Metaverse Platforms Online Safety Bill 

UK Metaverse Platforms Online Safety Bill

Loading

UK Metaverse Platforms Online Safety Bill

Make provision for and in connection with the regulation by OFCOM of
certain internet services; for and in connection with communications offences;
and for connected purposes.

B

by the Queen’s most Excellent Majesty, by and with the advice and
consent of the Lords Spiritual and Temporal, and Commons, in this present
Parliament assembled, and by the authority of the same, as follows:—
E IT ENACTED

PART 1
INTRODUCTION
1

Overview of Act
(1)

Parts 2 to 9 and 11 and 12 of this Act contain provision about the regulation by
OFCOM of certain internet services.

(2)

Part 2 contains key definitions, including the definition of a user-to-user
service, a search service, a Part 3 service and a regulated service.

(3)

Part 3 imposes duties of care on providers of user-to-user services and search
services and requires OFCOM to issue codes of practice about those duties.

(4)

Part 4 imposes further duties on providers of user-to-user services and search
services.

(5)

Part 5 imposes duties on providers of internet services (including user-to-user
services and search services) that publish certain pornographic content.

(6)

Part 6, which imposes requirements to pay fees to OFCOM, applies to
providers of internet services to which the duties in Part 3, 4 or 5 apply
(“regulated services”).

(7)

Part 7 is about OFCOM’s powers and duties in relation to regulated services
(including powers to obtain information and enforcement powers).

Bill 121

58/3

5

10

15

2

Part 1 — Introduction

(8)

Part 8 is about appeals and complaints relating to regulated services.

(9)

Part 9 is about the Secretary of State’s functions in relation to regulated
services.

(10)

Part 10 contains communications offences.

(11)

Parts 11 and 12 contain supplementary provisions including an index of terms
defined in this Act (see section 193).

5

PART 2
KEY DEFINITIONS
2

“User-to-user service” and “search service”
(1)

In this Act “user-to-user service” means an internet service by means of which
content that is generated directly on the service by a user of the service, or
uploaded to or shared on the service by a user of the service, may be
encountered by another user, or other users, of the service.

(2)

For the purposes of subsection (1)—
(a) it does not matter if content is actually shared with another user or
users as long as a service has a functionality that allows such sharing;
(b) it does not matter what proportion of content on a service is content
described in that subsection.

(3)

For the meaning of “content” and “encounter”, see section 192.

(4)

In this Act “search service” means an internet service that is, or includes, a
search engine (see section 186).

(5)

Subsections (6) and (7) have effect to determine whether an internet service
that—
(a) is of a kind described in subsection (1), and
(b) includes a search engine,
is a user-to-user service or a search service for the purposes of this Act.

(6)

(7)
3

It is a search service if the only content described in subsection (1) that is
enabled by the service is content of any of the following kinds—
(a) content mentioned in paragraph 1, 2 or 3 of Schedule 1 (emails, SMS
and MMS messages, one-to-one live aural communications) and
related identifying content;
(b) content arising in connection with any of the activities described in
paragraph 4(1) of Schedule 1 (comments etc on provider content);
(c) content present on a part of the service in relation to which the
conditions in paragraph 7(2) of Schedule 1 are met (internal business
service conditions).

10

15

20

25

30

35

Otherwise, it is a user-to-user service.
“Regulated service”, “Part 3 service” etc

(1)

This section applies for the purposes of this Act.

(2)

A user-to-user service is a “regulated user-to-user service”, and a search service
is a “regulated search service”, if the service—

40

Part 2 — Key definitions

(a)
(b)

3

has links with the United Kingdom (see subsections (5) and (6)), and
is not—
(i) a service of a description that is exempt as provided for by
Schedule 1, or
(ii) a service of a kind described in Schedule 2 (services combining
user-generated content or search content not regulated by this
Act with pornographic content that is regulated).

(3)

“Part 3 service” means a regulated user-to-user service or a regulated search
service.

(4)

“Regulated service” means—
(a) a regulated user-to-user service,
(b) a regulated search service, or
(c) an internet service, other than a regulated user-to-user service or a
regulated search service, that is within section 67(2) (including a service
of a kind described in Schedule 2).

(5)

(6)

(7)

(8)

4

For the purposes of subsection (2), a user-to-user service or a search service
“has links with the United Kingdom” if—
(a) the service has a significant number of United Kingdom users, or
(b) United Kingdom users form one of the target markets for the service (or
the only target market).
For the purposes of subsection (2), a user-to-user service or a search service also
“has links with the United Kingdom” if—
(a) the service is capable of being used in the United Kingdom by
individuals, and
(b) there are reasonable grounds to believe that there is a material risk of
significant harm to individuals in the United Kingdom presented by—
(i) in the case of a user-to-user service, user-generated content
present on the service or (if the service includes a search engine)
search content of the service;
(ii) in the case of a search service, search content of the service.
A regulated user-to-user service that includes a public search engine is referred
to in this Act as a “combined service”.
“Public search engine” means a search engine other than one in relation to
which the conditions in paragraph 7(2) of Schedule 1 (internal business service
conditions) are met.

5

10

15

20

25

30

35

In this section—
“search content” has the same meaning as in Part 3 (see section 51);
“user-generated content” has the meaning given by section 49 (see
subsections (3) and (4) of that section).
Disapplication of Act to certain parts of services

(1)

This Act does not apply in relation to a part of a Part 3 service if the conditions
in paragraph 7(2) of Schedule 1 (internal business service conditions) are met
in relation to that part.

(2)

This Act does not apply in relation to a part of a regulated search service if—
(a) the only user-generated content enabled by that part of the service is
content of any of the following kinds—

40

45

4

Part 2 — Key definitions

(i)

(b)
(3)

content mentioned in paragraph 1, 2 or 3 of Schedule 1 (emails,
SMS and MMS messages, one-to-one live aural
communications) and related identifying content;
(ii) content arising in connection with any of the activities
described in paragraph 4(1) of Schedule 1 (comments etc on
provider content); and
no regulated provider pornographic content is published or displayed
on that part of the service.

In this section—
“regulated provider pornographic content” and “published or displayed”
have the same meaning as in Part 5 (see section 66);
“user-generated content” has the meaning given by section 49 (see
subsections (3) and (4) of that section).

5

10

PART 3
PROVIDERS OF REGULATED USER-TO-USER SERVICES AND REGULATED SEARCH SERVICES:

15

DUTIES OF CARE

CHAPTER 1
INTRODUCTION
5

Overview of Part 3
(1)

This Part imposes duties of care on providers of regulated user-to-user services
and regulated search services and requires OFCOM to issue codes of practice
relating to some of those duties.

(2)

Chapter 2 imposes duties of care on providers of regulated user-to-user
services in relation to content and activity on their services.

(3)

Chapter 3 imposes duties of care on providers of regulated search services in
relation to content and activity on their services.

(4)

Chapter 4 imposes duties on providers of regulated user-to-user services and
regulated search services to assess whether a service is likely to be accessed by
children.

(5)

Chapter 5 imposes duties on providers of certain regulated user-to-user
services and regulated search services relating to fraudulent advertising.

(6)

Chapter 6 requires OFCOM to issue codes of practice relating to particular
duties and explains what effects the codes of practice have.

(7)

Chapter 7 is about the interpretation of this Part, and it includes definitions of
the following key terms—
“illegal content”, “terrorism content”, “CSEA content” and “priority illegal
content” (see section 52);
“primary priority content that is harmful to children”, “priority content
that is harmful to children” and “content that is harmful to children”
(see section 53);
“priority content that is harmful to adults” and “content that is harmful to
adults” (see section 54);
“search content” (see section 51).

20

25

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

5

CHAPTER 2
PROVIDERS OF USER-TO-USER SERVICES: DUTIES OF CARE
User-to-user services: which duties apply, and scope of duties
6

Providers of user-to-user services: duties of care
(1)

Subsections (2) to (6) apply to determine which of the duties set out in this
Chapter (and, in the case of combined services, Chapter 3) must be complied
with by providers of regulated user-to-user services.

(2)

All providers of regulated user-to-user services must comply with the
following duties in relation to each such service which they provide—
(a) the duties about illegal content risk assessments set out in section 8,
(b) the duties about illegal content set out in section 9,
(c) the duty about content reporting set out in section 17,
(d) the duties about complaints procedures set out in section 18,
(e) the duties about freedom of expression and privacy set out in section
19(2), (3) and (4), and
(f) the duties about record-keeping and review set out in section 20.

(3)

Additional duties must be complied with by providers of particular kinds of
regulated user-to-user services, as follows.

(4)

All providers of regulated user-to-user services that are likely to be accessed by
children must comply with the following duties in relation to each such service
which they provide—
(a) the duties about children’s risk assessments set out in section 10, and
(b) the duties to protect children’s online safety set out in section 11.

(5)

All providers of Category 1 services must comply with the following duties in
relation to each such service which they provide—
(a) the duties about adults’ risk assessments set out in section 12,
(b) the duties to protect adults’ online safety set out in section 13,
(c) the duties to empower adult users set out in section 14,
(d) the duties to protect content of democratic importance set out in section
15,
(e) the duties to protect journalistic content set out in section 16, and
(f) the duties about freedom of expression and privacy set out in section
19(5), (6) and (7).

(6)

All providers of combined services must comply with the following duties in
relation to the search engine of each such service which they provide—
(a) if the service is not likely to be accessed by children, the duties set out
in Chapter 3 referred to in section 21(2);
(b) if the service is likely to be accessed by children, the duties set out in
Chapter 3 referred to in section 21(2) and (3).

(7)

For the meaning of “likely to be accessed by children”, see section 33.

(8)

For the meaning of “Category 1 service”, see section 82 (register of categories
of services).

5

10

15

20

25

30

35

40

6

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

7

Scope of duties of care
(1)

(2)

(3)

A duty set out in this Chapter which must be complied with in relation to a
user-to-user service that includes regulated provider pornographic content
does not extend to—
(a) the regulated provider pornographic content, or
(b) the design, operation or use of the service so far as relating to that
content.
See Part 5 for the duties which relate to regulated provider pornographic
content, and the meaning of that term.
A duty set out in this Chapter which must be complied with in relation to a
combined service does not extend to—
(a) the search content of the service,
(b) any other content that, following a search request, may be encountered
as a result of subsequent interactions with internet services, or
(c) anything relating to the design, operation or use of the search engine.
A duty set out in this Chapter which must be complied with in relation to a
user-to-user service extends only to—
(a) the design, operation and use of the service in the United Kingdom, and
(b) in the case of a duty that is expressed to apply in relation to users of a
service, the design, operation and use of the service as it affects United
Kingdom users of the service.

5

10

15

20

Illegal content duties for all user-to-user services
8

Illegal content risk assessment duties
(1)

This section sets out the duties about risk assessments which apply in relation
to all regulated user-to-user services.

