PART 1Introduction
1Introduction
(1)
This Act provides for a new regulatory framework which has the general purpose of making the use of internet services regulated by this Act safer for individuals in the United Kingdom.
(2)
To achieve that purpose, this Act (among other things)—
(a)
imposes duties which, in broad terms, require providers of services regulated by this Act to identify, mitigate and manage the risks of harm (including risks which particularly affect individuals with a certain characteristic) from—
(i)
illegal content and activity, and
(ii)
content and activity that is harmful to children, and
(b)
confers new functions and powers on the regulator, OFCOM.
(3)
Duties imposed on providers by this Act seek to secure (among other things) that services regulated by this Act are—
(a)
safe by design, and
(b)
designed and operated in such a way that—
(i)
a higher standard of protection is provided for children than for adults,
(ii)
users’ rights to freedom of expression and privacy are protected, and
(iii)
transparency and accountability are provided in relation to those services.
2Overview of Act
(1)
Parts 2 to 9 and 11 and 12 of this Act contain provision about the regulation by OFCOM of certain internet services.
(2)
Part 2 contains key definitions, including the definition of a user-to-user service, a search service, a Part 3 service and a regulated service.
(3)
Part 3 imposes duties of care on providers of user-to-user services and search services and requires OFCOM to issue codes of practice about those duties.
(4)
Part 4 imposes further duties on providers of user-to-user services and search services.
(5)
Part 5 imposes duties on providers of internet services (including user-to-user services and search services) that publish certain pornographic content.
(6)
Part 6, which imposes requirements to pay fees to OFCOM, applies to providers of internet services to which the duties in Part 3, 4 or 5 apply (“regulated services”).
(7)
Part 7 is about OFCOM’s powers and duties in relation to regulated services (including powers to obtain information and enforcement powers).
(8)
Part 8 is about appeals and complaints relating to regulated services.
(9)
Part 9 is about the Secretary of State’s functions in relation to regulated services.
(10)
Part 10 contains communications offences.
(11)
Parts 11 and 12 contain supplementary provisions including an index of terms defined in this Act (see section 237).
PART 2Key definitions
3“User-to-user service” and “search service”
(1)
In this Act “user-to-user service” means an internet service by means of which content that is generated directly on the service by a user of the service, or uploaded to or shared on the service by a user of the service, may be encountered by another user, or other users, of the service.
(2)
For the purposes of subsection (1)—
(a)
it does not matter if content is actually shared with another user or users as long as a service has a functionality that allows such sharing;
(b)
it does not matter what proportion of content on a service is content described in that subsection.
(3)
For the meaning of “content” and “encounter”, see section 236.
(4)
In this Act “search service” means an internet service that is, or includes, a search engine (see section 229).
(5)
(a)
is of a kind described in subsection (1), and
(b)
includes a search engine,
is a user-to-user service or a search service for the purposes of this Act.
(6)
It is a search service if the only content described in subsection (1) that is enabled by the service is content of any of the following kinds—
(a)
(b)
content arising in connection with any of the activities described in paragraph 4(1) of Schedule 1 (comments etc on provider content);
(c)
content present on a part of the service in relation to which the conditions in paragraph 7(2) of Schedule 1 are met (internal business service conditions).
(7)
Otherwise, it is a user-to-user service.
4“Regulated service”, “Part 3 service” etc
(1)
This section applies for the purposes of this Act.
(2)
A user-to-user service is a “regulated user-to-user service”, and a search service is a “regulated search service”, if the service—
(b)
is not—
(i)
a service of a description that is exempt as provided for by Schedule 1, or
(ii)
a service of a kind described in Schedule 2 (services combining user-generated content or search content not regulated by this Act with pornographic content that is regulated).
(3)
“Part 3 service” means a regulated user-to-user service or a regulated search service.
(4)
“Regulated service” means—
(a)
a regulated user-to-user service,
(b)
a regulated search service, or
(c)
an internet service, other than a regulated user-to-user service or a regulated search service, that is within section 80(2) (including a service of a kind described in Schedule 2).
(5)
For the purposes of subsection (2), a user-to-user service or a search service “has links with the United Kingdom” if—
(a)
the service has a significant number of United Kingdom users, or
(b)
United Kingdom users form one of the target markets for the service (or the only target market).
(6)
For the purposes of subsection (2), a user-to-user service or a search service also “has links with the United Kingdom” if—
(a)
the service is capable of being used in the United Kingdom by individuals, and
(b)
there are reasonable grounds to believe that there is a material risk of significant harm to individuals in the United Kingdom presented by—
(i)
in the case of a user-to-user service, user-generated content present on the service or (if the service includes a search engine) search content of the service;
(ii)
in the case of a search service, search content of the service.
(7)
A regulated user-to-user service that includes a public search engine is referred to in this Act as a “combined service”.
“Public search engine” means a search engine other than one in relation to which the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met.
(8)
In this section—
“search content” has the same meaning as in Part 3 (see section 57);
5Disapplication of Act to certain parts of services
(1)
This Act does not apply in relation to a part of a Part 3 service if the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met in relation to that part.
(2)
This Act does not apply in relation to a part of a regulated search service if—
(a)
the only user-generated content enabled by that part of the service is content of any of the following kinds—
(i)
(ii)
content arising in connection with any of the activities described in paragraph 4(1) of Schedule 1 (comments etc on provider content); and
(b)
no regulated provider pornographic content is published or displayed on that part of the service.
(3)
In this section—
“regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79);
PART 3Providers of regulated user-to-user services and regulated search services: duties of care
CHAPTER 1Introduction
6Overview of Part 3
(1)
This Part imposes duties of care on providers of regulated user-to-user services and regulated search services and requires OFCOM to issue codes of practice relating to some of those duties.
(2)
Chapter 2 imposes duties of care on providers of regulated user-to-user services in relation to content and activity on their services.
(3)
Chapter 3 imposes duties of care on providers of regulated search services in relation to content and activity on their services.
(4)
Chapter 4 imposes duties on providers of regulated user-to-user services and regulated search services to assess whether a service is likely to be accessed by children.
(5)
Chapter 5 imposes duties on providers of certain regulated user-to-user services and regulated search services relating to fraudulent advertising.
(6)
Chapter 6 requires OFCOM to issue codes of practice relating to particular duties and explains what effects the codes of practice have.
(7)
Chapter 7 is about the interpretation of this Part, and it includes definitions of the following key terms—
“content that is harmful to children”, “primary priority content that is harmful to children” and “priority content that is harmful to children” (see sections 60 to 62);
“illegal content”, “priority offence”, “terrorism content”, “CSEA content” and “priority illegal content” (see section 59);
“search content” (see section 57).
CHAPTER 2Providers of user-to-user services: duties of care
User-to-user services: which duties apply, and scope of duties
7Providers of user-to-user services: duties of care
(1)
(2)
All providers of regulated user-to-user services must comply with the following duties in relation to each such service which they provide—
(a)
the duties about illegal content risk assessments set out in section 9,
(c)
the duty about content reporting set out in section 20,
(d)
the duties about complaints procedures set out in section 21,
(3)
Additional duties must be complied with by providers of particular kinds of regulated user-to-user services, as follows.
(4)
All providers of regulated user-to-user services that are likely to be accessed by children must comply with the following duties in relation to each such service which they provide—
(a)
the duties about children’s risk assessments set out in section 11, and
(5)
All providers of Category 1 services must comply with the following duties in relation to each such service which they provide—
(a)
the duty about illegal content risk assessments set out in section 10(9),
(b)
the duty about children’s risk assessments set out in section 12(14),
(c)
the duties about assessments related to adult user empowerment set out in section 14,
(d)
the duties to empower adult users set out in section 15,
(e)
the duties to protect content of democratic importance set out in section 17,
(f)
the duties to protect news publisher content set out in section 18,
(g)
the duties to protect journalistic content set out in section 19,
(6)
All providers of combined services must comply with the following duties in relation to the search engine of each such service which they provide—
(a)
if the service is not a Category 2A service and is not likely to be accessed by children, the duties set out in Chapter 3 referred to in section 24(2);
(b)
(c)
(7)
For the meaning of “likely to be accessed by children”, see section 37.
(8)
For the meaning of “Category 1 service”, see section 95 (register of categories of services).
8Scope of duties of care
(1)
A duty set out in this Chapter which must be complied with in relation to a user-to-user service that includes regulated provider pornographic content does not extend to—
(a)
the regulated provider pornographic content, or
(b)
the design, operation or use of the service so far as relating to that content.
See Part 5 for the duties which relate to regulated provider pornographic content, and the meaning of that term.
(2)
A duty set out in this Chapter which must be complied with in relation to a combined service does not extend to—
(a)
the search content of the service,
(b)
any other content that, following a search request, may be encountered as a result of subsequent interactions with internet services, or
(c)
anything relating to the design, operation or use of the search engine.
(3)
A duty set out in this Chapter which must be complied with in relation to a user-to-user service extends only to—
(a)
the design, operation and use of the service in the United Kingdom, and
(b)
in the case of a duty that is expressed to apply in relation to users of a service, the design, operation and use of the service as it affects United Kingdom users of the service.
Illegal content duties for user-to-user services
9Illegal content risk assessment duties
(1)
This section sets out the duties about risk assessments which apply in relation to all regulated user-to-user services.
(2)
A duty to carry out a suitable and sufficient illegal content risk assessment at a time set out in, or as provided by, Schedule 3.
(3)
A duty to take appropriate steps to keep an illegal content risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.
(4)
Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient illegal content risk assessment relating to the impacts of that proposed change.
(5)
An “illegal content risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—
(a)
the user base;
(b)
the level of risk of individuals who are users of the service encountering the following by means of the service—
(i)
each kind of priority illegal content (with each kind separately assessed), and
(ii)
other illegal content,
taking into account (in particular) algorithms used by the service, and how easily, quickly and widely content may be disseminated by means of the service;
(c)
the level of risk of the service being used for the commission or facilitation of a priority offence;
(d)
the level of risk of harm to individuals presented by illegal content of different kinds or by the use of the service for the commission or facilitation of a priority offence;
(e)
the level of risk of functionalities of the service facilitating the presence or dissemination of illegal content or the use of the service for the commission or facilitation of a priority offence, identifying and assessing those functionalities that present higher levels of risk;
(f)
the different ways in which the service is used, and the impact of such use on the level of risk of harm that might be suffered by individuals;
(g)
(h)
how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.
(6)
In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to individuals presented by illegal content.
(7)
See also—
(b)
Schedule 3 (timing of providers’ assessments).
10Safety duties about illegal content
(1)
This section sets out the duties about illegal content which apply in relation to regulated user-to-user services (as indicated by the headings).
All services
(2)
A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to—
(a)
prevent individuals from encountering priority illegal content by means of the service,
(b)
effectively mitigate and manage the risk of the service being used for the commission or facilitation of a priority offence, as identified in the most recent illegal content risk assessment of the service, and
(c)
effectively mitigate and manage the risks of harm to individuals, as identified in the most recent illegal content risk assessment of the service (see section 9(5)(g)).
(3)
A duty to operate a service using proportionate systems and processes designed to—
(a)
minimise the length of time for which any priority illegal content is present;
(b)
where the provider is alerted by a person to the presence of any illegal content, or becomes aware of it in any other way, swiftly take down such content.
(4)
The duties set out in subsections (2) and (3) apply across all areas of a service, including the way it is designed, operated and used as well as content present on the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—
(a)
regulatory compliance and risk management arrangements,
(b)
design of functionalities, algorithms and other features,
(c)
policies on terms of use,
(d)
policies on user access to the service or to particular content present on the service, including blocking users from accessing the service or particular content,
(e)
content moderation, including taking down content,
(f)
functionalities allowing users to control the content they encounter,
(g)
user support measures, and
(h)
staff policies and practices.
(5)
A duty to include provisions in the terms of service specifying how individuals are to be protected from illegal content, addressing each paragraph of subsection (3), and (in relation to paragraph (a)) separately addressing terrorism content, CSEA content (see section 59 and Schedule 6) and other priority illegal content.
(6)
A duty to apply the provisions of the terms of service referred to in subsection (5) consistently.
(7)
(8)
Additional duty for Category 1 services
(9)
A duty to summarise in the terms of service the findings of the most recent illegal content risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to individuals).
Interpretation
(10)
In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—
(a)
all the findings of the most recent illegal content risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to individuals), and
(b)
the size and capacity of the provider of a service.
(11)
In this section “illegal content risk assessment” has the meaning given by section 9.
(12)
See also, in relation to duties set out in this section, section 22 (duties about freedom of expression and privacy).
User-to-user services likely to be accessed by children
11Children’s risk assessment duties
(1)
This section sets out the duties about risk assessments which apply in relation to regulated user-to-user services that are likely to be accessed by children (in addition to the duties about risk assessments set out in section 9 and, in the case of services likely to be accessed by children which are Category 1 services, the duties about assessments set out in section 14).
(2)
A duty to carry out a suitable and sufficient children’s risk assessment at a time set out in, or as provided by, Schedule 3.
(3)
A duty to take appropriate steps to keep a children’s risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.
(4)
Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient children’s risk assessment relating to the impacts of that proposed change.
(5)
Where a children’s risk assessment of a service identifies the presence of non-designated content that is harmful to children, a duty to notify OFCOM of—
(a)
the kinds of such content identified, and
(b)
the incidence of those kinds of content on the service.
(6)
A “children’s risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—
(a)
the user base, including the number of users who are children in different age groups;
(b)
the level of risk of children who are users of the service encountering the following by means of the service—
(i)
each kind of primary priority content that is harmful to children (with each kind separately assessed),
(ii)
each kind of priority content that is harmful to children (with each kind separately assessed), and
(iii)
non-designated content that is harmful to children,
giving separate consideration to children in different age groups, and taking into account (in particular) algorithms used by the service and how easily, quickly and widely content may be disseminated by means of the service;
(c)
the level of risk of harm to children presented by different kinds of content that is harmful to children, giving separate consideration to children in different age groups;
(d)
the level of risk of harm to children presented by content that is harmful to children which particularly affects individuals with a certain characteristic or members of a certain group;
(e)
the extent to which the design of the service, in particular its functionalities, affects the level of risk of harm that might be suffered by children, identifying and assessing those functionalities that present higher levels of risk, including functionalities—
(i)
enabling adults to search for other users of the service (including children), or
(ii)
enabling adults to contact other users (including children) by means of the service;
(f)
the different ways in which the service is used, including functionalities or other features of the service that affect how much children use the service (for example a feature that enables content to play automatically), and the impact of such use on the level of risk of harm that might be suffered by children;
(g)
(h)
how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.
(7)
In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to children presented by content that is harmful to children.
(8)
See also—
(b)
Schedule 3 (timing of providers’ assessments).
12Safety duties protecting children
(1)
This section sets out the duties to protect children’s online safety which apply in relation to regulated user-to-user services that are likely to be accessed by children (as indicated by the headings).
All services
(2)
A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively—
(a)
mitigate and manage the risks of harm to children in different age groups, as identified in the most recent children’s risk assessment of the service (see section 11(6)(g)), and
(b)
mitigate the impact of harm to children in different age groups presented by content that is harmful to children present on the service.
(3)
A duty to operate a service using proportionate systems and processes designed to—
(a)
prevent children of any age from encountering, by means of the service, primary priority content that is harmful to children;
(b)
protect children in age groups judged to be at risk of harm from other content that is harmful to children (or from a particular kind of such content) from encountering it by means of the service.
(4)
The duty set out in subsection (3)(a) requires a provider to use age verification or age estimation (or both) to prevent children of any age from encountering primary priority content that is harmful to children which the provider identifies on the service.
(5)
That requirement applies to a provider in relation to a particular kind of primary priority content that is harmful to children in every case except where—
(a)
a term of service indicates (in whatever words) that the presence of that kind of primary priority content that is harmful to children is prohibited on the service, and
(b)
that policy applies in relation to all users of the service.
(6)
If a provider is required by subsection (4) to use age verification or age estimation for the purpose of compliance with the duty set out in subsection (3)(a), the age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child.
(7)
Age verification or age estimation to identify who is or is not a child user or which age group a child user is in are examples of measures which (if not required by subsection (4)) may be taken or used (among others) for the purpose of compliance with a duty set out in subsection (2) or (3).
(8)
The duties set out in subsections (2) and (3) apply across all areas of a service, including the way it is designed, operated and used as well as content present on the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—
(a)
regulatory compliance and risk management arrangements,
(b)
design of functionalities, algorithms and other features,
(c)
policies on terms of use,
(d)
policies on user access to the service or to particular content present on the service, including blocking users from accessing the service or particular content,
(e)
content moderation, including taking down content,
(f)
functionalities allowing for control over content that is encountered, especially by children,
(g)
user support measures, and
(h)
staff policies and practices.
(9)
A duty to include provisions in the terms of service specifying—
(a)
how children of any age are to be prevented from encountering primary priority content that is harmful to children (with each kind of primary priority content separately covered);
(b)
how children in age groups judged to be at risk of harm from priority content that is harmful to children (or from a particular kind of such content) are to be protected from encountering it, where they are not prevented from doing so (with each kind of priority content separately covered);
(c)
how children in age groups judged to be at risk of harm from non-designated content that is harmful to children (or from a particular kind of such content) are to be protected from encountering it, where they are not prevented from doing so.
(10)
A duty to apply the provisions of the terms of service referred to in subsection (9) consistently.
(11)
If a provider takes or uses a measure designed to prevent access to the whole of the service or a part of the service by children under a certain age, a duty to—
(a)
include provisions in the terms of service specifying details about the operation of the measure, and
(b)
apply those provisions consistently.
(12)
(13)
Additional duty for Category 1 services
(14)
A duty to summarise in the terms of service the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children).
13Safety duties protecting children: interpretation
(1)
In determining what is proportionate for the purposes of section 12, the following factors, in particular, are relevant—
(a)
all the findings of the most recent children’s risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to children), and
(b)
the size and capacity of the provider of a service.
(2)
So far as a duty set out in section 12 relates to non-designated content that is harmful to children, the duty is to be taken to extend only to addressing risks of harm from the kinds of such content that have been identified in the most recent children’s risk assessment (if any have been identified).
(3)
References in section 12(3)(b) and (9)(b) and (c) to children in age groups judged to be at risk of harm from content that is harmful to children are references to children in age groups judged to be at risk of such harm as assessed by the provider of a service in the most recent children’s risk assessment of the service.
(4)
(5)
The duties set out in section 12 extend only to such parts of a service as it is possible for children to access.
(6)
For the purposes of subsection (5), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(7)
In section 12 and this section “children’s risk assessment” has the meaning given by section 11.
(8)
See also, in relation to duties set out in section 12, section 22 (duties about freedom of expression and privacy).
Category 1 services
14Assessment duties: user empowerment
(1)
This section sets out the duties about assessments related to adult user empowerment which apply in relation to Category 1 services (in addition to the duties about risk assessments set out in section 9 and, in the case of Category 1 services likely to be accessed by children, section 11).
(2)
A duty to carry out a suitable and sufficient assessment for the purposes of section 15(2) at a time set out in, or as provided by, Schedule 3.
(3)
A duty to take appropriate steps to keep such an assessment up to date.
(4)
Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient assessment for the purposes of section 15(2) relating to the impacts of that proposed change.
(5)
An assessment of a service “for the purposes of section 15(2)” means an assessment of the following matters—
(a)
the user base;
(b)
the incidence of relevant content on the service;
(c)
the likelihood of adult users of the service encountering, by means of the service, each kind of relevant content (with each kind separately assessed), taking into account (in particular) algorithms used by the service, and how easily, quickly and widely content may be disseminated by means of the service;
(d)
the likelihood of adult users with a certain characteristic or who are members of a certain group encountering relevant content which particularly affects them;
(e)
the likelihood of functionalities of the service facilitating the presence or dissemination of relevant content, identifying and assessing those functionalities more likely to do so;
(f)
the different ways in which the service is used, and the impact of such use on the likelihood of adult users encountering relevant content;
(g)
how the design and operation of the service (including the business model, governance, use of proactive technology, measures to strengthen adult users’ control over their interaction with user-generated content, and other systems and processes) may reduce or increase the likelihood of adult users encountering relevant content.
(6)
In this section “relevant content” means content to which section 15(2) applies (content to which user empowerment duties set out in that provision apply).
(7)
See also—
(b)
Schedule 3 (timing of providers’ assessments).
15User empowerment duties
(1)
This section sets out the duties to empower adult users which apply in relation to Category 1 services.
(2)
A duty to include in a service, to the extent that it is proportionate to do so, features which adult users may use or apply if they wish to increase their control over content to which this subsection applies.
(3)
The features referred to in subsection (2) are those which, if used or applied by a user, result in the use by the service of systems or processes designed to effectively—
(a)
reduce the likelihood of the user encountering content to which subsection (2) applies present on the service, or
(b)
alert the user to content present on the service that is a particular kind of content to which subsection (2) applies.
(4)
A duty to ensure that all features included in a service in compliance with the duty set out in subsection (2) (“control features”) are made available to all adult users and are easy to access.
(5)
A duty to operate a service using a system or process which seeks to ensure that all registered adult users are offered the earliest possible opportunity, in relation to each control feature included in the service, to take a step indicating to the provider that—
(a)
the user wishes to retain the default setting for the feature (whether that is that the feature is in use or applied, or is not in use or applied), or
(b)
the user wishes to change the default setting for the feature.
(6)
The duty set out in subsection (5)—
(a)
continues to apply in relation to a user and a control feature for so long as the user has not yet taken a step mentioned in that subsection in relation to the feature;
(b)
no longer applies in relation to a user once the user has taken such a step in relation to every control feature included in the service.
(7)
A duty to include clear and accessible provisions in the terms of service specifying which control features are offered and how users may take advantage of them.
(8)
A duty to summarise in the terms of service the findings of the most recent assessment of a service under section 14 (assessments related to the duty set out in subsection (2)).
(9)
A duty to include in a service features which adult users may use or apply if they wish to filter out non-verified users.
(10)
The features referred to in subsection (9) are those which, if used or applied by a user, result in the use by the service of systems or processes designed to effectively—
(a)
prevent non-verified users from interacting with content which that user generates, uploads or shares on the service, and
(b)
reduce the likelihood of that user encountering content which non-verified users generate, upload or share on the service.
16User empowerment duties: interpretation
(1)
In determining what is proportionate for the purposes of section 15(2), the following factors, in particular, are relevant—
(a)
all the findings of the most recent assessment under section 14, and
(b)
the size and capacity of the provider of the service.
(2)
Section 15(2) applies to content that—
(a)
is regulated user-generated content in relation to the service in question, and
(3)
Content is within this subsection if it encourages, promotes or provides instructions for—
(a)
suicide or an act of deliberate self-injury, or
(b)
an eating disorder or behaviours associated with an eating disorder.
(4)
Content is within this subsection if it is abusive and the abuse targets any of the following characteristics—
(a)
race,
(b)
religion,
(c)
sex,
(d)
sexual orientation,
(e)
disability, or
(f)
gender reassignment.
(5)
Content is within this subsection if it incites hatred against people—
(a)
of a particular race, religion, sex or sexual orientation,
(b)
who have a disability, or
(c)
who have the characteristic of gender reassignment.
(6)
The duty set out in section 15(5) applies in relation to all registered adult users, not just those who begin to use a service after that duty begins to apply.
(7)
In section 15 and this section—
“disability” means any physical or mental impairment;
“injury” includes poisoning;
“non-verified user” means a user who—
(a)
is an individual, whether in the United Kingdom or outside it, and
(b)
has not verified their identity to the provider of a service;
“race” includes colour, nationality, and ethnic or national origins.
(8)
In section 15 and this section—
(a)
references to features include references to functionalities and settings, and
(b)
references to religion include references to a lack of religion.
(9)
For the purposes of section 15 and this section, a person has the characteristic of gender reassignment if the person is proposing to undergo, is undergoing or has undergone a process (or part of a process) for the purpose of reassigning the person’s sex by changing physiological or other attributes of sex, and the reference to gender reassignment in subsection (4) is to be construed accordingly.
(10)
See also, in relation to duties set out in section 15, section 22 (duties about freedom of expression and privacy).
17Duties to protect content of democratic importance
(1)
This section sets out the duties to protect content of democratic importance which apply in relation to Category 1 services.
(2)
A duty to operate a service using proportionate systems and processes designed to ensure that the importance of the free expression of content of democratic importance is taken into account when making decisions about—
(a)
how to treat such content (especially decisions about whether to take it down or restrict users’ access to it), and
(b)
whether to take action against a user generating, uploading or sharing such content.
(3)
A duty to ensure that the systems and processes mentioned in subsection (2) apply in the same way to a wide diversity of political opinion.
(4)
A duty to include provisions in the terms of service specifying the policies and processes that are designed to take account of the principle mentioned in subsection (2), including, in particular, how that principle is applied to decisions mentioned in that subsection.
(5)
A duty to ensure that—
(a)
the provisions of the terms of service referred to in subsection (4) are clear and accessible, and
(b)
those provisions are applied consistently.
(6)
In determining what is proportionate for the purposes of subsection (2), the size and capacity of the provider of a service, in particular, is relevant.
(7)
For the purposes of this section content is “content of democratic importance”, in relation to a user-to-user service, if—
(a)
the content is—
(i)
news publisher content in relation to that service, or
(ii)
regulated user-generated content in relation to that service; and
(b)
the content is or appears to be specifically intended to contribute to democratic political debate in the United Kingdom or a part or area of the United Kingdom.
(8)
In this section, the reference to “taking action” against a user is to giving a warning to a user, or suspending or banning a user from using a service, or in any way restricting a user’s ability to use a service.
(9)
For the meaning of “news publisher content” and “regulated user-generated content”, see section 55.
18Duties to protect news publisher content
(1)
This section sets out the duties to protect news publisher content which apply in relation to Category 1 services.
(2)
Subject to subsections (4), (5) and (8), a duty, in relation to a service, to take the steps set out in subsection (3) before—
(a)
taking action in relation to content present on the service that is news publisher content, or
(b)
taking action against a user who is a recognised news publisher.
(3)
The steps referred to in subsection (2) are—
(a)
to give the recognised news publisher in question a notification which—
(i)
specifies the action that the provider is considering taking,
(ii)
gives reasons for that proposed action by reference to each relevant provision of the terms of service,
(iii)
where the proposed action relates to news publisher content that is also journalistic content, explains how the provider took the importance of the free expression of journalistic content into account when deciding on the proposed action, and
(iv)
specifies a reasonable period within which the recognised news publisher may make representations,
(b)
to consider any representations that are made, and
(c)
to notify the recognised news publisher of the decision and the reasons for it (addressing any representations made).
(4)
If a provider of a service reasonably considers that the provider would incur criminal or civil liability in relation to news publisher content present on the service if it were not taken down swiftly, the provider may take down that content without having taken the steps set out in subsection (3).
(5)
A provider of a service may also take down news publisher content present on the service without having taken the steps set out in subsection (3) if that content amounts to a relevant offence (see section 59 and also subsection (10) of this section).
(6)
(7)
The steps referred to in subsection (6) are—
(a)
to swiftly notify the recognised news publisher in question of the action taken, giving the provider’s justification for not having first taken the steps set out in subsection (3),
(b)
to specify a reasonable period within which the recognised news publisher may request that the action is reversed, and
(c)
if a request is made as mentioned in paragraph (b)—
(i)
to consider the request and whether the steps set out in subsection (3) should have been taken prior to the action being taken,
(ii)
if the provider concludes that those steps should have been taken, to swiftly reverse the action, and
(iii)
to notify the recognised news publisher of the decision and the reasons for it (addressing any reasons accompanying the request for reversal of the action).
(8)
If a recognised news publisher has been banned from using a service (and the ban is still in force), the provider of the service may take action in relation to news publisher content present on the service which was generated or originally published or broadcast by the recognised news publisher without complying with the duties set out in this section.
(9)
For the purposes of this section, a provider is not to be regarded as taking action in relation to news publisher content in the following circumstances—
(a)
a provider takes action in relation to content which is not news publisher content, that action affects related news publisher content, the grounds for the action only relate to the content which is not news publisher content, and it is not technically feasible for the action only to relate to the content which is not news publisher content;
(b)
a provider takes action against a user, and that action affects news publisher content that has been uploaded to or shared on the service by the user.
(10)
Section 192 (providers’ judgements about the status of content) applies in relation to judgements by providers about whether news publisher content amounts to a relevant offence as it applies in relation to judgements about whether content is illegal content.
(11)
Any provision of the terms of service has effect subject to this section.
(12)
In this section—
(a)
references to “news publisher content” are to content that is news publisher content in relation to the service in question;
(b)
references to “taking action” against a person are to giving a warning to a person, or suspending or banning a person from using a service, or in any way restricting a person’s ability to use a service.
(13)
In this section references to “taking action” in relation to content are to—
(a)
taking down content,
(b)
restricting users’ access to content, or
(c)
adding warning labels to content, except warning labels normally encountered only by child users,
and also include references to taking any other action in relation to content on the grounds that it is content of a kind which is the subject of a relevant term of service (but not otherwise).
(14)
A “relevant term of service” means a term of service which indicates to users (in whatever words) that the presence of a particular kind of content, from the time it is generated, uploaded or shared on the service, is not tolerated on the service or is tolerated but liable to result in the provider treating it in a way that makes it less likely that other users will encounter it.
(15)
Taking any step set out in subsection (3) or (7) does not count as “taking action” for the purposes of this section.
(16)
See—
section 19 for the meaning of “journalistic content”;
section 55 for the meaning of “news publisher content”;
section 56 for the meaning of “recognised news publisher”.
19Duties to protect journalistic content
(1)
This section sets out the duties to protect journalistic content which apply in relation to Category 1 services.
The duties
(2)
A duty to operate a service using proportionate systems and processes designed to ensure that the importance of the free expression of journalistic content is taken into account when making decisions about—
(a)
how to treat such content (especially decisions about whether to take it down or restrict users’ access to it), and
(b)
whether to take action against a user generating, uploading or sharing such content.
(3)
A duty, in relation to a decision by a provider to take down content or to restrict access to it, to make a dedicated and expedited complaints procedure available to a person who considers the content to be journalistic content and who is—
(a)
the user who generated, uploaded or shared the content on the service, or
(4)
A duty to make a dedicated and expedited complaints procedure available to users of a service in relation to a decision by the provider of the service to take action against a user because of content generated, uploaded or shared by the user which the user considers to be journalistic content.
(5)
A duty to ensure that—
(a)
if a complaint about a decision mentioned in subsection (3) is upheld, the content is swiftly reinstated on the service;
(b)
if a complaint about a decision mentioned in subsection (4) is upheld, the action against the user is swiftly reversed.
(6)
Subsections (3) and (4) do not require a provider to make a dedicated and expedited complaints procedure available to a recognised news publisher in relation to a decision if the provider has taken the steps set out in section 18(3) in relation to that decision.
(7)
A duty to include provisions in the terms of service specifying—
(a)
by what methods content present on the service is to be identified as journalistic content;
(b)
how the importance of the free expression of journalistic content is to be taken into account when making decisions mentioned in subsection (2);
(c)
the policies and processes for handling complaints in relation to content which is, or is considered to be, journalistic content.
(8)
A duty to ensure that—
(a)
the provisions of the terms of service referred to in subsection (7) are clear and accessible, and
(b)
those provisions are applied consistently.
Interpretation
(9)
In determining what is proportionate for the purposes of subsection (2), the size and capacity of the provider of a service, in particular, is relevant.
(10)
For the purposes of this Part content is “journalistic content”, in relation to a user-to-user service, if—
(a)
the content is—
(i)
news publisher content in relation to that service, or
(ii)
regulated user-generated content in relation to that service;
(b)
the content is generated for the purposes of journalism; and
(c)
the content is UK-linked.
(11)
For the purposes of this section content is “UK-linked” if—
(a)
United Kingdom users of the service form one of the target markets for the content (or the only target market), or
(b)
the content is or is likely to be of interest to a significant number of United Kingdom users.
(12)
In this section references to “taking action” against a user are to giving a warning to a user, or suspending or banning a user from using a service, or in any way restricting a user’s ability to use a service.
(13)
(14)
The creator of news publisher content is the recognised news publisher in question.
(15)
The creator of content other than news publisher content is—
(a)
an individual who—
(i)
created the content, and
(ii)
is in the United Kingdom; or
(b)
an entity which—
(i)
created the content, and
(ii)
is incorporated or formed under the law of any part of the United Kingdom.
(16)
For the meaning of “news publisher content”, “regulated user-generated content” and “recognised news publisher”, see sections 55 and 56.
Duties about content reporting and complaints procedures
20Duty about content reporting
(1)
This section sets out the duty about content reporting which applies in relation to all regulated user-to-user services.
(2)
A duty to operate a service using systems and processes that allow users and affected persons to easily report content which they consider to be content of a kind specified below (with the duty extending to different kinds of content depending on the kind of service, as indicated by the headings).
All services
(3)
Illegal content.
Services likely to be accessed by children
(4)
Content that is harmful to children, present on a part of a service that it is possible for children to access.
Interpretation
(5)
In this section “affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—
(a)
the subject of the content,
(b)
a member of a class or group of people with a certain characteristic targeted by the content,
(c)
a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or
(d)
an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.
(6)
For the purposes of subsection (4), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(7)
See also—
(a)
section 22 (duties about freedom of expression and privacy), and
(b)
section 72(5)(a) (reporting of content that terms of service allow to be taken down or restricted).
21Duties about complaints procedures
(1)
This section sets out the duties about complaints procedures which apply in relation to all regulated user-to-user services.
(2)
A duty to operate a complaints procedure in relation to a service that—
(a)
allows for relevant kinds of complaint to be made (as set out under the headings below),
(b)
provides for appropriate action to be taken by the provider of the service in response to complaints of a relevant kind, and
(c)
is easy to access, easy to use (including by children) and transparent.
(3)
A duty to include in the terms of service provisions which are easily accessible (including to children) specifying the policies and processes that govern the handling and resolution of complaints of a relevant kind.
All services
(4)
The following kinds of complaint are relevant for all services—
(a)
complaints by users and affected persons about content present on a service which they consider to be illegal content;
(b)
complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—
(i)
section 10 (illegal content),
(ii)
section 20 (content reporting), or
(c)
complaints by a user who has generated, uploaded or shared content on a service if that content is taken down on the basis that it is illegal content;
(d)
complaints by a user of a service if the provider has given a warning to the user, suspended or banned the user from using the service, or in any other way restricted the user’s ability to use the service, as a result of content generated, uploaded or shared by the user which the provider considers to be illegal content;
(e)
complaints by a user who has generated, uploaded or shared content on a service if—
(i)
the use of proactive technology on the service results in that content being taken down or access to it being restricted, or given a lower priority or otherwise becoming less likely to be encountered by other users, and
(ii)
the user considers that the proactive technology has been used in a way not contemplated by, or in breach of, the terms of service (for example, by affecting content not of a kind specified in the terms of service as a kind of content in relation to which the technology would operate).
Services likely to be accessed by children
(5)
The following kinds of complaint are relevant for services that are likely to be accessed by children—
(a)
complaints by users and affected persons about content, present on a part of a service that it is possible for children to access, which they consider to be content that is harmful to children;
(b)
complaints by users and affected persons if they consider that the provider is not complying with a duty set out in section 12 (children’s online safety);
(c)
complaints by a user who has generated, uploaded or shared content on a service if that content is taken down, or access to it is restricted, on the basis that it is content that is harmful to children;
(d)
complaints by a user of a service if the provider has given a warning to the user, suspended or banned the user from using the service, or in any other way restricted the user’s ability to use the service, as a result of content generated, uploaded or shared by the user which the provider considers to be content that is harmful to children;
Category 1 services
(6)
The relevant kind of complaint for Category 1 services is complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—
(a)
section 15 (user empowerment),
(b)
section 17 (content of democratic importance),
(c)
section 18 (news publisher content),
(d)
section 19 (journalistic content), or
Interpretation
(7)
In this section “affected person” has the meaning given by section 20.
(8)
For the purposes of subsection (5)(a), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(9)
See also—
(a)
section 22 (duties about freedom of expression and privacy), and
(b)
section 72(6) (complaints procedure relating to content that terms of service allow to be taken down or restricted).
Cross-cutting duties
22Duties about freedom of expression and privacy
(1)
This section sets out the duties about freedom of expression and privacy which apply in relation to regulated user-to-user services (as indicated by the headings).
All services
(2)
When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users’ right to freedom of expression within the law.
(3)
When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a user-to-user service (including, but not limited to, any such provision or rule concerning the processing of personal data).
Additional duties for Category 1 services
(4)
A duty—
(a)
when deciding on safety measures and policies, to carry out an assessment of the impact that such measures or policies would have on—
(i)
users’ right to freedom of expression within the law, and
(ii)
the privacy of users; and
(5)
An impact assessment relating to a service must include a section which considers the impact of the safety measures and policies on the availability and treatment on the service of content which is news publisher content or journalistic content in relation to the service.
(6)
A duty to—
(a)
keep an impact assessment up to date, and
(b)
publish impact assessments.
(7)
A duty to specify in a publicly available statement the positive steps that the provider has taken in response to an impact assessment to—
(a)
protect users’ right to freedom of expression within the law, and
(b)
protect the privacy of users.
Interpretation
(8)
In this section—
“impact assessment” means an impact assessment under subsection (4);
“safety measures and policies” means measures and policies designed to secure compliance with any of the duties set out in—
(a)
section 10 (illegal content),
(b)
section 12 (children’s online safety),
(c)
section 15 (user empowerment),
(d)
section 20 (content reporting), or
(e)
section 21 (complaints procedures).
(9)
Any reference in this section to the privacy of users or steps taken to protect the privacy of users is to be construed in accordance with subsection (3).
(10)
See—
section 19 for the meaning of “journalistic content”;
section 55 for the meaning of “news publisher content”.
23Record-keeping and review duties
(1)
This section sets out the record-keeping and review duties which apply in relation to regulated user-to-user services (as indicated by the headings).
All services
(2)
A duty to make and keep a written record, in an easily understandable form, of all aspects of every risk assessment under section 9 or 11, including details about how the assessment was carried out and its findings.
(3)
A duty to make and keep a written record of any measures taken or in use to comply with a relevant duty which—
(a)
are described in a code of practice and recommended for the purpose of compliance with the duty in question, and
(b)
apply in relation to the provider and the service in question.
In this section such measures are referred to as “applicable measures in a code of practice”.
(4)
If alternative measures have been taken or are in use to comply with a relevant duty, a duty to make and keep a written record containing the following information—
(a)
the applicable measures in a code of practice that have not been taken or are not in use,
(b)
the alternative measures that have been taken or are in use,
(c)
how those alternative measures amount to compliance with the duty in question, and
(d)
how the provider has complied with section 49(5) (freedom of expression and privacy).
(5)
If alternative measures have been taken or are in use to comply with a duty set out in section 10(2) or (3) or 12(2) or (3), the record required under subsection (4) of this section must also indicate whether such measures have been taken or are in use in every area listed in section 10(4) or 12(8) (as the case may be) in relation to which there are applicable measures in a code of practice.
(6)
A duty to review compliance with the relevant duties in relation to a service—
(a)
regularly, and
(b)
as soon as reasonably practicable after making any significant change to any aspect of the design or operation of the service.
(7)
OFCOM may provide that particular descriptions of providers of user-to-user services are exempt from any or all of the duties set out in this section, and may revoke such an exemption.
(8)
OFCOM must publish details of any exemption or revocation under subsection (7), including reasons for the revocation of an exemption.
Additional duties for Category 1 services
(9)
A duty to make and keep a written record, in an easily understandable form, of all aspects of every assessment under section 14 (assessments related to the adult user empowerment duty set out in section 15(2)), including details about how the assessment was carried out and its findings.
(10)
As soon as reasonably practicable after making a record of an assessment as required by subsection (2) or (9), or revising such a record, a duty to supply OFCOM with a copy of the record (in full).
Interpretation
(11)
In this section—
“alternative measures” means measures other than measures which are (in relation to the provider and the service in question) applicable measures in a code of practice;
“code of practice” means a code of practice published under section 46;
“relevant duties” means the duties set out in—
(a)
section 10 (illegal content),
(b)
section 12 (children’s online safety),
(c)
section 15 (user empowerment),
(d)
section 17 (content of democratic importance),
(e)
section 19 (journalistic content),
(f)
section 20 (content reporting), and
(g)
section 21 (complaints procedures),
and for the purposes of subsection (6), also includes the duties set out in sections 18 (news publisher content), 71 and 72 (duties about terms of service), and 75 (deceased child users).
CHAPTER 3Providers of search services: duties of care
Search services: which duties apply, and scope of duties
24Providers of search services: duties of care
(1)
(2)
All providers of regulated search services must comply with the following duties in relation to each such service which they provide—
(a)
the duties about illegal content risk assessments set out in section 26,
(c)
the duty about content reporting set out in section 31,
(d)
the duties about complaints procedures set out in section 32,
(e)
the duties about freedom of expression and privacy set out in section 33, and
(3)
Additional duties must be complied with by providers of particular kinds of regulated search services, as follows.
(4)
All providers of regulated search services that are likely to be accessed by children must comply with the following duties in relation to each such service which they provide—
(a)
the duties about children’s risk assessments set out in section 28, and
(5)
All providers of regulated search services that are Category 2A services must comply with the following duties in relation to each such service which they provide—
(a)
the duty about illegal content risk assessments set out in section 27(9),
(b)
the duty about children’s risk assessments set out in section 29(9), and
(c)
the duty about record-keeping set out in section 34(9).
(6)
For the meaning of “likely to be accessed by children”, see section 37.
(7)
For the meaning of “Category 2A service”, see section 95 (register of categories of services).
25Scope of duties of care
(1)
A duty set out in this Chapter which must be complied with in relation to a search service extends only to—
(a)
the search content of the service,
(b)
the design, operation and use of the search engine in the United Kingdom, and
(c)
in the case of a duty that is expressed to apply in relation to users of a service, the design, operation and use of the search engine as it affects United Kingdom users of the service.
(2)
For the purposes of the application of this Chapter in relation to the search engine of a combined service (see section 7(6))—
(a)
a duty set out in this Chapter which requires a matter to be included in a publicly available statement may be satisfied by including the matter in the terms of service;
(b)
references in this Chapter (except in section 24) to a search service are to be read as references to the search engine;
(c)
references in this Chapter (except in section 24) to the provider of a search service are to be read as references to the provider of the combined service.
Illegal content duties for search services
26Illegal content risk assessment duties
(1)
This section sets out the duties about risk assessments which apply in relation to all regulated search services.
(2)
A duty to carry out a suitable and sufficient illegal content risk assessment at a time set out in, or as provided by, Schedule 3.
(3)
A duty to take appropriate steps to keep an illegal content risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.
(4)
Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient illegal content risk assessment relating to the impacts of that proposed change.
(5)
An “illegal content risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—
(a)
the level of risk of individuals who are users of the service encountering search content of the following kinds—
(i)
each kind of priority illegal content (with each kind separately assessed), and
(ii)
other illegal content,
taking into account (in particular) risks presented by algorithms used by the service, and the way that the service indexes, organises and presents search results;
(b)
the level of risk of functionalities of the service facilitating individuals encountering search content that is illegal content, identifying and assessing those functionalities that present higher levels of risk;
(c)
the nature, and severity, of the harm that might be suffered by individuals from the matters identified in accordance with paragraphs (a) and (b);
(d)
how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.
(6)
In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to individuals presented by illegal content.
(7)
See also—
(b)
Schedule 3 (timing of providers’ assessments).
27Safety duties about illegal content
(1)
This section sets out the duties about illegal content which apply in relation to regulated search services (as indicated by the headings).
All services
(2)
A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively mitigate and manage the risks of harm to individuals, as identified in the most recent illegal content risk assessment of the service (see section 26(5)(c)).
(3)
A duty to operate a service using proportionate systems and processes designed to minimise the risk of individuals encountering search content of the following kinds—
(a)
priority illegal content;
(b)
other illegal content that the provider knows about (having been alerted to it by another person or become aware of it in any other way).
(4)
The duties set out in subsections (2) and (3) apply across all areas of a service, including the way the search engine is designed, operated and used as well as search content of the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—
(a)
regulatory compliance and risk management arrangements,
(b)
design of functionalities, algorithms and other features relating to the search engine,
(c)
functionalities allowing users to control the content they encounter in search results,
(d)
content prioritisation,
(e)
user support measures, and
(f)
staff policies and practices.
(5)
A duty to include provisions in a publicly available statement specifying how individuals are to be protected from search content that is illegal content.
(6)
A duty to apply the provisions of the statement referred to in subsection (5) consistently.
(7)
(8)
Additional duty for Category 2A services
(9)
A duty to summarise in a publicly available statement the findings of the most recent illegal content risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to individuals).
Interpretation
(10)
In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—
(a)
all the findings of the most recent illegal content risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to individuals), and
(b)
the size and capacity of the provider of a service.
(11)
In this section “illegal content risk assessment” has the meaning given by section 26.
(12)
See also, in relation to duties set out in this section, section 33 (duties about freedom of expression and privacy).
Search services likely to be accessed by children
28Children’s risk assessment duties
(1)
This section sets out the duties about risk assessments which apply in relation to regulated search services that are likely to be accessed by children (in addition to the duties about risk assessments set out in section 26).
(2)
A duty to carry out a suitable and sufficient children’s risk assessment at a time set out in, or as provided by, Schedule 3.
(3)
A duty to take appropriate steps to keep a children’s risk assessment up to date, including when OFCOM make any significant change to a risk profile that relates to services of the kind in question.
(4)
Before making any significant change to any aspect of a service’s design or operation, a duty to carry out a further suitable and sufficient children’s risk assessment relating to the impacts of that proposed change.
