accessed by children (see section 37).

(3)The provider must carry out children’s access assessments of the service not more than one year apart.

(4)The provider must carry out a children’s access assessment of the service—

(a)before making any significant change to any aspect of the service’s design or operation to which such an assessment is relevant,

(b)in response to evidence about reduced effectiveness of age verification or age estimation that is used on the service as mentioned in section 35(2), or

(c)in response to evidence about a significant increase in the number of children using the service.

(5)If a person is the provider of more than one Part 3 service, children’s access assessments must be carried out for each service separately.

(6)Children’s access assessments must be suitable and sufficient for the purposes of this Part.

(7)A provider must make and keep a written record, in an easily understandable form, of every children’s access assessment.

37Meaning of “likely to be accessed by children”

(1)For the purposes of this Part, a Part 3 service is to be treated as “likely to be accessed by children” in the following three cases (with the result that the duties set out in sections 11 and 12, or (as the case may be) sections 28 and 29, apply in relation to the service).

(2)The first case is where a children’s access assessment carried out by the provider of the service concludes that—

(a)it is possible for children to access the service or a part of it, and

(b)the child user condition is met in relation to—

(i)the service, or

(ii)a part of the service that it is possible for children to access.

This subsection is to be interpreted consistently with section 35.

(3)In that case, the service is to be treated as likely to be accessed by children from the date on which the children’s access assessment is completed.

(4)The second case is where the provider of the service fails to carry out the first children’s access assessment as required by section 36(1).

(5)In that case—

(a)the service is to be treated as likely to be accessed by children from the date by which the first children’s access assessment was required to have been completed (see Part 1 of Schedule 3), and

(b)the service is to continue to be treated as likely to be accessed by children by reason of subsection (4) until such time as the provider completes the first children’s access assessment of the service.

(6)The third case is where, following an investigation into a failure to comply with a duty set out in section 36, OFCOM determine that a service should be treated as likely to be accessed by children: see section 135(4) and (5).

(7)In that case, the service is to be treated as likely to be accessed by children from the date of, or specified in, the confirmation decision given to the provider of the service (as the case may be: see section 135(5)).

CHAPTER 5Duties about fraudulent advertising

38Duties about fraudulent advertising: Category 1 services

(1)A provider of a Category 1 service must operate the service using proportionate systems and processes designed to—

(a)prevent individuals from encountering content consisting of fraudulent advertisements by means of the service;

(b)minimise the length of time for which any such content is present;

(c)where the provider is alerted by a person to the presence of such content, or becomes aware of it in any other way, swiftly take down such content.

(2)A provider of a Category 1 service must include clear and accessible provisions in the terms of service giving information about any proactive technology used by the service for the purpose of compliance with the duty set out in subsection (1) (including the kind of technology, when it is used, and how it works).

(3)In relation to a Category 1 service, an advertisement is a “fraudulent advertisement” if—

(a)it is a paid-for advertisement (see section 236),

(b)it amounts to an offence specified in section 40 (construed in accordance with section 59: see subsections (3), (11) and (12) of that section), and

(c)it is not regulated user-generated content (see section 55) in relation to the service.

(4)If a person is the provider of more than one Category 1 service, the duties set out in this section apply in relation to each such service.

(5)In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—

(a)the nature, and severity, of potential harm to individuals presented by different kinds of fraudulent advertisement, and

(b)the degree of control a provider has in relation to the placement of advertisements on the service.

(6)In the case of a Category 1 service which is a combined service, the duties set out in this section do not extend to—

(a)fraudulent advertisements that may be encountered in search results of the service or, following a search request, as a result of subsequent interactions with internet services, or

(b)anything relating to the design, operation or use of the search engine.

But if the service is also a Category 2A service, the duties set out in section 39 apply as well as the duties set out in this section.

(7)The duties set out in this section extend only to the design, operation and use of a Category 1 service in the United Kingdom.

(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).

39Duties about fraudulent advertising: Category 2A services

(1)A provider of a Category 2A service must operate the service using proportionate systems and processes designed to—

(a)prevent individuals from encountering content consisting of fraudulent advertisements in or via search results of the service;

(b)if any such content may be encountered in or via search results of the service, minimise the length of time that that is the case;

(c)where the provider is alerted by a person to the fact that such content may be so encountered, or becomes aware of that fact in any other way, swiftly ensure that individuals are no longer able to encounter such content in or via search results of the service.

(2)A provider of a Category 2A service must include clear and accessible provisions in a publicly available statement giving information about any proactive technology used by the service for the purpose of compliance with the duty set out in subsection (1) (including the kind of technology, when it is used, and how it works).

(3)In relation to a Category 2A service, an advertisement is a “fraudulent advertisement” if—

(a)it is a paid-for advertisement (see section 236), and

(b)it amounts to an offence specified in section 40 (construed in accordance with section 59: see subsections (3), (11) and (12) of that section).

(4)The references to encountering fraudulent advertisements “in or via search results” of a search service—

(a)are references to encountering fraudulent advertisements—

(i)in search results of the service, or

(ii)as a result of interacting with a paid-for advertisement in search results of the service (for example, by clicking on it);

(b)do not include references to encountering fraudulent advertisements as a result of any subsequent interactions with an internet service other than the search service.

(5)If a person is the provider of more than one Category 2A service, the duties set out in this section apply in relation to each such service.

(6)In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—

(a)the nature, and severity, of potential harm to individuals presented by different kinds of fraudulent advertisement, and

(b)the degree of control a provider has in relation to the placement of advertisements on the service.

(7)The duties set out in this section extend only to the design, operation and use of a Category 2A service in the United Kingdom.

(8)For the meaning of “Category 2A service”, see section 95 (register of categories of services).

40Fraud etc offences

(1)This section specifies offences for the purposes of this Chapter (see sections 38(3)(b) and 39(3)(b)).

(2)An offence under any of the following provisions of the Financial Services and Markets Act 2000—

(a)section 23 (contravention of prohibition on carrying on regulated activity unless authorised or exempt);

(b)section 24 (false claims to be authorised or exempt);

(c)section 25 (contravention of restrictions on financial promotion).

(3)An offence under any of the following provisions of the Fraud Act 2006—

(a)section 2 (fraud by false representation);

(b)section 4 (fraud by abuse of position);

(c)section 7 (making or supplying articles for use in frauds);

(d)section 9 (participating in fraudulent business carried on by sole trader etc).

(4)An offence under any of the following provisions of the Financial Services Act 2012—

(a)section 89 (misleading statements);

(b)section 90 (misleading impressions).

(5)An offence of attempting or conspiring to commit an offence specified in subsection (2), (3) or (4).

(6)An offence under Part 2 of the Serious Crime Act 2007 (encouraging or assisting) in relation to an offence specified in subsection (2), (3) or (4), or (in Scotland) inciting a person to commit such an offence.

(7)An offence of aiding, abetting, counselling or procuring the commission of an offence specified in subsection (2), (3) or (4), or (in Scotland) being involved art and part in the commission of such an offence.

CHAPTER 6Codes of practice and guidance

Codes of practice

41Codes of practice about duties

(1)OFCOM must prepare and issue a code of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content) so far as relating to terrorism content or offences within Schedule 5 (terrorism offences).

(2)OFCOM must prepare and issue a code of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content) so far as relating to CSEA content or offences within Schedule 6 (child sexual exploitation and abuse offences).

(3)OFCOM must prepare and issue one or more codes of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with the relevant duties (except to the extent that measures for the purpose of compliance with such duties are described in a code of practice prepared under subsection (1) or (2)).

(4)OFCOM must prepare and issue a code of practice for providers of Category 1 services and providers of Category 2A services describing measures recommended for the purpose of compliance with the duties set out in Chapter 5 (fraudulent advertising).

(5)Where a code of practice under this section is in force, OFCOM may—

(a)prepare a draft of amendments of the code of practice;

(b)prepare a draft of a code of practice under subsection (1), (2), (3) or (4) as a replacement for a code of practice previously issued under the subsection in question;

(c)withdraw the code of practice.

(6)In the course of preparing a draft of a code of practice or amendments of a code of practice under this section, OFCOM must consult—

(a)the Secretary of State,

(b)persons who appear to OFCOM to represent providers of Part 3 services,

(c)persons who appear to OFCOM to represent the interests of United Kingdom users of Part 3 services,

(d)persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),

(e)persons who appear to OFCOM to represent the interests of persons who have suffered harm as a result of matters to which the code of practice is relevant,

(f)persons whom OFCOM consider to have relevant expertise in equality issues and human rights, in particular—

(i)the right to freedom of expression set out in Article 10 of the Convention, and

(ii)the right to respect for a person’s private and family life, home and correspondence set out in Article 8 of the Convention,

(g)the Information Commissioner,

(h)the Children’s Commissioner,

(i)the Commissioner for Victims and Witnesses,

(j)the Domestic Abuse Commissioner,

(k)persons whom OFCOM consider to have expertise in public health, science or medicine that is relevant to online safety matters,

(l)persons whom OFCOM consider to have expertise in innovation, or emerging technology, that is relevant to online safety matters, and

(m)such other persons as OFCOM consider appropriate.

(7)In the course of preparing a draft of a code of practice or amendments to which this subsection applies, OFCOM must also consult persons whom OFCOM consider to have expertise in the enforcement of the criminal law and the protection of national security that is relevant to online safety matters.

(8)Subsection (7) applies to—

(a)a code of practice under subsection (1) and amendments of such a code,

(b)a code of practice under subsection (2) and amendments of such a code,

(c)a code of practice under subsection (3) that describes measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content),

(d)amendments of a code of practice under subsection (3), if and to the extent that those amendments relate to measures recommended for the purpose of compliance with duties set out in section 10 or 27, and

(e)a code of practice under subsection (4) and amendments of such a code.

(9)Subsections (6) and (7) are subject to section 48 (minor amendments of code of practice).

(10)In this section “the relevant duties” means the duties set out in—

(a)sections 10 and 27 (illegal content),

(b)sections 12 and 29 (children’s online safety),

(c)section 15 (user empowerment),

(d)section 17 (content of democratic importance),

(e)section 19 (journalistic content),

(f)sections 20 and 31 (content reporting), and

(g)sections 21 and 32 (complaints procedures).

42Codes of practice: principles, objectives, content

Schedule 4 contains—

(a)provision about the principles OFCOM must consider when preparing codes of practice under section 41,

(b)the online safety objectives (and a power for the Secretary of State by regulations to revise those objectives),

(c)provision about the measures that may be described in codes of practice (including, in particular, constraints on the recommendation of the use of proactive technology), and

(d)other provision related to codes of practice.

43Procedure for issuing codes of practice

(1)Where OFCOM have prepared a draft of a code of practice under section 41, they must submit the draft to the Secretary of State.

(2)Unless the Secretary of State intends to give a direction to OFCOM under section 44(1), (2) or (3) in relation to the draft, the Secretary of State must, as soon as reasonably practicable, lay the draft before Parliament.

(3)If, within the 40-day period, either House of Parliament resolves not to approve the draft—

(a)OFCOM must not issue the code of practice in the form of that draft, and

(b)OFCOM must prepare another draft of the code of practice under section 41.

(4)If no such resolution is made within that period—

(a)OFCOM must issue the code of practice in the form of the draft laid before Parliament, and

(b)the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued.

(5)“The 40-day period” is the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid).

(6)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.

(7)Subsections (1) to (6) apply in relation to a draft of amendments of a code of practice prepared under section 41 as they apply in relation to a draft of a code of practice prepared under that section.

(8)This section is subject to section 48 (minor amendments of codes of practice).

(9)Subsection (11) applies to—

(a)a draft of the first code of practice prepared under section 41(1) (terrorism code of practice);

(b)a draft of the first code of practice prepared under section 41(2) (CSEA code of practice);

(c)a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 10 or 27 (illegal content);

(d)a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 12 or 29 (children’s online safety);

(e)a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 20 or 31 (content reporting);

(f)a draft of the first code of practice prepared under section 41(3) relating to—

(i)a duty set out in section 21 (complaints procedures) that concerns complaints of a kind mentioned in subsection (4) or (5) of that section, or

(ii)a duty set out in section 32 (complaints procedures).

(10)For the purposes of paragraphs (c) to (f) of subsection (9) a draft of a code of practice is a draft of the first code of practice relating to a duty if—

(a)it describes measures recommended for the purpose of compliance with the duty, and

(b)it is a draft of the first code of practice prepared under section 41(3) that describes measures for that purpose.

(11)OFCOM must submit a draft to which this subsection applies to the Secretary of State under subsection (1) within the period of 18 months beginning with the day on which this Act is passed.

(12)If OFCOM consider that it is necessary to extend the period mentioned in subsection (11) in relation to a draft mentioned in any of paragraphs (a) to (f) of subsection (9), OFCOM may extend the period in relation to that draft by up to 12 months by making and publishing a statement.

But this is subject to subsection (15).

(13)A statement under subsection (12) must set out—

(a)the reasons why OFCOM consider that it is necessary to extend the period mentioned in subsection (11) in relation to the draft concerned, and

(b)the period of extension.

(14)A statement under subsection (12) may be published at the same time as (or incorporate) a statement under section 194(3) (extension of time to prepare certain guidance).

(15)But a statement under subsection (12) may not be made in relation to a draft mentioned in a particular paragraph of subsection (9) if—

(a)a statement has previously been made under subsection (12) (whether in relation to a draft mentioned in the same or a different paragraph of subsection (9)), or

(b)a statement has previously been made under section 194(3).

44Secretary of State’s powers of direction

(1)The Secretary of State may direct OFCOM to modify a draft of a code of practice submitted under section 43(1) if the Secretary of State believes that modifications are required for the purpose of securing compliance with an international obligation of the United Kingdom.

(2)The Secretary of State may direct OFCOM to modify a draft of a code of practice, other than a terrorism or CSEA code of practice, submitted under section 43(1) if the Secretary of State believes that modifications are required for exceptional reasons relating to—

(a)national security,

(b)public safety,

(c)public health, or

(d)relations with the government of a country outside the United Kingdom.

(3)The Secretary of State may direct OFCOM to modify a draft of a terrorism or CSEA code of practice submitted under section 43(1) if the Secretary of State believes that modifications are required—

(a)for reasons of national security or public safety, or

(b)for exceptional reasons relating to public health or relations with the government of a country outside the United Kingdom.

(4)But if a draft of a terrorism or CSEA code of practice is submitted under section 43(1) following a review under section 47(2), the Secretary of State may only direct OFCOM to modify the draft if the Secretary of State believes that modifications are required for reasons of national security or public safety.

(5)If, following a review of a terrorism or CSEA code of practice under section 47(2), OFCOM submit a statement to the Secretary of State under section 47(3)(b) (“OFCOM’s review statement”), the Secretary of State may direct OFCOM to modify the code of practice if the Secretary of State believes that modifications are required for reasons of national security or public safety.

(6)A direction given under subsection (5)

(a)must be given within the period of 45 days beginning with the day on which OFCOM’s review statement is submitted to the Secretary of State, and

(b)must make particular reference to OFCOM’s review statement.

(7)A direction given under this section—

(a)may not require OFCOM to include in a code of practice provision about a particular measure recommended to be taken or used by providers of Part 3 services,

(b)must set out the Secretary of State’s reasons for requiring modifications, except in a case where the Secretary of State considers that doing so would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom, and

(c)must, as soon as reasonably practicable, be published and laid before Parliament.

(8)If the Secretary of State considers that publishing and laying before Parliament a direction given under this section would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom—

(a)subsection (7)(c) does not apply in relation to the direction, and

(b)the Secretary of State must, as soon as reasonably practicable, publish and lay before Parliament a document stating—

(i)that a direction has been given,

(ii)the kind of code of practice to which it relates, and

(iii)the reasons for not publishing it.

(9)If the Secretary of State gives a direction under this section, OFCOM must, as soon as reasonably practicable—

(a)comply with the direction,

(b)submit to the Secretary of State a draft of the code of practice modified in accordance with the direction,

(c)submit to the Secretary of State a document containing—

(i)(except in a case mentioned in subsection (7)(b)) details of the direction, and

(ii)details about how the draft has been revised in response to the direction,

(d)publish the document, and

(e)inform the Secretary of State about modifications that OFCOM have made to the draft that are not in response to the direction (if there are any).

(10)The Secretary of State may give OFCOM one or more further directions requiring OFCOM to modify the draft of the code of practice.

(11)Such further directions may only be given for the reasons set out in subsection (1), (2), (3), (4) or (5) (as the case may be), and subsections (7) to (9) apply again in relation to such further directions.

(12)When the Secretary of State is satisfied that no further modifications to the draft are required, the Secretary of State must, as soon as reasonably practicable, lay before Parliament—

(a)the modified draft,

(b)any document submitted by OFCOM as mentioned in subsection (9)(c), and

(c)in the case of a direction under subsection (5), OFCOM’s review statement.

(13)Before laying OFCOM’s review statement before Parliament, the Secretary of State may, with OFCOM’s agreement, remove or obscure information in the statement (whether by redaction or otherwise) in order to prevent the disclosure of matters that the Secretary of State considers would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom.

(14)This section applies in relation to a draft of amendments of a code of practice submitted under section 43(1) as it applies in relation to a draft of a code of practice submitted under that provision.

(15)In this section “terrorism or CSEA code of practice” means a code of practice under section 41(1) or (2).

45Procedure for issuing codes of practice following direction under section 44

(1)This section sets out the procedure that applies where a draft of a code of practice is laid before Parliament under section 44(12).

(2)If the draft contains modifications made following a direction given under section 44(1), (2) or (3)(b), the affirmative procedure applies.

(3)If the draft contains modifications made following a direction given under section 44(3)(a), (4) or (5), the negative procedure applies.

(4)The “affirmative procedure” is as follows—

(a)a code of practice in the form of the draft laid before Parliament must not be issued by OFCOM unless the draft has been approved by a resolution of each House of Parliament;

(b)if the draft is so approved, the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued;

(c)if the draft is not so approved, OFCOM must prepare another draft of the code of practice under section 41.

(5)The “negative procedure” is as follows—

(a)if, within the 40-day period, either House of Parliament resolves not to approve the draft—

(i)OFCOM must not issue the code of practice in the form of that draft, and

(ii)OFCOM must prepare another draft of the code of practice under section 41;

(b)if no such resolution is made within that period—

(i)OFCOM must issue the code of practice in the form of the draft laid before Parliament, and

(ii)the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued.

(6)The 40-day period” has the same meaning as in section 43 (see subsections (5) and (6) of that section).

(7)This section applies in relation to a draft of amendments of a code of practice laid before Parliament under section 44(12) as it applies in relation to a draft of a code of practice laid under that provision.

46Publication of codes of practice

(1)OFCOM must publish each code of practice issued under section 43 or 45 within the period of three days beginning with the day on which it is issued.

(2)Where amendments of a code of practice are issued under either of those sections, OFCOM must publish the amended code of practice within the period of three days beginning with the day on which the amendments are issued.

(3)Where a code of practice is withdrawn, OFCOM must publish a notice to that effect.

47Review of codes of practice

(1)OFCOM must keep under review each code of practice published under section 46.

(2)The Secretary of State may require OFCOM to review a terrorism or CSEA code of practice published under section 46 if the Secretary of State considers a review to be necessary for reasons of national security or public safety (and the Secretary of State must notify OFCOM whether the reasons fall into the category of national security or public safety).

(3)OFCOM must carry out a review of the code of practice under subsection (2) as soon as reasonably practicable, and when it is completed—

(a)if OFCOM consider that changes are required, they must prepare a draft of amendments to the code of practice or a draft of a replacement code of practice under section 41, or

(b)if OFCOM consider that no changes are required, they must submit to the Secretary of State a statement which explains the reasons for that conclusion.

(4)Subsection (5) applies if—

(a)OFCOM submit a statement under subsection (3)(b) to the Secretary of State,

(b)the period of 45 days beginning with the day on which the statement was submitted has elapsed, and

(c)the Secretary of State has not given a direction under section 44(5).

(5)OFCOM must publish the statement as soon as reasonably practicable after the end of the period mentioned in subsection (4)(b), making it clear which code of practice the statement relates to.

(6)In advance of publication, the Secretary of State may make representations to OFCOM about the desirability of removing or obscuring information in the statement (whether by redaction or otherwise) in order to prevent the disclosure of matters that the Secretary of State considers would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom (and see also section 116(3)).

(7)In this section “terrorism or CSEA code of practice” means a code of practice under section 41(1) or (2).

48Minor amendments of codes of practice

(1)This section applies if—

(a)OFCOM propose to amend a code of practice under section 41, and

(b)OFCOM consider that the minor nature of the proposal means that—

(i)consultation is unnecessary, and

(ii)the proposed amendments should not be required to be laid before Parliament.

(2)OFCOM must notify the Secretary of State of the proposed amendments.

(3)If the Secretary of State agrees with OFCOM that it is appropriate—

(a)the consultation requirements set out in section 41(6) and (7) do not apply in relation to the proposed amendments, and

(b)section 43 does not apply to the amendments, once prepared.

(4)If the Secretary of State agrees with OFCOM as mentioned in subsection (3), OFCOM may prepare and issue the amendments of the code of practice.

(5)Amendments of a code of practice issued under this section come into force at the end of the period of 21 days beginning with the day on which the amendments are issued.

(6)Section 46(2) applies in relation to amendments of a code of practice issued under this section as it applies in relation to amendments of a code of practice issued under section 43 or 45.

49Relationship between duties and codes of practice
Duties set out in Chapters 2 and 3

(1)A provider of a Part 3 service is to be treated as complying with a relevant duty if the provider takes or uses the measures described in a code of practice which are recommended for the purpose of compliance with the duty in question.

(2)A provider of a user-to-user service—

(a)is to be treated as complying with the duty set out in section 22(2) (freedom of expression) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect users’ right to freedom of expression within the law;

(b)is to be treated as complying with the duty set out in section 22(3) (privacy) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the privacy of users.

(3)A provider of a search service—

(a)is to be treated as complying with the duty set out in section 33(2) (freedom of expression) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the rights of users and interested persons to freedom of expression within the law;

(b)is to be treated as complying with the duty set out in section 33(3) (privacy) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the privacy of users.

Duties set out in Chapter 5

(4)A provider of a Category 1 service or a Category 2A service (or a provider of a service which is both a Category 1 service and a Category 2A service) is to be treated as complying with a duty set out in Chapter 5 if the provider takes or uses the measures described in a fraudulent advertising code of practice which are recommended for the purpose of compliance with the duty in question.

Alternative measures

(5)A provider of a Part 3 service who seeks to comply with a relevant duty by acting otherwise than by taking or using a measure described in a code of practice or a fraudulent advertising code of practice which is recommended for the purpose of compliance with the duty must have particular regard to the importance of the following (where relevant)—

(a)protecting the right of users and (in the case of search services) interested persons to freedom of expression within the law, and

(b)protecting the privacy of users.

(6)When assessing whether a provider of a Part 3 service is compliant with a relevant duty where the provider has acted otherwise than by taking or using a measure described in a code of practice or a fraudulent advertising code of practice which is recommended for the purpose of compliance with the duty, OFCOM must consider the extent to which the alternative measures taken or in use by the provider—

(a)extend across all areas of a service as mentioned in section 10(4), 12(8), 27(4) or 29(4) (if relevant to the duty in question), and

(b)(where appropriate) incorporate safeguards for the protection of the matters mentioned in subsection (5)(a) and (b).

Interpretation

(7)In subsections (1) to (4), references to taking or using measures recommended for the purpose of compliance with a duty, or to taking or using relevant recommended measures, are to taking or using such of those measures as are relevant to the provider and the service in question.

(8)In this section—

(a)references to protecting the privacy of users are to protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a user-to-user service or search service (including, but not limited to, any such provision or rule concerning the processing of personal data);

(b)references to a search service include references to a combined service (see section 7(6)).

(9)In this section—

50Effects of codes of practice

(1)A failure by a provider of a Part 3 service to act in accordance with a provision of a code of practice does not of itself make the provider liable to legal proceedings in a court or tribunal.

(2)A code of practice is admissible in evidence in legal proceedings.

(3)In any proceedings in a court or tribunal, the court or tribunal must take into account a provision of a code of practice in determining a question arising in the proceedings if—

(a)the question relates to a time when the provision was in force, and

(b)the provision appears to the court or tribunal to be relevant to the question.

(4)OFCOM must take into account a provision of a code of practice in determining a question arising in connection with their exercise of any relevant function if—

(a)the question relates to a time when the provision was in force, and

(b)the provision appears to OFCOM to be relevant to the question.

(5)In this section—

51Duties and the first codes of practice

(1)A duty mentioned in subsection (3) applies to providers of Part 3 services from the day on which a code of practice prepared under section 41(3) that is the first code of practice relating to that duty comes into force.

(2)In the case of the duties set out in sections 10 and 27, subsection (1) is subject to subsections (5) and (6).

(3)The duties referred to in subsection (1) are the duties set out in—

(a)sections 10 and 27 (illegal content),

(b)sections 12 and 29 (children’s online safety),

(c)section 15 (user empowerment),

(d)section 17 (content of democratic importance),

(e)section 19 (journalistic content),

(f)sections 20 and 31 (content reporting), and

(g)sections 21 and 32 (complaints procedures).

(4)For the purposes of subsection (1) a code of practice is the first code of practice relating to a duty if—

(a)it describes measures recommended for the purpose of compliance with that duty, and

(b)it is the first code of practice prepared under section 41(3) that describes measures for that purpose.

(5)The duties set out in sections 10 and 27, so far as relating to terrorism content or offences within Schedule 5 (terrorism offences), apply to providers of Part 3 services from the day on which the first code of practice prepared under section 41(1) comes into force.

(6)The duties set out in sections 10 and 27, so far as relating to CSEA content or offences within Schedule 6 (child sexual exploitation and abuse offences), apply to providers of Part 3 services from the day on which the first code of practice prepared under section 41(2) comes into force.

(7)The duties set out in Chapter 5 (fraudulent advertising) apply to providers of a Category 1 service and providers of a Category 2A service (and to providers of a service which is both a Category 1 service and a Category 2A service) from the day on which the first code of practice prepared under section 41(4) comes into force.

(8)In relation to the provider of a particular Part 3 service, references in this section to duties applying to providers of Part 3 services (or to providers of Category 1 services or Category 2A services) are to such duties as apply in relation to that service in accordance with sections 7 and 24 or (as the case may be) Chapter 5.

(9)This section is subject to Part 2 of Schedule 17 (video-sharing platform services: transitional provision etc).

Guidance

52OFCOM’s guidance about certain duties in Part 3

(1)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in section 14 (assessments related to the adult user empowerment duty set out in section 15(2)).

(2)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in section 18 (news publisher content).

(3)OFCOM must produce guidance for providers of Part 3 services to assist them in complying with—

(a)their duties set out in section 23 or 34, except the duty set out in section 23(10) or 34(9) (record-keeping and review), and

(b)their duties set out in section 36 (children’s access assessments).

(4)Before producing guidance under subsection (1) or (3) (including revised or replacement guidance), OFCOM must consult the Information Commissioner.

(5)OFCOM must publish guidance under this section (and any revised or replacement guidance).

53OFCOM’s guidance: content that is harmful to children and user empowerment

(1)OFCOM must produce guidance for providers of Part 3 services which contains examples of content or kinds of content that OFCOM consider to be, or consider not to be—

(a)primary priority content that is harmful to children, or

(b)priority content that is harmful to children.

(2)OFCOM must produce guidance for providers of Category 1 services which contains examples of content or kinds of content that OFCOM consider to be, or consider not to be, content to which section 15(2) applies (see section 16).

(3)Before producing any guidance under this section (including revised or replacement guidance), OFCOM must consult such persons as they consider appropriate.

(4)OFCOM must publish guidance under this section (and any revised or replacement guidance).