(2)

A duty to carry out a suitable and sufficient illegal content risk assessment at a
time set out in, or as provided by, Schedule 3.

(3)

A duty to take appropriate steps to keep an illegal content risk assessment up
to date, including when OFCOM make any significant change to a risk profile
that relates to services of the kind in question.

(4)

Before making any significant change to any aspect of a service’s design or
operation, a duty to carry out a further suitable and sufficient illegal content
risk assessment relating to the impacts of that proposed change.

(5)

An “illegal content risk assessment” of a service of a particular kind means an
assessment of the following matters, taking into account the risk profile that
relates to services of that kind—
(a) the user base;
(b) the level of risk of individuals who are users of the service encountering
the following by means of the service—
(i) each kind of priority illegal content (with each kind separately
assessed), and
(ii) other illegal content,
taking into account (in particular) algorithms used by the service, and
how easily, quickly and widely content may be disseminated by means
of the service;

25

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(c)
(d)
(e)
(f)
(g)

7

the level of risk of harm to individuals presented by illegal content of
different kinds;
the level of risk of functionalities of the service facilitating the presence
or dissemination of illegal content, identifying and assessing those
functionalities that present higher levels of risk;
the different ways in which the service is used, and the impact of such
use on the level of risk of harm that might be suffered by individuals;
the nature, and severity, of the harm that might be suffered by
individuals from the matters identified in accordance with paragraphs
(b) to (e);
how the design and operation of the service (including the business
model, governance, use of proactive technology, measures to promote
users’ media literacy and safe use of the service, and other systems and
processes) may reduce or increase the risks identified.

(6)

In this section references to risk profiles are to the risk profiles for the time
being published under section 84 which relate to the risk of harm to individuals
presented by illegal content.

(7)

See also—
(a) section 20(2) (records of risk assessments), and
(b) Schedule 3 (timing of providers’ assessments).

9

5

10

15

20

Safety duties about illegal content
(1)

This section sets out the duties about illegal content which apply in relation to
all regulated user-to-user services.

(2)

A duty, in relation to a service, to take or use proportionate measures to
effectively mitigate and manage the risks of harm to individuals, as identified
in the most recent illegal content risk assessment of the service.

(3)

A duty to operate a service using proportionate systems and processes
designed to—
(a) prevent individuals from encountering priority illegal content by
means of the service;
(b) minimise the length of time for which any priority illegal content is
present;
(c) where the provider is alerted by a person to the presence of any illegal
content, or becomes aware of it in any other way, swiftly take down
such content.

(4)

The duties set out in subsections (2) and (3) apply across all areas of a service,
including the way it is operated and used as well as content present on the
service, and (among other things) require the provider of a service to take or
use measures in the following areas, if it is proportionate to do so—
(a) regulatory compliance and risk management arrangements,
(b) design of functionalities, algorithms and other features,
(c) policies on terms of use,
(d) policies on user access to the service or to particular content present on
the service, including blocking users from accessing the service or
particular content,
(e) content moderation, including taking down content,
(f) functionalities allowing users to control the content they encounter,

25

30

35

40

45

8

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(g)
(h)
(5)

(6)

user support measures, and
staff policies and practices.

A duty to include provisions in the terms of service specifying how individuals
are to be protected from illegal content, addressing each paragraph of
subsection (3), and (in relation to paragraphs (a) and (b)) separately addressing
terrorism content, CSEA content (see section 52 and Schedule 6) and other
priority illegal content.
A duty to apply the provisions of the terms of service referred to in subsection
(5) consistently in relation to content which the provider reasonably considers
is illegal content or a particular kind of illegal content.

(7)

A duty to include provisions in the terms of service giving information about
any proactive technology used by a service for the purpose of compliance with
a duty set out in subsection (2) or (3) (including the kind of technology, when
it is used, and how it works).

(8)

A duty to ensure that the provisions of the terms of service referred to in
subsections (5) and (7) are clear and accessible.

(9)

In determining what is proportionate for the purposes of this section, the
following factors, in particular, are relevant—
(a) all the findings of the most recent illegal content risk assessment
(including as to levels of risk and as to nature, and severity, of potential
harm to individuals), and
(b) the size and capacity of the provider of a service.

(10)

In this section “illegal content risk assessment” has the meaning given by
section 8.

(11)

See also, in relation to duties set out in this section, section 19 (duties about
freedom of expression and privacy).

5

10

15

20

25

User-to-user services likely to be accessed by children
10

Children’s risk assessment duties
(1)

This section sets out the duties about risk assessments which apply in relation
to regulated user-to-user services that are likely to be accessed by children (in
addition to the duties about risk assessments set out in section 8 and, in the case
of services likely to be accessed by children which are Category 1 services,
section 12).

(2)

A duty to carry out a suitable and sufficient children’s risk assessment at a time
set out in, or as provided by, Schedule 3.

(3)

A duty to take appropriate steps to keep a children’s risk assessment up to
date, including when OFCOM make any significant change to a risk profile
that relates to services of the kind in question.

(4)

Before making any significant change to any aspect of a service’s design or
operation, a duty to carry out a further suitable and sufficient children’s risk
assessment relating to the impacts of that proposed change.

(5)

Where a children’s risk assessment of a service identifies the presence of nondesignated content that is harmful to children, a duty to notify OFCOM of—

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(a)
(b)
(6)

9

the kinds of such content identified, and
the incidence of those kinds of content on the service.

A “children’s risk assessment” of a service of a particular kind means an
assessment of the following matters, taking into account the risk profile that
relates to services of that kind—
(a) the user base, including the number of users who are children in
different age groups;
(b) the level of risk of children who are users of the service encountering
the following by means of the service—
(i) each kind of primary priority content that is harmful to children
(with each kind separately assessed),
(ii) each kind of priority content that is harmful to children (with
each kind separately assessed), and
(iii) non-designated content that is harmful to children,
giving separate consideration to children in different age groups, and
taking into account (in particular) algorithms used by the service and
how easily, quickly and widely content may be disseminated by means
of the service;
(c) the level of risk of harm to children presented by different kinds of
content that is harmful to children, giving separate consideration to
children in different age groups;
(d) the level of risk of harm to children presented by content that is harmful
to children which particularly affects individuals with a certain
characteristic or members of a certain group;
(e) the level of risk of functionalities of the service facilitating the presence
or dissemination of content that is harmful to children, identifying and
assessing those functionalities that present higher levels of risk,
including functionalities—
(i) enabling adults to search for other users of the service
(including children), and
(ii) enabling adults to contact other users (including children) by
means of the service;
(f) the different ways in which the service is used, and the impact of such
use on the level of risk of harm that might be suffered by children;
(g) the nature, and severity, of the harm that might be suffered by children
from the matters identified in accordance with paragraphs (b) to (f),
giving separate consideration to children in different age groups;
(h) how the design and operation of the service (including the business
model, governance, use of proactive technology, measures to promote
users’ media literacy and safe use of the service, and other systems and
processes) may reduce or increase the risks identified.

(7)

In this section references to risk profiles are to the risk profiles for the time
being published under section 84 which relate to the risk of harm to children
presented by content that is harmful to children.

(8)

See also—
(a) section 20(2) (records of risk assessments), and
(b) Schedule 3 (timing of providers’ assessments).

5

10

15

20

25

30

35

40

45

10

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

11

Safety duties protecting children
(1)

This section sets out the duties to protect children’s online safety which apply
in relation to regulated user-to-user services that are likely to be accessed by
children.

(2)

A duty, in relation to a service, to take or use proportionate measures to
effectively—
(a) mitigate and manage the risks of harm to children in different age
groups, as identified in the most recent children’s risk assessment of the
service, and
(b) mitigate the impact of harm to children in different age groups
presented by content that is harmful to children present on the service.

(3)

(4)

(5)

A duty to operate a service using proportionate systems and processes
designed to—
(a) prevent children of any age from encountering, by means of the service,
primary priority content that is harmful to children (for example, by
using age verification, or another means of age assurance);
(b) protect children in age groups judged to be at risk of harm from other
content that is harmful to children (or from a particular kind of such
content) from encountering it by means of the service (for example, by
using age assurance).
The duties set out in subsections (2) and (3) apply across all areas of a service,
including the way it is operated and used as well as content present on the
service, and (among other things) require the provider of a service to take or
use measures in the following areas, if it is proportionate to do so—
(a) regulatory compliance and risk management arrangements,
(b) design of functionalities, algorithms and other features,
(c) policies on terms of use,
(d) policies on user access to the service or to particular content present on
the service, including blocking users from accessing the service or
particular content,
(e) content moderation, including taking down content,
(f) functionalities allowing for control over content that is encountered,
especially by children,
(g) user support measures, and
(h) staff policies and practices.
A duty to include provisions in the terms of service specifying—
(a) how children of any age are to be prevented from encountering
primary priority content that is harmful to children (with each kind of
primary priority content separately covered);
(b) how children in age groups judged to be at risk of harm from priority
content that is harmful to children (or from a particular kind of such
content) are to be protected from encountering it, where they are not
prevented from doing so (with each kind of priority content separately
covered);
(c) how children in age groups judged to be at risk of harm from nondesignated content that is harmful to children (or from a particular kind
of such content) are to be protected from encountering it, where they
are not prevented from doing so.

5

10

15

20

25

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

11

(6)

A duty to apply the provisions of the terms of service referred to in subsection
(5) consistently in relation to content which the provider reasonably considers
is content that is harmful to children or a particular kind of content that is
harmful to children.

(7)

A duty to include provisions in the terms of service giving information about
any proactive technology used by a service for the purpose of compliance with
a duty set out in subsection (2) or (3) (including the kind of technology, when
it is used, and how it works).

(8)

A duty to ensure that the provisions of the terms of service referred to in
subsections (5) and (7) are clear and accessible.

(9)

In determining what is proportionate for the purposes of this section, the
following factors, in particular, are relevant—
(a) all the findings of the most recent children’s risk assessment (including
as to levels of risk and as to nature, and severity, of potential harm to
children), and
(b) the size and capacity of the provider of a service.

(10)

(11)

5

10

15

So far as a duty set out in this section relates to non-designated content that is
harmful to children, the duty is to be taken to extend only to addressing risks
of harm from the kinds of such content that have been identified in the most
recent children’s risk assessment (if any have been identified).

20

References in subsections (3)(b) and (5)(b) and (c) to children in age groups
judged to be at risk of harm from content that is harmful to children are
references to children in age groups judged to be at risk of such harm as
assessed by the provider of a service in the most recent children’s risk
assessment of the service.

25

(12)

The duties set out in subsections (3) and (5) are to be taken to extend only to
content that is harmful to children where the risk of harm is presented by the
nature of the content (rather than the fact of its dissemination).

(13)

The duties set out in this section extend only to such parts of a service as it is
possible for children to access.