(5)
A “children’s risk assessment” of a service of a particular kind means an assessment of the following matters, taking into account the risk profile that relates to services of that kind—
(a)
the level of risk of children who are users of the service encountering search content of the following kinds—
(i)
each kind of primary priority content that is harmful to children (with each kind separately assessed),
(ii)
each kind of priority content that is harmful to children (with each kind separately assessed), and
(iii)
non-designated content that is harmful to children,
giving separate consideration to children in different age groups, and taking into account (in particular) risks presented by algorithms used by the service and the way that the service indexes, organises and presents search results;
(b)
the level of risk of children who are users of the service encountering search content that is harmful to children which particularly affects individuals with a certain characteristic or members of a certain group;
(c)
the extent to which the design of the service, in particular its functionalities, affects the level of risk of harm that might be suffered by children, identifying and assessing those functionalities that present higher levels of risk, including a functionality that makes suggestions relating to users’ search requests (predictive search functionality);
(d)
the different ways in which the service is used, including functionalities or other features of the service that affect how much children use the service, and the impact of such use on the level of risk of harm that might be suffered by children;
(e)
(f)
how the design and operation of the service (including the business model, governance, use of proactive technology, measures to promote users’ media literacy and safe use of the service, and other systems and processes) may reduce or increase the risks identified.
(6)
In this section references to risk profiles are to the risk profiles for the time being published under section 98 which relate to the risk of harm to children presented by content that is harmful to children.
(7)
See also—
(b)
Schedule 3 (timing of providers’ assessments).
29Safety duties protecting children
(1)
This section sets out the duties to protect children’s online safety which apply in relation to regulated search services that are likely to be accessed by children (as indicated by the headings).
All services
(2)
A duty, in relation to a service, to take or use proportionate measures relating to the design or operation of the service to effectively—
(a)
mitigate and manage the risks of harm to children in different age groups, as identified in the most recent children’s risk assessment of the service (see section 28(5)(e)), and
(b)
mitigate the impact of harm to children in different age groups presented by search content that is harmful to children.
(3)
A duty to operate a service using proportionate systems and processes designed to—
(a)
minimise the risk of children of any age encountering search content that is primary priority content that is harmful to children;
(b)
minimise the risk of children in age groups judged to be at risk of harm from other content that is harmful to children (or from a particular kind of such content) encountering search content of that kind.
(4)
The duties set out in subsections (2) and (3) apply across all areas of a service, including the way the search engine is designed, operated and used as well as search content of the service, and (among other things) require the provider of a service to take or use measures in the following areas, if it is proportionate to do so—
(a)
regulatory compliance and risk management arrangements,
(b)
design of functionalities, algorithms and other features relating to the search engine,
(c)
functionalities allowing for control over content that is encountered in search results, especially by children,
(d)
content prioritisation,
(e)
user support measures, and
(f)
staff policies and practices.
(5)
A duty to include provisions in a publicly available statement specifying how children are to be protected from search content of the following kinds—
(a)
primary priority content that is harmful to children (with each kind of primary priority content separately covered),
(b)
priority content that is harmful to children (with each kind of priority content separately covered), and
(c)
non-designated content that is harmful to children.
(6)
A duty to apply the provisions of the statement referred to in subsection (5) consistently.
(7)
(8)
Additional duty for Category 2A services
(9)
A duty to summarise in a publicly available statement the findings of the most recent children’s risk assessment of a service (including as to levels of risk and as to nature, and severity, of potential harm to children).
30Safety duties protecting children: interpretation
(1)
In determining what is proportionate for the purposes of section 29, the following factors, in particular, are relevant—
(a)
all the findings of the most recent children’s risk assessment (including as to levels of risk and as to nature, and severity, of potential harm to children), and
(b)
the size and capacity of the provider of a service.
(2)
So far as a duty set out in section 29 relates to non-designated content that is harmful to children, the duty is to be taken to extend only to addressing risks of harm from the kinds of such content that have been identified in the most recent children’s risk assessment (if any have been identified).
(3)
The reference in section 29(3)(b) to children in age groups judged to be at risk of harm from content that is harmful to children is a reference to children in age groups judged to be at risk of such harm as assessed by the provider of a service in the most recent children’s risk assessment of the service.
(4)
The duties set out in section 29(3) are to be taken to extend only to content that is harmful to children where the risk of harm is presented by the nature of the content (rather than the fact of its dissemination).
(5)
The duties set out in section 29 extend only to such parts of a service as it is possible for children to access.
(6)
For the purposes of subsection (5), a provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(7)
In section 29 and this section “children’s risk assessment” has the meaning given by section 28.
(8)
See also, in relation to duties set out in section 29, section 33 (duties about freedom of expression and privacy).
Duties about content reporting and complaints procedures
31Duty about content reporting
(1)
This section sets out the duty about content reporting which applies in relation to all regulated search services.
(2)
A duty to operate a service using systems and processes that allow users and affected persons to easily report search content which they consider to be content of a kind specified below (with the duty extending to content that is harmful to children depending on the kind of service, as indicated by the headings).
All services
(3)
Illegal content.
Services likely to be accessed by children
(4)
Content that is harmful to children.
Interpretation
(5)
In this section “affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—
(a)
the subject of the content,
(b)
a member of a class or group of people with a certain characteristic targeted by the content,
(c)
a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or
(d)
an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.
(6)
See also, in relation to the duty set out in this section, section 33 (duties about freedom of expression and privacy).
32Duties about complaints procedures
(1)
This section sets out the duties about complaints procedures which apply in relation to all regulated search services.
(2)
A duty to operate a complaints procedure in relation to a service that—
(a)
allows for relevant kinds of complaint to be made (as set out under the headings below),
(b)
provides for appropriate action to be taken by the provider of the service in response to complaints of a relevant kind, and
(c)
is easy to access, easy to use (including by children) and transparent.
(3)
A duty to make the policies and processes that govern the handling and resolution of complaints of a relevant kind publicly available and easily accessible (including to children).
All services
(4)
The following kinds of complaint are relevant for all services—
(a)
complaints by users and affected persons about search content which they consider to be illegal content;
(b)
complaints by users and affected persons if they consider that the provider is not complying with a duty set out in—
(i)
section 27 (illegal content),
(ii)
section 31 (content reporting), or
(iii)
section 33 (freedom of expression and privacy);
(c)
complaints by an interested person if the provider of a search service takes or uses measures in order to comply with a duty set out in section 27 that result in content relating to that interested person no longer appearing in search results or being given a lower priority in search results;
(d)
complaints by an interested person if—
(i)
the use of proactive technology on a search service results in content relating to that interested person no longer appearing in search results or being given a lower priority in search results, and
(ii)
the interested person considers that the proactive technology has been used in a way not contemplated by, or in breach of, the provider’s policies on its use (for example, by affecting content not of a kind specified in those policies as a kind of content in relation to which the technology would operate).
Services likely to be accessed by children
(5)
The following kinds of complaint are relevant for services that are likely to be accessed by children—
(a)
complaints by users and affected persons about search content which they consider to be content that is harmful to children;
(b)
complaints by users and affected persons if they consider that the provider is not complying with a duty set out in section 29 (children’s online safety);
(c)
complaints by an interested person if the provider of a search service takes or uses measures in order to comply with a duty set out in section 29 that result in content relating to that interested person no longer appearing in search results or being given a lower priority in search results;
Interpretation
(6)
In this section—
“affected person” has the meaning given by section 31;
“interested person” has the meaning given by section 227(7).
(7)
See also, in relation to duties set out in this section, section 33 (duties about freedom of expression and privacy).
Cross-cutting duties
33Duties about freedom of expression and privacy
(1)
This section sets out the duties about freedom of expression and privacy which apply in relation to all regulated search services.
(2)
When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting the rights of users and interested persons to freedom of expression within the law.
(3)
When deciding on, and implementing, safety measures and policies, a duty to have particular regard to the importance of protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a search service (including, but not limited to, any such provision or rule concerning the processing of personal data).
(4)
In this section—
“interested person” has the meaning given by section 227(7);
“safety measures and policies” means measures and policies designed to secure compliance with any of the duties set out in—
(a)
section 27 (illegal content),
(b)
section 29 (children’s online safety),
(c)
section 31 (content reporting), or
(d)
section 32 (complaints procedures).
34Record-keeping and review duties
(1)
This section sets out the record-keeping and review duties which apply in relation to regulated search services (as indicated by the headings).
All services
(2)
A duty to make and keep a written record, in an easily understandable form, of all aspects of every risk assessment under section 26 or 28, including details about how the assessment was carried out and its findings.
(3)
A duty to make and keep a written record of any measures taken or in use to comply with a relevant duty which—
(a)
are described in a code of practice and recommended for the purpose of compliance with the duty in question, and
(b)
apply in relation to the provider and the service in question.
In this section such measures are referred to as “applicable measures in a code of practice”.
(4)
If alternative measures have been taken or are in use to comply with a relevant duty, a duty to make and keep a written record containing the following information—
(a)
the applicable measures in a code of practice that have not been taken or are not in use,
(b)
the alternative measures that have been taken or are in use,
(c)
how those alternative measures amount to compliance with the duty in question, and
(d)
how the provider has complied with section 49(5) (freedom of expression and privacy).
(5)
If alternative measures have been taken or are in use to comply with a duty set out in section 27(2) or (3) or 29(2) or (3), the record required under subsection (4) of this section must also indicate whether such measures have been taken or are in use in every area listed in subsection (4) of those sections in relation to which there are applicable measures in a code of practice.
(6)
A duty to review compliance with the relevant duties in relation to a service—
(a)
regularly, and
(b)
as soon as reasonably practicable after making any significant change to any aspect of the design or operation of the service.
(7)
OFCOM may provide that particular descriptions of providers of search services are exempt from any or all of the duties set out in this section, and may revoke such an exemption.
(8)
OFCOM must publish details of any exemption or revocation under subsection (7), including reasons for the revocation of an exemption.
Additional duty for Category 2A services
(9)
As soon as reasonably practicable after making a record of a risk assessment as required by subsection (2), or revising such a record, a duty to supply OFCOM with a copy of the record (in full).
Interpretation
(10)
In this section—
“alternative measures” means measures other than measures which are (in relation to the provider and the service in question) applicable measures in a code of practice;
“code of practice” means a code of practice published under section 46;
“relevant duties” means the duties set out in—
(a)
section 27 (illegal content),
(b)
section 29 (children’s online safety),
(c)
section 31 (content reporting), and
(d)
section 32 (complaints procedures),
and for the purposes of subsection (6), also includes the duties set out in section 75 (deceased child users).
CHAPTER 4Children's access assessments
35Children’s access assessments
(1)
In this Part, a “children’s access assessment” means an assessment of a Part 3 service—
(a)
to determine whether it is possible for children to access the service or a part of the service, and
(b)
if it is possible for children to access the service or a part of the service, to determine whether the child user condition is met in relation to the service or a part of the service.
(2)
A provider is only entitled to conclude that it is not possible for children to access a service, or a part of it, if age verification or age estimation is used on the service with the result that children are not normally able to access the service or that part of it.
(3)
The “child user condition” is met in relation to a service, or a part of a service, if—
(a)
there is a significant number of children who are users of the service or of that part of it, or
(b)
the service, or that part of it, is of a kind likely to attract a significant number of users who are children.
(4)
For the purposes of subsection (3)—
(a)
the reference to a “significant” number includes a reference to a number which is significant in proportion to the total number of United Kingdom users of a service or (as the case may be) a part of a service;
(b)
whether the test in paragraph (a) of that subsection is met is to be based on evidence about who actually uses a service, rather than who the intended users of the service are.
(5)
In this Chapter—
(a)
references to children are to children in the United Kingdom;
(b)
references to a part of a service do not include any part of a service that is not, or is not included in, a user-to-user part of a service or a search engine.
36Duties about children’s access assessments
(1)
A provider of a Part 3 service must carry out the first children’s access assessment at a time set out in, or as provided by, Schedule 3.
(2)
(3)
The provider must carry out children’s access assessments of the service not more than one year apart.
(4)
The provider must carry out a children’s access assessment of the service—
(a)
before making any significant change to any aspect of the service’s design or operation to which such an assessment is relevant,
(b)
in response to evidence about reduced effectiveness of age verification or age estimation that is used on the service as mentioned in section 35(2), or
(c)
in response to evidence about a significant increase in the number of children using the service.
(5)
If a person is the provider of more than one Part 3 service, children’s access assessments must be carried out for each service separately.
(6)
Children’s access assessments must be suitable and sufficient for the purposes of this Part.
(7)
A provider must make and keep a written record, in an easily understandable form, of every children’s access assessment.
37Meaning of “likely to be accessed by children”
(1)
For the purposes of this Part, a Part 3 service is to be treated as “likely to be accessed by children” in the following three cases (with the result that the duties set out in sections 11 and 12, or (as the case may be) sections 28 and 29, apply in relation to the service).
(2)
The first case is where a children’s access assessment carried out by the provider of the service concludes that—
(a)
it is possible for children to access the service or a part of it, and
(b)
the child user condition is met in relation to—
(i)
the service, or
(ii)
a part of the service that it is possible for children to access.
This subsection is to be interpreted consistently with section 35.
(3)
In that case, the service is to be treated as likely to be accessed by children from the date on which the children’s access assessment is completed.
(4)
The second case is where the provider of the service fails to carry out the first children’s access assessment as required by section 36(1).
(5)
In that case—
(a)
the service is to be treated as likely to be accessed by children from the date by which the first children’s access assessment was required to have been completed (see Part 1 of Schedule 3), and
(b)
the service is to continue to be treated as likely to be accessed by children by reason of subsection (4) until such time as the provider completes the first children’s access assessment of the service.
(6)
(7)
In that case, the service is to be treated as likely to be accessed by children from the date of, or specified in, the confirmation decision given to the provider of the service (as the case may be: see section 135(5)).
CHAPTER 5Duties about fraudulent advertising
38Duties about fraudulent advertising: Category 1 services
(1)
A provider of a Category 1 service must operate the service using proportionate systems and processes designed to—
(a)
prevent individuals from encountering content consisting of fraudulent advertisements by means of the service;
(b)
minimise the length of time for which any such content is present;
(c)
where the provider is alerted by a person to the presence of such content, or becomes aware of it in any other way, swiftly take down such content.
(2)
A provider of a Category 1 service must include clear and accessible provisions in the terms of service giving information about any proactive technology used by the service for the purpose of compliance with the duty set out in subsection (1) (including the kind of technology, when it is used, and how it works).
(3)
In relation to a Category 1 service, an advertisement is a “fraudulent advertisement” if—
(a)
it is a paid-for advertisement (see section 236),
(b)
(c)
it is not regulated user-generated content (see section 55) in relation to the service.
(4)
If a person is the provider of more than one Category 1 service, the duties set out in this section apply in relation to each such service.
(5)
In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—
(a)
the nature, and severity, of potential harm to individuals presented by different kinds of fraudulent advertisement, and
(b)
the degree of control a provider has in relation to the placement of advertisements on the service.
(6)
In the case of a Category 1 service which is a combined service, the duties set out in this section do not extend to—
(a)
fraudulent advertisements that may be encountered in search results of the service or, following a search request, as a result of subsequent interactions with internet services, or
(b)
anything relating to the design, operation or use of the search engine.
But if the service is also a Category 2A service, the duties set out in section 39 apply as well as the duties set out in this section.
(7)
The duties set out in this section extend only to the design, operation and use of a Category 1 service in the United Kingdom.
(8)
For the meaning of “Category 1 service”, see section 95 (register of categories of services).
39Duties about fraudulent advertising: Category 2A services
(1)
A provider of a Category 2A service must operate the service using proportionate systems and processes designed to—
(a)
prevent individuals from encountering content consisting of fraudulent advertisements in or via search results of the service;
(b)
if any such content may be encountered in or via search results of the service, minimise the length of time that that is the case;
(c)
where the provider is alerted by a person to the fact that such content may be so encountered, or becomes aware of that fact in any other way, swiftly ensure that individuals are no longer able to encounter such content in or via search results of the service.
(2)
A provider of a Category 2A service must include clear and accessible provisions in a publicly available statement giving information about any proactive technology used by the service for the purpose of compliance with the duty set out in subsection (1) (including the kind of technology, when it is used, and how it works).
(3)
In relation to a Category 2A service, an advertisement is a “fraudulent advertisement” if—
(a)
it is a paid-for advertisement (see section 236), and
(b)
it amounts to an offence specified in section 40 (construed in accordance with section 59: see subsections (3), (11) and (12) of that section).
(4)
The references to encountering fraudulent advertisements “in or via search results” of a search service—
(a)
are references to encountering fraudulent advertisements—
(i)
in search results of the service, or
(ii)
as a result of interacting with a paid-for advertisement in search results of the service (for example, by clicking on it);
(b)
do not include references to encountering fraudulent advertisements as a result of any subsequent interactions with an internet service other than the search service.
(5)
If a person is the provider of more than one Category 2A service, the duties set out in this section apply in relation to each such service.
(6)
In determining what is proportionate for the purposes of this section, the following factors, in particular, are relevant—
(a)
the nature, and severity, of potential harm to individuals presented by different kinds of fraudulent advertisement, and
(b)
the degree of control a provider has in relation to the placement of advertisements on the service.
(7)
The duties set out in this section extend only to the design, operation and use of a Category 2A service in the United Kingdom.
(8)
For the meaning of “Category 2A service”, see section 95 (register of categories of services).
40Fraud etc offences
(1)
(2)
An offence under any of the following provisions of the Financial Services and Markets Act 2000—
(a)
section 23 (contravention of prohibition on carrying on regulated activity unless authorised or exempt);
(b)
section 24 (false claims to be authorised or exempt);
(c)
section 25 (contravention of restrictions on financial promotion).
(3)
An offence under any of the following provisions of the Fraud Act 2006—
(a)
section 2 (fraud by false representation);
(b)
section 4 (fraud by abuse of position);
(c)
section 7 (making or supplying articles for use in frauds);
(d)
section 9 (participating in fraudulent business carried on by sole trader etc).
(4)
An offence under any of the following provisions of the Financial Services Act 2012—
(a)
section 89 (misleading statements);
(b)
section 90 (misleading impressions).
(5)
(6)
(7)
CHAPTER 6Codes of practice and guidance
Codes of practice
41Codes of practice about duties
(1)
OFCOM must prepare and issue a code of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content) so far as relating to terrorism content or offences within Schedule 5 (terrorism offences).
(2)
OFCOM must prepare and issue a code of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content) so far as relating to CSEA content or offences within Schedule 6 (child sexual exploitation and abuse offences).
(3)
OFCOM must prepare and issue one or more codes of practice for providers of Part 3 services describing measures recommended for the purpose of compliance with the relevant duties (except to the extent that measures for the purpose of compliance with such duties are described in a code of practice prepared under subsection (1) or (2)).
(4)
OFCOM must prepare and issue a code of practice for providers of Category 1 services and providers of Category 2A services describing measures recommended for the purpose of compliance with the duties set out in Chapter 5 (fraudulent advertising).
(5)
Where a code of practice under this section is in force, OFCOM may—
(a)
prepare a draft of amendments of the code of practice;
(b)
(c)
withdraw the code of practice.
(6)
In the course of preparing a draft of a code of practice or amendments of a code of practice under this section, OFCOM must consult—
(a)
the Secretary of State,
(b)
persons who appear to OFCOM to represent providers of Part 3 services,
(c)
persons who appear to OFCOM to represent the interests of United Kingdom users of Part 3 services,
(d)
persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),
(e)
persons who appear to OFCOM to represent the interests of persons who have suffered harm as a result of matters to which the code of practice is relevant,
(f)
persons whom OFCOM consider to have relevant expertise in equality issues and human rights, in particular—
(i)
the right to freedom of expression set out in Article 10 of the Convention, and
(ii)
the right to respect for a person’s private and family life, home and correspondence set out in Article 8 of the Convention,
(g)
the Information Commissioner,
(h)
the Children’s Commissioner,
(i)
the Commissioner for Victims and Witnesses,
(j)
the Domestic Abuse Commissioner,
(k)
persons whom OFCOM consider to have expertise in public health, science or medicine that is relevant to online safety matters,
(l)
persons whom OFCOM consider to have expertise in innovation, or emerging technology, that is relevant to online safety matters, and
(m)
such other persons as OFCOM consider appropriate.
(7)
In the course of preparing a draft of a code of practice or amendments to which this subsection applies, OFCOM must also consult persons whom OFCOM consider to have expertise in the enforcement of the criminal law and the protection of national security that is relevant to online safety matters.
(8)
Subsection (7) applies to—
(a)
a code of practice under subsection (1) and amendments of such a code,
(b)
a code of practice under subsection (2) and amendments of such a code,
(c)
a code of practice under subsection (3) that describes measures recommended for the purpose of compliance with duties set out in section 10 or 27 (illegal content),
(d)
amendments of a code of practice under subsection (3), if and to the extent that those amendments relate to measures recommended for the purpose of compliance with duties set out in section 10 or 27, and
(e)
a code of practice under subsection (4) and amendments of such a code.
(9)
(10)
In this section “the relevant duties” means the duties set out in—
(a)
sections 10 and 27 (illegal content),
(b)
sections 12 and 29 (children’s online safety),
(c)
section 15 (user empowerment),
(d)
section 17 (content of democratic importance),
(e)
section 19 (journalistic content),
(f)
sections 20 and 31 (content reporting), and
(g)
sections 21 and 32 (complaints procedures).
42Codes of practice: principles, objectives, content
Schedule 4 contains—
(a)
provision about the principles OFCOM must consider when preparing codes of practice under section 41,
(b)
the online safety objectives (and a power for the Secretary of State by regulations to revise those objectives),
(c)
provision about the measures that may be described in codes of practice (including, in particular, constraints on the recommendation of the use of proactive technology), and
(d)
other provision related to codes of practice.
43Procedure for issuing codes of practice
(1)
Where OFCOM have prepared a draft of a code of practice under section 41, they must submit the draft to the Secretary of State.
(2)
(3)
If, within the 40-day period, either House of Parliament resolves not to approve the draft—
(a)
OFCOM must not issue the code of practice in the form of that draft, and
(b)
OFCOM must prepare another draft of the code of practice under section 41.
(4)
If no such resolution is made within that period—
(a)
OFCOM must issue the code of practice in the form of the draft laid before Parliament, and
(b)
the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued.
(5)
“The 40-day period” is the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House of Parliament on the same day, the later of the days on which it is laid).
(6)
In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.
(7)
(8)
This section is subject to section 48 (minor amendments of codes of practice).
(9)
Subsection (11) applies to—
(a)
a draft of the first code of practice prepared under section 41(1) (terrorism code of practice);
(b)
a draft of the first code of practice prepared under section 41(2) (CSEA code of practice);
(c)
a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 10 or 27 (illegal content);
(d)
a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 12 or 29 (children’s online safety);
(e)
a draft of the first code of practice prepared under section 41(3) relating to a duty set out in section 20 or 31 (content reporting);
(f)
a draft of the first code of practice prepared under section 41(3) relating to—
(i)
a duty set out in section 21 (complaints procedures) that concerns complaints of a kind mentioned in subsection (4) or (5) of that section, or
(ii)
a duty set out in section 32 (complaints procedures).
(10)
For the purposes of paragraphs (c) to (f) of subsection (9) a draft of a code of practice is a draft of the first code of practice relating to a duty if—
(a)
it describes measures recommended for the purpose of compliance with the duty, and
(b)
it is a draft of the first code of practice prepared under section 41(3) that describes measures for that purpose.
(11)
OFCOM must submit a draft to which this subsection applies to the Secretary of State under subsection (1) within the period of 18 months beginning with the day on which this Act is passed.
(12)
If OFCOM consider that it is necessary to extend the period mentioned in subsection (11) in relation to a draft mentioned in any of paragraphs (a) to (f) of subsection (9), OFCOM may extend the period in relation to that draft by up to 12 months by making and publishing a statement.
But this is subject to subsection (15).
(13)
A statement under subsection (12) must set out—
(a)
the reasons why OFCOM consider that it is necessary to extend the period mentioned in subsection (11) in relation to the draft concerned, and
(b)
the period of extension.
(14)
A statement under subsection (12) may be published at the same time as (or incorporate) a statement under section 194(3) (extension of time to prepare certain guidance).
(15)
But a statement under subsection (12) may not be made in relation to a draft mentioned in a particular paragraph of subsection (9) if—
(a)
a statement has previously been made under subsection (12) (whether in relation to a draft mentioned in the same or a different paragraph of subsection (9)), or
(b)
a statement has previously been made under section 194(3).
44Secretary of State’s powers of direction
(1)
The Secretary of State may direct OFCOM to modify a draft of a code of practice submitted under section 43(1) if the Secretary of State believes that modifications are required for the purpose of securing compliance with an international obligation of the United Kingdom.
(2)
The Secretary of State may direct OFCOM to modify a draft of a code of practice, other than a terrorism or CSEA code of practice, submitted under section 43(1) if the Secretary of State believes that modifications are required for exceptional reasons relating to—
(a)
national security,
(b)
public safety,
(c)
public health, or
(d)
relations with the government of a country outside the United Kingdom.
(3)
The Secretary of State may direct OFCOM to modify a draft of a terrorism or CSEA code of practice submitted under section 43(1) if the Secretary of State believes that modifications are required—
(a)
for reasons of national security or public safety, or
(b)
for exceptional reasons relating to public health or relations with the government of a country outside the United Kingdom.
(4)
But if a draft of a terrorism or CSEA code of practice is submitted under section 43(1) following a review under section 47(2), the Secretary of State may only direct OFCOM to modify the draft if the Secretary of State believes that modifications are required for reasons of national security or public safety.
(5)
If, following a review of a terrorism or CSEA code of practice under section 47(2), OFCOM submit a statement to the Secretary of State under section 47(3)(b) (“OFCOM’s review statement”), the Secretary of State may direct OFCOM to modify the code of practice if the Secretary of State believes that modifications are required for reasons of national security or public safety.
(6)
A direction given under subsection (5)—
(a)
must be given within the period of 45 days beginning with the day on which OFCOM’s review statement is submitted to the Secretary of State, and
(b)
must make particular reference to OFCOM’s review statement.
(7)
A direction given under this section—
(a)
may not require OFCOM to include in a code of practice provision about a particular measure recommended to be taken or used by providers of Part 3 services,
(b)
must set out the Secretary of State’s reasons for requiring modifications, except in a case where the Secretary of State considers that doing so would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom, and
(c)
must, as soon as reasonably practicable, be published and laid before Parliament.
(8)
If the Secretary of State considers that publishing and laying before Parliament a direction given under this section would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom—
(a)
subsection (7)(c) does not apply in relation to the direction, and
(b)
the Secretary of State must, as soon as reasonably practicable, publish and lay before Parliament a document stating—
(i)
that a direction has been given,
(ii)
the kind of code of practice to which it relates, and
(iii)
the reasons for not publishing it.
(9)
If the Secretary of State gives a direction under this section, OFCOM must, as soon as reasonably practicable—
(a)
comply with the direction,
(b)
submit to the Secretary of State a draft of the code of practice modified in accordance with the direction,
(c)
submit to the Secretary of State a document containing—
(i)
(except in a case mentioned in subsection (7)(b)) details of the direction, and
(ii)
details about how the draft has been revised in response to the direction,
(d)
publish the document, and
(e)
inform the Secretary of State about modifications that OFCOM have made to the draft that are not in response to the direction (if there are any).
(10)
The Secretary of State may give OFCOM one or more further directions requiring OFCOM to modify the draft of the code of practice.
(11)
(12)
When the Secretary of State is satisfied that no further modifications to the draft are required, the Secretary of State must, as soon as reasonably practicable, lay before Parliament—
(a)
the modified draft,
(b)
any document submitted by OFCOM as mentioned in subsection (9)(c), and
(c)
in the case of a direction under subsection (5), OFCOM’s review statement.
(13)
Before laying OFCOM’s review statement before Parliament, the Secretary of State may, with OFCOM’s agreement, remove or obscure information in the statement (whether by redaction or otherwise) in order to prevent the disclosure of matters that the Secretary of State considers would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom.
(14)
This section applies in relation to a draft of amendments of a code of practice submitted under section 43(1) as it applies in relation to a draft of a code of practice submitted under that provision.
(15)
45Procedure for issuing codes of practice following direction under section 44
(1)
This section sets out the procedure that applies where a draft of a code of practice is laid before Parliament under section 44(12).
(2)
(3)
(4)
The “affirmative procedure” is as follows—
(a)
a code of practice in the form of the draft laid before Parliament must not be issued by OFCOM unless the draft has been approved by a resolution of each House of Parliament;
(b)
if the draft is so approved, the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued;
(c)
if the draft is not so approved, OFCOM must prepare another draft of the code of practice under section 41.
(5)
The “negative procedure” is as follows—
(a)
if, within the 40-day period, either House of Parliament resolves not to approve the draft—
(i)
OFCOM must not issue the code of practice in the form of that draft, and
(ii)
OFCOM must prepare another draft of the code of practice under section 41;
(b)
if no such resolution is made within that period—
(i)
OFCOM must issue the code of practice in the form of the draft laid before Parliament, and
(ii)
the code of practice comes into force at the end of the period of 21 days beginning with the day on which it is issued.
(6)
(7)
This section applies in relation to a draft of amendments of a code of practice laid before Parliament under section 44(12) as it applies in relation to a draft of a code of practice laid under that provision.
46Publication of codes of practice
(1)
OFCOM must publish each code of practice issued under section 43 or 45 within the period of three days beginning with the day on which it is issued.
(2)
Where amendments of a code of practice are issued under either of those sections, OFCOM must publish the amended code of practice within the period of three days beginning with the day on which the amendments are issued.
(3)
Where a code of practice is withdrawn, OFCOM must publish a notice to that effect.
47Review of codes of practice
(1)
OFCOM must keep under review each code of practice published under section 46.
(2)
The Secretary of State may require OFCOM to review a terrorism or CSEA code of practice published under section 46 if the Secretary of State considers a review to be necessary for reasons of national security or public safety (and the Secretary of State must notify OFCOM whether the reasons fall into the category of national security or public safety).
(3)
OFCOM must carry out a review of the code of practice under subsection (2) as soon as reasonably practicable, and when it is completed—
(a)
if OFCOM consider that changes are required, they must prepare a draft of amendments to the code of practice or a draft of a replacement code of practice under section 41, or
(b)
if OFCOM consider that no changes are required, they must submit to the Secretary of State a statement which explains the reasons for that conclusion.
(4)
Subsection (5) applies if—
(a)
OFCOM submit a statement under subsection (3)(b) to the Secretary of State,
(b)
the period of 45 days beginning with the day on which the statement was submitted has elapsed, and
(c)
the Secretary of State has not given a direction under section 44(5).
(5)
OFCOM must publish the statement as soon as reasonably practicable after the end of the period mentioned in subsection (4)(b), making it clear which code of practice the statement relates to.
(6)
In advance of publication, the Secretary of State may make representations to OFCOM about the desirability of removing or obscuring information in the statement (whether by redaction or otherwise) in order to prevent the disclosure of matters that the Secretary of State considers would be against the interests of national security, public safety or relations with the government of a country outside the United Kingdom (and see also section 116(3)).
(7)
48Minor amendments of codes of practice
(1)
This section applies if—
(a)
OFCOM propose to amend a code of practice under section 41, and
(b)
OFCOM consider that the minor nature of the proposal means that—
(i)
consultation is unnecessary, and
(ii)
the proposed amendments should not be required to be laid before Parliament.
(2)
OFCOM must notify the Secretary of State of the proposed amendments.
(3)
If the Secretary of State agrees with OFCOM that it is appropriate—
(a)
(b)
section 43 does not apply to the amendments, once prepared.
(4)
If the Secretary of State agrees with OFCOM as mentioned in subsection (3), OFCOM may prepare and issue the amendments of the code of practice.
(5)
Amendments of a code of practice issued under this section come into force at the end of the period of 21 days beginning with the day on which the amendments are issued.
(6)
Section 46(2) applies in relation to amendments of a code of practice issued under this section as it applies in relation to amendments of a code of practice issued under section 43 or 45.
49Relationship between duties and codes of practice
Duties set out in Chapters 2 and 3
(1)
A provider of a Part 3 service is to be treated as complying with a relevant duty if the provider takes or uses the measures described in a code of practice which are recommended for the purpose of compliance with the duty in question.
(2)
A provider of a user-to-user service—
(a)
is to be treated as complying with the duty set out in section 22(2) (freedom of expression) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect users’ right to freedom of expression within the law;
(b)
is to be treated as complying with the duty set out in section 22(3) (privacy) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the privacy of users.
(3)
A provider of a search service—
(a)
is to be treated as complying with the duty set out in section 33(2) (freedom of expression) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the rights of users and interested persons to freedom of expression within the law;
(b)
is to be treated as complying with the duty set out in section 33(3) (privacy) if the provider takes or uses such of the relevant recommended measures as incorporate safeguards to protect the privacy of users.
Duties set out in Chapter 5
(4)
A provider of a Category 1 service or a Category 2A service (or a provider of a service which is both a Category 1 service and a Category 2A service) is to be treated as complying with a duty set out in Chapter 5 if the provider takes or uses the measures described in a fraudulent advertising code of practice which are recommended for the purpose of compliance with the duty in question.
Alternative measures
(5)
A provider of a Part 3 service who seeks to comply with a relevant duty by acting otherwise than by taking or using a measure described in a code of practice or a fraudulent advertising code of practice which is recommended for the purpose of compliance with the duty must have particular regard to the importance of the following (where relevant)—
(a)
protecting the right of users and (in the case of search services) interested persons to freedom of expression within the law, and
(b)
protecting the privacy of users.
(6)
When assessing whether a provider of a Part 3 service is compliant with a relevant duty where the provider has acted otherwise than by taking or using a measure described in a code of practice or a fraudulent advertising code of practice which is recommended for the purpose of compliance with the duty, OFCOM must consider the extent to which the alternative measures taken or in use by the provider—
(a)
Interpretation
(7)
(8)
In this section—
(a)
references to protecting the privacy of users are to protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a user-to-user service or search service (including, but not limited to, any such provision or rule concerning the processing of personal data);
(b)
references to a search service include references to a combined service (see section 7(6)).
(9)
In this section—
“Chapter 2 safety duty” means a duty set out in—
(a)
section 10 (illegal content), or
(b)
section 12 (children’s online safety);
“Chapter 3 safety duty” means a duty set out in—
(a)
section 27 (illegal content), or
(b)
section 29 (children’s online safety);
“code of practice” means a code of practice published under section 46, except a fraudulent advertising code of practice;
“fraudulent advertising code of practice” means a code of practice prepared under section 41(4) and published under section 46;
“relevant duty” means—
(a)
a Chapter 2 safety duty,
(b)
a Chapter 3 safety duty,
(c)
a duty set out in section 15 (user empowerment),
(d)
a duty set out in section 17 (content of democratic importance),
(e)
a duty set out in section 19 (journalistic content),
(f)
a duty set out in section 20 or 31 (content reporting), or
(g)
a duty set out in section 21 or 32 (complaints procedures);
“relevant recommended measures” means the measures described in a code of practice which are recommended for the purpose of compliance with—
(a)
in the case of a user-to-user service—
- (i)
a Chapter 2 safety duty, or
- (ii)
a duty set out in section 15 (user empowerment);
(b)
in the case of a search service, a Chapter 3 safety duty.
50Effects of codes of practice
(1)
A failure by a provider of a Part 3 service to act in accordance with a provision of a code of practice does not of itself make the provider liable to legal proceedings in a court or tribunal.
(2)
A code of practice is admissible in evidence in legal proceedings.
(3)
In any proceedings in a court or tribunal, the court or tribunal must take into account a provision of a code of practice in determining a question arising in the proceedings if—
(a)
the question relates to a time when the provision was in force, and
(b)
the provision appears to the court or tribunal to be relevant to the question.
(4)
OFCOM must take into account a provision of a code of practice in determining a question arising in connection with their exercise of any relevant function if—
(a)
the question relates to a time when the provision was in force, and
(b)
the provision appears to OFCOM to be relevant to the question.
(5)
In this section—
“code of practice” means a code of practice published under section 46;
“relevant functions” means OFCOM’s functions under—
(a)
Chapter 4 of Part 7 (information),
(b)
Chapter 5 of Part 7 (notices to deal with terrorism content and CSEA content),
(c)
Chapter 6 of Part 7 (enforcement), and
(d)
Chapter 2 of Part 8 (super-complaints).
51Duties and the first codes of practice
(1)
(2)
(3)
The duties referred to in subsection (1) are the duties set out in—
(a)
sections 10 and 27 (illegal content),
(b)
sections 12 and 29 (children’s online safety),
(c)
section 15 (user empowerment),
(d)
section 17 (content of democratic importance),
(e)
section 19 (journalistic content),
(f)
sections 20 and 31 (content reporting), and
(g)
sections 21 and 32 (complaints procedures).
(4)
For the purposes of subsection (1) a code of practice is the first code of practice relating to a duty if—
(a)
it describes measures recommended for the purpose of compliance with that duty, and
(b)
it is the first code of practice prepared under section 41(3) that describes measures for that purpose.
(5)
The duties set out in sections 10 and 27, so far as relating to terrorism content or offences within Schedule 5 (terrorism offences), apply to providers of Part 3 services from the day on which the first code of practice prepared under section 41(1) comes into force.
(6)
The duties set out in sections 10 and 27, so far as relating to CSEA content or offences within Schedule 6 (child sexual exploitation and abuse offences), apply to providers of Part 3 services from the day on which the first code of practice prepared under section 41(2) comes into force.
(7)
The duties set out in Chapter 5 (fraudulent advertising) apply to providers of a Category 1 service and providers of a Category 2A service (and to providers of a service which is both a Category 1 service and a Category 2A service) from the day on which the first code of practice prepared under section 41(4) comes into force.
(8)
In relation to the provider of a particular Part 3 service, references in this section to duties applying to providers of Part 3 services (or to providers of Category 1 services or Category 2A services) are to such duties as apply in relation to that service in accordance with sections 7 and 24 or (as the case may be) Chapter 5.
(9)
This section is subject to Part 2 of Schedule 17 (video-sharing platform services: transitional provision etc).
Guidance
52OFCOM’s guidance about certain duties in Part 3
(1)
OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in section 14 (assessments related to the adult user empowerment duty set out in section 15(2)).
(2)
OFCOM must produce guidance for providers of Category 1 services to assist them in complying with their duties set out in section 18 (news publisher content).
(3)
OFCOM must produce guidance for providers of Part 3 services to assist them in complying with—
(a)
their duties set out in section 23 or 34, except the duty set out in section 23(10) or 34(9) (record-keeping and review), and
(b)
their duties set out in section 36 (children’s access assessments).
(4)
(5)
OFCOM must publish guidance under this section (and any revised or replacement guidance).
53OFCOM’s guidance: content that is harmful to children and user empowerment
(1)
OFCOM must produce guidance for providers of Part 3 services which contains examples of content or kinds of content that OFCOM consider to be, or consider not to be—
(a)
primary priority content that is harmful to children, or
(b)
priority content that is harmful to children.
(2)
OFCOM must produce guidance for providers of Category 1 services which contains examples of content or kinds of content that OFCOM consider to be, or consider not to be, content to which section 15(2) applies (see section 16).
(3)
Before producing any guidance under this section (including revised or replacement guidance), OFCOM must consult such persons as they consider appropriate.
(4)
OFCOM must publish guidance under this section (and any revised or replacement guidance).
54OFCOM’s guidance about protecting women and girls
(1)
OFCOM must produce guidance for providers of Part 3 services which focuses on content and activity—
(a)
in relation to which such providers have duties set out in this Part or Part 4, and
(b)
which disproportionately affects women and girls.
(2)
The guidance may, among other things—
(a)
contain advice and examples of best practice for assessing risks of harm to women and girls from content and activity mentioned in subsection (1), and for reducing such risks;
(b)
refer to provisions contained in a code of practice under section 41 which are particularly relevant to the protection of women and girls from such content and activity.
(3)
Before producing the guidance (including revised or replacement guidance), OFCOM must consult—
(a)
the Commissioner for Victims and Witnesses,
(b)
the Domestic Abuse Commissioner, and
(c)
such other persons as OFCOM consider appropriate.
(4)
OFCOM must publish the guidance (and any revised or replacement guidance).
CHAPTER 7Interpretation of Part 3
55“Regulated user-generated content”, “user-generated content”, “news publisher content”
(1)
This section applies for the purposes of this Part.
(2)
“Regulated user-generated content”, in relation to a regulated user-to-user service, means user-generated content, except—
(a)
emails,
(b)
SMS messages,
(c)
MMS messages,
(d)
one-to-one live aural communications (see subsection (5)),
(e)
comments and reviews on provider content (see subsection (6)),
(f)
identifying content that accompanies content within any of paragraphs (a) to (e), and
(g)
news publisher content (see subsection (8)).
(3)
“User-generated content”, in relation to a user-to-user service, means content—
(a)
that is—
(i)
generated directly on the service by a user of the service, or
(ii)
uploaded to or shared on the service by a user of the service, and
(b)
that may be encountered by another user, or other users, of the service by means of the service.
(4)
For the purposes of subsection (3)—
(a)
the reference to content generated, uploaded or shared by a user includes content generated, uploaded or shared by means of software or an automated tool applied by the user;
(b)
a bot or other automated tool is to be regarded as a user of a service if—
(i)
the functions of the bot or tool include interacting with user-generated content, and
(ii)
the bot or tool is not controlled by or on behalf of the provider of the service.
(5)
“One-to-one live aural communications”, in relation to a user-to-user service, means content—
(a)
consisting of speech or other sounds conveyed in real time between two users of the service by means of the service,
(b)
that is not a recording, and
(c)
that is not accompanied by user-generated content of any other kind, except identifying content.
(6)
“Comments and reviews on provider content”, in relation to a user-to-user service, means content present on the service consisting of comments or reviews relating to provider content (together with any further comments on such comments or reviews).
(7)
In subsection (6) “provider content” means content published on a service by the provider of the service or by a person acting on behalf of the provider, including where the publication of the content is effected or controlled by means of—
(a)
software or an automated tool or algorithm applied by the provider or by a person acting on behalf of the provider, or
(b)
an automated tool or algorithm made available on the service by the provider or by a person acting on behalf of the provider.
For the purposes of subsection (6), content that is user-generated content in relation to a service is not to be regarded as provider content in relation to that service.
(8)
(9)
Content is within this subsection if it was generated directly on the service by a user of the service that is a recognised news publisher.
(10)
Content is within this subsection if—
(a)
the content was uploaded to or shared on the service by a user of the service, and
(b)
the content either—
(i)
reproduces in full an article or written item that was originally published by a recognised news publisher (and is not a screenshot or photograph of that article or item or of part of it),
(ii)
is video or audio content that was originally published or broadcast by a recognised news publisher, and is not a clipped or edited form of such content (unless it is the recognised news publisher who has clipped or edited it), or
(iii)
is a link to an article or item within sub-paragraph (i) or to content within sub-paragraph (ii).
(11)
For the meaning of “recognised news publisher”, see section 56.
(12)
In this section—
“MMS message” means a Multimedia Messaging Service message (that may include images, sounds and short videos) that may be sent between telephone numbers allocated in accordance with a national or international numbering plan;
“SMS message” means a Short Message Service text message composed principally of letters or numbers that may be sent between telephone numbers allocated in accordance with a national or international numbering plan.
56“Recognised news publisher”
(1)
In this Part, “recognised news publisher” means any of the following entities—
(a)
the British Broadcasting Corporation,
(b)
Sianel Pedwar Cymru,
(c)
the holder of a licence under the Broadcasting Act 1990 or 1996 who publishes news-related material in connection with the broadcasting activities authorised under the licence, and
(2)
The conditions referred to in subsection (1)(d)(i) are that the entity—
(a)
has as its principal purpose the publication of news-related material, and such material—
(i)
is created by different persons, and
(ii)
is subject to editorial control,
(b)
publishes such material in the course of a business (whether or not carried on with a view to profit),
(c)
is subject to a standards code,
(d)
has policies and procedures for handling and resolving complaints,
(e)
has a registered office or other business address in the United Kingdom,
(f)
is the person with legal responsibility for material published by it in the United Kingdom, and
(g)
publishes—
(i)
the entity’s name, the address mentioned in paragraph (e) and the entity’s registered number (if any), and
(ii)
the name and address of any person who controls the entity (including, where such a person is an entity, the address of that person’s registered or principal office and that person’s registered number (if any)).
(3)
An “excluded entity” is an entity—
(a)
which is a proscribed organisation under the Terrorism Act 2000 (see section 3 of that Act), or
(b)
the purpose of which is to support a proscribed organisation under that Act.
(4)
A “sanctioned entity” is an entity which—
(a)
is designated by name under a power contained in regulations under section 1 of the Sanctions and Anti-Money Laundering Act 2018 that authorises the Secretary of State or the Treasury to designate persons for the purposes of the regulations or of any provisions of the regulations, or
(b)
is a designated person under any provision included in such regulations by virtue of section 13 of that Act (persons named by or under UN Security Council Resolutions).
(5)
For the purposes of subsection (2)—
(a)
news-related material is “subject to editorial control” if there is a person (whether or not the publisher of the material) who has editorial or equivalent responsibility for the material, including responsibility for how it is presented and the decision to publish it;
(b)
“control” has the same meaning as it has in the Broadcasting Act 1990 by virtue of section 202 of that Act.
(6)
In this section—
“
” means material consisting of—(a)
news or information about current affairs,
(b)
opinion about matters relating to the news or current affairs, or
(c)
gossip about celebrities, other public figures or other persons in the news;
“publish” means publish by any means (including by broadcasting), and references to a publisher and publication are to be construed accordingly;
“standards code” means—
(a)
a code of standards that regulates the conduct of publishers, that is published by an independent regulator, or
(b)
a code of standards that regulates the conduct of the entity in question, that is published by the entity itself.
57“Search content”, “search results” etc
(1)
This section applies for the purposes of this Part.