54OFCOM’s guidance about protecting women and girls

(1)OFCOM must produce guidance for providers of Part 3 services which focuses on content and activity—

(a)in relation to which such providers have duties set out in this Part or Part 4, and

(b)which disproportionately affects women and girls.

(2)The guidance may, among other things—

(a)contain advice and examples of best practice for assessing risks of harm to women and girls from content and activity mentioned in subsection (1), and for reducing such risks;

(b)refer to provisions contained in a code of practice under section 41 which are particularly relevant to the protection of women and girls from such content and activity.

(3)Before producing the guidance (including revised or replacement guidance), OFCOM must consult—

(a)the Commissioner for Victims and Witnesses,

(b)the Domestic Abuse Commissioner, and

(c)such other persons as OFCOM consider appropriate.

(4)OFCOM must publish the guidance (and any revised or replacement guidance).

CHAPTER 7Interpretation of Part 3

55“Regulated user-generated content”, “user-generated content”, “news publisher content”

(1)This section applies for the purposes of this Part.

(2)Regulated user-generated content”, in relation to a regulated user-to-user service, means user-generated content, except—

(a)emails,

(b)SMS messages,

(c)MMS messages,

(d)one-to-one live aural communications (see subsection (5)),

(e)comments and reviews on provider content (see subsection (6)),

(f)identifying content that accompanies content within any of paragraphs (a) to (e), and

(g)news publisher content (see subsection (8)).

(3)User-generated content”, in relation to a user-to-user service, means content—

(a)that is—

(i)generated directly on the service by a user of the service, or

(ii)uploaded to or shared on the service by a user of the service, and

(b)that may be encountered by another user, or other users, of the service by means of the service.

(4)For the purposes of subsection (3)

(a)the reference to content generated, uploaded or shared by a user includes content generated, uploaded or shared by means of software or an automated tool applied by the user;

(b)a bot or other automated tool is to be regarded as a user of a service if—

(i)the functions of the bot or tool include interacting with user-generated content, and

(ii)the bot or tool is not controlled by or on behalf of the provider of the service.

(5)One-to-one live aural communications”, in relation to a user-to-user service, means content—

(a)consisting of speech or other sounds conveyed in real time between two users of the service by means of the service,

(b)that is not a recording, and

(c)that is not accompanied by user-generated content of any other kind, except identifying content.

(6)Comments and reviews on provider content”, in relation to a user-to-user service, means content present on the service consisting of comments or reviews relating to provider content (together with any further comments on such comments or reviews).

(7)In subsection (6) “provider content” means content published on a service by the provider of the service or by a person acting on behalf of the provider, including where the publication of the content is effected or controlled by means of—

(a)software or an automated tool or algorithm applied by the provider or by a person acting on behalf of the provider, or

(b)an automated tool or algorithm made available on the service by the provider or by a person acting on behalf of the provider.

For the purposes of subsection (6), content that is user-generated content in relation to a service is not to be regarded as provider content in relation to that service.

(8)News publisher content”, in relation to a regulated user-to-user service, means any content present on the service that is within subsection (9) or (10).

(9)Content is within this subsection if it was generated directly on the service by a user of the service that is a recognised news publisher.

(10)Content is within this subsection if—

(a)the content was uploaded to or shared on the service by a user of the service, and

(b)the content either—

(i)reproduces in full an article or written item that was originally published by a recognised news publisher (and is not a screenshot or photograph of that article or item or of part of it),

(ii)is video or audio content that was originally published or broadcast by a recognised news publisher, and is not a clipped or edited form of such content (unless it is the recognised news publisher who has clipped or edited it), or

(iii)is a link to an article or item within sub-paragraph (i) or to content within sub-paragraph (ii).

(11)For the meaning of “recognised news publisher”, see section 56.

(12)In this section—

56“Recognised news publisher”

(1)In this Part, “recognised news publisher” means any of the following entities—

(a)the British Broadcasting Corporation,

(b)Sianel Pedwar Cymru,

(c)the holder of a licence under the Broadcasting Act 1990 or 1996 who publishes news-related material in connection with the broadcasting activities authorised under the licence, and

(d)any other entity which—

(i)meets all of the conditions in subsection (2),

(ii)is not an excluded entity (see subsection (3)), and

(iii)is not a sanctioned entity (see subsection (4)).

(2)The conditions referred to in subsection (1)(d)(i) are that the entity—

(a)has as its principal purpose the publication of news-related material, and such material—

(i)is created by different persons, and

(ii)is subject to editorial control,

(b)publishes such material in the course of a business (whether or not carried on with a view to profit),

(c)is subject to a standards code,

(d)has policies and procedures for handling and resolving complaints,

(e)has a registered office or other business address in the United Kingdom,

(f)is the person with legal responsibility for material published by it in the United Kingdom, and

(g)publishes—

(i)the entity’s name, the address mentioned in paragraph (e) and the entity’s registered number (if any), and

(ii)the name and address of any person who controls the entity (including, where such a person is an entity, the address of that person’s registered or principal office and that person’s registered number (if any)).

(3)An “excluded entity” is an entity—

(a)which is a proscribed organisation under the Terrorism Act 2000 (see section 3 of that Act), or

(b)the purpose of which is to support a proscribed organisation under that Act.

(4)A “sanctioned entity” is an entity which—

(a)is designated by name under a power contained in regulations under section 1 of the Sanctions and Anti-Money Laundering Act 2018 that authorises the Secretary of State or the Treasury to designate persons for the purposes of the regulations or of any provisions of the regulations, or

(b)is a designated person under any provision included in such regulations by virtue of section 13 of that Act (persons named by or under UN Security Council Resolutions).

(5)For the purposes of subsection (2)

(a)news-related material is “subject to editorial control” if there is a person (whether or not the publisher of the material) who has editorial or equivalent responsibility for the material, including responsibility for how it is presented and the decision to publish it;

(b)control” has the same meaning as it has in the Broadcasting Act 1990 by virtue of section 202 of that Act.

(6)In this section—

57“Search content”, “search results” etc

(1)This section applies for the purposes of this Part.

(2)Search content” means content that may be encountered in or via search results of a search service, except—

(a)paid-for advertisements (see section 236),

(b)content on the website of a recognised news publisher (see section 56), and

(c)content that—

(i)reproduces in full an article or written item that was originally published by a recognised news publisher (and is not a screenshot or photograph of that article or item or of part of it),

(ii)is video or audio content that was originally published or broadcast by a recognised news publisher, and is not a clipped or edited form of such content (unless it is the recognised news publisher who has clipped or edited it), or

(iii)is a link to an article or item within sub-paragraph (i) or to content within sub-paragraph (ii).

(3)Search results”, in relation to a search service, means content presented to a user of the service by operation of the search engine in response to a search request made by the user.

(4)Search” means search by any means, including by input of text or images or by speech, and references to a search request are to be construed accordingly.

(5)In subsection (2), the reference to encountering content “via search results”—

(a)is to encountering content as a result of interacting with search results (for example, by clicking on them);

(b)does not include a reference to encountering content as a result of subsequent interactions with an internet service other than the search service.

(6)In this section references to a search service include references to a user-to-user service that includes a search engine.

58Restricting users’ access to content

(1)This section applies for the purposes of this Part.

(2)References to restricting users’ access to content, and related references, include any case where a provider takes or uses a measure which has the effect that—

(a)a user is unable to access content without taking a prior step (whether or not taking that step might result in access being denied), or

(b)content is temporarily hidden from a user.

(3)But such references do not include any case where—

(a)the effect mentioned in subsection (2) results from the voluntary use or application by a user of features, functionalities or settings which a provider includes in a service (for example, features, functionalities or settings included in compliance with the duty set out in section 15(2) or (9) (user empowerment)), or

(b)access to content is controlled by another user, rather than the provider.

(4)See also section 236(6).

59“Illegal content” etc

(1)This section applies for the purposes of this Part.

(2)Illegal content” means content that amounts to a relevant offence.

(3)Content consisting of certain words, images, speech or sounds amounts to a relevant offence if—

(a)the use of the words, images, speech or sounds amounts to a relevant offence,

(b)the possession, viewing or accessing of the content constitutes a relevant offence, or

(c)the publication or dissemination of the content constitutes a relevant offence.

(4)Relevant offence” means—

(a)a priority offence, or

(b)an offence within subsection (5).

(5)An offence is within this subsection if—

(a)it is not a priority offence,

(b)the victim or intended victim of the offence is an individual (or individuals), and

(c)the offence is created by this Act or, before or after this Act is passed, by—

(i)another Act,

(ii)an Order in Council,

(iii)an order, rules or regulations made under an Act by the Secretary of State or other Minister of the Crown, including such an instrument made jointly with a devolved authority, or

(iv)devolved subordinate legislation made by a devolved authority with the consent of the Secretary of State or other Minister of the Crown.

(6)But an offence is not within subsection (5) if—

(a)the offence concerns—

(i)the infringement of intellectual property rights,

(ii)the safety or quality of goods (as opposed to what kind of goods they are), or

(iii)the performance of a service by a person not qualified to perform it; or

(b)it is an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277).

(7)Priority offence” means—

(a)an offence specified in Schedule 5 (terrorism offences),

(b)an offence specified in Schedule 6 (offences related to child sexual exploitation and abuse), or

(c)an offence specified in Schedule 7 (other priority offences).

(8)Terrorism content” means content that amounts to an offence specified in Schedule 5.

(9)CSEA content” means content that amounts to an offence specified in Schedule 6.

(10)Priority illegal content” means—

(a)terrorism content,

(b)CSEA content, and

(c)content that amounts to an offence specified in Schedule 7.

(11)For the purposes of determining whether content amounts to an offence, no account is to be taken of whether or not anything done in relation to the content takes place in any part of the United Kingdom.

(12)References in subsection (3) to conduct of particular kinds are not to be taken to prevent content generated by a bot or other automated tool from being capable of amounting to an offence (see also section 192(7) (providers’ judgements about the status of content)).

(13)Subsection (14) applies in relation to a regulated user-to-user service (but, in the case of a combined service, does not apply in relation to the search content of the service).

(14)References to “illegal content”, “terrorism content”, “CSEA content” and “priority illegal content” are to be read as—

(a)limited to content within the definition in question that is regulated user-generated content in relation to the service, and

(b)including material which, if it were present on the service, would be content within paragraph (a) (and this section is to be read with such modifications as may be necessary for the purpose of this paragraph).

(15)In this section—

(16)See also section 192 (providers’ judgements about the status of content).

60“Content that is harmful to children”

(1)This section and sections 61 and 62 apply for the purposes of this Part.

(2)Content that is harmful to children” means—

(a)primary priority content that is harmful to children (see section 61),

(b)priority content that is harmful to children (see section 62), or

(c)content, not within paragraph (a) or (b), of a kind which presents a material risk of significant harm to an appreciable number of children in the United Kingdom.

(3)Content is not to be regarded as within subsection (2)(c) if the risk of harm flows from—

(a)the content’s potential financial impact,

(b)the safety or quality of goods featured in the content, or

(c)the way in which a service featured in the content may be performed (for example, in the case of the performance of a service by a person not qualified to perform it).

(4)Non-designated content that is harmful to children” means content within subsection (2)(c).

(5)Subsection (6) applies in relation to a regulated user-to-user service (but, in the case of a combined service, does not apply in relation to the search content of the service).

(6)References to “primary priority content that is harmful to children”, “priority content that is harmful to children”, “content that is harmful to children” and “non-designated content that is harmful to children” are to be read as—

(a)limited to content within the definition in question that is regulated user-generated content in relation to the service, and

(b)including material which, if it were present on the service, would be content within paragraph (a) (and this section and sections 61 and 62 are to be read with such modifications as may be necessary for the purpose of this paragraph).

61“Primary priority content that is harmful to children”

(1)Primary priority content that is harmful to children” means content of any of the following kinds.

(2)Pornographic content, other than content within subsection (6).

(3)Content which encourages, promotes or provides instructions for suicide.

(4)Content which encourages, promotes or provides instructions for an act of deliberate self-injury.

(5)Content which encourages, promotes or provides instructions for an eating disorder or behaviours associated with an eating disorder.

(6)Content is within this subsection if it—

(a)consists only of text, or

(b)consists only of text accompanied by—

(i)identifying content which consists only of text,

(ii)other identifying content which is not itself pornographic content,

(iii)a GIF which is not itself pornographic content,

(iv)an emoji or other symbol, or

(v)any combination of content mentioned in sub-paragraphs (i) to (iv).

(7)In this section and section 62 “injury” includes poisoning.

62“Priority content that is harmful to children”

(1)Priority content that is harmful to children” means content of any of the following kinds.

(2)Content which is abusive and which targets any of the following characteristics—

(a)race,

(b)religion,

(c)sex,

(d)sexual orientation,

(e)disability, or

(f)gender reassignment.

(3)Content which incites hatred against people—

(a)of a particular race, religion, sex or sexual orientation,

(b)who have a disability, or

(c)who have the characteristic of gender reassignment.

(4)Content which encourages, promotes or provides instructions for an act of serious violence against a person.

(5)Bullying content.

(6)Content which—

(a)depicts real or realistic serious violence against a person;

(b)depicts the real or realistic serious injury of a person in graphic detail.

(7)Content which—

(a)depicts real or realistic serious violence against an animal;

(b)depicts the real or realistic serious injury of an animal in graphic detail;

(c)realistically depicts serious violence against a fictional creature or the serious injury of a fictional creature in graphic detail.

(8)Content which encourages, promotes or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else.

(9)Content which encourages a person to ingest, inject, inhale or in any other way self-administer—

(a)a physically harmful substance;

(b)a substance in such a quantity as to be physically harmful.

(10)In subsections (2) and (3)—

(a)disability” means any physical or mental impairment;

(b)race” includes colour, nationality, and ethnic or national origins;

(c)references to religion include references to a lack of religion.

(11)For the purposes of subsection (3), a person has the characteristic of gender reassignment if the person is proposing to undergo, is undergoing or has undergone a process (or part of a process) for the purpose of reassigning the person’s sex by changing physiological or other attributes of sex, and the reference to gender reassignment in subsection (2) is to be construed accordingly.

(12)For the purposes of subsection (5) content may, in particular, be “bullying content” if it is content targeted against a person which—

(a)conveys a serious threat;

(b)is humiliating or degrading;

(c)forms part of a campaign of mistreatment.

(13)In subsection (6) “person” is not limited to a real person.

(14)In subsection (7) “animal” is not limited to a real animal.

63Content harmful to children: OFCOM’s review and report

(1)OFCOM must carry out reviews of—

(a)the incidence on regulated user-to-user services of content that is harmful to children,

(b)the incidence on regulated search services and combined services of search content that is harmful to children, and

(c)the severity of harm that children in the United Kingdom suffer, or may suffer, as a result of those kinds of content.

(2)OFCOM must produce and publish a report on the outcome of each review.

(3)The report must include advice as to whether, in OFCOM’s opinion, it is appropriate to make changes to sections 61 and 62, specifying the changes that OFCOM recommend.

(4)The reports must be published not more than three years apart.

(5)The first report must be published before the end of the period of three years beginning with the day on which this Act is passed.

(6)OFCOM must send a copy of each report to the Secretary of State.

PART 4Other duties of providers of regulated user-to-user services and regulated search services

CHAPTER 1User identity verification

64User identity verification

(1)A provider of a Category 1 service must offer all adult users of the service the option to verify their identity (if identity verification is not required for access to the service).

(2)The verification process may be of any kind (and in particular, it need not require documentation to be provided).

(3)A provider of a Category 1 service must include clear and accessible provisions in the terms of service explaining how the verification process works.

(4)If a person is the provider of more than one Category 1 service, the duties set out in this section apply in relation to each such service.

(5)The duty set out in subsection (1) applies in relation to all adult users, not just those who begin to use a service after that duty begins to apply.

(6)The duties set out in this section extend only to—

(a)the user-to-user part of a service, and

(b)the design, operation and use of a service in the United Kingdom.

(7)For the purposes of this section a person is an “adult user” of a service if the person is an adult in the United Kingdom who—

(a)is a user of the service, or

(b)seeks to begin to use the service (for example by setting up an account).

(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).

65OFCOM’s guidance about user identity verification

(1)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with the duty set out in section 64(1).

(2)In producing the guidance (including revised or replacement guidance), OFCOM must have particular regard to the desirability of ensuring that providers of Category 1 services offer users a form of identity verification likely to be available to vulnerable adult users.

(3)Before producing the guidance (including revised or replacement guidance), OFCOM must consult—

(a)the Information Commissioner,

(b)persons whom OFCOM consider to have technological expertise relevant to the duty set out in section 64(1),

(c)persons who appear to OFCOM to represent the interests of vulnerable adult users of Category 1 services, and

(d)such other persons as OFCOM consider appropriate.

(4)OFCOM must publish the guidance (and any revised or replacement guidance).

CHAPTER 2Reporting child sexual exploitation and abuse content

66Requirement to report CSEA content to the NCA

(1)A UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported CSEA content present on the service to the NCA.

(2)A non-UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked CSEA content present on the service to the NCA (and does not report to the NCA CSEA content which is not UK-linked).

(3)A UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported CSEA content present on websites or databases capable of being searched by the search engine to the NCA.

(4)A non-UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked CSEA content present on websites or databases capable of being searched by the search engine to the NCA (and does not report to the NCA CSEA content which is not UK-linked).

(5)A UK provider of a combined service must comply with the requirement under subsection (3) in relation to the search engine of the service.

(6)A non-UK provider of a combined service must comply with the requirement under subsection (4) in relation to the search engine of the service.

(7)Providers’ reports under this section—

(a)must meet the requirements set out in regulations under section 67, and

(b)must be sent to the NCA in the manner, and within the time frames, set out in those regulations.

(8)If a person is the provider of more than one regulated user-to-user service or regulated search service, requirements under this section apply in relation to each such service.

(9)Terms used in this section are defined in section 70.

(10)This section applies only in relation to CSEA content detected on or after the date on which this section comes into force.

67Regulations about reports to the NCA

(1)The Secretary of State must make regulations in connection with the reports that are to be made to the NCA (including by non-UK providers) as required by section 66.

(2)The regulations may make provision about—

(a)the information to be included in the reports,

(b)the format of the reports,

(c)the manner in which the reports must be sent to the NCA,

(d)the time frames for sending the reports to the NCA (including provision about cases of particular urgency),

(e)the records that providers must keep in relation to the reports, or the details that providers must retain as evidence that they have made the reports, and

(f)such other matters relating to the reports as the Secretary of State considers appropriate.

(3)The regulations may also—

(a)require providers to retain, for a specified period, data of a specified description associated with a report, and

(b)impose restrictions or requirements in relation to the retention of such data (including how the data is to be secured or stored or who may access the data).

(4)The power to require the retention of data associated with a report includes power to require the retention of—

(a)content generated, uploaded or shared by any user mentioned in the report (or metadata relating to such content), and

(b)user data relating to any such person (or metadata relating to such data).

“User data” here has the meaning given by section 231.

(5)Before making regulations under this section, the Secretary of State must consult—

(a)the NCA,

(b)OFCOM, and

(c)such other persons as the Secretary of State considers appropriate.

68NCA: information sharing

In section 16 of the Crime and Courts Act 2013 (interpretation of Part 1), in subsection (1), in the definition of “permitted purpose”, after paragraph (o) insert—

(oa)the exercise of any function of OFCOM (the Office of Communications) under the Online Safety Act 2023;.

69Offence in relation to CSEA reporting

(1)A person commits an offence if, in purported compliance with a requirement under section 66—

(a)the person provides information that is false in a material respect, and

(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.

(2)A person who commits an offence under this section is liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

70Interpretation of this Chapter

(1)This section applies for the purposes of this Chapter.

(2)A provider of a regulated user-to-user service or a regulated search service is a “UK provider” of the service if the provider is—

(a)an individual or individuals who are habitually resident in the United Kingdom, or

(b)an entity incorporated or formed under the law of any part of the United Kingdom.

(3)Otherwise, a provider of a regulated user-to-user service or a regulated search service is a “non-UK provider” of the service.

(4)CSEA content is “detected” by a provider when the provider becomes aware of the content, whether by means of the provider’s systems or processes or as a result of another person alerting the provider.

(5)CSEA content is “unreported”, in relation to a provider, if the reporting of that content is not covered by arrangements (mandatory or voluntary)—

(a)by which the provider reports content relating to child sexual exploitation or abuse to a foreign agency, or

(b)by which an entity that is a group undertaking in relation to the provider reports content relating to child sexual exploitation or abuse to—

(i)the NCA, or

(ii)a foreign agency.

(6)CSEA content is “UK-linked” if a provider has evidence of a link between the content and the United Kingdom, based on any of the following—

(a)the place where the content was published, generated, uploaded or shared;

(b)the nationality of a person suspected of committing the related offence;

(c)the location of a person suspected of committing the related offence;

(d)the location of a child who is a suspected victim of the related offence.

For the purposes of paragraphs (b), (c) and (d) an offence is “related” to CSEA content if the content amounts to that offence (construed in accordance with section 59: see subsections (3), (11) and (12) of that section).

(7)In this Chapter—

(8)Sections 1161(5) and 1162 of, and Schedule 7 to, the Companies Act 2006—

(a)are to apply in relation to an entity which is not an undertaking (as defined in section 1161(1) of that Act) as they apply in relation to an undertaking, and

(b)are to be read with any necessary modifications if applied to an entity formed under the law of a country outside the United Kingdom.

CHAPTER 3Terms of service: transparency, accountability and freedom of expression

71Duty not to act against users except in accordance with terms of service

(1)A provider of a Category 1 service must operate the service using proportionate systems and processes designed to ensure that the provider does not—

(a)take down regulated user-generated content from the service,

(b)restrict users’ access to regulated user-generated content, or

(c)suspend or ban users from using the service,

except in accordance with the terms of service.

(2)Nothing in subsection (1) is to be read as preventing a provider from taking down content from a service or restricting users’ access to it, or suspending or banning a user, if such an action is taken—

(a)to comply with the duties set out in—

(i)section 10(2) or (3) (protecting individuals from illegal content), or

(ii)section 12(2) or (3) (protecting children from content that is harmful to children), or

(b)to avoid criminal or civil liability on the part of the provider that might reasonably be expected to arise if such an action were not taken.

(3)In addition, nothing in subsection (1) is to be read as preventing a provider from—

(a)taking down content from a service or restricting users’ access to it on the basis that a user has committed an offence in generating, uploading or sharing it on the service, or

(b)suspending or banning a user on the basis that—

(i)the user has committed an offence in generating, uploading or sharing content on the service, or

(ii)the user is responsible for, or has facilitated, the presence or attempted placement of a fraudulent advertisement on the service.

(4)The duty set out in subsection (1) does not apply in relation to—

(a)consumer content (see section 74);

(b)terms of service which deal with the treatment of consumer content.

(5)If a person is the provider of more than one Category 1 service, the duty set out in subsection (1) applies in relation to each such service.

(6)The duty set out in subsection (1) extends only to the design, operation and use of a service in the United Kingdom, and references in this section to users are to United Kingdom users of a service.

(7)In this section—

(8)See also section 18 (duties to protect news publisher content).

72Further duties about terms of service

All services

(1)A provider of a regulated user-to-user service must include clear and accessible provisions in the terms of service informing users about their right to bring a claim for breach of contract if—

(a)regulated user-generated content which they generate, upload or share is taken down, or access to it is restricted, in breach of the terms of service, or

(b)they are suspended or banned from using the service in breach of the terms of service.

Category 1 services

(2)The duties set out in subsections (3) to (7) apply in relation to a Category 1 service, and references in subsections (3) to (9) to “provider” and “service” are to be read accordingly.

(3)A provider must operate a service using proportionate systems and processes designed to ensure that—

(a)if the terms of service indicate (in whatever words) that the presence of a particular kind of regulated user-generated content is prohibited on the service, the provider takes down such content;

(b)if the terms of service state that the provider will restrict users’ access to a particular kind of regulated user-generated content in a specified way, the provider does restrict users’ access to such content in that way;

(c)if the terms of service state cases in which the provider will suspend or ban a user from using the service, the provider does suspend or ban the user in those cases.

(4)A provider must ensure that—

(a)terms of service which make provision about the provider taking down regulated user-generated content from the service or restricting users’ access to such content, or suspending or banning a user from using the service, are—

(i)clear and accessible, and

(ii)written in sufficient detail to enable users to be reasonably certain whether the provider would be justified in taking the specified action in a particular case, and

(b)those terms of service are applied consistently.

(5)A provider must operate a service using systems and processes that allow users and affected persons to easily report—

(a)content which they consider to be relevant content (see section 74);

(b)a user who they consider should be suspended or banned from using the service in accordance with the terms of service.

(6)A provider must operate a complaints procedure in relation to a service that—

(a)allows for complaints of a kind mentioned in subsection (8) to be made,

(b)provides for appropriate action to be taken by the provider of the service in response to complaints of those kinds, and

(c)is easy to access, easy to use (including by children) and transparent.

(7)A provider must include in the terms of service provisions which are easily accessible (including to children) specifying the policies and processes that govern the handling and resolution of complaints of a kind mentioned in subsection (8).

(8)The kinds of complaints referred to in subsections (6) and (7) are—

(a)complaints by users and affected persons about content present on a service which they consider to be relevant content;

(b)complaints by users and affected persons if they consider that the provider is not complying with a duty set out in any of subsections (1) or (3) to (5);

(c)complaints by a user who has generated, uploaded or shared content on a service if that content is taken down, or access to it is restricted, on the basis that it is relevant content;

(d)complaints by users who have been suspended or banned from using a service.

(9)The duties set out in subsections (3) and (4) do not apply in relation to terms of service which—

(a)make provision of the kind mentioned in section 10(5) (protecting individuals from illegal content) or 12(9) (protecting children from content that is harmful to children), or

(b)deal with the treatment of consumer content.

Further provision

(10)If a person is the provider of more than one regulated user-to-user service or Category 1 service, the duties set out in this section apply in relation to each such service.

(11)The duties set out in this section extend only to the design, operation and use of a service in the United Kingdom, and references to users are to United Kingdom users of a service.

(12)See also section 18 (duties to protect news publisher content).

73OFCOM’s guidance about duties set out in sections 71 and 72

(1)OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in sections 71 and 72(3) to (7).

(2)OFCOM must publish the guidance (and any revised or replacement guidance).

74Interpretation of this Chapter

(1)This section applies for the purposes of this Chapter.

(2)Regulated user-generated content” has the same meaning as in Part 3 (see section 55), and references to such content are to content that is regulated user-generated content in relation to the service in question.

(3)Consumer content” means—

(a)regulated user-generated content that constitutes, or is directly connected with content that constitutes, an offer to sell goods or to supply services,

(b)regulated user-generated content that amounts to an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277) (construed in accordance with section 59: see subsections (3), (11) and (12) of that section), or

(c)any other regulated user-generated content in relation to which an enforcement authority has functions under those Regulations (see regulation 19 of those Regulations).

(4)References to restricting users’ access to content, and related references, are to be construed in accordance with sections 58 and 236(6).

(5)Content of a particular kind is “relevant content” if—

(a)a term of service, other than a term of service mentioned in section 72(9), indicates (in whatever words) that the presence of content of that kind is prohibited on the service or that users’ access to content of that kind is restricted, and

(b)it is regulated user-generated content.

References to relevant content are to content that is relevant content in relation to the service in question.

(6)Affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—

(a)the subject of the content,

(b)a member of a class or group of people with a certain characteristic targeted by the content,

(c)a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or

(d)an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.

(7)In determining what is proportionate for the purposes of sections 71 and 72, the size and capacity of the provider of a service is, in particular, relevant.

(8)For the meaning of “Category 1 service”, see section 95 (register of categories of services).