30

(14)

For the purposes of subsection (13), a provider is only entitled to conclude that
it is not possible for children to access a service, or a part of it, if there are
systems or processes in place (for example, age verification, or another means
of age assurance) that achieve the result that children are not normally able to
access the service or that part of it.

35

(15)

In this section “children’s risk assessment” has the meaning given by section
10.

(16)

See also, in relation to duties set out in this section, section 19 (duties about
freedom of expression and privacy).
Category 1 services

12

Adults’ risk assessment duties
(1)

This section sets out the duties about risk assessments which apply in relation
to Category 1 services (in addition to the duties about risk assessments set out

40

12

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

in section 8 and, in the case of Category 1 services likely to be accessed by
children, section 10).
(2)

A duty to carry out a suitable and sufficient adults’ risk assessment at a time
set out in, or as provided by, Schedule 3.

(3)

A duty to take appropriate steps to keep an adults’ risk assessment up to date,
including when OFCOM make any significant change to a risk profile that
relates to services of the kind in question.

(4)

Before making any significant change to any aspect of a service’s design or
operation, a duty to carry out a further suitable and sufficient adults’ risk
assessment relating to the impacts of that proposed change.

(5)

An “adults’ risk assessment” of a service of a particular kind means an
assessment of the following matters, taking into account the risk profile that
relates to services of that kind—
(a) the user base;
(b) the level of risk of adults who are users of the service encountering, by
means of the service, each kind of priority content that is harmful to
adults (with each kind separately assessed), taking into account (in
particular) algorithms used by the service, and how easily, quickly and
widely content may be disseminated by means of the service;
(c) the level of risk of harm to adults presented by different kinds of
priority content that is harmful to adults;
(d) the level of risk of harm to adults presented by priority content that is
harmful to adults which particularly affects individuals with a certain
characteristic or members of a certain group;
(e) the level of risk of functionalities of the service facilitating the presence
or dissemination of priority content that is harmful to adults,
identifying and assessing those functionalities that present higher
levels of risk;
(f) the different ways in which the service is used, and the impact of such
use on the level of risk of harm that might be suffered by adults;
(g) the nature, and severity, of the harm that might be suffered by adults
from the matters identified in accordance with paragraphs (b) to (f);
(h) how the design and operation of the service (including the business
model, governance, use of proactive technology, measures to promote
users’ media literacy and safe use of the service, and other systems and
processes) may reduce or increase the risks identified.

(6)

In this section references to risk profiles are to the risk profiles for the time
being published under section 84 which relate to the risk of harm to adults
presented by priority content that is harmful to adults.

(7)

See also—
(a) section 20(2) (records of risk assessments), and
(b) Schedule 3 (timing of providers’ assessments).

13

5

10

15

20

25

30

35

40

Safety duties protecting adults
(1)

This section sets out the duties to protect adults’ online safety which apply in
relation to Category 1 services.

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

13

(2)

A duty to summarise in the terms of service the findings of the most recent
adults’ risk assessment of a service (including as to levels of risk and as to
nature, and severity, of potential harm to adults).

(3)

A duty to include provisions in the terms of service specifying, in relation to
each kind of priority content that is harmful to adults that is to be treated in a
way described in subsection (4), which of those kinds of treatment is to be
applied.

(4)

These are the kinds of treatment of content referred to in subsection (3)—
(a) taking down the content;
(b) restricting users’ access to the content;
(c) limiting the recommendation or promotion of the content;
(d) recommending or promoting the content.

(5)

(6)

A duty to explain in the terms of service the provider’s response to the risks
relating to priority content that is harmful to adults (as identified in the most
recent adults’ risk assessment of the service), by reference to—
(a) any provisions of the terms of service included in compliance with the
duty set out in subsection (3), and
(b) any other provisions of the terms of service designed to mitigate or
manage those risks.
If provisions are included in the terms of service in compliance with the duty
set out in subsection (3), a duty to ensure that those provisions—
(a) are clear and accessible, and
(b) are applied consistently in relation to content which the provider
reasonably considers is priority content that is harmful to adults or a
particular kind of priority content that is harmful to adults.

(7)

If the provider of a service becomes aware of any non-designated content that
is harmful to adults present on the service, a duty to notify OFCOM of—
(a) the kinds of such content identified, and
(b) the incidence of those kinds of content on the service.

(8)

In this section—
“adults’ risk assessment” has the meaning given by section 12;
“non-designated content that is harmful to adults” means content that is
harmful to adults other than priority content that is harmful to adults.

(9)

See also, in relation to duties set out in this section, section 19 (duties about
freedom of expression and privacy).

14

5

10

15

20

25

30

35

User empowerment duties
(1)

This section sets out the duties to empower adult users which apply in relation
to Category 1 services.

(2)

A duty to include in a service, to the extent that it is proportionate to do so,
features which adult users may use or apply if they wish to increase their
control over harmful content.

(3)

The features referred to in subsection (2) are those which, if used or applied by
a user, result in the use by the service of systems or processes designed to—

40

14

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(a)
(b)

reduce the likelihood of the user encountering priority content that is
harmful to adults, or particular kinds of such content, by means of the
service, or
alert the user to the harmful nature of priority content that is harmful
to adults that the user may encounter by means of the service.

(4)

A duty to ensure that all features included in a service in compliance with the
duty set out in subsection (2) are made available to all adult users.

(5)

A duty to include clear and accessible provisions in the terms of service
specifying which features are offered in compliance with the duty set out in
subsection (2), and how users may take advantage of them.

(6)

A duty to include in a service features which adult users may use or apply if
they wish to filter out non-verified users.

(7)

The features referred to in subsection (6) are those which, if used or applied by
a user, result in the use by the service of systems or processes designed to—
(a) prevent non-verified users from interacting with content which that
user generates, uploads or shares on the service, and
(b) reduce the likelihood of that user encountering content which nonverified users generate, upload or share on the service.

(8)

In determining what is proportionate for the purposes of subsection (2), the
following factors, in particular, are relevant—
(a) all the findings of the most recent adults’ risk assessment (including as
to levels of risk and as to nature, and severity, of potential harm to
adults), and
(b) the size and capacity of the provider of a service.

(9)

In this section “non-verified user” means a user who has not verified their
identity to the provider of a service (see section 57(1)).

(10)

In this section references to features include references to functionalities and
settings.

15

5

10

15

20

25

Duties to protect content of democratic importance
(1)

This section sets out the duties to protect content of democratic importance
which apply in relation to Category 1 services.

(2)

A duty to operate a service using proportionate systems and processes
designed to ensure that the importance of the free expression of content of
democratic importance is taken into account when making decisions about—
(a) how to treat such content (especially decisions about whether to take it
down or restrict users’ access to it), and
(b) whether to take action against a user generating, uploading or sharing
such content.

(3)

A duty to ensure that the systems and processes mentioned in subsection (2)
apply in the same way to a wide diversity of political opinion.

(4)

A duty to include provisions in the terms of service specifying the policies and
processes that are designed to take account of the principle mentioned in
subsection (2), including, in particular, how that principle is applied to
decisions mentioned in that subsection.

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(5)

(6)

15

A duty to ensure that—
(a) the provisions of the terms of service referred to in subsection (4) are
clear and accessible, and
(b) those provisions are applied consistently in relation to content which
the provider reasonably considers is content of democratic importance.
For the purposes of this section content is “content of democratic importance”,
in relation to a user-to-user service, if—
(a) the content is—
(i) news publisher content in relation to that service, or
(ii) regulated user-generated content in relation to that service; and
(b) the content is or appears to be specifically intended to contribute to
democratic political debate in the United Kingdom or a part or area of
the United Kingdom.

(7)

In this section, the reference to “taking action” against a user is to giving a
warning to a user, or suspending or banning a user from using a service, or in
any way restricting a user’s ability to use a service.

(8)

For the meaning of “news publisher content” and “regulated user-generated
content”, see section 49.

16

5

10

15

Duties to protect journalistic content
(1)

This section sets out the duties to protect journalistic content which apply in
relation to Category 1 services.

(2)

A duty to operate a service using proportionate systems and processes
designed to ensure that the importance of the free expression of journalistic
content is taken into account when making decisions about—
(a) how to treat such content (especially decisions about whether to take it
down or restrict users’ access to it), and
(b) whether to take action against a user generating, uploading or sharing
such content.

(3)

A duty, in relation to a decision by a provider to take down content or to
restrict access to it, to make a dedicated and expedited complaints procedure
available to a person who considers the content to be journalistic content and
who is—
(a) the user who generated, uploaded or shared the content on the service,
or
(b) the creator of the content (see subsections (12) and (13)).

20

25

30

35

(4)

A duty to make a dedicated and expedited complaints procedure available to
users of a service in relation to a decision by the provider of the service to take
action against a user because of content generated, uploaded or shared by the
user which the user considers to be journalistic content.

(5)

A duty to ensure that—
(a) if a complaint about a decision mentioned in subsection (3) is upheld,
the content is swiftly reinstated on the service;
(b) if a complaint about a decision mentioned in subsection (4) is upheld,
the action against the user is swiftly reversed.

40

(6)

A duty to include provisions in the terms of service specifying—

45

16

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(a)
(b)
(c)
(7)

(8)

by what methods content present on the service is to be identified as
journalistic content;
how the importance of the free expression of journalistic content is to
be taken into account when making decisions mentioned in subsection
(2);
the policies and processes for handling complaints in relation to
content which is, or is considered to be, journalistic content.

A duty to ensure that—
(a) the provisions of the terms of service referred to in subsection (6) are
clear and accessible, and
(b) those provisions are applied consistently in relation to content which
the provider reasonably considers is journalistic content.
For the purposes of this section content is “journalistic content”, in relation to
a user-to-user service, if—
(a) the content is—
(i) news publisher content in relation to that service, or
(ii) regulated user-generated content in relation to that service;
(b) the content is generated for the purposes of journalism; and
(c) the content is UK-linked.

5

10

15

(9)

For the purposes of this section content is “UK-linked” if—
(a) United Kingdom users of the service form one of the target markets for
the content (or the only target market), or
(b) the content is or is likely to be of interest to a significant number of
United Kingdom users.

20

(10)

In this section references to “taking action” against a user are to giving a
warning to a user, or suspending or banning a user from using a service, or in
any way restricting a user’s ability to use a service.

25

(11)

In this section the reference to the “creator” of content is to be read in
accordance with subsections (12) and (13).

(12)

The creator of news publisher content is the recognised news publisher in
question.

(13)

The creator of content other than news publisher content is—
(a) an individual who—
(i) created the content, and
(ii) is in the United Kingdom; or
(b) an entity which—
(i) created the content, and
(ii) is incorporated or formed under the law of any part of the
United Kingdom.

(14)

For the meaning of “news publisher content”, “regulated user-generated
content” and “recognised news publisher”, see sections 49 and 50.