(2)
“Search content” means content that may be encountered in or via search results of a search service, except—
(a)
paid-for advertisements (see section 236),
(b)
content on the website of a recognised news publisher (see section 56), and
(c)
content that—
(i)
reproduces in full an article or written item that was originally published by a recognised news publisher (and is not a screenshot or photograph of that article or item or of part of it),
(ii)
is video or audio content that was originally published or broadcast by a recognised news publisher, and is not a clipped or edited form of such content (unless it is the recognised news publisher who has clipped or edited it), or
(iii)
is a link to an article or item within sub-paragraph (i) or to content within sub-paragraph (ii).
(3)
“Search results”, in relation to a search service, means content presented to a user of the service by operation of the search engine in response to a search request made by the user.
(4)
“Search” means search by any means, including by input of text or images or by speech, and references to a search request are to be construed accordingly.
(5)
In subsection (2), the reference to encountering content “via search results”—
(a)
is to encountering content as a result of interacting with search results (for example, by clicking on them);
(b)
does not include a reference to encountering content as a result of subsequent interactions with an internet service other than the search service.
(6)
In this section references to a search service include references to a user-to-user service that includes a search engine.
58Restricting users’ access to content
(1)
This section applies for the purposes of this Part.
(2)
References to restricting users’ access to content, and related references, include any case where a provider takes or uses a measure which has the effect that—
(a)
a user is unable to access content without taking a prior step (whether or not taking that step might result in access being denied), or
(b)
content is temporarily hidden from a user.
(3)
But such references do not include any case where—
(a)
the effect mentioned in subsection (2) results from the voluntary use or application by a user of features, functionalities or settings which a provider includes in a service (for example, features, functionalities or settings included in compliance with the duty set out in section 15(2) or (9) (user empowerment)), or
(b)
access to content is controlled by another user, rather than the provider.
(4)
See also section 236(6).
59“Illegal content” etc
(1)
This section applies for the purposes of this Part.
(2)
“Illegal content” means content that amounts to a relevant offence.
(3)
Content consisting of certain words, images, speech or sounds amounts to a relevant offence if—
(a)
the use of the words, images, speech or sounds amounts to a relevant offence,
(b)
the possession, viewing or accessing of the content constitutes a relevant offence, or
(c)
the publication or dissemination of the content constitutes a relevant offence.
(4)
“Relevant offence” means—
(a)
a priority offence, or
(b)
an offence within subsection (5).
(5)
An offence is within this subsection if—
(a)
it is not a priority offence,
(b)
the victim or intended victim of the offence is an individual (or individuals), and
(c)
the offence is created by this Act or, before or after this Act is passed, by—
(i)
another Act,
(ii)
an Order in Council,
(iii)
an order, rules or regulations made under an Act by the Secretary of State or other Minister of the Crown, including such an instrument made jointly with a devolved authority, or
(iv)
devolved subordinate legislation made by a devolved authority with the consent of the Secretary of State or other Minister of the Crown.
(6)
But an offence is not within subsection (5) if—
(a)
the offence concerns—
(i)
the infringement of intellectual property rights,
(ii)
the safety or quality of goods (as opposed to what kind of goods they are), or
(iii)
the performance of a service by a person not qualified to perform it; or
(b)
it is an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277).
(7)
“Priority offence” means—
(a)
an offence specified in Schedule 5 (terrorism offences),
(b)
an offence specified in Schedule 6 (offences related to child sexual exploitation and abuse), or
(c)
an offence specified in Schedule 7 (other priority offences).
(8)
“Terrorism content” means content that amounts to an offence specified in Schedule 5.
(9)
“CSEA content” means content that amounts to an offence specified in Schedule 6.
(10)
“Priority illegal content” means—
(a)
terrorism content,
(b)
CSEA content, and
(c)
content that amounts to an offence specified in Schedule 7.
(11)
For the purposes of determining whether content amounts to an offence, no account is to be taken of whether or not anything done in relation to the content takes place in any part of the United Kingdom.
(12)
References in subsection (3) to conduct of particular kinds are not to be taken to prevent content generated by a bot or other automated tool from being capable of amounting to an offence (see also section 192(7) (providers’ judgements about the status of content)).
(13)
Subsection (14) applies in relation to a regulated user-to-user service (but, in the case of a combined service, does not apply in relation to the search content of the service).
(14)
References to “illegal content”, “terrorism content”, “CSEA content” and “priority illegal content” are to be read as—
(a)
limited to content within the definition in question that is regulated user-generated content in relation to the service, and
(b)
including material which, if it were present on the service, would be content within paragraph (a) (and this section is to be read with such modifications as may be necessary for the purpose of this paragraph).
(15)
In this section—
“devolved authority” means—
(a)
the Scottish Ministers,
(b)
the Welsh Ministers, or
(c)
a Northern Ireland department;
“devolved subordinate legislation” means—
(a)
an instrument made under an Act of the Scottish Parliament,
(b)
an instrument made under an Act or Measure of Senedd Cymru, or
(c)
an instrument made under Northern Ireland legislation;
“Minister of the Crown” has the meaning given by section 8 of the Ministers of the Crown Act 1975 and also includes the Commissioners for His Majesty’s Revenue and Customs;
“offence” means an offence under the law of any part of the United Kingdom.
(16)
See also section 192 (providers’ judgements about the status of content).
60“Content that is harmful to children”
(1)
This section and sections 61 and 62 apply for the purposes of this Part.
(2)
“Content that is harmful to children” means—
(a)
primary priority content that is harmful to children (see section 61),
(b)
priority content that is harmful to children (see section 62), or
(c)
content, not within paragraph (a) or (b), of a kind which presents a material risk of significant harm to an appreciable number of children in the United Kingdom.
(3)
Content is not to be regarded as within subsection (2)(c) if the risk of harm flows from—
(a)
the content’s potential financial impact,
(b)
the safety or quality of goods featured in the content, or
(c)
the way in which a service featured in the content may be performed (for example, in the case of the performance of a service by a person not qualified to perform it).
(4)
“Non-designated content that is harmful to children” means content within subsection (2)(c).
(5)
Subsection (6) applies in relation to a regulated user-to-user service (but, in the case of a combined service, does not apply in relation to the search content of the service).
(6)
References to “primary priority content that is harmful to children”, “priority content that is harmful to children”, “content that is harmful to children” and “non-designated content that is harmful to children” are to be read as—
(a)
limited to content within the definition in question that is regulated user-generated content in relation to the service, and
(b)
including material which, if it were present on the service, would be content within paragraph (a) (and this section and sections 61 and 62 are to be read with such modifications as may be necessary for the purpose of this paragraph).
61“Primary priority content that is harmful to children”
(1)
“Primary priority content that is harmful to children” means content of any of the following kinds.
(2)
Pornographic content, other than content within subsection (6).
(3)
Content which encourages, promotes or provides instructions for suicide.
(4)
Content which encourages, promotes or provides instructions for an act of deliberate self-injury.
(5)
Content which encourages, promotes or provides instructions for an eating disorder or behaviours associated with an eating disorder.
(6)
Content is within this subsection if it—
(a)
consists only of text, or
(b)
consists only of text accompanied by—
(i)
identifying content which consists only of text,
(ii)
other identifying content which is not itself pornographic content,
(iii)
a GIF which is not itself pornographic content,
(iv)
an emoji or other symbol, or
(7)
In this section and section 62 “injury” includes poisoning.
62“Priority content that is harmful to children”
(1)
“Priority content that is harmful to children” means content of any of the following kinds.
(2)
Content which is abusive and which targets any of the following characteristics—
(a)
race,
(b)
religion,
(c)
sex,
(d)
sexual orientation,
(e)
disability, or
(f)
gender reassignment.
(3)
Content which incites hatred against people—
(a)
of a particular race, religion, sex or sexual orientation,
(b)
who have a disability, or
(c)
who have the characteristic of gender reassignment.
(4)
Content which encourages, promotes or provides instructions for an act of serious violence against a person.
(5)
Bullying content.
(6)
Content which—
(a)
depicts real or realistic serious violence against a person;
(b)
depicts the real or realistic serious injury of a person in graphic detail.
(7)
Content which—
(a)
depicts real or realistic serious violence against an animal;
(b)
depicts the real or realistic serious injury of an animal in graphic detail;
(c)
realistically depicts serious violence against a fictional creature or the serious injury of a fictional creature in graphic detail.
(8)
Content which encourages, promotes or provides instructions for a challenge or stunt highly likely to result in serious injury to the person who does it or to someone else.
(9)
Content which encourages a person to ingest, inject, inhale or in any other way self-administer—
(a)
a physically harmful substance;
(b)
a substance in such a quantity as to be physically harmful.
(10)
In subsections (2) and (3)—
(a)
“disability” means any physical or mental impairment;
(b)
“race” includes colour, nationality, and ethnic or national origins;
(c)
references to religion include references to a lack of religion.
(11)
For the purposes of subsection (3), a person has the characteristic of gender reassignment if the person is proposing to undergo, is undergoing or has undergone a process (or part of a process) for the purpose of reassigning the person’s sex by changing physiological or other attributes of sex, and the reference to gender reassignment in subsection (2) is to be construed accordingly.
(12)
For the purposes of subsection (5) content may, in particular, be “bullying content” if it is content targeted against a person which—
(a)
conveys a serious threat;
(b)
is humiliating or degrading;
(c)
forms part of a campaign of mistreatment.
(13)
In subsection (6) “person” is not limited to a real person.
(14)
In subsection (7) “animal” is not limited to a real animal.
63Content harmful to children: OFCOM’s review and report
(1)
OFCOM must carry out reviews of—
(a)
the incidence on regulated user-to-user services of content that is harmful to children,
(b)
the incidence on regulated search services and combined services of search content that is harmful to children, and
(c)
the severity of harm that children in the United Kingdom suffer, or may suffer, as a result of those kinds of content.
(2)
OFCOM must produce and publish a report on the outcome of each review.
(3)
The report must include advice as to whether, in OFCOM’s opinion, it is appropriate to make changes to sections 61 and 62, specifying the changes that OFCOM recommend.
(4)
The reports must be published not more than three years apart.
(5)
The first report must be published before the end of the period of three years beginning with the day on which this Act is passed.
(6)
OFCOM must send a copy of each report to the Secretary of State.
PART 4Other duties of providers of regulated user-to-user services and regulated search services
CHAPTER 1User identity verification
64User identity verification
(1)
A provider of a Category 1 service must offer all adult users of the service the option to verify their identity (if identity verification is not required for access to the service).
(2)
The verification process may be of any kind (and in particular, it need not require documentation to be provided).
(3)
A provider of a Category 1 service must include clear and accessible provisions in the terms of service explaining how the verification process works.
(4)
If a person is the provider of more than one Category 1 service, the duties set out in this section apply in relation to each such service.
(5)
The duty set out in subsection (1) applies in relation to all adult users, not just those who begin to use a service after that duty begins to apply.
(6)
The duties set out in this section extend only to—
(a)
the user-to-user part of a service, and
(b)
the design, operation and use of a service in the United Kingdom.
(7)
For the purposes of this section a person is an “adult user” of a service if the person is an adult in the United Kingdom who—
(a)
is a user of the service, or
(b)
seeks to begin to use the service (for example by setting up an account).
(8)
For the meaning of “Category 1 service”, see section 95 (register of categories of services).
65OFCOM’s guidance about user identity verification
(1)
OFCOM must produce guidance for providers of Category 1 services to assist them in complying with the duty set out in section 64(1).
(2)
In producing the guidance (including revised or replacement guidance), OFCOM must have particular regard to the desirability of ensuring that providers of Category 1 services offer users a form of identity verification likely to be available to vulnerable adult users.
(3)
Before producing the guidance (including revised or replacement guidance), OFCOM must consult—
(a)
the Information Commissioner,
(b)
persons whom OFCOM consider to have technological expertise relevant to the duty set out in section 64(1),
(c)
persons who appear to OFCOM to represent the interests of vulnerable adult users of Category 1 services, and
(d)
such other persons as OFCOM consider appropriate.
(4)
OFCOM must publish the guidance (and any revised or replacement guidance).
CHAPTER 2Reporting child sexual exploitation and abuse content
66Requirement to report CSEA content to the NCA
(1)
A UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported CSEA content present on the service to the NCA.
(2)
A non-UK provider of a regulated user-to-user service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked CSEA content present on the service to the NCA (and does not report to the NCA CSEA content which is not UK-linked).
(3)
A UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported CSEA content present on websites or databases capable of being searched by the search engine to the NCA.
(4)
A non-UK provider of a regulated search service must operate the service using systems and processes which secure (so far as possible) that the provider reports all detected and unreported UK-linked CSEA content present on websites or databases capable of being searched by the search engine to the NCA (and does not report to the NCA CSEA content which is not UK-linked).
(5)
A UK provider of a combined service must comply with the requirement under subsection (3) in relation to the search engine of the service.
(6)
A non-UK provider of a combined service must comply with the requirement under subsection (4) in relation to the search engine of the service.
(7)
Providers’ reports under this section—
(a)
must meet the requirements set out in regulations under section 67, and
(b)
must be sent to the NCA in the manner, and within the time frames, set out in those regulations.
(8)
If a person is the provider of more than one regulated user-to-user service or regulated search service, requirements under this section apply in relation to each such service.
(9)
Terms used in this section are defined in section 70.
(10)
This section applies only in relation to CSEA content detected on or after the date on which this section comes into force.
67Regulations about reports to the NCA
(1)
The Secretary of State must make regulations in connection with the reports that are to be made to the NCA (including by non-UK providers) as required by section 66.
(2)
The regulations may make provision about—
(a)
the information to be included in the reports,
(b)
the format of the reports,
(c)
the manner in which the reports must be sent to the NCA,
(d)
the time frames for sending the reports to the NCA (including provision about cases of particular urgency),
(e)
the records that providers must keep in relation to the reports, or the details that providers must retain as evidence that they have made the reports, and
(f)
such other matters relating to the reports as the Secretary of State considers appropriate.
(3)
The regulations may also—
(a)
require providers to retain, for a specified period, data of a specified description associated with a report, and
(b)
impose restrictions or requirements in relation to the retention of such data (including how the data is to be secured or stored or who may access the data).
(4)
The power to require the retention of data associated with a report includes power to require the retention of—
(a)
content generated, uploaded or shared by any user mentioned in the report (or metadata relating to such content), and
(b)
user data relating to any such person (or metadata relating to such data).
“User data” here has the meaning given by section 231.
(5)
Before making regulations under this section, the Secretary of State must consult—
(a)
the NCA,
(b)
OFCOM, and
(c)
such other persons as the Secretary of State considers appropriate.
68NCA: information sharing
“(oa)
the exercise of any function of OFCOM (the Office of Communications) under the Online Safety Act 2023;”.
69Offence in relation to CSEA reporting
(1)
A person commits an offence if, in purported compliance with a requirement under section 66—
(a)
the person provides information that is false in a material respect, and
(b)
at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(2)
A person who commits an offence under this section is liable—
(a)
on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)
on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);
(c)
on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(d)
on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).
70Interpretation of this Chapter
(1)
This section applies for the purposes of this Chapter.
(2)
A provider of a regulated user-to-user service or a regulated search service is a “UK provider” of the service if the provider is—
(a)
an individual or individuals who are habitually resident in the United Kingdom, or
(b)
an entity incorporated or formed under the law of any part of the United Kingdom.
(3)
Otherwise, a provider of a regulated user-to-user service or a regulated search service is a “non-UK provider” of the service.
(4)
CSEA content is “detected” by a provider when the provider becomes aware of the content, whether by means of the provider’s systems or processes or as a result of another person alerting the provider.
(5)
CSEA content is “unreported”, in relation to a provider, if the reporting of that content is not covered by arrangements (mandatory or voluntary)—
(a)
by which the provider reports content relating to child sexual exploitation or abuse to a foreign agency, or
(b)
by which an entity that is a group undertaking in relation to the provider reports content relating to child sexual exploitation or abuse to—
(i)
the NCA, or
(ii)
a foreign agency.
(6)
CSEA content is “UK-linked” if a provider has evidence of a link between the content and the United Kingdom, based on any of the following—
(a)
the place where the content was published, generated, uploaded or shared;
(b)
the nationality of a person suspected of committing the related offence;
(c)
the location of a person suspected of committing the related offence;
(d)
the location of a child who is a suspected victim of the related offence.
(7)
In this Chapter—
“CSEA content” has the same meaning as in Part 3 (see section 59);
“foreign agency” means a person exercising functions in a country outside the United Kingdom which correspond to the NCA’s functions insofar as they relate to receiving and disseminating reports about CSEA content;
“group undertaking” has the meaning given by section 1161(5) of the Companies Act 2006;
“NCA” means the National Crime Agency.
(8)
Sections 1161(5) and 1162 of, and Schedule 7 to, the Companies Act 2006—
(a)
are to apply in relation to an entity which is not an undertaking (as defined in section 1161(1) of that Act) as they apply in relation to an undertaking, and
(b)
are to be read with any necessary modifications if applied to an entity formed under the law of a country outside the United Kingdom.
CHAPTER 3Terms of service: transparency, accountability and freedom of expression
71Duty not to act against users except in accordance with terms of service
(1)
A provider of a Category 1 service must operate the service using proportionate systems and processes designed to ensure that the provider does not—
(a)
take down regulated user-generated content from the service,
(b)
restrict users’ access to regulated user-generated content, or
(c)
suspend or ban users from using the service,
except in accordance with the terms of service.
(2)
Nothing in subsection (1) is to be read as preventing a provider from taking down content from a service or restricting users’ access to it, or suspending or banning a user, if such an action is taken—
(a)
to comply with the duties set out in—
(i)
section 10(2) or (3) (protecting individuals from illegal content), or
(ii)
section 12(2) or (3) (protecting children from content that is harmful to children), or
(b)
to avoid criminal or civil liability on the part of the provider that might reasonably be expected to arise if such an action were not taken.
(3)
In addition, nothing in subsection (1) is to be read as preventing a provider from—
(a)
taking down content from a service or restricting users’ access to it on the basis that a user has committed an offence in generating, uploading or sharing it on the service, or
(b)
suspending or banning a user on the basis that—
(i)
the user has committed an offence in generating, uploading or sharing content on the service, or
(ii)
the user is responsible for, or has facilitated, the presence or attempted placement of a fraudulent advertisement on the service.
(4)
The duty set out in subsection (1) does not apply in relation to—
(a)
consumer content (see section 74);
(b)
terms of service which deal with the treatment of consumer content.
(5)
If a person is the provider of more than one Category 1 service, the duty set out in subsection (1) applies in relation to each such service.
(6)
The duty set out in subsection (1) extends only to the design, operation and use of a service in the United Kingdom, and references in this section to users are to United Kingdom users of a service.
(7)
In this section—
“criminal or civil liability” includes such a liability under the law of a country outside the United Kingdom;
“fraudulent advertisement” has the meaning given by section 38;
“offence” includes an offence under the law of a country outside the United Kingdom.
(8)
See also section 18 (duties to protect news publisher content).
72Further duties about terms of service
All services
(1)
A provider of a regulated user-to-user service must include clear and accessible provisions in the terms of service informing users about their right to bring a claim for breach of contract if—
(a)
regulated user-generated content which they generate, upload or share is taken down, or access to it is restricted, in breach of the terms of service, or
(b)
they are suspended or banned from using the service in breach of the terms of service.
Category 1 services
(2)
(3)
A provider must operate a service using proportionate systems and processes designed to ensure that—
(a)
if the terms of service indicate (in whatever words) that the presence of a particular kind of regulated user-generated content is prohibited on the service, the provider takes down such content;
(b)
if the terms of service state that the provider will restrict users’ access to a particular kind of regulated user-generated content in a specified way, the provider does restrict users’ access to such content in that way;
(c)
if the terms of service state cases in which the provider will suspend or ban a user from using the service, the provider does suspend or ban the user in those cases.
(4)
A provider must ensure that—
(a)
terms of service which make provision about the provider taking down regulated user-generated content from the service or restricting users’ access to such content, or suspending or banning a user from using the service, are—
(i)
clear and accessible, and
(ii)
written in sufficient detail to enable users to be reasonably certain whether the provider would be justified in taking the specified action in a particular case, and
(b)
those terms of service are applied consistently.
(5)
A provider must operate a service using systems and processes that allow users and affected persons to easily report—
(a)
content which they consider to be relevant content (see section 74);
(b)
a user who they consider should be suspended or banned from using the service in accordance with the terms of service.
(6)
A provider must operate a complaints procedure in relation to a service that—
(a)
allows for complaints of a kind mentioned in subsection (8) to be made,
(b)
provides for appropriate action to be taken by the provider of the service in response to complaints of those kinds, and
(c)
is easy to access, easy to use (including by children) and transparent.
(7)
A provider must include in the terms of service provisions which are easily accessible (including to children) specifying the policies and processes that govern the handling and resolution of complaints of a kind mentioned in subsection (8).
(8)
(a)
complaints by users and affected persons about content present on a service which they consider to be relevant content;
(b)
(c)
complaints by a user who has generated, uploaded or shared content on a service if that content is taken down, or access to it is restricted, on the basis that it is relevant content;
(d)
complaints by users who have been suspended or banned from using a service.
(9)
(a)
make provision of the kind mentioned in section 10(5) (protecting individuals from illegal content) or 12(9) (protecting children from content that is harmful to children), or
(b)
deal with the treatment of consumer content.
Further provision
(10)
If a person is the provider of more than one regulated user-to-user service or Category 1 service, the duties set out in this section apply in relation to each such service.
(11)
The duties set out in this section extend only to the design, operation and use of a service in the United Kingdom, and references to users are to United Kingdom users of a service.
(12)
See also section 18 (duties to protect news publisher content).
73OFCOM’s guidance about duties set out in sections 71 and 72
(1)
(2)
OFCOM must publish the guidance (and any revised or replacement guidance).
74Interpretation of this Chapter
(1)
This section applies for the purposes of this Chapter.
(2)
“Regulated user-generated content” has the same meaning as in Part 3 (see section 55), and references to such content are to content that is regulated user-generated content in relation to the service in question.
(3)
“Consumer content” means—
(a)
regulated user-generated content that constitutes, or is directly connected with content that constitutes, an offer to sell goods or to supply services,
(b)
regulated user-generated content that amounts to an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277) (construed in accordance with section 59: see subsections (3), (11) and (12) of that section), or
(c)
any other regulated user-generated content in relation to which an enforcement authority has functions under those Regulations (see regulation 19 of those Regulations).
(4)
References to restricting users’ access to content, and related references, are to be construed in accordance with sections 58 and 236(6).
(5)
Content of a particular kind is “relevant content” if—
(a)
a term of service, other than a term of service mentioned in section 72(9), indicates (in whatever words) that the presence of content of that kind is prohibited on the service or that users’ access to content of that kind is restricted, and
(b)
it is regulated user-generated content.
References to relevant content are to content that is relevant content in relation to the service in question.
(6)
“Affected person” means a person, other than a user of the service in question, who is in the United Kingdom and who is—
(a)
the subject of the content,
(b)
a member of a class or group of people with a certain characteristic targeted by the content,
(c)
a parent of, or other adult with responsibility for, a child who is a user of the service or is the subject of the content, or
(d)
an adult providing assistance in using the service to another adult who requires such assistance, where that other adult is a user of the service or is the subject of the content.
(7)
In determining what is proportionate for the purposes of sections 71 and 72, the size and capacity of the provider of a service is, in particular, relevant.
(8)
For the meaning of “Category 1 service”, see section 95 (register of categories of services).
CHAPTER 4Deceased Child Users
75Disclosure of information about use of service by deceased child users
(1)
A provider of a relevant service must make it clear in the terms of service what their policy is about dealing with requests from parents of a deceased child for information about the child’s use of the service.
(2)
A provider of a relevant service must have a dedicated helpline or section of the service, or some similar means, by which parents can easily find out what they need to do to obtain information and updates in those circumstances, and the terms of service must provide details.
(3)
A provider of a relevant service must include clear and accessible provisions in the terms of service—
(a)
specifying the procedure for parents of a deceased child to request information about the child’s use of the service,
(b)
specifying what evidence (if any) the provider will require about the parent’s identity or relationship to the child, and
(c)
giving sufficient detail to enable child users and their parents to be reasonably certain about what kinds of information would be disclosed and how information would be disclosed.
(4)
A provider of a relevant service must respond in a timely manner to requests from parents of a deceased child for information about the child’s use of the service or for updates about the progress of such information requests.
(5)
A provider of a relevant service must operate a complaints procedure in relation to the service that—
(a)
allows for complaints to be made by parents of a deceased child who consider that the provider is not complying with a duty set out in any of subsections (1) to (4),
(b)
provides for appropriate action to be taken by the provider of the service in response to such complaints, and
(c)
is easy to access, easy to use and transparent.
(6)
A provider of a relevant service must include in the terms of service provisions which are easily accessible specifying the policies and processes that govern the handling and resolution of such complaints.
(7)
If a person is the provider of more than one relevant service, the duties set out in this section apply in relation to each such service.
(8)
The duties set out in this section extend only to the design, operation and use of a service in the United Kingdom, and references in this section to children are to children in the United Kingdom.
(9)
A “relevant service” means—
(a)
a Category 1 service (see section 95(10)(a));
(b)
a Category 2A service (see section 95(10)(b));
(c)
a Category 2B service (see section 95(10)(c)).
(10)
In this section “parent”, in relation to a child, includes any person who is not the child’s parent but who—
(a)
has parental responsibility for the child within the meaning of section 3 of the Children Act 1989 or Article 6 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)), or
(b)
has parental responsibilities in relation to the child within the meaning of section 1(3) of the Children (Scotland) Act 1995.
(11)
In the application of this section to a Category 2A service, references to the terms of service include references to a publicly available statement.
76OFCOM’s guidance about duties set out in section 75
(1)
OFCOM must produce guidance for providers of relevant services to assist them in complying with their duties set out in section 75.
(2)
OFCOM must publish the guidance (and any revised or replacement guidance).
(3)
In this section “relevant service” has the meaning given by section 75.
CHAPTER 5Transparency reporting
77Transparency reports about certain Part 3 services
(1)
Once a year, OFCOM must give every provider of a relevant service a notice which requires the provider to produce a report about the service (a “transparency report”).
(2)
If a person is the provider of more than one relevant service, a notice must be given to the provider in respect of each such service.
(3)
In response to a notice relating to a relevant service, the provider of the service must produce a transparency report which must—
(a)
contain information of a kind specified or described in the notice,
(b)
be in the format specified in the notice,
(c)
be submitted to OFCOM by the date specified in the notice, and
(d)
be published in the manner and by the date specified in the notice.
(4)
A provider must ensure that the information provided in a transparency report is—
(a)
complete, and
(b)
accurate in all material respects.
(5)
A “relevant service” means—
(a)
a Category 1 service (see section 95(10)(a));
(b)
a Category 2A service (see section 95(10)(b));
(c)
a Category 2B service (see section 95(10)(c)).
(6)
In a notice which relates to a Category 1 service or a Category 2B service, OFCOM may only specify or describe user-to-user information.
But in the case of a service described in subsection (9), that subsection applies instead.
(7)
In a notice which relates to a regulated search service that is a Category 2A service, OFCOM may only specify or describe search engine information.
(8)
In a notice which relates to a combined service that is a Category 2A service, and is not also a Category 1 service or a Category 2B service, OFCOM may only specify or describe search engine information.
(9)
In a notice which relates to a combined service that is a Category 2A service, as well as being a Category 1 service or a Category 2B service, OFCOM may specify or describe user-to-user information or search engine information, or both those kinds of information.
(10)
(a)
“user-to-user information” means information which—
(i)
is about the matters listed in Part 1 of Schedule 8, and
(ii)
relates to the user-to-user part of a service;
(b)
“search engine information” means information which—
(i)
is about the matters listed in Part 2 of Schedule 8, and
(ii)
relates to the search engine of a service.
(11)
Part 3 of Schedule 8 makes further provision about transparency reports.
(12)
The Secretary of State may by regulations amend subsection (1) so as to change the frequency of the transparency reporting process.
(13)
The Secretary of State must consult OFCOM before making regulations under subsection (12).
(14)
In this section “notice” means a notice under subsection (1).
78OFCOM’s guidance about transparency reports
(1)
OFCOM must produce guidance about—
(a)
how OFCOM will determine which information they will require transparency reports under section 77 to contain, including—
(i)
the principles that they will apply in relation to each of the factors mentioned in paragraph 37 of Schedule 8, and
(ii)
the steps that they will take to engage with providers of relevant services before requiring information in a notice under section 77(1);
(b)
how information from transparency reports produced by providers of relevant services under section 77 will be used to produce OFCOM’s transparency reports (see section 159); and
(c)
any other matter that OFCOM consider to be relevant to the production and publication of transparency reports under section 77 or 159.
(2)
Before producing the guidance (including revised or replacement guidance), OFCOM must consult such of the following as they consider appropriate—
(a)
providers of regulated user-to-user services, and of regulated search services,
(b)
persons who appear to OFCOM to represent such providers,
(c)
persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),
(d)
persons whom OFCOM consider to have expertise in equality issues and human rights, in particular—
(i)
the right to freedom of expression set out in Article 10 of the Convention, and
(ii)
the right to respect for a person’s private and family life, home and correspondence set out in Article 8 of the Convention,
(e)
the Information Commissioner,
(f)
persons who appear to OFCOM to represent the interests of those with protected characteristics (within the meaning of Part 2 of the Equality Act 2010), and
(g)
persons whom OFCOM consider to have expertise in the enforcement of the criminal law and the protection of national security that is relevant to online safety matters,
and OFCOM must also consult such other persons as OFCOM consider appropriate.
(3)
OFCOM must publish the guidance (and any revised or replacement guidance).
(4)
In exercising their functions under section 77 or 159, OFCOM must have regard to the guidance for the time being published under this section.
(5)
In this section, “relevant service” has the same meaning as in section 77 (see subsection (5) of that section).
PART 5Duties of providers of regulated services: certain pornographic content
79“Provider pornographic content” and “regulated provider pornographic content”
(1)
This section applies for the purposes of this Part.
(2)
“Provider pornographic content”, in relation to an internet service, means pornographic content that is published or displayed on the service by the provider of the service or by a person acting on behalf of the provider, including pornographic content published or displayed on the service by means of—
(a)
software or an automated tool or algorithm applied by the provider or by a person acting on behalf of the provider, or
(b)
an automated tool or algorithm made available on the service by the provider or by a person acting on behalf of the provider.
(3)
(4)
Content is within this subsection if it—
(a)
consists only of text, or
(b)
consists only of text accompanied by—
(i)
a GIF which is not itself pornographic content,
(ii)
an emoji or other symbol, or
(iii)
a combination of content mentioned in sub-paragraphs (i) and (ii).
(5)
Content is within this subsection if it consists of a paid-for advertisement (see section 236).
(6)
References to pornographic content that is “published or displayed” on a service—
(a)
include, in particular—
(i)
references to pornographic content that is only visible or audible to users as a result of interacting with content that is blurred, distorted or obscured (for example, by clicking on such content), but only where the pornographic content is present on the service,
(ii)
references to pornographic content that is embedded on the service, and
(iii)
references to pornographic content that is generated on the service by means of an automated tool or algorithm in response to a prompt by a user and is only visible or audible to that user (no matter for how short a time);
(b)
do not include references to pornographic content that appears in search results of a search service or a combined service.
(7)
Pornographic content that is user-generated content in relation to an internet service is not to be regarded as provider pornographic content in relation to that service.
(8)
In this section—
“search results” has the meaning given by section 57(3);
80Scope of duties about regulated provider pornographic content
(1)
A provider of an internet service within subsection (2) must comply with the duties set out in section 81 in relation to the service.
(2)
An internet service is within this subsection if—
(a)
regulated provider pornographic content is published or displayed on the service,
(b)
the service is not exempt, and
(c)
the service has links with the United Kingdom.
(3)
A service is “exempt” for the purposes of this Part if it is —
(a)
a user-to-user service or a search service of a description that is exempt as provided for by Schedule 1, or
(b)
an internet service of a kind described in Schedule 9.
(4)
A service “has links with the United Kingdom” for the purposes of this Part if either of the following conditions is met in relation to the service—
(a)
the service has a significant number of United Kingdom users, or
(b)
United Kingdom users form one of the target markets for the service (or the only target market).
(5)
This Part does not apply in relation to a part of a regulated service if—
(a)
in the case of a Part 3 service, the conditions in paragraph 7(2) of Schedule 1 (internal business service conditions) are met in relation to that part;
(b)
in the case of an internet service other than a Part 3 service, the conditions in paragraph 1(2) of Schedule 9 (internal business service conditions) are met in relation to that part.
(6)
This Part does not apply in relation to a part of a regulated service if that part is an on-demand programme service within the meaning of section 368A of the Communications Act.
(7)
If a person is the provider of more than one internet service within subsection (2), the duties set out in section 81 apply in relation to each such service.
(8)
The duties set out in section 81 extend only to the design, operation and use of an internet service in the United Kingdom.
81Duties about regulated provider pornographic content
(1)
This section sets out the duties which apply in relation to internet services within section 80(2).
(2)
A duty to ensure, by the use of age verification or age estimation (or both), that children are not normally able to encounter content that is regulated provider pornographic content in relation to the service.
(3)
The age verification or age estimation must be of such a kind, and used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child.
(4)
In relation to the duty set out in subsection (2), a duty to make and keep a written record, in an easily understandable form, of—
(a)
the kinds of age verification or age estimation used, and how they are used, and
(b)
the way in which the provider, when deciding on the kinds of age verification or age estimation and how they should be used, has had regard to the importance of protecting United Kingdom users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a regulated service (including, but not limited to, any such provision or rule concerning the processing of personal data).
(5)
A duty to summarise the written record in a publicly available statement, so far as the record concerns compliance with the duty set out in subsection (2), including details about which kinds of age verification or age estimation a provider is using and how they are used.
82OFCOM’s guidance about duties set out in section 81
(1)
OFCOM must produce guidance for providers of internet services within section 80(2) to assist them in complying with their duties set out in section 81.
(2)
The guidance must include—
(a)
examples of kinds and uses of age verification and age estimation that are, or are not, highly effective at correctly determining whether or not a particular user is a child,
(b)
examples of ways in which a provider may have regard to the importance of protecting users as mentioned in section 81(4)(b),
(c)
principles that OFCOM propose to apply when determining whether a provider has complied with each of the duties set out in section 81, and
(d)
examples of circumstances in which OFCOM are likely to consider that a provider has not complied with each of those duties.
(3)
The guidance may elaborate on the following principles governing the use of age verification or age estimation for the purpose of compliance with the duty set out in section 81(2)—
(a)
the principle that age verification or age estimation should be easy to use;
(b)
the principle that age verification or age estimation should work effectively for all users regardless of their characteristics or whether they are members of a certain group;
(c)
the principle of interoperability between different kinds of age verification or age estimation.
(4)
The guidance may refer to industry or technical standards for age verification or age estimation (where they exist).
(5)
Before producing the guidance (including revised or replacement guidance), OFCOM must consult—
(a)
the Secretary of State,
(b)
persons who appear to OFCOM to represent providers of internet services within section 80(2),
(c)
persons who appear to OFCOM to represent adult users of internet services within section 80(2),
(d)
persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),
(e)
the Information Commissioner,
(f)
persons whom OFCOM consider to have expertise in innovation, or emerging technology, that is relevant to online safety matters, and
(g)
such other persons as OFCOM consider appropriate.
(6)
But if OFCOM propose to revise the guidance, and consider that the minor nature of the proposal means that consultation is unnecessary—
(a)
OFCOM must notify the Secretary of State of the proposed changes, and
(b)
if the Secretary of State agrees that it is appropriate, the consultation requirements set out in subsection (5) do not apply in relation to the proposed changes.
(7)
OFCOM must keep the guidance under review.
(8)
OFCOM must publish the guidance (and any revised or replacement guidance).
PART 6Duties of providers of regulated services: fees
83Duty to notify OFCOM
(1)
A provider of a regulated service must notify OFCOM in relation to a charging year which is—
(a)
the first fee-paying year in relation to that provider, or
(b)
any charging year after the first fee-paying year where—
(i)
the previous charging year was not a fee-paying year in relation to the provider, and the charging year in question is a fee-paying year in relation to the provider, or
(ii)
the previous charging year was a fee-paying year in relation to the provider, and the charging year in question is not a fee-paying year in relation to the provider.
(2)
A “fee-paying year”, in relation to a provider, means a charging year where both of the following conditions apply—
(a)
the provider’s qualifying worldwide revenue for the qualifying period that relates to that charging year is equal to or greater than the threshold figure that has effect for that charging year (see section 86), and
(b)
the provider is not exempt (see subsection (6)).
(3)
A notification under subsection (1) in relation to a charging year must include details of all regulated services provided by the provider, and where it is a notification under subsection (1)(a) or (b)(i), it must also include—
(a)
details of the provider’s qualifying worldwide revenue for the qualifying period that relates to that charging year, and
(b)
supporting evidence, documents or other information as required by regulations made by OFCOM under section 85.
(4)
Section 85 confers power on OFCOM to make regulations about the determination of a provider’s qualifying worldwide revenue, and the meaning of “qualifying period”, for the purposes of this Part.
(5)
A notification under subsection (1) must be provided to OFCOM—
(a)
in relation to the initial charging year, within four months of the date on which the first regulations under section 86 come into force (first threshold figure);
(b)
in relation to subsequent charging years, at least six months before the beginning of the charging year to which the notification relates.
(6)
OFCOM may provide that particular descriptions of providers of regulated services are exempt for the purposes of this section and section 84 where—
(a)
OFCOM consider that an exemption for such providers is appropriate, and
(b)
the Secretary of State approves the exemption.
(7)
OFCOM may revoke such an exemption where they consider that it is no longer appropriate and the Secretary of State approves the revocation.
(8)
Exemptions, or revocations of exemptions, which are approved by the Secretary of State are to take effect from the beginning of a particular charging year.
(9)
Details of an exemption or revocation must be published by OFCOM at least six months before the beginning of the first charging year for which the exemption or revocation is to have effect.
(10)
But subsection (9) does not apply in relation to any exemptions which are to have effect for the initial charging year.
(11)
For the purposes of this section and section 84, the “provider” of a regulated service, in relation to a charging year, includes a person who is the provider of the service for part of that year.
84Duty to pay fees
(1)
OFCOM may require a provider of a regulated service to pay a fee in respect of a charging year which is a fee-paying year.
(2)
Where OFCOM require a provider of a regulated service to pay a fee in respect of a charging year, the fee is to be equal to the amount produced by a computation—
(a)
made by reference to—
(i)
the provider’s qualifying worldwide revenue for the qualifying period relating to that charging year, and
(ii)
any other factors that OFCOM consider appropriate, and
(b)
made in the manner that OFCOM consider appropriate.
(3)
For the purposes of this section and section 83—
(a)
the amount of a provider’s qualifying worldwide revenue for a qualifying period, or
(b)
the amount of a fee to be paid to OFCOM, or of an instalment of such a fee,
is, in the event of a disagreement between the provider and OFCOM, the amount determined by OFCOM.
(4)
When determining fees payable under this section, OFCOM must do so in accordance with a statement of principles as mentioned in section 88(1).
(5)
Where a person is the provider of a regulated service for part of a charging year only, OFCOM may refund all or part of a fee paid to OFCOM under this section by that provider in respect of that year.
(6)
In this section, “fee-paying year” has the same meaning as in section 83.
85Regulations by OFCOM about qualifying worldwide revenue etc
(1)
For the purposes of this Part, OFCOM may by regulations make provision—
(a)
about how the qualifying worldwide revenue of a provider of a regulated service is to be determined, and
(b)
defining the “qualifying period” in relation to a charging year.
(2)
OFCOM may by regulations also make provision specifying or describing evidence, documents or other information that providers must supply to OFCOM for the purposes of section 83 (see subsection (3)(b) of that section), including provision about the way in which providers must supply the evidence, documents or information.
(3)
Regulations under subsection (1)(a) may provide that the qualifying worldwide revenue of a provider of a regulated service (P) who is a member of a group during any part of a qualifying period is to include the qualifying worldwide revenue of any entity that—
(a)
is a group undertaking in relation to P for all or part of that period, and
(b)
receives or is due to receive, during that period, any amount referable (to any degree) to a regulated service provided by P.
(4)
Regulations under subsection (1)(a) may, in particular—
(a)
make provision about circumstances in which amounts do, or do not, count as being referable (to any degree) to a regulated service for the purposes of the determination of the qualifying worldwide revenue of the provider of the service or of an entity that is a group undertaking in relation to the provider;
(b)
provide for cases or circumstances in which amounts that—
(i)
are of a kind specified or described in the regulations, and
(ii)
are not referable to a regulated service,
are to be brought into account in determining the qualifying worldwide revenue of the provider of the service or of an entity that is a group undertaking in relation to the provider.
(5)
Regulations which make provision of a kind mentioned in subsection (3) may include provision that, in the case of an entity that is a group undertaking in relation to a provider for part (not all) of a qualifying period, only amounts relating to the part of the qualifying period for which the entity was a group undertaking may be brought into account in determining the entity’s qualifying worldwide revenue.
(6)
Regulations under subsection (1)(a) may make provision corresponding to paragraph 5(8) of Schedule 13.
(7)
Before making regulations under subsection (1) OFCOM must consult—
(a)
the Secretary of State,
(b)
the Treasury, and
(c)
such other persons as OFCOM consider appropriate.
(8)
Before making regulations under subsection (2) OFCOM must consult the Secretary of State.
(9)
Regulations under this section may make provision subject to such exemptions and exceptions as OFCOM consider appropriate.
(10)
In this section—
“group” means a parent undertaking and its subsidiary undertakings, reading those terms in accordance with section 1162 of the Companies Act 2006;
“group undertaking” has the meaning given by section 1161(5) of that Act.
86Threshold figure
(1)
OFCOM must carry out a consultation to inform the setting of the threshold figure for the purposes of sections 83 and 84, consulting such persons as they consider appropriate.
(2)
After the completion of the consultation, and having taken advice from OFCOM, the Secretary of State must make regulations specifying the threshold figure for those purposes.
(3)
The Secretary of State must keep the threshold figure under review.
(4)
(5)
Regulations must provide that a threshold figure is to take effect from the beginning of a particular charging year.
(6)
Regulations specifying a threshold figure must be in force at least nine months before the beginning of the first charging year for which that figure is to have effect.
(7)
But subsection (6) does not apply in relation to the first regulations made under this section.
87Secretary of State’s guidance about fees
(1)
The Secretary of State must issue guidance to OFCOM about the principles to be included in a statement of principles that OFCOM propose to apply in determining fees payable under section 84 (see section 88).
(2)
The Secretary of State must consult OFCOM before issuing, revising or replacing the guidance.
(3)
The guidance may not be revised or replaced more frequently than once every three years unless—
(a)
the guidance needs to be corrected because of an amendment, repeal or modification of any provision of this Part, or
(b)
the revision or replacement is by agreement between the Secretary of State and OFCOM.
(4)
The Secretary of State must lay the guidance (including revised or replacement guidance) before Parliament.
(5)
The Secretary of State must publish the guidance (and any revised or replacement guidance).
(6)
In exercising any functions under this Part, OFCOM must have regard to the guidance for the time being published under this section.
88OFCOM’s fees statements
(1)
OFCOM may not require a provider of a regulated service to pay a fee under section 84 unless there is in force a statement of the principles that OFCOM propose to apply in determining fees payable under that section.
(2)
Those principles must be such as appear to OFCOM to be likely to secure, on the basis of such estimates of the likely costs as it is practicable for them to make—
(a)
that on a year by year basis, the aggregate amount of the fees payable to OFCOM under section 84 is sufficient to meet, but does not exceed, the annual cost to OFCOM of the exercise of their online safety functions;
(b)
that the fees required under section 84 are justifiable and proportionate having regard to the functions in respect of which they are imposed;
(c)
that the relationship between meeting the cost of the exercise of those functions and the amounts of the fees is transparent.
(3)
A statement of principles mentioned in subsection (1) must (among other things)—
(a)
include details relating to the computation model used to calculate fees payable under section 84, including details of factors mentioned in subsection (2)(a)(ii) of that section (if any),
(b)
include details about the meaning of “qualifying worldwide revenue” and “qualifying period” for the purposes of this Part, and
(c)
specify the threshold figure contained in regulations under section 86.
(4)
Before making or revising such a statement of principles, OFCOM must consult such persons as they consider appropriate.
(5)
Such a statement of principles may make different provision in relation to different kinds of regulated services.
(6)
OFCOM must publish such a statement of principles (and any revised or replacement statement).
(7)
As soon as reasonably practicable after the end of each charging year, OFCOM must publish a statement setting out, in respect of that year—
(a)
the aggregate amount of the fees payable under section 84 for that year that has been received by OFCOM,
(b)
the aggregate amount of the fees payable under that section for that year that remains outstanding and is likely to be paid or recovered, and
(c)
the cost to OFCOM of the exercise of their online safety functions.
(8)
Any deficit or surplus shown (after applying this subsection for all previous years) by a statement under subsection (7) must be carried forward and taken into account in determining what is required to satisfy the requirement imposed by virtue of subsection (2)(a) in relation to the following year.
(9)
For the purposes of this section OFCOM’s costs of the exercise of their online safety functions during a charging year include the costs of preparations for the exercise of their online safety functions incurred during that year.
89Recovery of OFCOM’s initial costs
Schedule 10 makes provision about fees chargeable to providers of regulated services in connection with OFCOM’s recovery of costs incurred before the first day of the initial charging year.
90Meaning of “charging year” and “initial charging year”
In this Part—
“charging year” means any period of 12 months beginning with 1 April, except such a period that falls before the initial charging year;
“initial charging year” means the period of 12 months beginning with 1 April specified by OFCOM in a notice published for the purposes of this Part.
PART 7OFCOM's powers and duties in relation to regulated services
CHAPTER 1General duties
91General duties of OFCOM under section 3 of the Communications Act
(1)
(2)
“(g)
the adequate protection of citizens from harm presented by content on regulated services, through the appropriate use by providers of such services of systems and processes designed to reduce the risk of such harm.”
