Notice

Online Safety Act – illegal content codes of practice 2024: explanatory memorandum

Published 17 December 2024

1. Introduction

1.1 This explanatory memorandum has been prepared by the Department for Science, Innovation and Technology and is laid before Parliament by Command of His Majesty.

2. Purpose of the instrument

2.1 The Rt Hon Peter Kyle MP, Secretary of State for Science, Innovation and Technology at the Department for Science, Innovation and Technology confirms that this Explanatory Memorandum meets the required standard.

2.2 Daniel Okubo, Deputy Director for Online Safety Policy and Regulation at the Department for Science, Innovation and Technology confirms that this Explanatory Memorandum meets the required standard.

3. Contact

3.1 Simon Quinn at the Department for Science, Innovation and Technology (telephone: 07922 576012 or email: osaimplementation@dsit.gov.uk) can be contacted with any queries regarding the draft codes of practice.

Part 1: explanation, and context, of the draft codes of practice

4. Overview of the draft codes of practice

What does the document do?

4.1 The Online Safety Act 2023 (“the OSA”) confers duties on the providers of certain internet services (regulated “user-to-user services” and “search services”) to take proportionate measures to protect users from ‘illegal content’. These are the “illegal content duties” (sections 10 and 27 of the OSA). In outline, a user-to-user service is an internet service on which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user (or other users) of the service. A search service means an internet service that is, or includes, a search engine.

4.2 The OSA requires Ofcom to prepare draft codes of practice for in-scope services describing measures recommended to comply with illegal content duties relating to (i) terrorism (ii) child sexual exploitation and abuse (‘CSEA’) and (iii) other illegal content duties. To minimise duplication and simplify the regime for service providers, Ofcom has compiled these codes of practice into 2 documents: 1 for user-to-user services and 1 for search services. These each contain the codes of practice for terrorism, CSEA and other illegal content duties for that type of service. Ofcom has clearly identified the relevant code(s) for each measure in the index of recommended measures which can be found in section 2 of each document.

4.3 The codes of practice describe the measures services can take to fulfil their illegal content duties. They recommend measures in areas including user support, safety-by-design, additional protections for children, and content moderation or de-indexing.

Where do the draft codes of practice extend to, and apply?

4.4 The extent of these draft codes of practice (that is, the jurisdiction(s) which these draft codes of practice form part of the law of) is England and Wales, Scotland and Northern Ireland.

4.5 The territorial application of these draft codes of practice (that is, where these draft codes of practice produce a practical effect) is England and Wales, Scotland and Northern Ireland.

5. Policy context

What is being done and why?

5.1 The OSA creates a new regulatory framework for user-to-user services and search services. As part of this, it gives all user-to-user services and search services new duties to protect users from illegal content on their services. User-to-user services must also reduce the risks of illegal activity that might be facilitated by their services. These are the ‘illegal content duties’ (sections 10 and 27 of the OSA). The purpose of these duties is to require providers of user-to-user services and search services to take more responsibility for protecting UK-based users from illegal content and activity that is facilitated or encountered via their services.

5.2 The OSA establishes Ofcom as the independent regulator for this regime. Ofcom is responsible for setting out the steps that providers can take to fulfil their new illegal content duties in codes of practice. These steps are not mandatory, and providers can choose to take alternative steps to fulfil these duties. However, providers which take all relevant steps in a code of practice will be considered compliant with the duties. Ofcom has produced 2 documents; 1 for user-to-user services and 1 for search services. This reflects the differences between recommended measures, depending on the type of service (as well as on the size of the service and risks identified).

5.3 The draft codes of practice for user-to-user services and search services describe measures recommended by Ofcom that providers can take to comply with their duties under the OSA. The codes recommend that providers of different kinds and with different capacities take different steps, proportionate to their size, capacity and level of risk. Many of the measures in the draft codes are ‘cross-cutting’ measures which will help to address all illegal harms. Certain measures are targeted at specific high priority harms, including child sexual abuse material (‘CSAM’), terrorism and fraud. For example, these include measures on automated tools to detect CSAM and for establishing routes so that the police and the Financial Conduct Authority (FCA) can report fraud and scams to online service providers. Included measures will also make it easier for users to report potentially illegal content.

5.4 Section 41 of the OSA sets out that Ofcom should consult on draft versions of its codes. After this, section 43 of the OSA sets out that Ofcom should submit final proposed versions to the Secretary of State. Under section 44 of the OSA, the Secretary of State then has the power to direct Ofcom to amend the codes, where the Secretary of State believes this is necessary for certain public policy reasons. Where the Secretary of State does not use these powers, they must lay the codes in Parliament as soon as practicable for scrutiny.

5.5 Through the framework set out in the OSA, Ofcom will be able to update the codes of practice over time as technologies develop, as online offending manifests in different ways and as best practice on protecting users emerges.