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

17

Duties about content reporting and complaints procedures
17

Duty about content reporting
(1)

This section sets out the duty about content reporting which applies in relation
to all regulated user-to-user services.

(2)

A duty to operate a service using systems and processes that allow users and
affected persons to easily report content which they consider to be content of a
kind specified below (with the duty extending to different kinds of content
depending on the kind of service, as indicated by the headings).

5

All services
(3)

Illegal content.

10

Services likely to be accessed by children
(4)

Content that is harmful to children, present on a part of a service that it is
possible for children to access.
Category 1 services

(5)

Content that is harmful to adults.

15

Interpretation etc
(6)

(7)

(8)

18

In this section “affected person” means a person, other than a user of the service
in question, who is in the United Kingdom and who is—
(a) the subject of the content,
(b) a member of a class or group of people with a certain characteristic
targeted by the content,
(c) a parent of, or other adult with responsibility for, a child who is a user
of the service or is the subject of the content, or
(d) an adult providing assistance in using the service to another adult who
requires such assistance, where that other adult is a user of the service
or is the subject of the content.
For the purposes of subsection (4), a provider is only entitled to conclude that
it is not possible for children to access a service, or a part of it, if there are
systems or processes in place (for example, age verification, or another means
of age assurance) that achieve the result that children are not normally able to
access the service or that part of it.

20

25

30

See also, in relation to the duty set out in this section, section 19 (duties about
freedom of expression and privacy).
Duties about complaints procedures

(1)

This section sets out the duties about complaints procedures which apply in
relation to all regulated user-to-user services.

(2)

A duty to operate a complaints procedure in relation to a service that—
(a) allows for relevant kinds of complaint to be made (as set out under the
headings below),

35

18

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(b)
(c)
(3)

provides for appropriate action to be taken by the provider of the
service in response to complaints of a relevant kind, and
is easy to access, easy to use (including by children) and transparent.

A duty to include in the terms of service provisions which are easily accessible
(including to children) specifying the policies and processes that govern the
handling and resolution of complaints of a relevant kind.

5

All services
(4)

The following kinds of complaint are relevant for all services—
(a) complaints by users and affected persons about content present on a
service which they consider to be illegal content;
(b) complaints by users and affected persons if they consider that the
provider is not complying with a duty set out in—
(i) section 9 (illegal content),
(ii) section 17 (content reporting), or
(iii) section 19(2), (3) or (4) (freedom of expression and privacy);
(c) complaints by a user who has generated, uploaded or shared content
on a service if that content is taken down on the basis that it is illegal
content;
(d) complaints by a user of a service if the provider has given a warning to
the user, suspended or banned the user from using the service, or in any
other way restricted the user’s ability to use the service, as a result of
content generated, uploaded or shared by the user which the provider
considers to be illegal content;
(e) complaints by a user who has generated, uploaded or shared content
on a service if—
(i) the use of proactive technology on the service results in that
content being taken down, given a lower priority in other users’
feeds or being otherwise restricted, and
(ii) the user considers that the proactive technology has been used
in a way not contemplated by, or in breach of, the terms of
service (for example, by affecting content not of a kind specified
in the terms of service as a kind of content in relation to which
the technology would operate).

10

15

20

25

30

Services likely to be accessed by children
(5)

The following kinds of complaint are relevant for services that are likely to be
accessed by children—
(a) complaints by users and affected persons about content, present on a
part of a service that it is possible for children to access, which they
consider to be content that is harmful to children;
(b) complaints by users and affected persons if they consider that the
provider is not complying with a duty set out in section 11 (children’s
online safety);
(c) complaints by a user who has generated, uploaded or shared content
on a service if that content is taken down, or access to it is restricted, on
the basis that it is content that is harmful to children;
(d) complaints by a user of a service if the provider has given a warning to
the user, suspended or banned the user from using the service, or in any
other way restricted the user’s ability to use the service, as a result of

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(e)

19

content generated, uploaded or shared by the user which the provider
considers to be content that is harmful to children;
complaints by a user who is unable to access content because measures
used to comply with a duty set out in section 11(3) have resulted in an
incorrect assessment of the user’s age.

5

Category 1 services
(6)

The following kinds of complaint are relevant for Category 1 services—
(a) complaints by users and affected persons about content present on a
service which they consider to be content that is harmful to adults;
(b) complaints by users and affected persons if they consider that the
provider is not complying with a duty set out in—
(i) section 13 (adults’ online safety),
(ii) section 14 (user empowerment),
(iii) section 15 (content of democratic importance),
(iv) section 16 (journalistic content), or
(v) section 19(5), (6) or (7) (freedom of expression and privacy);
(c) complaints by a user who has generated, uploaded or shared content
on a service if that content is taken down, or access to it is restricted, on
the basis that it is content that is harmful to adults;
(d) complaints by a user of a service if the provider has given a warning to
the user, suspended or banned the user from using the service, or in any
other way restricted the user’s ability to use the service, as a result of
content generated, uploaded or shared by the user which the provider
considers to be content that is harmful to adults.
Interpretation etc

15

20

25

(7)

In this section “affected person” has the meaning given by section 17.

(8)

For the purposes of subsection (5)(a), a provider is only entitled to conclude
that it is not possible for children to access a service, or a part of it, if there are
systems or processes in place (for example, age verification, or another means
of age assurance) that achieve the result that children are not normally able to
access the service or that part of it.

(9)

10

30

See also, in relation to duties set out in this section, section 19 (duties about
freedom of expression and privacy).
Cross-cutting duties

19

Duties about freedom of expression and privacy
(1)

35

This section sets out the duties about freedom of expression and privacy which
apply in relation to regulated user-to-user services as indicated by the
headings.
All services

(2)

When deciding on, and implementing, safety measures and policies, a duty to
have regard to the importance of protecting users’ right to freedom of
expression within the law.

40

20

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(3)

(4)

When deciding on, and implementing, safety measures and policies, a duty to
have regard to the importance of protecting users from a breach of any
statutory provision or rule of law concerning privacy that is relevant to the use
or operation of a user-to-user service (including, but not limited to, any such
provision or rule concerning the processing of personal data).
A duty to include clear and accessible provisions in the terms of service
informing users about their right to bring a claim for breach of contract if
content which they generate, upload or share is taken down, or access to it is
restricted, in breach of the terms of service.
Additional duties for Category 1 services

(5)

(6)

(7)

5

A duty—
(a) when deciding on safety measures and policies, to carry out an
assessment of the impact that such measures or policies would have
on—
(i) users’ right to freedom of expression within the law, and
(ii) the privacy of users; and
(b) to carry out an assessment of the impact of adopted safety measures
and policies on the matters mentioned in paragraph (a)(i) and (ii).
A duty to—
(a) keep an impact assessment up to date, and
(b) publish impact assessments.
A duty to specify in a publicly available statement the positive steps that the
provider has taken in response to an impact assessment to—
(a) protect users’ right to freedom of expression within the law, and
(b) protect the privacy of users.

10

15

20

25

Interpretation
(8)

(9)

20

In this section—
“impact assessment” means an impact assessment under subsection (5);
“safety measures and policies” means measures and policies designed to
secure compliance with any of the duties set out in—
(a) section 9 (illegal content),
(b) section 11 (children’s online safety),
(c) section 13 (adults’ online safety),
(d) section 17 (content reporting), or
(e) section 18 (complaints procedures).

30

35

Any reference in this section to the privacy of users or steps taken to protect the
privacy of users is to be construed in accordance with subsection (3).
Record-keeping and review duties

(1)

This section sets out the record-keeping and review duties which apply in
relation to all regulated user-to-user services.

(2)

A duty to make and keep a written record, in an easily understandable form,
of every risk assessment under section 8, 10 or 12.

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 2 — Providers of user-to-user services: duties of care

(3)

(4)

(5)

(6)

21

A duty to make and keep a written record of any measures taken or in use to
comply with a relevant duty which—
(a) are described in a code of practice and recommended for the purpose
of compliance with the duty in question, and
(b) apply in relation to the provider and the service in question.
In this section such measures are referred to as “applicable measures in a code
of practice”.
If alternative measures have been taken or are in use to comply with a relevant
duty, a duty to make and keep a written record containing the following
information—
(a) the applicable measures in a code of practice that have not been taken
or are not in use,
(b) the alternative measures that have been taken or are in use,
(c) how those alternative measures amount to compliance with the duty in
question, and
(d) how the provider has complied with section 45(5) (freedom of
expression and privacy).
If alternative measures have been taken or are in use to comply with a duty set
out in section 9(2) or (3) or 11(2) or (3), the record required under subsection (4)
of this section must also indicate whether such measures have been taken or
are in use in every area listed in subsection (4) of those sections in relation to
which there are applicable measures in a code of practice.
A duty to review compliance with the relevant duties in relation to a service—
(a) regularly, and
(b) as soon as reasonably practicable after making any significant change
to any aspect of the design or operation of the service.

(7)

OFCOM may provide that particular descriptions of providers of user-to-user
services are exempt from any or all of the duties set out in this section, and may
revoke such an exemption.

(8)

OFCOM must publish details of any exemption or revocation under subsection
(7), including reasons for the revocation of an exemption.

(9)

In this section—
“alternative measures” means measures other than measures which are
(in relation to the provider and the service in question) applicable
measures in a code of practice;
“code of practice” means a code of practice published under section 42;
“relevant duties” means the duties set out in—
(a) section 9 (illegal content),
(b) section 11 (children’s online safety),
(c) section 13 (adults’ online safety),
(d) section 14 (user empowerment),
(e) section 15 (content of democratic importance),
(f) section 16 (journalistic content),
(g) section 17 (content reporting), and
(h) section 18 (complaints procedures).

5

10

15

20

25

30

35

40

45

22

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

CHAPTER 3
PROVIDERS OF SEARCH SERVICES: DUTIES OF CARE
Search services: which duties apply, and scope of duties
21

Providers of search services: duties of care
(1)

Subsections (2) and (3) apply to determine which of the duties set out in this
Chapter must be complied with by providers of regulated search services.

(2)

All providers of regulated search services must comply with the following
duties in relation to each such service which they provide—
(a) the duties about illegal content risk assessments set out in section 23,
(b) the duties about illegal content set out in section 24,
(c) the duty about content reporting set out in section 27,
(d) the duties about complaints procedures set out in section 28,
(e) the duties about freedom of expression and privacy set out in section
29, and
(f) the duties about record-keeping and review set out in section 30.

(3)

(4)
22

In addition, all providers of regulated search services that are likely to be
accessed by children must comply with the following duties in relation to each
such service which they provide—
(a) the duties about children’s risk assessments set out in section 25, and
(b) the duties to protect children’s online safety set out in section 26.