(3)
In subsection (4)(c), at the beginning insert “(subject to subsection (5A))”
.
(4)
“(4A)
In performing their duties under subsection (1) in relation to matters to which subsection (2)(g) is relevant, OFCOM must have regard to such of the following as appear to them to be relevant in the circumstances—
(a)
the risk of harm to citizens presented by regulated services;
(b)
the need for a higher level of protection for children than for adults;
(c)
the need for it to be clear to providers of regulated services how they may comply with their duties set out in Chapter 2, 3, 4 or 5 of Part 3, Chapter 1, 3 or 4 of Part 4, or Part 5 of the Online Safety Act 2023;
(d)
the need to exercise their functions so as to secure that providers of regulated services may comply with such duties by taking measures, or using measures, systems or processes, which are (where relevant) proportionate to—
(i)
the size or capacity of the provider in question, and
(ii)
the level of risk of harm presented by the service in question, and the severity of the potential harm;
(e)
the desirability of promoting the use by providers of regulated services of technologies which are designed to reduce the risk of harm to citizens presented by content on regulated services;
(f)
the extent to which providers of regulated services demonstrate, in a way that is transparent and accountable, that they are complying with their duties set out in Chapter 2, 3, 4 or 5 of Part 3, Chapter 1, 3 or 4 of Part 4, or Part 5 of the Online Safety Act 2023.”
(5)
“(5A)
Subsection (4)(c) does not apply in relation to the carrying out of any of OFCOM’s online safety functions.”
(6)
“(6ZA)
Where it appears to OFCOM, in relation to the carrying out of any of their online safety functions, that any of their general duties conflict with their duty under section 24, priority must be given to their duty under that section.”
(7)
““content on regulated services” means—
(a)
regulated user-generated content present on regulated services,
(b)
search content of regulated services,
(c)
fraudulent advertisements present on regulated services, and
(d)
regulated provider pornographic content present on regulated services;”;
““online safety functions” has the meaning given by section 235 of the Online Safety Act 2023, except that it does not include OFCOM’s general duties;”.
(8)
“(15)
In this section the following terms have the same meaning as in the Online Safety Act 2023—
“content” (see section 236 of that Act);
“fraudulent advertisement” (see sections 38 and 39 of that Act);
“harm” (see section 234 of that Act);
“provider”, in relation to a regulated service (see section 226 of that Act);
“regulated user-generated content” (see section 55 of that Act);
“regulated provider pornographic content” (see section 79 of that Act);
“regulated service” (see section 4 of that Act);
“search content” (see section 57 of that Act).”
(9)
In section 6 of the Communications Act (duties to review regulatory burdens)—
(a)
in subsection (2), after “this section” insert “(except their online safety functions)”
, and
(b)
“(11)
In this section “online safety functions” has the same meaning as in section 3.”
92Duties in relation to strategic priorities
(1)
This section applies where a statement has been designated under section 172(1) (Secretary of State’s statement of strategic priorities).
(2)
OFCOM must have regard to the statement when carrying out their online safety functions.
(3)
Within the period of 40 days beginning with the day on which the statement is designated, or such longer period as the Secretary of State may allow, OFCOM must—
(a)
explain in writing what they propose to do in consequence of the statement, and
(b)
publish a copy of that explanation.
(4)
OFCOM must, as soon as reasonably practicable after the end of—
(a)
the period of 12 months beginning with the day on which the first statement is designated under section 172(1), and
(b)
every subsequent period of 12 months,
publish a review of what they have done during the period in question in consequence of the statement.
93Duty to carry out impact assessments
(1)
Section 7 of the Communications Act (duty to carry out impact assessments) is amended as follows.
(2)
In subsection (2), at the beginning insert “Subject to subsection (2A),”
.
(3)
“(2A)
A proposal to do any of the following is important for the purposes of this section—
(a)
to prepare a code of practice under section 41 of the Online Safety Act 2023;
(b)
to prepare amendments of such a code of practice; or
(c)
to prepare a code of practice as a replacement for such a code of practice.”
(4)
“(4A)
An assessment under subsection (3)(a) that relates to a proposal mentioned in subsection (2A) must include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.
(4B)
An assessment under subsection (3)(a) that relates to a proposal to do anything else for the purposes of, or in connection with, the carrying out of OFCOM’s online safety functions (within the meaning of section 235 of the Online Safety Act 2023) must, so far as the proposal relates to such functions, include an assessment of the likely impact of implementing the proposal on small businesses and micro businesses.”
CHAPTER 2Register of categories of regulated user-to-user services and regulated search services
94Meaning of threshold conditions etc
(1)
Schedule 11 contains provision about regulations specifying the threshold conditions that a Part 3 service must meet to be included in the relevant part of the register established by OFCOM under section 95, and associated provision about the publication of OFCOM’s advice.
(2)
(3)
For the purposes of this Chapter—
(a)
references to a service meeting the Category 1, Category 2A or Category 2B threshold conditions are to a service meeting those conditions in a way specified in regulations under paragraph 1 of Schedule 11 (see paragraph 1(4) of that Schedule);
(b)
a regulated user-to-user service meets the Category 1 threshold conditions if those conditions are met in relation to the user-to-user part of the service;
(c)
a regulated search service or a combined service meets the Category 2A threshold conditions if those conditions are met in relation to the search engine of the service;
(d)
a regulated user-to-user service meets the Category 2B threshold conditions if those conditions are met in relation to the user-to-user part of the service;
(e)
a regulated user-to-user service meets the conditions in section 97(2) if those conditions are met in relation to the user-to-user part of the service;
(f)
references to OFCOM assessing a service (to determine if it meets, or no longer meets, the relevant threshold conditions or the conditions in section 97(2)) are accordingly to be read as references to OFCOM assessing the relevant part (or parts) of a service.
95Register of categories of certain Part 3 services
(1)
(2)
OFCOM must establish a register of particular categories of Part 3 services with—
(a)
one part for regulated user-to-user services meeting the Category 1 threshold conditions,
(b)
one part for regulated search services and combined services meeting the Category 2A threshold conditions, and
(c)
one part for regulated user-to-user services meeting the Category 2B threshold conditions.
(3)
OFCOM must assess Part 3 services, as follows—
(a)
OFCOM must assess each regulated user-to-user service which they consider is likely to meet the Category 1 threshold conditions, to determine whether the service does, or does not, meet those conditions;
(b)
OFCOM must assess each regulated search service and combined service which they consider is likely to meet the Category 2A threshold conditions, to determine whether the service does, or does not, meet those conditions;
(c)
OFCOM must assess each regulated user-to-user service which they consider is likely to meet the Category 2B threshold conditions, to determine whether the service does, or does not, meet those conditions.
(4)
If OFCOM consider that a service meets the relevant threshold conditions, they must add entries relating to that service to the relevant part of the register established under subsection (2).
(5)
But—
(a)
if OFCOM consider that a regulated user-to-user service meets the Category 1 threshold conditions and the Category 2B threshold conditions (only), entries relating to that service are to be added to the part of the register established under subsection (2)(a) (only);
(6)
If OFCOM consider that a combined service—
(a)
meets the Category 2A threshold conditions, and
(b)
meets either the Category 1 threshold conditions or the Category 2B threshold conditions (but not both),
(7)
Each part of the register must contain—
(a)
the name, and a description, of each service that, in OFCOM’s opinion, meets the relevant threshold conditions, and
(b)
the name of the provider of each such service.
(8)
OFCOM must publish the register.
(9)
When assessing whether a Part 3 service does, or does not, meet the relevant threshold conditions, OFCOM must take such steps as are reasonably practicable to obtain or generate information or evidence for the purposes of the assessment.
(10)
In this Act—
(a)
a “Category 1 service” means a regulated user-to-user service for the time being included in the part of the register established under subsection (2)(a);
(b)
a “Category 2A service” means a regulated search service or a combined service for the time being included in the part of the register established under subsection (2)(b);
(c)
a “Category 2B service” means a regulated user-to-user service for the time being included in the part of the register established under subsection (2)(c).
96Duty to maintain register
(1)
If regulations are made under paragraph 1(1) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—
(a)
assess each regulated user-to-user service which they consider is likely to meet the new Category 1 threshold conditions, to determine whether the service does, or does not, meet those conditions, and
(b)
make any necessary changes to the register.
(2)
If regulations are made under paragraph 1(2) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—
(a)
assess each regulated search service and combined service which they consider is likely to meet the new Category 2A threshold conditions, to determine whether the service does, or does not, meet those conditions, and
(b)
make any necessary changes to the register.
(3)
If regulations are made under paragraph 1(3) of Schedule 11 which amend or replace regulations previously made under that provision, OFCOM must, as soon as reasonably practicable after the date on which the amending or replacement regulations come into force—
(a)
assess each regulated user-to-user service which they consider is likely to meet the new Category 2B threshold conditions, to determine whether the service does, or does not, meet those conditions, and
(b)
make any necessary changes to the register.
(4)
At any other time, if OFCOM consider that a Part 3 service not included in a particular part of the register is likely to meet the threshold conditions relevant to that part, OFCOM must—
(a)
assess the service accordingly, and
(b)
(subject to section 95(5)) if they consider that the service meets the relevant conditions, add entries relating to that service to that part of the register.
(5)
(6)
A provider of a Part 3 service included in the register may at any time request OFCOM to remove entries relating to that service from the register, or from a particular part of the register.
(7)
If OFCOM are satisfied, on the basis of evidence submitted by a provider with such a request, that since the registration day there has been a change to the service or to regulations under paragraph 1 of Schedule 11 which appears likely to be relevant, OFCOM must—
(a)
assess the service, and
(b)
notify the provider of OFCOM’s decision.
(8)
OFCOM must remove entries relating to a Part 3 service from the relevant part of the register if, following an assessment of the service, they consider that it no longer meets the threshold conditions relevant to that part.
(9)
Section 95(9) applies to an assessment under this section as it applies to an assessment under section 95.
(10)
OFCOM must re-publish the register each time a change is made to it.
(11)
See section 167 for provision about appeals against a decision to include a service in the register (or in a particular part of the register), or not to remove a service from the register (or from a particular part of the register).
(12)
In this section—
“the register” means the register established under section 95;
“the registration day”, in relation to a Part 3 service, means—
(a)
the day on which entries relating to the service were added to the register, or to the particular part of the register in question, or
97List of emerging Category 1 services
(1)
(2)
OFCOM must assess each regulated user-to-user service which does not meet the Category 1 threshold conditions and which they consider is likely to meet each of the following conditions, to determine whether the service does, or does not, meet them—
(a)
the first condition is that the number of United Kingdom users of the user-to-user part of the service is at least 75% of the figure specified in any of the Category 1 threshold conditions relating to number of users (calculating the number of users in accordance with the threshold condition in question);
(b)
the second condition is that—
(i)
at least one of the Category 1 threshold conditions relating to functionalities of the user-to-user part of the service is met, or
(ii)
if the regulations under paragraph 1(1) of Schedule 11 specify that a Category 1 threshold condition relating to a functionality of the user-to-user part of the service must be met in combination with a Category 1 threshold condition relating to another characteristic of that part of the service or a factor relating to that part of the service (see paragraph 1(4) of Schedule 11), at least one of those combinations of conditions is met.
(3)
OFCOM must prepare a list of regulated user-to-user services which meet the conditions in subsection (2).
(4)
If the regulations under paragraph 1(1) of Schedule 11 specify that a service meets the Category 1 threshold conditions if any one condition about number of users or functionality is met (as mentioned in paragraph 1(4)(a) of that Schedule)—
(a)
subsection (2) applies as if paragraph (b) were omitted, and
(5)
The list must contain the following details about a service included in it—
(a)
the name of the service,
(b)
a description of the service,
(c)
the name of the provider of the service, and
(d)
a description of the Category 1 threshold conditions by reference to which the conditions in subsection (2) are met.
(6)
OFCOM must take appropriate steps to keep the list up to date, including by carrying out further assessments of regulated user-to-user services.
(7)
OFCOM must publish the list when it is first prepared and each time it is revised.
(8)
When assessing whether a service does, or does not, meet the conditions in subsection (2), OFCOM must take such steps as are reasonably practicable to obtain or generate information or evidence for the purposes of the assessment.
(9)
An assessment for the purposes of this section may be included in an assessment under section 95 or 96 (as the case may be) or carried out separately.
CHAPTER 3Risk assessments of regulated user-to-user services and regulated search services
98OFCOM’s register of risks, and risk profiles, of Part 3 services
(1)
OFCOM must carry out risk assessments to identify and assess the following risks of harm presented by Part 3 services of different kinds—
(a)
the risks of harm to individuals in the United Kingdom presented by illegal content present on regulated user-to-user services and by the use of such services for the commission or facilitation of priority offences;
(b)
the risk of harm to individuals in the United Kingdom presented by search content of regulated search services that is illegal content;
(c)
the risk of harm to children in the United Kingdom, in different age groups, presented by content that is harmful to children.
(2)
The risk assessments must, among other things, identify characteristics of different kinds of Part 3 services that are relevant to such risks of harm, and assess the impact of those kinds of characteristics on such risks.
(3)
OFCOM—
(a)
may combine assessment of any or all of the risks of harm mentioned in subsection (1), or may carry out separate assessments of those risks;
(b)
in the case of the risk of harm mentioned in subsection (1)(c), may assess regulated user-to-user services and regulated search services separately or together.
(4)
The findings of each risk assessment are to be reflected, as soon as reasonably practicable after completion, in a register of risks of Part 3 services prepared and published by OFCOM.
(5)
As soon as reasonably practicable after completing their assessment of a risk of harm mentioned in a particular paragraph of subsection (1), OFCOM must prepare risk profiles for Part 3 services which relate to that risk of harm.
(6)
For the purposes of the risk profiles, OFCOM may group Part 3 services together in whichever way they consider appropriate, taking into account—
(a)
the characteristics of the services, and
(b)
the risk levels and other matters identified in the relevant risk assessment.
(7)
OFCOM must publish risk profiles prepared under this section.
(8)
OFCOM must from time to time review and revise the risk assessments and risk profiles so as to keep them up to date.
(9)
References in this section to Part 3 services—
(a)
in the case of a risk assessment or risk profiles which relate only to regulated user-to-user services or to regulated search services, are to be read as references to the kind of service in question;
(b)
in the case of a risk assessment or risk profiles which relate only to the risk of harm mentioned in subsection (1)(a), are to be read as references to regulated user-to-user services;
(c)
in the case of a risk assessment or risk profiles which relate only to the risk of harm mentioned in subsection (1)(b), are to be read as references to regulated search services.
(10)
References in this section to regulated search services include references to the search engine of combined services.
(11)
In this section the “characteristics” of a service include its functionalities, user base, business model, governance and other systems and processes.
(12)
In this section—
“content that is harmful to children” has the same meaning as in Part 3 (see section 60);
“illegal content” has the same meaning as in Part 3 (see section 59);
“priority offence” has the same meaning as in Part 3 (see section 59).
99OFCOM’s guidance about risk assessments
(1)
As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the illegality risks, OFCOM must produce guidance to assist providers of regulated user-to-user services in complying with their duties to carry out illegal content risk assessments under section 9.
(2)
As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the risk of harm from illegal content, OFCOM must produce guidance to assist providers of regulated search services in complying with their duties to carry out illegal content risk assessments under section 26.
(3)
As soon as reasonably practicable after OFCOM have published the first risk profiles relating to the risk of harm to children, OFCOM must produce guidance to assist providers of Part 3 services in complying with their duties to carry out children’s risk assessments under section 11 or 28.
(4)
Before producing any guidance under this section (including revised or replacement guidance), OFCOM must consult the Information Commissioner.
(5)
OFCOM must revise guidance under this section from time to time in response to further risk assessments under section 98 or to revisions of the risk profiles.
(6)
OFCOM must publish guidance under this section (and any revised or replacement guidance).
(7)
If the risk profiles mentioned in subsection (3) relate to regulated user-to-user services only or to regulated search services only, that subsection is to be read as requiring the production of guidance relating only to regulated user-to-user services or to regulated search services, as the case may be.
(8)
References in this section to regulated search services include references to the search engine of combined services.
(9)
In this section—
“illegality risks” means the risks mentioned in section 98(1)(a);
“risk of harm from illegal content” means the risk of harm mentioned in section 98(1)(b);
“risk of harm to children” means the risk of harm mentioned in section 98(1)(c);
“risk profiles” means risk profiles prepared under section 98.
CHAPTER 4Information
Information powers and information notices
100Power to require information
(1)
OFCOM may by notice under this subsection require a person within subsection (5) to provide them with any information that they require for the purpose of exercising, or deciding whether to exercise, any of their online safety functions.
(2)
(a)
obtain or generate information;
(b)
provide information about the use of a service by a named individual.
(3)
The power conferred by subsection (1) also includes power to require a person within any of paragraphs (a) to (d) of subsection (5) to take steps so that a person authorised by OFCOM is able to view remotely—
(a)
information demonstrating in real time the operation of systems, processes or features, including functionalities and algorithms, used by a service;
(b)
information generated by a service in real time by the performance of a test or demonstration of a kind required by a notice under subsection (1).
(4)
But the power conferred by subsection (1) must be exercised in a way that is proportionate to the use to which the information is to be put in the exercise of OFCOM’s functions.
(5)
The persons within this subsection are—
(a)
a provider of a user-to-user service or a search service,
(b)
a provider of an internet service on which regulated provider pornographic content is published or displayed,
(c)
(d)
(e)
(6)
The information that may be required by OFCOM under subsection (1) includes, in particular, information that they require for any one or more of the following purposes—
(a)
the purpose of assessing compliance with—
(i)
any duty or requirement set out in Chapter 2, 3, 4 or 5 of Part 3,
(ii)
any duty set out in section 64 (user identity verification),
(iii)
any requirement under section 66 (reporting CSEA content),
(iv)
any duty set out in section 71 or 72 (terms of service),
(v)
any duty set out in section 75 (deceased child users),
(vii)
any duty set out in section 81 (provider pornographic content);
(b)
the purpose of assessing compliance with a requirement under section 83 (duty to notify OFCOM in relation to the charging of fees);
(c)
the purpose of a consultation about a threshold figure as mentioned in section 86 (threshold figure for the purposes of charging fees);
(d)
the purpose of ascertaining the amount of a person’s qualifying worldwide revenue for the purposes of—
(i)
Part 6 (fees), or
(e)
the purpose of assessing compliance with any requirements imposed on a person by—
(i)
a notice under section 121(1) (notices to deal with terrorism content and CSEA content), or
(ii)
a confirmation decision;
(f)
the purpose of assessing the accuracy and effectiveness of technology required to be used by—
(i)
a notice under section 121(1), or
(ii)
a confirmation decision;
(g)
(h)
the purpose of dealing with complaints made to OFCOM under section 169 (super-complaints);
(i)
the purpose of OFCOM’s advice to the Secretary of State about provision to be made by regulations under paragraph 1 of Schedule 11 (threshold conditions for categories of Part 3 services);
(j)
the purpose of determining whether a Part 3 service meets threshold conditions specified in regulations under paragraph 1 of Schedule 11;
(k)
the purpose of preparing a code of practice under section 41;
(l)
the purpose of preparing guidance in relation to online safety matters;
(m)
the purpose of carrying out research, or preparing a report, in relation to online safety matters;
(n)
the purpose of complying with OFCOM’s duties under section 11 of the Communications Act, so far as relating to regulated services (media literacy).
(7)
See also section 103 (power to include a requirement to name a senior manager).
(8)
The reference in subsection (3) to a person authorised by OFCOM is to a person authorised by OFCOM in writing for the purposes of notices that impose requirements of a kind mentioned in that subsection, and such a person must produce evidence of their identity if requested to do so by a person in receipt of such a notice.
(9)
The power conferred by subsection (1) does not include power to require the provision of information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.
(10)
In this section—
“information” includes documents, and any reference to providing information includes a reference to producing a document (and see also section 102(11));
“regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79).
101Information in connection with an investigation into the death of a child
(1)
OFCOM may by notice under this subsection require a relevant person to provide them with information for the purpose of—
(a)
responding to a notice given by a senior coroner under paragraph 1(2) of Schedule 5 to the Coroners and Justice Act 2009 in connection with an investigation into the death of a child, or preparing a report under section 163 in connection with such an investigation;
(b)
responding to a request for information in connection with the investigation of a procurator fiscal into, or an inquiry held or to be held in relation to, the death of a child, or preparing a report under section 163 in connection with such an inquiry;
(c)
responding to a notice given by a coroner under section 17A(2) of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.)) in connection with—
(i)
an investigation to determine whether an inquest into the death of a child is necessary, or
(ii)
an inquest in relation to the death of a child,
or preparing a report under section 163 in connection with such an investigation or inquest.
(2)
The power conferred by subsection (1) includes power to require a relevant person to provide OFCOM with information about the use of a regulated service by the child whose death is under investigation, including, in particular—
(a)
content encountered by the child by means of the service,
(b)
how the content came to be encountered by the child (including the role of algorithms or particular functionalities),
(c)
how the child interacted with the content (for example, by viewing, sharing or storing it or enlarging or pausing on it), and
(d)
content generated, uploaded or shared by the child.
(3)
The power conferred by subsection (1) includes power to require a relevant person to obtain or generate information.
(4)
The power conferred by subsection (1) must be exercised in a way that is proportionate to the purpose mentioned in that subsection.
(5)
The power conferred by subsection (1) does not include power to require the provision of information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.
(6)
Nothing in this section limits the power conferred on OFCOM by section 100.
(7)
In this section—
“information” includes documents, and any reference to providing information includes a reference to producing a document (and see also section 102(11));
“inquiry” means an inquiry held, or to be held, under the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (asp 2);
“relevant person” means a person within any of paragraphs (a) to (e) of section 100(5).
102Information notices
(1)
A notice given under section 100(1) or 101(1) is referred to in this Act as an information notice.
(2)
An information notice may require information in any form (including in electronic form).
(3)
An information notice must—
(a)
specify or describe the information to be provided,
(b)
specify why OFCOM require the information,
(c)
specify the form and manner in which it must be provided, and
(d)
contain information about the consequences of not complying with the notice.
(4)
An information notice must specify when the information must be provided (which may be on or by a specified date, within a specified period, or at specified intervals).
(5)
An information notice requiring a person to take steps of a kind mentioned in section 100(3) must give the person at least seven days’ notice before the steps are required to be taken.
(6)
An information notice may specify a place at which, and a person to whom, information is to be provided.
(7)
A person to whom a document is produced in response to an information notice may—
(a)
take copies of, or extracts from, the document;
(b)
require the person producing the document, or a person who is or was an officer of that person, or (in the case of a partnership) a person who is or was a partner, to give an explanation of it.
(8)
A person to whom an information notice is given has a duty—
(a)
to act in accordance with the requirements of the notice, and
(b)
to ensure that the information provided is accurate in all material respects.
(9)
OFCOM may cancel an information notice by notice to the person to whom it was given.
(10)
In this section—
“information” includes documents, and any reference to providing information includes a reference to producing a document;
“officer”, in relation to an entity, includes a director, a manager, an associate, a secretary or, where the affairs of the entity are managed by its members, a member.
(11)
In relation to information recorded otherwise than in a legible form, references in this section to producing a document are to producing a copy of the information—
(a)
in a legible form, or
(b)
in a form from which it can readily be produced in a legible form.
103Requirement to name a senior manager
(1)
This section applies where—
(a)
OFCOM give a provider of a regulated service an information notice, and
(b)
the provider is an entity.
(2)
OFCOM may include in the information notice a requirement that the provider must name, in their response to the notice, an individual who the provider considers to be a senior manager of the entity and who may reasonably be expected to be in a position to ensure compliance with the requirements of the notice.
(3)
If OFCOM impose a requirement to name an individual, the information notice must—
(a)
require the provider to inform such an individual, and
(b)
include information about the consequences for such an individual of the entity’s failure to comply with the requirements of the notice (see section 110).
(4)
An individual is a “senior manager” of an entity if the individual plays a significant role in—
(a)
the making of decisions about how the entity’s relevant activities are to be managed or organised, or
(b)
the actual managing or organising of the entity’s relevant activities.
(5)
An entity’s “relevant activities” are activities relating to the entity’s compliance with the regulatory requirements imposed by this Act in connection with the regulated service to which the information notice in question relates.
Skilled persons' reports
104Reports by skilled persons
(1)
OFCOM may exercise the powers in this section where they consider that it is necessary to do so for either of the following purposes—
(a)
assisting OFCOM in identifying and assessing a failure, or possible failure, by a provider of a regulated service to comply with a relevant requirement, or
(b)
developing OFCOM’s understanding of—
(i)
the nature and level of risk of a provider of a regulated service failing to comply with a relevant requirement, and
(ii)
ways to mitigate such a risk.
(2)
But the powers in this section may be exercised for a purpose mentioned in subsection (1)(b) only where OFCOM consider that the provider in question may be at risk of failing to comply with a relevant requirement.
(3)
(4)
OFCOM may appoint a skilled person to provide them with a report about matters relevant to the purpose for which the powers under this section are exercised (“the relevant matters”), and, where OFCOM make such an appointment, they must notify the provider about the appointment and the relevant matters to be explored in the report.
(5)
Alternatively, OFCOM may give a notice to the provider—
(a)
requiring the provider to appoint a skilled person to provide OFCOM with a report in such form as may be specified in the notice, and
(b)
specifying the relevant matters to be explored in the report.
(6)
References in this section to a skilled person are to a person—
(a)
appearing to OFCOM to have the skills necessary to prepare a report about the relevant matters, and
(b)
where the appointment is to be made by the provider, nominated or approved by OFCOM.
(7)
It is the duty of—
(a)
the provider of the service (“P”),
(b)
any person who works for (or used to work for) P, or is providing (or used to provide) services to P related to the relevant matters, and
(c)
other providers of internet services,
to give the skilled person all such assistance as the skilled person may reasonably require to prepare the report.
(8)
The provider of the service is liable for the payment, directly to the skilled person, of the skilled person’s remuneration and expenses relating to the preparation of the report.
(9)
(10)
In England and Wales, such an amount is recoverable—
(a)
if the county court so orders, as if it were payable under an order of that court;
(b)
if the High Court so orders, as if it were payable under an order of that court.
(11)
In Scotland, such an amount may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.
(12)
In Northern Ireland, such an amount is recoverable—
(a)
if a county court so orders, as if it were payable under an order of that court;
(b)
if the High Court so orders, as if it were payable under an order of that court.
(13)
In this section “relevant requirement” means—
(a)
a duty or requirement set out in any of the following—
(i)
section 9, 11, 26 or 28 (risk assessments);
(ii)
section 10 or 27 (illegal content);
(iii)
section 12 or 29 (children’s online safety);
(iv)
section 14 (assessments related to the adult user empowerment duty set out in section 15(2));
(v)
section 15 (user empowerment);
(vi)
section 20 or 31 (content reporting);
(vii)
section 21 or 32 (complaints procedures);
(viii)
section 23 or 34 (record-keeping and review);
(ix)
section 36 (children’s access assessments);
(x)
section 38 or 39 (fraudulent advertising);
(xi)
section 64 (user identity verification);
(xii)
section 66 (reporting CSEA content);
(xiii)
section 71 or 72 (terms of service);
(xiv)
section 75 (deceased child users);
(xvi)
section 81(2) (children’s access to pornographic content);
(b)
(c)
a requirement imposed by a notice under section 121(1) (notices to deal with terrorism content and CSEA content).
Investigations and interviews
105Investigations
(1)
If OFCOM open an investigation into whether a provider of a regulated service has failed, or is failing, to comply with any requirement mentioned in subsection (2), the provider must co-operate fully with the investigation.
(2)
The requirements are—
(a)
a requirement imposed by a notice under section 121(1) (notices to deal with terrorism content and CSEA content), and
(b)
an enforceable requirement as defined in section 131 (except the requirement in subsection (1) of this section).
106Power to require interviews
(1)
The power conferred by this section is exercisable by OFCOM for the purposes of an investigation that they are carrying out into the failure, or possible failure, of a provider of a regulated service to comply with a relevant requirement.
(2)
OFCOM may give an individual within subsection (4) a notice requiring the individual—
(a)
to attend at a time and place specified in the notice, and
(b)
to answer questions and provide explanations about any matter relevant to the investigation.
(3)
A notice under this section must—
(a)
indicate the subject matter and purpose of the interview, and
(b)
contain information about the consequences of not complying with the notice.
(4)
The individuals within this subsection are—
(a)
if the provider of the service is an individual or individuals, that individual or those individuals,
(b)
an officer of the provider of the service,
(c)
if the provider of the service is a partnership, a partner,
(d)
an employee of the provider of the service, and
(5)
(6)
An individual is not required under this section to disclose information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings.
(7)
In this section—
“officer”, in relation to an entity, includes a director, a manager, an associate, a secretary or, where the affairs of the entity are managed by its members, a member;
“relevant requirement” has the meaning given by section 104(13).
Powers of entry, inspection and audit
107Powers of entry, inspection and audit
Schedule 12 makes provision about—
(a)
OFCOM’s powers of entry and inspection, and
(b)
the carrying out of audits by OFCOM.
108Amendment of Criminal Justice and Police Act 2001
(1)
The Criminal Justice and Police Act 2001 is amended as follows.
(2)
“(u)
paragraph 8 of Schedule 12 to the Online Safety Act 2023.”
(3)
In section 65 (meaning of “legal privilege”)—
(a)
“(8C)
An item which is, or is comprised in, property which has been seized in exercise or purported exercise of the power of seizure conferred by paragraph 7(f), (j) or (k) of Schedule 12 to the Online Safety Act 2023 is to be taken for the purposes of this Part to be an item subject to legal privilege if, and only if, the seizure of that item was in contravention of paragraph 17(3) of that Schedule (privileged information or documents).”;
(b)
in subsection (9)—
(i)
at the end of paragraph (d) omit “or”;
(ii)
at the end of paragraph (e) insert “or”
;
(iii)
“(g)
paragraph 7(f), (j) or (k) of Schedule 12 to the Online Safety Act 2023.”
(4)
“Online Safety Act 2023
73V
Each of the powers of seizure conferred by paragraph 7(f), (j) and (k) of Schedule 12 to the Online Safety Act 2023.”
Information offences and penalties
109Offences in connection with information notices
(1)
A person commits an offence if the person fails to comply with a requirement of an information notice.
(2)
It is a defence for a person charged with an offence under subsection (1) to show that—
(a)
it was not reasonably practicable to comply with the requirements of the information notice at the time required by the notice, but
(b)
the person has subsequently taken all reasonable steps to comply with those requirements.
(3)
A person commits an offence if, in response to an information notice—
(a)
the person provides information that is false in a material respect, and
(b)
at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(4)
A person commits an offence if, in response to an information notice, the person—
(a)
provides information which is encrypted such that it is not possible for OFCOM to understand it, or produces a document which is encrypted such that it is not possible for OFCOM to understand the information it contains, and
(b)
the person’s intention was to prevent OFCOM from understanding such information.
(5)
A person commits an offence if—
(a)
the person suppresses, destroys or alters, or causes or permits the suppression, destruction or alteration of, any information required to be provided, or document required to be produced, by an information notice, and
(b)
the person’s intention was to prevent OFCOM from being provided with the information or document or (as the case may be) from being provided with it as it was before the alteration.
(6)
The reference in subsection (5) to suppressing information or a document includes a reference to destroying the means of reproducing information recorded otherwise than in a legible form.
(7)
Offences under this section may be committed only in relation to an information notice which—
(a)
relates to—
(i)
a user-to-user service,
(ii)
a search service, or
(iii)
an internet service on which regulated provider pornographic content is published or displayed; and
(b)
is given to the provider of that service.
(8)
If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person to comply with a requirement of an information notice within such period as may be specified by the order.
(9)
See also section 201 (supplementary provision about defences).
(10)
In this section, “regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79).
110Senior managers’ liability: information offences
(1)
In this section “an individual named as a senior manager of an entity” means an individual who, as required by an information notice, is named as a senior manager of an entity in a response to that notice (see section 103).
(2)
An individual named as a senior manager of an entity commits an offence if—
(a)
the entity commits an offence under section 109(1) (failure to comply with information notice), and
(b)
the individual has failed to take all reasonable steps to prevent that offence being committed.
(3)
It is a defence for an individual charged with an offence under subsection (2) to show that the individual was a senior manager within the meaning of section 103 for such a short time after the information notice in question was given that the individual could not reasonably have been expected to take steps to prevent that offence being committed.
(4)
An individual named as a senior manager of an entity commits an offence if—
(a)
the entity commits an offence under section 109(3) (false information), and
(b)
the individual has failed to take all reasonable steps to prevent that offence being committed.
(5)
An individual named as a senior manager of an entity commits an offence if—
(a)
the entity commits an offence under section 109(4) (encrypted information), and
(b)
the individual has failed to take all reasonable steps to prevent that offence being committed.
(6)
An individual named as a senior manager of an entity commits an offence if—
(a)
the entity commits an offence under section 109(5) (destruction etc of information), and
(b)
the individual has failed to take all reasonable steps to prevent that offence being committed.
(7)
(8)
It is a defence for an individual charged with an offence under this section to show that the individual had no knowledge of being named as a senior manager in a response to the information notice in question.
(9)
See also section 201 (supplementary provision about defences).
111Offences in connection with notices under Schedule 12
(1)
A person commits an offence if the person fails without reasonable excuse to comply with a requirement of an audit notice.
(2)
A person commits an offence if, in response to an audit notice—
(a)
the person provides information that is false in a material respect, and
(b)
at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(3)
A person commits an offence if—
(a)
the person suppresses, destroys or alters, or causes or permits the suppression, destruction or alteration of, any information required to be provided, or document required to be produced, by a notice to which this subsection applies, and
(b)
the person’s intention was to prevent OFCOM from being provided with the information or document or (as the case may be) from being provided with it as it was before the alteration.
(4)
The reference in subsection (3) to suppressing information or a document includes a reference to destroying the means of reproducing information recorded otherwise than in a legible form.
(5)
Subsection (3) applies to—
(a)
a notice under paragraph 3 of Schedule 12 (information required for inspection), and
(b)
an audit notice (see paragraph 4 of that Schedule).
(6)
If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person, within such period as may be specified by the order, to comply with a requirement of a notice under paragraph 3 of Schedule 12 or an audit notice (as the case may be).
112Other information offences
(1)
A person commits an offence if the person intentionally obstructs or delays a person in the exercise of the power conferred by section 102(7)(a) (copying a document etc).
(2)
A person commits an offence if the person fails without reasonable excuse to comply with a requirement under section 106 (interviews).
(3)
A person commits an offence if, in purported compliance with a requirement under section 106—
(a)
the person provides information that is false in a material respect, and
(b)
at the time the person provides it, the person knows that it is false in a material respect or is reckless as to whether it is false in a material respect.
(4)
If a person is convicted of an offence under this section, the court may, on an application by the prosecutor, make an order requiring the person, within such period as may be specified by the order, to permit the making of a copy of a document, or to comply with a requirement under section 106 (as the case may be).
113Penalties for information offences
(1)
(a)
on summary conviction in England and Wales, to a fine;
(b)
on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;
(c)
on conviction on indictment, to a fine.
(2)
A person who commits an offence under section 109(3), (4) or (5), 110(4), (5) or (6), 111(2) or (3) or 112(1) is liable—
(a)
on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)
on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);
(c)
on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(d)
on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).
(3)
(a)
on summary conviction in England and Wales, to a fine;
(b)
on summary conviction in Scotland, to a fine not exceeding level 5 on the standard scale;
(c)
on summary conviction in Northern Ireland, to a fine not exceeding level 5 on the standard scale.
Disclosure of information
114Co-operation and disclosure of information: overseas regulators
(1)
OFCOM may co-operate with an overseas regulator, including by disclosing online safety information to that regulator, for the purposes of—
(a)
facilitating the exercise by the overseas regulator of any of that regulator’s online regulatory functions, or
(b)
criminal investigations or proceedings relating to a matter to which the overseas regulator’s online regulatory functions relate.
(2)
The power conferred by subsection (1) applies only in relation to an overseas regulator for the time being specified in regulations made by the Secretary of State.
(3)
Where information is disclosed to a person in reliance on subsection (1), the person may not—
(a)
use the information for a purpose other than the purpose for which it was disclosed, or
(b)
further disclose the information,
except with OFCOM’s consent (which may be general or specific) or in accordance with an order of a court or tribunal.
(4)
Except as provided by subsection (5), a disclosure of information under subsection (1) does not breach—
(a)
any obligation of confidence owed by the person making the disclosure, or
(b)
any other restriction on the disclosure of information (however imposed).
(5)
Subsection (1) does not authorise a disclosure of information that—
(a)
would contravene the restriction imposed by section 116 (intelligence service information),
(b)
would contravene the data protection legislation (but in determining whether a disclosure would do so, the power conferred by that subsection is to be taken into account), or
(c)
is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
(6)
Section 18 of the Anti-terrorism, Crime and Security Act 2001 (restriction on disclosure of information for overseas purposes) has effect in relation to a disclosure authorised by subsection (1)(b) as it has effect in relation to a disclosure authorised by any of the provisions to which section 17 of that Act applies.
(7)
In this section—
“online regulatory functions”, in relation to an overseas regulator, means functions of that regulator which correspond to OFCOM’s online safety functions;
“online safety information” means information held by OFCOM in connection with any of OFCOM’s online safety functions;
“overseas regulator” means a person exercising functions in a country outside the United Kingdom which correspond to any of OFCOM’s online safety functions;
“the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).
115Disclosure of information
(1)
Section 393 of the Communications Act (general restrictions on disclosure of information) is amended as follows.
(2)
In subsection (1)—
(a)
at the end of paragraph (c) omit “or”,
(b)
at the end of paragraph (d) insert “or”
, and
(c)
“(e)
the Online Safety Act 2023,”.
(3)
In subsection (2)(e), after “this Act” insert “or the Online Safety Act 2023”
.
(4)
“(ha)
a person appointed under—
(i)
paragraph 1 of Schedule 3 to the Coroners and Justice Act 2009, or
(ii)
section 2 of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.));
(hb)
the procurator fiscal, within the meaning of the enactment mentioned in subsection (5)(s);”.
(5)
In subsection (5)—
(a)
“(ca)
the Coroners Act (Northern Ireland) 1959;”,
(b)
“(nb)
Part 1 of the Coroners and Justice Act 2009;”, and
(c)
“(s)
the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (asp 2).”
(6)
In subsection (6)(a), after “390” insert “, or under section 149 of or Schedule 11 to the Online Safety Act 2023”
.
(7)
In subsection (6)(b), at the end insert “or the Online Safety Act 2023”
.
116Intelligence service information
(1)
OFCOM may not disclose information received (directly or indirectly) from, or that relates to, an intelligence service unless the intelligence service consents to the disclosure.
(2)
If OFCOM have disclosed information described in subsection (1) to a person, the person must not further disclose the information unless the intelligence service consents to the disclosure.
(3)
If OFCOM would contravene subsection (1) by publishing in its entirety—
(a)
a statement required to be published by section 47(5), or
(b)
a report mentioned in section 164(5),
OFCOM must, before publication, remove or obscure the information which by reason of subsection (1) they must not disclose.
(4)
In this section—
“information” means information held by OFCOM in connection with an online safety matter;
“intelligence service” means—
(a)
the Security Service,
(b)
the Secret Intelligence Service, or
(c)
the Government Communications Headquarters.
117Provision of information to the Secretary of State
(1)
Section 24B of the Communications Act (provision of information to assist in formulation of policy) is amended as follows.
(2)
In subsection (2)—
(a)
at the end of paragraph (d) omit “or”,
(b)
at the end of paragraph (e) insert “or”
, and
(c)
“(f)
the Online Safety Act 2023,”.
(3)
“(4)
Subsection (2) does not apply to information—
(a)
obtained by OFCOM—
(i)
in the exercise of a power conferred by section 100 of the Online Safety Act 2023 for the purpose mentioned in subsection (6)(c) of that section (information in connection with a consultation about a threshold figure for the purposes of charging fees under that Act), or
(ii)
in the exercise of a power conferred by section 175(5) of that Act (information in connection with circumstances presenting a threat), and
(b)
reasonably required by the Secretary of State.”
118Amendment of Enterprise Act 2002
“Online Safety Act 2023.”
119Information for users of regulated services
(1)
Section 26 of the Communications Act (publication of information and advice for consumers etc) is amended as follows.
(2)
“(da)
United Kingdom users of regulated services;”.
(3)
“(7)
In this section the following terms have the same meaning as in the Online Safety Act 2023—
“regulated service” (see section 4 of that Act);
“United Kingdom user” (see section 227 of that Act).”
120Admissibility of statements
(1)
An explanation given, or information provided, by a person in response to a requirement imposed under or by virtue of section 100, 101 or 106 or paragraph 2(4)(e) or (f), 3(2), 4(2)(i) or (j) or 7(d) of Schedule 12, may, in criminal proceedings, only be used in evidence against that person—
(a)
on a prosecution for an offence under a provision listed in subsection (2), or
(b)
on a prosecution for any other offence where—
(i)
in giving evidence that person makes a statement inconsistent with that explanation or information, and
(ii)
evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person’s behalf.
(2)
Those provisions are—
(a)
section 69(1),
(b)
section 109(3),
(c)
section 110(4),
(d)
section 111(2),
(e)
section 112(3),
(f)
paragraph 18(1)(c) of Schedule 12,
(g)
section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),
(h)
section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), and
(i)
Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).
CHAPTER 5Regulated user-to-user services and regulated search services: notices to deal with terrorism content and CSEA content
121Notices to deal with terrorism content or CSEA content (or both)
(1)
If OFCOM consider that it is necessary and proportionate to do so, they may give a notice described in subsection (2), (3) or (4) relating to a regulated user-to-user service or a regulated search service to the provider of the service.
(2)
A notice under subsection (1) that relates to a regulated user-to-user service is a notice requiring the provider of the service—
(a)
to do any or all of the following—
(i)
use accredited technology to identify terrorism content communicated publicly by means of the service and to swiftly take down that content;
(ii)
use accredited technology to prevent individuals from encountering terrorism content communicated publicly by means of the service;
(iii)
use accredited technology to identify CSEA content, whether communicated publicly or privately by means of the service, and to swiftly take down that content;
(iv)
use accredited technology to prevent individuals from encountering CSEA content, whether communicated publicly or privately, by means of the service; or
(b)
to use the provider’s best endeavours to develop or source technology for use on or in relation to the service or part of the service, which—
(i)
achieves the purpose mentioned in paragraph (a)(iii) or (iv), and
(ii)
meets the standards published by the Secretary of State (see section 125(13)).
(3)
A notice under subsection (1) that relates to a regulated search service is a notice requiring the provider of the service—
(a)
to do either or both of the following—
(i)
use accredited technology to identify search content of the service that is terrorism content and to swiftly take measures designed to secure, so far as possible, that search content of the service no longer includes terrorism content identified by the technology;
(ii)
use accredited technology to identify search content of the service that is CSEA content and to swiftly take measures designed to secure, so far as possible, that search content of the service no longer includes CSEA content identified by the technology; or
(b)
to use the provider’s best endeavours to develop or source technology for use on or in relation to the service which—
(i)
achieves the purpose mentioned in paragraph (a)(ii), and
(ii)
meets the standards published by the Secretary of State (see section 125(13)).
(4)
A notice under subsection (1) that relates to a combined service is a notice requiring the provider of the service—
(a)
to do any or all of the things described in subsection (2)(a) in relation to the user-to-user part of the service, or to use best endeavours to develop or source technology as described in subsection (2)(b) for use on or in relation to that part of the service;
(b)
to do either or both of the things described in subsection (3)(a) in relation to the search engine of the service, or to use best endeavours to develop or source technology as described in subsection (3)(b) for use on or in relation to the search engine of the service;
(c)
to do any or all of the things described in subsection (2)(a) in relation to the user-to-user part of the service and either or both of the things described in subsection (3)(a) in relation to the search engine of the service; or
(d)
to use best endeavours to develop or source—
(i)
technology as described in subsection (2)(b) for use on or in relation to the user-to-user part of the service, and
(ii)
technology as described in subsection (3)(b) for use on or in relation to the search engine of the service.
(5)
For the purposes of subsections (2) and (3), a requirement to use accredited technology may be complied with by the use of the technology alone or by means of the technology together with the use of human moderators.
(6)
See—
(a)
section 122, which requires OFCOM to obtain a skilled person’s report before giving a notice under subsection (1),
(b)
section 123, which requires OFCOM to give a warning notice before giving a notice under subsection (1), and
(c)
section 124 for provision about matters which OFCOM must consider before giving a notice under subsection (1).
(7)
A notice under subsection (1) that relates to a user-to-user service (or to the user-to-user part of a combined service) and requires the use of technology in relation to terrorism content must identify the content, or parts of the service that include content, that OFCOM consider is communicated publicly on that service (see section 232).
(8)
122Requirement to obtain skilled person’s report
(1)
(2)
The purpose of the report is to assist OFCOM in deciding whether to give a notice under section 121(1), and to advise about the requirements that might be imposed by such a notice if it were to be given.
123Warning notices
(1)
OFCOM may give a notice under section 121(1) to a provider relating to a service or part of a service only after giving a warning notice to the provider that they intend to give such a notice relating to that service or that part of it.
(2)
A warning notice under subsection (1) relating to the use of accredited technology (see section 121(2)(a) and (3)(a)) must—
(a)
contain a summary of the report obtained by OFCOM under section 122,
(b)
contain details of the technology that OFCOM are considering requiring the provider to use,
(c)
specify whether the technology is to be required in relation to terrorism content or CSEA content (or both),
(d)
specify any other requirements that OFCOM are considering imposing (see section 125(2) to (4)),
(e)
specify the period for which OFCOM are considering imposing the requirements (see section 125(7)),
(f)
state that the provider may make representations to OFCOM (with any supporting evidence), and
(g)
specify the period within which representations may be made.