What was the previous policy, how is this different?

5.6 The position pre-OSA was that providers of intermediary services (such as user-to-user and search services) did not have specific duties in relation to illegal content, but were subject to the general criminal law with protections from liability as provided for by provisions in The Electronic Commerce (EC Directive) Regulations 2002 and other legislation implementing Articles 12-15 of the E-Commerce Directive (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market). The duties under the OSA will apply in addition. The OSA established new duties for relevant online service providers and requires Ofcom to produce codes of practice and guidance setting out how providers can fulfil these duties. These are the first draft codes of practice produced by Ofcom under section 41 of the OSA.

How has the law changed?

6.1 This is part of a new regulatory regime under the OSA. These are the first draft codes of practice that Ofcom has prepared and which the Secretary of State has laid for parliamentary scrutiny. They set out Ofcom’s recommended steps that user-to-user services and search services can take to fulfil their illegal content duties under the OSA.

6.2 Section 49 of the OSA provides that a provider which takes the steps in a code of practice recommended for compliance with a particular duty is treated as complying with that duty. Section 50 provides that, although a failure to act in accordance with a code of practice is not of itself a ground for bringing legal action against a provider, a court or tribunal must take into account a provision of a code of practice where it is relevant to a question in proceedings and was in force at the relevant time. Ofcom must similarly take a relevant code of practice provision into account in determining questions arising in connection with the exercise of certain functions.

Why was this approach taken to change the law?

6.3 There is a duty under section 41 of the OSA for Ofcom to issue codes of practice for the illegal content duties, as they relate to terrorism content (section 41(1)), CSEA content (section 41(2)) and other illegal content (section 41(3)). The Secretary of State has considered the draft codes of practice and does not intend to give a direction under section 44 of the OSA. Therefore, in line with section 43(2) of the OSA, the Secretary of State is laying the draft codes of practice before Parliament.

7. Consultation

Summary of consultation outcome and methodology

7.1 Ofcom consulted on the draft codes of practice as a part of a package of regulatory proposals under the OSA (the other instruments included in the package do not need to be laid). Ofcom issued 3 consultations:

(i) On 9 November 2023, “Protecting people from illegal harms online”. The consultation documents and non-confidential responses are available on the Ofcom website
(ii) On 8 May 2024, “Protecting children from harms online”. This contained some amended proposals in relation to illegal harms online. The consultation documents and non-confidential responses are available on the Ofcom website
(iii) On 2 August 2024, “Torture and animal cruelty”. The consultation documents and non-confidential responses are available on the Ofcom website

7.2 There has been a high level of public interest in the codes. Ofcom received 353 responses commenting on all aspects of the proposals in the 3 consultations. There has been strong support for the package of measures. There have also been concerns raised about the codes’ ambition (including more than 60 suggestions for additional codes measures). Concerns were also raised about the codes’ prescriptiveness, impact on service providers, impact on human rights and feasibility.

7.3 The issues raised and Ofcom’s responses to them are included in detail in Ofcom’s regulatory Statement (i.e. the document it produces which sets out its reasoning in full), a series of documents together amounting to more than 1000 pages which are published on Ofcom’s website. In particular, comments on Ofcom’s approach to developing the codes and on who they apply to are summarised and addressed in the chapter entitled “Our approach to developing Codes measures”. Comments on each proposed measure are summarised and addressed in the chapter within Volume 2 setting out the reasoning for recommending that measure. Annex 1 contains further responses and Ofcom’s response to them.

8. Applicable guidance

8.1 Ofcom has not published any Guidance documents required to interpret the draft codes of practice. They are complete in their own right.

8.2 However, Ofcom will publish a series of other Guidance documents under the OSA, without which the online safety regulatory regime as it relates to illegal harms would not be complete. These documents will all be available on Ofcom’s website and comprise: (i) Register of risk under section 98; (ii) Risk profiles under section 98; (iii) Risk assessment guidance under section 99; (iv) Illegal content judgements guidance under section 193; (v) Enforcement guidance under section 151; (vi) Record keeping guidance under section 52; and (vii) Non-statutory guidance on when content can be said to be communicated publicly.

Part 2: impact and the Better Regulation Framework

9. Impact assessment

9.1 Ofcom has a duty under section 7 of the Communications Act 2003 to carry out impact assessments when preparing a code of practice under section 41 of the OSA. The assessment must include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.

9.2 Ofcom has discretion as to the substance and form of an impact assessment. The impact assessments for these codes of practice are included in Volume 1, Volume 2 and Annex 4 of Ofcom’s regulatory Statement (i.e. the document published on its website which sets out its reasoning in full).