CHAPTER 4Deceased Child Users

75Disclosure of information about use of service by deceased child users

(1)A provider of a relevant service must make it clear in the terms of service what their policy is about dealing with requests from parents of a deceased child for information about the child’s use of the service.

(2)A provider of a relevant service must have a dedicated helpline or section of the service, or some similar means, by which parents can easily find out what they need to do to obtain information and updates in those circumstances, and the terms of service must provide details.

(3)A provider of a relevant service must include clear and accessible provisions in the terms of service—

(a)specifying the procedure for parents of a deceased child to request information about the child’s use of the service,

(b)specifying what evidence (if any) the provider will require about the parent’s identity or relationship to the child, and

(c)giving sufficient detail to enable child users and their parents to be reasonably certain about what kinds of information would be disclosed and how information would be disclosed.

(4)A provider of a relevant service must respond in a timely manner to requests from parents of a deceased child for information about the child’s use of the service or for updates about the progress of such information requests.

(5)A provider of a relevant service must operate a complaints procedure in relation to the service that—

(a)allows for complaints to be made by parents of a deceased child who consider that the provider is not complying with a duty set out in any of subsections (1) to (4),

(b)provides for appropriate action to be taken by the provider of the service in response to such complaints, and

(c)is easy to access, easy to use and transparent.

(6)A provider of a relevant service must include in the terms of service provisions which are easily accessible specifying the policies and processes that govern the handling and resolution of such complaints.

(7)If a person is the provider of more than one relevant service, the duties set out in this section apply in relation to each such service.

(8)The duties set out in this section extend only to the design, operation and use of a service in the United Kingdom, and references in this section to children are to children in the United Kingdom.

(9)A “relevant service” means—

(a)a Category 1 service (see section 95(10)(a));

(b)a Category 2A service (see section 95(10)(b));

(c)a Category 2B service (see section 95(10)(c)).

(10)In this section “parent”, in relation to a child, includes any person who is not the child’s parent but who—

(a)has parental responsibility for the child within the meaning of section 3 of the Children Act 1989 or Article 6 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)), or

(b)has parental responsibilities in relation to the child within the meaning of section 1(3) of the Children (Scotland) Act 1995.

(11)In the application of this section to a Category 2A service, references to the terms of service include references to a publicly available statement.

76OFCOM’s guidance about duties set out in section 75

(1)OFCOM must produce guidance for providers of relevant services to assist them in complying with their duties set out in section 75.

(2)OFCOM must publish the guidance (and any revised or replacement guidance).

(3)In this section “relevant service” has the meaning given by section 75.

CHAPTER 5Transparency reporting

77Transparency reports about certain Part 3 services

(1)Once a year, OFCOM must give every provider of a relevant service a notice which requires the provider to produce a report about the service (a “transparency report”).

(2)If a person is the provider of more than one relevant service, a notice must be given to the provider in respect of each such service.

(3)In response to a notice relating to a relevant service, the provider of the service must produce a transparency report which must—

(a)contain information of a kind specified or described in the notice,

(b)be in the format specified in the notice,

(c)be submitted to OFCOM by the date specified in the notice, and

(d)be published in the manner and by the date specified in the notice.

(4)A provider must ensure that the information provided in a transparency report is—

(a)complete, and

(b)accurate in all material respects.

(5)A “relevant service” means—

(a)a Category 1 service (see section 95(10)(a));

(b)a Category 2A service (see section 95(10)(b));

(c)a Category 2B service (see section 95(10)(c)).

(6)In a notice which relates to a Category 1 service or a Category 2B service, OFCOM may only specify or describe user-to-user information.

But in the case of a service described in subsection (9), that subsection applies instead.

(7)In a notice which relates to a regulated search service that is a Category 2A service, OFCOM may only specify or describe search engine information.

(8)In a notice which relates to a combined service that is a Category 2A service, and is not also a Category 1 service or a Category 2B service, OFCOM may only specify or describe search engine information.

(9)In a notice which relates to a combined service that is a Category 2A service, as well as being a Category 1 service or a Category 2B service, OFCOM may specify or describe user-to-user information or search engine information, or both those kinds of information.

(10)In subsections (6) to (9)

(a)user-to-user information” means information which—

(i)is about the matters listed in Part 1 of Schedule 8, and

(ii)relates to the user-to-user part of a service;

(b)search engine information” means information which—

(i)is about the matters listed in Part 2 of Schedule 8, and

(ii)relates to the search engine of a service.

(11)Part 3 of Schedule 8 makes further provision about transparency reports.

(12)The Secretary of State may by regulations amend subsection (1) so as to change the frequency of the transparency reporting process.

(13)The Secretary of State must consult OFCOM before making regulations under subsection (12).

(14)In this section “notice” means a notice under subsection (1).

78OFCOM’s guidance about transparency reports

(1)OFCOM must produce guidance about—

(a)how OFCOM will determine which information they will require transparency reports under section 77 to contain, including—

(i)the principles that they will apply in relation to each of the factors mentioned in paragraph 37 of Schedule 8, and

(ii)the steps that they will take to engage with providers of relevant services before requiring information in a notice under section 77(1);

(b)how information from transparency reports produced by providers of relevant services under section 77 will be used to produce OFCOM’s transparency reports (see section 159); and

(c)any other matter that OFCOM consider to be relevant to the production and publication of transparency reports under section 77 or 159.

(2)Before producing the guidance (including revised or replacement guidance), OFCOM must consult such of the following as they consider appropriate—

(a)providers of regulated user-to-user services, and of regulated search services,

(b)persons who appear to OFCOM to represent such providers,

(c)persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),

(d)persons whom OFCOM consider to have expertise in equality issues and human rights, in particular—

(i)the right to freedom of expression set out in Article 10 of the Convention, and

(ii)the right to respect for a person’s private and family life, home and correspondence set out in Article 8 of the Convention,

(e)the Information Commissioner,

(f)persons who appear to OFCOM to represent the interests of those with protected characteristics (within the meaning of Part 2 of the Equality Act 2010), and

(g)persons whom OFCOM consider to have expertise in the enforcement of the criminal law and the protection of national security that is relevant to online safety matters,

and OFCOM must also consult such other persons as OFCOM consider appropriate.

(3)OFCOM must publish the guidance (and any revised or replacement guidance).

(4)In exercising their functions under section 77 or 159, OFCOM must have regard to the guidance for the time being published under this section.

(5)In this section, “relevant service” has the same meaning as in section 77 (see subsection (5) of that section).

PART 5Duties of providers of regulated services: certain pornographic content

79“Provider pornographic content” and “regulated provider pornographic content”

(1)This section applies for the purposes of this Part.

(2)Provider pornographic content”, in relation to an internet service, means pornographic content that is published or displayed on the service by the provider of the service or by a person acting on behalf of the provider, including pornographic content published or displayed on the service by means of—

(a)software or an automated tool or algorithm applied by the provider or by a person acting on behalf of the provider, or

(b)an automated tool or algorithm made available on the service by the provider or by a person acting on behalf of the provider.

(3)Regulated provider pornographic content”, in relation to an internet service, means provider pornographic content other than content within subsection (4) or (5).

(4)Content is within this subsection if it—

(a)consists only of text, or

(b)consists only of text accompanied by—

(i)a GIF which is not itself pornographic content,

(ii)an emoji or other symbol, or

(iii)a combination of content mentioned in sub-paragraphs (i) and (ii).

(5)Content is within this subsection if it consists of a paid-for advertisement (see section 236).

(6)References to pornographic content that is “published or displayed” on a service—

(a)include, in particular—

(i)references to pornographic content that is only visible or audible to users as a result of interacting with content that is blurred, distorted or obscured (for example, by clicking on such content), but only where the pornographic content is present on the service,

(ii)references to pornographic content that is embedded on the service, and

(iii)references to pornographic content that is generated on the service by means of an automated tool or algorithm in response to a prompt by a user and is only visible or audible to that user (no matter for how short a time);

(b)do not include references to pornographic content that appears in search results of a search service or a combined service.

(7)Pornographic content that is user-generated content in relation to an internet service is not to be regarded as provider pornographic content in relation to that service.

(8)In this section—

80Scope of duties about regulated provider pornographic content

(1)A provider of an internet service within subsection (2) must comply with the duties set out in section 81 in relation to the service.

(2)An internet service is within this subsection if—

(a)regulated provider pornographic content is published or displayed on the service,

(b)the service is not exempt, and

(c)the service has links with the United Kingdom.

(3)A service is “exempt” for the purposes of this Part if it is —

(a)a user-to-user service or a search service of a description that is exempt as provided for by Schedule 1, or

(b)an internet service of a kind described in Schedule 9.

(4)A service “has links with the United Kingdom” for the purposes of this Part if either of the following conditions is met in relation to the service—

(a)the service has a significant number of United Kingdom users, or

(b)United Kingdom users form one of the target markets for the service (or the only target market).

(5)This Part does not apply in relation to a part of a regulated service if—

(a)in the case of a Part 3 service, the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met in relation to that part;

(b)in the case of an internet service other than a Part 3 service, the conditions in paragraph 1(2) of Schedule 9 (internal business service conditions) are met in relation to that part.

(6)This Part does not apply in relation to a part of a regulated service if that part is an on-demand programme service within the meaning of section 368A of the Communications Act.

(7)If a person is the provider of more than one internet service within subsection (2), the duties set out in section 81 apply in relation to each such service.

(8)The duties set out in section 81 extend only to the design, operation and use of an internet service in the United Kingdom.

81Duties about regulated provider pornographic content

(1)This section sets out the duties which apply in relation to internet services within section 80(2).

(2)A duty to ensure, by the use of age verification or age estimation (or both), that children are not normally able to encounter content that is regulated provider pornographic content in relation to the service.

(3)The age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child.

(4)In relation to the duty set out in subsection (2), a duty to make and keep a written record, in an easily understandable form, of—

(a)the kinds of age verification or age estimation used, and how they are used, and

(b)the way in which the provider, when deciding on the kinds of age verification or age estimation and how they should be used, has had regard to the importance of protecting United Kingdom users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a regulated service (including, but not limited to, any such provision or rule concerning the processing of personal data).

(5)A duty to summarise the written record in a publicly available statement, so far as the record concerns compliance with the duty set out in subsection (2), including details about which kinds of age verification or age estimation a provider is using and how they are used.

82OFCOM’s guidance about duties set out in section 81

(1)OFCOM must produce guidance for providers of internet services within section 80(2) to assist them in complying with their duties set out in section 81.

(2)The guidance must include—

(a)examples of kinds and uses of age verification and age estimation that are, or are not, highly effective at correctly determining whether or not a particular user is a child,

(b)examples of ways in which a provider may have regard to the importance of protecting users as mentioned in section 81(4)(b),

(c)principles that OFCOM propose to apply when determining whether a provider has complied with each of the duties set out in section 81, and

(d)examples of circumstances in which OFCOM are likely to consider that a provider has not complied with each of those duties.

(3)The guidance may elaborate on the following principles governing the use of age verification or age estimation for the purpose of compliance with the duty set out in section 81(2)

(a)the principle that age verification or age estimation should be easy to use;

(b)the principle that age verification or age estimation should work effectively for all users regardless of their characteristics or whether they are members of a certain group;

(c)the principle of interoperability between different kinds of age verification or age estimation.

(4)The guidance may refer to industry or technical standards for age verification or age estimation (where they exist).

(5)Before producing the guidance (including revised or replacement guidance), OFCOM must consult—

(a)the Secretary of State,

(b)persons who appear to OFCOM to represent providers of internet services within section 80(2),

(c)persons who appear to OFCOM to represent adult users of internet services within section 80(2),

(d)persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),

(e)the Information Commissioner,

(f)persons whom OFCOM consider to have expertise in innovation, or emerging technology, that is relevant to online safety matters, and

(g)such other persons as OFCOM consider appropriate.

(6)But if OFCOM propose to revise the guidance, and consider that the minor nature of the proposal means that consultation is unnecessary—

(a)OFCOM must notify the Secretary of State of the proposed changes, and

(b)if the Secretary of State agrees that it is appropriate, the consultation requirements set out in subsection (5) do not apply in relation to the proposed changes.

(7)OFCOM must keep the guidance under review.

(8)OFCOM must publish the guidance (and any revised or replacement guidance).

PART 6Duties of providers of regulated services: fees

83Duty to notify OFCOM

(1)A provider of a regulated service must notify OFCOM in relation to a charging year which is—

(a)the first fee-paying year in relation to that provider, or

(b)any charging year after the first fee-paying year where—

(i)the previous charging year was not a fee-paying year in relation to the provider, and the charging year in question is a fee-paying year in relation to the provider, or

(ii)the previous charging year was a fee-paying year in relation to the provider, and the charging year in question is not a fee-paying year in relation to the provider.

(2)A “fee-paying year”, in relation to a provider, means a charging year where both of the following conditions apply—

(a)the provider’s qualifying worldwide revenue for the qualifying period that relates to that charging year is equal to or greater than the threshold figure that has effect for that charging year (see section 86), and

(b)the provider is not exempt (see subsection (6)).

(3)A notification under subsection (1) in relation to a charging year must include details of all regulated services provided by the provider, and where it is a notification under subsection (1)(a) or (b)(i), it must also include—

(a)details of the provider’s qualifying worldwide revenue for the qualifying period that relates to that charging year, and

(b)supporting evidence, documents or other information as required by regulations made by OFCOM under section 85.

(4)Section 85 confers power on OFCOM to make regulations about the determination of a provider’s qualifying worldwide revenue, and the meaning of “qualifying period”, for the purposes of this Part.

(5)A notification under subsection (1) must be provided to OFCOM—

(a)in relation to the initial charging year, within four months of the date on which the first regulations under section 86 come into force (first threshold figure);

(b)in relation to subsequent charging years, at least six months before the beginning of the charging year to which the notification relates.

(6)OFCOM may provide that particular descriptions of providers of regulated services are exempt for the purposes of this section and section 84 where—

(a)OFCOM consider that an exemption for such providers is appropriate, and

(b)the Secretary of State approves the exemption.

(7)OFCOM may revoke such an exemption where they consider that it is no longer appropriate and the Secretary of State approves the revocation.

(8)Exemptions, or revocations of exemptions, which are approved by the Secretary of State are to take effect from the beginning of a particular charging year.

(9)Details of an exemption or revocation must be published by OFCOM at least six months before the beginning of the first charging year for which the exemption or revocation is to have effect.

(10)But subsection (9) does not apply in relation to any exemptions which are to have effect for the initial charging year.

(11)For the purposes of this section and section 84, the “provider” of a regulated service, in relation to a charging year, includes a person who is the provider of the service for part of that year.

84Duty to pay fees

(1)OFCOM may require a provider of a regulated service to pay a fee in respect of a charging year which is a fee-paying year.

(2)Where OFCOM require a provider of a regulated service to pay a fee in respect of a charging year, the fee is to be equal to the amount produced by a computation—

(a)made by reference to—

(i)the provider’s qualifying worldwide revenue for the qualifying period relating to that charging year, and

(ii)any other factors that OFCOM consider appropriate, and

(b)made in the manner that OFCOM consider appropriate.

(3)For the purposes of this section and section 83—

(a)the amount of a provider’s qualifying worldwide revenue for a qualifying period, or

(b)the amount of a fee to be paid to OFCOM, or of an instalment of such a fee,

is, in the event of a disagreement between the provider and OFCOM, the amount determined by OFCOM.

(4)When determining fees payable under this section, OFCOM must do so in accordance with a statement of principles as mentioned in section 88(1).

(5)Where a person is the provider of a regulated service for part of a charging year only, OFCOM may refund all or part of a fee paid to OFCOM under this section by that provider in respect of that year.

(6)In this section, “fee-paying year” has the same meaning as in section 83.

85Regulations by OFCOM about qualifying worldwide revenue etc

(1)For the purposes of this Part, OFCOM may by regulations make provision—

(a)about how the qualifying worldwide revenue of a provider of a regulated service is to be determined, and

(b)defining the “qualifying period” in relation to a charging year.

(2)OFCOM may by regulations also make provision specifying or describing evidence, documents or other information that providers must supply to OFCOM for the purposes of section 83 (see subsection (3)(b) of that section), including provision about the way in which providers must supply the evidence, documents or information.

(3)Regulations under subsection (1)(a) may provide that the qualifying worldwide revenue of a provider of a regulated service (P) who is a member of a group during any part of a qualifying period is to include the qualifying worldwide revenue of any entity that—

(a)is a group undertaking in relation to P for all or part of that period, and

(b)receives or is due to receive, during that period, any amount referable (to any degree) to a regulated service provided by P.

(4)Regulations under subsection (1)(a) may, in particular—

(a)make provision about circumstances in which amounts do, or do not, count as being referable (to any degree) to a regulated service for the purposes of the determination of the qualifying worldwide revenue of the provider of the service or of an entity that is a group undertaking in relation to the provider;

(b)provide for cases or circumstances in which amounts that—

(i)are of a kind specified or described in the regulations, and

(ii)are not referable to a regulated service,

are to be brought into account in determining the qualifying worldwide revenue of the provider of the service or of an entity that is a group undertaking in relation to the provider.

(5)Regulations which make provision of a kind mentioned in subsection (3) may include provision that, in the case of an entity that is a group undertaking in relation to a provider for part (not all) of a qualifying period, only amounts relating to the part of the qualifying period for which the entity was a group undertaking may be brought into account in determining the entity’s qualifying worldwide revenue.

(6)Regulations under subsection (1)(a) may make provision corresponding to paragraph 5(8) of Schedule 13.

(7)Before making regulations under subsection (1) OFCOM must consult—

(a)the Secretary of State,

(b)the Treasury, and

(c)such other persons as OFCOM consider appropriate.

(8)Before making regulations under subsection (2) OFCOM must consult the Secretary of State.

(9)Regulations under this section may make provision subject to such exemptions and exceptions as OFCOM consider appropriate.

(10)In this section—

86Threshold figure

(1)OFCOM must carry out a consultation to inform the setting of the threshold figure for the purposes of sections 83 and 84, consulting such persons as they consider appropriate.

(2)After the completion of the consultation, and having taken advice from OFCOM, the Secretary of State must make regulations specifying the threshold figure for those purposes.

(3)The Secretary of State must keep the threshold figure under review.

(4)If the Secretary of State considers that it may be appropriate to revise the threshold figure, the Secretary of State may request OFCOM to carry out a further consultation, and subsections (1) and (2) apply again.

(5)Regulations must provide that a threshold figure is to take effect from the beginning of a particular charging year.

(6)Regulations specifying a threshold figure must be in force at least nine months before the beginning of the first charging year for which that figure is to have effect.

(7)But subsection (6) does not apply in relation to the first regulations made under this section.

87Secretary of State’s guidance about fees

(1)The Secretary of State must issue guidance to OFCOM about the principles to be included in a statement of principles that OFCOM propose to apply in determining fees payable under section 84 (see section 88).

(2)The Secretary of State must consult OFCOM before issuing, revising or replacing the guidance.

(3)The guidance may not be revised or replaced more frequently than once every three years unless—

(a)the guidance needs to be corrected because of an amendment, repeal or modification of any provision of this Part, or

(b)the revision or replacement is by agreement between the Secretary of State and OFCOM.

(4)The Secretary of State must lay the guidance (including revised or replacement guidance) before Parliament.

(5)The Secretary of State must publish the guidance (and any revised or replacement guidance).

(6)In exercising any functions under this Part, OFCOM must have regard to the guidance for the time being published under this section.

88OFCOM’s fees statements

(1)OFCOM may not require a provider of a regulated service to pay a fee under section 84 unless there is in force a statement of the principles that OFCOM propose to apply in determining fees payable under that section.

(2)Those principles must be such as appear to OFCOM to be likely to secure, on the basis of such estimates of the likely costs as it is practicable for them to make—

(a)that on a year by year basis, the aggregate amount of the fees payable to OFCOM under section 84 is sufficient to meet, but does not exceed, the annual cost to OFCOM of the exercise of their online safety functions;

(b)that the fees required under section 84 are justifiable and proportionate having regard to the functions in respect of which they are imposed;

(c)that the relationship between meeting the cost of the exercise of those functions and the amounts of the fees is transparent.

(3)A statement of principles mentioned in subsection (1) must (among other things)—

(a)include details relating to the computation model used to calculate fees payable under section 84, including details of factors mentioned in subsection (2)(a)(ii) of that section (if any),

(b)include details about the meaning of “qualifying worldwide revenue” and “qualifying period” for the purposes of this Part, and

(c)specify the threshold figure contained in regulations under section 86.

(4)Before making or revising such a statement of principles, OFCOM must consult such persons as they consider appropriate.

(5)Such a statement of principles may make different provision in relation to different kinds of regulated services.

(6)OFCOM must publish such a statement of principles (and any revised or replacement statement).

(7)As soon as reasonably practicable after the end of each charging year, OFCOM must publish a statement setting out, in respect of that year—

(a)the aggregate amount of the fees payable under section 84 for that year that has been received by OFCOM,

(b)the aggregate amount of the fees payable under that section for that year that remains outstanding and is likely to be paid or recovered, and

(c)the cost to OFCOM of the exercise of their online safety functions.

(8)Any deficit or surplus shown (after applying this subsection for all previous years) by a statement under subsection (7) must be carried forward and taken into account in determining what is required to satisfy the requirement imposed by virtue of subsection (2)(a) in relation to the following year.

(9)For the purposes of this section OFCOM’s costs of the exercise of their online safety functions during a charging year include the costs of preparations for the exercise of their online safety functions incurred during that year.

89Recovery of OFCOM’s initial costs

Schedule 10 makes provision about fees chargeable to providers of regulated services in connection with OFCOM’s recovery of costs incurred before the first day of the initial charging year.

90Meaning of “charging year” and “initial charging year”

In this Part—

PART 7OFCOM's powers and duties in relation to regulated services

CHAPTER 1General duties

91General duties of OFCOM under section 3 of the Communications Act

(1)Section 3 of the Communications Act (general duties of OFCOM) is amended in accordance with subsections (2) to (8).

(2)In subsection (2), after paragraph (f) insert—

(g)the adequate protection of citizens from harm presented by content on regulated services, through the appropriate use by providers of such services of systems and processes designed to reduce the risk of such harm.

(3)In subsection (4)(c), at the beginning insert “(subject to subsection (5A))”.

(4)After subsection (4) insert—

(4A)In performing their duties under subsection (1) in relation to matters to which subsection (2)(g) is relevant, OFCOM must have regard to such of the following as appear to them to be relevant in the circumstances—

(a)the risk of harm to citizens presented by regulated services;

(b)the need for a higher level of protection for children than for adults;

(c)the need for it to be clear to providers of regulated services how they may comply with their duties set out in Chapter 2, 3, 4 or 5 of Part 3, Chapter 1, 3 or 4 of Part 4, or Part 5 of the Online Safety Act 2023;

(d)the need to exercise their functions so as to secure that providers of regulated services may comply with such duties by taking measures, or using measures, systems or processes, which are (where relevant) proportionate to—

(i)the size or capacity of the provider in question, and

(ii)the level of risk of harm presented by the service in question, and the severity of the potential harm;

(e)the desirability of promoting the use by providers of regulated services of technologies which are designed to reduce the risk of harm to citizens presented by content on regulated services;

(f)the extent to which providers of regulated services demonstrate, in a way that is transparent and accountable, that they are complying with their duties set out in Chapter 2, 3, 4 or 5 of Part 3, Chapter 1, 3 or 4 of Part 4, or Part 5 of the Online Safety Act 2023.

(5)After subsection (5) insert—

(5A)Subsection (4)(c) does not apply in relation to the carrying out of any of OFCOM’s online safety functions.

(6)After subsection (6) insert—

(6ZA)Where it appears to OFCOM, in relation to the carrying out of any of their online safety functions, that any of their general duties conflict with their duty under section 24, priority must be given to their duty under that section.

(7)In subsection (14), at the appropriate places insert—

(8)After subsection (14) insert—

(15)In this section the following terms have the same meaning as in the Online Safety Act 2023—

(9)In section 6 of the Communications Act (duties to review regulatory burdens)—

(a)in subsection (2), after “this section” insert “(except their online safety functions)”, and

(b)after subsection (10) insert—

(11)In this section “online safety functions” has the same meaning as in section 3.

92Duties in relation to strategic priorities

(1)This section applies where a statement has been designated under section 172(1) (Secretary of State’s statement of strategic priorities).

(2)OFCOM must have regard to the statement when carrying out their online safety functions.

(3)Within the period of 40 days beginning with the day on which the statement is designated, or such longer period as the Secretary of State may allow, OFCOM must—

(a)explain in writing what they propose to do in consequence of the statement, and

(b)publish a copy of that explanation.

(4)OFCOM must, as soon as reasonably practicable after the end of—

(a)the period of 12 months beginning with the day on which the first statement is designated under section 172(1), and

(b)every subsequent period of 12 months,

publish a review of what they have done during the period in question in consequence of the statement.

93Duty to carry out impact assessments

(1)Section 7 of the Communications Act (duty to carry out impact assessments) is amended as follows.

(2)In subsection (2), at the beginning insert “Subject to subsection (2A),”.

(3)After subsection (2) insert—

(2A)A proposal to do any of the following is important for the purposes of this section—

(a)to prepare a code of practice under section 41 of the Online Safety Act 2023;

(b)to prepare amendments of such a code of practice; or

(c)to prepare a code of practice as a replacement for such a code of practice.

(4)After subsection (4) insert—

(4A)An assessment under subsection (3)(a) that relates to a proposal mentioned in subsection (2A) must include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.

(4B)An assessment under subsection (3)(a) that relates to a proposal to do anything else for the purposes of, or in connection with, the carrying out of OFCOM’s online safety functions (within the meaning of section 235 of the Online Safety Act 2023) must, so far as the proposal relates to such functions, include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.

CHAPTER 2Register of categories of regulated user-to-user services and regulated search services

94Meaning of threshold conditions etc

(1)Schedule 11 contains provision about regulations specifying the threshold conditions that a Part 3 service must meet to be included in the relevant part of the register established by OFCOM under section 95, and associated provision about the publication of OFCOM’s advice.

(2)In this Chapter, “Category 1 threshold conditions”, “Category 2A threshold conditions” and “Category 2B threshold conditions” have the same meaning as in Schedule 11 (see paragraph 1(1), (2) and (3) of that Schedule).

(3)For the purposes of this Chapter—

(a)references to a service meeting the Category 1, Category 2A or Category 2B threshold conditions are to a service meeting those conditions in a way specified in regulations under paragraph 1 of Schedule 11 (see paragraph 1(4) of that Schedule);

(b)a regulated user-to-user service meets the Category 1 threshold conditions if those conditions are met in relation to the user-to-user part of the service;

(c)a regulated search service or a combined service meets the Category 2A threshold conditions if those conditions are met in relation to the search engine of the service;

(d)a regulated user-to-user service meets the Category 2B threshold conditions if those conditions are met in relation to the user-to-user part of the service;

(e)a regulated user-to-user service meets the conditions in section 97(2) if those conditions are met in relation to the user-to-user part of the service;

(f)references to OFCOM assessing a service (to determine if it meets, or no longer meets, the relevant threshold conditions or the conditions in section 97(2)) are accordingly to be read as references to OFCOM assessing the relevant part (or parts) of a service.

95Register of categories of certain Part 3 services

(1)As soon as reasonably practicable after the first regulations under Schedule 11 come into force, OFCOM must comply with subsections (2) to (4).

(2)OFCOM must establish a register of particular categories of Part 3 services with—

(a)one part for regulated user-to-user services meeting the Category 1 threshold conditions,

(b)one part for regulated search services and combined services meeting the Category 2A threshold conditions, and

(c)one part for regulated user-to-user services meeting the Category 2B threshold conditions.