(3)
A warning notice under subsection (1) relating to the development or sourcing of technology (see section 121(2)(b)and (3)(b)) must—
(a)
contain a summary of the report obtained by OFCOM under section 122,
(b)
describe the proposed purpose for which the technology must be developed or sourced (see section 121(2)(a)(iii) and (iv) and (3)(a)(ii)),
(c)
specify steps that OFCOM consider the provider needs to take in order to comply with the requirement described in section 121(2)(b) or (3)(b), or both those requirements (as the case may be),
(d)
specify the proposed period within which the provider must take each of those steps,
(e)
specify any other requirements that OFCOM are considering imposing,
(f)
state that the provider may make representations to OFCOM (with any supporting evidence), and
(g)
specify the period within which representations may be made.
(4)
A notice under section 121(1) that relates to both the user-to-user part of a combined service and the search engine of the service (as described in section 121(4)(c) or (d)) may be given to the provider of the service only if—
(a)
two separate warning notices have been given to the provider (one relating to the user-to-user part of the service and the other relating to the search engine), or
(b)
a single warning notice relating to both the user-to-user part of the service and the search engine has been given to the provider.
(5)
A notice under section 121(1) may not be given to a provider until the period allowed by the warning notice for the provider to make representations has expired.
124Matters relevant to a decision to give a notice under section 121(1)
(1)
This section specifies the matters which OFCOM must particularly consider in deciding whether it is necessary and proportionate to give a notice under section 121(1) relating to a Part 3 service to the provider of the service.
(2)
In the case of a notice requiring the use of accredited technology, the matters are as follows—
(a)
the kind of service it is;
(b)
the functionalities of the service;
(c)
the user base of the service;
(d)
in the case of a notice relating to a user-to-user service (or to the user-to-user part of a combined service), the prevalence of relevant content on the service, and the extent of its dissemination by means of the service;
(e)
in the case of a notice relating to a search service (or to the search engine of a combined service), the prevalence of search content of the service that is relevant content;
(f)
the level of risk of harm to individuals in the United Kingdom presented by relevant content, and the severity of that harm;
(g)
the systems and processes used by the service which are designed to identify and remove relevant content;
(h)
the contents of the skilled person’s report obtained as required by section 122;
(i)
the extent to which the use of the specified technology would or might result in interference with users’ right to freedom of expression within the law;
(j)
the level of risk of the use of the specified technology resulting in a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of the service (including, but not limited to, any such provision or rule concerning the processing of personal data);
(k)
in the case of a notice relating to a user-to-user service (or to the user-to-user part of a combined service), the extent to which the use of the specified technology would or might—
(i)
have an adverse impact on the availability of journalistic content on the service, or
(ii)
result in a breach of the confidentiality of journalistic sources;
(l)
whether the use of any less intrusive measures than the specified technology would be likely to achieve a significant reduction in the amount of relevant content.
(3)
(a)
in the case of a user-to-user service (or the user-to-user part of a combined service), relevant content present on the service;
(b)
in the case of a search service (or the search engine of a combined service), search content of the service that is relevant content.
(4)
In the case of a notice relating to the development or sourcing of technology, subsection (2) applies—
(a)
as if references to relevant content were to CSEA content, and
(5)
In this section—
“journalistic content” has the meaning given by section 19;
“relevant content” means terrorism content or CSEA content or both those kinds of content (depending on the kind, or kinds, of content in relation to which the specified technology is to operate);
“specified technology” means the technology to be specified in the notice under section 121(1).
125Notices under section 121(1): supplementary
(1)
In this section “a notice” means a notice under section 121(1) (including a further notice under that provision).
(2)
If a provider is already using accredited technology in relation to the service in question, a notice may require the provider to use it more effectively (specifying the ways in which that must be done).
(3)
A notice relating to a user-to-user service (or to the user-to-user part of a combined service) may also require a provider to operate an effective complaints procedure allowing for United Kingdom users to challenge the provider for taking down content which they have generated, uploaded or shared on the service.
(4)
A notice relating to a search service (or to the search engine of a combined service) may also require a provider to operate an effective complaints procedure allowing for an interested person (see section 227(7)) to challenge measures taken or in use by the provider that result in content relating to that interested person no longer appearing in search results of the service.
(5)
A notice given to a provider of a Part 3 service requiring the use of accredited technology is to be taken to require the provider to make such changes to the design or operation of the service as are necessary for the technology to be used effectively.
(6)
A notice requiring the use of accredited technology must—
(a)
give OFCOM’s reasons for their decision to give the notice,
(b)
contain details of the requirements imposed by the notice,
(c)
contain details of the technology to be used,
(d)
contain details about the manner in which the technology is to be implemented,
(e)
specify a reasonable period for compliance with the notice,
(f)
specify the period for which the notice is to have effect,
(g)
contain details of the rights of appeal under section 168,
(h)
contain information about when OFCOM intend to review the notice (see section 126), and
(i)
contain information about the consequences of not complying with the notice (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(7)
A notice requiring the use of accredited technology may impose requirements for a period of up to 36 months beginning with the last day of the period specified in the notice in accordance with subsection (6)(e).
(8)
A notice relating to the development or sourcing of technology must—
(a)
give OFCOM’s reasons for their decision to give the notice,
(b)
describe the purpose for which technology is required to be developed or sourced (see section 121(2)(a)(iii) and (iv) and (3)(a)(ii),
(c)
(d)
specify a reasonable period within which each of the steps specified in the notice must be taken,
(e)
contain details of any other requirements imposed by the notice,
(f)
contain details of the rights of appeal under section 168,
(g)
contain information about when OFCOM intend to review the notice (see section 126), and
(h)
contain information about the consequences of not complying with the notice (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(9)
In deciding what period or periods to specify for steps to be taken in accordance with subsection (8)(d), OFCOM must, in particular, consider—
(a)
the size and capacity of the provider, and
(b)
the state of development of technology capable of achieving the purpose described in the notice in accordance with subsection (8)(b).
(10)
A notice may impose requirements only in relation to the design and operation of a Part 3 service—
(a)
in the United Kingdom, or
(b)
as it affects United Kingdom users of the service.
(11)
OFCOM may vary or revoke a notice given to a provider by notifying the provider to that effect.
(12)
For the purposes of this Chapter, technology is “accredited” if it is accredited (by OFCOM or another person appointed by OFCOM) as meeting minimum standards of accuracy in the detection of terrorism content or CSEA content (as the case may be).
(13)
Those minimum standards of accuracy must be such standards as are for the time being approved and published by the Secretary of State, following advice from OFCOM.
126Review and further notice under section 121(1)
(1)
This section applies where OFCOM have given a provider of a Part 3 service a notice under section 121(1).
(2)
The power conferred by section 125(11) includes power to revoke the notice if there are reasonable grounds for believing that the provider is failing to comply with it.
(3)
(4)
Except where a notice under section 121(1) is revoked as mentioned in subsection (2), OFCOM must carry out a review of the provider’s compliance with the notice—
(a)
in the case of a notice requiring the use of accredited technology, before the end of the period for which the notice has effect;
(b)
in the case of a notice relating to the development or sourcing of technology, before the last date by which any step specified in the notice is required to be taken.
(5)
In the case of a notice requiring the use of accredited technology, the review must consider—
(a)
the extent to which the technology specified in the notice has been used, and
(b)
the effectiveness of its use.
(6)
Following the review, and after consultation with the provider, OFCOM may give the provider a further notice under section 121(1) if they consider that it is necessary and proportionate to do so (taking into account the matters mentioned in section 124).
(7)
(8)
A further notice under section 121(1) may impose different requirements from an earlier notice under that provision.
(9)
Sections 122 (skilled person’s report) and 123 (warning notices) do not apply in relation to a further notice under section 121(1).
127OFCOM’s guidance about functions under this Chapter
(1)
OFCOM must produce guidance for providers of Part 3 services about how OFCOM propose to exercise their functions under this Chapter.
(2)
Before producing the guidance (including revised or replacement guidance), OFCOM must consult the Information Commissioner.
(3)
OFCOM must keep the guidance under review.
(4)
OFCOM must publish the guidance (and any revised or replacement guidance).
(5)
In exercising their functions under this Chapter, or deciding whether to exercise them, OFCOM must have regard to the guidance for the time being published under this section.
128OFCOM’s annual report
(1)
OFCOM must produce and publish an annual report about—
(a)
the exercise of their functions under this Chapter, and
(2)
OFCOM must send a copy of the report to the Secretary of State, and the Secretary of State must lay it before Parliament.
(3)
For further provision about reports under this section, see section 164.
129Interpretation of this Chapter
In this Chapter—
“search content” has the same meaning as in Part 3 (see section 57);
“search results” has the meaning given by section 57(3);
“terrorism content” and “CSEA content” have the same meaning as in Part 3 (see section 59).
CHAPTER 6Enforcement powers
Provisional notices and confirmation decisions
130Provisional notice of contravention
(1)
OFCOM may give a notice under this section (a “provisional notice of contravention”) relating to a regulated service to the provider of the service if they consider that there are reasonable grounds for believing that the provider has failed, or is failing, to comply with any enforceable requirement (see section 131) that applies in relation to the service.
(2)
OFCOM may also give a provisional notice of contravention to a person on either of the grounds in subsection (3).
(3)
The grounds are that—
(a)
the person has been given an information notice and OFCOM consider that there are reasonable grounds for believing that the person has failed, or is failing, to comply with either of the duties set out in section 102(8) (duties in relation to information notices), or
(b)
the person is required by a skilled person appointed under section 104 to give assistance to the skilled person, and OFCOM consider that there are reasonable grounds for believing that the person has failed, or is failing, to comply with the duty set out in subsection (7) of that section to give such assistance.
(4)
A provisional notice of contravention given to a person must—
(a)
specify the duty or requirement with which (in OFCOM’s opinion) the person has failed, or is failing, to comply, and
(b)
give OFCOM’s reasons for their opinion that the person has failed, or is failing, to comply with it.
(5)
(6)
A provisional notice of contravention may specify steps that OFCOM consider the person needs to take in order to—
(a)
comply with the duty or requirement, or
(b)
remedy the failure to comply with it.
(7)
A provisional notice of contravention may state that OFCOM propose to impose a penalty on the person, and in such a case the notice must—
(a)
state the reasons why OFCOM propose to impose a penalty,
(b)
state whether OFCOM propose to impose a penalty of a single amount, a penalty calculated by reference to a daily rate, or both penalties (see section 137(1)),
(c)
indicate the amount of a penalty that OFCOM propose to impose, including (in relation to a penalty calculated by reference to a daily rate) the daily rate and how the penalty would be calculated,
(d)
in relation to a penalty calculated by reference to a daily rate, specify or describe the period for which OFCOM propose that the penalty should be payable, and
(e)
state the reasons for proposing a penalty of that amount, including any aggravating or mitigating factors that OFCOM propose to take into account.
(8)
A provisional notice of contravention given to a person must—
(a)
state that the person may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice, and
(b)
specify the period within which such representations may be made.
(9)
A provisional notice of contravention may be given in respect of a failure to comply with more than one enforceable requirement.
(10)
Where a provisional notice of contravention is given in respect of a continuing failure, the notice may be given in respect of any period during which the failure has continued, and must specify that period.
(11)
Where a provisional notice of contravention is given to a person in respect of a failure to comply with a duty or requirement (“the first notice”), a further provisional notice of contravention in respect of a failure to comply with that same duty or requirement may be given to the person only—
(a)
in respect of a separate instance of the failure after the first notice was given,
(b)
where a period was specified in the first notice in accordance with subsection (10), in respect of the continuation of the failure after the end of that period, or
(c)
if the first notice has been withdrawn (without a confirmation decision being given to the person in respect of the failure).
131Requirements enforceable by OFCOM against providers of regulated services
(1)
References in this Chapter to “enforceable requirements” are to—
(a)
the duties or requirements set out in the provisions of this Act specified in the table in subsection (2), and
(b)
the requirements mentioned in subsection (3).
(2)
Here is the table—
Provision | Subject matter |
---|---|
Section 9 | Illegal content risk assessments |
Section 10 | Illegal content |
Section 11 | Children’s risk assessments |
Section 12 | Children’s online safety |
Section 14 | Assessments related to duty in section 15(2) |
Section 15 | User empowerment |
Section 17 | Content of democratic importance |
Section 18 | News publisher content |
Section 19 | Journalistic content |
Section 20 | Content reporting |
Section 21 | Complaints procedures |
Section 22 | Freedom of expression and privacy |
Section 23 | Record-keeping and review |
Section 26 | Illegal content risk assessments |
Section 27 | Illegal content |
Section 28 | Children’s risk assessments |
Section 29 | Children’s online safety |
Section 31 | Content reporting |
Section 32 | Complaints procedures |
Section 33 | Freedom of expression and privacy |
Section 34 | Record-keeping and review |
Section 36 | Children’s access assessments |
Section 38 | Fraudulent advertising |
Section 39 | Fraudulent advertising |
Section 64 | User identity verification |
Section 66 | Reporting CSEA content to NCA |
Section 71 | Acting against users only in accordance with terms of service |
Section 72 | Terms of service |
Section 75 | Information about use of service by deceased child users |
Transparency reports | |
Section 81 | Provider pornographic content |
Section 83 | Fees: notification of OFCOM |
Section 102(8) | Information notices |
Section 104(7) | Assistance to skilled person |
Section 105(1) | Co-operation with investigation |
(3)
The requirements referred to in subsection (1)(b) are—
(a)
requirements of a notice under section 104(5)(a) to appoint a skilled person;
(b)
requirements of a notice given by virtue of section 175(3) (duty to make public statement);
(c)
requirements of a notice under section 175(5) (information in connection with circumstances presenting a threat);
132Confirmation decisions
(1)
This section applies if—
(a)
OFCOM have given a provisional notice of contravention to a person in relation to a failure to comply with a duty or requirement (or with duties or requirements), and
(b)
the period allowed for representations has expired.
A duty or requirement to which the provisional notice of contravention relates is referred to in this section as a “notified requirement”.
(2)
If, after considering any representations and evidence, OFCOM decide not to give the person a notice under this section, they must inform the person of that fact.
(3)
If OFCOM are satisfied that the person has failed, or has been failing, to comply with a notified requirement, OFCOM may give the person a notice under this section (a “confirmation decision”) confirming that that is OFCOM’s opinion.
(4)
A confirmation decision and a notice under section 121(1) may be given in respect of the same failure.
(5)
A confirmation decision given to a person may—
(a)
require the person to take steps as mentioned in section 133;
(b)
require the person to pay a penalty as mentioned in section 137;
(c)
require the person to do both those things (or neither of them).
(6)
See sections 134 and 135 for further provision which a confirmation decision may include in cases of failure to comply with duties about risk assessments or children’s access assessments.
133Confirmation decisions: requirements to take steps
(1)
A confirmation decision may require the person to whom it is given to take such steps as OFCOM consider appropriate (including steps relating to the use of a system or process) for either or both of the following purposes—
(a)
complying with a notified requirement;
(b)
remedying the failure to comply with a notified requirement.
(2)
But see section 136 in relation to OFCOM’s power to include in a confirmation decision requirements as described in subsection (1) relating to the use of proactive technology.
(3)
A confirmation decision may impose requirements as described in subsection (1) only in relation to the design or operation of a regulated service—
(a)
in the United Kingdom, or
(b)
as it affects United Kingdom users of the service.
(4)
A confirmation decision that includes requirements as described in subsection (1) must—
(a)
specify the steps that are required,
(b)
give OFCOM’s reasons for their decision to impose those requirements,
(c)
(d)
specify each notified requirement to which the steps relate,
(e)
specify the period during which the failure to comply with a notified requirement has occurred, and whether the failure is continuing,
(f)
specify a reasonable period within which each of the steps specified in the decision must be taken or, if a step requires the use of a system or process, a reasonable period within which the system or process must begin to be used (but see subsection (5) in relation to information duties),
(g)
(if relevant) specify the period for which a system or process must be used,
(h)
contain details of the rights of appeal under section 168, and
(i)
contain information about the consequences of not complying with the requirements included in the decision (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(5)
A confirmation decision that requires a person to take steps for the purpose of complying with an information duty may require the person to take those steps immediately.
(6)
If the condition in subsection (7) is met in relation to a requirement imposed by a confirmation decision which is of a kind described in subsection (1), OFCOM must designate the requirement as a “CSEA requirement” for the purposes of section 138(3) (offence of failure to comply with confirmation decision).
(7)
The condition referred to in subsection (6) is that the requirement is imposed (whether or not exclusively) in relation to either or both of the following—
(a)
a failure to comply with section 10(2)(a) or (3)(a) in respect of CSEA content, or in respect of priority illegal content which includes CSEA content;
(b)
a failure to comply with section 10(2)(b) in respect of an offence specified in Schedule 6 (CSEA offences), or in respect of priority offences which include such an offence.
(8)
A person to whom a confirmation decision is given has a duty to comply with requirements included in the decision which are of a kind described in subsection (1).
(9)
The duty under subsection (8) is enforceable in civil proceedings by OFCOM—
(a)
for an injunction,
(b)
for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or
(c)
for any other appropriate remedy or relief.
(10)
In this section—
“CSEA content”, “priority illegal content” and “priority offence” have the same meaning as in Part 3 (see section 59);
“information duty” means a duty set out in section 102(8);
“notified requirement” has the meaning given by section 132.
134Confirmation decisions: risk assessments
(1)
This section applies if—
(a)
OFCOM are satisfied that a provider of a Part 3 service has failed to comply with a risk assessment duty,
(b)
based on evidence resulting from OFCOM’s investigation into that failure, OFCOM have identified a risk of serious harm to individuals in the United Kingdom arising from a particular aspect of the service (“the identified risk”), and
(c)
OFCOM consider that the identified risk is not effectively mitigated or managed.
(2)
A confirmation decision given to the provider of the service—
(a)
if the identified risk relates to matters required to be covered by an illegal content risk assessment, may include a determination that the duty set out in section 10(2)(b) or (c) or 27(2) (as the case may be) applies as if an illegal content risk assessment carried out by the provider had identified that risk;
(b)
(3)
A confirmation decision which includes a determination as mentioned in subsection (2) must—
(a)
give details of the identified risk,
(b)
specify the duty to which the determination relates, and
(c)
specify the date by which measures (at the provider’s discretion) to comply with that duty must be taken or must begin to be used.
(4)
A determination as mentioned in subsection (2) ceases to have effect on the date on which the provider of the service complies with the risk assessment duty with which the provider had previously failed to comply (and accordingly, from that date the duty to which the determination relates applies without the modification mentioned in that subsection).
(5)
In this section—
“children’s risk assessment” has the meaning given by section 11 or 28 (as the case may be);
“illegal content risk assessment” has the meaning given by section 9 or 26 (as the case may be);
“risk assessment duty” means a duty set out in—
(a)
section 9,
(b)
section 11,
(c)
section 26, or
(d)
section 28.
135Confirmation decisions: children’s access assessments
(1)
This section applies if OFCOM are satisfied that a provider of a Part 3 service has failed to comply with a duty set out in section 36 (duties about children’s access assessments).
(2)
If OFCOM include in a confirmation decision a requirement to take steps relating to the carrying out of a children’s access assessment of a service, they must require that assessment to be completed within three months of the date of the confirmation decision.
(3)
OFCOM may vary a confirmation decision which includes a requirement as mentioned in subsection (2) to extend the deadline for completion of a children’s access assessment.
(4)
Subsection (5) applies if, based on evidence that OFCOM have about a service resulting from their investigation into compliance with a duty set out in section 36, OFCOM consider that—
(a)
it is possible for children to access the service or a part of it, and
(b)
the child user condition is met in relation to—
(i)
the service, or
(ii)
a part of the service that it is possible for children to access.
(5)
OFCOM may include in the confirmation decision given to the provider of the service—
(a)
a determination that the duties set out in sections 11 and 12, or (as the case may be) sections 28 and 29, must be complied with—
(i)
from the date of the confirmation decision, or
(ii)
from a later date specified in that decision;
(b)
provision about the circumstances in which that determination may be treated as no longer applying in relation to the service.
(6)
Subsection (4) is to be interpreted consistently with section 35.
(7)
In this section, “children’s access assessment” has the meaning given by section 35.
136Confirmation decisions: proactive technology
(1)
This section sets out what powers OFCOM have to include in a confirmation decision a requirement to take steps to use a kind, or one of the kinds, of proactive technology specified in the decision (a “proactive technology requirement”).
(2)
A proactive technology requirement may be imposed in a confirmation decision if—
(a)
the decision is given to the provider of an internet service within section 80(2), and
(b)
the decision is imposed for the purpose of complying with, or remedying the failure to comply with, the duty set out in section 81(2) (provider pornographic content).
(3)
The following provisions of this section set out constraints on OFCOM’s power to include a proactive technology requirement in a confirmation decision in any case not within subsection (2).
(4)
A proactive technology requirement may be imposed in a confirmation decision only if the decision is given to the provider of a Part 3 service.
(5)
A proactive technology requirement may be imposed in a confirmation decision only for the purpose of complying with, or remedying the failure to comply with, any of the duties set out in—
(6)
Proactive technology may be required to be used on or in relation to any Part 3 service or any part of such a service, but if and to the extent that the technology operates (or may operate) by analysing content that is user-generated content in relation to the service, or metadata relating to such content, the technology may not be required to be used except to analyse—
(a)
user-generated content communicated publicly, and
(b)
metadata relating to user-generated content communicated publicly.
(7)
Before imposing a proactive technology requirement in relation to a service in a confirmation decision, OFCOM must particularly consider the matters mentioned in subsection (8), so far as they are relevant.
(8)
The matters are as follows—
(a)
the kind of service it is;
(b)
the functionalities of the service;
(c)
the user base of the service;
(d)
the prevalence of relevant content on the service and the extent of its dissemination by means of the service, or (as the case may be) the prevalence of search content of the service that is relevant content;
(e)
the level of risk of harm to individuals in the United Kingdom presented by relevant content present on the service, or (as the case may be) search content of the service that is relevant content, and the severity of that harm;
(f)
the degree of accuracy, effectiveness and lack of bias achieved by the kind of technology specified in the decision;
(g)
the extent to which the use of the kind of proactive technology specified in the decision would or might result in interference with users’ right to freedom of expression within the law;
(h)
the level of risk of the use of the kind of proactive technology specified in the decision resulting in a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of the service (including, but not limited to, any such provision or rule concerning the processing of personal data);
(i)
whether the use of any less intrusive measures than the proactive technology specified in the decision would be likely to result in compliance with, or would be likely to effectively remedy the failure to comply with, the duty in question.
(9)
A confirmation decision that imposes a proactive technology requirement on a provider may also impose requirements about review of the technology by the provider.
(10)
A confirmation decision relating to a service which requires the use of technology of a kind mentioned in subsection (6) must identify the content, or parts of the service that include content, that OFCOM consider is communicated publicly on that service (see section 232).
(11)
In this section—
“content that is harmful to children” has the same meaning as in Part 3 (see section 60);
“fraudulent advertisement” has the meaning given by section 38 or 39 (depending on the kind of service in question);
“illegal content” has the same meaning as in Part 3 (see section 59);
“relevant content” means illegal content, content that is harmful to children or content consisting of fraudulent advertisements, or any or all of those kinds of content (depending on the duties (as mentioned in subsection (5)) for the purposes of which the proactive technology requirement is imposed);
“search content” has the same meaning as in Part 3 (see section 57);
“user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).
137Confirmation decisions: penalties
(1)
A confirmation decision may require the person to whom it is given to do either or both of the following, depending on what was proposed in the provisional notice of contravention (see paragraph 3 of Schedule 13)—
(a)
pay to OFCOM a penalty of a single amount in sterling determined by OFCOM (a “single penalty”) and specified in the confirmation decision;
(b)
if the confirmation decision includes a requirement of the kind described in section 133(1)(a) in respect of a continuous failure to comply with a notified requirement, pay a daily rate penalty to OFCOM if that same failure continues after the compliance date.
(2)
A “daily rate penalty” means a penalty of an amount in sterling determined by OFCOM and calculated by reference to a daily rate.
(3)
A confirmation decision may impose separate single penalties for failure to comply with separate notified requirements specified in the decision.
(4)
Where a provisional notice of contravention is given in respect of a period of continuing failure to comply with a notified requirement, no more than one single penalty may be imposed by a confirmation decision in respect of the period of failure specified in the provisional notice of contravention.
(5)
A confirmation decision that imposes a penalty must—
(a)
give OFCOM’s reasons for their decision to impose the penalty,
(b)
specify each notified requirement to which the penalty relates,
(c)
specify the period during which the failure to comply with a notified requirement has occurred, and whether the failure is continuing,
(d)
state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,
(e)
specify a reasonable period within which the penalty must be paid,
(f)
contain details of the rights of appeal under section 168, and
(g)
contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(6)
The period specified under subsection (5)(e) for the payment of a single penalty must be at least 28 days beginning with the day on which the confirmation decision is given.
(7)
(8)
As well as containing the information mentioned in subsection (5), a confirmation decision that imposes a daily rate penalty in respect of a continuous failure to comply with a notified requirement must—
(a)
state the daily rate of the penalty and how the penalty is calculated;
(b)
state that the person will be liable to pay the penalty if that same failure continues after the compliance date;
(c)
state the date from which the penalty begins to be payable, which must not be earlier than the day after the compliance date;
(d)
provide for the penalty to continue to be payable at the daily rate until—
(i)
the date on which the notified requirement is complied with,
(ii)
if the penalty is imposed in respect of a failure to comply with more than one notified requirement, the date on which the last of those requirements is complied with, or
(iii)
an earlier date specified in the confirmation decision.
(9)
In this section—
“compliance date”, in relation to a notified requirement, means—
(a)
in a case where the confirmation decision requires steps to be taken immediately to comply with that requirement (see section 133(5)), the date of the confirmation decision;
(b)
in any other case, the last day of the period specified in the confirmation decision in accordance with section 133(4)(f) for compliance with that requirement;
“notified requirement” has the meaning given by section 132.
138Confirmation decisions: offences
(1)
A person to whom a confirmation decision is given commits an offence if, without reasonable excuse, the person fails to comply with a requirement imposed by the decision which—
(a)
is of a kind described in section 133(1), and
(b)
is imposed (whether or not exclusively) in relation to a failure to comply with a children’s online safety duty.
(2)
A “children’s online safety duty” means a duty set out in—
(a)
section 12(3)(a),
(b)
section 12(3)(b),
(c)
section 81(2), or
(d)
section 81(4).
(3)
A person to whom a confirmation decision is given commits an offence if, without reasonable excuse, the person fails to comply with a CSEA requirement imposed by the decision (see section 133(6) and (7)).
(4)
A person who commits an offence under this section is liable—
(a)
on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)
on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);
(c)
on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(d)
on conviction on indictment, to imprisonment for a term not exceeding 2 years or a fine (or both).
Penalty notices etc
139Penalty for failure to comply with confirmation decision
(1)
This section applies if—
(a)
OFCOM have given a confirmation decision to a person,
(b)
the decision includes requirements of a kind described in section 133(1) (requirements to take steps),
(c)
OFCOM are satisfied that the person has failed to comply with one or more of those requirements, and
(d)
OFCOM have not imposed a daily rate penalty under section 137(1)(b) in respect of that failure.
(2)
OFCOM may give the person a penalty notice under this section in respect of the failure to comply with the confirmation decision, requiring the person to pay to OFCOM a penalty of a single amount in sterling determined by OFCOM.
(3)
But OFCOM may give such a notice to the person only after—
(a)
notifying the person that they propose to give a penalty notice under this section, specifying the reasons for doing so and indicating the amount of the proposed penalty, and
(b)
giving the person an opportunity to make representations (with any supporting evidence).
(4)
A penalty notice under this section must—
(a)
give OFCOM’s reasons for their decision to impose the penalty,
(b)
state the amount of the penalty,
(c)
state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,
(d)
specify the period within which the penalty must be paid,
(e)
contain details of the rights of appeal under section 168, and
(f)
contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(5)
The period specified under subsection (4)(d) must be at least 28 days beginning with the day on which the penalty notice is given.
140Penalty for failure to comply with notice under section 121(1)
(1)
This section applies if—
(a)
OFCOM have given a notice under section 121(1) relating to a Part 3 service to the provider of that service (notices to deal with terrorism content and CSEA content), and
(b)
OFCOM are satisfied that the provider has failed, or is failing, to comply with the notice.
(2)
OFCOM may give the provider a notice under this subsection stating that they propose to impose a penalty on the provider in respect of that failure.
(3)
The provider may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice.
(4)
Subsection (5) applies if—
(a)
the period allowed for representations has expired, and
(b)
OFCOM are still satisfied as to the failure mentioned in subsection (1).
(5)
OFCOM may give the provider a penalty notice under this subsection requiring the provider to pay to OFCOM a penalty of an amount in sterling determined by OFCOM.
(6)
The penalty may consist of any of the following, depending on what was specified in the notice about the proposed penalty—
(a)
a single amount;
(b)
an amount calculated by reference to a daily rate;
(c)
a combination of a single amount and an amount calculated by reference to a daily rate.
(7)
See section 142 for information which must be included in notices under this section.
(8)
141Non-payment of fee
(1)
This section applies if—
(a)
the provider of a regulated service is liable to pay a fee to OFCOM under section 84 or Schedule 10 in respect of the current charging year (within the meaning of Part 6) or a previous charging year, and
(b)
in OFCOM’s opinion, the provider has not paid the full amount of the fee that the provider is liable to pay.
(2)
OFCOM may give the provider a notice under this subsection specifying—
(a)
the outstanding amount of the fee that OFCOM consider the provider is due to pay to them under section 84 or Schedule 10, and
(b)
the period within which the provider must pay it.
(3)
A notice under subsection (2)—
(a)
may be given in respect of liabilities that relate to different charging years;
(b)
may also state that OFCOM propose to impose a penalty on the provider.
(4)
The provider may make representations to OFCOM (with any supporting evidence) about the matters contained in the notice.
(5)
Subsection (6) applies if—
(a)
the notice under subsection (2) stated that OFCOM propose to impose a penalty,
(b)
the period allowed for representations has expired, and
(c)
OFCOM are satisfied that an amount of the fee is still due to them.
(6)
OFCOM may give the provider a penalty notice under this subsection requiring the provider to pay to OFCOM a penalty of an amount in sterling determined by OFCOM.
(7)
The penalty may consist of any of the following, depending on what was specified in the notice about the proposed penalty—
(a)
a single amount;
(b)
an amount calculated by reference to a daily rate;
(c)
a combination of a single amount and an amount calculated by reference to a daily rate.
(8)
A penalty notice under subsection (6) may require the payment of separate single amounts in respect of liabilities that relate to different charging years.
(9)
See section 142 for information which must be included in notices under this section.
(10)
Nothing in this section affects OFCOM’s power to bring proceedings (whether before or after the imposition of a penalty by a notice under subsection (6)) for the recovery of the whole or part of an amount due to OFCOM under section 84 or Schedule 10.
(11)
But OFCOM may not bring such proceedings unless a provider has first been given a notice under subsection (2) specifying the amount due to OFCOM.
142Information to be included in notices under sections 140 and 141
(1)
Subsection (2) applies in relation to—
(a)
a notice under section 140(2), and
(b)
a notice under section 141(2) stating that OFCOM propose to impose a penalty.
(2)
Such a notice must—
(a)
state the reasons why OFCOM propose to impose the penalty,
(b)
state whether OFCOM propose that the penalty should consist of a single amount, an amount calculated by reference to a daily rate, or a combination of the two,
(c)
indicate the amount of the proposed penalty, including (in relation to an amount calculated by reference to a daily rate) the daily rate and how the penalty would be calculated,
(d)
in relation to an amount calculated by reference to a daily rate, specify or describe the period for which OFCOM propose that the amount should be payable,
(e)
state the reasons for proposing a penalty of that amount, including any aggravating or mitigating factors that OFCOM propose to take into account, and
(f)
specify the period within which representations in relation to the proposed penalty may be made.
(3)
(a)
give OFCOM’s reasons for their decision to impose the penalty,
(b)
state whether the penalty consists of a single amount, an amount calculated by reference to a daily rate, or a combination of the two, and how it is calculated,
(c)
in relation to a single amount, state that amount,
(d)
in relation to an amount calculated by reference to a daily rate, state the daily rate,
(e)
state the reasons for the amount of the penalty, including any aggravating or mitigating factors that OFCOM have taken into account,
(f)
specify a reasonable period within which the penalty must be paid,
(g)
contain details of the rights of appeal under section 168, and
(h)
contain information about the consequences of not paying the penalty (including information about the further kinds of enforcement action that it would be open to OFCOM to take).
(4)
A penalty notice under section 141(6) must also specify the amount of the fee that is (in OFCOM’s opinion) due to be paid to OFCOM.
(5)
The period specified under subsection (3)(f) for the payment of a single amount must be at least 28 days beginning with the day on which the penalty notice is given.
(6)
(7)
Such a notice must—
(a)
state the date from which the amount begins to be payable, which must not be earlier than the day after the day on which the notice is given;
(b)
provide for the amount to continue to be payable at the daily rate until—
(i)
(in the case of a notice under section 140(5)) the date on which OFCOM are satisfied that the provider is complying with the notice under section 121(1), or (in the case of a notice under section 141(6)) the date on which the full amount of the fee (as specified in the penalty notice) has been paid to OFCOM, or
(ii)
an earlier date specified in the penalty notice.
Amount of penalties etc
143Amount of penalties etc
Schedule 13 contains provision about the amount of penalties that OFCOM may impose under this Chapter, and makes further provision about such penalties.
Business disruption measures
144Service restriction orders
(1)
OFCOM may apply to the court for an order under this section (a “service restriction order”) in relation to a regulated service where they consider that—
(a)
the grounds in subsection (3) apply in relation to the service, or
(b)
in the case of a Part 3 service, the grounds in subsection (4) apply in relation to the service.
(2)
A service restriction order is an order imposing requirements on one or more persons who provide an ancillary service (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (11)).
(3)
The grounds mentioned in subsection (1)(a) are that—
(a)
the provider of the regulated service has failed to comply with an enforceable requirement that applies in relation to the regulated service,
(b)
the failure is continuing, and
(c)
any of the following applies—
(i)
the provider has failed to comply with a requirement imposed by a confirmation decision that is of a kind described in section 133(1) relating to the failure;
(ii)
the provider has failed to pay a penalty imposed by a confirmation decision relating to the failure (and the confirmation decision did not impose any requirements of a kind described in section 133(1));
(iii)
the provider would be likely to fail to comply with requirements imposed by a confirmation decision if given;
(iv)
the circumstances of the failure or the risks of harm to individuals in the United Kingdom are such that it is appropriate to make the application without having given a provisional notice of contravention, without having given a confirmation decision, or (having given a confirmation decision imposing requirements) without waiting to ascertain compliance with those requirements.
(4)
The grounds mentioned in subsection (1)(b) are that—
(a)
the provider of the Part 3 service has failed to comply with a notice under section 121(1) that relates to the service (notices to deal with terrorism content and CSEA content), and
(b)
the failure is continuing.
(5)
An application by OFCOM for a service restriction order must—
(a)
specify the regulated service in relation to which the application is made (“the relevant service”),
(b)
specify the provider of that service (“the non-compliant provider”),
(c)
specify the grounds on which the application is based, and contain evidence about those grounds,
(d)
specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,
(e)
contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an ancillary service in relation to the relevant service, and specify any such ancillary service provided,
(f)
specify the requirements which OFCOM consider that the order should impose on such persons, and
(g)
in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.
(6)
The court may make a service restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—
(b)
that the person provides an ancillary service in relation to the relevant service,
(c)
that it is appropriate to make the order for the purpose of preventing harm to individuals in the United Kingdom, and the order is proportionate to the risk of such harm,
(d)
in the case of an application made on the ground in subsection (3)(c)(iii) or (iv), that it is appropriate to make the order before a provisional notice of contravention or confirmation decision has been given, or before compliance with requirements imposed by a confirmation decision has been ascertained (as the case may be), and
(e)
if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.
(7)
When considering whether to make a service restriction order in relation to the relevant service, and when considering what provision it should contain, the court must take into account (among other things) the rights and obligations of all relevant parties, including those of—
(a)
the non-compliant provider,
(b)
the person or persons on whom the court is considering imposing the requirements, and
(c)
United Kingdom users of the relevant service.
(8)
A service restriction order made in relation to the relevant service must—
(a)
identify the non-compliant provider,
(b)
identify the persons on whom the requirements are imposed, and any ancillary service to which the requirements relate,
(c)
require such persons to take the steps specified in the order, or to put in place arrangements, that have the effect of withdrawing the ancillary service to the extent that it relates to the relevant service (or part of it), or preventing the ancillary service from promoting or displaying content that relates to the relevant service (or part of it) in any way,
(d)
specify the date by which the requirements in the order must be complied with, and
(e)
specify the date on which the order expires, or the period for which the order has effect.
(9)
The steps that may be specified or arrangements that may be required to be put in place—
(a)
include steps or arrangements that will or may require the termination of an agreement (whether or not made before the coming into force of this section), or the prohibition of the performance of such an agreement, and
(b)
are limited, so far as that is possible, to steps or arrangements relating to the operation of the relevant service as it affects United Kingdom users.
(10)
OFCOM must inform the Secretary of State as soon as reasonably practicable after a service restriction order has been made.
(11)
For the purposes of this section, a service is an “ancillary service” in relation to a regulated service if the service facilitates the provision of the regulated service (or part of it), whether directly or indirectly, or displays or promotes content relating to the regulated service (or to part of it).
(12)
Examples of ancillary services include—
(a)
services, provided (directly or indirectly) in the course of a business, which enable funds to be transferred in relation to a regulated service,
(b)
search engines which generate search results displaying or promoting content relating to a regulated service,
(c)
user-to-user services which make content relating to a regulated service available to users, and
(d)
services which use technology to facilitate the display of advertising on a regulated service (for example, an ad server or an ad network).
(13)
In this section “the court” means—
(a)
in England and Wales, the High Court or the county court,
(b)
in Scotland, the Court of Session or a sheriff, and
(c)
in Northern Ireland, the High Court or a county court.
145Interim service restriction orders
(1)
OFCOM may apply to the court for an interim order under this section (an “interim service restriction order”) in relation to a regulated service where they consider that—
(a)
the grounds in subsection (3) apply in relation to the service, or
(b)
in the case of a Part 3 service, the grounds in subsection (4) apply in relation to the service.
(2)
An interim service restriction order is an interim order imposing requirements on one or more persons who provide an ancillary service (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (9)).
(3)
The grounds mentioned in subsection (1)(a) are that—
(a)
it is likely that the provider of the regulated service is failing to comply with an enforceable requirement that applies in relation to the regulated service, and
(b)
the level of risk of harm to individuals in the United Kingdom relating to the likely failure, and the nature and severity of that harm, are such that it would not be appropriate to wait to establish the failure before applying for the order.
(4)
The grounds mentioned in subsection (1)(b) are that—
(a)
it is likely that the provider of the Part 3 service is failing to comply with a notice under section 121(1) that relates to the service (notices to deal with terrorism content and CSEA content), and
(b)
the level of risk of harm to individuals in the United Kingdom relating to the likely failure, and the nature and severity of that harm, are such that it would not be appropriate to wait to establish the failure before applying for the order.
(5)
An application by OFCOM for an interim service restriction order must—
(a)
specify the regulated service in relation to which the application is made (“the relevant service”),
(b)
specify the provider of that service (“the non-compliant provider”),
(c)
specify the grounds on which the application is based, and contain evidence about those grounds,
(d)
specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,
(e)
contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an ancillary service in relation to the relevant service, and specify any such ancillary service provided,
(f)
specify the requirements which OFCOM consider that the order should impose on such persons, and
(g)
in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.
(6)
The court may make an interim service restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—
(b)
that the person provides an ancillary service in relation to the relevant service,
(c)
that there are prima facie grounds to suggest that an application for a service restriction order under section 144 would be successful,
(d)
that the level of risk of harm to individuals in the United Kingdom relating to the likely failure mentioned in subsection (3)(a) or (4)(a) (whichever applies), and the nature and severity of that harm, are such that it is not appropriate to wait for the failure to be established before making the order, and
(e)
if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.
(7)
An interim service restriction order ceases to have effect on the earlier of—
(a)
the date specified in the order, or the date on which the period specified in the order expires (as the case may be), and
(b)
the date on which the court makes a service restriction order under section 144 in relation to the relevant service that imposes requirements on the same persons on whom requirements are imposed by the interim order, or dismisses the application for such an order.
(8)
(9)
146Access restriction orders
(1)
OFCOM may apply to the court for an order under this section (an “access restriction order”) in relation to a regulated service where they consider that—
(b)
either—
(i)
a service restriction order under section 144 or an interim service restriction order under section 145 has been made in relation to the failure, and it was not sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure, or
(ii)
the likely consequences of the failure are such that if a service restriction order or an interim service restriction order were to be made, it would be unlikely to be sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure,
(2)
An access restriction order is an order imposing requirements on one or more persons who provide an access facility (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (10)).
(3)
An application by OFCOM for an access restriction order must—
(a)
specify the regulated service in relation to which the application is made (“the relevant service”),
(b)
specify the provider of that service (“the non-compliant provider”),
(c)
specify the grounds on which the application is based, and contain evidence about those grounds,
(d)
specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,
(e)
contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an access facility in relation to the relevant service, and specify any such access facility provided,
(f)
specify the requirements which OFCOM consider that the order should impose on such persons, and
(g)
in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.
(4)
The court may make an access restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—
(a)
as to the grounds in subsection (1),
(b)
that the person provides an access facility in relation to the relevant service,
(c)
that it is appropriate to make the order for the purpose of preventing significant harm to individuals in the United Kingdom, and the order is proportionate to the risk of such harm,
(d)
in the case of an application made on the ground in subsection (3)(c)(iii) or (iv) of section 144 (by virtue of subsection (1)(a)), that it is appropriate to make the order before a provisional notice of contravention or confirmation decision has been given, or before compliance with requirements imposed by a confirmation decision has been ascertained (as the case may be), and
(e)
if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.
(5)
When considering whether to make an access restriction order in relation to the relevant service, and when considering what provision it should contain, the court must take into account (among other things) the rights and obligations of all relevant parties, including those of—
(a)
the non-compliant provider,
(b)
the person or persons on whom the court is considering imposing the requirements, and
(c)
United Kingdom users of the relevant service.
(6)
An access restriction order made in relation to the relevant service must—
(a)
identify the non-compliant provider,
(b)
identify the persons on whom the requirements are imposed, and any access facility to which the requirements relate,
(c)
require such persons to take the steps specified in the order, or to put in place arrangements, to withdraw, adapt or manipulate the access facility in order to impede users’ access (by means of that facility) to the relevant service (or to part of it),
(d)
specify the date by which the requirements in the order must be complied with, and
(e)
specify the date on which the order expires, or the period for which the order has effect.
(7)
The steps that may be specified or arrangements that may be required to be put in place—
(a)
include steps or arrangements that will or may require the termination of an agreement (whether or not made before the coming into force of this section), or the prohibition of the performance of such an agreement,
(b)
are limited, so far as that is possible, to steps or arrangements that impede the access of United Kingdom users, and
(c)
are limited, so far as that is possible, to steps or arrangements that do not affect such users’ ability to access any other internet services.
(8)
OFCOM must inform the Secretary of State as soon as reasonably practicable after an access restriction order has been made.
(9)
Where a person who provides an access facility takes steps or puts in place arrangements required by an access restriction order, OFCOM may, by notice, require that person to (where possible) notify persons in the United Kingdom who attempt to access the relevant service via that facility of the access restriction order (and where a confirmation decision has been given to the non-compliant provider, the notification must refer to that decision).
(10)
For the purposes of this section, a facility is an “access facility” in relation to a regulated service if the person who provides the facility is able to withdraw, adapt or manipulate it in such a way as to impede access (by means of that facility) to the regulated service (or to part of it) by United Kingdom users of that service.
(11)
Examples of access facilities include—
(a)
internet access services by means of which a regulated service is made available, and
(b)
app stores through which a mobile app for a regulated service may be downloaded or otherwise accessed.
(12)
In this section—
“the court” means—
(a)
in England and Wales, the High Court or the county court,
(b)
in Scotland, the Court of Session or a sheriff, and
(c)
in Northern Ireland, the High Court or a county court;
“facility” means any kind of service, infrastructure or apparatus enabling users of a regulated service to access the regulated service;
“internet access service” means a service that provides access to virtually all (or just some) of the end points of the internet.
147Interim access restriction orders
(1)
OFCOM may apply to the court for an interim order under this section (an “interim access restriction order”) in relation to a regulated service where they consider that—
(b)
either—
(i)
a service restriction order under section 144 or an interim service restriction order under section 145 has been made in relation to the likely failure, and it was not sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure, or
(ii)
the likely consequences of such a failure would be such that if a service restriction order or an interim service restriction order were to be made, it would be unlikely to be sufficient to prevent significant harm arising to individuals in the United Kingdom as a result of the failure,
(2)
An interim access restriction order is an interim order imposing requirements on one or more persons who provide an access facility (whether from within or outside the United Kingdom) in relation to a regulated service (see subsection (8)).
(3)
An application by OFCOM for an interim access restriction order must—
(a)
specify the regulated service in relation to which the application is made (“the relevant service”),
(b)
specify the provider of that service (“the non-compliant provider”),
(c)
specify the grounds on which the application is based, and contain evidence about those grounds,
(d)
specify the persons on whom (in OFCOM’s opinion) the requirements of the order should be imposed,
(e)
contain evidence as to why OFCOM consider that the persons mentioned in paragraph (d) provide an access facility in relation to the relevant service, and specify any such access facility provided,
(f)
specify the requirements which OFCOM consider that the order should impose on such persons, and
(g)
in the case of an application made without notice having been given to the non-compliant provider, or to the persons mentioned in paragraph (d), state why no notice has been given.