5

10

15

20

For the meaning of “likely to be accessed by children”, see section 33.
Scope of duties of care

(1)

(2)

A duty set out in this Chapter which must be complied with in relation to a
search service extends only to—
(a) the search content of the service,
(b) the design, operation and use of the search engine in the United
Kingdom, and
(c) in the case of a duty that is expressed to apply in relation to users of a
service, the design, operation and use of the search engine as it affects
United Kingdom users of the service.
For the purposes of the application of this Chapter in relation to the search
engine of a combined service (see section 6(6))—
(a) a duty set out in this Chapter which requires a matter to be included in
a publicly available statement may be satisfied by including the matter
in the terms of service;
(b) references in this Chapter (except in section 21) to a search service are
to be read as references to the search engine;
(c) references in this Chapter (except in section 21) to the provider of a
search service are to be read as references to the provider of the
combined service.

25

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

23

Illegal content duties for all search services
23

Illegal content risk assessment duties
(1)

This section sets out the duties about risk assessments which apply in relation
to all regulated search services.

(2)

A duty to carry out a suitable and sufficient illegal content risk assessment at a
time set out in, or as provided by, Schedule 3.

(3)

A duty to take appropriate steps to keep an illegal content risk assessment up
to date, including when OFCOM make any significant change to a risk profile
that relates to services of the kind in question.

(4)

Before making any significant change to any aspect of a service’s design or
operation, a duty to carry out a further suitable and sufficient illegal content
risk assessment relating to the impacts of that proposed change.

(5)

An “illegal content risk assessment” of a service of a particular kind means an
assessment of the following matters, taking into account the risk profile that
relates to services of that kind—
(a) the level of risk of individuals who are users of the service encountering
search content of the following kinds—
(i) each kind of priority illegal content (with each kind separately
assessed), and
(ii) other illegal content,
taking into account (in particular) risks presented by algorithms used
by the service, and the way that the service indexes, organises and
presents search results;
(b) the level of risk of functionalities of the service facilitating individuals
encountering search content that is illegal content, identifying and
assessing those functionalities that present higher levels of risk;
(c) the nature, and severity, of the harm that might be suffered by
individuals from the matters identified in accordance with paragraphs
(a) and (b);
(d) how the design and operation of the service (including the business
model, governance, use of proactive technology, measures to promote
users’ media literacy and safe use of the service, and other systems and
processes) may reduce or increase the risks identified.

(6)

In this section references to risk profiles are to the risk profiles for the time
being published under section 84 which relate to the risk of harm to individuals
presented by illegal content.

(7)

See also—
(a) section 30(2) (records of risk assessments), and
(b) Schedule 3 (timing of providers’ assessments).

24

Safety duties about illegal content
(1)

This section sets out the duties about illegal content which apply in relation to
all regulated search services.

(2)

A duty, in relation to a service, to take or use proportionate measures to
effectively mitigate and manage the risks of harm to individuals, as identified
in the most recent illegal content risk assessment of the service.

5

10

15

20

25

30

35

40

45

24

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

(3)

(4)

A duty to operate a service using proportionate systems and processes
designed to minimise the risk of individuals encountering search content of the
following kinds—
(a) priority illegal content;
(b) other illegal content that the provider knows about (having been
alerted to it by another person or become aware of it in any other way).
The duties set out in subsections (2) and (3) apply across all areas of a service,
including the way the search engine is operated and used as well as search
content of the service, and (among other things) require the provider of a
service to take or use measures in the following areas, if it is proportionate to
do so—
(a) regulatory compliance and risk management arrangements,
(b) design of functionalities, algorithms and other features relating to the
search engine,
(c) functionalities allowing users to control the content they encounter in
search results,
(d) content prioritisation,
(e) user support measures, and
(f) staff policies and practices.

(5)

A duty to include provisions in a publicly available statement specifying how
individuals are to be protected from search content that is illegal content.

(6)

A duty to apply the provisions of the statement referred to in subsection (5)
consistently in relation to search content which the provider reasonably
considers is illegal content or a particular kind of illegal content.

(7)

A duty to include provisions in a publicly available statement giving
information about any proactive technology used by a service for the purpose
of compliance with a duty set out in subsection (2) or (3) (including the kind of
technology, when it is used, and how it works).

(8)

A duty to ensure that the provisions of the publicly available statement
referred to in subsections (5) and (7) are clear and accessible.

(9)

In determining what is proportionate for the purposes of this section, the
following factors, in particular, are relevant—
(a) all the findings of the most recent illegal content risk assessment
(including as to levels of risk and as to nature, and severity, of potential
harm to individuals), and
(b) the size and capacity of the provider of a service.

(10)

In this section “illegal content risk assessment” has the meaning given by
section 23.

(11)

See also, in relation to duties set out in this section, section 29 (duties about
freedom of expression and privacy).

5

10

15

20

25

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

25

Search services likely to be accessed by children
25

Children’s risk assessment duties
(1)

This section sets out the duties about risk assessments which apply in relation
to regulated search services that are likely to be accessed by children (in
addition to the duties about risk assessments set out in section 23).

(2)

A duty to carry out a suitable and sufficient children’s risk assessment at a time
set out in, or as provided by, Schedule 3.

(3)

A duty to take appropriate steps to keep a children’s risk assessment up to
date, including when OFCOM make any significant change to a risk profile
that relates to services of the kind in question.

(4)

Before making any significant change to any aspect of a service’s design or
operation, a duty to carry out a further suitable and sufficient children’s risk
assessment relating to the impacts of that proposed change.

(5)

A “children’s risk assessment” of a service of a particular kind means an
assessment of the following matters, taking into account the risk profile that
relates to services of that kind—
(a) the level of risk of children who are users of the service encountering
search content of the following kinds—
(i) each kind of primary priority content that is harmful to children
(with each kind separately assessed),
(ii) each kind of priority content that is harmful to children (with
each kind separately assessed), and
(iii) non-designated content that is harmful to children,
giving separate consideration to children in different age groups, and
taking into account (in particular) risks presented by algorithms used
by the service and the way that the service indexes, organises and
presents search results;
(b) the level of risk of children who are users of the service encountering
search content that is harmful to children which particularly affects
individuals with a certain characteristic or members of a certain group;
(c) the level of risk of functionalities of the service facilitating children
encountering search content that is harmful to children, identifying and
assessing those functionalities that present higher levels of risk;
(d) the nature, and severity, of the harm that might be suffered by children
from the matters identified in accordance with paragraphs (a) to (c),
giving separate consideration to children in different age groups;
(e) how the design and operation of the service (including the business
model, governance, use of proactive technology, measures to promote
users’ media literacy and safe use of the service, and other systems and
processes) may reduce or increase the risks identified.

(6)

In this section references to risk profiles are to the risk profiles for the time
being published under section 84 which relate to the risk of harm to children
presented by content that is harmful to children.

(7)

See also—
(a) section 30(2) (records of risk assessments), and
(b) Schedule 3 (timing of providers’ assessments).

5

10

15

20

25

30

35

40

45

26

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

26

Safety duties protecting children
(1)

This section sets out the duties to protect children’s online safety which apply
in relation to regulated search services that are likely to be accessed by
children.

(2)

A duty, in relation to a service, to take or use proportionate measures to
effectively—
(a) mitigate and manage the risks of harm to children in different age
groups, as identified in the most recent children’s risk assessment of the
service, and
(b) mitigate the impact of harm to children in different age groups
presented by search content that is harmful to children.

(3)

(4)

(5)

A duty to operate a service using proportionate systems and processes
designed to—
(a) minimise the risk of children of any age encountering search content
that is primary priority content that is harmful to children;
(b) minimise the risk of children in age groups judged to be at risk of harm
from other content that is harmful to children (or from a particular kind
of such content) encountering search content of that kind.
The duties set out in subsections (2) and (3) apply across all areas of a service,
including the way the search engine is operated and used as well as search
content of the service, and (among other things) require the provider of a
service to take or use measures in the following areas, if it is proportionate to
do so—
(a) regulatory compliance and risk management arrangements,
(b) design of functionalities, algorithms and other features relating to the
search engine,
(c) functionalities allowing for control over content that is encountered in
search results, especially by children,
(d) content prioritisation,
(e) user support measures, and
(f) staff policies and practices.
A duty to include provisions in a publicly available statement specifying how
children are to be protected from search content of the following kinds—
(a) primary priority content that is harmful to children (with each kind of
primary priority content separately covered),
(b) priority content that is harmful to children (with each kind of priority
content separately covered), and
(c) non-designated content that is harmful to children.

(6)

A duty to apply the provisions of the statement referred to in subsection (5)
consistently in relation to search content which the provider reasonably
considers is content that is harmful to children or a particular kind of content
that is harmful to children.

(7)

A duty to include provisions in a publicly available statement giving
information about any proactive technology used by a service for the purpose
of compliance with a duty set out in subsection (2) or (3) (including the kind of
technology, when it is used, and how it works).

(8)

A duty to ensure that the provisions of the publicly available statement
referred to in subsections (5) and (7) are clear and accessible.

5

10

15

20

25

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

(9)

(10)

27

In determining what is proportionate for the purposes of this section, the
following factors, in particular, are relevant—
(a) all the findings of the most recent children’s risk assessment (including
as to levels of risk and as to nature, and severity, of potential harm to
children), and
(b) the size and capacity of the provider of a service.
So far as a duty set out in this section relates to non-designated content that is
harmful to children, the duty is to be taken to extend only to addressing risks
of harm from the kinds of such content that have been identified in the most
recent children’s risk assessment (if any have been identified).

5

10

(11)

The reference in subsection (3)(b) to children in age groups judged to be at risk
of harm from content that is harmful to children is a reference to children in age
groups judged to be at risk of such harm as assessed by the provider of a
service in the most recent children’s risk assessment of the service.

(12)

The duties set out in subsection (3) are to be taken to extend only to content that
is harmful to children where the risk of harm is presented by the nature of the
content (rather than the fact of its dissemination).

(13)

The duties set out in this section extend only to such parts of a service as it is
possible for children to access.

(14)

For the purposes of subsection (13), a provider is only entitled to conclude that
it is not possible for children to access a service, or a part of it, if there are
systems or processes in place (for example, age verification, or another means
of age assurance) that achieve the result that children are not normally able to
access the service or that part of it.

20

(15)

In this section “children’s risk assessment” has the meaning given by section
25.

25

(16)

See also, in relation to duties set out in this section, section 29 (duties about
freedom of expression and privacy).

15

Duties about content reporting and complaints procedures
27

Duty about content reporting
(1)

This section sets out the duty about content reporting which applies in relation
to all regulated search services.

(2)

A duty to operate a service using systems and processes that allow users and
affected persons to easily report search content which they consider to be
content of a kind specified below (with the duty extending to content that is
harmful to children depending on the kind of service, as indicated by the
headings).

30

35

All services
(3)

Illegal content.
Services likely to be accessed by children

(4)

Content that is harmful to children.