(3)OFCOM must assess Part 3 services, as follows—

(a)OFCOM must assess each regulated user-to-user service which they consider is likely to meet the Category 1 threshold conditions, to determine whether the service does, or does not, meet those conditions;

(b)OFCOM must assess each regulated search service and combined service which they consider is likely to meet the Category 2A threshold conditions, to determine whether the service does, or does not, meet those conditions;

(c)OFCOM must assess each regulated user-to-user service which they consider is likely to meet the Category 2B threshold conditions, to determine whether the service does, or does not, meet those conditions.

(4)If OFCOM consider that a service meets the relevant threshold conditions, they must add entries relating to that service to the relevant part of the register established under subsection (2).

(5)But—

(a)if OFCOM consider that a regulated user-to-user service meets the Category 1 threshold conditions and the Category 2B threshold conditions (only), entries relating to that service are to be added to the part of the register established under subsection (2)(a) (only);

(b)if OFCOM consider that a combined service meets the Category 1 threshold conditions, the Category 2A threshold conditions and the Category 2B threshold conditions, entries relating to that service are to be added to the parts of the register established under subsection (2)(a) and (b) (only).

(6)If OFCOM consider that a combined service—

(a)meets the Category 2A threshold conditions, and

(b)meets either the Category 1 threshold conditions or the Category 2B threshold conditions (but not both),

entries relating to that service are to be added to the part of the register established under subsection (2)(b) and to the part of the register established under subsection (2)(a) or (c) (whichever applies).

(7)Each part of the register must contain—

(a)the name, and a description, of each service that, in OFCOM’s opinion, meets the relevant threshold conditions, and

(b)the name of the provider of each such service.

(8)OFCOM must publish the register.

(9)When assessing whether a Part 3 service does, or does not, meet the relevant threshold conditions, OFCOM must take such steps as are reasonably practicable to obtain or generate information or evidence for the purposes of the assessment.

(10)In this Act—

(a)a “Category 1 service” means a regulated user-to-user service for the time being included in the part of the register established under subsection (2)(a);

(b)a “Category 2A service” means a regulated search service or a combined service for the time being included in the part of the register established under subsection (2)(b);

(c)a “Category 2B service” means a regulated user-to-user service for the time being included in the part of the register established under subsection (2)(c).

96Duty to maintain register

(1)If regulations are made under paragraph 1(1) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—

(a)assess each regulated user-to-user service which they consider is likely to meet the new Category 1 threshold conditions, to determine whether the service does, or does not, meet those conditions, and

(b)make any necessary changes to the register.

(2)If regulations are made under paragraph 1(2) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—

(a)assess each regulated search service and combined service which they consider is likely to meet the new Category 2A threshold conditions, to determine whether the service does, or does not, meet those conditions, and

(b)make any necessary changes to the register.

(3)If regulations are made under paragraph 1(3) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—

(a)assess each regulated user-to-user service which they consider is likely to meet the new Category 2B threshold conditions, to determine whether the service does, or does not, meet those conditions, and

(b)make any necessary changes to the register.

(4)At any other time, if OFCOM consider that a Part 3 service not included in a particular part of the register is likely to meet the threshold conditions relevant to that part, OFCOM must—

(a)assess the service accordingly, and

(b)(subject to section 95(5)) if they consider that the service meets the relevant conditions, add entries relating to that service to that part of the register.

(5)Nothing in subsection (3) or (4) requires OFCOM to assess a Category 1 service to determine whether the service meets the Category 2B threshold conditions.

(6)A provider of a Part 3 service included in the register may at any time request OFCOM to remove entries relating to that service from the register, or from a particular part of the register.

(7)If OFCOM are satisfied, on the basis of evidence submitted by a provider with such a request, that since the registration day there has been a change to the service or to regulations under paragraph 1 of Schedule 11 which appears likely to be relevant, OFCOM must—

(a)assess the service, and

(b)notify the provider of OFCOM’s decision.

(8)OFCOM must remove entries relating to a Part 3 service from the relevant part of the register if, following an assessment of the service, they consider that it no longer meets the threshold conditions relevant to that part.

(9)Section 95(9) applies to an assessment under this section as it applies to an assessment under section 95.

(10)OFCOM must re-publish the register each time a change is made to it.

(11)See section 167 for provision about appeals against a decision to include a service in the register (or in a particular part of the register), or not to remove a service from the register (or from a particular part of the register).

(12)In this section—

97List of emerging Category 1 services

(1)As soon as reasonably practicable after the first regulations under paragraph 1(1) of Schedule 11 come into force (regulations specifying Category 1 threshold conditions), OFCOM must comply with subsections (2) and (3).

(2)OFCOM must assess each regulated user-to-user service which does not meet the Category 1 threshold conditions and which they consider is likely to meet each of the following conditions, to determine whether the service does, or does not, meet them—

(a)the first condition is that the number of United Kingdom users of the user-to-user part of the service is at least 75% of the figure specified in any of the Category 1 threshold conditions relating to number of users (calculating the number of users in accordance with the threshold condition in question);

(b)the second condition is that—

(i)at least one of the Category 1 threshold conditions relating to functionalities of the user-to-user part of the service is met, or

(ii)if the regulations under paragraph 1(1) of Schedule 11 specify that a Category 1 threshold condition relating to a functionality of the user-to-user part of the service must be met in combination with a Category 1 threshold condition relating to another characteristic of that part of the service or a factor relating to that part of the service (see paragraph 1(4) of Schedule 11), at least one of those combinations of conditions is met.

(3)OFCOM must prepare a list of regulated user-to-user services which meet the conditions in subsection (2).

(4)If the regulations under paragraph 1(1) of Schedule 11 specify that a service meets the Category 1 threshold conditions if any one condition about number of users or functionality is met (as mentioned in paragraph 1(4)(a) of that Schedule)—

(a)subsection (2) applies as if paragraph (b) were omitted, and

(b)subsections (3) and (8) apply as if the reference to the conditions in subsection (2) were to the condition in subsection (2)(a).

(5)The list must contain the following details about a service included in it—

(a)the name of the service,

(b)a description of the service,

(c)the name of the provider of the service, and

(d)a description of the Category 1 threshold conditions by reference to which the conditions in subsection (2) are met.

(6)OFCOM must take appropriate steps to keep the list up to date, including by carrying out further assessments of regulated user-to-user services.

(7)OFCOM must publish the list when it is first prepared and each time it is revised.

(8)When assessing whether a service does, or does not, meet the conditions in subsection (2), OFCOM must take such steps as are reasonably practicable to obtain or generate information or evidence for the purposes of the assessment.

(9)An assessment for the purposes of this section may be included in an assessment under section 95 or 96 (as the case may be) or carried out separately.

CHAPTER 3Risk assessments of regulated user-to-user services and regulated search services

98OFCOM’s register of risks, and risk profiles, of Part 3 services

(1)OFCOM must carry out risk assessments to identify and assess the following risks of harm presented by Part 3 services of different kinds—

(a)the risks of harm to individuals in the United Kingdom presented by illegal content present on regulated user-to-user services and by the use of such services for the commission or facilitation of priority offences;

(b)the risk of harm to individuals in the United Kingdom presented by search content of regulated search services that is illegal content;

(c)the risk of harm to children in the United Kingdom, in different age groups, presented by content that is harmful to children.

(2)The risk assessments must, among other things, identify characteristics of different kinds of Part 3 services that are relevant to such risks of harm, and assess the impact of those kinds of characteristics on such risks.

(3)OFCOM—

(a)may combine assessment of any or all of the risks of harm mentioned in subsection (1), or may carry out separate assessments of those risks;

(b)in the case of the risk of harm mentioned in subsection (1)(c), may assess regulated user-to-user services and regulated search services separately or together.

(4)The findings of each risk assessment are to be reflected, as soon as reasonably practicable after completion, in a register of risks of Part 3 services prepared and published by OFCOM.

(5)As soon as reasonably practicable after completing their assessment of a risk of harm mentioned in a particular paragraph of subsection (1), OFCOM must prepare risk profiles for Part 3 services which relate to that risk of harm.

(6)For the purposes of the risk profiles, OFCOM may group Part 3 services together in whichever way they consider appropriate, taking into account—

(a)the characteristics of the services, and

(b)the risk levels and other matters identified in the relevant risk assessment.

(7)OFCOM must publish risk profiles prepared under this section.

(8)OFCOM must from time to time review and revise the risk assessments and risk profiles so as to keep them up to date.

(9)References in this section to Part 3 services—

(a)in the case of a risk assessment or risk profiles which relate only to regulated user-to-user services or to regulated search services, are to be read as references to the kind of service in question;

(b)in the case of a risk assessment or risk profiles which relate only to the risk of harm mentioned in subsection (1)(a), are to be read as references to regulated user-to-user services;

(c)in the case of a risk assessment or risk profiles which relate only to the risk of harm mentioned in subsection (1)(b), are to be read as references to regulated search services.

(10)References in this section to regulated search services include references to the search engine of combined services.

(11)In this section the “characteristics” of a service include its functionalities, user base, business model, governance and other systems and processes.

(12)In this section—

99OFCOM’s guidance about risk assessments

(1)As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the illegality risks, OFCOM must produce guidance to assist providers of regulated user-to-user services in complying with their duties to carry out illegal content risk assessments under section 9.

(2)As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the risk of harm from illegal content, OFCOM must produce guidance to assist providers of regulated search services in complying with their duties to carry out illegal content risk assessments under section 26.

(3)As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the risk of harm to children, OFCOM must produce guidance to assist providers of Part 3 services in complying with their duties to carry out children’s risk assessments under section 11 or 28.

(4)Before producing any guidance under this section (including revised or replacement guidance), OFCOM must consult the Information Commissioner.

(5)OFCOM must revise guidance under this section from time to time in response to further risk assessments under section 98 or to revisions of the risk profiles.

(6)OFCOM must publish guidance under this section (and any revised or replacement guidance).

(7)If the risk profiles mentioned in subsection (3) relate to regulated user-to-user services only or to regulated search services only, that subsection is to be read as requiring the production of guidance relating only to regulated user-to-user services or to regulated search services, as the case may be.

(8)References in this section to regulated search services include references to the search engine of combined services.

(9)In this section—

CHAPTER 4Information

Information powers and information notices

100Power to require information

(1)OFCOM may by notice under this subsection require a person within subsection (5) to provide them with any information that they require for the purpose of exercising, or deciding whether to exercise, any of their online safety functions.

(2)The power conferred by subsection (1) includes power to require a person within subsection (5) to—

(a)obtain or generate information;

(b)provide information about the use of a service by a named individual.

(3)The power conferred by subsection (1) also includes power to require a person within any of paragraphs (a) to (d) of subsection (5) to take steps so that a person authorised by OFCOM is able to view remotely—

(a)information demonstrating in real time the operation of systems, processes or features, including functionalities and algorithms, used by a service;

(b)information generated by a service in real time by the performance of a test or demonstration of a kind required by a notice under subsection (1).

(4)But the power conferred by subsection (1) must be exercised in a way that is proportionate to the use to which the information is to be put in the exercise of OFCOM’s functions.

(5)The persons within this subsection are—

(a)a provider of a user-to-user service or a search service,

(b)a provider of an internet service on which regulated provider pornographic content is published or displayed,

(c)a person who provides an ancillary service (within the meaning of section 144) in relation to a regulated service (see subsections (11) and (12) of that section),

(d)a person who provides an access facility (within the meaning of section 146) in relation to a regulated service (see subsections (10) and (11) of that section),

(e)a person who was within any of paragraphs (a) to (d) at a time to which the required information relates, and

(f)a person not within any of paragraphs (a) to (e) who appears to OFCOM to have, or to be able to generate or obtain, information required by them as mentioned in subsection (1).

(6)The information that may be required by OFCOM under subsection (1) includes, in particular, information that they require for any one or more of the following purposes—

(a)the purpose of assessing compliance with—

(i)any duty or requirement set out in Chapter 2, 3, 4 or 5 of Part 3,

(ii)any duty set out in section 64 (user identity verification),

(iii)any requirement under section 66 (reporting CSEA content),

(iv)any duty set out in section 71 or 72 (terms of service),

(v)any duty set out in section 75 (deceased child users),

(vi)any requirement relating to transparency reporting (see section 77(3) and (4)), or

(vii)any duty set out in section 81 (provider pornographic content);

(b)the purpose of assessing compliance with a requirement under section 83 (duty to notify OFCOM in relation to the charging of fees);

(c)the purpose of a consultation about a threshold figure as mentioned in section 86 (threshold figure for the purposes of charging fees);

(d)the purpose of ascertaining the amount of a person’s qualifying worldwide revenue for the purposes of—

(i)Part 6 (fees), or

(ii)paragraph 4 or 5 of Schedule 13 (amount of penalties etc);

(e)the purpose of assessing compliance with any requirements imposed on a person by—

(i)a notice under section 121(1) (notices to deal with terrorism content and CSEA content), or

(ii)a confirmation decision;

(f)the purpose of assessing the accuracy and effectiveness of technology required to be used by—

(i)a notice under section 121(1), or

(ii)a confirmation decision;

(g)the purpose of assessing whether to give a notice under section 121(1) relating to the development or sourcing of technology (see subsections (2)(b) and (3)(b) of that section);

(h)the purpose of dealing with complaints made to OFCOM under section 169 (super-complaints);

(i)the purpose of OFCOM’s advice to the Secretary of State about provision to be made by regulations under paragraph 1 of Schedule 11 (threshold conditions for categories of Part 3 services);

(j)the purpose of determining whether a Part 3 service meets threshold conditions specified in regulations under paragraph 1 of Schedule 11;

(k)the purpose of preparing a code of practice under section 41;

(l)the purpose of preparing guidance in relation to online safety matters;

(m)the purpose of carrying out research, or preparing a report, in relation to online safety matters;

(n)the purpose of complying with OFCOM’s duties under section 11 of the Communications Act, so far as relating to regulated services (media literacy).

(7)See also section 103 (power to include a requirement to name a senior manager).

(8)The reference in subsection (3) to a person authorised by OFCOM is to a person authorised by OFCOM in writing for the purposes of notices that impose requirements of a kind mentioned in that subsection, and such a person must produce evidence of their identity if requested to do so by a person in receipt of such a notice.

(9)The power conferred by subsection (1) does not include power to require the provision of information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.

(10)In this section—

101Information in connection with an investigation into the death of a child

(1)OFCOM may by notice under this subsection require a relevant person to provide them with information for the purpose of—

(a)responding to a notice given by a senior coroner under paragraph 1(2) of Schedule 5 to the Coroners and Justice Act 2009 in connection with an investigation into the death of a child, or preparing a report under section 163 in connection with such an investigation;

(b)responding to a request for information in connection with the investigation of a procurator fiscal into, or an inquiry held or to be held in relation to, the death of a child, or preparing a report under section 163 in connection with such an inquiry;

(c)responding to a notice given by a coroner under section 17A(2) of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.)) in connection with—

(i)an investigation to determine whether an inquest into the death of a child is necessary, or

(ii)an inquest in relation to the death of a child,

or preparing a report under section 163 in connection with such an investigation or inquest.

(2)The power conferred by subsection (1) includes power to require a relevant person to provide OFCOM with information about the use of a regulated service by the child whose death is under investigation, including, in particular—

(a)content encountered by the child by means of the service,

(b)how the content came to be encountered by the child (including the role of algorithms or particular functionalities),

(c)how the child interacted with the content (for example, by viewing, sharing or storing it or enlarging or pausing on it), and

(d)content generated, uploaded or shared by the child.

(3)The power conferred by subsection (1) includes power to require a relevant person to obtain or generate information.

(4)The power conferred by subsection (1) must be exercised in a way that is proportionate to the purpose mentioned in that subsection.

(5)The power conferred by subsection (1) does not include power to require the provision of information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.

(6)Nothing in this section limits the power conferred on OFCOM by section 100.

(7)In this section—

102Information notices

(1)A notice given under section 100(1) or 101(1) is referred to in this Act as an information notice.

(2)An information notice may require information in any form (including in electronic form).

(3)An information notice must—

(a)specify or describe the information to be provided,

(b)specify why OFCOM require the information,

(c)specify the form and manner in which it must be provided, and

(d)contain information about the consequences of not complying with the notice.

(4)An information notice must specify when the information must be provided (which may be on or by a specified date, within a specified period, or at specified intervals).

(5)An information notice requiring a person to take steps of a kind mentioned in section 100(3) must give the person at least seven days’ notice before the steps are required to be taken.

(6)An information notice may specify a place at which, and a person to whom, information is to be provided.

(7)A person to whom a document is produced in response to an information notice may—

(a)take copies of, or extracts from, the document;

(b)require the person producing the document, or a person who is or was an officer of that person, or (in the case of a partnership) a person who is or was a partner, to give an explanation of it.

(8)A person to whom an information notice is given has a duty—

(a)to act in accordance with the requirements of the notice, and

(b)to ensure that the information provided is accurate in all material respects.

(9)OFCOM may cancel an information notice by notice to the person to whom it was given.

(10)In this section—

(11)In relation to information recorded otherwise than in a legible form, references in this section to producing a document are to producing a copy of the information—

(a)in a legible form, or

(b)in a form from which it can readily be produced in a legible form.

103Requirement to name a senior manager

(1)This section applies where—

(a)OFCOM give a provider of a regulated service an information notice, and

(b)the provider is an entity.

(2)OFCOM may include in the information notice a requirement that the provider must name, in their response to the notice, an individual who the provider considers to be a senior manager of the entity and who may reasonably be expected to be in a position to ensure compliance with the requirements of the notice.

(3)If OFCOM impose a requirement to name an individual, the information notice must—

(a)require the provider to inform such an individual, and

(b)include information about the consequences for such an individual of the entity’s failure to comply with the requirements of the notice (see section 110).

(4)An individual is a “senior manager” of an entity if the individual plays a significant role in—

(a)the making of decisions about how the entity’s relevant activities are to be managed or organised, or

(b)the actual managing or organising of the entity’s relevant activities.

(5)An entity’s “relevant activities” are activities relating to the entity’s compliance with the regulatory requirements imposed by this Act in connection with the regulated service to which the information notice in question relates.

Skilled persons' reports

104Reports by skilled persons

(1)OFCOM may exercise the powers in this section where they consider that it is necessary to do so for either of the following purposes—

(a)assisting OFCOM in identifying and assessing a failure, or possible failure, by a provider of a regulated service to comply with a relevant requirement, or

(b)developing OFCOM’s understanding of—

(i)the nature and level of risk of a provider of a regulated service failing to comply with a relevant requirement, and

(ii)ways to mitigate such a risk.

(2)But the powers in this section may be exercised for a purpose mentioned in subsection (1)(b) only where OFCOM consider that the provider in question may be at risk of failing to comply with a relevant requirement.

(3)Section 122 requires OFCOM to exercise the power in subsection (4) for the purpose of assisting OFCOM in connection with a notice under section 121(1).

(4)OFCOM may appoint a skilled person to provide them with a report about matters relevant to the purpose for which the powers under this section are exercised (“the relevant matters”), and, where OFCOM make such an appointment, they must notify the provider about the appointment and the relevant matters to be explored in the report.

(5)Alternatively, OFCOM may give a notice to the provider—

(a)requiring the provider to appoint a skilled person to provide OFCOM with a report in such form as may be specified in the notice, and

(b)specifying the relevant matters to be explored in the report.

(6)References in this section to a skilled person are to a person—

(a)appearing to OFCOM to have the skills necessary to prepare a report about the relevant matters, and

(b)where the appointment is to be made by the provider, nominated or approved by OFCOM.

(7)It is the duty of—

(a)the provider of the service (“P”),

(b)any person who works for (or used to work for) P, or is providing (or used to provide) services to P related to the relevant matters, and

(c)other providers of internet services,

to give the skilled person all such assistance as the skilled person may reasonably require to prepare the report.

(8)The provider of the service is liable for the payment, directly to the skilled person, of the skilled person’s remuneration and expenses relating to the preparation of the report.

(9)Subsections (10) to (12) apply in relation to an amount due to a skilled person under subsection (8).

(10)In England and Wales, such an amount is recoverable—

(a)if the county court so orders, as if it were payable under an order of that court;

(b)if the High Court so orders, as if it were payable under an order of that court.

(11)In Scotland, such an amount may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

(12)In Northern Ireland, such an amount is recoverable—

(a)if a county court so orders, as if it were payable under an order of that court;

(b)if the High Court so orders, as if it were payable under an order of that court.

(13)In this section “relevant requirement” means—

(a)a duty or requirement set out in any of the following—

(i)section 9, 11, 26 or 28 (risk assessments);

(ii)section 10 or 27 (illegal content);

(iii)section 12 or 29 (children’s online safety);

(iv)section 14 (assessments related to the adult user empowerment duty set out in section 15(2));

(v)section 15 (user empowerment);

(vi)section 20 or 31 (content reporting);

(vii)section 21 or 32 (complaints procedures);

(viii)section 23 or 34 (record-keeping and review);

(ix)section 36 (children’s access assessments);

(x)section 38 or 39 (fraudulent advertising);

(xi)section 64 (user identity verification);

(xii)section 66 (reporting CSEA content);

(xiii)section 71 or 72 (terms of service);

(xiv)section 75 (deceased child users);

(xv)section 77(3) or (4) (transparency reports);

(xvi)section 81(2) (children’s access to pornographic content);

(b)a requirement under section 83 to notify OFCOM in connection with the charging of fees (see subsections (1), (3) and (5) of that section); or

(c)a requirement imposed by a notice under section 121(1) (notices to deal with terrorism content and CSEA content).

Investigations and interviews

105Investigations

(1)If OFCOM open an investigation into whether a provider of a regulated service has failed, or is failing, to comply with any requirement mentioned in subsection (2), the provider must co-operate fully with the investigation.

(2)The requirements are—

(a)a requirement imposed by a notice under section 121(1) (notices to deal with terrorism content and CSEA content), and

(b)an enforceable requirement as defined in section 131 (except the requirement in subsection (1) of this section).

106Power to require interviews

(1)The power conferred by this section is exercisable by OFCOM for the purposes of an investigation that they are carrying out into the failure, or possible failure, of a provider of a regulated service to comply with a relevant requirement.

(2)OFCOM may give an individual within subsection (4) a notice requiring the individual—

(a)to attend at a time and place specified in the notice, and

(b)to answer questions and provide explanations about any matter relevant to the investigation.

(3)A notice under this section must—

(a)indicate the subject matter and purpose of the interview, and

(b)contain information about the consequences of not complying with the notice.

(4)The individuals within this subsection are—

(a)if the provider of the service is an individual or individuals, that individual or those individuals,

(b)an officer of the provider of the service,

(c)if the provider of the service is a partnership, a partner,

(d)an employee of the provider of the service, and

(e)an individual who was within any of paragraphs (a) to (d) at a time to which the required information or explanation relates.

(5)If OFCOM give a notice to an individual within subsection (4)(b), (c) or (d), they must give a copy of the notice to the provider of the service.

(6)An individual is not required under this section to disclose information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.

(7)In this section—

Powers of entry, inspection and audit

107Powers of entry, inspection and audit

Schedule 12 makes provision about—

(a)OFCOM’s powers of entry and inspection, and

(b)the carrying out of audits by OFCOM.

108Amendment of Criminal Justice and Police Act 2001

(1)The Criminal Justice and Police Act 2001 is amended as follows.

(2)In section 57(1) (retention of seized items), after paragraph (t) insert—

(u)paragraph 8 of Schedule 12 to the Online Safety Act 2023.

(3)In section 65 (meaning of “legal privilege”)—

(a)after subsection (8B) insert—

(8C)An item which is, or is comprised in, property which has been seized in exercise or purported exercise of the power of seizure conferred by paragraph 7(f), (j) or (k) of Schedule 12 to the Online Safety Act 2023 is to be taken for the purposes of this Part to be an item subject to legal privilege if, and only if, the seizure of that item was in contravention of paragraph 17(3) of that Schedule (privileged information or documents).;

(b)in subsection (9)—

(i)at the end of paragraph (d) omit “or”;

(ii)at the end of paragraph (e) insert “or”;

(iii)before the closing words insert—

(g)paragraph 7(f), (j) or (k) of Schedule 12 to the Online Safety Act 2023.

(4)In Part 1 of Schedule 1 (powers of seizure to which section 50 of the Act applies), after paragraph 73U insert—

Online Safety Act 2023

73VEach of the powers of seizure conferred by paragraph 7(f), (j) and (k) of Schedule 12 to the Online Safety Act 2023.

Information offences and penalties

109Offences in connection with information notices

(1)A person commits an offence if the person fails to comply with a requirement of an information notice.

(2)It is a defence for a person charged with an offence under subsection (1) to show that—

(a)it was not reasonably practicable to comply with the requirements of the information notice at the time required by the notice, but

(b)the person has subsequently taken all reasonable steps to comply with those requirements.

(3)A person commits an offence if, in response to an information notice—

(a)the person provides information that is false in a material respect, and

(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.

(4)A person commits an offence if, in response to an information notice, the person—

(a)provides information which is encrypted such that it is not possible for OFCOM to understand it, or produces a document which is encrypted such that it is not possible for OFCOM to understand the information it contains, and

(b)the person’s intention was to prevent OFCOM from understanding such information.

(5)A person commits an offence if—

(a)the person suppresses, destroys or alters, or causes or permits the suppression, destruction or alteration of, any information required to be provided, or document required to be produced, by an information notice, and

(b)the person’s intention was to prevent OFCOM from being provided with the information or document or (as the case may be) from being provided with it as it was before the alteration.

(6)The reference in subsection (5) to suppressing information or a document includes a reference to destroying the means of reproducing information recorded otherwise than in a legible form.

(7)Offences under this section may be committed only in relation to an information notice which—

(a)relates to—

(i)a user-to-user service,

(ii)a search service, or

(iii)an internet service on which regulated provider pornographic content is published or displayed; and

(b)is given to the provider of that service.

(8)If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person to comply with a requirement of an information notice within such period as may be specified by the order.

(9)See also section 201 (supplementary provision about defences).

(10)In this section, “regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79).

110Senior managers’ liability: information offences

(1)In this section “an individual named as a senior manager of an entity” means an individual who, as required by an information notice, is named as a senior manager of an entity in a response to that notice (see section 103).

(2)An individual named as a senior manager of an entity commits an offence if—

(a)the entity commits an offence under section 109(1) (failure to comply with information notice), and

(b)the individual has failed to take all reasonable steps to prevent that offence being committed.

(3)It is a defence for an individual charged with an offence under subsection (2) to show that the individual was a senior manager within the meaning of section 103 for such a short time after the information notice in question was given that the individual could not reasonably have been expected to take steps to prevent that offence being committed.

(4)An individual named as a senior manager of an entity commits an offence if—

(a)the entity commits an offence under section 109(3) (false information), and

(b)the individual has failed to take all reasonable steps to prevent that offence being committed.

(5)An individual named as a senior manager of an entity commits an offence if—

(a)the entity commits an offence under section 109(4) (encrypted information), and

(b)the individual has failed to take all reasonable steps to prevent that offence being committed.

(6)An individual named as a senior manager of an entity commits an offence if—

(a)the entity commits an offence under section 109(5) (destruction etc of information), and

(b)the individual has failed to take all reasonable steps to prevent that offence being committed.

(7)It is a defence for an individual charged with an offence under subsection (4), (5) or (6) to show that the individual was not a senior manager within the meaning of section 103 at the time at which the act constituting the offence occurred.

(8)It is a defence for an individual charged with an offence under this section to show that the individual had no knowledge of being named as a senior manager in a response to the information notice in question.

(9)See also section 201 (supplementary provision about defences).

111Offences in connection with notices under Schedule 12

(1)A person commits an offence if the person fails without reasonable excuse to comply with a requirement of an audit notice.

(2)A person commits an offence if, in response to an audit notice—

(a)the person provides information that is false in a material respect, and

(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.