(4)
The court may make an interim access restriction order imposing requirements on a person in relation to the relevant service if the court is satisfied—
(a)
(c)
that the person provides an access facility in relation to the relevant service,
(d)
that there are prima facie grounds to suggest that an application for an access restriction order under section 146 would be successful,
(e)
that the level of risk of harm to individuals in the United Kingdom relating to the likely failure, and the nature and severity of that harm, are such that it is not appropriate to wait for the failure to be established before making the order, and
(f)
if no notice of the application has been given to the non-compliant provider, or to the persons on whom requirements are being imposed, that it is appropriate to make the order without notice.
(5)
An interim access restriction order ceases to have effect on the earlier of—
(a)
the date specified in the order, or the date on which the period specified in the order expires (as the case may be), and
(b)
the date on which the court makes an access restriction order under section 146 in relation to the relevant service that imposes requirements on the same persons on whom requirements are imposed by the interim order, or dismisses an application for such an order.
(6)
(7)
Where a person who provides an access facility takes steps or puts in place arrangements required by an interim access restriction order, OFCOM may, by notice, require that person to (where possible) notify persons in the United Kingdom who attempt to access the relevant service via that facility of the interim access restriction order.
(8)
148Interaction with other action by OFCOM
(1)
Where OFCOM apply for a business disruption order in respect of a failure by a provider of a regulated service to comply with an enforceable requirement, nothing in sections 144 to 147 is to be taken to prevent OFCOM also giving the provider—
(a)
a confirmation decision in respect of the failure, or
(b)
a penalty notice under section 139 in relation to a confirmation decision in respect of the failure.
(2)
Where OFCOM apply for a business disruption order in respect of a failure by a provider of a Part 3 service to comply with a notice under section 121(1) (notices to deal with terrorism content and CSEA content), nothing in sections 144 to 147 is to be taken to prevent OFCOM also giving the provider either or both of the following—
(a)
a further notice under section 121(1) (see section 126);
(b)
a penalty notice under section 140(5).
(3)
In this section, a “business disruption order” means—
(a)
a service restriction order under section 144,
(b)
an interim service restriction order under section 145,
(c)
an access restriction order under section 146, or
(d)
an interim access restriction order under section 147.
Publication of enforcement action
149Publication by OFCOM of details of enforcement action
(1)
Subsections (2) and (3) apply where OFCOM have given a person (and not withdrawn) any of the following—
(a)
a confirmation decision;
(b)
a penalty notice under section 139;
(c)
a penalty notice under section 140(5);
(d)
a penalty notice under section 141(6).
(2)
OFCOM must publish details identifying the person and describing—
(a)
the failure (or failures) to which the decision or notice relates, and
(b)
OFCOM’s response.
(3)
But OFCOM may not publish anything that, in OFCOM’s opinion—
(b)
is otherwise not appropriate for publication.
(4)
A matter is confidential under this subsection if—
(a)
it relates specifically to the affairs of a particular body, and
(b)
publication of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that body.
(5)
A matter is confidential under this subsection if—
(a)
it relates to the private affairs of an individual, and
(b)
publication of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that individual.
(6)
Where OFCOM have given a person a provisional notice of contravention but have not given the person a confirmation decision, OFCOM may publish details identifying the person and describing the reasons for the provisional notice.
(7)
OFCOM must notify the person concerned that information has been published under this section.
150Publication by providers of details of enforcement action
(1)
This section applies where—
(a)
OFCOM have given a person (and not withdrawn) any of the following—
(i)
a confirmation decision;
(ii)
a penalty notice under section 139;
(iii)
a penalty notice under section 140(5);
(iv)
a penalty notice under section 141(6), and
(b)
the appeal period in relation to the decision or notice has ended.
(2)
OFCOM may give to the person a notice (a “publication notice”) requiring the person to—
(a)
publish details describing—
(i)
the failure (or failures) to which the decision or notice mentioned in subsection (1)(a) relates, and
(ii)
OFCOM’s response, or
(b)
otherwise notify users of the service to which the decision or notice mentioned in subsection (1)(a) relates of those details.
(3)
(4)
A publication notice must—
(a)
specify the decision or notice mentioned in subsection (1)(a) to which it relates,
(b)
specify or describe the details that must be published or notified,
(c)
specify the form and manner in which the details must be published or notified,
(d)
specify a date by which the details must be published or notified, and
(e)
contain information about the consequences of not complying with the notice.
(5)
Where a publication notice requires a person to publish details under subsection (2)(a) the notice may also specify a period during which publication in the specified form and manner must continue.
(6)
Where a publication notice requires a person to give notification of details under subsection (2)(b) the notice may only require that notification to be given to United Kingdom users of the service (see section 227).
(7)
A publication notice may not require a person to publish or give notification of anything that, in OFCOM’s opinion—
(b)
is otherwise not appropriate for publication or notification.
(8)
A matter is confidential under this subsection if—
(a)
it relates specifically to the affairs of a particular body, and
(b)
publication or notification of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that body.
(9)
A matter is confidential under this subsection if—
(a)
it relates to the private affairs of an individual, and
(b)
publication or notification of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that individual.
(10)
A person to whom a publication notice is given has a duty to comply with it.
(11)
The duty under subsection (10) is enforceable in civil proceedings by OFCOM—
(a)
for an injunction,
(b)
for specific performance of a statutory duty under section 45 of the Court of Session Act 1988, or
(c)
for any other appropriate remedy or relief.
(12)
For the purposes of subsection (1)(b) “the appeal period”, in relation to a decision or notice mentioned in subsection (1)(a), means—
(a)
the period during which any appeal relating to the decision or notice may be made, or
(b)
where such an appeal has been made, the period ending with the determination or withdrawal of that appeal.
Guidance
151OFCOM’s guidance about enforcement action
(1)
OFCOM must produce guidance for providers of regulated services about how OFCOM propose to exercise their functions under this Chapter.
(2)
The guidance must, in particular, give information about the factors that OFCOM would consider it appropriate to take into account when taking, or considering taking, enforcement action relating to a person’s failure to comply with different kinds of enforceable requirements.
(3)
In relation to any enforcement action by OFCOM which relates to a failure by a provider of a regulated service to comply with a relevant duty, the guidance must include provision explaining how OFCOM will take into account the impact (or possible impact) of such a failure on children.
(4)
Before producing the guidance (including revised or replacement guidance), OFCOM must consult—
(a)
the Secretary of State,
(b)
the Information Commissioner, and
(c)
such other persons as OFCOM consider appropriate.
(5)
OFCOM must publish the guidance (and any revised or replacement guidance).
(6)
Guidelines prepared by OFCOM under section 392 of the Communications Act (amount of penalties) may, so far as relating to penalties imposed under this Chapter, be included in the same document as guidance under this section.
(7)
In exercising their functions under this Chapter, or deciding whether to exercise them, OFCOM must have regard to the guidance for the time being published under this section.
(8)
In this section, a “relevant duty” means—
(a)
a duty set out in section 10 or 27 (illegal content),
(b)
a duty set out in section 12 or 29 (children’s online safety), or
(c)
a duty set out in section 81(2) (children’s access to provider pornographic content).
CHAPTER 7Committees, research and reports
152Advisory committee on disinformation and misinformation
(1)
OFCOM must, in accordance with the following provisions of this section, exercise their powers under paragraph 14 of the Schedule to the Office of Communications Act 2002 (committees of OFCOM) to establish and maintain a committee to provide the advice specified in this section.
(2)
The committee is to consist of—
(a)
a chairman appointed by OFCOM, and
(b)
such number of other members appointed by OFCOM as OFCOM consider appropriate.
(3)
In appointing persons to be members of the committee, OFCOM must have regard to the desirability of ensuring that the members of the committee include—
(a)
persons representing the interests of United Kingdom users of regulated services,
(b)
persons representing providers of regulated services, and
(c)
persons with expertise in the prevention and handling of disinformation and misinformation online.
(4)
The function of the committee is to provide advice to OFCOM (including other committees established by OFCOM) about—
(a)
how providers of regulated services should deal with disinformation and misinformation on such services,
(b)
OFCOM’s exercise of the power conferred by section 77 to require information about a matter listed in Part 1 or 2 of Schedule 8, so far as relating to disinformation and misinformation, and
(c)
OFCOM’s exercise of their functions under section 11 of the Communications Act (duties to promote media literacy) in relation to countering disinformation and misinformation on regulated services.
(5)
The committee must publish a report within the period of 18 months after being established, and after that must publish periodic reports.
153Functions of the Content Board
(1)
Section 13 of the Communications Act (functions of the Content Board) is amended as follows.
(2)
At the beginning of subsection (2), insert “Subject to subsection (3A),”
.
(3)
“(3A)
OFCOM may, but need not, confer on the Content Board functions in relation to matters that concern the nature or kind of online content in relation to which OFCOM have functions under the Online Safety Act 2023 (see Parts 3 and 5 of that Act).”
(4)
“(8)
In this section references to “matters mentioned in subsection (2)” do not include references to the matters mentioned in subsection (3A).”
154Research about users’ experiences of regulated services
(1)
Section 14 of the Communications Act (consumer research) is amended as follows.
(2)
“(6B)
OFCOM must make arrangements for ascertaining—
(a)
the state of public opinion from time to time concerning providers of regulated services and their manner of operating their services;
(b)
the experiences of United Kingdom users of regulated services in relation to their use of such services;
(c)
the experiences of United Kingdom users of regulated user-to-user services and regulated search services in relation to the handling of complaints made by them to providers of such services; and
(d)
the interests and experiences of United Kingdom users of regulated services in relation to matters that are incidental to or otherwise connected with their experiences of using such services.
(6C)
OFCOM’s report under paragraph 12 of the Schedule to the Office of Communications Act 2002 for each financial year must contain a statement by OFCOM about the research that has been carried out in that year under subsection (6B).”
(3)
“(8A)
In subsection (6B) the following terms have the same meaning as in the Online Safety Act 2023—
“provider” (see section 226 of that Act);
“regulated service”, “regulated user-to-user service” and “regulated search service” (see section 4 of that Act);
“United Kingdom user” (see section 227 of that Act).”
155Consumer consultation
(1)
Section 16 of the Communications Act (consumer consultation) is amended as follows.
(2)
“(da)
regulated services;”.
(3)
“(5A)
As regards OFCOM’s functions under the Online Safety Act 2023 in relation to regulated services—
(a)
the reference in subsection (5) to “the contents” of a thing includes a reference to specific pieces of online content, but
(b)
subsection (5) is not to be read as preventing the Consumer Panel from being able to give advice about any matter that more generally concerns—
(i)
different kinds of online content in relation to which OFCOM have functions under that Act (see Parts 3 and 5 of that Act), and
(ii)
the impact that different kinds of such content may have on United Kingdom users of regulated services.”
(4)
“(12A)
OFCOM’s report under paragraph 12 of the Schedule to the Office of Communications Act 2002 for each financial year must contain a statement by OFCOM about the arrangements for consultation that have been made in that year under this section, so far as the arrangements relate to regulated services.”
(5)
In subsection (13), in the definition of “domestic and small business consumer”, in paragraph (b)(i), after “available” insert “or a provider of a regulated service”
.
(6)
“(14)
In this section the following terms have the same meaning as in the Online Safety Act 2023—
“provider”, in relation to a regulated service (see section 226 of that Act);
“regulated service” (see section 4 of that Act);
“United Kingdom user” (see section 227 of that Act).”
156OFCOM’s statement about freedom of expression and privacy
OFCOM’s report under paragraph 12 of the Schedule to the Office of Communications Act 2002 for each financial year must contain a statement by OFCOM about the steps they have taken, and the processes they operate, to ensure that their online safety functions have been exercised in that year compatibly with Articles 8 and 10 of the Convention (so far as relevant).
157OFCOM’s reports about use of age assurance
(1)
OFCOM must produce and publish a report assessing—
(a)
how providers of regulated services have used age assurance for the purpose of compliance with their duties set out in this Act,
(b)
how effective the use of age assurance has been for that purpose, and
(c)
whether there are factors that have prevented or hindered the effective use of age assurance, or a particular kind of age assurance, for that purpose,
(and in this section, references to a report are to a report described in this subsection).
(2)
A report must, in particular, consider whether the following have prevented or hindered the effective use of age assurance—
(a)
the costs to providers of using it, and
(b)
the need to protect users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a regulated service (including, but not limited to, any such provision or rule concerning the processing of personal data).
(3)
Unless the Secretary of State requires the production of a further report (see subsection (6)), the requirement in subsection (1) is met by producing and publishing one report within the period of 18 months beginning with the day on which sections 12 and 81(2) come into force (or if those provisions come into force on different days, the period of 18 months beginning with the later of those days).
(4)
In preparing a report, OFCOM must consult—
(a)
the Information Commissioner, and
(b)
such other persons as OFCOM consider appropriate.
(5)
OFCOM must send a copy of a report to the Secretary of State, and the Secretary of State must lay it before Parliament.
(6)
The Secretary of State may require OFCOM to produce and publish a further report in response to—
(a)
the development of age assurance technology, or
(b)
evidence of the reduced effectiveness of such technology.
(7)
But such a requirement may not be imposed—
(a)
within the period of three years beginning with the date on which the first report is published, or
(b)
more frequently than once every three years.
(8)
For further provision about reports under this section, see section 164.
(9)
In this section “age assurance” means age verification or age estimation.
158OFCOM’s reports about news publisher content and journalistic content
(1)
OFCOM must produce and publish a report assessing the impact of the regulatory framework provided for in this Act on the availability and treatment of news publisher content and journalistic content on Category 1 services (and in this section, references to a report are to a report described in this subsection).
(2)
Unless the Secretary of State requires the production of a further report (see subsection (6)), the requirement in subsection (1) is met by producing and publishing one report within the period of two years beginning with the day on which sections 18 and 19 come into force (or if those sections come into force on different days, the period of two years beginning with the later of those days).
(3)
A report must, in particular, consider how effective the duties to protect such content set out in sections 18 and 19 are at protecting it.
(4)
In preparing a report, OFCOM must consult—
(a)
persons who represent recognised news publishers,
(b)
persons who appear to OFCOM to represent creators of journalistic content,
(c)
persons who appear to OFCOM to represent providers of Category 1 services, and
(d)
such other persons as OFCOM consider appropriate.
(5)
OFCOM must send a copy of a report to the Secretary of State, and the Secretary of State must lay it before Parliament.
(6)
The Secretary of State may require OFCOM to produce and publish a further report if the Secretary of State considers that the regulatory framework provided for in this Act is, or may be, having a detrimental effect on the availability and treatment of news publisher content or journalistic content on Category 1 services.
(7)
But such a requirement may not be imposed—
(a)
within the period of three years beginning with the date on which the first report is published, or
(b)
more frequently than once every three years.
(8)
For further provision about reports under this section, see section 164.
(9)
In this section—
“journalistic content” has the meaning given by section 19;
“news publisher content” has the meaning given by section 55;
“recognised news publisher” has the meaning given by section 56.
(10)
For the meaning of “Category 1 service”, see section 95 (register of categories of services).
159OFCOM’s transparency reports
(1)
OFCOM must produce transparency reports based on information contained in the transparency reports produced by providers of Part 3 services under section 77.
(2)
OFCOM’s transparency reports must contain—
(a)
a summary of conclusions drawn from the transparency reports produced under section 77 regarding patterns or trends which OFCOM have identified in such reports,
(b)
a summary of measures mentioned in such transparency reports which OFCOM consider to be good industry practice, and
(c)
any other information from such transparency reports which OFCOM consider it appropriate to include.
(3)
OFCOM’s first transparency report must be published by the end of the period of one year beginning with—
(a)
the day on which the first report under section 77 is published by a provider of a Part 3 service (see subsection (3)(d) of that section), or
(b)
if later, the earliest date specified by OFCOM for submission of a report under section 77 in a notice given to a provider (see subsection (3)(c) of that section).
(4)
OFCOM must publish a transparency report at least once a year after the publication of their first transparency report.
(5)
For further provision about reports under this section, see section 164.
160OFCOM’s report about reporting and complaints procedures
(1)
OFCOM must produce a report assessing the measures taken or in use by providers of Part 3 services to enable users and others to—
(a)
report particular kinds of content present on such services, and
(b)
make complaints to providers of such services.
(2)
OFCOM’s report must take into account the experiences of users and others in reporting content and making complaints to providers of Part 3 services, including—
(a)
how clear the procedures are for reporting content and making complaints,
(b)
how easy it is to do those things, and
(c)
whether providers are taking appropriate and timely action in response to reports and complaints that are made.
(3)
The report must include advice from OFCOM about whether they consider that the Secretary of State should make regulations under section 217 (duty about alternative dispute resolution procedure).
(4)
In the report, OFCOM may make recommendations that they consider would improve the experiences of users and others in reporting content or making complaints to providers of Part 3 services, or would deliver better outcomes in relation to reports or complaints that are made.
(5)
In preparing the report under this section, OFCOM must consult—
(a)
the Secretary of State,
(b)
persons who appear to OFCOM to represent the interests of United Kingdom users of Part 3 services,
(c)
persons who appear to OFCOM to represent the interests of children (generally or with particular reference to online safety matters),
(d)
the Information Commissioner, and
(e)
such other persons as OFCOM consider appropriate.
(6)
The report may draw on OFCOM’s research under section 14 of the Communications Act (see subsection (6B) of that section).
(7)
The report is not required to address any matters which are the subject of a report by OFCOM under section 158 (report about the availability and treatment of news publisher content and journalistic content).
(8)
OFCOM must publish the report within the period of two years beginning with the day on which this section comes into force.
(9)
OFCOM must send a copy of the report to the Secretary of State, and the Secretary of State must lay it before Parliament.
(10)
The Secretary of State must publish a statement responding to the report within the period of three months beginning with the day on which the report is published, and the statement must include a response to OFCOM’s advice about whether to make regulations under section 217.
(11)
The statement must be published in such manner as the Secretary of State considers appropriate for bringing it to the attention of persons who may be affected by it.
(12)
For further provision about the report under this section, see section 164.
(13)
References in this section to “users and others” are to United Kingdom users and individuals in the United Kingdom.
161OFCOM’s report about use of app stores by children
(1)
OFCOM must produce a report about the use of app stores by children.
(2)
In particular, the report must—
(a)
assess what role app stores play in children encountering content that is harmful to children, search content that is harmful to children or regulated provider pornographic content by means of regulated apps which the app stores make available,
(b)
assess the extent to which age assurance is currently used by providers of app stores, and how effective it is, and
(c)
explore whether children’s online safety would be better protected by the greater use of age assurance or particular kinds of age assurance by such providers, or by other measures.
(3)
OFCOM must publish the report during the period beginning two years, and ending three years, after the day on which sections 12 and 29 come into force (or if those sections come into force on different days, the later of those days).
(4)
For further provision about the report under this section, see section 164.
(5)
In this section—
“age assurance” means age verification or age estimation;
“app” includes an app for use on any kind of device, and “app store” is to be read accordingly;
“content that is harmful to children” has the same meaning as in Part 3 (see section 60);
“regulated app” means an app for a regulated service;
“regulated provider pornographic content” has the same meaning as in Part 5 (see section 79);
“search content” has the same meaning as in Part 3 (see section 57).
(6)
In this section references to children are to children in the United Kingdom.
162OFCOM’s report about researchers’ access to information
(1)
OFCOM must produce a report—
(a)
describing how, and to what extent, persons carrying out independent research into online safety matters are currently able to obtain information from providers of regulated services to inform their research,
(b)
exploring the legal and other issues which currently constrain the sharing of information for such purposes, and
(c)
assessing the extent to which greater access to information for such purposes might be achieved.
(2)
For the purposes of this section a person carries out “independent research” if the person carries out research on behalf of a person other than a provider of a regulated service.
(3)
In preparing the report, OFCOM must consult—
(a)
the Information Commissioner,
(b)
the Centre for Data Ethics and Innovation,
(c)
United Kingdom Research and Innovation,
(d)
persons who appear to OFCOM to represent providers of regulated services, and
(e)
such other persons as OFCOM consider appropriate.
(4)
OFCOM must publish the report within the period of 18 months beginning with the day on which this section comes into force.
(5)
OFCOM must send a copy of the report to the Secretary of State, and the Secretary of State must lay it before Parliament.
(6)
For further provision about the report under this section, see section 164.
(7)
OFCOM must produce guidance about the matters dealt with by the report for providers of regulated services and persons carrying out independent research into online safety matters.
(8)
Before producing the guidance (including revised guidance) OFCOM must consult the persons mentioned in subsection (3).
(9)
OFCOM must publish the guidance (and any revised guidance).
(10)
OFCOM must include in each transparency report under section 159 an assessment of the effectiveness of the guidance.
163OFCOM’s report in connection with investigation into a death
(1)
Subsection (2) applies if OFCOM receive—
(a)
a notice from a senior coroner under paragraph 1(2) of Schedule 5 to the Coroners and Justice Act 2009 in connection with an investigation into the death of a person;
(b)
a request for information in connection with the investigation of a procurator fiscal into, or an inquiry held or to be held in relation to, the death of a person;
(c)
a notice from a coroner under section 17A(2) of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.)) in connection with—
(i)
an investigation to determine whether an inquest into the death of a person is necessary, or
(ii)
an inquest in relation to the death of a person.
(2)
OFCOM may produce a report for use by the coroner or procurator fiscal, dealing with any matters that they consider may be relevant.
(3)
In subsection (1)(b) “inquiry” means an inquiry held, or to be held, under the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (asp 2).
164OFCOM’s reports
(1)
OFCOM may from time to time produce and publish reports about online safety matters.
(2)
(3)
A matter is confidential under this subsection if—
(a)
it relates specifically to the affairs of a particular body, and
(b)
publication of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that body.
(4)
A matter is confidential under this subsection if—
(a)
it relates to the private affairs of an individual, and
(b)
publication of that matter would or might, in OFCOM’s opinion, seriously and prejudicially affect the interests of that individual.
(5)
The reports referred to in subsection (2) are—
(a)
a report under section 128 (report in connection with notices to deal with terrorism content and CSEA content),
(b)
a report under section 157 (report about use of age assurance),
(c)
a report under section 158 (report about news publisher content and journalistic content),
(d)
a report under section 159 (transparency report),
(e)
a report under section 160 (report about reporting and complaints procedures),
(f)
a report under section 161 (report about use of app stores by children),
(g)
a report under section 162 (report about researchers’ access to information), and
(h)
a report produced under this section.
(6)
See also section 116(3) (restriction on publishing intelligence service information).
CHAPTER 8Media literacy
165Media literacy
(1)
(2)
“A1
In this section—
(a)
subsection (1) imposes duties on OFCOM which apply in relation to material published by means of the electronic media (including by means of regulated services), and
(b)
subsections (1A) to (1E) expand on those duties, and impose further duties on OFCOM, in relation to regulated services only.”
(3)
“(1A)
OFCOM must take such steps, and enter into such arrangements, as they consider most likely to be effective in heightening the public’s awareness and understanding of ways in which they can protect themselves and others when using regulated services, in particular by helping them to—
(a)
understand the nature and impact of harmful content and the harmful ways in which regulated services may be used, especially content and activity disproportionately affecting particular groups, including women and girls;
(b)
reduce their and others’ exposure to harmful content and to the use of regulated services in harmful ways, especially content and activity disproportionately affecting particular groups, including women and girls;
(c)
use or apply—
(i)
features included in a regulated service, including features mentioned in section 15(2) of the Online Safety Act 2023, and
(ii)
tools or apps, including tools such as browser extensions,
so as to mitigate the harms mentioned in paragraph (b);
(d)
establish the reliability, accuracy and authenticity of content;
(e)
understand the nature and impact of disinformation and misinformation, and reduce their and others’ exposure to it;
(f)
understand how their personal information may be protected.
(1B)
OFCOM must take such steps, and enter into such arrangements, as they consider most likely to encourage the development and use of technologies and systems for supporting users of regulated services to protect themselves and others as mentioned in paragraph (a), (b), (c), (d) or (e) of subsection (1A), including technologies and systems which—
(a)
provide further context to users about content they encounter;
(b)
help users to identify, and provide further context about, content of democratic importance present on regulated user-to-user services;
(c)
signpost users to resources, tools or information raising awareness about how to use regulated services so as to mitigate the harms mentioned in subsection (1A)(b).
(1C)
OFCOM’s duty under subsection (1A) is to be performed in the following ways (among others)—
(a)
pursuing activities and initiatives,
(b)
commissioning others to pursue activities and initiatives,
(c)
taking steps designed to encourage others to pursue activities and initiatives, and
(d)
making arrangements for the carrying out of research (see section 14(6)(a)).
(1D)
OFCOM must draw up, and from time to time review and revise, a statement recommending ways in which others, including providers of regulated services, might develop, pursue and evaluate activities or initiatives relevant to media literacy in relation to regulated services.
(1E)
OFCOM must publish the statement and any revised statement in such manner as they consider appropriate for bringing it to the attention of the persons who, in their opinion, are likely to be affected by it.”
(4)
“(3)
In this section and in section 11A, “regulated service” means—
(a)
a regulated user-to-user service, or
(b)
a regulated search service.
“Regulated user-to-user service” and “regulated search service” have the same meaning as in the Online Safety Act 2023 (see section 4 of that Act).
(4)
In this section—
(a)
“content”, in relation to regulated services, means regulated user-generated content, search content or fraudulent advertisements;
(b)
the following terms have the same meaning as in the Online Safety Act 2023—
“content of democratic importance” (see section 17 of that Act);
“fraudulent advertisement” (see sections 38 and 39 of that Act);
“harm” (see section 234 of that Act) (and “harmful” is to be interpreted consistently with that section);
“provider” (see section 226 of that Act);
“regulated user-generated content” (see section 55 of that Act);
“search content” (see section 57 of that Act).”
(5)
In the heading, for “Duty” substitute “Duties”
.
(6)
In section 14 of the Communications Act (consumer research), in subsection (6)(a), after “11(1)” insert “, (1A) and (1B)”
.
166Media literacy strategy and media literacy statement
“11ARegulated services: media literacy strategy and media literacy statement
(1)
OFCOM must prepare and publish a media literacy strategy within the period of one year beginning with the day on which the Online Safety Act 2023 is passed.
(2)
A media literacy strategy is a plan setting out how OFCOM propose to exercise their functions under section 11 in the period covered by the plan, which must be not more than three years.
(3)
In particular, a media literacy strategy must state OFCOM’s objectives and priorities for the period it covers.
(4)
Before the end of the period covered by a media literacy strategy, OFCOM must prepare and publish a media literacy strategy for a further period, ensuring that each successive strategy covers a period beginning immediately after the end of the last one.
(5)
In preparing or revising a media literacy strategy, OFCOM must consult such persons as they consider appropriate.
(6)
OFCOM’s annual report must contain a media literacy statement.
(7)
A media literacy statement is a statement by OFCOM—
(a)
summarising what they have done in the financial year to which the report relates in the exercise of their functions under section 11, and
(b)
assessing what progress has been made towards achieving the objectives and priorities set out in their media literacy strategy in that year.
(8)
A media literacy statement must include a summary and an evaluation of the activities and initiatives pursued or commissioned by OFCOM in the exercise of their functions under section 11 in the financial year to which the report relates.
(9)
The first annual report that is required to contain a media literacy statement is the report for the financial year during which OFCOM’s first media literacy strategy is published, and that first statement is to relate to the period from publication day until the end of that financial year.
(10)
But if OFCOM’s first media literacy strategy is published during the second half of a financial year—
(a)
the first annual report that is required to contain a media literacy statement is the report for the next financial year, and
(b)
that first statement is to relate to the period from publication day until the end of that financial year.
(11)
References in this section to OFCOM’s functions under section 11 are to those functions so far as they relate to regulated services.
(12)
In this section—
“annual report” means OFCOM’s annual report under paragraph 12 of the Schedule to the Office of Communications Act 2002;
“financial year” means a year ending with 31 March.”
PART 8Appeals and super-complaints
CHAPTER 1Appeals
167Appeals against OFCOM decisions relating to the register under section 95
(1)
This section applies to the following decisions of OFCOM—
(a)
a decision to include a regulated user-to-user service in the part of the register referred to in section 95(2)(a) (Category 1 services);
(b)
a decision not to remove a regulated user-to-user service from that part of the register;
(c)
a decision to include a regulated search service or a combined service in the part of the register referred to in section 95(2)(b) (Category 2A services);
(d)
a decision not to remove a regulated search service or a combined service from that part of the register;
(e)
a decision to include a regulated user-to-user service in the part of the register referred to in section 95(2)(c) (Category 2B services);
(f)
a decision not to remove a regulated user-to-user service from that part of the register.
(2)
The provider of the service to which the decision relates may appeal to the Upper Tribunal against the decision.
(3)
(4)
“Special requirement” means—
(a)
in the case of an appeal against a decision mentioned in subsection (1)(a)—
(i)
any duty or requirement of this Act that applies in relation to Category 1 services but not in relation to any other regulated services, or
(ii)
any duty or requirement of this Act that applies in relation to Category 1 services, Category 2A services and Category 2B services but not in relation to any other regulated services;
(b)
in the case of an appeal against a decision mentioned in subsection (1)(c)—
(i)
any duty or requirement of this Act that applies in relation to Category 2A services but not in relation to any other regulated services, or
(ii)
any duty or requirement of this Act that applies in relation to Category 1 services, Category 2A services and Category 2B services but not in relation to any other regulated services;
(c)
in the case of an appeal against a decision mentioned in subsection (1)(e), any duty or requirement of this Act that applies in relation to Category 1 services, Category 2A services and Category 2B services but not in relation to any other regulated services.
(5)
The Upper Tribunal must decide the appeal by applying the same principles as would be applied—
(a)
by the High Court on an application for judicial review, or
(b)
in Scotland, on an application to the supervisory jurisdiction of the Court of Session.
(6)
On an appeal under this section, the Upper Tribunal may—
(a)
dismiss the appeal, or
(b)
quash the decision being challenged.
(7)
Where a decision is quashed, the Upper Tribunal must remit the decision to OFCOM for reconsideration with such directions (if any) as the Tribunal considers appropriate.
168Appeals against OFCOM notices
(1)
An appeal to the Upper Tribunal against OFCOM’s decision to give to a person—
(a)
a notice under section 121(1) (notices to deal with terrorism content and CSEA content),
(b)
a confirmation decision, or
(c)
a penalty notice,
may be brought by any person with a sufficient interest in the decision.
(2)
An appeal under subsection (1) by a person other than the person given the notice or decision in question may be brought only with the permission (or leave) of the Upper Tribunal.
(3)
The Upper Tribunal must decide the appeal by applying the same principles as would be applied—
(a)
by the High Court on an application for judicial review, or
(b)
in Scotland, on an application to the supervisory jurisdiction of the Court of Session.
(4)
On an appeal under this section, the Upper Tribunal may—
(a)
dismiss the appeal, or
(b)
quash the decision being challenged.
(5)
Where a decision is quashed, the Upper Tribunal must remit the decision to OFCOM for reconsideration with such directions (if any) as the Tribunal considers appropriate.
(6)
CHAPTER 2Super-complaints
169Power to make super-complaints
(1)
An eligible entity may make a complaint to OFCOM that any feature of one or more regulated services, or any conduct of one or more providers of such services, or any combination of such features and such conduct is, appears to be, or presents a material risk of—
(a)
causing significant harm to users of the services or members of the public, or a particular group of such users or members of the public;
(b)
significantly adversely affecting the right to freedom of expression within the law of users of the services or members of the public, or of a particular group of such users or members of the public; or
(c)
otherwise having a significant adverse impact on users of the services or members of the public, or on a particular group of such users or members of the public.
(2)
But a complaint under subsection (1) that relates to a single regulated service or that relates to a single provider of one or more regulated services is only admissible if OFCOM consider that—
(a)
the complaint is of particular importance, or
(b)
the complaint relates to the impacts on a particularly large number of users of the service or members of the public.
(3)
An entity is an “eligible entity” if the entity meets criteria specified in regulations made by the Secretary of State.
(4)
Regulations under subsection (3) must specify as one of the criteria that the entity must be a body representing the interests of users of regulated services, or members of the public, or a particular group of such users or members of the public.
(5)
Before making regulations under subsection (3), the Secretary of State must consult—
(a)
OFCOM, and
(b)
such other persons as the Secretary of State considers appropriate.
(6)
In this section—
“conduct” includes acts and omissions;
“users” means United Kingdom users (see section 227), except in subsection (1)(a) where “users” means individuals in the United Kingdom who are users of a service.
170Procedure for super-complaints
(1)
The Secretary of State must make regulations containing provision about procedural matters relating to complaints under section 169.
(2)
Such regulations may, in particular, include provision about the following matters—
(a)
notification to OFCOM of an intention to make a complaint under section 169;
(b)
the form and manner of such a complaint, including requirements for supporting evidence in relation to—
(ii)
criteria specified in regulations under subsection (3) of that section;
(c)
steps that OFCOM must take in relation to such a complaint, including requirements for publication of responses;
(d)
time limits for taking steps in relation to such a complaint (or provision about how such time limits are to be determined) including time limits in relation to the determination of—
(i)
whether a complaint is a complaint that is within section 169(1),
(ii)
where applicable, whether a complaint is admissible under section 169(2), and
(iii)
whether an entity is an eligible entity (see section 169(3)).
(3)
Before making regulations under subsection (1), the Secretary of State must consult—
(a)
OFCOM, and
(b)
such other persons as the Secretary of State considers appropriate.
171OFCOM’s guidance about super-complaints
(1)
OFCOM must produce guidance about complaints under section 169, which must include guidance about—
(a)
the criteria specified in regulations under section 169(3),
(b)
procedural matters relating to such complaints, and
(c)
any other aspect of such complaints that OFCOM consider it appropriate to include.
(2)
OFCOM must publish the guidance (and any revised or replacement guidance).
PART 9Secretary of State's functions in relation to regulated services
Strategic priorities
172Statement of strategic priorities
(1)
The Secretary of State may designate a statement for the purposes of this section if the requirements set out in section 173 (consultation and parliamentary procedure) are satisfied.
(2)
The statement is a statement prepared by the Secretary of State that sets out strategic priorities of His Majesty’s Government in the United Kingdom relating to online safety matters.
(3)
The statement may, among other things, set out particular outcomes identified with a view to achieving the strategic priorities.
(4)
This section does not restrict the Secretary of State’s powers under any other provision of this Act or any other enactment.
(5)
A statement designated under subsection (1) must be published in such manner as the Secretary of State considers appropriate.
(6)
A statement designated under subsection (1) may be amended (including by replacing the whole or a part of the statement with new material) by a subsequent statement designated under that subsection, and this section and sections 92 and 173 apply in relation to any such subsequent statement as they apply in relation to the original statement.
(7)
(8)
An earlier amendment may be made under subsection (6) if—
(a)
since that day—
(i)
a Parliamentary general election has taken place, or
(ii)
there has been a significant change in the policy of His Majesty’s Government affecting online safety matters, or
(b)
the Secretary of State considers that the statement, or any part of it, conflicts with any of OFCOM’s general duties (within the meaning of section 3 of the Communications Act).
173Consultation and parliamentary procedure
(1)
This section sets out the requirements that must be satisfied in relation to a statement before the Secretary of State may designate it under section 172.
(2)
The Secretary of State must consult—
(a)
OFCOM, and
(b)
such other persons as the Secretary of State considers appropriate,
on a draft of the statement.
(3)
The Secretary of State must allow OFCOM a period of at least 40 days to respond to any consultation under subsection (2)(a).
(4)
After that period has ended the Secretary of State—
(a)
must make any changes to the draft that appear to the Secretary of State to be necessary in view of responses to the consultation, and
(b)
must then lay the draft before Parliament.
(5)
The Secretary of State must then wait until the end of the 40-day period and may not designate the statement if, within that period, either House of Parliament resolves not to approve it.
(6)
“The 40-day period” is the period of 40 days beginning with the day on which the draft is laid before Parliament (or, if it is not laid before each House on the same day, the later of the days on which it is laid).
(7)
In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.
Directions to OFCOM
174Directions about advisory committees
(1)
The Secretary of State may give OFCOM a direction requiring OFCOM to establish a committee to provide them with advice about online safety matters of a kind specified in the direction.
(2)
The Secretary of State must consult OFCOM before giving or varying such a direction.
(3)
A committee required to be established by a direction is to consist of the following members, unless the direction specifies otherwise—
(a)
a chairman appointed by OFCOM, and
(b)
such number of other members appointed by OFCOM as OFCOM consider appropriate.
(4)
A committee required to be established by a direction must, unless the direction specifies otherwise, publish a report within the period of 18 months after being established, and after that must publish periodic reports.
(5)
The Secretary of State may vary or revoke a direction given under this section.
175Directions in special circumstances
(1)
The Secretary of State may give a direction to OFCOM under subsection (2) or (3) if the Secretary of State has reasonable grounds for believing that circumstances exist that present a threat—
(a)
to the health or safety of the public, or
(b)
to national security.
(2)
A direction under this subsection is a direction requiring OFCOM, in exercising their media literacy functions, to give priority for a specified period to specified objectives designed to address the threat presented by the circumstances mentioned in subsection (1).
(3)
A direction under this subsection is a direction requiring OFCOM to give a public statement notice to—
(a)
a specified provider of a regulated service, or
(b)
providers of regulated services generally.
(4)
A “public statement notice” is a notice requiring a provider of a regulated service to make a publicly available statement, by a date specified in the notice, about steps the provider is taking in response to the threat presented by the circumstances mentioned in subsection (1).
(5)
OFCOM may, by a public statement notice or a subsequent notice, require a provider of a regulated service to provide OFCOM with such information as they may require for the purpose of responding to that threat.
(6)
(7)
(8)
If the Secretary of State varies or revokes a direction given under subsection (3), OFCOM may, in consequence, vary or revoke a public statement notice that they have given by virtue of the direction.
(9)
In subsection (2) “media literacy functions” means OFCOM’s functions under section 11 of the Communications Act (duties to promote media literacy), so far as functions under that section relate to regulated services.
(10)
Guidance
176Secretary of State’s guidance
(1)
The Secretary of State may issue guidance to OFCOM about—
(a)
OFCOM’s exercise of their functions under this Act,
(b)
OFCOM’s exercise of their powers under section 1(3) of the Communications Act (functions and general powers of OFCOM) to carry out research in connection with online safety matters or to arrange for others to carry out research in connection with such matters, and
(c)
OFCOM’s exercise of their functions under section 11 of the Communications Act (media literacy) in relation to regulated services.
(2)
In the rest of this section, “the guidance” means any such guidance as is mentioned in subsection (1), except that it does not include guidance under section 87 (guidance to OFCOM about fees).
(3)
The Secretary of State must consult OFCOM before issuing, revising or replacing the guidance.
(4)
The guidance may not be revised or replaced more frequently than once every three years unless—
(a)
the guidance needs to be corrected because of an amendment, repeal or modification of any provision of this Act or of section 11 of the Communications Act, or
(b)
the revision or replacement is by agreement between the Secretary of State and OFCOM.
(5)
The guidance must be issued as one document.
(6)
The Secretary of State must lay the guidance (including revised or replacement guidance) before Parliament.
(7)
The Secretary of State must publish the guidance (and any revised or replacement guidance).
(8)
In exercising any functions to which the guidance relates, or deciding whether to exercise them, OFCOM must have regard to the guidance for the time being published under this section.
Annual report
177Annual report on the Secretary of State’s functions
“(f)
the Online Safety Act 2023.”
Review
178Review
(1)
The Secretary of State must review the operation of—
(a)
the regulatory framework provided for in this Act, and
(b)
section 11 of the Communications Act, to the extent that that section relates to regulated services.
(2)
The review—
(a)
must not be carried out before the end of the period of two years beginning with the day on which the last of the provisions of Part 3 comes into force, but
(b)
must be carried out before the end of the period of five years beginning with that day.
(3)
The review must, in particular, consider how effective the regulatory framework provided for in this Act is at—
(a)
securing that regulated services are operated using systems and processes that, so far as relevant—
(i)
minimise the risk of harm to individuals in the United Kingdom presented by content on regulated services,
(ii)
provide higher levels of protection for children than for adults,
(iii)
provide transparency and accountability to users in relation to actions taken to comply with duties set out in Chapter 2, 3, 4 or 5 of Part 3, Chapter 1, 3 or 4 of Part 4, or Part 5,
(iv)
protect the right of users and (in the case of search services or combined services) interested persons to freedom of expression within the law, and
(v)
protect users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a regulated service (including, but not limited to, any such provision or rule concerning the processing of personal data); and
(b)
ensuring that regulation of services is proportionate, having regard to the level of risk of harm presented by regulated services of different kinds and to the size and capacity of providers.
(4)
The review must also, in particular, consider—
(a)
the effectiveness of—
(i)
the information gathering and information sharing powers available to OFCOM, and
(ii)
the enforcement powers available to OFCOM; and
(b)
the extent to which OFCOM have had regard to the desirability of encouraging innovation by providers of regulated services.
(5)
In carrying out the review, the Secretary of State must consult—
(a)
OFCOM, and
(b)
such other persons as the Secretary of State considers appropriate.
(6)
In carrying out the review, the Secretary of State must take into account any report published by OFCOM under section 158 (reports about news publisher content and journalistic content).
(7)
The Secretary of State must produce and publish a report on the outcome of the review.
(8)
The report must be laid before Parliament.
(9)
In subsection (3) “content on regulated services” means—
(a)
regulated user-generated content present on regulated services,
(b)
search content of regulated services,
(c)
fraudulent advertisements present on regulated services, and
(d)
regulated provider pornographic content published or displayed on regulated services.
(10)
In subsection (9)—
“fraudulent advertisement” has the meaning given by section 38 or 39 (depending on the kind of service in question);
“regulated user-generated content” has the same meaning as in Part 3 (see section 55);
“regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79);
“search content” has the same meaning as in Part 3 (see section 57).
PART 10Communications offences
False and threatening communications offences
179False communications offence
(1)
A person commits an offence if—
(a)
the person sends a message (see section 182),
(b)
the message conveys information that the person knows to be false,
(c)
at the time of sending it, the person intended the message, or the information in it, to cause non-trivial psychological or physical harm to a likely audience, and
(d)
the person has no reasonable excuse for sending the message.
(2)
For the purposes of this offence an individual is a “likely audience” of a message if, at the time the message is sent, it is reasonably foreseeable that the individual—
(a)
would encounter the message, or
(b)
in the online context, would encounter a subsequent message forwarding or sharing the content of the message.
(3)
In a case where several or many individuals are a likely audience, it is not necessary for the purposes of subsection (1)(c) that the person intended to cause harm to any one of them in particular (or to all of them).
(4)
See section 180 for exemptions from the offence under this section.
(5)
A person who commits an offence under this section is liable—
(a)
on summary conviction in England and Wales, to imprisonment for a term not exceeding the maximum term for summary offences or a fine (or both);
(b)
on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding level 5 on the standard scale (or both).
(6)
In subsection (5)(a) “the maximum term for summary offences” means—
(a)
if the offence is committed before the time when section 281(5) of the Criminal Justice Act 2003 comes into force, 6 months;
(b)
if the offence is committed after that time, 51 weeks.
(7)
Proceedings for an offence under this section may be brought within the period of 6 months beginning with the date on which evidence sufficient in the opinion of the prosecutor to justify the proceedings comes to the prosecutor’s knowledge.
(8)
But such proceedings may not be brought by virtue of subsection (7) more than 3 years after the commission of the offence.
(9)
A certificate signed by the prosecutor as to the date on which the evidence in question came to the prosecutor’s knowledge is conclusive evidence of the date on which it did so; and a certificate to that effect and purporting to be so signed is to be treated as being so signed unless the contrary is proved.
180Exemptions from offence under section 179
(1)
A recognised news publisher cannot commit an offence under section 179.
(2)
An offence under section 179 cannot be committed by the holder of a licence under the Broadcasting Act 1990 or 1996 in connection with anything done under the authority of the licence.
(3)
An offence under section 179 cannot be committed by the holder of a multiplex licence in connection with anything done under the authority of the licence.
(4)
An offence under section 179 cannot be committed by the provider of an on-demand programme service in connection with anything done in the course of providing such a service.
(5)
An offence under section 179 cannot be committed in connection with the showing of a film made for cinema to members of the public.
181Threatening communications offence
(1)
A person commits an offence if—
(a)
the person sends a message (see section 182),
(b)
the message conveys a threat of death or serious harm, and
(c)
at the time of sending it, the person—
(i)
intended an individual encountering the message to fear that the threat would be carried out (whether or not by the person sending the message), or
(ii)
was reckless as to whether an individual encountering the message would fear that the threat would be carried out (whether or not by the person sending the message).
(2)
“Serious harm” means—
(a)
serious injury amounting to grievous bodily harm within the meaning of the Offences against the Person Act 1861,
(b)
rape,
(c)
assault by penetration within the meaning of section 2 of the Sexual Offences Act 2003, or
(d)
serious financial loss.
(3)
In proceedings for an offence under this section relating to a threat of serious financial loss, it is a defence for the person to show that—
(a)
the threat was used to reinforce a reasonable demand, and
(b)
the person reasonably believed that the use of the threat was a proper means of reinforcing the demand.
(4)
If evidence is adduced which is sufficient to raise an issue with respect to the defence under subsection (3), the court must assume that the defence is satisfied unless the prosecution proves beyond reasonable doubt that it is not.
(5)
A person who commits an offence under this section is liable—
(a)
on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)
on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(c)
on conviction on indictment, to imprisonment for a term not exceeding 5 years or a fine (or both).
182Interpretation of sections 179 to 181
(1)
This section applies for the purposes of sections 179 to 181, and references in this section to an offence are to an offence under section 179 or 181.
(2)
A person “sends a message” if the person—
(a)
sends, transmits or publishes a communication (including an oral communication) by electronic means, or
(b)
sends, or gives to an individual, a letter or a thing of any other description,
and references to a message are to be read accordingly.