9.3 Ofcom has considered how each measure will reduce the risk of harm it has identified and how effectively it will do this. While Ofcom has sought to quantify impacts where feasible, there is a lack of robust quantitative evidence. It is even more challenging to put certain benefits in monetary terms. For example, it is difficult to quantify the social and psychological impacts of exposure to illegal content and damage to physical and mental health. While Ofcom has not generally quantified these benefits in monetary terms, it has placed significant weight on such impacts in its decisions. As required by section 98 of the OSA, it has published a comprehensive assessment of the causes and impacts of illegal harms in the Register of Risks.

Impact on businesses, charities and voluntary bodies

9.4 The impact on businesses is that if businesses providing online user-to-user services and search services comply with the measures in the codes of practice then they are considered to be compliant with their online safety duties. Service providers can take alternative measures and must keep a record of the measures and explain how the relevant safety duties have been met.

9.5 The impact on business, charities or voluntary bodies will vary depending on whether they provide services within scope of the OSA and whether they identify illegal harms risks on those services. For providers of smaller services that assess their service as low risk of all kinds of illegal harm, the measures largely relate to explicit requirements in the OSA. Very few measures are recommended beyond that and the incremental cost of those extra measures is very low. However, for service providers that identify significant risks of illegal content in their risk assessments, the impact may be significant. Ofcom has taken this into account and considers the measures warranted given the scale of the potential harm posed by services with significant risks. There are also additional measures for providers of large and higher-risk services, which are expected to do more. Many measures allow providers some flexibility in how they are implemented, so providers can tailor to their service which tends to reduce the cost burden. Ofcom has assessed the impact of these measures and found them proportionate.

9.6 The draft codes of practice do not impact small or micro businesses. The impact depends on whether they assess as having risks on their services, as described in the previous paragraph.

9.7 The impact on the public sector is limited in that paragraphs 9 and 10 of Schedule 1 to the OSA exempt services provided by public bodies and services provided by persons providing education or childcare from being regulated.

9.8 The breadth and complexity of this new regime means the codes cover many areas. Ofcom has taken steps in its Statement to make the regime as accessible as possible, including: (i) A summary of Ofcom’s decisions and the user-to-user and search services to which they apply. (ii) A summary of each chapter, setting out what it is about, stakeholder feedback received, and the decisions Ofcom has taken. (iii) The introductory chapter to Ofcom’s Statement includes suggestions to signpost stakeholders towards the documentation and tools they might find most helpful (e.g. a digital support service for small and medium sized services).

9.9 Moving forward, Ofcom will continue to meet with interested parties and explain its decisions through meetings, conferences, and webinars.

10. Monitoring and review

What is the approach to monitoring and reviewing this legislation?

10.1 The approach to monitoring the legislation is that, pursuant to section 47 of the OSA, Ofcom must keep the codes of practice under review. Ofcom will evaluate compliance with the regime and the impact of its guidance and codes of practice. Ofcom’s monitoring and evaluation work includes assessing whether its interventions are leading to changes in services’ systems and processes, a safer online life for users, particularly children, and unintended consequences that need mitigation.

10.2 Ofcom has said that, given the breadth and the depth of the OSA, its evaluation strategy will cover several key strands of work. These include assessing the overall impact of the introduction of the OSA in priority areas, as set out in Ofcom’s publication “Implementing the Online Safety Act: progress update”. Ofcom has said it wants to evaluate whether service providers are assessing the risk of harm on their services and putting in place measures to address the areas of greatest risk to people, especially children. To do this, it will engage directly with a sample of services and is also planning to use a business survey to reach out to a larger group of services. Ofcom also intends to track whether users are having better experiences online, using evidence from its own research, such as Ofcom’s Online Experiences Tracker, and from Ofcom’s partners in government, law enforcement and civil society.

10.3 It is also important that Ofcom understands the impact of its policies in specific areas. This could include, for example, the impact of regulation on businesses’ costs, particularly for small and micro businesses.

10.4 Additionally, Ofcom aims to understand the impact of discrete changes made by regulated services on safety outcomes, and will work with services to incentivise them to embed evaluation into their product development. Its Economics Discussion Paper “Evaluating online safety measures” sets out how a widely used evaluation framework could be applied to assess the impact and effectiveness of online services’ safety measures.

10.5 The Secretary of State may require Ofcom to review a terrorism or CSEA code of practice if necessary for national security or public safety interest.

10.6 The instrument does not include a statutory review clause; the OSA requires Ofcom to keep the codes of practice under review as described in the paragraph above.

Part 3: statements and matters of particular interest to Parliament

11. Matters of special interest to Parliament

11.1 None

12. European Convention on Human Rights

12.1 As the draft codes of practice are not primary legislation, a human rights statement is not required.

13. The Relevant European Union Acts

13.1 The draft codes of practice are not made under the European Union (Withdrawal) Act 2018, the European Union (Future Relationship) Act 2020 or the Retained EU Law (Revocation and Reform) Act 2023 (“relevant European Union Acts”).