(3)A person commits an offence if—

(a)the person suppresses, destroys or alters, or causes or permits the suppression, destruction or alteration of, any information required to be provided, or document required to be produced, by a notice to which this subsection applies, and

(b)the person’s intention was to prevent OFCOM from being provided with the information or document or (as the case may be) from being provided with it as it was before the alteration.

(4)The reference in subsection (3) to suppressing information or a document includes a reference to destroying the means of reproducing information recorded otherwise than in a legible form.

(5)Subsection (3) applies to—

(a)a notice under paragraph 3 of Schedule 12 (information required for inspection), and

(b)an audit notice (see paragraph 4 of that Schedule).

(6)If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person, within such period as may be specified by the order, to comply with a requirement of a notice under paragraph 3 of Schedule 12 or an audit notice (as the case may be).

112Other information offences

(1)A person commits an offence if the person intentionally obstructs or delays a person in the exercise of the power conferred by section 102(7)(a) (copying a document etc).

(2)A person commits an offence if the person fails without reasonable excuse to comply with a requirement under section 106 (interviews).

(3)A person commits an offence if, in purported compliance with a requirement under section 106—

(a)the person provides information that is false in a material respect, and

(b)at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.

(4)If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person, within such period as may be specified by the order, to permit the making of a copy of a document, or to comply with a requirement under section 106 (as the case may be).

113Penalties for information offences

(1)A person who commits an offence under section 109(1), 110(2) or 111(1) is liable—

(a)on summary conviction in England and Wales, to a fine;

(b)on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;

(c)on conviction on indictment, to a fine.

(2)A person who commits an offence under section 109(3), (4) or (5), 110(4), (5) or (6), 111(2) or (3) or 112(1) is liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

(3)A person who commits an offence under section 112(2) or (3) is liable—

(a)on summary conviction in England and Wales, to a fine;

(b)on summary conviction in Scotland, to a fine not exceeding level 5 on the standard scale;

(c)on summary conviction in Northern Ireland, to a fine not exceeding level 5 on the standard scale.

Disclosure of information

114Co-operation and disclosure of information: overseas regulators

(1)OFCOM may co-operate with an overseas regulator, including by disclosing online safety information to that regulator, for the purposes of—

(a)facilitating the exercise by the overseas regulator of any of that regulator’s online regulatory functions, or

(b)criminal investigations or proceedings relating to a matter to which the overseas regulator’s online regulatory functions relate.

(2)The power conferred by subsection (1) applies only in relation to an overseas regulator for the time being specified in regulations made by the Secretary of State.

(3)Where information is disclosed to a person in reliance on subsection (1), the person may not—

(a)use the information for a purpose other than the purpose for which it was disclosed, or

(b)further disclose the information,

except with OFCOM’s consent (which may be general or specific) or in accordance with an order of a court or tribunal.

(4)Except as provided by subsection (5), a disclosure of information under subsection (1) does not breach—

(a)any obligation of confidence owed by the person making the disclosure, or

(b)any other restriction on the disclosure of information (however imposed).

(5)Subsection (1) does not authorise a disclosure of information that—

(a)would contravene the restriction imposed by section 116 (intelligence service information),

(b)would contravene the data protection legislation (but in determining whether a disclosure would do so, the power conferred by that subsection is to be taken into account), or

(c)is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

(6)Section 18 of the Anti-terrorism, Crime and Security Act 2001 (restriction on disclosure of information for overseas purposes) has effect in relation to a disclosure authorised by subsection (1)(b) as it has effect in relation to a disclosure authorised by any of the provisions to which section 17 of that Act applies.

(7)In this section—

115Disclosure of information

(1)Section 393 of the Communications Act (general restrictions on disclosure of information) is amended as follows.

(2)In subsection (1)—

(a)at the end of paragraph (c) omit “or”,

(b)at the end of paragraph (d) insert “or”, and

(c)after paragraph (d) insert—

(e)the Online Safety Act 2023,.

(3)In subsection (2)(e), after “this Act” insert “or the Online Safety Act 2023”.

(4)In subsection (3), after paragraph (h) insert—

(ha)a person appointed under—

(i)paragraph 1 of Schedule 3 to the Coroners and Justice Act 2009, or

(ii)section 2 of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.));

(hb)the procurator fiscal, within the meaning of the enactment mentioned in subsection (5)(s);.

(5)In subsection (5)—

(a)before paragraph (d) insert—

(ca)the Coroners Act (Northern Ireland) 1959;,

(b)after paragraph (na) insert—

(nb)Part 1 of the Coroners and Justice Act 2009;, and

(c)after paragraph (r) insert—

(s)the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (asp 2).

(6)In subsection (6)(a), after “390” insert “, or under section 149 of or Schedule 11 to the Online Safety Act 2023”.

(7)In subsection (6)(b), at the end insert “or the Online Safety Act 2023”.

116Intelligence service information

(1)OFCOM may not disclose information received (directly or indirectly) from, or that relates to, an intelligence service unless the intelligence service consents to the disclosure.

(2)If OFCOM have disclosed information described in subsection (1) to a person, the person must not further disclose the information unless the intelligence service consents to the disclosure.

(3)If OFCOM would contravene subsection (1) by publishing in its entirety—

(a)a statement required to be published by section 47(5), or

(b)a report mentioned in section 164(5),

OFCOM must, before publication, remove or obscure the information which by reason of subsection (1) they must not disclose.

(4)In this section—

117Provision of information to the Secretary of State

(1)Section 24B of the Communications Act (provision of information to assist in formulation of policy) is amended as follows.

(2)In subsection (2)—

(a)at the end of paragraph (d) omit “or”,

(b)at the end of paragraph (e) insert “or”, and

(c)after paragraph (e) insert—

(f)the Online Safety Act 2023,.

(3)After subsection (3) insert—

(4)Subsection (2) does not apply to information—

(a)obtained by OFCOM—

(i)in the exercise of a power conferred by section 100 of the Online Safety Act 2023 for the purpose mentioned in subsection (6)(c) of that section (information in connection with a consultation about a threshold figure for the purposes of charging fees under that Act), or

(ii)in the exercise of a power conferred by section 175(5) of that Act (information in connection with circumstances presenting a threat), and

(b)reasonably required by the Secretary of State.

118Amendment of Enterprise Act 2002

In Schedule 15 to the Enterprise Act 2002 (enactments relevant to provisions about disclosure of information), at the appropriate place insert—

119Information for users of regulated services

(1)Section 26 of the Communications Act (publication of information and advice for consumers etc) is amended as follows.

(2)In subsection (2), after paragraph (d) insert—

(da)United Kingdom users of regulated services;.

(3)After subsection (6) insert—

(7)In this section the following terms have the same meaning as in the Online Safety Act 2023—

120Admissibility of statements

(1)An explanation given, or information provided, by a person in response to a requirement imposed under or by virtue of section 100, 101 or 106 or paragraph 2(4)(e) or (f), 3(2), 4(2)(i) or (j) or 7(d) of Schedule 12, may, in criminal proceedings, only be used in evidence against that person—

(a)on a prosecution for an offence under a provision listed in subsection (2), or

(b)on a prosecution for any other offence where—

(i)in giving evidence that person makes a statement inconsistent with that explanation or information, and

(ii)evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person’s behalf.

(2)Those provisions are—

(a)section 69(1),

(b)section 109(3),

(c)section 110(4),

(d)section 111(2),

(e)section 112(3),

(f)paragraph 18(1)(c) of Schedule 12,

(g)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),

(h)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), and

(i)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

CHAPTER 5Regulated user-to-user services and regulated search services: notices to deal with terrorism content and CSEA content

121Notices to deal with terrorism content or CSEA content (or both)

(1)If OFCOM consider that it is necessary and proportionate to do so, they may give a notice described in subsection (2), (3) or (4) relating to a regulated user-to-user service or a regulated search service to the provider of the service.

(2)A notice under subsection (1) that relates to a regulated user-to-user service is a notice requiring the provider of the service—

(a)to do any or all of the following—

(i)use accredited technology to identify terrorism content communicated publicly by means of the service and to swiftly take down that content;

(ii)use accredited technology to prevent individuals from encountering terrorism content communicated publicly by means of the service;

(iii)use accredited technology to identify CSEA content, whether communicated publicly or privately by means of the service, and to swiftly take down that content;

(iv)use accredited technology to prevent individuals from encountering CSEA content, whether communicated publicly or privately, by means of the service; or

(b)to use the provider’s best endeavours to develop or source technology for use on or in relation to the service or part of the service, which—

(i)achieves the purpose mentioned in paragraph (a)(iii) or (iv), and

(ii)meets the standards published by the Secretary of State (see section 125(13)).

(3)A notice under subsection (1) that relates to a regulated search service is a notice requiring the provider of the service—

(a)to do either or both of the following—

(i)use accredited technology to identify search content of the service that is terrorism content and to swiftly take measures designed to secure, so far as possible, that search content of the service no longer includes terrorism content identified by the technology;

(ii)use accredited technology to identify search content of the service that is CSEA content and to swiftly take measures designed to secure, so far as possible, that search content of the service no longer includes CSEA content identified by the technology; or

(b)to use the provider’s best endeavours to develop or source technology for use on or in relation to the service which—

(i)achieves the purpose mentioned in paragraph (a)(ii), and

(ii)meets the standards published by the Secretary of State (see section 125(13)).

(4)A notice under subsection (1) that relates to a combined service is a notice requiring the provider of the service—

(a)to do any or all of the things described in subsection (2)(a) in relation to the user-to-user part of the service, or to use best endeavours to develop or source technology as described in subsection (2)(b) for use on or in relation to that part of the service;

(b)to do either or both of the things described in subsection (3)(a) in relation to the search engine of the service, or to use best endeavours to develop or source technology as described in subsection (3)(b) for use on or in relation to the search engine of the service;

(c)to do any or all of the things described in subsection (2)(a) in relation to the user-to-user part of the service and either or both of the things described in subsection (3)(a) in relation to the search engine of the service; or

(d)to use best endeavours to develop or source—

(i)technology as described in subsection (2)(b) for use on or in relation to the user-to-user part of the service, and

(ii)technology as described in subsection (3)(b) for use on or in relation to the search engine of the service.

(5)For the purposes of subsections (2) and (3), a requirement to use accredited technology may be complied with by the use of the technology alone or by means of the technology together with the use of human moderators.

(6)See—

(a)section 122, which requires OFCOM to obtain a skilled person’s report before giving a notice under subsection (1),

(b)section 123, which requires OFCOM to give a warning notice before giving a notice under subsection (1), and

(c)section 124 for provision about matters which OFCOM must consider before giving a notice under subsection (1).

(7)A notice under subsection (1) that relates to a user-to-user service (or to the user-to-user part of a combined service) and requires the use of technology in relation to terrorism content must identify the content, or parts of the service that include content, that OFCOM consider is communicated publicly on that service (see section 232).

(8)For the meaning of “accredited” technology, see section 125(12) and (13).

122Requirement to obtain skilled person’s report

(1)OFCOM may give a notice under section 121(1) to a provider only after obtaining a report from a skilled person appointed by OFCOM under section 104(4).

(2)The purpose of the report is to assist OFCOM in deciding whether to give a notice under section 121(1), and to advise about the requirements that might be imposed by such a notice if it were to be given.

123Warning notices

(1)OFCOM may give a notice under section 121(1) to a provider relating to a service or part of a service only after giving a warning notice to the provider that they intend to give such a notice relating to that service or that part of it.

(2)A warning notice under subsection (1) relating to the use of accredited technology (see section 121(2)(a) and (3)(a)) must—

(a)contain a summary of the report obtained by OFCOM under section 122,

(b)contain details of the technology that OFCOM are considering requiring the provider to use,

(c)specify whether the technology is to be required in relation to terrorism content or CSEA content (or both),

(d)specify any other requirements that OFCOM are considering imposing (see section 125(2) to (4)),

(e)specify the period for which OFCOM are considering imposing the requirements (see section 125(7)),

(f)state that the provider may make representations to OFCOM (with any supporting evidence), and

(g)specify the period within which representations may be made.

(3)A warning notice under subsection (1) relating to the development or sourcing of technology (see section 121(2)(b)and (3)(b)) must—

(a)contain a summary of the report obtained by OFCOM under section 122,

(b)describe the proposed purpose for which the technology must be developed or sourced (see section 121(2)(a)(iii) and (iv) and (3)(a)(ii)),

(c)specify steps that OFCOM consider the provider needs to take in order to comply with the requirement described in section 121(2)(b) or (3)(b), or both those requirements (as the case may be),

(d)specify the proposed period within which the provider must take each of those steps,

(e)specify any other requirements that OFCOM are considering imposing,

(f)state that the provider may make representations to OFCOM (with any supporting evidence), and

(g)specify the period within which representations may be made.

(4)A notice under section 121(1) that relates to both the user-to-user part of a combined service and the search engine of the service (as described in section 121(4)(c) or (d)) may be given to the provider of the service only if—

(a)two separate warning notices have been given to the provider (one relating to the user-to-user part of the service and the other relating to the search engine), or

(b)a single warning notice relating to both the user-to-user part of the service and the search engine has been given to the provider.

(5)A notice under section 121(1) may not be given to a provider until the period allowed by the warning notice for the provider to make representations has expired.

124Matters relevant to a decision to give a notice under section 121(1)

(1)This section specifies the matters which OFCOM must particularly consider in deciding whether it is necessary and proportionate to give a notice under section 121(1) relating to a Part 3 service to the provider of the service.

(2)In the case of a notice requiring the use of accredited technology, the matters are as follows—

(a)the kind of service it is;

(b)the functionalities of the service;

(c)the user base of the service;

(d)in the case of a notice relating to a user-to-user service (or to the user-to-user part of a combined service), the prevalence of relevant content on the service, and the extent of its dissemination by means of the service;

(e)in the case of a notice relating to a search service (or to the search engine of a combined service), the prevalence of search content of the service that is relevant content;

(f)the level of risk of harm to individuals in the United Kingdom presented by relevant content, and the severity of that harm;

(g)the systems and processes used by the service which are designed to identify and remove relevant content;

(h)the contents of the skilled person’s report obtained as required by section 122;

(i)the extent to which the use of the specified technology would or might result in interference with users’ right to freedom of expression within the law;

(j)the level of risk of the use of the specified technology resulting in a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of the service (including, but not limited to, any such provision or rule concerning the processing of personal data);

(k)in the case of a notice relating to a user-to-user service (or to the user-to-user part of a combined service), the extent to which the use of the specified technology would or might—

(i)have an adverse impact on the availability of journalistic content on the service, or

(ii)result in a breach of the confidentiality of journalistic sources;

(l)whether the use of any less intrusive measures than the specified technology would be likely to achieve a significant reduction in the amount of relevant content.

(3)The references to relevant content in subsection (2)(f), (g) and (l) are to—

(a)in the case of a user-to-user service (or the user-to-user part of a combined service), relevant content present on the service;

(b)in the case of a search service (or the search engine of a combined service), search content of the service that is relevant content.

(4)In the case of a notice relating to the development or sourcing of technology, subsection (2) applies—

(a)as if references to relevant content were to CSEA content, and

(b)with the omission of paragraphs (i), (j), (k) and (l).

(5)In this section—

125Notices under section 121(1): supplementary

(1)In this section “a notice” means a notice under section 121(1) (including a further notice under that provision).

(2)If a provider is already using accredited technology in relation to the service in question, a notice may require the provider to use it more effectively (specifying the ways in which that must be done).

(3)A notice relating to a user-to-user service (or to the user-to-user part of a combined service) may also require a provider to operate an effective complaints procedure allowing for United Kingdom users to challenge the provider for taking down content which they have generated, uploaded or shared on the service.

(4)A notice relating to a search service (or to the search engine of a combined service) may also require a provider to operate an effective complaints procedure allowing for an interested person (see section 227(7)) to challenge measures taken or in use by the provider that result in content relating to that interested person no longer appearing in search results of the service.

(5)A notice given to a provider of a Part 3 service requiring the use of accredited technology is to be taken to require the provider to make such changes to the design or operation of the service as are necessary for the technology to be used effectively.

(6)A notice requiring the use of accredited technology must—

(a)give OFCOM’s reasons for their decision to give the notice,

(b)contain details of the requirements imposed by the notice,

(c)contain details of the technology to be used,

(d)contain details about the manner in which the technology is to be implemented,

(e)specify a reasonable period for compliance with the notice,

(f)specify the period for which the notice is to have effect,

(g)contain details of the rights of appeal under section 168,

(h)contain information about when OFCOM intend to review the notice (see section 126), and

(i)contain information about the consequences of not complying with the notice (including information about the further kinds of enforcement action that it would be open to OFCOM to take).

(7)A notice requiring the use of accredited technology may impose requirements for a period of up to 36 months beginning with the last day of the period specified in the notice in accordance with subsection (6)(e).

(8)A notice relating to the development or sourcing of technology must—

(a)give OFCOM’s reasons for their decision to give the notice,

(b)describe the purpose for which technology is required to be developed or sourced (see section 121(2)(a)(iii) and (iv) and (3)(a)(ii),

(c)specify steps that the provider is required to take (including steps relating to the use of a system or process) in order to comply with the requirement described in section 121(2)(b) or (3)(b), or both those requirements (as the case may be),

(d)specify a reasonable period within which each of the steps specified in the notice must be taken,

(e)contain details of any other requirements imposed by the notice,

(f)contain details of the rights of appeal under section 168,

(g)contain information about when OFCOM intend to review the notice (see section 126), and

(h)contain information about the consequences of not complying with the notice (including information about the further kinds of enforcement action that it would be open to OFCOM to take).

(9)In deciding what period or periods to specify for steps to be taken in accordance with subsection (8)(d), OFCOM must, in particular, consider—

(a)the size and capacity of the provider, and

(b)the state of development of technology capable of achieving the purpose described in the notice in accordance with subsection (8)(b).

(10)A notice may impose requirements only in relation to the design and operation of a Part 3 service—

(a)in the United Kingdom, or

(b)as it affects United Kingdom users of the service.

(11)OFCOM may vary or revoke a notice given to a provider by notifying the provider to that effect.

(12)For the purposes of this Chapter, technology is “accredited” if it is accredited (by OFCOM or another person appointed by OFCOM) as meeting minimum standards of accuracy in the detection of terrorism content or CSEA content (as the case may be).

(13)Those minimum standards of accuracy must be such standards as are for the time being approved and published by the Secretary of State, following advice from OFCOM.

126Review and further notice under section 121(1)

(1)This section applies where OFCOM have given a provider of a Part 3 service a notice under section 121(1).

(2)The power conferred by section 125(11) includes power to revoke the notice if there are reasonable grounds for believing that the provider is failing to comply with it.

(3)If a notice is revoked as mentioned in subsection (2), OFCOM may give the provider a further notice under section 121(1) if they consider that it is necessary and proportionate to do so (taking into account the matters mentioned in section 124).

(4)Except where a notice under section 121(1) is revoked as mentioned in subsection (2), OFCOM must carry out a review of the provider’s compliance with the notice—

(a)in the case of a notice requiring the use of accredited technology, before the end of the period for which the notice has effect;

(b)in the case of a notice relating to the development or sourcing of technology, before the last date by which any step specified in the notice is required to be taken.

(5)In the case of a notice requiring the use of accredited technology, the review must consider—

(a)the extent to which the technology specified in the notice has been used, and

(b)the effectiveness of its use.

(6)Following the review, and after consultation with the provider, OFCOM may give the provider a further notice under section 121(1) if they consider that it is necessary and proportionate to do so (taking into account the matters mentioned in section 124).

(7)If a further notice under section 121(1) is given, subsections (3) to (6) apply again.

(8)A further notice under section 121(1) may impose different requirements from an earlier notice under that provision.

(9)Sections 122 (skilled person’s report) and 123 (warning notices) do not apply in relation to a further notice under section 121(1).

127OFCOM’s guidance about functions under this Chapter

(1)OFCOM must produce guidance for providers of Part 3 services about how OFCOM propose to exercise their functions under this Chapter.

(2)Before producing the guidance (including revised or replacement guidance), OFCOM must consult the Information Commissioner.

(3)OFCOM must keep the guidance under review.

(4)OFCOM must publish the guidance (and any revised or replacement guidance).

(5)In exercising their functions under this Chapter, or deciding whether to exercise them, OFCOM must have regard to the guidance for the time being published under this section.

128OFCOM’s annual report

(1)OFCOM must produce and publish an annual report about—

(a)the exercise of their functions under this Chapter, and

(b)technology which meets, or is in the process of development so as to meet, minimum standards of accuracy (see subsections (12) and (13) of section 125) for the purposes of this Chapter.

(2)OFCOM must send a copy of the report to the Secretary of State, and the Secretary of State must lay it before Parliament.

(3)For further provision about reports under this section, see section 164.

129Interpretation of this Chapter

In this Chapter—

CHAPTER 6Enforcement powers

Provisional notices and confirmation decisions

130Provisional notice of contravention

(1)OFCOM may give a notice under this section (a “provisional notice of contravention”) relating to a regulated service to the provider of the service if they consider that there are reasonable grounds for believing that the provider has failed, or is failing, to comply with any enforceable requirement (see section 131) that applies in relation to the service.

(2)OFCOM may also give a provisional notice of contravention to a person on either of the grounds in subsection (3).

(3)The grounds are that—

(a)the person has been given an information notice and OFCOM consider that there are reasonable grounds for believing that the person has failed, or is failing, to comply with either of the duties set out in section 102(8) (duties in relation to information notices), or

(b)the person is required by a skilled person appointed under section 104 to give assistance to the skilled person, and OFCOM consider that there are reasonable grounds for believing that the person has failed, or is failing, to comply with the duty set out in subsection (7) of that section to give such assistance.

(4)A provisional notice of contravention given to a person must—

(a)specify the duty or requirement with which (in OFCOM’s opinion) the person has failed, or is failing, to comply, and

(b)give OFCOM’s reasons for their opinion that the person has failed, or is failing, to comply with it.

(5)A provisional notice of contravention may also contain details as mentioned in subsection (6) or (7), or both.

(6)A provisional notice of contravention may specify steps that OFCOM consider the person needs to take in order to—

(a)comply with the duty or requirement, or

(b)remedy the failure to comply with it.

(7)A provisional notice of contravention may state that OFCOM propose to impose a penalty on the person, and in such a case the notice must—

(a)state the reasons why OFCOM propose to impose a penalty,

(b)state whether OFCOM propose to impose a penalty of a single amount, a penalty calculated by reference to a daily rate, or both penalties (see section 137(1)),

(c)indicate the amount of a penalty that OFCOM propose to impose, including (in relation to a penalty calculated by reference to a daily rate) the daily rate and how the penalty would be calculated,

(d)in relation to a penalty calculated by reference to a daily rate, specify or describe the period for which OFCOM propose that the penalty should be payable, and

(e)state the reasons for proposing a penalty of that amount, including any aggravating or mitigating factors that OFCOM propose to take into account.

(8)A provisional notice of contravention given to a person must—

(a)state that the person may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice, and

(b)specify the period within which such representations may be made.

(9)A provisional notice of contravention may be given in respect of a failure to comply with more than one enforceable requirement.

(10)Where a provisional notice of contravention is given in respect of a continuing failure, the notice may be given in respect of any period during which the failure has continued, and must specify that period.

(11)Where a provisional notice of contravention is given to a person in respect of a failure to comply with a duty or requirement (“the first notice”), a further provisional notice of contravention in respect of a failure to comply with that same duty or requirement may be given to the person only—

(a)in respect of a separate instance of the failure after the first notice was given,

(b)where a period was specified in the first notice in accordance with subsection (10), in respect of the continuation of the failure after the end of that period, or

(c)if the first notice has been withdrawn (without a confirmation decision being given to the person in respect of the failure).

131Requirements enforceable by OFCOM against providers of regulated services

(1)References in this Chapter to “enforceable requirements” are to—

(a)the duties or requirements set out in the provisions of this Act specified in the table in subsection (2), and

(b)the requirements mentioned in subsection (3).

(2)Here is the table—

ProvisionSubject matter
Section 9Illegal content risk assessments
Section 10Illegal content
Section 11Children’s risk assessments
Section 12Children’s online safety
Section 14Assessments related to duty in section 15(2)
Section 15User empowerment
Section 17Content of democratic importance
Section 18News publisher content
Section 19Journalistic content
Section 20Content reporting
Section 21Complaints procedures
Section 22Freedom of expression and privacy
Section 23Record-keeping and review
Section 26Illegal content risk assessments
Section 27Illegal content
Section 28Children’s risk assessments
Section 29Children’s online safety
Section 31Content reporting
Section 32Complaints procedures
Section 33Freedom of expression and privacy
Section 34Record-keeping and review
Section 36Children’s access assessments
Section 38Fraudulent advertising
Section 39Fraudulent advertising
Section 64User identity verification
Section 66Reporting CSEA content to NCA
Section 71Acting against users only in accordance with terms of service
Section 72Terms of service
Section 75Information about use of service by deceased child users
Section 77(3) and (4)Transparency reports
Section 81Provider pornographic content
Section 83Fees: notification of OFCOM
Section 102(8)Information notices
Section 104(7)Assistance to skilled person
Section 105(1)Co-operation with investigation

(3)The requirements referred to in subsection (1)(b) are—

(a)requirements of a notice under section 104(5)(a) to appoint a skilled person;

(b)requirements of a notice given by virtue of section 175(3) (duty to make public statement);

(c)requirements of a notice under section 175(5) (information in connection with circumstances presenting a threat);

(d)requirements imposed by a person acting—

(i)in the exercise of powers conferred by paragraph 2 of Schedule 12 (entry and inspection without warrant), or

(ii)in the execution of a warrant issued under paragraph 5 of that Schedule.

132Confirmation decisions

(1)This section applies if—

(a)OFCOM have given a provisional notice of contravention to a person in relation to a failure to comply with a duty or requirement (or with duties or requirements), and

(b)the period allowed for representations has expired.

A duty or requirement to which the provisional notice of contravention relates is referred to in this section as a “notified requirement”.

(2)If, after considering any representations and evidence, OFCOM decide not to give the person a notice under this section, they must inform the person of that fact.

(3)If OFCOM are satisfied that the person has failed, or has been failing, to comply with a notified requirement, OFCOM may give the person a notice under this section (a “confirmation decision”) confirming that that is OFCOM’s opinion.

(4)A confirmation decision and a notice under section 121(1) may be given in respect of the same failure.

(5)A confirmation decision given to a person may—

(a)require the person to take steps as mentioned in section 133;

(b)require the person to pay a penalty as mentioned in section 137;

(c)require the person to do both those things (or neither of them).

(6)See sections 134 and 135 for further provision which a confirmation decision may include in cases of failure to comply with duties about risk assessments or children’s access assessments.

133Confirmation decisions: requirements to take steps

(1)A confirmation decision may require the person to whom it is given to take such steps as OFCOM consider appropriate (including steps relating to the use of a system or process) for either or both of the following purposes—

(a)complying with a notified requirement;

(b)remedying the failure to comply with a notified requirement.

(2)But see section 136 in relation to OFCOM’s power to include in a confirmation decision requirements as described in subsection (1) relating to the use of proactive technology.

(3)A confirmation decision may impose requirements as described in subsection (1) only in relation to the design or operation of a regulated service—

(a)in the United Kingdom, or

(b)as it affects United Kingdom users of the service.

(4)A confirmation decision that includes requirements as described in subsection (1) must—

(a)specify the steps that are required,

(b)give OFCOM’s reasons for their decision to impose those requirements,

(c)specify which of those requirements (if any) have been designated as CSEA requirements (see subsections (6) and (7)),

(d)specify each notified requirement to which the steps relate,

(e)specify the period during which the failure to comply with a notified requirement has occurred, and whether the failure is continuing,

(f)specify a reasonable period within which each of the steps specified in the decision must be taken or, if a step requires the use of a system or process, a reasonable period within which the system or process must begin to be used (but see subsection (5) in relation to information duties),

(g)(if relevant) specify the period for which a system or process must be used,

(h)contain details of the rights of appeal under section 168, and

(i)contain information about the consequences of not complying with the requirements included in the decision (including information about the further kinds of enforcement action that it would be open to OFCOM to take).