(3)
A person also “sends a message” if the person—
(a)
causes a communication (including an oral communication) to be sent, transmitted or published by electronic means, or
(b)
causes a letter or a thing of any other description to be—
(i)
sent, or
(ii)
given to an individual.
(4)
But a provider of an internet service by means of which a communication is sent, transmitted or published is not to be regarded as a person who sends a message.
(5)
“Encounter”, in relation to a message, means read, view, hear or otherwise experience the message.
(6)
It does not matter whether the content of a message is created by the person who sends it (so for example, in the online context, an offence may be committed by a person who forwards another person’s direct message or shares another person’s post).
(7)
In the application of sections 179 to 181 to the sending by electronic means of a message consisting of or including a hyperlink to other content—
(a)
references to the message are to be read as including references to content accessed directly via the hyperlink, and
(b)
an individual who is a likely audience in relation to the hyperlink for the purposes of section 179 is to be assumed to be a likely audience in relation to the linked content.
(8)
In the application of sections 179 to 181 to the sending of an item on which data is stored electronically, references to the message are to be read as including content accessed by means of the item to which the recipient is specifically directed by the sender (and in this subsection “sending” includes “giving”, and “sender” is to be read accordingly).
(9)
In the online context, the date on which a person commits an offence in relation to a message is the date on which the message is first sent by the person.
(10)
“Recognised news publisher” has the meaning given by section 56.
(11)
“Multiplex licence” means a licence under section 8 of the Wireless Telegraphy Act 2006 which authorises the provision of a multiplex service within the meaning of section 42(6) of that Act.
(12)
“On-demand programme service” has the same meaning as in the Communications Act (see section 368A of that Act), and a person is the “provider” of an on-demand programme service if the person has given notification of the person’s intention to provide that service in accordance with section 368BA of that Act.
Offences of sending or showing flashing images
183Offences of sending or showing flashing images electronically
(1)
A person (A) commits an offence if—
(a)
A sends a communication by electronic means which consists of or includes flashing images (see subsection (13)),
(b)
either condition 1 or condition 2 is met, and
(c)
A has no reasonable excuse for sending the communication.
(2)
Condition 1 is that—
(a)
at the time the communication is sent, it is reasonably foreseeable that an individual with epilepsy would be among the individuals who would view it, and
(b)
A sends the communication with the intention that such an individual will suffer harm as a result of viewing the flashing images.
(3)
Condition 2 is that, when sending the communication—
(a)
A believes that an individual (B)—
(i)
whom A knows to be an individual with epilepsy, or
(ii)
whom A suspects to be an individual with epilepsy,
will, or might, view it, and
(b)
A intends that B will suffer harm as a result of viewing the flashing images.
(4)
In subsections (2)(a) and (3)(a), references to viewing the communication are to be read as including references to viewing a subsequent communication forwarding or sharing the content of the communication.
(5)
The exemptions contained in section 180 apply to an offence under subsection (1) as they apply to an offence under section 179.
(6)
For the purposes of subsection (1), a provider of an internet service by means of which a communication is sent is not to be regarded as a person who sends a communication.
(7)
In the application of subsection (1) to a communication consisting of or including a hyperlink to other content, references to the communication are to be read as including references to content accessed directly via the hyperlink.
(8)
A person (A) commits an offence if—
(a)
A shows an individual (B) flashing images by means of an electronic communications device,
(b)
when showing the images—
(i)
A knows that B is an individual with epilepsy, or
(ii)
A suspects that B is an individual with epilepsy,
(c)
when showing the images, A intends that B will suffer harm as a result of viewing them, and
(d)
A has no reasonable excuse for showing the images.
(9)
An offence under subsection (1) or (8) cannot be committed by a healthcare professional acting in that capacity.
(10)
A person who commits an offence under subsection (1) or (8) is liable—
(a)
on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)
on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(c)
on conviction on indictment, to imprisonment for a term not exceeding 5 years or a fine (or both).
(11)
It does not matter for the purposes of this section whether flashing images may be viewed at once (for example, a GIF that plays automatically) or only after some action is performed (for example, pressing play).
(12)
In this section—
(a)
references to sending a communication include references to causing a communication to be sent;
(b)
references to showing flashing images include references to causing flashing images to be shown.
(13)
In this section—
“electronic communications device” means equipment or a device that is capable of transmitting images by electronic means;
“flashing images” means images which carry a risk that an individual with photosensitive epilepsy who viewed them would suffer a seizure as a result;
“harm” means—
(a)
a seizure, or
(b)
alarm or distress;
“individual with epilepsy” includes, but is not limited to, an individual with photosensitive epilepsy;
“send” includes transmit and publish (and related expressions are to be read accordingly).
Offence of encouraging or assisting serious self-harm
184Offence of encouraging or assisting serious self-harm
(1)
A person (D) commits an offence if—
(a)
D does a relevant act capable of encouraging or assisting the serious self-harm of another person, and
(b)
D’s act was intended to encourage or assist the serious self-harm of another person.
(2)
D “does a relevant act” if D—
(a)
communicates in person,
(b)
sends, transmits or publishes a communication by electronic means,
(c)
shows a person such a communication,
(d)
publishes material by any means other than electronic means,
(e)
sends, gives, shows or makes available to a person—
(i)
material published as mentioned in paragraph (d), or
(ii)
any form of correspondence, or
(f)
sends, gives or makes available to a person an item on which data is stored electronically.
(3)
“Serious self-harm” means self-harm amounting to—
(a)
in England and Wales and Northern Ireland, grievous bodily harm within the meaning of the Offences Against the Person Act 1861, and
(b)
in Scotland, severe injury,
and includes successive acts of self-harm which cumulatively reach that threshold.
(4)
The person referred to in subsection (1)(a) and (b) need not be a specific person (or class of persons) known to, or identified by, D.
(5)
D may commit an offence under this section whether or not serious self-harm occurs.
(6)
If a person (D1) arranges for a person (D2) to do an act that is capable of encouraging or assisting the serious self-harm of another person and D2 does that act, D1 is to be treated as also having done it.
(7)
In the application of subsection (1) to an act by D involving an electronic communication or a publication in physical form, it does not matter whether the content of the communication or publication is created by D (so for example, in the online context, the offence under this section may be committed by forwarding another person’s direct message or sharing another person’s post).
(8)
In the application of subsection (1) to the sending, transmission or publication by electronic means of a communication consisting of or including a hyperlink to other content, the reference in subsection (2)(b) to the communication is to be read as including a reference to content accessed directly via the hyperlink.
(9)
In the application of subsection (1) to an act by D involving an item on which data is stored electronically, the reference in subsection (2)(f) to the item is to be read as including a reference to content accessed by means of the item to which the person in receipt of the item is specifically directed by D.
(10)
A provider of an internet service by means of which a communication is sent, transmitted or published is not to be regarded as a person who sends, transmits or publishes it.
(11)
Any reference in this section to doing an act that is capable of encouraging the serious self-harm of another person includes a reference to doing so by threatening another person or otherwise putting pressure on another person to seriously self-harm.
“Seriously self-harm” is to be interpreted consistently with subsection (3).
(12)
Any reference to an act in this section, except in subsection (3), includes a reference to a course of conduct, and references to doing an act are to be read accordingly.
(13)
In subsection (3) “act” includes omission.
(14)
A person who commits an offence under this section is liable—
(a)
on summary conviction in England and Wales, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)
on summary conviction in Scotland, to imprisonment for a term not exceeding 12 months or a fine not exceeding the statutory maximum (or both);
(c)
on summary conviction in Northern Ireland, to imprisonment for a term not exceeding 6 months or a fine not exceeding the statutory maximum (or both);
(d)
on conviction on indictment, to imprisonment for a term not exceeding 5 years or a fine (or both).
Further provision
185Extra-territorial application and jurisdiction
(1)
(2)
A person is within this subsection if the person is—
(a)
an individual who is habitually resident in England and Wales or Northern Ireland, or
(b)
a body incorporated or constituted under the law of England and Wales or Northern Ireland.
(3)
(4)
A person is within this subsection if the person is—
(a)
an individual who is habitually resident in the United Kingdom, or
(b)
a body incorporated or constituted under the law of any part of the United Kingdom.
(5)
Proceedings for an offence committed under section 179, 181 or 183(1) outside the United Kingdom may be taken, and the offence may for incidental purposes be treated as having been committed, at any place in England and Wales or Northern Ireland.
(6)
Proceedings for an offence committed under section 184 outside the United Kingdom may be taken, and the offence may for incidental purposes be treated as having been committed, at any place in the United Kingdom.
(7)
In the application of subsection (6) to Scotland, any such proceedings against a person may be taken, and the offence may for incidental purposes be treated as having been committed—
(a)
in any sheriff court district in which the person is apprehended or is in custody, or
(b)
in such sheriff court district as the Lord Advocate may determine.
(8)
In subsection (7) “sheriff court district” is to be construed in accordance with the Criminal Procedure (Scotland) Act 1995 (see section 307(1) of that Act).
186Liability of corporate officers
(1)
If an offence under section 179, 181, 183 or 184 is committed by a body corporate and it is proved that the offence—
(a)
has been committed with the consent or connivance of an officer of the body corporate, or
(b)
is attributable to any neglect on the part of an officer of the body corporate,
the officer (as well as the body corporate) commits the offence and is liable to be proceeded against and punished accordingly.
(2)
“Officer”, in relation to a body corporate, means—
(a)
a director, manager, associate, secretary or other similar officer, or
(b)
a person purporting to act in any such capacity.
In paragraph (a) “director”, in relation to a body corporate whose affairs are managed by its members, means a member of the body corporate.
(3)
If an offence under section 184 is committed by a Scottish partnership and it is proved that the offence—
(a)
has been committed with the consent or connivance of a partner of the partnership, or
(b)
is attributable to any neglect on the part of a partner of the partnership,
the partner (as well as the partnership) commits the offence and is liable to be proceeded against and punished accordingly.
(4)
“Partner”, in relation to a Scottish partnership, includes any person who was purporting to act as a partner.
Offences to be inserted into Sexual Offences Act 2003
187Sending etc photograph or film of genitals
“66ASending etc photograph or film of genitals
(1)
A person (A) who intentionally sends or gives a photograph or film of any person’s genitals to another person (B) commits an offence if—
(a)
A intends that B will see the genitals and be caused alarm, distress or humiliation, or
(b)
A sends or gives such a photograph or film for the purpose of obtaining sexual gratification and is reckless as to whether B will be caused alarm, distress or humiliation.
(2)
References to sending or giving such a photograph or film to another person include, in particular—
(a)
sending it to another person by any means, electronically or otherwise,
(b)
showing it to another person, and
(c)
placing it for a particular person to find.
(3)
“Photograph” includes the negative as well as the positive version.
(4)
“Film” means a moving image.
(5)
References to a photograph or film also include—
(a)
an image, whether made or altered by computer graphics or in any other way, which appears to be a photograph or film,
(b)
a copy of a photograph, film or image within paragraph (a), and
(c)
data stored by any means which is capable of conversion into a photograph, film or image within paragraph (a).
(6)
A person who commits an offence under this section is liable—
(a)
on summary conviction, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)
on conviction on indictment, to imprisonment for a term not exceeding two years.”
188Sharing or threatening to share intimate photograph or film
“66BSharing or threatening to share intimate photograph or film
(1)
A person (A) commits an offence if—
(a)
A intentionally shares a photograph or film which shows, or appears to show, another person (B) in an intimate state,
(b)
B does not consent to the sharing of the photograph or film, and
(c)
A does not reasonably believe that B consents.
(2)
A person (A) commits an offence if—
(a)
A intentionally shares a photograph or film which shows, or appears to show, another person (B) in an intimate state,
(b)
A does so with the intention of causing B alarm, distress or humiliation, and
(c)
B does not consent to the sharing of the photograph or film.
(3)
A person (A) commits an offence if—
(a)
A intentionally shares a photograph or film which shows, or appears to show, another person (B) in an intimate state,
(b)
A does so for the purpose of A or another person obtaining sexual gratification,
(c)
B does not consent to the sharing of the photograph or film, and
(d)
A does not reasonably believe that B consents.
(4)
A person (A) commits an offence if—
(a)
A threatens to share a photograph or film which shows, or appears to show, another person (B) in an intimate state, and
(b)
A does so—
(i)
with the intention that B or another person who knows B will fear that the threat will be carried out, or
(ii)
being reckless as to whether B or another person who knows B will fear that the threat will be carried out.
(5)
(6)
(a)
“consent” to the sharing of a photograph or film includes general consent covering the particular act of sharing as well as specific consent to the particular act of sharing, and
(b)
whether a belief is reasonable is to be determined having regard to all the circumstances including any steps A has taken to ascertain whether B consents.
(7)
Where a person is charged with an offence under subsection (4), it is not necessary for the prosecution to prove—
(a)
that the photograph or film mentioned in the threat exists, or
(b)
if it does exist, that it is in fact a photograph or film which shows or appears to show a person in an intimate state.
(8)
It is a defence for a person charged with an offence under subsection (1) to prove that the person had a reasonable excuse for sharing the photograph or film.
(9)
A person who commits an offence under subsection (1) is liable on summary conviction to imprisonment for a term not exceeding the maximum term for summary offences or a fine (or both).
(10)
(a)
on summary conviction, to imprisonment for a term not exceeding the general limit in a magistrates’ court or a fine (or both);
(b)
on conviction on indictment, to imprisonment for a term not exceeding 2 years.
(11)
In subsection (9) “the maximum term for summary offences” means—
(a)
if the offence is committed before the time when section 281(5) of the Criminal Justice Act 2003 comes into force, six months;
(b)
if the offence is committed after that time, 51 weeks.
(12)
(13)
66CSharing or threatening to share intimate photograph or film: exemptions
(1)
A person (A) who shares a photograph or film which shows, or appears to show, another person (B) in an intimate state does not commit an offence under section 66B(1), (2) or (3) if—
(a)
the photograph or film was taken in a place to which the public or a section of the public had or were permitted to have access (whether on payment or otherwise),
(b)
B had no reasonable expectation of privacy from the photograph or film being taken, and
(c)
B was, or A reasonably believes that B was, in the intimate state voluntarily.
(2)
For the purposes of subsection (1)(b), whether a person had a reasonable expectation of privacy from a photograph or film being taken is to be determined by reference to the circumstances that the person sharing the photograph or film reasonably believes to have existed at the time the photograph or film was taken.
(3)
A person (A) who shares a photograph or film which shows, or appears to show, another person (B) in an intimate state does not commit an offence under section 66B(1), (2) or (3) if—
(a)
the photograph or film had, or A reasonably believes that the photograph or film had, been previously publicly shared, and
(b)
B had, or A reasonably believes that B had, consented to the previous sharing.
(4)
A person (A) who shares a photograph or film which shows, or appears to show, another person (B) in an intimate state does not commit an offence under section 66B(1) if—
(a)
B is a person under 16,
(b)
B lacks, or A reasonably believes that B lacks, capacity to consent to the sharing of the photograph or film, and
(c)
the photograph or film is shared—
(i)
with a healthcare professional acting in that capacity, or
(ii)
otherwise in connection with the care or treatment of B by a healthcare professional.
(5)
(6)
A person who threatens to share a photograph or film which shows, or appears to show, another person in an intimate state does not commit an offence under section 66B(4) if, by reason of this section, the person would not commit an offence under section 66B(1), (2) or (3) by sharing the photograph or film in the circumstances conveyed by the threat.
66DSharing or threatening to share intimate photograph or film: interpretation
(1)
(2)
A person “shares” something if the person, by any means, gives or shows it to another person or makes it available to another person.
(3)
But a provider of an internet service by means of which a photograph or film is shared is not to be regarded as a person who shares it.
(4)
“Photograph” and “film” have the same meaning as in section 66A (see subsections (3) to (5) of that section).
(5)
Except where a photograph or film falls within subsection (8), a photograph or film shows, or appears to show, another person in an intimate state if it shows or appears to show—
(a)
the person participating or engaging in an act which a reasonable person would consider to be a sexual act,
(b)
the person doing a thing which a reasonable person would consider to be sexual,
(c)
all or part of the person’s exposed genitals, buttocks or breasts,
(d)
the person in an act of urination or defecation, or
(e)
the person carrying out an act of personal care associated with the person’s urination, defecation or genital or anal discharge.
(6)
For the purposes of subsection (5)(c) the reference to all or part of a person’s “exposed” genitals, buttocks or breasts includes—
(a)
a reference to all or part of the person’s genitals, buttocks or breasts visible through wet or otherwise transparent clothing,
(b)
the case where all or part of the person’s genitals, buttocks or breasts would be exposed but for the fact that they are covered only with underwear, and
(c)
the case where all or part of the person’s genitals, buttocks or breasts would be exposed but for the fact that they are obscured, provided that the area obscured is similar to or smaller than an area that would typically be covered by underwear worn to cover a person’s genitals, buttocks or breasts (as the case may be).
(7)
In subsection (6)(c) “obscured” means obscured by any means, other than by clothing that a person is wearing, including, in particular, by an object, by part of a person’s body or by digital alteration.
(8)
A photograph or film falls within this subsection if (so far as it shows or appears to show a person in an intimate state) it shows or appears to show something, other than breastfeeding, that is of a kind ordinarily seen in public.
(9)
For the purposes of subsection (8) “breastfeeding” includes the rearranging of clothing in the course of preparing to breastfeed or having just finished breastfeeding.”
Repeals and amendments in connection with offences
189Repeals in connection with offences under sections 179 and 181
(1)
Section 127(2)(a) and (b) of the Communications Act (false messages) is repealed so far as it extends to England and Wales and Northern Ireland.
(2)
The following provisions of the Malicious Communications Act 1988 are repealed—
(a)
section 1(1)(a)(ii),
(b)
section 1(1)(a)(iii), and
(c)
section 1(2).
(3)
The following provisions of the Malicious Communications (Northern Ireland) Order 1988 (S.I. 1988/1849 (N.I. 18)) are repealed—
(a)
Article 3(1)(a)(ii),
(b)
Article 3(1)(a)(iii), and
(c)
Article 3(2).
190Repeals in connection with offences under section 188
Sections 33 to 35 of the Criminal Justice and Courts Act 2015 (disclosing or threatening to disclose private sexual photographs and films with intent to cause distress) are repealed.
191Consequential amendments
(1)
Part 1 of Schedule 14 contains amendments consequential on sections 179, 181 and 183.
(2)
Part 2 of Schedule 14 contains amendments consequential on section 184.
(3)
Part 3 of Schedule 14 contains amendments consequential on sections 187 and 188.
(4)
Part 4 of Schedule 14 contains amendments consequential on section 190.
PART 11Supplementary and general
Providers' judgements about the status of content
192Providers’ judgements about the status of content
(1)
This section sets out the approach to be taken where—
(a)
a system or process operated or used by a provider of a Part 3 service for the purpose of compliance with relevant requirements,
(b)
a risk assessment required to be carried out by Part 3, or
(c)
an assessment required to be carried out by section 14,
involves a judgement by a provider about whether content is content of a particular kind.
(2)
Such judgements are to be made on the basis of all relevant information that is reasonably available to a provider.
(3)
In construing the reference to information that is reasonably available to a provider, the following factors, in particular, are relevant—
(a)
the size and capacity of the provider, and
(b)
whether a judgement is made by human moderators, by means of automated systems or processes or by means of automated systems or processes together with human moderators.
(4)
Subsections (5) to (7) apply (as well as subsection (2)) in relation to judgements by providers about whether content is—
(a)
illegal content, or illegal content of a particular kind, or
(b)
a fraudulent advertisement.
(5)
In making such judgements, the approach to be followed is whether a provider has reasonable grounds to infer that content is content of the kind in question (and a provider must treat content as content of the kind in question if reasonable grounds for that inference exist).
(6)
Reasonable grounds for that inference exist in relation to content and an offence if, following the approach in subsection (2), a provider—
(a)
has reasonable grounds to infer that all elements necessary for the commission of the offence, including mental elements, are present or satisfied, and
(b)
does not have reasonable grounds to infer that a defence to the offence may be successfully relied upon.
(7)
In the case of content generated by a bot or other automated tool, the tests mentioned in subsection (6)(a) and (b) are to be applied in relation to the conduct or mental state of a person who may be assumed to control the bot or tool (or, depending what a provider knows in a particular case, the actual person who controls the bot or tool).
(8)
In considering a provider’s compliance with relevant requirements to which this section is relevant, OFCOM may take into account whether providers’ judgements follow the approaches set out in this section (including judgements made by means of automated systems or processes, alone or together with human moderators).
(9)
In this section—
“fraudulent advertisement” has the meaning given by section 38 or 39 (depending on the kind of service in question);
“illegal content” has the same meaning as in Part 3 (see section 59);
“relevant requirements” means—
(a)
duties and requirements under this Act, and
(b)
requirements of a notice given by OFCOM under this Act.
193OFCOM’s guidance about illegal content judgements
(1)
OFCOM must produce guidance for providers of Part 3 services about the matters dealt with in section 192 so far as relating to illegal content judgements.
(2)
“Illegal content judgements” means—
(a)
judgements of a kind mentioned in subsection (4) of that section, and
(3)
Before producing the guidance (including revised or replacement guidance), OFCOM must consult such persons as they consider appropriate.
(4)
OFCOM must publish the guidance (and any revised or replacement guidance).
Time-limits for first guidance
194Time for publishing first guidance under certain provisions of this Act
(1)
OFCOM must publish guidance to which this section applies within the period of 18 months beginning with the day on which this Act is passed.
(2)
This section applies to—
(a)
the first guidance under section 52(3)(a) (record-keeping and review);
(b)
the first guidance under section 52(3)(b) (children’s access assessments);
(c)
the first guidance under section 53(1) (content harmful to children);
(d)
the first guidance under section 82 (provider pornographic content);
(e)
the first guidance under section 99(1) (illegal content risk assessments under section 9);
(f)
the first guidance under section 99(2) (illegal content risk assessments under section 26);
(g)
the first guidance under section 99(3) (children’s risk assessments);
(h)
the first guidance under section 151 (enforcement);
(i)
the first guidance under section 193 relating to illegal content judgements within the meaning of subsection (2)(a) of that section (illegal content and fraudulent advertisements).
(3)
If OFCOM consider that it is necessary to extend the period mentioned in subsection (1) in relation to guidance mentioned in any of paragraphs (a) to (i) of subsection (2), OFCOM may extend the period in relation to that guidance by up to 12 months by making and publishing a statement.
But this is subject to subsection (6).
(4)
A statement under subsection (3) must set out—
(a)
the reasons why OFCOM consider that it is necessary to extend the period mentioned in subsection (1) in relation to the guidance concerned, and
(b)
the period of extension.
(5)
A statement under subsection (3) may be published at the same time as (or incorporate) a statement under section 43(12) (extension of time to prepare certain codes of practice).
(6)
But a statement under subsection (3) may not be made in relation to guidance mentioned in a particular paragraph of subsection (2) if—
(a)
a statement has previously been made under subsection (3) (whether in relation to guidance mentioned in the same or a different paragraph of subsection (2)), or
(b)
a statement has previously been made under section 43(12).
Liability of providers etc
195Providers that are not legal persons
(1)
In this section a “relevant entity” means an entity that—
(a)
is the provider of a regulated service, and
(b)
is not a legal person under the law under which it is formed.
(2)
If a penalty notice is given to a relevant entity (in the name of the entity), the penalty must be paid out of the entity’s funds.
(3)
If a notice is given by OFCOM to a relevant entity (in the name of the entity) under any provision of this Act, the notice continues to have effect despite a change in the membership of the entity.
(4)
If a penalty notice is given jointly to two or more officers or members of a relevant entity, those individuals are jointly and severally liable to pay the penalty under it.
(5)
In subsection (4) the reference to officers or members of a relevant entity includes a reference to employees of such an entity or any other individuals associated with such an entity.
(6)
In this section a “penalty notice” means—
(a)
a confirmation decision that imposes a penalty (see sections 132(5)(b) and 137),
(b)
a penalty notice under section 139,
(c)
a penalty notice under section 140(5), or
(d)
a penalty notice under section 141(6).
196Individuals providing regulated services: liability
(1)
(2)
Any duty or requirement imposed on such a provider under any of the provisions specified in subsection (3), or any liability of such a provider to pay a fee under section 84 or Schedule 10, is to be taken to be imposed on, or to be a liability of, all the individuals jointly and severally.
(3)
The provisions are—
(a)
Chapter 2 of Part 3 (providers of user-to-user services: duties of care);
(b)
Chapter 3 of Part 3 (providers of search services: duties of care);
(c)
Chapter 4 of Part 3 (children’s access assessments);
(d)
Chapter 5 of Part 3 (duties about fraudulent advertising);
(e)
Chapter 1 of Part 4 (user identity verification);
(f)
Chapter 2 of Part 4 (reporting CSEA content);
(g)
Chapter 3 of Part 4 (terms of service: transparency, accountability and freedom of expression);
(h)
Chapter 4 of Part 4 (deceased child users);
(i)
Chapter 5 of Part 4 (transparency reporting);
(j)
section 81 (provider pornographic content);
(k)
section 83 (duty to notify OFCOM).
(4)
A notice in respect of a matter that may or must be given by OFCOM under any provision of this Act may be given—
(a)
to only one of the individuals,
(b)
jointly to two or more of them, or
(c)
jointly to all of them,
but a separate notice may not be given to each of the individuals in respect of the matter.
(5)
If a penalty notice is given jointly to two or more individuals, those individuals are jointly and severally liable to pay the penalty under it.
(6)
In subsection (5) a “penalty notice” means—
(a)
a confirmation decision that imposes a penalty (see sections 132(5)(b) and 137),
(b)
a penalty notice under section 139,
(c)
a penalty notice under section 140(5), or
(d)
a penalty notice under section 141(6).
197Liability of parent entities etc
Schedule 15 contains provision about—
(a)
the giving of joint provisional notices of contravention to parent entities etc,
(b)
the liability of parent entities for failures by subsidiary entities,
(c)
the liability of subsidiary entities for failures by parent entities,
(d)
the liability of fellow subsidiary entities for failures by subsidiary entities, and
(e)
the liability of controlling individuals for failures by entities.
198Former providers of regulated services
(1)
A power conferred by Chapter 6 of Part 7 (enforcement powers) to give a notice to a provider of a regulated service is to be read as including power to give a notice to a person who was, at the relevant time, a provider of such a service but who has ceased to be a provider of such a service (and that Chapter and Schedules 13 and 15 are to be read accordingly).
(2)
“The relevant time” means—
(a)
the time of the failure to which the notice relates, or
(b)
in the case of a notice which relates to the requirement in section 105(1) to co-operate with an investigation, the time of the failure or possible failure to which the investigation relates.
Offences
199Information offences: supplementary
(1)
Proceedings against a person for an offence under section 109(1) or paragraph 18(1)(b) of Schedule 12 may be brought only if—
(a)
OFCOM have given the person a provisional notice of contravention in respect of the failure to comply with the requirements of an information notice or the requirements imposed by a person acting under Schedule 12 (as the case may be),
(b)
OFCOM have given the person a confirmation decision in respect of that failure imposing requirements of a kind described in section 133(1) and the time allowed for compliance with the decision has expired without those requirements having been complied with,
(c)
OFCOM have not imposed a penalty on the person in respect of that failure,
(d)
a service restriction order under section 144 has not been made in relation to a regulated service provided by the person in respect of that failure, and
(e)
an access restriction order under section 146 has not been made in relation to a regulated service provided by the person in respect of that failure.
(2)
(3)
Where a penalty has been imposed on a person in respect of an act or omission constituting an offence under section 69 or 109 or paragraph 18 of Schedule 12, no proceedings may be brought against the person for that offence.
(4)
Where a penalty has been imposed on an entity in respect of an act or omission constituting an offence under section 109, no proceedings for an offence under section 110 may be brought against an individual in respect of a failure to prevent that offence.
(5)
A penalty may not be imposed on a person in respect of an act or omission constituting an offence under section 69 or 109 or paragraph 18 of Schedule 12 if—
(a)
proceedings for the offence have been brought against the person but have not been concluded, or
(b)
the person has been convicted of the offence.
(6)
In this section “penalty” means a penalty imposed by—
(a)
a confirmation decision (see sections 132(5)(b) and 137), or
(b)
a penalty notice under section 139.
200Offence of failure to comply with confirmation decision: supplementary
(1)
Where a penalty has been imposed on a person by a penalty notice under section 139 in respect of a failure constituting an offence under section 138 (failure to comply with certain requirements of a confirmation decision), no proceedings may be brought against the person for that offence.
(2)
A penalty may not be imposed on a person by a penalty notice under section 139 in respect of a failure constituting an offence under section 138 if—
(a)
proceedings for the offence have been brought against the person but have not been concluded, or
(b)
the person has been convicted of the offence.
(3)
Where a service restriction order under section 144 or an access restriction order under section 146 has been made in relation to a regulated service provided by a person in respect of a failure constituting an offence under section 138, no proceedings may be brought against the person for that offence.
201Defences
(1)
Subsection (2) applies where a person relies on a defence under section 109 or 110.
(2)
If evidence is adduced which is sufficient to raise an issue with respect to the defence, the court must assume that the defence is satisfied unless the prosecution proves beyond reasonable doubt that it is not.
202Liability of corporate officers for offences
(1)
In this section a “relevant entity” means an entity that is—
(a)
the provider of a regulated service, and
(b)
a legal person under the law under which it is formed.
(2)
If an offence is committed by a relevant entity and it is proved that the offence—
(a)
has been committed with the consent or connivance of an officer of the entity, or
(b)
is attributable to any neglect on the part of an officer of the entity,
the officer (as well as the entity) commits the offence and (subject to section 199(1)) is liable to be proceeded against and punished accordingly.
(3)
In relation to an entity which is a body corporate, “officer” means—
(a)
a director, manager, associate, secretary or other similar officer, or
(b)
a person purporting to act in any such capacity.
In paragraph (a) “director”, in relation to a body corporate whose affairs are managed by its members, means a member of the body corporate.
(4)
In relation to a partnership which is not regarded as a body corporate under the law under which it is formed, “officer” means—
(a)
a partner, or
(b)
a person purporting to act as a partner.
(5)
In this section—
“body corporate” includes an entity incorporated outside the United Kingdom;
“offence” means an offence under this Act, except under Part 10.
203Application of offences to providers that are not legal persons
(1)
In this section a “relevant entity” means an entity that—
(a)
is the provider of a regulated service, and
(b)
is not a legal person under the law under which it is formed.
(2)
Proceedings for an offence alleged to have been committed by a relevant entity must be brought against the entity in its own name (and not in that of any of its officers or members).
(3)
For the purposes of such proceedings—
(a)
rules of court relating to the service of documents have effect as if the entity were a body corporate; and
(b)
the following provisions apply as they apply in relation to a body corporate—
(i)
section 33 of the Criminal Justice Act 1925 and Schedule 3 to the Magistrates’ Courts Act 1980;
(ii)
section 18 of the Criminal Justice Act (Northern Ireland) 1945 (c. 15 (N.I.)) and Article 166 of, and Schedule 4 to, the Magistrates’ Courts (Northern Ireland) Order 1981 (S.I. 1981/1675 (N.I. 26)).
(4)
A fine imposed on a relevant entity on its conviction of an offence must be paid out of the entity’s funds.
(5)
If an offence is committed by a relevant entity and it is proved that the offence—
(a)
has been committed with the consent or connivance of an officer of the entity, or
(b)
is attributable to any neglect on the part of an officer of the entity,
the officer (as well as the entity) commits the offence and (subject to section 199(1)) is liable to be proceeded against and punished accordingly.
(6)
In relation to a partnership, “officer” means—
(a)
a partner, or
(b)
a person purporting to act as a partner.
(7)
In relation to a relevant entity other than a partnership, “officer” means—
(a)
an officer of the entity or a person concerned in the management or control of the entity, or
(b)
a person purporting to act in such a capacity.
(8)
(9)
In this section “offence” means an offence under this Act, except under Part 10.
Extra-territorial application
204Extra-territorial application
(1)
References in this Act to an internet service, a user-to-user service or a search service include such a service provided from outside the United Kingdom (as well as such a service provided from within the United Kingdom).
(2)
The power to require the production of documents by an information notice includes power to require the production of documents held outside the United Kingdom.
(3)
The power conferred by section 106 includes power to require the attendance for interview of an individual who is outside the United Kingdom.
(4)
Sections 133(9) and 150(11) (requirements enforceable in civil proceedings against a person) apply whether or not the person is in the United Kingdom.
205Offences: extra-territorial application and jurisdiction
(1)
Sections 69, 109 and 112 apply to acts done by a person in the United Kingdom or elsewhere (information offences).
(2)
Section 110 applies to acts done by an individual in the United Kingdom or elsewhere (offences by senior managers of providers of regulated services).
(3)
Section 138 applies to acts done by a person in the United Kingdom or elsewhere (offence of failure to comply with confirmation decision).
(4)
(5)
In the case of an offence under section 69, 109, 110, 112 or 138 which is committed outside the United Kingdom—
(a)
proceedings for the offence may be taken at any place in the United Kingdom, and
(b)
the offence may for all incidental purposes be treated as having been committed at any such place.
(6)
In the application of subsection (5) to Scotland, any such proceedings against a person may be taken—
(a)
in any sheriff court district in which the person is apprehended or is in custody, or
(b)
in such sheriff court district as the Lord Advocate may determine.
(7)
In this section—
“act” includes a failure to act;
“sheriff court district” is to be construed in accordance with the Criminal Procedure (Scotland) Act 1995 (see section 307(1) of that Act).
Payment of sums into Consolidated Fund
206Payment of sums into the Consolidated Fund
(1)
Section 400 of the Communications Act (destination of penalties etc) is amended as follows.
(2)
“(j)
an amount paid to OFCOM in respect of a penalty imposed by them under Chapter 6 of Part 7 of the Online Safety Act 2023;
(k)
an amount paid to OFCOM in respect of an additional fee charged under Schedule 10 to the Online Safety Act 2023.”
(3)
In subsection (2), after “applies” insert “(except an amount mentioned in subsection (1)(j) or (k))”
.
(4)
“(3A)
Where OFCOM receive an amount mentioned in subsection (1)(j) or (k), it must be paid into the Consolidated Fund of the United Kingdom.”
(5)
In the heading, omit “licence”.
Publication by OFCOM
207Publication by OFCOM
Anything required by this Act to be published by OFCOM must be published in such manner as OFCOM consider appropriate for bringing it to the attention of the persons who, in their opinion, are likely to be affected by it.
Service of notices
208Service of notices
(1)
This section applies in relation to a notice that may or must be given by OFCOM to a person under any provision of this Act.
(2)
OFCOM may give a notice to a person by—
(a)
delivering it by hand to the person,
(b)
leaving it at the person’s proper address,
(c)
sending it by post to the person at that address, or
(d)
sending it by email to the person’s email address.
(3)
A notice to a body corporate may be given to any officer of that body.
(4)
A notice to a partnership may be given to any partner or to a person who has the control or management of the partnership business.
(5)
A notice to an entity that is not a legal person under the law under which it is formed (other than a partnership) may be given to any member of the governing body of the entity.
(6)
In the case of a notice given to a person who is a provider of a regulated service, the person’s proper address for the purposes of paragraphs (b) and (c) of subsection (2), and section 7 of the Interpretation Act 1978 in its application to those paragraphs, is any address (within or outside the United Kingdom) at which OFCOM believe, on reasonable grounds, that the notice will come to the attention of the person or (where the person is an entity) any director or other officer of that entity.
(7)
In the case of a notice given to a person other than a provider of a regulated service, a person’s proper address for the purposes of paragraphs (b) and (c) of subsection (2), and section 7 of the Interpretation Act 1978 in its application to those paragraphs, is—
(a)
in the case of an entity, the address of the entity’s registered or principal office;
(b)
in any other case, the person’s last known address.
(8)
In the case of an entity registered or carrying on business outside the United Kingdom, or with offices outside the United Kingdom, the reference in subsection (7) to its principal office includes its principal office in the United Kingdom or, if the entity has no office in the United Kingdom, any place in the United Kingdom at which OFCOM believe, on reasonable grounds, that the notice will come to the attention of any director or other officer of that entity.
(9)
In the case of a notice given to an individual under section 106 (interviews), the reference in subsection (7) to the person’s last known address is to the individual’s home address or, if the individual is currently connected with a provider of a regulated service, the address of the provider’s registered or principal office.
(10)
For the purposes of subsection (2)(d), a person’s email address is—
(a)
any email address published for the time being by that person as an address for contacting that person, or
(b)
if there is no such published address, any email address by means of which OFCOM believe, on reasonable grounds, that the notice will come to the attention of that person or (where that person is an entity) any director or other officer of that entity.
(11)
A notice sent by email is treated as given 48 hours after it was sent, unless the contrary is proved.
(12)
In this section—
“director” includes any person occupying the position of a director, by whatever name called;
“officer”, in relation to an entity, includes a director, a manager, a partner, an associate, a secretary or, where the affairs of the entity are managed by its members, a member.
Repeals and amendments
209Amendments of Part 4B of the Communications Act
Schedule 16 contains amendments of Part 4B of the Communications Act.
210Repeal of Part 4B of the Communications Act
(1)
In the Communications Act, omit Part 4B (video-sharing platform services).
(2)
In the Audiovisual Media Services Regulations 2020 (S.I. 2020/1062), omit Part 4 (which inserts Part 4B into the Communications Act).
(3)
In this Act, omit—
(a)
section 209, and
(b)
Schedule 16.
(4)
In the Audiovisual Media Services (Amendment) (EU Exit) Regulations 2020 (S.I. 2020/1536), omit regulation 4.
211Repeal of Part 4B of the Communications Act: transitional provision etc
(1)
Schedule 17 contains transitional, transitory and saving provision—
(a)
about the application of this Act and Part 4B of the Communications Act during a period before the repeal of Part 4B of the Communications Act (or, in the case of Part 3 of Schedule 17, in respect of charging years as mentioned in that Part);
(b)
in connection with the repeal of Part 4B of the Communications Act.
(2)
The Secretary of State may by regulations make transitional, transitory or saving provision of the kind mentioned in subsection (1)(a) and (b).
(3)
Regulations under subsection (2) may amend or repeal—
(a)
Part 3 of Schedule 3;
(b)
Schedule 17.
(4)
Regulations under subsection (2) may, in particular, make provision about—
(a)
the application of Schedule 17 in relation to a service if the transitional period in relation to that service ends on a date before the date when section 210 comes into force;
(b)
the application of Part 3 of Schedule 17, including further provision about the calculation of a provider’s non-Part 4B qualifying worldwide revenue for the purposes of paragraph 19 of that Schedule;
(c)
the application of Schedule 10 (recovery of OFCOM’s initial costs), and in particular how fees chargeable under that Schedule may be calculated, in respect of charging years to which Part 3 of Schedule 17 relates.
212Repeals: Digital Economy Act 2017
(1)
The Digital Economy Act 2017 is amended as follows.
(2)
Omit—
(a)
Part 3 (online pornography), and
(b)
section 119(10) and (11) (power to extend that Part to the Channel Islands or the Isle of Man).
(3)
Omit section 103 (code of practice for providers of online social media platforms).
213Offence under the Obscene Publications Act 1959: OFCOM defence
(1)
(2)
“(5A)
A person shall not be convicted of an offence against this section of the publication of an obscene article if the person proves that—
(a)
at the time of the offence charged, the person was a member of OFCOM, employed or engaged by OFCOM, or assisting OFCOM in the exercise of any of their online safety functions (within the meaning of section 235 of the Online Safety Act 2023), and
(b)
the person published the article for the purposes of OFCOM’s exercise of any of those functions.”
(3)
In subsection (7)—
(a)
the words after “In this section” become paragraph (a), and
(b)
“;
(b)
“OFCOM” means the Office of Communications.”
214Offences regarding indecent photographs of children: OFCOM defence
England and Wales
(1)
Section 1B of the Protection of Children Act 1978 (defence to offence relating to indecent photographs of children) is amended in accordance with subsections (2) and (3).
(2)
In subsection (1)—
(a)
for “he”, in each place, substitute “the defendant”
;
(b)
for “him”, in each place, substitute “the defendant”
;
(c)
omit “or” at the end of paragraph (b);
(d)
“, or
(d)
the defendant—
(i)
was at the time of the offence charged a member of OFCOM, employed or engaged by OFCOM, or assisting OFCOM in the exercise of any of their online safety functions (within the meaning of section 235 of the Online Safety Act 2023), and
(ii)
made the photograph or pseudo-photograph for the purposes of OFCOM’s exercise of any of those functions.”
(3)
“(3)
In this section “OFCOM” means the Office of Communications.”
Scotland
(4)
Section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs of children) is amended in accordance with subsections (5) and (6).
(5)
“(4A)
Where a person is charged with an offence under subsection (1)(a) of making an indecent photograph or pseudo-photograph of a child, it shall be a defence for the person to prove that—
(a)
at the time of the offence charged, the person was a member of OFCOM, employed or engaged by OFCOM, or assisting OFCOM in the exercise of any of their online safety functions (within the meaning of section 235 of the Online Safety Act 2023), and
(b)
the person made the photograph or pseudo-photograph for the purposes of OFCOM’s exercise of any of those functions.”
(6)
“(e)
“OFCOM” means the Office of Communications.”
Northern Ireland
(7)
Article 3A of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (defence to offence relating to indecent photographs of children) is amended in accordance with subsections (8) and (9).
(8)
In paragraph (1)—
(a)
for “he”, in each place, substitute “the defendant”
;
(b)
for “him”, in each place, substitute “the defendant”
;
(c)
omit “or” at the end of sub-paragraph (b);
(d)
“, or
(d)
the defendant—
(i)
was at the time of the offence charged a member of OFCOM, employed or engaged by OFCOM, or assisting OFCOM in the exercise of any of their online safety functions (within the meaning of section 235 of the Online Safety Act 2023), and
(ii)
made the photograph or pseudo-photograph for the purposes of OFCOM’s exercise of any of those functions.”
(9)
“(3)
In this Article “OFCOM” means the Office of Communications.”
Power to amend Act to regulate app stores
215Power to regulate app stores
(1)
Subject to the following provisions of this section and section 216, the Secretary of State may by regulations amend any provision of this Act to make provision for or in connection with the regulation of internet services that are app stores.
(2)
Regulations under this section may not be made before OFCOM have published a report under section 161 (report about use of app stores by children).
(3)
Regulations under this section may be made only if the Secretary of State, having considered that report, considers that there is a material risk of significant harm to an appreciable number of children presented by either of the following, or by both taken together—
(a)
harmful content present on app stores, or
(b)
harmful content encountered by means of regulated apps available in app stores.
(4)
Before making regulations under this section the Secretary of State must consult—
(a)
persons who appear to the Secretary of State to represent providers of app stores,
(b)
persons who appear to the Secretary of State to represent the interests of children (generally or with particular reference to online safety matters),
(c)
OFCOM,
(d)
the Information Commissioner,
(e)
the Children’s Commissioner, and
(f)
such other persons as the Secretary of State considers appropriate.
(5)
In this section and in section 216—
“amend” includes repeal and apply (with or without modifications);
“app” includes an app for use on any kind of device, and “app store” is to be read accordingly;
“content that is harmful to children” has the same meaning as in Part 3 (see section 60);
“harmful content” means—
(a)
content that is harmful to children,
(b)
search content that is harmful to children, and
(c)
regulated provider pornographic content;
“regulated app” means an app for a regulated service;
“regulated provider pornographic content” has the same meaning as in Part 5 (see section 79);
“search content” has the same meaning as in Part 3 (see section 57).
(6)
In this section and in section 216 references to children are to children in the United Kingdom.
216Power to regulate app stores: supplementary
(1)
In this section (except in subsection (4)(c)) “regulations” means regulations under section 215(1).
(2)
Provision may be made by regulations only for or in connection with the purposes of minimising or mitigating the risks of harm to children presented by harmful content as mentioned in section 215(3)(a) and (b).
(3)
Regulations may not have the effect that any body other than OFCOM is the regulator in relation to app stores.
(4)
Regulations may—
(a)
make provision exempting specified descriptions of app stores from regulation under this Act;
(b)
make provision amending Part 2, section 55 or Schedule 1 in connection with provision mentioned in paragraph (a);
(c)
make provision corresponding or similar to provision which may be made by regulations under paragraph 1 of Schedule 11 (“threshold conditions”), with the effect that only app stores which meet specified conditions are regulated by this Act.
(5)
Regulations may make provision having the effect that app stores provided from outside the United Kingdom are regulated by this Act (as well as app stores provided from within the United Kingdom), but, if they do so, must contain provision corresponding or similar to section 4(5) and (6) (UK links).
(6)
The provision that may be made by regulations includes provision—
(a)
imposing on providers of app stores duties corresponding or similar to duties imposed on providers of Part 3 services by—
(i)
section 11 or 12 (children’s online safety: user-to-user services) or any of sections 20 to 23 so far as relating to section 11 or 12;
(ii)
section 28 or 29 (children’s online safety: search services) or any of sections 31 to 34 so far as relating to section 28 or 29;
(b)
imposing on providers of app stores duties corresponding or similar to duties imposed on providers of internet services within section 80(2) by section 81 (duties about regulated provider pornographic content);
(c)
imposing on providers of app stores requirements corresponding or similar to requirements imposed on providers of regulated services by, or by OFCOM under, Part 6 (fees);
(d)
imposing on OFCOM duties in relation to app stores corresponding or similar to duties imposed in relation to Part 3 services by Chapter 3 of Part 7 (OFCOM’s register of risks, and risk profiles);
(e)
conferring on OFCOM functions in relation to app stores corresponding or similar to the functions that OFCOM have in relation to regulated services under—
(i)
Chapter 4 of Part 7 (information), or
(ii)
Chapter 6 of Part 7 (enforcement), including provisions of that Chapter conferring power for OFCOM to impose monetary penalties;
(f)
about OFCOM’s production of guidance or a code of practice relating to any aspect of the regulation of app stores that is included in the regulations.