40

28

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

Interpretation etc
(5)

(6)

28

In this section “affected person” means a person, other than a user of the service
in question, who is in the United Kingdom and who is—
(a) the subject of the content,
(b) a member of a class or group of people with a certain characteristic
targeted by the content,
(c) a parent of, or other adult with responsibility for, a child who is a user
of the service or is the subject of the content, or
(d) an adult providing assistance in using the service to another adult who
requires such assistance, where that other adult is a user of the service
or is the subject of the content.

5

10

See also, in relation to the duty set out in this section, section 29 (duties about
freedom of expression and privacy).
Duties about complaints procedures

(1)

This section sets out the duties about complaints procedures which apply in
relation to all regulated search services.

(2)

A duty to operate a complaints procedure in relation to a service that—
(a) allows for relevant kinds of complaint to be made (as set out under the
headings below),
(b) provides for appropriate action to be taken by the provider of the
service in response to complaints of a relevant kind, and
(c) is easy to access, easy to use (including by children) and transparent.

(3)

A duty to make the policies and processes that govern the handling and
resolution of complaints of a relevant kind publicly available and easily
accessible (including to children).

15

20

25

All services
(4)

The following kinds of complaint are relevant for all services—
(a) complaints by users and affected persons about search content which
they consider to be illegal content;
(b) complaints by users and affected persons if they consider that the
provider is not complying with a duty set out in—
(i) section 24 (illegal content),
(ii) section 27 (content reporting), or
(iii) section 29 (freedom of expression and privacy);
(c) complaints by an interested person if the provider of a search service
takes or uses measures in order to comply with a duty set out in section
24 that result in content relating to that interested person no longer
appearing in search results or being given a lower priority in search
results;
(d) complaints by an interested person if—
(i) the use of proactive technology on a search service results in
content relating to that interested person no longer appearing in
search results or being given a lower priority in search results,
and
(ii) the interested person considers that the proactive technology
has been used in a way not contemplated by, or in breach of, the

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

29

provider’s policies on its use (for example, by affecting content
not of a kind specified in those policies as a kind of content in
relation to which the technology would operate).
Services likely to be accessed by children
(5)

The following kinds of complaint are relevant for services that are likely to be
accessed by children—
(a) complaints by users and affected persons about search content which
they consider to be content that is harmful to children;
(b) complaints by users and affected persons if they consider that the
provider is not complying with a duty set out in section 26 (children’s
online safety);
(c) complaints by an interested person if the provider of a search service
takes or uses measures in order to comply with a duty set out in section
26 that result in content relating to that interested person no longer
appearing in search results or being given a lower priority in search
results;
(d) complaints by a user who is unable to access content because measures
used to comply with a duty set out in section 26(3) have resulted in an
incorrect assessment of the user’s age.
Interpretation etc

5

10

15

20

(6)

In this section—
“affected person” has the meaning given by section 27;
“interested person” has the meaning given by section 184(7).

(7)

See also, in relation to duties set out in this section, section 29 (duties about
freedom of expression and privacy).

25

Cross-cutting duties
29

Duties about freedom of expression and privacy
(1)

This section sets out the duties about freedom of expression and privacy which
apply in relation to all regulated search services.

(2)

When deciding on, and implementing, safety measures and policies, a duty to
have regard to the importance of protecting the rights of users and interested
persons to freedom of expression within the law.

(3)

When deciding on, and implementing, safety measures and policies, a duty to
have regard to the importance of protecting users from a breach of any
statutory provision or rule of law concerning privacy that is relevant to the use
or operation of a search service (including, but not limited to, any such
provision or rule concerning the processing of personal data).

(4)

In this section—
“interested person” has the meaning given by section 184(7);
“safety measures and policies” means measures and policies designed to
secure compliance with any of the duties set out in—
(a) section 24 (illegal content),
(b) section 26 (children’s online safety),
(c) section 27 (content reporting), or

30

35

40

30

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

(d)
30

section 28 (complaints procedures).

Record-keeping and review duties
(1)

This section sets out the record-keeping and review duties which apply in
relation to all regulated search services.

(2)

A duty to make and keep a written record, in an easily understandable form,
of every risk assessment under section 23 or 25.

(3)

A duty to make and keep a written record of any measures taken or in use to
comply with a relevant duty which—
(a) are described in a code of practice and recommended for the purpose
of compliance with the duty in question, and
(b) apply in relation to the provider and the service in question.
In this section such measures are referred to as “applicable measures in a code
of practice”.

(4)

If alternative measures have been taken or are in use to comply with a relevant
duty, a duty to make and keep a written record containing the following
information—
(a) the applicable measures in a code of practice that have not been taken
or are not in use,
(b) the alternative measures that have been taken or are in use,
(c) how those alternative measures amount to compliance with the duty in
question, and
(d) how the provider has complied with section 45(5) (freedom of
expression and privacy).

(5)

If alternative measures have been taken or are in use to comply with a duty set
out in section 24(2) or (3) or 26(2) or (3), the record required under subsection
(4) of this section must also indicate whether such measures have been taken
or are in use in every area listed in subsection (4) of those sections in relation to
which there are applicable measures in a code of practice.

(6)

A duty to review compliance with the relevant duties in relation to a service—
(a) regularly, and
(b) as soon as reasonably practicable after making any significant change
to any aspect of the design or operation of the service.

(7)

OFCOM may provide that particular descriptions of providers of search
services are exempt from any or all of the duties set out in this section, and may
revoke such an exemption.

(8)

OFCOM must publish details of any exemption or revocation under subsection
(7), including reasons for the revocation of an exemption.

(9)

In this section—
“alternative measures” means measures other than measures which are
(in relation to the provider and the service in question) applicable
measures in a code of practice;
“code of practice” means a code of practice published under section 42;
“relevant duties” means the duties set out in—
(a) section 24 (illegal content),
(b) section 26 (children’s online safety),

5

10

15

20

25

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 3 — Providers of search services: duties of care

(c)
(d)

31

section 27 (content reporting), and
section 28 (complaints procedures).
CHAPTER 4
CHILDREN’S ACCESS ASSESSMENTS

31

Children’s access assessments
(1)

(2)

(3)

(4)

(5)

32

In this Part, a “children’s access assessment” means an assessment of a Part 3
service—
(a) to determine whether it is possible for children to access the service or
a part of the service, and
(b) if it is possible for children to access the service or a part of the service,
to determine whether the child user condition is met in relation to the
service or a part of the service.
A provider is only entitled to conclude that it is not possible for children to
access a service, or a part of it, if there are systems or processes in place (for
example, age verification, or another means of age assurance) that achieve the
result that children are not normally able to access the service or that part of it.
The “child user condition” is met in relation to a service, or a part of a service,
if—
(a) there is a significant number of children who are users of the service or
of that part of it, or
(b) the service, or that part of it, is of a kind likely to attract a significant
number of users who are children.
For the purposes of subsection (3)—
(a) the reference to a “significant” number includes a reference to a number
which is significant in proportion to the total number of United
Kingdom users of a service or (as the case may be) a part of a service;
(b) whether the test in paragraph (a) of that subsection is met is to be based
on evidence about who actually uses a service, rather than who the
intended users of the service are.
In this Chapter—
(a) references to children are to children in the United Kingdom;
(b) references to a part of a service do not include any part of a service that
is not, or is not included in, a user-to-user part of a service or a search
engine.
Duties about children’s access assessments

(1)

A provider of a Part 3 service must carry out the first children’s access
assessment at a time set out in, or as provided by, Schedule 3.

(2)

Subsections (3) and (4) apply to a provider of a Part 3 service during any period
when the service is not treated as likely to be accessed by children (see section
33).

(3)

The provider must carry out children’s access assessments of the service not
more than one year apart.

5

10

15

20

25

30

35

40

32

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 4 — Children’s access assessments

(4)

The provider must carry out a children’s access assessment of the service—
(a) before making any significant change to any aspect of the service’s
design or operation to which such an assessment is relevant,
(b) in response to evidence about reduced effectiveness of any systems or
processes that are in place as mentioned in section 31(2), or
(c) in response to evidence about a significant increase in the number of
children using the service.

(5)

If a person is the provider of more than one Part 3 service, children’s access
assessments must be carried out for each service separately.

(6)

Children’s access assessments must be suitable and sufficient for the purposes
of this Part.

(7)

A provider must make and keep a written record, in an easily understandable
form, of every children’s access assessment.

33

5

10

Meaning of “likely to be accessed by children”
(1)

For the purposes of this Part, a Part 3 service is to be treated as “likely to be
accessed by children” in the following three cases (with the result that the
duties set out in sections 10 and 11, or (as the case may be) sections 25 and 26,
apply in relation to the service).

(2)

The first case is where a children’s access assessment carried out by the
provider of the service concludes that—
(a) it is possible for children to access the service or a part of it, and
(b) the child user condition is met in relation to—
(i) the service, or
(ii) a part of the service that it is possible for children to access.
This subsection is to be interpreted consistently with section 31.

(3)

In that case, the service is to be treated as likely to be accessed by children from
the date on which the children’s access assessment is completed.

(4)

The second case is where the provider of the service fails to carry out the first
children’s access assessment as required by section 32(1).

(5)

In that case—
(a) the service is to be treated as likely to be accessed by children from the
date by which the first children’s access assessment was required to
have been completed (see Part 1 of Schedule 3), and
(b) the service is to continue to be treated as likely to be accessed by
children by reason of subsection (4) until such time as the provider
completes the first children’s access assessment of the service.

(6)

The third case is where, following an investigation into a failure to comply with
a duty set out in section 32, OFCOM determine that a service should be treated
as likely to be accessed by children: see section 116(4) and (5).

(7)

In that case, the service is to be treated as likely to be accessed by children from
the date of, or specified in, the confirmation decision given to the provider of
the service (as the case may be: see section 116(5)).

15

20

25

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 5 — Duties about fraudulent advertising

33

CHAPTER 5
DUTIES ABOUT FRAUDULENT ADVERTISING
34

Duties about fraudulent advertising: Category 1 services
(1)

(2)

(3)

A provider of a Category 1 service must operate the service using
proportionate systems and processes designed to—
(a) prevent individuals from encountering content consisting of
fraudulent advertisements by means of the service;
(b) minimise the length of time for which any such content is present;
(c) where the provider is alerted by a person to the presence of such
content, or becomes aware of it in any other way, swiftly take down
such content.
A provider of a Category 1 service must include clear and accessible provisions
in the terms of service giving information about any proactive technology used
by the service for the purpose of compliance with the duty set out in subsection
(1) (including the kind of technology, when it is used, and how it works).
In relation to a Category 1 service, an advertisement is a “fraudulent
advertisement” if—
(a) it is a paid-for advertisement (see section 192),
(b) it amounts to an offence specified in section 36 (construed in
accordance with section 52: see subsections (3) and (9) of that section),
and
(c) it is not regulated user-generated content (see section 49) in relation to
the service.