(5)A confirmation decision that requires a person to take steps for the purpose of complying with an information duty may require the person to take those steps immediately.

(6)If the condition in subsection (7) is met in relation to a requirement imposed by a confirmation decision which is of a kind described in subsection (1), OFCOM must designate the requirement as a “CSEA requirement” for the purposes of section 138(3) (offence of failure to comply with confirmation decision).

(7)The condition referred to in subsection (6) is that the requirement is imposed (whether or not exclusively) in relation to either or both of the following—

(a)a failure to comply with section 10(2)(a) or (3)(a) in respect of CSEA content, or in respect of priority illegal content which includes CSEA content;

(b)a failure to comply with section 10(2)(b) in respect of an offence specified in Schedule 6 (CSEA offences), or in respect of priority offences which include such an offence.

(8)A person to whom a confirmation decision is given has a duty to comply with requirements included in the decision which are of a kind described in subsection (1).

(9)The duty under subsection (8) is enforceable in civil proceedings by OFCOM—

(a)for an injunction,

(b)for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or

(c)for any other appropriate remedy or relief.

(10)In this section—

134Confirmation decisions: risk assessments

(1)This section applies if—

(a)OFCOM are satisfied that a provider of a Part 3 service has failed to comply with a risk assessment duty,

(b)based on evidence resulting from OFCOM’s investigation into that failure, OFCOM have identified a risk of serious harm to individuals in the United Kingdom arising from a particular aspect of the service (“the identified risk”), and

(c)OFCOM consider that the identified risk is not effectively mitigated or managed.

(2)A confirmation decision given to the provider of the service—

(a)if the identified risk relates to matters required to be covered by an illegal content risk assessment, may include a determination that the duty set out in section 10(2)(b) or (c) or 27(2) (as the case may be) applies as if an illegal content risk assessment carried out by the provider had identified that risk;

(b)if the identified risk relates to matters required to be covered by a children’s risk assessment, may include a determination that the duty set out in section 12(2)(a) or 29(2)(a) (as the case may be) applies as if a children’s risk assessment carried out by the provider had identified that risk.

(3)A confirmation decision which includes a determination as mentioned in subsection (2) must—

(a)give details of the identified risk,

(b)specify the duty to which the determination relates, and

(c)specify the date by which measures (at the provider’s discretion) to comply with that duty must be taken or must begin to be used.

(4)A determination as mentioned in subsection (2) ceases to have effect on the date on which the provider of the service complies with the risk assessment duty with which the provider had previously failed to comply (and accordingly, from that date the duty to which the determination relates applies without the modification mentioned in that subsection).

(5)In this section—

135Confirmation decisions: children’s access assessments

(1)This section applies if OFCOM are satisfied that a provider of a Part 3 service has failed to comply with a duty set out in section 36 (duties about children’s access assessments).

(2)If OFCOM include in a confirmation decision a requirement to take steps relating to the carrying out of a children’s access assessment of a service, they must require that assessment to be completed within three months of the date of the confirmation decision.

(3)OFCOM may vary a confirmation decision which includes a requirement as mentioned in subsection (2) to extend the deadline for completion of a children’s access assessment.

(4)Subsection (5) applies if, based on evidence that OFCOM have about a service resulting from their investigation into compliance with a duty set out in section 36, OFCOM consider that—

(a)it is possible for children to access the service or a part of it, and

(b)the child user condition is met in relation to—

(i)the service, or

(ii)a part of the service that it is possible for children to access.

(5)OFCOM may include in the confirmation decision given to the provider of the service—

(a)a determination that the duties set out in sections 11 and 12, or (as the case may be) sections 28 and 29, must be complied with—

(i)from the date of the confirmation decision, or

(ii)from a later date specified in that decision;

(b)provision about the circumstances in which that determination may be treated as no longer applying in relation to the service.

(6)Subsection (4) is to be interpreted consistently with section 35.

(7)In this section, “children’s access assessment” has the meaning given by section 35.

136Confirmation decisions: proactive technology

(1)This section sets out what powers OFCOM have to include in a confirmation decision a requirement to take steps to use a kind, or one of the kinds, of proactive technology specified in the decision (a “proactive technology requirement”).

(2)A proactive technology requirement may be imposed in a confirmation decision if—

(a)the decision is given to the provider of an internet service within section 80(2), and

(b)the decision is imposed for the purpose of complying with, or remedying the failure to comply with, the duty set out in section 81(2) (provider pornographic content).

(3)The following provisions of this section set out constraints on OFCOM’s power to include a proactive technology requirement in a confirmation decision in any case not within subsection (2).

(4)A proactive technology requirement may be imposed in a confirmation decision only if the decision is given to the provider of a Part 3 service.

(5)A proactive technology requirement may be imposed in a confirmation decision only for the purpose of complying with, or remedying the failure to comply with, any of the duties set out in—

(a)section 10(2) or (3) (illegal content),

(b)section 12(2) or (3) (children’s online safety),

(c)section 27(2) or (3) (illegal content),

(d)section 29(2) or (3) (children’s online safety), or

(e)section 38(1) or 39(1) (fraudulent advertising).

(6)Proactive technology may be required to be used on or in relation to any Part 3 service or any part of such a service, but if and to the extent that the technology operates (or may operate) by analysing content that is user-generated content in relation to the service, or metadata relating to such content, the technology may not be required to be used except to analyse—

(a)user-generated content communicated publicly, and

(b)metadata relating to user-generated content communicated publicly.

(7)Before imposing a proactive technology requirement in relation to a service in a confirmation decision, OFCOM must particularly consider the matters mentioned in subsection (8), so far as they are relevant.

(8)The matters are as follows—

(a)the kind of service it is;

(b)the functionalities of the service;

(c)the user base of the service;

(d)the prevalence of relevant content on the service and the extent of its dissemination by means of the service, or (as the case may be) the prevalence of search content of the service that is relevant content;

(e)the level of risk of harm to individuals in the United Kingdom presented by relevant content present on the service, or (as the case may be) search content of the service that is relevant content, and the severity of that harm;

(f)the degree of accuracy, effectiveness and lack of bias achieved by the kind of technology specified in the decision;

(g)the extent to which the use of the kind of proactive technology specified in the decision would or might result in interference with users’ right to freedom of expression within the law;

(h)the level of risk of the use of the kind of proactive technology specified in the decision resulting in a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of the service (including, but not limited to, any such provision or rule concerning the processing of personal data);

(i)whether the use of any less intrusive measures than the proactive technology specified in the decision would be likely to result in compliance with, or would be likely to effectively remedy the failure to comply with, the duty in question.

(9)A confirmation decision that imposes a proactive technology requirement on a provider may also impose requirements about review of the technology by the provider.

(10)A confirmation decision relating to a service which requires the use of technology of a kind mentioned in subsection (6) must identify the content, or parts of the service that include content, that OFCOM consider is communicated publicly on that service (see section 232).

(11)In this section—

137Confirmation decisions: penalties

(1)A confirmation decision may require the person to whom it is given to do either or both of the following, depending on what was proposed in the provisional notice of contravention (see paragraph 3 of Schedule 13)—

(a)pay to OFCOM a penalty of a single amount in sterling determined by OFCOM (a “single penalty”) and specified in the confirmation decision;

(b)if the confirmation decision includes a requirement of the kind described in section 133(1)(a) in respect of a continuous failure to comply with a notified requirement, pay a daily rate penalty to OFCOM if that same failure continues after the compliance date.

(2)A “daily rate penalty” means a penalty of an amount in sterling determined by OFCOM and calculated by reference to a daily rate.

(3)A confirmation decision may impose separate single penalties for failure to comply with separate notified requirements specified in the decision.

(4)Where a provisional notice of contravention is given in respect of a period of continuing failure to comply with a notified requirement, no more than one single penalty may be imposed by a confirmation decision in respect of the period of failure specified in the provisional notice of contravention.

(5)A confirmation decision that imposes a penalty must—

(a)give OFCOM’s reasons for their decision to impose the penalty,

(b)specify each notified requirement to which the penalty relates,

(c)specify the period during which the failure to comply with a notified requirement has occurred, and whether the failure is continuing,

(d)state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,

(e)specify a reasonable period within which the penalty must be paid,

(f)contain details of the rights of appeal under section 168, and

(g)contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).

(6)The period specified under subsection (5)(e) for the payment of a single penalty must be at least 28 days beginning with the day on which the confirmation decision is given.

(7)If a confirmation decision imposes a single penalty and a daily rate penalty, the information mentioned in subsection (5)(a), (b), (d) and (e) must be given in respect of each kind of penalty.

(8)As well as containing the information mentioned in subsection (5), a confirmation decision that imposes a daily rate penalty in respect of a continuous failure to comply with a notified requirement must—

(a)state the daily rate of the penalty and how the penalty is calculated;

(b)state that the person will be liable to pay the penalty if that same failure continues after the compliance date;

(c)state the date from which the penalty begins to be payable, which must not be earlier than the day after the compliance date;

(d)provide for the penalty to continue to be payable at the daily rate until—

(i)the date on which the notified requirement is complied with,

(ii)if the penalty is imposed in respect of a failure to comply with more than one notified requirement, the date on which the last of those requirements is complied with, or

(iii)an earlier date specified in the confirmation decision.

(9)In this section—

138Confirmation decisions: offences

(1)A person to whom a confirmation decision is given commits an offence if, without reasonable excuse, the person fails to comply with a requirement imposed by the decision which—

(a)is of a kind described in section 133(1), and

(b)is imposed (whether or not exclusively) in relation to a failure to comply with a children’s online safety duty.

(2)A “children’s online safety duty” means a duty set out in—

(a)section 12(3)(a),

(b)section 12(3)(b),

(c)section 81(2), or

(d)section 81(4).

(3)A person to whom a confirmation decision is given commits an offence if, without reasonable excuse, the person fails to comply with a CSEA requirement imposed by the decision (see section 133(6) and (7)).

(4)A person who commits an offence under this section is liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).

Penalty notices etc

139Penalty for failure to comply with confirmation decision

(1)This section applies if—

(a)OFCOM have given a confirmation decision to a person,

(b)the decision includes requirements of a kind described in section 133(1) (requirements to take steps),

(c)OFCOM are satisfied that the person has failed to comply with one or more of those requirements, and

(d)OFCOM have not imposed a daily rate penalty under section 137(1)(b) in respect of that failure.

(2)OFCOM may give the person a penalty notice under this section in respect of the failure to comply with the confirmation decision, requiring the person to pay to OFCOM a penalty of a single amount in sterling determined by OFCOM.

(3)But OFCOM may give such a notice to the person only after—

(a)notifying the person that they propose to give a penalty notice under this section, specifying the reasons for doing so and indicating the amount of the proposed penalty, and

(b)giving the person an opportunity to make representations (with any supporting evidence).

(4)A penalty notice under this section must—

(a)give OFCOM’s reasons for their decision to impose the penalty,

(b)state the amount of the penalty,

(c)state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,

(d)specify the period within which the penalty must be paid,

(e)contain details of the rights of appeal under section 168, and

(f)contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).

(5)The period specified under subsection (4)(d) must be at least 28 days beginning with the day on which the penalty notice is given.

140Penalty for failure to comply with notice under section 121(1)

(1)This section applies if—

(a)OFCOM have given a notice under section 121(1) relating to a Part 3 service to the provider of that service (notices to deal with terrorism content and CSEA content), and

(b)OFCOM are satisfied that the provider has failed, or is failing, to comply with the notice.

(2)OFCOM may give the provider a notice under this subsection stating that they propose to impose a penalty on the provider in respect of that failure.

(3)The provider may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice.

(4)Subsection (5) applies if—

(a)the period allowed for representations has expired, and

(b)OFCOM are still satisfied as to the failure mentioned in subsection (1).

(5)OFCOM may give the provider a penalty notice under this subsection requiring the provider to pay to OFCOM a penalty of an amount in sterling determined by OFCOM.

(6)The penalty may consist of any of the following, depending on what was specified in the notice about the proposed penalty—

(a)a single amount;

(b)an amount calculated by reference to a daily rate;

(c)a combination of a single amount and an amount calculated by reference to a daily rate.

(7)See section 142 for information which must be included in notices under this section.

(8)Nothing in this section is to be taken to prevent OFCOM from giving the provider a further notice under section 121(1) (see section 126), as well as giving a penalty notice under subsection (5).

141Non-payment of fee

(1)This section applies if—

(a)the provider of a regulated service is liable to pay a fee to OFCOM under section 84 or Schedule 10 in respect of the current charging year (within the meaning of Part 6) or a previous charging year, and

(b)in OFCOM’s opinion, the provider has not paid the full amount of the fee that the provider is liable to pay.

(2)OFCOM may give the provider a notice under this subsection specifying—

(a)the outstanding amount of the fee that OFCOM consider the provider is due to pay to them under section 84 or Schedule 10, and

(b)the period within which the provider must pay it.

(3)A notice under subsection (2)

(a)may be given in respect of liabilities that relate to different charging years;

(b)may also state that OFCOM propose to impose a penalty on the provider.

(4)The provider may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice.

(5)Subsection (6) applies if—

(a)the notice under subsection (2) stated that OFCOM propose to impose a penalty,

(b)the period allowed for representations has expired, and

(c)OFCOM are satisfied that an amount of the fee is still due to them.

(6)OFCOM may give the provider a penalty notice under this subsection requiring the provider to pay to OFCOM a penalty of an amount in sterling determined by OFCOM.

(7)The penalty may consist of any of the following, depending on what was specified in the notice about the proposed penalty—

(a)a single amount;

(b)an amount calculated by reference to a daily rate;

(c)a combination of a single amount and an amount calculated by reference to a daily rate.

(8)A penalty notice under subsection (6) may require the payment of separate single amounts in respect of liabilities that relate to different charging years.

(9)See section 142 for information which must be included in notices under this section.

(10)Nothing in this section affects OFCOM’s power to bring proceedings (whether before or after the imposition of a penalty by a notice under subsection (6)) for the recovery of the whole or part of an amount due to OFCOM under section 84 or Schedule 10.

(11)But OFCOM may not bring such proceedings unless a provider has first been given a notice under subsection (2) specifying the amount due to OFCOM.

142Information to be included in notices under sections 140 and 141

(1)Subsection (2) applies in relation to—

(a)a notice under section 140(2), and

(b)a notice under section 141(2) stating that OFCOM propose to impose a penalty.

(2)Such a notice must—

(a)state the reasons why OFCOM propose to impose the penalty,

(b)state whether OFCOM propose that the penalty should consist of a single amount, an amount calculated by reference to a daily rate, or a combination of the two,

(c)indicate the amount of the proposed penalty, including (in relation to an amount calculated by reference to a daily rate) the daily rate and how the penalty would be calculated,

(d)in relation to an amount calculated by reference to a daily rate, specify or describe the period for which OFCOM propose that the amount should be payable,

(e)state the reasons for proposing a penalty of that amount, including any aggravating or mitigating factors that OFCOM propose to take into account, and

(f)specify the period within which representations in relation to the proposed penalty may be made.

(3)A penalty notice under section 140(5) or 141(6) must—

(a)give OFCOM’s reasons for their decision to impose the penalty,

(b)state whether the penalty consists of a single amount, an amount calculated by reference to a daily rate, or a combination of the two, and how it is calculated,

(c)in relation to a single amount, state that amount,

(d)in relation to an amount calculated by reference to a daily rate, state the daily rate,

(e)state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,

(f)specify a reasonable period within which the penalty must be paid,

(g)contain details of the rights of appeal under section 168, and

(h)contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).

(4)A penalty notice under section 141(6) must also specify the amount of the fee that is (in OFCOM’s opinion) due to be paid to OFCOM.

(5)The period specified under subsection (3)(f)  for the payment of a single amount must be at least 28 days beginning with the day on which the penalty notice is given.

(6)Subsection (7) applies in relation to a penalty notice under section 140(5) or 141(6) that includes a requirement to pay an amount calculated by reference to a daily rate.

(7)Such a notice must—

(a)state the date from which the amount begins to be payable, which must not be earlier than the day after the day on which the notice is given;

(b)provide for the amount to continue to be payable at the daily rate until—

(i)(in the case of a notice under section 140(5)) the date on which OFCOM are satisfied that the provider is complying with the notice under section 121(1), or (in the case of a notice under section 141(6)) the date on which the full amount of the fee (as specified in the penalty notice) has been paid to OFCOM, or

(ii)an earlier date specified in the penalty notice.

Amount of penalties etc

143Amount of penalties etc

Schedule 13 contains provision about the amount of penalties that OFCOM may impose under this Chapter, and makes further provision about such penalties.

Business disruption measures

144Service restriction orders

(1)OFCOM may apply to the court for an order under this section (a “service restriction order”) in relation to a regulated service where they consider that—

(a)the grounds in subsection (3) apply in relation to the service, or

(b)in the case of a Part 3 service, the grounds in subsection (4) apply in relation to the service.

(2)A service restriction order is an order imposing requirements on one or more persons who provide an ancillary service (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (11)).

(3)The grounds mentioned in subsection (1)(a) are that—

(a)the provider of the regulated service has failed to comply with an enforceable requirement that applies in relation to the regulated service,

(b)the failure is continuing, and

(c)any of the following applies—

(i)the provider has failed to comply with a requirement imposed by a confirmation decision that is of a kind described in section 133(1) relating to the failure;

(ii)the provider has failed to pay a penalty imposed by a confirmation decision relating to the failure (and the confirmation decision did not impose any requirements of a kind described in section 133(1));

(iii)the provider would be likely to fail to comply with requirements imposed by a confirmation decision if given;

(iv)the circumstances of the failure or the risks of harm to individuals in the United Kingdom are such that it is appropriate to make the application without having given a provisional notice of contravention, without having given a confirmation decision, or (having given a confirmation decision imposing requirements) without waiting to ascertain compliance with those requirements.

(4)The grounds mentioned in subsection (1)(b) are that—

(a)the provider of the Part 3 service has failed to comply with a notice under section 121(1) that relates to the service (notices to deal with terrorism content and CSEA content), and

(b)the failure is continuing.

(5)An application by OFCOM for a service restriction order must—

(a)specify the regulated service in relation to which the application is made (“the relevant service”),

(b)specify the provider of that service (“the non-compliant provider”),

(c)specify the grounds on which the application is based, and contain evidence about those grounds,

(d)specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,

(e)contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an ancillary service in relation to the relevant service, and specify any such ancillary service provided,

(f)specify the requirements which OFCOM consider that the order should impose on such persons, and

(g)in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.

(6)The court may make a service restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—

(a)as to the grounds in subsection (3) or the grounds in subsection (4) (as the case may be),

(b)that the person provides an ancillary service in relation to the relevant service,

(c)that it is appropriate to make the order for the purpose of preventing harm to individuals in the United Kingdom, and the order is proportionate to the risk of such harm,

(d)in the case of an application made on the ground in subsection (3)(c)(iii) or (iv), that it is appropriate to make the order before a provisional notice of contravention or confirmation decision has been given, or before compliance with requirements imposed by a confirmation decision has been ascertained (as the case may be), and

(e)if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.

(7)When considering whether to make a service restriction order in relation to the relevant service, and when considering what provision it should contain, the court must take into account (among other things) the rights and obligations of all relevant parties, including those of—

(a)the non-compliant provider,

(b)the person or persons on whom the court is considering imposing the requirements, and

(c)United Kingdom users of the relevant service.

(8)A service restriction order made in relation to the relevant service must—

(a)identify the non-compliant provider,

(b)identify the persons on whom the requirements are imposed, and any ancillary service to which the requirements relate,

(c)require such persons to take the steps specified in the order, or to put in place arrangements, that have the effect of withdrawing the ancillary service to the extent that it relates to the relevant service (or part of it), or preventing the ancillary service from promoting or displaying content that relates to the relevant service (or part of it) in any way,

(d)specify the date by which the requirements in the order must be complied with, and

(e)specify the date on which the order expires, or the period for which the order has effect.

(9)The steps that may be specified or arrangements that may be required to be put in place—

(a)include steps or arrangements that will or may require the termination of an agreement (whether or not made before the coming into force of this section), or the prohibition of the performance of such an agreement, and

(b)are limited, so far as that is possible, to steps or arrangements relating to the operation of the relevant service as it affects United Kingdom users.

(10)OFCOM must inform the Secretary of State as soon as reasonably practicable after a service restriction order has been made.

(11)For the purposes of this section, a service is an “ancillary service” in relation to a regulated service if the service facilitates the provision of the regulated service (or part of it), whether directly or indirectly, or displays or promotes content relating to the regulated service (or to part of it).

(12)Examples of ancillary services include—

(a)services, provided (directly or indirectly) in the course of a business, which enable funds to be transferred in relation to a regulated service,

(b)search engines which generate search results displaying or promoting content relating to a regulated service,

(c)user-to-user services which make content relating to a regulated service available to users, and

(d)services which use technology to facilitate the display of advertising on a regulated service (for example, an ad server or an ad network).

(13)In this section “the court” means—

(a)in England and Wales, the High Court or the county court,

(b)in Scotland, the Court of Session or a sheriff, and

(c)in Northern Ireland, the High Court or a county court.

145Interim service restriction orders

(1)OFCOM may apply to the court for an interim order under this section (an “interim service restriction order”) in relation to a regulated service where they consider that—

(a)the grounds in subsection (3) apply in relation to the service, or

(b)in the case of a Part 3 service, the grounds in subsection (4) apply in relation to the service.

(2)An interim service restriction order is an interim order imposing requirements on one or more persons who provide an ancillary service (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (9)).

(3)The grounds mentioned in subsection (1)(a) are that—

(a)it is likely that the provider of the regulated service is failing to comply with an enforceable requirement that applies in relation to the regulated service, and

(b)the level of risk of harm to individuals in the United Kingdom relating to the likely failure, and the nature and severity of that harm, are such that it would not be appropriate to wait to establish the failure before applying for the order.

(4)The grounds mentioned in subsection (1)(b) are that—

(a)it is likely that the provider of the Part 3 service is failing to comply with a notice under section 121(1) that relates to the service (notices to deal with terrorism content and CSEA content), and

(b)the level of risk of harm to individuals in the United Kingdom relating to the likely failure, and the nature and severity of that harm, are such that it would not be appropriate to wait to establish the failure before applying for the order.

(5)An application by OFCOM for an interim service restriction order must—

(a)specify the regulated service in relation to which the application is made (“the relevant service”),

(b)specify the provider of that service (“the non-compliant provider”),

(c)specify the grounds on which the application is based, and contain evidence about those grounds,

(d)specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,

(e)contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an ancillary service in relation to the relevant service, and specify any such ancillary service provided,

(f)specify the requirements which OFCOM consider that the order should impose on such persons, and

(g)in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.

(6)The court may make an interim service restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—

(a)as to the ground in subsection (3)(a) or the ground in subsection (4)(a) (as the case may be),

(b)that the person provides an ancillary service in relation to the relevant service,

(c)that there are prima facie grounds to suggest that an application for a service restriction order under section 144 would be successful,

(d)that the level of risk of harm to individuals in the United Kingdom relating to the likely failure mentioned in subsection (3)(a) or (4)(a) (whichever applies), and the nature and severity of that harm, are such that it is not appropriate to wait for the failure to be established before making the order, and

(e)if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.

(7)An interim service restriction order ceases to have effect on the earlier of—

(a)the date specified in the order, or the date on which the period specified in the order expires (as the case may be), and

(b)the date on which the court makes a service restriction order under section 144 in relation to the relevant service that imposes requirements on the same persons on whom requirements are imposed by the interim order, or dismisses the application for such an order.

(8)Subsections (7) to (10) of section 144 apply in relation to an interim service restriction order under this section as they apply in relation to a service restriction order under that section.

(9)In this section, “ancillary service” and “the court” have the same meaning as in section 144 (see subsections (11), (12) and (13) of that section).

146Access restriction orders

(1)OFCOM may apply to the court for an order under this section (an “access restriction order”) in relation to a regulated service where they consider that—

(a)the grounds in section 144(3) or (4) apply in relation to the service, and

(b)either—

(i)a service restriction order under section 144 or an interim service restriction order under section 145 has been made in relation to the failure, and it was not sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure, or

(ii)the likely consequences of the failure are such that if a service restriction order or an interim service restriction order were to be made, it would be unlikely to be sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure,

and in this paragraph, “the failure” means the failure mentioned in section 144(3)(a) or (4)(a) (as the case may be).

(2)An access restriction order is an order imposing requirements on one or more persons who provide an access facility (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (10)).

(3)An application by OFCOM for an access restriction order must—

(a)specify the regulated service in relation to which the application is made (“the relevant service”),

(b)specify the provider of that service (“the non-compliant provider”),

(c)specify the grounds on which the application is based, and contain evidence about those grounds,

(d)specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,

(e)contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an access facility in relation to the relevant service, and specify any such access facility provided,

(f)specify the requirements which OFCOM consider that the order should impose on such persons, and

(g)in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.

(4)The court may make an access restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—

(a)as to the grounds in subsection (1),

(b)that the person provides an access facility in relation to the relevant service,

(c)that it is appropriate to make the order for the purpose of preventing significant harm to individuals in the United Kingdom, and the order is proportionate to the risk of such harm,

(d)in the case of an application made on the ground in subsection (3)(c)(iii) or (iv) of section 144 (by virtue of subsection (1)(a)), that it is appropriate to make the order before a provisional notice of contravention or confirmation decision has been given, or before compliance with requirements imposed by a confirmation decision has been ascertained (as the case may be), and

(e)if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.

(5)When considering whether to make an access restriction order in relation to the relevant service, and when considering what provision it should contain, the court must take into account (among other things) the rights and obligations of all relevant parties, including those of—

(a)the non-compliant provider,

(b)the person or persons on whom the court is considering imposing the requirements, and

(c)United Kingdom users of the relevant service.

(6)An access restriction order made in relation to the relevant service must—

(a)identify the non-compliant provider,

(b)identify the persons on whom the requirements are imposed, and any access facility to which the requirements relate,

(c)require such persons to take the steps specified in the order, or to put in place arrangements, to withdraw, adapt or manipulate the access facility in order to impede users’ access (by means of that facility) to the relevant service (or to part of it),

(d)specify the date by which the requirements in the order must be complied with, and

(e)specify the date on which the order expires, or the period for which the order has effect.

(7)The steps that may be specified or arrangements that may be required to be put in place—

(a)include steps or arrangements that will or may require the termination of an agreement (whether or not made before the coming into force of this section), or the prohibition of the performance of such an agreement,

(b)are limited, so far as that is possible, to steps or arrangements that impede the access of United Kingdom users, and

(c)are limited, so far as that is possible, to steps or arrangements that do not affect such users’ ability to access any other internet services.

(8)OFCOM must inform the Secretary of State as soon as reasonably practicable after an access restriction order has been made.

(9)Where a person who provides an access facility takes steps or puts in place arrangements required by an access restriction order, OFCOM may, by notice, require that person to (where possible) notify persons in the United Kingdom who attempt to access the relevant service via that facility of the access restriction order (and where a confirmation decision has been given to the non-compliant provider, the notification must refer to that decision).

(10)For the purposes of this section, a facility is an “access facility” in relation to a regulated service if the person who provides the facility is able to withdraw, adapt or manipulate it in such a way as to impede access (by means of that facility) to the regulated service (or to part of it) by United Kingdom users of that service.

(11)Examples of access facilities include—

(a)internet access services by means of which a regulated service is made available, and

(b)app stores through which a mobile app for a regulated service may be downloaded or otherwise accessed.