(7)
The provision that may be made by regulations includes provision having the effect that app stores fall within the definition of “Part 3 service” or “regulated service” for the purposes of specified provisions of this Act (with the effect that specified provisions of this Act which apply in relation to Part 3 services or regulated services, or to providers of Part 3 services or regulated services, also apply in relation to app stores or to providers of app stores).
(8)
Regulations may not amend or make provision corresponding or similar to—
(a)
Chapter 2 of Part 4 (reporting CSEA content),
(b)
Chapter 5 of Part 7 (notices to deal with terrorism content and CSEA content), or
(c)
Part 10 (communications offences).
(9)
Regulations may make different provision with regard to app stores of different kinds.
(10)
In this section “specified” means specified in regulations.
Power to amend Act: alternative dispute resolution
217Power to impose duty about alternative dispute resolution procedure
(1)
The Secretary of State may by regulations amend this Act for or in connection with the imposition on providers of Category 1 services of an ADR duty.
(2)
An “ADR duty”—
(a)
is a duty requiring providers of Category 1 services to arrange for and engage in an alternative dispute resolution procedure in specified circumstances for the resolution of disputes about their handling of relevant complaints, and
(b)
may include a duty requiring such providers to meet the costs incurred by any other person in using a dispute resolution procedure which is so arranged.
(3)
Complaints are “relevant” for the purposes of subsection (2)(a) if they—
(a)
relate to a Category 1 service,
(b)
are of a specified kind, and
(c)
are made by persons of a specified kind.
(4)
Regulations under this section may not be made before the publication of a statement by the Secretary of State responding to OFCOM’s report under section 160 (report about reporting and complaints procedures in use by providers of Part 3 services: see subsection (10) of that section).
(5)
Before making regulations under this section the Secretary of State must consult—
(a)
OFCOM,
(b)
the Information Commissioner, and
(c)
such other persons as the Secretary of State considers appropriate.
(6)
If the power conferred by subsection (1) is exercised, the first regulations made under the power must—
(a)
require the use of a dispute resolution procedure which is impartial, and
(b)
prohibit the use of a dispute resolution procedure which restricts or excludes the availability of civil proceedings.
(7)
Provision made by regulations under this section may have the effect that the duties set out in any or all of sections 21, 22 and 23 which apply in relation to duties imposed by other provisions of Chapter 2 of Part 3 are also to apply in relation to the ADR duty, and accordingly the regulations may amend—
(a)
section 21(6),
(b)
the definition of “safety measures and policies” in section 22(8), or
(c)
the definition of “relevant duties” in section 23(11).
(8)
The provisions of this Act that may be amended by the regulations in connection with the imposition of the ADR duty include, but are not limited to, the following provisions (in addition to those mentioned in subsection (7))—
(a)
section 7(5),
(b)
section 104(13)(a), and
(c)
section 131(2).
(9)
If the power conferred by subsection (1) is exercised, the first regulations made under the power must require OFCOM to—
(a)
produce and publish guidance for providers of Category 1 services to assist them in complying with the ADR duty, and
(b)
consult the Secretary of State, the Information Commissioner and such other persons as OFCOM consider appropriate before producing the guidance.
(10)
Section 204(1) applies for the purposes of the references to Category 1 services in this section.
(11)
In this section “specified” means specified in regulations under this section.
(12)
For the meaning of “Category 1 service”, see section 95 (register of categories of services).
Other powers to amend Act
218Power to amend section 40
(1)
The Secretary of State may by regulations amend section 40 (fraud etc offences).
But the power to add an offence to that section is limited by subsections (2) and (3).
(2)
An offence may be added to section 40 only if the Secretary of State considers it appropriate to do so because of—
(a)
the prevalence on Category 1 services of content (other than regulated user-generated content) consisting of paid-for advertisements that amount to that offence, or the prevalence in or via search results of Category 2A services of paid-for advertisements that amount to that offence,
(b)
the risk of harm to individuals in the United Kingdom presented by such advertisements, and
(c)
the severity of that harm.
(3)
An offence may not be added to section 40 if—
(a)
the offence concerns—
(i)
the infringement of intellectual property rights,
(ii)
the safety or quality of goods (as opposed to what kind of goods they are), or
(iii)
the performance of a service by a person not qualified to perform it; or
(b)
it is an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277).
(4)
In this section—
(a)
“regulated user-generated content” has the same meaning as in Part 3 (see section 55);
(b)
the words “in or via search results” are to be construed in accordance with section 39;
(c)
references to advertisements that amount to an offence are to be construed in accordance with section 59 (see subsections (3), (11) and (12) of that section).
219Powers to amend sections 61 and 62
(1)
The Secretary of State may by regulations amend—
(a)
section 61 (primary priority content that is harmful to children);
(b)
section 62 (priority content that is harmful to children).
But the power to add a kind of content is limited by subsections (2) to (4).
(2)
A kind of content may be added to section 61 only if the Secretary of State considers that, in relation to Part 3 services—
(a)
there is a material risk of significant harm to an appreciable number of children presented by content of that kind that is regulated user-generated content or search content, and
(b)
it is appropriate for the duties set out in sections 12(3)(a) and 29(3)(a) (duty in relation to children of all ages) to apply in relation to content of that kind.
(3)
A kind of content may be added to section 62 only if the Secretary of State considers that, in relation to Part 3 services, there is a material risk of significant harm to an appreciable number of children presented by content of that kind that is regulated user-generated content or search content.
(4)
A kind of content may not be added to section 61 or 62 if the risk of harm presented by content of that kind flows from—
(a)
the content’s potential financial impact,
(b)
the safety or quality of goods featured in the content, or
(c)
the way in which a service featured in the content may be performed (for example, in the case of the performance of a service by a person not qualified to perform it).
(5)
The Secretary of State must consult OFCOM before making regulations under this section.
(6)
In this section references to children are to children in the United Kingdom.
(7)
In this section—
“regulated user-generated content” has the same meaning as in Part 3 (see section 55);
“search content” has the same meaning as in Part 3 (see section 57).
220Powers to amend or repeal provisions relating to exempt content or services
(1)
The Secretary of State may by regulations—
(a)
amend section 55(5), or
(b)
if the Secretary of State considers that it is appropriate to do so because of the risk of harm to individuals in the United Kingdom presented by one-to-one live aural communications.
(2)
(3)
Regulations under subsection (2) may not have the effect that comments and reviews on provider content present on a service of which the provider is a recognised news publisher become regulated user-generated content within the meaning of Part 3.
(4)
The Secretary of State may by regulations amend Part 1 of Schedule 1 to provide for a further description of user-to-user service or search service to be exempt, if the Secretary of State considers that the risk of harm to individuals in the United Kingdom presented by a service of that description is low.
(5)
Regulations under subsection (4) may amend sections 3, 5 and 55 and Schedule 2 in connection with the amendment of Part 1 of Schedule 1.
(6)
The Secretary of State may by regulations amend Schedule 9 to provide for a further description of internet service to be included, if the Secretary of State considers that the risk of harm to children in the United Kingdom presented by regulated provider pornographic content published or displayed on a service of that description is low.
(7)
If the condition in subsection (8) is met, the Secretary of State may by regulations amend or repeal either of the following—
(a)
paragraph 3 of Schedule 1 (services offering only one-to-one live aural communications);
(b)
any provision of that Schedule added in exercise of the power conferred by subsection (4).
(8)
The condition is that the Secretary of State considers that it is appropriate to amend or repeal the provision in question (as the case may be) because of the risk of harm to individuals in the United Kingdom presented by a service of the description in question.
(9)
Subject to subsection (10), the Secretary of State may by regulations amend paragraph 4 of Schedule 1 (limited functionality services) if the Secretary of State considers that it is appropriate because of the risk of harm to individuals in the United Kingdom presented by a service described in that paragraph.
(10)
Regulations under subsection (9) may not have the effect that a service described in paragraph 4 of Schedule 1 of which the provider is a recognised news publisher is no longer exempt under that paragraph.
(11)
Regulations under subsection (7) may amend or repeal a provision of Schedule 2 in connection with the amendment or repeal of a provision of Part 1 of Schedule 1.
(12)
Regulations under subsection (7)(b) may amend or repeal a provision of sections 3, 5 and 55 in connection with the amendment or repeal of a provision of Part 1 of Schedule 1.
(13)
The Secretary of State may by regulations amend or repeal any provision of Schedule 9 added in exercise of the power conferred by subsection (6), if the Secretary of State considers that it is appropriate to do so because of the risk of harm to children in the United Kingdom presented by regulated provider pornographic content published or displayed on a service of that description.
(14)
In this section—
“comments and reviews on provider content” and “one-to-one live aural communications” have the meaning given by section 55;
“recognised news publisher” has the meaning given by section 56;
“regulated provider pornographic content” and “published or displayed” have the same meaning as in Part 5 (see section 79).
221Powers to amend Part 2 of Schedule 1
England
(1)
The Secretary of State may by regulations amend the part of the list in Part 2 of Schedule 1 which relates to England—
(a)
if there has been an amendment or repeal of legislation, or of a provision of legislation, by reference to which a description of education or childcare is framed;
(b)
to add a further description of education or childcare, if the Secretary of State considers that it is appropriate to do so because of the application of enactments other than this Act, or guidance or requirements (however referred to) produced under enactments other than this Act, to persons providing education or childcare of that description;
(c)
to omit a description of education or childcare, if the Secretary of State considers that it is appropriate to do so because of the risk of harm to individuals in England presented by services provided by persons providing education or childcare of that description which are provided for the purposes of such education or childcare (other than a service described in paragraph 7 of Schedule 1).
(2)
In subsection (1)(b), “enactment” includes an enactment contained in subordinate legislation (within the meaning of the Interpretation Act 1978).
Scotland
(3)
The Scottish Ministers may by regulations amend the part of the list in Part 2 of Schedule 1 which relates to Scotland—
(a)
if there has been an amendment or repeal of legislation, or of a provision of legislation, by reference to which a description of education or childcare is framed;
(b)
to add a further description of education or childcare, if the Scottish Ministers consider that it is appropriate to do so because of the application of enactments other than this Act, or guidance or requirements (however referred to) produced under enactments other than this Act, to persons providing education or childcare of that description;
(c)
to omit a description of education or childcare, if the Scottish Ministers consider that it is appropriate to do so because of the risk of harm to individuals in Scotland presented by services provided by persons providing education or childcare of that description which are provided for the purposes of such education or childcare (other than a service described in paragraph 7 of Schedule 1).
(4)
In subsection (3)(b), “enactment” includes an enactment contained in, or in an instrument made under, an Act of the Scottish Parliament.
Wales
(5)
The Welsh Ministers may by regulations made by statutory instrument amend the part of the list in Part 2 of Schedule 1 which relates to Wales—
(a)
if there has been an amendment or repeal of legislation, or of a provision of legislation, by reference to which a description of education or childcare is framed;
(b)
to add a further description of education or childcare, if the Welsh Ministers consider that it is appropriate to do so because of the application of enactments other than this Act, or guidance or requirements (however referred to) produced under enactments other than this Act, to persons providing education or childcare of that description;
(c)
to omit a description of education or childcare, if the Welsh Ministers consider that it is appropriate to do so because of the risk of harm to individuals in Wales presented by services provided by persons providing education or childcare of that description which are provided for the purposes of such education or childcare (other than a service described in paragraph 7 of Schedule 1).
(6)
In subsection (5)(b), “enactment” includes an enactment contained in, or in an instrument made under, a Measure or Act of Senedd Cymru.
Northern Ireland
(7)
The relevant Department may by regulations amend the part of the list in Part 2 of Schedule 1 which relates to Northern Ireland—
(a)
if there has been an amendment or repeal of legislation, or of a provision of legislation, by reference to which a description of education or childcare is framed;
(b)
to add a further description of education or childcare, if the relevant Department considers that it is appropriate to do so because of the application of enactments other than this Act, or guidance or requirements (however referred to) produced under enactments other than this Act, to persons providing education or childcare of that description;
(c)
to omit a description of education or childcare, if the relevant Department considers that it is appropriate to do so because of the risk of harm to individuals in Northern Ireland presented by services provided by persons providing education or childcare of that description which are provided for the purposes of such education or childcare (other than a service described in paragraph 7 of Schedule 1).
(8)
In subsection (7), “the relevant Department” means—
(a)
where the amendment relates to childcare, primary education or secondary education, the Department of Education in Northern Ireland;
(b)
where the amendment relates to further education or higher education, the Department for the Economy in Northern Ireland with the concurrence of the Department of Agriculture, Environment and Rural Affairs in Northern Ireland, or the Department of Agriculture, Environment and Rural Affairs in Northern Ireland with the concurrence of the Department for the Economy in Northern Ireland;
(c)
where the amendment relates to education in agriculture and related subjects, the Department of Agriculture, Environment and Rural Affairs in Northern Ireland.
(9)
In subsection (7)(b), “enactment” includes an enactment contained in, or in an instrument made under, Northern Ireland legislation.
Interpretation
(10)
In this section, the following terms have the same meaning as in Schedule 1—
“childcare”;
“education”;
“education in agriculture and related subjects”;
“further education”;
“higher education”;
“primary education”;
“secondary education”.
222Powers to amend Schedules 5, 6 and 7
(1)
The Secretary of State may by regulations amend—
(a)
Schedule 5 (terrorism offences);
(b)
Part 1 of Schedule 6 (child sexual exploitation and abuse offences).
(2)
The Scottish Ministers may by regulations amend Part 2 of Schedule 6.
(3)
The Secretary of State may by regulations amend Schedule 7 (priority offences).
But an offence may be added to that Schedule only on the grounds in subsection (4) or (5), and subsection (6) limits the power to add an offence.
(4)
The first ground for adding an offence to Schedule 7 is that the Secretary of State considers it appropriate to do so because of—
(a)
the prevalence on regulated user-to-user services of regulated user-generated content that amounts to that offence, or the prevalence on regulated search services and combined services of search content that amounts to that offence,
(b)
the risk of harm to individuals in the United Kingdom presented by regulated user-generated content or search content that amounts to that offence, and
(c)
the severity of that harm.
(5)
The second ground for adding an offence to Schedule 7 is that the Secretary of State considers it appropriate to do so because of—
(a)
the prevalence of the use of regulated user-to-user services for the commission or facilitation of that offence,
(b)
the risk of harm to individuals in the United Kingdom presented by the use of such services for the commission or facilitation of that offence, and
(c)
the severity of that harm.
(6)
An offence may not be added to Schedule 7 if—
(a)
the offence concerns—
(i)
the infringement of intellectual property rights,
(ii)
the safety or quality of goods (as opposed to what kind of goods they are), or
(iii)
the performance of a service by a person not qualified to perform it; or
(b)
it is an offence under the Consumer Protection from Unfair Trading Regulations 2008 (S.I. 2008/1277).
(7)
The Secretary of State must consult the Scottish Ministers before making regulations under subsection (3) which—
(a)
add an offence that extends only to Scotland, or
(b)
amend or remove an entry specifying an offence that extends only to Scotland.
(8)
The Secretary of State must consult the Department of Justice in Northern Ireland before making regulations under subsection (3) which—
(a)
add an offence that extends only to Northern Ireland, or
(b)
amend or remove an entry specifying an offence that extends only to Northern Ireland.
(9)
In this section—
(a)
“regulated user-generated content” has the same meaning as in Part 3 (see section 55);
(b)
“search content” has the same meaning as in Part 3 (see section 57);
(c)
references to content that amounts to an offence are to be construed in accordance with section 59 (see subsections (3), (11) and (12) of that section).
Regulations
223Power to make consequential provision
(1)
The Secretary of State may by regulations make provision that is consequential on this Act or regulations under this Act.
(2)
The regulations may—
(a)
amend or repeal provision made by the Communications Act;
(b)
amend or revoke provision made under that Act.
(3)
The regulations may make transitional, transitory or saving provision.
224Regulations: general
(1)
Regulations under this Act may make different provision for different purposes and may, in particular—
(a)
make different provision with regard to—
(i)
user-to-user services,
(ii)
search services, and
(iii)
internet services, other than regulated user-to-user services or regulated search services, that are within section 80(2);
(b)
make different provision with regard to user-to-user services of different kinds;
(c)
make different provision with regard to search services of different kinds;
(d)
make different provision with regard to different kinds of services mentioned in paragraph (a)(iii);
(e)
make different provision with regard to different kinds of internet services within section 80(2).
(2)
A power to make regulations under this Act includes power to make supplementary, incidental, transitional, transitory or saving provision.
This subsection does not apply to regulations under section 223 (consequential provision).
(3)
Any power of the Secretary of State or OFCOM under this Act to make regulations is exercisable by statutory instrument.
(4)
The Statutory Instruments Act 1946 applies in relation to OFCOM’s powers to make regulations under this Act as if OFCOM were a Minister of the Crown.
(5)
The Documentary Evidence Act 1868 (proof of orders and regulations etc) has effect as if—
(a)
OFCOM were included in the first column of the Schedule to that Act;
(b)
OFCOM and persons authorised to act on their behalf were mentioned in the second column of that Schedule.
(6)
This section does not apply to regulations under section 240 (commencement and transitional provision).
225Parliamentary procedure for regulations
(1)
A statutory instrument containing (whether alone or with other provision)—
(a)
regulations under section 77(12),
(b)
regulations under section 85(1),
(c)
regulations under section 114(2),
(d)
regulations under section 169(3),
(e)
regulations under section 211(2),
(f)
regulations under section 215(1),
(g)
regulations under section 217(1),
(h)
regulations under section 218(1),
(i)
regulations under section 220(1), (2), (4), (6), (7), (9) or (13),
(j)
regulations under section 221(1),
(l)
regulations under section 223 that amend or repeal provision made by the Communications Act,
(m)
regulations under paragraph 7 of Schedule 4,
(n)
regulations under paragraph 38 of Schedule 8,
(o)
regulations under paragraph 7 of Schedule 10, or
(p)
regulations under paragraph 5(9) of Schedule 13,
may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.
(2)
A statutory instrument containing regulations under section 219(1) may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.
(3)
But a statutory instrument mentioned in subsection (2) may be made without a draft of the instrument being laid before, and approved by a resolution of, each House of Parliament if it contains a declaration that the Secretary of State is of the opinion that, because of urgency, it is necessary to make the regulations without a draft being so laid and approved.
(4)
After an instrument is made in accordance with subsection (3), it must be laid before Parliament.
(5)
Regulations contained in an instrument made in accordance with subsection (3) cease to have effect at the end of the period of 28 days beginning with the day on which the instrument is made unless, during that period, the instrument is approved by a resolution of each House of Parliament.
(6)
In calculating the period of 28 days, no account is to be taken of any whole days that fall within a period during which—
(a)
Parliament is dissolved or prorogued, or
(b)
either House of Parliament is adjourned for more than 4 days.
(7)
If regulations cease to have effect as a result of subsection (5), that does not—
(a)
affect the validity of anything previously done under or by virtue of the regulations, or
(b)
prevent the making of new regulations.
(8)
A statutory instrument containing the first regulations under paragraph 1(1) of Schedule 11 (whether alone or with regulations under paragraph 1(2) or (3) of that Schedule) may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.
(9)
Any other statutory instrument containing regulations under paragraph 1(1) of Schedule 11 is subject to annulment in pursuance of a resolution of either House of Parliament.
(10)
A statutory instrument containing—
(a)
regulations under section 67(1),
(b)
regulations under section 85(2),
(c)
regulations under section 86,
(d)
regulations under section 170(1),
(e)
regulations under section 223 that do not amend or repeal provision made by the Communications Act,
(f)
regulations under paragraph 8(1) of Schedule 3, or
is subject to annulment in pursuance of a resolution of either House of Parliament.
(11)
As soon as a draft of a statutory instrument containing regulations under section 85(1) or paragraph 5(9) of Schedule 13 (whether alone or with provision under section 85(2)) is ready for laying before Parliament, OFCOM must send the draft to the Secretary of State, and the Secretary of State must lay the draft before Parliament.
(12)
Immediately after making a statutory instrument containing only regulations under section 85(2), OFCOM must send the instrument to the Secretary of State, and the Secretary of State must lay it before Parliament.
(13)
Regulations made by the Scottish Ministers under—
(a)
section 221(3), and
(b)
section 222(2),
are subject to the affirmative procedure (see section 29 of the Interpretation and Legislative Reform (Scotland) Act 2010 (asp 10)).
(14)
A statutory instrument containing regulations under section 221(5) may not be made by the Welsh Ministers unless a draft of the instrument has been laid before and approved by a resolution of Senedd Cymru.
(15)
The power of the relevant Department to make regulations under section 221(7) is exercisable by statutory rule for the purposes of the Statutory Rules (Northern Ireland) Order 1979 (S.I. 1979/1573 (N.I. 12)).
(16)
Regulations may not be made by the relevant Department under section 221(7) unless a draft of the regulations has been laid before and approved by a resolution of the Northern Ireland Assembly.
(17)
PART 12Interpretation and final provisions
Interpretation
226“Provider” of internet service
(1)
This section applies to determine who is the “provider” of an internet service for the purposes of this Act.
User-to-user services (other than combined services)
(2)
The provider of a user-to-user service is to be treated as being the entity that has control over who can use the user-to-user part of the service (and that entity alone).
(3)
If no entity has control over who can use the user-to-user part of a user-to-user service, but an individual or individuals have control over who can use that part, the provider of the service is to be treated as being that individual or those individuals.
Search services
(4)
The provider of a search service is to be treated as being the entity that has control over the operations of the search engine (and that entity alone).
(5)
If no entity has control over the operations of the search engine, but an individual or individuals have control over those operations, the provider of the search service is to be treated as being that individual or those individuals.
Combined services
(6)
The provider of a combined service is to be treated as being the entity that has control over both—
(a)
who can use the user-to-user part of the service, and
(b)
the operations of the search engine,
(and that entity alone).
(7)
If no entity has control over the matters mentioned in paragraphs (a) and (b) of subsection (6), but an individual or individuals have control over both those matters, the provider of the combined service is to be treated as being that individual or those individuals.
Internet services other than user-to-user services or search services
(8)
The provider of an internet service, other than a user-to-user service or a search service, is to be treated as being the entity that has control over which content is published or displayed on the service.
(9)
If no entity has control over which content is published or displayed on such an internet service, but an individual or individuals have control over which content is published or displayed, the provider of the service is to be treated as being that individual or those individuals.
Machine-generated services
(10)
The provider of an internet service that is generated by a machine is to be treated as being the entity that controls the machine (and that entity alone).
(11)
If no entity controls the machine, but an individual or individuals control it, the provider of the internet service is to be treated as being that individual or those individuals.
Interpretation
(12)
A person who provides an access facility in relation to a user-to-user service, within the meaning of section 146, is not to be regarded as a person who has control over who can use the user-to-user part of the service for the purposes of this section.
(13)
In this section “operations of the search engine” means operations which—
(a)
enable users of a search service or a combined service to make search requests, and
(b)
generate responses to those requests.
(14)
In this section “published or displayed” is to be construed in accordance with section 79(6).
(15)
227“User”, “United Kingdom user” and “interested person”
(1)
For the purposes of this Act a user is a “United Kingdom user” of a service if—
(a)
where the user is an individual, the individual is in the United Kingdom;
(b)
where the user is an entity, the entity is incorporated or formed under the law of any part of the United Kingdom.
(2)
For the purposes of references in this Act to a user of a service it does not matter whether a person is registered to use a service.
(3)
References in this Act to a user of a service do not include references to any of the following when acting in the course of the provider’s business—
(a)
where the provider of the service is an individual or individuals, that individual or those individuals;
(b)
where the provider is an entity, officers of the entity;
(c)
persons who work for the provider (including as employees or volunteers);
(d)
any other person providing a business service to the provider such as a contractor, consultant or auditor.
(4)
In subsection (3) “acting in the course of the provider’s business” means (as the case may be)—
(a)
acting in the course of the provider’s business of providing the service, or
(b)
acting in the course of a business, trade, profession or other concern—
(i)
carried on (whether or not for profit) by the provider of the service, and
(ii)
for the purposes of which the service is provided.
(5)
(6)
In subsection (3) “officer” includes a director, manager, partner, associate, secretary or other similar officer.
(7)
In this Act “interested person”, in relation to a search service or a combined service, means a person that is responsible for a website or database capable of being searched by the search engine, provided that—
(a)
in the case of an individual, the individual is in the United Kingdom;
(b)
in the case of an entity, the entity is incorporated or formed under the law of any part of the United Kingdom.
228“Internet service”
(1)
In this Act “internet service” means a service that is made available by means of the internet.
(2)
For the purposes of subsection (1) a service is “made available by means of the internet” even where it is made available by means of a combination of—
(a)
the internet, and
(b)
an electronic communications service.
(3)
“Electronic communications service” has the same meaning as in the Communications Act (see section 32(2) of that Act).
229“Search engine”
(1)
In this Act “search engine”—
(a)
includes a service or functionality which enables a person to search some websites or databases (as well as a service or functionality which enables a person to search (in principle) all websites or databases);
(b)
does not include a service which enables a person to search just one website or database.
(2)
For the purposes of this Act, a search engine is not to be taken to be “included” in an internet service or a user-to-user service if the search engine is controlled by a person who does not control other parts of the service.
230“Age verification” and “age estimation”
(1)
This section applies for the purposes of this Act.
(2)
“Age verification” means any measure designed to verify the exact age of users of a regulated service.
(3)
“Age estimation” means any measure designed to estimate the age or age-range of users of a regulated service.
(4)
A measure which requires a user to self-declare their age (without more) is not to be regarded as age verification or age estimation.
231“Proactive technology”
(1)
In this Act “proactive technology” means—
(a)
content identification technology,
(b)
user profiling technology, or
(c)
behaviour identification technology,
(2)
“Content identification technology” means technology, such as algorithms, keyword matching, image matching or image classification, which analyses content to assess whether it is content of a particular kind (for example, illegal content).
(3)
But content identification technology is not to be regarded as proactive technology if it is used in response to a report from a user or other person about particular content.
(4)
“User profiling technology” means technology which analyses (any or all of)—
(a)
relevant content,
(b)
user data, or
(c)
metadata relating to relevant content or user data,
for the purposes of building a profile of a user to assess characteristics such as age.
(5)
Technology which—
(a)
analyses data specifically provided by a user for the purposes of the provider verifying or estimating the user’s age in order to decide whether to allow the user to access a service (or part of a service) or particular content, and
(b)
does not analyse any other data or content,
is not to be regarded as user profiling technology.
(6)
“Behaviour identification technology” means technology which analyses (any or all of)—
(a)
relevant content,
(b)
user data, or
(c)
metadata relating to relevant content or user data,
to assess a user’s online behaviour or patterns of online behaviour (for example, to assess whether a user may be involved in, or be the victim of, illegal activity).
(7)
But behaviour identification technology is not to be regarded as proactive technology if it is used in response to concerns identified by another person or an automated tool about a particular user.
(8)
“Relevant content” means—
(a)
in relation to a user-to-user service, content that is user-generated content in relation to the service;
(b)
in relation to a search service, the content of websites and databases capable of being searched by the search engine;
(c)
in relation to an internet service within section 80(2), content that is provider pornographic content in relation to the service.
(9)
“User data” means—
(a)
data provided by users, including personal data (for example, data provided when a user sets up an account), and
(b)
data created, compiled or obtained by providers of regulated services and relating to users (for example, data relating to when or where users access a service or how they use it).
(10)
References in this Act to proactive technology include content identification technology, user profiling technology or behaviour identification technology which utilises artificial intelligence or machine learning.
(11)
Accredited technology that may be required to be used in relation to the detection of terrorism content or CSEA content (or both) by a notice under section 121(1) is an example of content identification technology.
(12)
The reference in subsection (8)(b) to a search service includes a reference to the search engine of a combined service.
(13)
In this section—
“accredited” technology has the same meaning as in Chapter 5 of Part 7 (see section 125(12));
“illegal content”, “terrorism content” and “CSEA content” have the same meaning as in Part 3 (see section 59);
“user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).
232Content communicated “publicly” or “privately”
(1)
This section specifies factors which OFCOM must, in particular, consider when deciding whether content is communicated “publicly” or “privately” by means of a user-to-user service for the purposes of—
(a)
section 121 (notice to deal with terrorism content),
(b)
section 136 (requirement to use proactive technology), or
(c)
paragraph 13(4) of Schedule 4 (recommendation of proactive technology in codes of practice).
(2)
The factors are—
(a)
the number of individuals in the United Kingdom who are able to access the content by means of the service;
(b)
any restrictions on who may access the content by means of the service (for example, a requirement for approval or permission from a user, or the provider, of the service);
(c)
the ease with which the content may be forwarded to or shared with—
(i)
users of the service other than those who originally encounter it, or
(ii)
users of another internet service.
(3)
The following factors do not count as restrictions on access—
(a)
a requirement to log in to or register with a service (or part of a service);
(b)
a requirement to make a payment or take out a subscription in order to access a service (or part of a service) or to access particular content;
(c)
inability to access a service (or part of a service) or to access particular content except by using particular technology or a particular kind of device (as long as that technology or device is generally available to the public).
233“Functionality”
(1)
In this Act “functionality”, in relation to a user-to-user service, includes any feature that enables interactions of any description between users of the service by means of the service, and includes any feature enabling a user to do anything listed in subsection (2).
(2)
The things are—
(a)
creating a user profile, including an anonymous or pseudonymous profile;
(b)
searching within the service for user-generated content or other users of the service;
(c)
forwarding content to, or sharing content with, other users of the service;
(d)
sharing content on other internet services;
(e)
sending direct messages to or speaking to other users of the service, or interacting with them in another way (for example by playing a game);
(f)
expressing a view on content, including, for example, by—
(i)
applying a “like” or “dislike” button or other button of that nature,
(ii)
applying an emoji or symbol of any kind,
(iii)
engaging in yes/no voting, or
(iv)
rating or scoring content in any way (including giving star or numerical ratings);
(g)
sharing current or historic location information with other users of the service, recording a user’s movements, or identifying which other users of the service are nearby;
(h)
following or subscribing to particular kinds of content or particular users of the service;
(i)
creating lists, collections, archives or directories of content or users of the service;
(j)
tagging or labelling content present on the service;
(k)
uploading content relating to goods or services;
(l)
applying or changing settings on the service which affect the presentation of user-generated content on the service;
(m)
accessing other internet services through content present on the service (for example through hyperlinks).
(3)
In this Act “functionality”, in relation to a search service, includes (in particular)—
(a)
a feature that enables users to search websites or databases;
(b)
a feature that makes suggestions relating to users’ search requests (predictive search functionality).
(4)
234“Harm” etc
(1)
This section applies for the purposes of this Act, apart from Part 10 (communications offences).
(2)
“Harm” means physical or psychological harm.
(3)
References to harm presented by content, and any other references to harm in relation to content, include references to harm arising or that may arise from any one or combination of the following—
(a)
the nature of the content;
(b)
the fact of its dissemination;
(c)
the manner of its dissemination.
(4)
References to harm presented by content, and any other references to harm in relation to content, include references to cumulative harm arising or that may arise in the following circumstances—
(a)
where content, or content of a particular kind, is repeatedly encountered by an individual (including, but not limited to, where content, or a kind of content, is sent to an individual by one user or by different users or encountered as a result of algorithms used by, or functionalities of, a service);
(b)
where content of a particular kind is encountered by an individual in combination with content of a different kind (including, but not limited to, where a kind of content is sent to an individual by one user or by different users or encountered as a result of algorithms used by, or functionalities of, a service).
(5)
References to harm presented by content, and any other references to harm in relation to content, include references to harm arising or that may arise in the following circumstances—
(a)
where, as a result of the content, individuals act in a way that results in harm to themselves or that increases the likelihood of harm to themselves;
(b)
where, as a result of the content, individuals do or say something to another individual that results in harm to that other individual or that increases the likelihood of such harm (including, but not limited to, where individuals act in such a way as a result of content that is related to that other individual’s characteristics or membership of a group).
(6)
References to a risk of harm in relation to functionalities, and references to the risk of functionalities facilitating users encountering particular kinds of content (however expressed), include references to risks arising or that may arise due to multiple functionalities which, used in combination, increase the likelihood of harm arising (for example, as mentioned in subsection (4)).
(7)
References to a risk of harm, or to potential harm, are to be read in the same way as references to harm.
(8)
235“Online safety functions” and “online safety matters”
(1)
In this Act references to OFCOM’s “online safety functions”—
(a)
are references to—
(i)
the functions that OFCOM have under this Act,
(ii)
the functions that OFCOM have under the provisions of the Communications Act listed in subsection (2), so far as those functions relate to regulated services or Part 3 services (as the case may be), and
(2)
These are the provisions of the Communications Act referred to in subsection (1)(a)(ii)—
(a)
section 6 (duties to review regulatory burdens);
(b)
section 7 (duty to carry out impact assessments);
(c)
section 8 (duty to publish and meet promptness standards);
(d)
sections 11 and 11A (duties to promote media literacy);
(e)
sections 12 and 13 (Content Board);
(f)
section 14(6)(a) (research about media literacy);
(g)
section 14(6B) (research about users’ experience of regulated services);
(h)
section 16 (consumer consultation);
(i)
section 20 (advisory committees for different parts of the United Kingdom);
(j)
section 21 (advisory committee on elderly and disabled persons);
(k)
section 22 (representation on international and other bodies);
(l)
section 26 (publication of information and advice for consumers etc).
(3)
References to OFCOM’s “online safety functions” also include references to OFCOM’s duty to comply with any of the following, so far as relating to the use of a regulated service by a person who has died—
(a)
a notice from a senior coroner under paragraph 1(2) of Schedule 5 to the Coroners and Justice Act 2009 in connection with an investigation into a person’s death;
(b)
a request for information in connection with the investigation of a procurator fiscal into, or an inquiry held or to be held in relation to, a person’s death;
(c)
a notice from a coroner under section 17A(2) of the Coroners Act (Northern Ireland) 1959 (c. 15 (N.I.)) in connection with—
(i)
an investigation to determine whether an inquest into a person’s death is necessary, or
(ii)
an inquest in relation to a person’s death.
(4)
In this Act “online safety matters” means the matters to which OFCOM’s online safety functions relate.
(5)
In subsection (3)(b) “inquiry” means an inquiry held, or to be held, under the Inquiries into Fatal Accidents and Sudden Deaths etc. (Scotland) Act 2016 (asp 2).
236Interpretation: general
(1)
In this Act—
“adult” means a person aged 18 or over;
“audit notice” means a notice given under paragraph 4 of Schedule 12;
“automated tool” includes bot;
“capacity”: any reference to the capacity of a provider of a regulated service is to—
(a)
the financial resources of the provider, and
(b)
the level of technical expertise which is available to the provider, or which it is reasonable to expect would be available to the provider given its size and financial resources;
“child” means a person under the age of 18;
“the Communications Act” means the Communications Act 2003;
“confirmation decision” means a notice given under section 132;
“content” means anything communicated by means of an internet service, whether publicly or privately, including written material or messages, oral communications, photographs, videos, visual images, music and data of any description;
“the Convention” has the meaning given by section 21(1) of the Human Rights Act 1998;
“country” includes territory;
“document” means anything in which information (in whatever form) is recorded;
“encounter”, in relation to content, means read, view, hear or otherwise experience content;
“entity” means a body or association of persons or an organisation, regardless of whether the body, association or organisation is—
(a)
formed under the law of any part of the United Kingdom or of a country outside the United Kingdom, or
(b)
a legal person under the law under which it is formed;
“identifying content” means content the function of which is to identify a user of an internet service (for example, a user name or profile picture);
“information notice” means a notice given under section 100(1) or 101(1);
“measure”: any reference to a measure includes a reference to any system or process relevant to the operation of an internet service or any step or action which may be taken by a provider of an internet service to comply with duties or requirements under this Act;
“notice” means notice in writing;
“notify” means notify in writing, and “notification” is to be construed accordingly;
“OFCOM” means the Office of Communications;
“paid-for advertisement”: an advertisement is a “paid-for advertisement” in relation to an internet service if—
(a)
the provider of the service receives any consideration (monetary or non-monetary) for the advertisement (whether directly from the advertiser or indirectly from another person), and
(b)
the placement of the advertisement is determined by systems or processes that are agreed between the parties entering into the contract relating to the advertisement;
“person” includes (in addition to an individual and a body of persons corporate or unincorporate) any organisation or association of persons;
“personal data” has the meaning given by section 3(2) of the Data Protection Act 2018;
“pornographic content” means content of such a nature that it is reasonable to assume that it was produced solely or principally for the purpose of sexual arousal;
“processing” has the meaning given by section 3(4) of the Data Protection Act 2018;
“provisional notice of contravention” means a notice given under section 130;
“publicly available” means available to members of the public in the United Kingdom;
“systems and/or processes”: any reference to systems and/or processes is to human or automated systems and/or processes, and accordingly includes technologies;
“taking down” (content): any reference to taking down content is to any action that results in content being removed from a user-to-user service or being permanently hidden so users of the service cannot encounter it (and related expressions are to be read accordingly);
“terms of service”, in relation to a user-to-user service, means all documents (whatever they are called) comprising the contract for use of the service (or of part of it) by United Kingdom users;
“user-to-user part”, in relation to a user-to-user service, means the part of the service on which content that is user-generated content in relation to the service is present.
(2)
(3)
References in this Act to an individual with a certain characteristic include references to an individual with a combination of characteristics.
(4)
References in this Act to a kind of user-to-user service or search service (or Part 3 service) include references to user-to-user services or search services grouped together for the purposes of a risk profile prepared by OFCOM under section 98 (and references to different kinds of user-to-user services or search services (or Part 3 services) are to be read accordingly).
(5)
References in this Act to content (or content of a particular kind) present or prevalent on a user-to-user service (or on a part of it), or to the presence, incidence or prevalence of content (or content of a particular kind) on a user-to-user service (or on a part of it), do not include, in the case of a user-to-user service that includes a search engine—
(a)
search content, or
(b)
any other content that, following a search request, may be encountered as a result of subsequent interactions with internet services.
In this subsection “search content” and “search request” have the same meaning as in Part 3 (see section 57).
(6)
For the purposes of this Act—
(a)
any reference to the use of or access to a service, or to content present, published or displayed on a service, is to be taken to include use of or access to the service or content on registering or on the making of a payment or on subscription;
(b)
any reference to content that is made available or that may be accessed, encountered or shared, is to be taken to include content that is made available or that may be accessed, encountered or shared for a limited period of time only;
and references to restrictions on access to a service or to content are to be read accordingly.
(7)
For the purposes of this Act, content that is user-generated content in relation to an internet service does not cease to be such content in relation to the service when published or displayed on the service by means of—
(a)
software or an automated tool or algorithm applied by the provider of the service or by a person acting on behalf of the provider, or
(b)
an automated tool or algorithm made available on the service by the provider or by a person acting on behalf of the provider.
(8)
Nothing in this Act (other than section 212) affects any prohibition or restriction in relation to pornographic content, or powers in relation to such content, under another enactment or rule of law.
(9)
237Index of defined terms
The following table sets out terms defined or explained for this Act or for a Part of this Act.
Term | Provision |
---|---|
adult | section 236 |
age estimation | section 230 |
age verification | section 230 |
audit notice | section 236 |
automated tool | section 236 |
capacity (of a provider) | section 236 |
Category 1 service | section 95(10)(a) |
Category 2A service | section 95(10)(b) |
Category 2B service | section 95(10)(c) |
charging year (in Part 6) | section 90 |
child | section 236 |
children’s access assessment (in Part 3) | section 35 |
combined service | section 4(7) |
the Communications Act | section 236 |
confirmation decision | section 236 |
content | section 236 |
content that is harmful to children (in Part 3) | section 60 |
the Convention | section 236 |
country | section 236 |
CSEA content (in Part 3) | section 59 |
document | section 236 |
encounter (content) (except in Part 10) | section 236 |
entity | section 236 |
freedom of expression | section 236 |
functionality | section 233 |
harm (except in Part 10) | section 234 |
identifying content | section 236 |
illegal content (in Part 3) | section 59 |
information notice | section 236 |
initial charging year (in Part 6) | section 90 |
interested person | section 227 |
internet service | section 228 (see also section 204(1)) |
journalistic content (in Part 3) | section 19 |
likely to be accessed by children (in Part 3) | section 37 |
measure | section 236 |
news publisher content (in Part 3) | |
non-designated content that is harmful to children (in Part 3) | section 60 |
notice | section 236 |
notify, notification | section 236 |
OFCOM | section 236 |
online safety functions | section 235 |
online safety matters | section 235 |
paid-for advertisement | section 236 |
Part 3 service | section 4(3) |
person (except in Part 10) | section 236 |
personal data | section 236 |
pornographic content | section 236 |
primary priority content that is harmful to children (in Part 3) | section 61 |
priority content that is harmful to children (in Part 3) | section 62 |
priority illegal content (in Part 3) | section 59 |
priority offence (in Part 3) | section 59 |
proactive technology | section 231 |
processing (of data) | section 236 |
provider | section 226 |
provider pornographic content (in Part 5) | section 79 |
provisional notice of contravention | section 236 |
publicly available | section 236 |
publicly/privately (in relation to communication of content) | section 232 |
published or displayed (in relation to pornographic content) (in Part 5) | section 79 |
recognised news publisher (in Part 3) | section 56 |
regulated provider pornographic content (in Part 5) | section 79 |
regulated search service | section 4(2) |
regulated service | section 4(4) |
regulated user-generated content (in Part 3) | section 55 |
regulated user-to-user service | section 4(2) |
restricting users’ access to content (in Part 3) | section 58 |
search | section 57 |
search content | section 57 |
search engine | section 229 |
search request | section 57 |
search results | section 57 |
search service | section 3 (see also section 204(1)) |
systems and/or processes | section 236 |
taking down (content) | section 236 |
terms of service | section 236 |
terrorism content (in Part 3) | section 59 |
United Kingdom user | section 227 |
user | section 227 |
user-generated content (in Part 3) | |
user-to-user part (of a service) | section 236 |
user-to-user service | section 3 (see also section 204(1)) |
Final provisions
238Financial provisions
There is to be paid out of money provided by Parliament—
(a)
any expenditure incurred under or by virtue of this Act by the Secretary of State, and
(b)
any increase attributable to this Act in the sums payable under any other Act out of money so provided.
239Extent
(1)
Subject to the following provisions of this section, this Act extends to England and Wales, Scotland and Northern Ireland.
(2)
The following provisions extend to England and Wales and Northern Ireland—
(a)
sections 179 to 183;
(b)
section 189(1).
(3)
The following provisions extend to England and Wales only—
(a)
section 187;
(b)
section 188;
(c)
section 189(2);
(d)
section 190;
(e)
section 213;
(4)
(5)
The following provisions extend to Northern Ireland only—
(a)
section 189(3);
(6)
An amendment or repeal made by Schedule 14 has the same extent within the United Kingdom as the provision amended or repealed.
(7)
His Majesty may by Order in Council provide for any of the provisions of this Act to extend, with or without modifications, to the Bailiwick of Guernsey or to the Isle of Man.
(8)
Subsections (1) and (2) of section 224 apply to an Order in Council under subsection (7) as they apply to regulations under this Act.
(9)
The power conferred by section 411(6) of the Communications Act may be exercised so as to extend to the Bailiwick of Guernsey or the Isle of Man any amendment or repeal made by or under this Act of any part of that Act (with or without modifications).
(10)
The power conferred by section 338 of the Criminal Justice Act 2003 may be exercised so as to extend to the Bailiwick of Guernsey or the Isle of Man the amendments of provisions of that Act made by paragraph 17 of Schedule 14.
(11)
The power conferred by section 60(6) of the Modern Slavery Act 2015 may be exercised so as to extend to the Bailiwick of Guernsey or the Isle of Man the amendments of Schedule 4 to that Act made by paragraph 19 of Schedule 14.
(12)
The power conferred by section 415(1) of the Sentencing Act 2020 may be exercised so as to extend to the Bailiwick of Guernsey or the Isle of Man the amendments of Schedule 18 to that Act made by paragraph 20 of Schedule 14.
240Commencement and transitional provision
(1)
Except as provided by subsection (4), this Act comes into force on such day as the Secretary of State may by regulations appoint.
(2)
The power to make regulations under subsection (1) includes power to appoint different days for different purposes.
(3)
Regulations under subsection (1) may not bring section 210 into force before the end of the period of six months beginning with the date specified in regulations under paragraph 8(1) of Schedule 3.
(4)
The following provisions come into force on the day on which this Act is passed—
(a)
Parts 1 and 2;
(b)
Chapter 1 of Part 3;
(c)
section 41, except subsection (4) of that section;
(d)
section 42 and Schedule 4;
(e)
sections 43 to 48;
(g)
section 53, except subsection (2) of that section;
(h)
Chapter 7 of Part 3 and Schedules 5, 6 and 7;
(i)
section 70;
(j)
section 74;
(k)
section 79;
(l)
section 80(4);
(m)
section 82;
(n)
sections 90 and 91;
(o)
section 93;
(p)
section 94 and Schedule 11;
(q)
Chapter 3 of Part 7;
(r)
sections 115 to 117;
(s)
section 129;
(t)
section 151;
(u)
section 154 so far as relating to a duty imposed on OFCOM under Schedule 11;
(v)
sections 169 and 170;
(w)
section 193, except subsection (2)(b) of that section;
(x)
section 194;
(y)
section 204(1);
(z)
section 207;
z1
section 212;
z2
section 214;
z3
section 219;
z4
sections 221 to 225;
z5
this Part.
(5)
The Secretary of State may by regulations make transitional, transitory or saving provision in connection with the coming into force of any provision of this Act.
(6)
The power to make regulations under subsection (5) includes power to make different provision for different purposes.
(7)
Regulations under this section are to be made by statutory instrument.
241Short title
This Act may be cited as the Online Safety Act 2023.