(4)

If a person is the provider of more than one Category 1 service, the duties set
out in this section apply in relation to each such service.

(5)

In determining what is proportionate for the purposes of this section, the
following factors, in particular, are relevant—
(a) the nature, and severity, of potential harm to individuals presented by
different kinds of fraudulent advertisement, and
(b) the degree of control a provider has in relation to the placement of
advertisements on the service.

(6)

In the case of a Category 1 service which is a combined service, the duties set
out in this section do not extend to—
(a) fraudulent advertisements that may be encountered in search results of
the service or, following a search request, as a result of subsequent
interactions with internet services, or
(b) anything relating to the design, operation or use of the search engine.
But if the service is also a Category 2A service, the duties set out in section 35
apply as well as the duties set out in this section.

(7)

The duties set out in this section extend only to the design, operation and use
of a Category 1 service in the United Kingdom.

(8)

For the meaning of “Category 1 service”, see section 82 (register of categories
of services).

5

10

15

20

25

30

35

40

34

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 5 — Duties about fraudulent advertising

35

Duties about fraudulent advertising: Category 2A services
(1)

(2)

(3)

(4)

A provider of a Category 2A service must operate the service using
proportionate systems and processes designed to—
(a) prevent individuals from encountering content consisting of
fraudulent advertisements in or via search results of the service;
(b) if any such content may be encountered in or via search results of the
service, minimise the length of time that that is the case;
(c) where the provider is alerted by a person to the fact that such content
may be so encountered, or becomes aware of that fact in any other way,
swiftly ensure that individuals are no longer able to encounter such
content in or via search results of the service.
A provider of a Category 2A service must include clear and accessible
provisions in a publicly available statement giving information about any
proactive technology used by the service for the purpose of compliance with
the duty set out in subsection (1) (including the kind of technology, when it is
used, and how it works).
In relation to a Category 2A service, an advertisement is a “fraudulent
advertisement” if—
(a) it is a paid-for advertisement (see section 192), and
(b) it amounts to an offence specified in section 36 (construed in
accordance with section 52: see subsections (3) and (9) of that section).
The references to encountering fraudulent advertisements “in or via search
results” of a search service—
(a) are references to encountering fraudulent advertisements—
(i) in search results of the service, or
(ii) as a result of interacting with a paid-for advertisement in search
results of the service (for example, by clicking on it);
(b) do not include references to encountering fraudulent advertisements as
a result of any subsequent interactions with an internet service other
than the search service.

(5)

If a person is the provider of more than one Category 2A service, the duties set
out in this section apply in relation to each such service.

(6)

In determining what is proportionate for the purposes of this section, the
following factors, in particular, are relevant—
(a) the nature, and severity, of potential harm to individuals presented by
different kinds of fraudulent advertisement, and
(b) the degree of control a provider has in relation to the placement of
advertisements on the service.

(7)

The duties set out in this section extend only to the design, operation and use
of a Category 2A service in the United Kingdom.

(8)

For the meaning of “Category 2A service”, see section 82 (register of categories
of services).

36

5

10

15

20

25

30

35

40

Fraud etc offences
(1)

This section specifies offences for the purposes of this Chapter (see sections
34(3)(b) and 35(3)(b)).

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 5 — Duties about fraudulent advertising

(2)

(3)

(4)

35

An offence under any of the following provisions of the Financial Services and
Markets Act 2000—
(a) section 23 (contravention of prohibition on carrying on regulated
activity unless authorised or exempt);
(b) section 24 (false claims to be authorised or exempt);
(c) section 25 (contravention of restrictions on financial promotion).
An offence under any of the following provisions of the Fraud Act 2006—
(a) section 2 (fraud by false representation);
(b) section 4 (fraud by abuse of position);
(c) section 7 (making or supplying articles for use in frauds);
(d) section 9 (participating in fraudulent business carried on by sole trader
etc).
An offence under any of the following provisions of the Financial Services Act
2012—
(a) section 89 (misleading statements);
(b) section 90 (misleading impressions).

(5)

An offence of attempting or conspiring to commit an offence specified in
subsection (2), (3) or (4).

(6)

An offence under Part 2 of the Serious Crime Act 2007 (encouraging or
assisting) in relation to an offence specified in subsection (2), (3) or (4), or (in
Scotland) inciting a person to commit such an offence.

(7)

An offence of aiding, abetting, counselling or procuring the commission of an
offence specified in subsection (2), (3) or (4), or (in Scotland) being involved art
and part in the commission of such an offence.
CHAPTER 6

5

10

15

20

25

CODES OF PRACTICE AND GUIDANCE
Codes of practice
37

Codes of practice about duties
(1)

OFCOM must prepare and issue a code of practice for providers of Part 3
services describing measures recommended for the purpose of compliance
with duties set out in section 9 or 24 (illegal content) so far as relating to
terrorism content.

(2)

OFCOM must prepare and issue a code of practice for providers of Part 3
services describing measures recommended for the purpose of compliance
with duties set out in section 9 or 24 (illegal content) so far as relating to CSEA
content.

(3)

OFCOM must prepare and issue one or more codes of practice for providers of
Part 3 services describing measures recommended for the purpose of
compliance with the relevant duties (except to the extent that measures for the
purpose of compliance with such duties are described in a code of practice
prepared under subsection (1) or (2)).

30

35

40

36

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

(4)

OFCOM must prepare and issue a code of practice for providers of Category 1
services and providers of Category 2A services describing measures
recommended for the purpose of compliance with the duties set out in Chapter
5 (fraudulent advertising).

(5)

Where a code of practice under this section is in force, OFCOM may—
(a) prepare a draft of amendments of the code of practice;
(b) prepare a draft of a code of practice under subsection (1), (2), (3) or (4)
as a replacement for a code of practice previously issued under the
subsection in question;
(c) withdraw the code of practice.

(6)

In the course of preparing a draft of a code of practice or amendments of a code
of practice under this section, OFCOM must consult—
(a) the Secretary of State,
(b) persons who appear to OFCOM to represent providers of Part 3
services,
(c) persons who appear to OFCOM to represent the interests of United
Kingdom users of Part 3 services,
(d) persons who appear to OFCOM to represent the interests of children
(generally or with particular reference to online safety matters),
(e) persons who appear to OFCOM to represent the interests of persons
who have suffered harm as a result of content to which the code of
practice is relevant,
(f) persons whom OFCOM consider to have relevant expertise in equality
issues and human rights, in particular—
(i) the right to freedom of expression set out in Article 10 of the
Convention, and
(ii) the right to respect for a person’s private and family life, home
and correspondence set out in Article 8 of the Convention,
(g) the Information Commissioner,
(h) persons whom OFCOM consider to have expertise in public health,
science or medicine that is relevant to online safety matters,
(i) persons whom OFCOM consider to have expertise in innovation, or
emerging technology, that is relevant to online safety matters, and
(j) such other persons as OFCOM consider appropriate.

(7)

In the course of preparing a draft of a code of practice or amendments to which
this subsection applies, OFCOM must also consult persons whom OFCOM
consider to have expertise in the enforcement of the criminal law and the
protection of national security that is relevant to online safety matters.

(8)

Subsection (7) applies to—
(a) a code of practice under subsection (1) and amendments of such a code,
(b) a code of practice under subsection (2) and amendments of such a code,
(c) a code of practice under subsection (3) that describes measures
recommended for the purpose of compliance with duties set out in
section 9 or 24 (illegal content),
(d) amendments of a code of practice under subsection (3), if and to the
extent that those amendments relate to measures recommended for the
purpose of compliance with duties set out in section 9 or 24, and
(e) a code of practice under subsection (4) and amendments of such a code.

5

10

15

20

25

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

(9)
(10)

38

37

Subsections (6) and (7) are subject to section 44 (minor amendments of code of
practice).
In this section “the relevant duties” means the duties set out in—
(a) sections 9 and 24 (illegal content),
(b) sections 11 and 26 (children’s online safety),
(c) section 13 (adults’ online safety),
(d) section 14 (user empowerment),
(e) section 15 (content of democratic importance),
(f) section 16 (journalistic content),
(g) sections 17 and 27 (content reporting), and
(h) sections 18 and 28 (complaints procedures).

5

10

Codes of practice: principles, objectives, content
Schedule 4 contains—
(a) provision about the principles OFCOM must consider when preparing
codes of practice under section 37,
(b) the online safety objectives (and a power for the Secretary of State by
regulations to revise those objectives),
(c) provision about the measures that may be described in codes of
practice (including, in particular, constraints on the recommendation of
the use of proactive technology), and
(d) other provision related to codes of practice.

39

15

20

Procedure for issuing codes of practice
(1)

Where OFCOM have prepared a draft of a code of practice under section 37,
they must submit the draft to the Secretary of State.

(2)

Unless the Secretary of State intends to give a direction to OFCOM under
section 40(1) in relation to the draft, the Secretary of State must, as soon as
reasonably practicable, lay the draft before Parliament.

(3)

If, within the 40-day period, either House of Parliament resolves not to
approve the draft—
(a) OFCOM must not issue the code of practice in the form of that draft,
and
(b) OFCOM must prepare another draft of the code of practice under
section 37.

(4)

(5)

If no such resolution is made within that period—
(a) OFCOM must issue the code of practice in the form of the draft laid
before Parliament, and
(b) the code of practice comes into force at the end of the period of 21 days
beginning with the day on which it is issued.
In this section, “the 40-day period” means—
(a) if the draft is laid before both Houses of Parliament on the same day,
the period of 40 days beginning with that day, or
(b) if the draft is laid before the Houses of Parliament on different days, the
period of 40 days beginning with the later of those days.

25

30

35

40

38

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

(6)

In calculating the 40-day period, no account is to be taken of any period during
which Parliament is dissolved or prorogued or during which both Houses of
Parliament are adjourned for more than 4 days.

(7)

This section applies in relation to a draft of amendments of a code of practice
prepared under section 37 as it applies in relation to a draft of a code of practice
prepared under that section.

(8)

This section is subject to section 44 (minor amendments of codes of practice).

40

5

Secretary of State’s powers of direction
(1)

The Secretary of State may direct OFCOM to modify a draft of a code of
practice submitted under section 39(1) if the Secretary of State believes that
modifications are required—
(a) for reasons of public policy, or
(b) in the case of a terrorism or CSEA code of practice, for reasons of
national security or public safety.

(2)

But if a draft of a terrorism or CSEA code of practice is submitted under section
39(1) following a review under section 43(2), the Secretary of State may only
direct OFCOM to modify the draft if the Secretary of State believes that
modifications are required for reasons of national security or public safety.