(12)In this section—

147Interim access restriction orders

(1)OFCOM may apply to the court for an interim order under this section (an “interim access restriction order”) in relation to a regulated service where they consider that—

(a)the grounds in section 145(3) or (4) apply in relation to the service, and

(b)either—

(i)a service restriction order under section 144 or an interim service restriction order under section 145 has been made in relation to the likely failure, and it was not sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure, or

(ii)the likely consequences of such a failure would be such that if a service restriction order or an interim service restriction order were to be made, it would be unlikely to be sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure,

and in this section, “the likely failure” means the likely failure mentioned in section 145(3)(a) or (4)(a) (as the case may be).

(2)An interim access restriction order is an interim order imposing requirements on one or more persons who provide an access facility (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (8)).

(3)An application by OFCOM for an interim access restriction order must—

(a)specify the regulated service in relation to which the application is made (“the relevant service”),

(b)specify the provider of that service (“the non-compliant provider”),

(c)specify the grounds on which the application is based, and contain evidence about those grounds,

(d)specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,

(e)contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an access facility in relation to the relevant service, and specify any such access facility provided,

(f)specify the requirements which OFCOM consider that the order should impose on such persons, and

(g)in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.

(4)The court may make an interim access restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—

(a)that the ground in section 145(3)(a) or (4)(a) (as the case may be) applies in relation to the service,

(b)as to the ground in subsection (1)(b)(i) or (ii),

(c)that the person provides an access facility in relation to the relevant service,

(d)that there are prima facie grounds to suggest that an application for an access restriction order under section 146 would be successful,

(e)that the level of risk of harm to individuals in the United Kingdom relating to the likely failure, and the nature and severity of that harm, are such that it is not appropriate to wait for the failure to be established before making the order, and

(f)if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.

(5)An interim access restriction order ceases to have effect on the earlier of—

(a)the date specified in the order, or the date on which the period specified in the order expires (as the case may be), and

(b)the date on which the court makes an access restriction order under section 146 in relation to the relevant service that imposes requirements on the same persons on whom requirements are imposed by the interim order, or dismisses an application for such an order.

(6)Subsections (5) to (8) of section 146 apply in relation to an interim access restriction order under this section as they apply in relation to an access restriction order under that section.

(7)Where a person who provides an access facility takes steps or puts in place arrangements required by an interim access restriction order, OFCOM may, by notice, require that person to (where possible) notify persons in the United Kingdom who attempt to access the relevant service via that facility of the interim access restriction order.

(8)In this section, “access facility” and “the court” have the same meaning as in section 146 (see subsections (10), (11) and (12) of that section).

148Interaction with other action by OFCOM

(1)Where OFCOM apply for a business disruption order in respect of a failure by a provider of a regulated service to comply with an enforceable requirement, nothing in sections 144 to 147 is to be taken to prevent OFCOM also giving the provider—

(a)a confirmation decision in respect of the failure, or

(b)a penalty notice under section 139 in relation to a confirmation decision in respect of the failure.

(2)Where OFCOM apply for a business disruption order in respect of a failure by a provider of a Part 3 service to comply with a notice under section 121(1) (notices to deal with terrorism content and CSEA content), nothing in sections 144 to 147 is to be taken to prevent OFCOM also giving the provider either or both of the following—

(a)a further notice under section 121(1) (see section 126);

(b)a penalty notice under section 140(5).

(3)In this section, a “business disruption order” means—

(a)a service restriction order under section 144,

(b)an interim service restriction order under section 145,

(c)an access restriction order under section 146, or

(d)an interim access restriction order under section 147.

Publication of enforcement action

149Publication by OFCOM of details of enforcement action

(1)Subsections (2) and (3) apply where OFCOM have given a person (and not withdrawn) any of the following—

(a)a confirmation decision;

(b)a penalty notice under section 139;

(c)a penalty notice under section 140(5);

(d)a penalty notice under section 141(6).

(2)OFCOM must publish details identifying the person and describing—

(a)the failure (or failures) to which the decision or notice relates, and

(b)OFCOM’s response.

(3)But OFCOM may not publish anything that, in OFCOM’s opinion—

(a)is confidential in accordance with subsections (4) and (5), or

(b)is otherwise not appropriate for publication.

(4)A matter is confidential under this subsection if—

(a)it relates specifically to the affairs of a particular body, and

(b)publication of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that body.

(5)A matter is confidential under this subsection if—

(a)it relates to the private affairs of an individual, and

(b)publication of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that individual.

(6)Where OFCOM have given a person a provisional notice of contravention but have not given the person a confirmation decision, OFCOM may publish details identifying the person and describing the reasons for the provisional notice.

(7)OFCOM must notify the person concerned that information has been published under this section.

150Publication by providers of details of enforcement action

(1)This section applies where—

(a)OFCOM have given a person (and not withdrawn) any of the following—

(i)a confirmation decision;

(ii)a penalty notice under section 139;

(iii)a penalty notice under section 140(5);

(iv)a penalty notice under section 141(6), and

(b)the appeal period in relation to the decision or notice has ended.

(2)OFCOM may give to the person a notice (a “publication notice”) requiring the person to—

(a)publish details describing—

(i)the failure (or failures) to which the decision or notice mentioned in subsection (1)(a) relates, and

(ii)OFCOM’s response, or

(b)otherwise notify users of the service to which the decision or notice mentioned in subsection (1)(a) relates of those details.

(3)A publication notice may require a person to publish details under subsection (2)(a) or give notification of details under subsection (2)(b) or both.

(4)A publication notice must—

(a)specify the decision or notice mentioned in subsection (1)(a) to which it relates,

(b)specify or describe the details that must be published or notified,

(c)specify the form and manner in which the details must be published or notified,

(d)specify a date by which the details must be published or notified, and

(e)contain information about the consequences of not complying with the notice.

(5)Where a publication notice requires a person to publish details under subsection (2)(a) the notice may also specify a period during which publication in the specified form and manner must continue.

(6)Where a publication notice requires a person to give notification of details under subsection (2)(b) the notice may only require that notification to be given to United Kingdom users of the service (see section 227).

(7)A publication notice may not require a person to publish or give notification of anything that, in OFCOM’s opinion—

(a)is confidential in accordance with subsections (8) and (9), or

(b)is otherwise not appropriate for publication or notification.

(8)A matter is confidential under this subsection if—

(a)it relates specifically to the affairs of a particular body, and

(b)publication or notification of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that body.

(9)A matter is confidential under this subsection if—

(a)it relates to the private affairs of an individual, and

(b)publication or notification of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that individual.

(10)A person to whom a publication notice is given has a duty to comply with it.

(11)The duty under subsection (10) is enforceable in civil proceedings by OFCOM—

(a)for an injunction,

(b)for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or

(c)for any other appropriate remedy or relief.

(12)For the purposes of subsection (1)(b)the appeal period”, in relation to a decision or notice mentioned in subsection (1)(a), means—

(a)the period during which any appeal relating to the decision or notice may be made, or

(b)where such an appeal has been made, the period ending with the determination or withdrawal of that appeal.

Guidance

151OFCOM’s guidance about enforcement action

(1)OFCOM must produce guidance for providers of regulated services about how OFCOM propose to exercise their functions under this Chapter.

(2)The guidance must, in particular, give information about the factors that OFCOM would consider it appropriate to take into account when taking, or considering taking, enforcement action relating to a person’s failure to comply with different kinds of enforceable requirements.

(3)In relation to any enforcement action by OFCOM which relates to a failure by a provider of a regulated service to comply with a relevant duty, the guidance must include provision explaining how OFCOM will take into account the impact (or possible impact) of such a failure on children.

(4)Before producing the guidance (including revised or replacement guidance), OFCOM must consult—

(a)the Secretary of State,

(b)the Information Commissioner, and

(c)such other persons as OFCOM consider appropriate.

(5)OFCOM must publish the guidance (and any revised or replacement guidance).

(6)Guidelines prepared by OFCOM under section 392 of the Communications Act (amount of penalties) may, so far as relating to penalties imposed under this Chapter, be included in the same document as guidance under this section.

(7)In exercising their functions under this Chapter, or deciding whether to exercise them, OFCOM must have regard to the guidance for the time being published under this section.

(8)In this section, a “relevant duty” means—

(a)a duty set out in section 10 or 27 (illegal content),

(b)a duty set out in section 12 or 29 (children’s online safety), or

(c)a duty set out in section 81(2) (children’s access to provider pornographic content).

CHAPTER 7Committees, research and reports

152Advisory committee on disinformation and misinformation

(1)OFCOM must, in accordance with the following provisions of this section, exercise their powers under paragraph 14 of the Schedule to the Office of Communications Act 2002 (committees of OFCOM) to establish and maintain a committee to provide the advice specified in this section.

(2)The committee is to consist of—

(a)a chairman appointed by OFCOM, and

(b)such number of other members appointed by OFCOM as OFCOM consider appropriate.

(3)In appointing persons to be members of the committee, OFCOM must have regard to the desirability of ensuring that the members of the committee include—

(a)persons representing the interests of United Kingdom users of regulated services,

(b)persons representing providers of regulated services, and

(c)persons with expertise in the prevention and handling of disinformation and misinformation online.

(4)The function of the committee is to provide advice to OFCOM (including other committees established by OFCOM) about—

(a)how providers of regulated services should deal with disinformation and misinformation on such services,

(b)OFCOM’s exercise of the power conferred by section 77 to require information about a matter listed in Part 1 or 2 of Schedule 8, so far as relating to disinformation and misinformation, and

(c)OFCOM’s exercise of their functions under section 11 of the Communications Act (duties to promote media literacy) in relation to countering disinformation and misinformation on regulated services.

(5)The committee must publish a report within the period of 18 months after being established, and after that must publish periodic reports.

153Functions of the Content Board

(1)Section 13 of the Communications Act (functions of the Content Board) is amended as follows.

(2)At the beginning of subsection (2), insert “Subject to subsection (3A),”.

(3)After subsection (3) insert—

(3A)OFCOM may, but need not, confer on the Content Board functions in relation to matters that concern the nature or kind of online content in relation to which OFCOM have functions under the Online Safety Act 2023 (see Parts 3 and 5 of that Act).

(4)After subsection (7) insert—

(8)In this section references to “matters mentioned in subsection (2)” do not include references to the matters mentioned in subsection (3A).

154Research about users’ experiences of regulated services

(1)Section 14 of the Communications Act (consumer research) is amended as follows.

(2)After subsection (6A) insert—

(6B)OFCOM must make arrangements for ascertaining—

(a)the state of public opinion from time to time concerning providers of regulated services and their manner of operating their services;

(b)the experiences of United Kingdom users of regulated services in relation to their use of such services;

(c)the experiences of United Kingdom users of regulated user-to-user services and regulated search services in relation to the handling of complaints made by them to providers of such services; and

(d)the interests and experiences of United Kingdom users of regulated services in relation to matters that are incidental to or otherwise connected with their experiences of using such services.

(6C)OFCOM’s report under paragraph 12 of the Schedule to the Office of Communications Act 2002 for each financial year must contain a statement by OFCOM about the research that has been carried out in that year under subsection (6B).

(3)After subsection (8) insert—

(8A)In subsection (6B) the following terms have the same meaning as in the Online Safety Act 2023—

155Consumer consultation

(1)Section 16 of the Communications Act (consumer consultation) is amended as follows.

(2)In subsection (4), after paragraph (d) insert—

(da)regulated services;.

(3)After subsection (5) insert—

(5A)As regards OFCOM’s functions under the Online Safety Act 2023 in relation to regulated services—

(a)the reference in subsection (5) to “the contents” of a thing includes a reference to specific pieces of online content, but

(b)subsection (5) is not to be read as preventing the Consumer Panel from being able to give advice about any matter that more generally concerns—

(i)different kinds of online content in relation to which OFCOM have functions under that Act (see Parts 3 and 5 of that Act), and

(ii)the impact that different kinds of such content may have on United Kingdom users of regulated services.

(4)After subsection (12) insert—

(12A)OFCOM’s report under paragraph 12 of the Schedule to the Office of Communications Act 2002 for each financial year must contain a statement by OFCOM about the arrangements for consultation that have been made in that year under this section, so far as the arrangements relate to regulated services.

(5)In subsection (13), in the definition of “domestic and small business consumer”, in paragraph (b)(i), after “available” insert “or a provider of a regulated service”.

(6)After subsection (13) insert—

(14)In this section the following terms have the same meaning as in the Online Safety Act 2023—

156OFCOM’s statement about freedom of expression and privacy

OFCOM’s report under paragraph 12 of the Schedule to the Office of Communications Act 2002 for each financial year must contain a statement by OFCOM about the steps they have taken, and the processes they operate, to ensure that their online safety functions have been exercised in that year compatibly with Articles 8 and 10 of the Convention (so far as relevant).

157OFCOM’s reports about use of age assurance

(1)OFCOM must produce and publish a report assessing—

(a)how providers of regulated services have used age assurance for the purpose of compliance with their duties set out in this Act,

(b)how effective the use of age assurance has been for that purpose, and

(c)whether there are factors that have prevented or hindered the effective use of age assurance, or a particular kind of age assurance, for that purpose,

(and in this section, references to a report are to a report described in this subsection).

(2)A report must, in particular, consider whether the following have prevented or hindered the effective use of age assurance—

(a)the costs to providers of using it, and

(b)the need to protect users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a regulated service (including, but not limited to, any such provision or rule concerning the processing of personal data).

(3)Unless the Secretary of State requires the production of a further report (see subsection (6)), the requirement in subsection (1) is met by producing and publishing one report within the period of 18 months beginning with the day on which sections 12 and 81(2) come into force (or if those provisions come into force on different days, the period of 18 months beginning with the later of those days).

(4)In preparing a report, OFCOM must consult—

(a)the Information Commissioner, and

(b)such other persons as OFCOM consider appropriate.

(5)OFCOM must send a copy of a report to the Secretary of State, and the Secretary of State must lay it before Parliament.

(6)The Secretary of State may require OFCOM to produce and publish a further report in response to—

(a)the development of age assurance technology, or

(b)evidence of the reduced effectiveness of such technology.

(7)But such a requirement may not be imposed—

(a)within the period of three years beginning with the date on which the first report is published, or

(b)more frequently than once every three years.

(8)For further provision about reports under this section, see section 164.

(9)In this section “age assurance” means age verification or age estimation.

158OFCOM’s reports about news publisher content and journalistic content

(1)OFCOM must produce and publish a report assessing the impact of the regulatory framework provided for in this Act on the availability and treatment of news publisher content and journalistic content on Category 1 services (and in this section, references to a report are to a report described in this subsection).

(2)Unless the Secretary of State requires the production of a further report (see subsection (6)), the requirement in subsection (1) is met by producing and publishing one report within the period of two years beginning with the day on which sections 18 and 19 come into force (or if those sections come into force on different days, the period of two years beginning with the later of those days).

(3)A report must, in particular, consider how effective the duties to protect such content set out in sections 18 and 19 are at protecting it.

(4)In preparing a report, OFCOM must consult—

(a)persons who represent recognised news publishers,

(b)persons who appear to OFCOM to represent creators of journalistic content,

(c)persons who appear to OFCOM to represent providers of Category 1 services, and

(d)such other persons as OFCOM consider appropriate.

(5)OFCOM must send a copy of a report to the Secretary of State, and the Secretary of State must lay it before Parliament.

(6)The Secretary of State may require OFCOM to produce and publish a further report if the Secretary of State considers that the regulatory framework provided for in this Act is, or may be, having a detrimental effect on the availability and treatment of news publisher content or journalistic content on Category 1 services.

(7)But such a requirement may not be imposed—

(a)within the period of three years beginning with the date on which the first report is published, or

(b)more frequently than once every three years.

(8)For further provision about reports under this section, see section 164.

(9)In this section—

(10)For the meaning of “Category 1 service”, see section 95 (register of categories of services).

159OFCOM’s transparency reports

(1)OFCOM must produce transparency reports based on information contained in the transparency reports produced by providers of Part 3 services under section 77.

(2)OFCOM’s transparency reports must contain—

(a)a summary of conclusions drawn from the transparency reports produced under section 77 regarding patterns or trends which OFCOM have identified in such reports,

(b)a summary of measures mentioned in such transparency reports which OFCOM consider to be good industry practice, and

(c)any other information from such transparency reports which OFCOM consider it appropriate to include.

(3)OFCOM’s first transparency report must be published by the end of the period of one year beginning with—

(a)the day on which the first report under section 77 is published by a provider of a Part 3 service (see subsection (3)(d) of that section), or

(b)if later, the earliest date specified by OFCOM for submission of a report under section 77 in a notice given to a provider (see subsection (3)(c) of that section).

(4)OFCOM must publish a transparency report at least once a year after the publication of their first transparency report.

(5)For further provision about reports under this section, see section 164.

160OFCOM’s report about reporting and complaints procedures

(1)OFCOM must produce a report assessing the measures taken or in use by providers of Part 3 services to enable users and others to—

(a)report particular kinds of content present on such services, and

(b)make complaints to providers of such services.

(2)OFCOM’s report must take into account the experiences of users and others in reporting content and making complaints to providers of Part 3 services, including—

(a)how clear the procedures are for reporting content and making complaints,

(b)how easy it is to do those things, and

(c)whether providers are taking appropriate and timely action in response to reports and complaints that are made.

(3)The report must include advice from OFCOM about whether they consider that the Secretary of State should make regulations under section 217 (duty about alternative dispute resolution procedure).

(4)In the report, OFCOM may make recommendations that they consider would improve the experiences of users and others in reporting content or making complaints to providers of Part 3 services, or would deliver better outcomes in relation to reports or complaints that are made.

(5)In preparing the report under this section, OFCOM must consult—

(a)the Secretary of State,

(b)persons who appear to OFCOM to represent the interests of United Kingdom users of Part 3 services,

(c)persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),

(d)the Information Commissioner, and

(e)such other persons as OFCOM consider appropriate.

(6)The report may draw on OFCOM’s research under section 14 of the Communications Act (see subsection (6B) of that section).

(7)The report is not required to address any matters which are the subject of a report by OFCOM under section 158 (report about the availability and treatment of news publisher content and journalistic content).

(8)OFCOM must publish the report within the period of two years beginning with the day on which this section comes into force.

(9)OFCOM must send a copy of the report to the Secretary of State, and the Secretary of State must lay it before Parliament.

(10)The Secretary of State must publish a statement responding to the report within the period of three months beginning with the day on which the report is published, and the statement must include a response to OFCOM’s advice about whether to make regulations under section 217.

(11)The statement must be published in such manner as the Secretary of State considers appropriate for bringing it to the attention of persons who may be affected by it.

(12)For further provision about the report under this section, see section 164.

(13)References in this section to “users and others” are to United Kingdom users and individuals in the United Kingdom.

161OFCOM’s report about use of app stores by children

(1)OFCOM must produce a report about the use of app stores by children.

(2)In particular, the report must—

(a)assess what role app stores play in children encountering content that is harmful to children, search content that is harmful to children or regulated provider pornographic content by means of regulated apps which the app stores make available,

(b)assess the extent to which age assurance is currently used by providers of app stores, and how effective it is, and

(c)explore whether children’s online safety would be better protected by the greater use of age assurance or particular kinds of age assurance by such providers, or by other measures.

(3)OFCOM must publish the report during the period beginning two years, and ending three years, after the day on which sections 12 and 29 come into force (or if those sections come into force on different days, the later of those days).

(4)For further provision about the report under this section, see section 164.

(5)In this section—

(6)In this section references to children are to children in the United Kingdom.

162OFCOM’s report about researchers’ access to information

(1)OFCOM must produce a report—

(a)describing how, and to what extent, persons carrying out independent research into online safety matters are currently able to obtain information from providers of regulated services to inform their research,

(b)exploring the legal and other issues which currently constrain the sharing of information for such purposes, and

(c)assessing the extent to which greater access to information for such purposes might be achieved.

(2)For the purposes of this section a person carries out “independent research” if the person carries out research on behalf of a person other than a provider of a regulated service.

(3)In preparing the report, OFCOM must consult—

(a)the Information Commissioner,

(b)the Centre for Data Ethics and Innovation,

(c)United Kingdom Research and Innovation,

(d)persons who appear to OFCOM to represent providers of regulated services, and

(e)such other persons as OFCOM consider appropriate.

(4)OFCOM must publish the report within the period of 18 months beginning with the day on which this section comes into force.

(5)OFCOM must send a copy of the report to the Secretary of State, and the Secretary of State must lay it before Parliament.

(6)For further provision about the report under this section, see section 164.

(7)OFCOM must produce guidance about the matters dealt with by the report for providers of regulated services and persons carrying out independent research into online safety matters.

(8)Before producing the guidance (including revised guidance) OFCOM must consult the persons mentioned in subsection (3).

(9)OFCOM must publish the guidance (and any revised guidance).

(10)OFCOM must include in each transparency report under section 159 an assessment of the effectiveness of the guidance.

163OFCOM’s report in connection with investigation into a death

(1)Subsection (2) applies if OFCOM receive—

(a)a notice from a senior coroner under paragraph 1(2) of Schedule 5 to the Coroners and Justice Act 2009 in connection with an investigation into the death of a person;

(b)a request for information in connection with the investigation of a procurator fiscal into, or an inquiry held or to be held in relation to, the death of a person;

(c)a notice from a coroner under section 17A(2) of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.)) in connection with—

(i)an investigation to determine whether an inquest into the death of a person is necessary, or

(ii)an inquest in relation to the death of a person.

(2)OFCOM may produce a report for use by the coroner or procurator fiscal, dealing with any matters that they consider may be relevant.

(3)In subsection (1)(b) “inquiry” means an inquiry held, or to be held, under the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (asp 2).

164OFCOM’s reports

(1)OFCOM may from time to time produce and publish reports about online safety matters.

(2)In publishing a report mentioned in subsection (5), OFCOM must have regard to the need to exclude from publication, so far as that is practicable, the matters which are confidential in accordance with subsections (3) and (4).

(3)A matter is confidential under this subsection if—

(a)it relates specifically to the affairs of a particular body, and

(b)publication of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that body.

(4)A matter is confidential under this subsection if—

(a)it relates to the private affairs of an individual, and

(b)publication of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that individual.

(5)The reports referred to in subsection (2) are—

(a)a report under section 128 (report in connection with notices to deal with terrorism content and CSEA content),

(b)a report under section 157 (report about use of age assurance),

(c)a report under section 158 (report about news publisher content and journalistic content),

(d)a report under section 159 (transparency report),

(e)a report under section 160 (report about reporting and complaints procedures),

(f)a report under section 161 (report about use of app stores by children),

(g)a report under section 162 (report about researchers’ access to information), and

(h)a report produced under this section.

(6)See also section 116(3) (restriction on publishing intelligence service information).

CHAPTER 8Media literacy

165Media literacy

(1)Section 11 of the Communications Act is amended in accordance with subsections (2) to (5).

(2)Before subsection (1) insert—

(A1)In this section—

(a)subsection (1) imposes duties on OFCOM which apply in relation to material published by means of the electronic media (including by means of regulated services), and

(b)subsections (1A) to (1E) expand on those duties, and impose further duties on OFCOM, in relation to regulated services only.

(3)After subsection (1) insert—

(1A)OFCOM must take such steps, and enter into such arrangements, as they consider most likely to be effective in heightening the public’s awareness and understanding of ways in which they can protect themselves and others when using regulated services, in particular by helping them to—

(a)understand the nature and impact of harmful content and the harmful ways in which regulated services may be used, especially content and activity disproportionately affecting particular groups, including women and girls;

(b)reduce their and others’ exposure to harmful content and to the use of regulated services in harmful ways, especially content and activity disproportionately affecting particular groups, including women and girls;

(c)use or apply—

(i)features included in a regulated service, including features mentioned in section 15(2) of the Online Safety Act 2023, and

(ii)tools or apps, including tools such as browser extensions,

so as to mitigate the harms mentioned in paragraph (b);

(d)establish the reliability, accuracy and authenticity of content;

(e)understand the nature and impact of disinformation and misinformation, and reduce their and others’ exposure to it;

(f)understand how their personal information may be protected.

(1B)OFCOM must take such steps, and enter into such arrangements, as they consider most likely to encourage the development and use of technologies and systems for supporting users of regulated services to protect themselves and others as mentioned in paragraph (a), (b), (c), (d) or (e) of subsection (1A), including technologies and systems which—

(a)provide further context to users about content they encounter;

(b)help users to identify, and provide further context about, content of democratic importance present on regulated user-to-user services;

(c)signpost users to resources, tools or information raising awareness about how to use regulated services so as to mitigate the harms mentioned in subsection (1A)(b).

(1C)OFCOM’s duty under subsection (1A) is to be performed in the following ways (among others)—

(a)pursuing activities and initiatives,

(b)commissioning others to pursue activities and initiatives,

(c)taking steps designed to encourage others to pursue activities and initiatives, and

(d)making arrangements for the carrying out of research (see section 14(6)(a)).

(1D)OFCOM must draw up, and from time to time review and revise, a statement recommending ways in which others, including providers of regulated services, might develop, pursue and evaluate activities or initiatives relevant to media literacy in relation to regulated services.

(1E)OFCOM must publish the statement and any revised statement in such manner as they consider appropriate for bringing it to the attention of the persons who, in their opinion, are likely to be affected by it.

(4)After subsection (2) insert—

(3)In this section and in section 11A, “regulated service” means—

(a)a regulated user-to-user service, or

(b)a regulated search service.

Regulated user-to-user service” and “regulated search service” have the same meaning as in the Online Safety Act 2023 (see section 4 of that Act).

(4)In this section—

(a)content”, in relation to regulated services, means regulated user-generated content, search content or fraudulent advertisements;

(b)the following terms have the same meaning as in the Online Safety Act 2023—

(5)In the heading, for “Duty” substitute “Duties”.

(6)In section 14 of the Communications Act (consumer research), in subsection (6)(a), after “11(1)” insert “, (1A) and (1B)”.

166Media literacy strategy and media literacy statement

After section 11 of the Communications Act insert—

11ARegulated services: media literacy strategy and media literacy statement

(1)OFCOM must prepare and publish a media literacy strategy within the period of one year beginning with the day on which the Online Safety Act 2023 is passed.

(2)A media literacy strategy is a plan setting out how OFCOM propose to exercise their functions under section 11 in the period covered by the plan, which must be not more than three years.

(3)In particular, a media literacy strategy must state OFCOM’s objectives and priorities for the period it covers.

(4)Before the end of the period covered by a media literacy strategy, OFCOM must prepare and publish a media literacy strategy for a further period, ensuring that each successive strategy covers a period beginning immediately after the end of the last one.

(5)In preparing or revising a media literacy strategy, OFCOM must consult such persons as they consider appropriate.

(6)OFCOM’s annual report must contain a media literacy statement.

(7)A media literacy statement is a statement by OFCOM—

(a)summarising what they have done in the financial year to which the report relates in the exercise of their functions under section 11, and

(b)assessing what progress has been made towards achieving the objectives and priorities set out in their media literacy strategy in that year.

(8)A media literacy statement must include a summary and an evaluation of the activities and initiatives pursued or commissioned by OFCOM in the exercise of their functions under section 11 in the financial year to which the report relates.

(9)The first annual report that is required to contain a media literacy statement is the report for the financial year during which OFCOM’s first media literacy strategy is published, and that first statement is to relate to the period from publication day until the end of that financial year.

(10)But if OFCOM’s first media literacy strategy is published during the second half of a financial year—

(a)the first annual report that is required to contain a media literacy statement is the report for the next financial year, and

(b)that first statement is to relate to the period from publication day until the end of that financial year.

(11)References in this section to OFCOM’s functions under section 11 are to those functions so far as they relate to regulated services.

(12)In this section—

PART 8Appeals and super-complaints

CHAPTER 1Appeals

167Appeals against OFCOM decisions relating to the register under section 95

(1)This section applies to the following decisions of OFCOM—

(a)a decision to include a regulated user-to-user service in the part of the register referred to in section 95(2)(a) (Category 1 services);

(b)a decision not to remove a regulated user-to-user service from that part of the register;

(c)a decision to include a regulated search service or a combined service in the part of the register referred to in section 95(2)(b) (Category 2A services);

(d)a decision not to remove a regulated search service or a combined service from that part of the register;

(e)a decision to include a regulated user-to-user service in the part of the register referred to in section 95(2)(c) (Category 2B services);

(f)a decision not to remove a regulated user-to-user service from that part of the register.

(2)The provider of the service to which the decision relates may appeal to the Upper Tribunal against the decision.

(3)Where an appeal is made under subsection (1)(a), (c) or (e), any special requirements need not be complied with until the determination or withdrawal of the appeal.

(4)Special requirement” means—

(a)in the case of an appeal against a decision mentioned in subsection (1)(a)

(i)any duty or requirement of this Act that applies in relation to Category 1 services but not in relation to any other regulated services, or

(ii)any duty or requirement of this Act that applies in relation to Category 1 services, Category 2A services and Category 2B services but not in relation to any other regulated services;

(b)in the case of an appeal against a decision mentioned in subsection (1)(c)

(i)any duty or requirement of this Act that applies in relation to Category 2A services but not in relation to any other regulated services, or

(ii)any duty or requirement of this Act that applies in relation to Category 1 services, Category 2A services and Category 2B services but not in relation to any other regulated services;

(c)in the case of an appeal against a decision mentioned in subsection (1)(e), any duty or requirement of this Act that applies in relation to Category 1 services, Category 2A services and Category 2B services but not in relation to any other regulated services.

(5)The Upper Tribunal must decide the appeal by applying the same principles as would be applied—

(a)by the High Court on an application for judicial review, or

(b)in Scotland, on an application to the supervisory jurisdiction of the Court of Session.

(6)On an appeal under this section, the Upper Tribunal may—

(a)dismiss the appeal, or

(b)quash the decision being challenged.

(7)Where a decision is quashed, the Upper Tribunal must remit the decision to OFCOM for reconsideration with such directions (if any) as the Tribunal considers appropriate.

168Appeals against OFCOM notices

(1)An appeal to the Upper Tribunal against OFCOM’s decision to give to a person—

(a)a notice under section 121(1) (notices to deal with terrorism content and CSEA content),

(b)a confirmation decision, or

(c)a penalty notice,

may be brought by any person with a sufficient interest in the decision.

(2)An appeal under subsection (1) by a person other than the person given the notice or decision in question may be brought only with the permission (or leave) of the Upper Tribunal.

(3)The Upper Tribunal must decide the appeal by applying the same principles as would be applied—

(a)by the High Court on an application for judicial review, or

(b)in Scotland, on an application to the supervisory jurisdiction of the Court of Session.

(4)On an appeal under this section, the Upper Tribunal may—

(a)dismiss the appeal, or

(b)quash the decision being challenged.

(5)Where a decision is quashed, the Upper Tribunal must remit the decision to OFCOM for reconsideration with such directions (if any) as the Tribunal considers appropriate.

(6)In this section “penalty notice” means a penalty notice under section 139, 140(5) or 141(6).

CHAPTER 2Super-complaints

169Power to make super-complaints

(1)An eligible entity may make a complaint to OFCOM that any feature of one or more regulated services, or any conduct of one or more providers of such services, or any combination of such features and such conduct is, appears to be, or presents a material risk of—

(a)causing significant harm to users of the services or members of the public, or a particular group of such users or members of the public;

(b)significantly adversely affecting the right to freedom of expression within the law of users of the services or members of the public, or of a particular group of such users or members of the public; or

(c)otherwise having a significant adverse impact on users of the services or members of the public, or on a particular group of such users or members of the public.

(2)But a complaint under subsection (1) that relates to a single regulated service or that relates to a single provider of one or more regulated services is only admissible if OFCOM consider that—

(a)the complaint is of particular importance, or

(b)the complaint relates to the impacts on a particularly large number of users of the service or members of the public.

(3)An entity is an “eligible entity” if the entity meets criteria specified in regulations made by the Secretary of State.

(4)Regulations under subsection (3) must specify as one of the criteria that the entity must be a body representing the interests of users of regulated services, or members of the public, or a particular group of such users or members of the public.

(5)Before making regulations under subsection (3), the Secretary of State must consult—

(a)OFCOM, and

(b)such other persons as the Secretary of State considers appropriate.

(6)In this section—

170Procedure for super-complaints

(1)The Secretary of State must make regulations containing provision about procedural matters relating to complaints under section 169.

(2)Such regulations may, in particular, include provision about the following matters—

(a)notification to OFCOM of an intention to make a complaint under section 169;

(b)the form and manner of such a complaint, including requirements for supporting evidence in relation to—

(i)matters mentioned in subsections (1) and (2) of section 169, and

(ii)criteria specified in regulations under subsection (3) of that section;

(c)steps that OFCOM must take in relation to such a complaint, including requirements for publication of responses;

(d)time limits for taking steps in relation to such a complaint (or provision about how such time limits are to be determined) including time limits in relation to the determination of—

(i)whether a complaint is a complaint that is within section 169(1),

(ii)where applicable, whether a complaint is admissible under section 169(2), and

(iii)whether an entity is an eligible entity (see section 169(3)).

(3)Before making regulations under subsection (1), the Secretary of State must consult—

(a)OFCOM, and

(b)such other persons as the Secretary of State considers appropriate.

171OFCOM’s guidance about super-complaints

(1)OFCOM must produce guidance about complaints under section 169, which must include guidance about—

(a)the criteria specified in regulations under section 169(3),

(b)procedural matters relating to such complaints, and

(c)any other aspect of such complaints that OFCOM consider it appropriate to include.

(2)OFCOM must publish the guidance (and any revised or replacement guidance).

PART 9Secretary of State's functions in relation to regulated services

Strategic priorities

172Statement of strategic priorities

(1)The Secretary of State may designate a statement for the purposes of this section if the requirements set out in section 173 (consultation and parliamentary procedure) are satisfied.

(2)The statement is a statement prepared by the Secretary of State that sets out strategic priorities of His Majesty’s Government in the United Kingdom relating to online safety matters.

(3)The statement may, among other things, set out particular outcomes identified with a view to achieving the strategic priorities.

(4)This section does not restrict the Secretary of State’s powers under any other provision of this Act or any other enactment.

(5)A statement designated under subsection (1) must be published in such manner as the Secretary of State considers appropriate.

(6)A statement designated under subsection (1) may be amended (including by replacing the whole or a part of the statement with new material) by a subsequent statement designated under that subsection, and this section and sections 92 and 173 apply in relation to any such subsequent statement as they apply in relation to the original statement.

(7)Except as provided by subsection (8), no amendment may be made under subsection (6) within the period of five years beginning with the day on which a statement was most recently designated under subsection (1).

(8)An earlier amendment may be made under subsection (6) if—

(a)since that day—

(i)a Parliamentary general election has taken place, or

(ii)there has been a significant change in the policy of His Majesty’s Government affecting online safety matters, or

(b)the Secretary of State considers that the statement, or any part of it, conflicts with any of OFCOM’s general duties (within the meaning of section 3 of the Communications Act).

173Consultation and parliamentary procedure

(1)This section sets out the requirements that must be satisfied in relation to a statement before the Secretary of State may designate it under section 172.

(2)The Secretary of State must consult—

(a)OFCOM, and

(b)such other persons as the Secretary of State considers appropriate,

on a draft of the statement.

(3)The Secretary of State must allow OFCOM a period of at least 40 days to respond to any consultation under subsection (2)(a).

(4)After that period has ended the Secretary of State—

(a)must make any changes to the draft that appear to the Secretary of State to be necessary in view of responses to the consultation, and

(b)must then lay the draft before Parliament.

(5)The Secretary of State must then wait until the end of the 40-day period and may not designate the statement if, within that period, either House of Parliament resolves not to approve it.

(6)“The 40-day period” is the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House on the same day, the later of the days on which it is laid).

(7)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.

Directions to OFCOM

174Directions about advisory committees

(1)The Secretary of State may give OFCOM a direction requiring OFCOM to establish a committee to provide them with advice about online safety matters of a kind specified in the direction.

(2)The Secretary of State must consult OFCOM before giving or varying such a direction.

(3)A committee required to be established by a direction is to consist of the following members, unless the direction specifies otherwise—

(a)a chairman appointed by OFCOM, and

(b)such number of other members appointed by OFCOM as OFCOM consider appropriate.

(4)A committee required to be established by a direction must, unless the direction specifies otherwise, publish a report within the period of 18 months after being established, and after that must publish periodic reports.

(5)The Secretary of State may vary or revoke a direction given under this section.

175Directions in special circumstances

(1)The Secretary of State may give a direction to OFCOM under subsection (2) or (3) if the Secretary of State has reasonable grounds for believing that circumstances exist that present a threat—

(a)to the health or safety of the public, or

(b)to national security.

(2)A direction under this subsection is a direction requiring OFCOM, in exercising their media literacy functions, to give priority for a specified period to specified objectives designed to address the threat presented by the circumstances mentioned in subsection (1).

(3)A direction under this subsection is a direction requiring OFCOM to give a public statement notice to—

(a)a specified provider of a regulated service, or

(b)providers of regulated services generally.

(4)A “public statement notice” is a notice requiring a provider of a regulated service to make a publicly available statement, by a date specified in the notice, about steps the provider is taking in response to the threat presented by the circumstances mentioned in subsection (1).

(5)OFCOM may, by a public statement notice or a subsequent notice, require a provider of a regulated service to provide OFCOM with such information as they may require for the purpose of responding to that threat.

(6)If a direction under subsection (2) or (3) is given on the ground mentioned in subsection (1)(a), the Secretary of State must publish the reasons for giving the direction.

(7)The Secretary of State may vary or revoke a direction given under subsection (2) or (3).

(8)If the Secretary of State varies or revokes a direction given under subsection (3), OFCOM may, in consequence, vary or revoke a public statement notice that they have given by virtue of the direction.

(9)In subsection (2)media literacy functions” means OFCOM’s functions under section 11 of the Communications Act (duties to promote media literacy), so far as functions under that section relate to regulated services.

(10)In subsections (2) and (3)specified” means specified in a direction under this section.

Guidance

176Secretary of State’s guidance

(1)The Secretary of State may issue guidance to OFCOM about—

(a)OFCOM’s exercise of their functions under this Act,

(b)OFCOM’s exercise of their powers under section 1(3) of the Communications Act (functions and general powers of OFCOM) to carry out research in connection with online safety matters or to arrange for others to carry out research in connection with such matters, and

(c)OFCOM’s exercise of their functions under section 11 of the Communications Act (media literacy) in relation to regulated services.

(2)In the rest of this section, “the guidance” means any such guidance as is mentioned in subsection (1), except that it does not include guidance under section 87 (guidance to OFCOM about fees).

(3)The Secretary of State must consult OFCOM before issuing, revising or replacing the guidance.

(4)The guidance may not be revised or replaced more frequently than once every three years unless—

(a)the guidance needs to be corrected because of an amendment, repeal or modification of any provision of this Act or of section 11 of the Communications Act, or

(b)the revision or replacement is by agreement between the Secretary of State and OFCOM.

(5)The guidance must be issued as one document.

(6)The Secretary of State must lay the guidance (including revised or replacement guidance) before Parliament.

(7)The Secretary of State must publish the guidance (and any revised or replacement guidance).

(8)In exercising any functions to which the guidance relates, or deciding whether to exercise them, OFCOM must have regard to the guidance for the time being published under this section.

Annual report

177Annual report on the Secretary of State’s functions

In section 390 of the Communications Act (annual report on the Secretary of State’s functions), in subsection (2), after paragraph (e) insert—

(f)the Online Safety Act 2023.

Review

178Review

(1)The Secretary of State must review the operation of—

(a)the regulatory framework provided for in this Act, and

(b)section 11 of the Communications Act, to the extent that that section relates to regulated services.

(2)The review—

(a)must not be carried out before the end of the period of two years beginning with the day on which the last of the provisions of Part 3 comes into force, but

(b)must be carried out before the end of the period of five years beginning with that day.

(3)The review must, in particular, consider how effective the regulatory framework provided for in this Act is at—

(a)securing that regulated services are operated using systems and processes that, so far as relevant—

(i)minimise the risk of harm to individuals in the United Kingdom presented by content on regulated services,

(ii)provide higher levels of protection for children than for adults,

(iii)provide transparency and accountability to users in relation to actions taken to comply with duties set out in Chapter 2, 3, 4 or 5 of Part 3, Chapter 1, 3 or 4 of Part 4, or Part 5,

(iv)protect the right of users and (in the case of search services or combined services) interested persons to freedom of expression within the law, and

(v)protect users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a regulated service (including, but not limited to, any such provision or rule concerning the processing of personal data); and

(b)ensuring that regulation of services is proportionate, having regard to the level of risk of harm presented by regulated services of different kinds and to the size and capacity of providers.

(4)The review must also, in particular, consider—

(a)the effectiveness of—

(i)the information gathering and information sharing powers available to OFCOM, and

(ii)the enforcement powers available to OFCOM; and

(b)the extent to which OFCOM have had regard to the desirability of encouraging innovation by providers of regulated services.

(5)In carrying out the review, the Secretary of State must consult—

(a)OFCOM, and

(b)such other persons as the Secretary of State considers appropriate.

(6)In carrying out the review, the Secretary of State must take into account any report published by OFCOM under section 158 (reports about news publisher content and journalistic content).

(7)The Secretary of State must produce and publish a report on the outcome of the review.

(8)The report must be laid before Parliament.

(9)In subsection (3)content on regulated services” means—

(a)regulated user-generated content present on regulated services,

(b)search content of regulated services,

(c)fraudulent advertisements present on regulated services, and

(d)regulated provider pornographic content published or displayed on regulated services.

(10)In subsection (9)

PART 10Communications offences

False and threatening communications offences

179False communications offence

(1)A person commits an offence if—

(a)the person sends a message (see section 182),

(b)the message conveys information that the person knows to be false,

(c)at the time of sending it, the person intended the message, or the information in it, to cause non-trivial psychological or physical harm to a likely audience, and

(d)the person has no reasonable excuse for sending the message.

(2)For the purposes of this offence an individual is a “likely audience” of a message if, at the time the message is sent, it is reasonably foreseeable that the individual—

(a)would encounter the message, or

(b)in the online context, would encounter a subsequent message forwarding or sharing the content of the message.

(3)In a case where several or many individuals are a likely audience, it is not necessary for the purposes of subsection (1)(c) that the person intended to cause harm to any one of them in particular (or to all of them).

(4)See section 180 for exemptions from the offence under this section.

(5)A person who commits an offence under this section is liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the maximum term for summary offences or a fine (or both);

(b)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding level 5 on the standard scale (or both).

(6)In subsection (5)(a)the maximum term for summary offences” means—

(a)if the offence is committed before the time when section 281(5) of the Criminal Justice Act 2003 comes into force, 6 months;

(b)if the offence is committed after that time, 51 weeks.

(7)Proceedings for an offence under this section may be brought within the period of 6 months beginning with the date on which evidence sufficient in the opinion of the prosecutor to justify the proceedings comes to the prosecutor’s knowledge.

(8)But such proceedings may not be brought by virtue of subsection (7) more than 3 years after the commission of the offence.

(9)A certificate signed by the prosecutor as to the date on which the evidence in question came to the prosecutor’s knowledge is conclusive evidence of the date on which it did so; and a certificate to that effect and purporting to be so signed is to be treated as being so signed unless the contrary is proved.

180Exemptions from offence under section 179

(1)A recognised news publisher cannot commit an offence under section 179.

(2)An offence under section 179 cannot be committed by the holder of a licence under the Broadcasting Act 1990 or 1996 in connection with anything done under the authority of the licence.

(3)An offence under section 179 cannot be committed by the holder of a multiplex licence in connection with anything done under the authority of the licence.

(4)An offence under section 179 cannot be committed by the provider of an on-demand programme service in connection with anything done in the course of providing such a service.

(5)An offence under section 179 cannot be committed in connection with the showing of a film made for cinema to members of the public.

181Threatening communications offence

(1)A person commits an offence if—

(a)the person sends a message (see section 182),

(b)the message conveys a threat of death or serious harm, and

(c)at the time of sending it, the person—

(i)intended an individual encountering the message to fear that the threat would be carried out (whether or not by the person sending the message), or

(ii)was reckless as to whether an individual encountering the message would fear that the threat would be carried out (whether or not by the person sending the message).

(2)Serious harm” means—

(a)serious injury amounting to grievous bodily harm within the meaning of the Offences against the Person Act 1861,

(b)rape,

(c)assault by penetration within the meaning of section 2 of the Sexual Offences Act 2003, or

(d)serious financial loss.

(3)In proceedings for an offence under this section relating to a threat of serious financial loss, it is a defence for the person to show that—

(a)the threat was used to reinforce a reasonable demand, and

(b)the person reasonably believed that the use of the threat was a proper means of reinforcing the demand.

(4)If evidence is adduced which is sufficient to raise an issue with respect to the defence under subsection (3), the court must assume that the defence is satisfied unless the prosecution proves beyond reasonable doubt that it is not.

(5)A person who commits an offence under this section is liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(c)on conviction on indictment, to imprisonment for a term not exceeding 5 years or a fine (or both).

182Interpretation of sections 179 to 181

(1)This section applies for the purposes of sections 179 to 181, and references in this section to an offence are to an offence under section 179 or 181.

(2)A person “sends a message” if the person—

(a)sends, transmits or publishes a communication (including an oral communication) by electronic means, or

(b)sends, or gives to an individual, a letter or a thing of any other description,

and references to a message are to be read accordingly.

(3)A person also “sends a message” if the person—

(a)causes a communication (including an oral communication) to be sent, transmitted or published by electronic means, or

(b)causes a letter or a thing of any other description to be—

(i)sent, or

(ii)given to an individual.

(4)But a provider of an internet service by means of which a communication is sent, transmitted or published is not to be regarded as a person who sends a message.

(5)Encounter”, in relation to a message, means read, view, hear or otherwise experience the message.

(6)It does not matter whether the content of a message is created by the person who sends it (so for example, in the online context, an offence may be committed by a person who forwards another person’s direct message or shares another person’s post).

(7)In the application of sections 179 to 181 to the sending by electronic means of a message consisting of or including a hyperlink to other content—

(a)references to the message are to be read as including references to content accessed directly via the hyperlink, and

(b)an individual who is a likely audience in relation to the hyperlink for the purposes of section 179 is to be assumed to be a likely audience in relation to the linked content.

(8)In the application of sections 179 to 181 to the sending of an item on which data is stored electronically, references to the message are to be read as including content accessed by means of the item to which the recipient is specifically directed by the sender (and in this subsection “sending” includes “giving”, and “sender” is to be read accordingly).

(9)In the online context, the date on which a person commits an offence in relation to a message is the date on which the message is first sent by the person.

(10)Recognised news publisher” has the meaning given by section 56.

(11)Multiplex licence” means a licence under section 8 of the Wireless Telegraphy Act 2006 which authorises the provision of a multiplex service within the meaning of section 42(6) of that Act.

(12)On-demand programme service” has the same meaning as in the Communications Act (see section 368A of that Act), and a person is the “provider” of an on-demand programme service if the person has given notification of the person’s intention to provide that service in accordance with section 368BA of that Act.

Offences of sending or showing flashing images

183Offences of sending or showing flashing images electronically

(1)A person (A) commits an offence if—

(a)A sends a communication by electronic means which consists of or includes flashing images (see subsection (13)),

(b)either condition 1 or condition 2 is met, and

(c)A has no reasonable excuse for sending the communication.

(2)Condition 1 is that—

(a)at the time the communication is sent, it is reasonably foreseeable that an individual with epilepsy would be among the individuals who would view it, and

(b)A sends the communication with the intention that such an individual will suffer harm as a result of viewing the flashing images.

(3)Condition 2 is that, when sending the communication—

(a)A believes that an individual (B)—

(i)whom A knows to be an individual with epilepsy, or

(ii)whom A suspects to be an individual with epilepsy,

will, or might, view it, and

(b)A intends that B will suffer harm as a result of viewing the flashing images.

(4)In subsections (2)(a) and (3)(a), references to viewing the communication are to be read as including references to viewing a subsequent communication forwarding or sharing the content of the communication.

(5)The exemptions contained in section 180 apply to an offence under subsection (1) as they apply to an offence under section 179.

(6)For the purposes of subsection (1), a provider of an internet service by means of which a communication is sent is not to be regarded as a person who sends a communication.

(7)In the application of subsection (1) to a communication consisting of or including a hyperlink to other content, references to the communication are to be read as including references to content accessed directly via the hyperlink.

(8)A person (A) commits an offence if—

(a)A shows an individual (B) flashing images by means of an electronic communications device,

(b)when showing the images—

(i)A knows that B is an individual with epilepsy, or

(ii)A suspects that B is an individual with epilepsy,

(c)when showing the images, A intends that B will suffer harm as a result of viewing them, and

(d)A has no reasonable excuse for showing the images.

(9)An offence under subsection (1) or (8) cannot be committed by a healthcare professional acting in that capacity.

(10)A person who commits an offence under subsection (1) or (8) is liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(c)on conviction on indictment, to imprisonment for a term not exceeding 5 years or a fine (or both).

(11)It does not matter for the purposes of this section whether flashing images may be viewed at once (for example, a GIF that plays automatically) or only after some action is performed (for example, pressing play).

(12)In this section—

(a)references to sending a communication include references to causing a communication to be sent;

(b)references to showing flashing images include references to causing flashing images to be shown.

(13)In this section—

Offence of encouraging or assisting serious self-harm

184Offence of encouraging or assisting serious self-harm

(1)A person (D) commits an offence if—

(a)D does a relevant act capable of encouraging or assisting the serious self-harm of another person, and

(b)D’s act was intended to encourage or assist the serious self-harm of another person.

(2)D “does a relevant act” if D—

(a)communicates in person,

(b)sends, transmits or publishes a communication by electronic means,

(c)shows a person such a communication,

(d)publishes material by any means other than electronic means,

(e)sends, gives, shows or makes available to a person—

(i)material published as mentioned in paragraph (d), or

(ii)any form of correspondence, or

(f)sends, gives or makes available to a person an item on which data is stored electronically.

(3)Serious self-harm” means self-harm amounting to—

(a)in England and Wales and Northern Ireland, grievous bodily harm within the meaning of the Offences Against the Person Act 1861, and

(b)in Scotland, severe injury,

and includes successive acts of self-harm which cumulatively reach that threshold.

(4)The person referred to in subsection (1)(a) and (b) need not be a specific person (or class of persons) known to, or identified by, D.

(5)D may commit an offence under this section whether or not serious self-harm occurs.

(6)If a person (D1) arranges for a person (D2) to do an act that is capable of encouraging or assisting the serious self-harm of another person and D2 does that act, D1 is to be treated as also having done it.

(7)In the application of subsection (1) to an act by D involving an electronic communication or a publication in physical form, it does not matter whether the content of the communication or publication is created by D (so for example, in the online context, the offence under this section may be committed by forwarding another person’s direct message or sharing another person’s post).

(8)In the application of subsection (1) to the sending, transmission or publication by electronic means of a communication consisting of or including a hyperlink to other content, the reference in subsection (2)(b) to the communication is to be read as including a reference to content accessed directly via the hyperlink.

(9)In the application of subsection (1) to an act by D involving an item on which data is stored electronically, the reference in subsection (2)(f) to the item is to be read as including a reference to content accessed by means of the item to which the person in receipt of the item is specifically directed by D.

(10)A provider of an internet service by means of which a communication is sent, transmitted or published is not to be regarded as a person who sends, transmits or publishes it.

(11)Any reference in this section to doing an act that is capable of encouraging the serious self-harm of another person includes a reference to doing so by threatening another person or otherwise putting pressure on another person to seriously self-harm.

“Seriously self-harm” is to be interpreted consistently with subsection (3).

(12)Any reference to an act in this section, except in subsection (3), includes a reference to a course of conduct, and references to doing an act are to be read accordingly.

(13)In subsection (3) “act” includes omission.

(14)A person who commits an offence under this section is liable—

(a)on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);

(b)on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);

(c)on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);

(d)on conviction on indictment, to imprisonment for a term not exceeding 5 years or a fine (or both).

Further provision

185Extra-territorial application and jurisdiction

(1)Sections 179(1), 181(1) and 183(1) apply to an act done outside the United Kingdom, but only if the act is done by a person within subsection (2).

(2)A person is within this subsection if the person is—

(a)an individual who is habitually resident in England and Wales or Northern Ireland, or

(b)a body incorporated or constituted under the law of England and Wales or Northern Ireland.

(3)Section 184(1) applies to an act done outside the United Kingdom, but only if the act is done by a person within subsection (4).

(4)A person is within this subsection if the person is—

(a)an individual who is habitually resident in the United Kingdom, or

(b)a body incorporated or constituted under the law of any part of the United Kingdom.

(5)Proceedings for an offence committed under section 179, 181 or 183(1) outside the United Kingdom may be taken, and the offence may for incidental purposes be treated as having been committed, at any place in England and Wales or Northern Ireland.

(6)Proceedings for an offence committed under section 184 outside the United Kingdom may be taken, and the offence may for incidental purposes be treated as having been committed, at any place in the United Kingdom.

(7)In the application of subsection (6) to Scotland, any such proceedings against a person may be taken, and the offence may for incidental purposes be treated as having been committed—

(a)in any sheriff court district in which the person is apprehended or is in custody, or

(b)in such sheriff court district as the Lord Advocate may determine.

(8)In subsection (7)sheriff court district” is to be construed in accordance with the Criminal Procedure (Scotland) Act 1995 (see section 307(1) of that Act).

186Liability of corporate officers

(1)If an offence under section 179, 181, 183 or 184 is committed by a body corporate and it is proved that the offence—

(a)has been committed with the consent or connivance of an officer of the body corporate, or

(b)is attributable to any neglect on the part of an officer of the body corporate,

the officer (as well as the body corporate) commits the offence and is liable to be proceeded against and punished accordingly.

(2)Officer”, in relation to a body corporate, means—

(a)a director, manager, associate, secretary or other similar officer, or

(b)a person purporting to act in any such capacity.

In paragraph (a)director”, in relation to a body corporate whose affairs are managed by its members, means a member of the body corporate.

(3)If an offence under section 184 is committed by a Scottish partnership and it is proved that the offence—

(a)has been committed with the consent or connivance of a partner of the partnership, or

(b)is attributable to any neglect on the part of a partner of the partnership,

the partner (as well as the partnership) commits the offence and is liable to be proceeded against and punished accordingly.

(4)Partner”, in relation to a Scottish partnership, includes any person who was purporting to act as a partner.

Offences to be inserted into Sexual Offences Act 2003

187Sending etc photograph or film of genitals

In the Sexual Offences Act 2003, after section 66 insert—

66ASending etc photograph or film of genitals

(1)A person (A) who intentionally sends or gives a photograph or film of any person’s genitals to another person (B) commits an offence if—

(a)A intends that B will see the genitals and be caused alarm, distress or humiliation, or

(b)A sends or gives such a photograph or film for the purpose of obtaining sexual gratification and is reckless as to whether B will be caused alarm, distress or humiliation.

(2)References to sending or giving such a photograph or film to another person include, in particular—

(a)sending it to another person by any means, electronically or otherwise,

(b)showing it to another person, and

(c)placing it for a particular person to find.

(3)Photograph” includes the negative as well as the positive version.

(4)Film” means a moving image.