(3)

If, following a review of a terrorism or CSEA code of practice under section
43(2), OFCOM submit a statement to the Secretary of State under section
43(3)(b) (“OFCOM’s review statement”), the Secretary of State may direct
OFCOM to modify the code of practice if the Secretary of State believes that
modifications are required for reasons of national security or public safety.

(4)

A direction given under subsection (3)—
(a) must be given within the period of 45 days beginning with the day on
which OFCOM’s review statement is submitted to the Secretary of
State, and
(b) must make particular reference to OFCOM’s review statement.

(5)

(6)

A direction given under this section—
(a) may not require OFCOM to include in a code of practice provision
about a particular measure recommended to be taken or used by
providers of Part 3 services, and
(b) must set out the Secretary of State’s reasons for requiring
modifications, except in a case where the Secretary of State considers
that doing so would be against the interests of national security, public
safety or relations with the government of a country outside the United
Kingdom.
If the Secretary of State gives a direction under this section, OFCOM must, as
soon as reasonably practicable—
(a) comply with the direction,
(b) submit to the Secretary of State a draft of the code of practice modified
in accordance with the direction,
(c) submit to the Secretary of State a document containing—
(i) (except in a case mentioned in subsection (5)(b)) details of the
direction, and

10

15

20

25

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

39

(ii)

(d)

details about how the draft has been revised in response to the
direction, and
inform the Secretary of State about modifications that OFCOM have
made to the draft that are not in response to the direction (if there are
any).

(7)

The Secretary of State may give OFCOM one or more further directions
requiring OFCOM to modify the draft of the code of practice.

(8)

Such further directions may only be given for the reasons set out in subsection
(1), (2) or (3) (as the case may be), and subsections (5) and (6) apply again in
relation to such further directions.

(9)

When the Secretary of State is satisfied that no further modifications to the
draft are required, the Secretary of State must, as soon as reasonably
practicable, lay before Parliament—
(a) the modified draft,
(b) any document submitted by OFCOM as mentioned in subsection (6)(c),
and
(c) in the case of a direction under subsection (3), OFCOM’s review
statement.

(10)

Before laying OFCOM’s review statement before Parliament, the Secretary of
State may, with OFCOM’s agreement, remove or obscure information in the
statement (whether by redaction or otherwise) in order to prevent the
disclosure of matters that the Secretary of State considers would be against the
interests of national security, public safety or relations with the government of
a country outside the United Kingdom.

(11)

This section applies in relation to a draft of amendments of a code of practice
submitted under section 39(1) as it applies in relation to a draft of a code of
practice submitted under that provision.

(12)

In this section “terrorism or CSEA code of practice” means a code of practice
under section 37(1) or (2).

41

Procedure for issuing codes of practice following direction under section 40
(1)

This section sets out the procedure that applies where a draft of a code of
practice is laid before Parliament under section 40(9).

(2)

If the draft contains modifications made following a direction given under
section 40(1)(a), the affirmative procedure applies.

(3)

If the draft contains modifications made following a direction given under
section 40(1)(b), (2) or (3), the negative procedure applies.

(4)

The “affirmative procedure” is as follows—
(a) a code of practice in the form of the draft laid before Parliament must
not be issued by OFCOM unless the draft has been approved by a
resolution of each House of Parliament;
(b) if the draft is so approved, the code of practice comes into force at the
end of the period of 21 days beginning with the day on which it is
issued;
(c) if the draft is not so approved, OFCOM must prepare another draft of
the code of practice under section 37.

5

10

15

20

25

30

35

40

45

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

(5)

The “negative procedure” is as follows—
(a) if, within the 40-day period, either House of Parliament resolves not to
approve the draft—
(i) OFCOM must not issue the code of practice in the form of that
draft, and
(ii) OFCOM must prepare another draft of the code of practice
under section 37;
(b) if no such resolution is made within that period—
(i) OFCOM must issue the code of practice in the form of the draft
laid before Parliament, and
(ii) the code of practice comes into force at the end of the period of
21 days beginning with the day on which it is issued.

(6)

“The 40-day period” has the same meaning as in section 39 (see subsections (5)
and (6) of that section).

(7)

This section applies in relation to a draft of amendments of a code of practice
laid before Parliament under section 40(9) as it applies in relation to a draft of
a code of practice laid under that provision.

42

5

10

15

Publication of codes of practice
(1)

OFCOM must publish each code of practice issued under section 39 or 41
within the period of three days beginning with the day on which it is issued.

(2)

Where amendments of a code of practice are issued under either of those
sections, OFCOM must publish the amended code of practice within the period
of three days beginning with the day on which the amendments are issued.

(3)

Where a code of practice is withdrawn, OFCOM must publish a notice to that
effect.

43

20

25

Review of codes of practice
(1)

OFCOM must keep under review each code of practice published under
section 42.

(2)

The Secretary of State may require OFCOM to review a terrorism or CSEA code
of practice published under section 42 if the Secretary of State considers a
review to be necessary for reasons of national security or public safety (and the
Secretary of State must notify OFCOM whether the reasons fall into the
category of national security or public safety).

(3)

OFCOM must carry out a review of the code of practice under subsection (2) as
soon as reasonably practicable, and when it is completed—
(a) if OFCOM consider that changes are required, they must prepare a
draft of amendments to the code of practice or a draft of a replacement
code of practice under section 37, or
(b) if OFCOM consider that no changes are required, they must submit to
the Secretary of State a statement which explains the reasons for that
conclusion.

(4)

Subsection (5) applies if—
(a) OFCOM submit a statement under subsection (3)(b) to the Secretary of
State,

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

(b)
(c)

41

the period of 45 days beginning with the day on which the statement
was submitted has elapsed, and
the Secretary of State has not given a direction under section 40(3).

(5)

OFCOM must publish the statement as soon as reasonably practicable after the
end of the period mentioned in subsection (4)(b), making it clear which code of
practice the statement relates to.

(6)

In advance of publication, the Secretary of State may make representations to
OFCOM about the desirability of removing or obscuring information in the
statement (whether by redaction or otherwise) in order to prevent the
disclosure of matters that the Secretary of State considers would be against the
interests of national security, public safety or relations with the government of
a country outside the United Kingdom (and see also section 100(3)).

(7)

44

This section applies if—
(a) OFCOM propose to amend a code of practice under section 37, and
(b) OFCOM consider that the minor nature of the proposal means that—
(i) consultation is unnecessary, and
(ii) the proposed amendments should not be required to be laid
before Parliament.

(2)

OFCOM must notify the Secretary of State of the proposed amendments.

(3)

If the Secretary of State agrees with OFCOM that it is appropriate—
(a) the consultation requirements set out in section 37(6) and (7) do not
apply in relation to the proposed amendments, and
(b) section 39 does not apply to the amendments, once prepared.

(4)

If the Secretary of State agrees with OFCOM as mentioned in subsection (3),
OFCOM may prepare and issue the amendments of the code of practice.

(5)

Amendments of a code of practice issued under this section come into force at
the end of the period of 21 days beginning with the day on which the
amendments are issued.

(6)

Section 42(2) applies in relation to amendments of a code of practice issued
under this section as it applies in relation to amendments of a code of practice
issued under section 39 or 41.

45

10

In this section “terrorism or CSEA code of practice” means a code of practice
under section 37(1) or (2).
Minor amendments of codes of practice

(1)

5

Relationship between duties and codes of practice

15

20

25

30

35

Duties set out in Chapters 2 and 3
(1)

A provider of a Part 3 service is to be treated as complying with a relevant duty
if the provider takes or uses the measures described in a code of practice which
are recommended for the purpose of compliance with the duty in question.

(2)

A provider of a user-to-user service—
(a) is to be treated as complying with the duty set out in section 19(2)
(freedom of expression) if the provider takes or uses such of the

40

42

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

(b)

(3)

relevant recommended measures as incorporate safeguards to protect
users’ right to freedom of expression within the law;
is to be treated as complying with the duty set out in section 19(3)
(privacy) if the provider takes or uses such of the relevant
recommended measures as incorporate safeguards to protect the
privacy of users.

A provider of a search service—
(a) is to be treated as complying with the duty set out in section 29(2)
(freedom of expression) if the provider takes or uses such of the
relevant recommended measures as incorporate safeguards to protect
the rights of users and interested persons to freedom of expression
within the law;
(b) is to be treated as complying with the duty set out in section 29(3)
(privacy) if the provider takes or uses such of the relevant
recommended measures as incorporate safeguards to protect the
privacy of users.

5

10

15

Duties set out in Chapter 5
(4)

A provider of a Category 1 service or a Category 2A service (or a provider of a
service which is both a Category 1 service and a Category 2A service) is to be
treated as complying with a duty set out in Chapter 5 if the provider takes or
uses the measures described in a fraudulent advertising code of practice which
are recommended for the purpose of compliance with the duty in question.

20

Alternative measures
(5)

(6)

A provider of a Part 3 service who seeks to comply with a relevant duty by
acting otherwise than by taking or using a measure described in a code of
practice or a fraudulent advertising code of practice which is recommended for
the purpose of compliance with the duty must have regard to the importance
of the following (where relevant)—
(a) protecting the right of users and (in the case of search services)
interested persons to freedom of expression within the law, and
(b) protecting the privacy of users.
When assessing whether a provider of a Part 3 service is compliant with a
relevant duty where the provider has acted otherwise than by taking or using
a measure described in a code of practice or a fraudulent advertising code of
practice which is recommended for the purpose of compliance with the duty,
OFCOM must consider the extent to which the alternative measures taken or
in use by the provider—
(a) extend across all areas of a service as mentioned in section 9(4), 11(4),
24(4) or 26(4) (if relevant to the duty in question), and
(b) (where appropriate) incorporate safeguards for the protection of the
matters mentioned in subsection (5)(a) and (b).

25

30

35

40

Interpretation
(7)

(8)

In subsections (1) to (4), references to taking or using measures recommended
for the purpose of compliance with a duty, or to taking or using relevant
recommended measures, are to taking or using such of those measures as are
relevant to the provider and the service in question.
In this section—

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

(a)

(b)
(9)

46

43

references to protecting the privacy of users are to protecting users
from a breach of any statutory provision or rule of law concerning
privacy that is relevant to the use or operation of a user-to-user service
or search service (including, but not limited to, any such provision or
rule concerning the processing of personal data);
references to a search service include references to a combined service
(see section 6(6)).

In this section—
“Chapter 2 safety duty” means a duty set out in—
(a) section 9 (illegal content),
(b) section 11 (children’s online safety), or
(c) section 13 (adults’ online safety);
“Chapter 3 safety duty” means a duty set out in—
(a) section 24 (illegal content), or
(b) section 26 (children’s online safety);
“code of practice” means a code of practice published under section 42,
except a fraudulent advertising code of practice;
“fraudulent advertising code of practice” means a code of practice
prepared under section 37(4) and published under section 42;
“relevant duty” means—
(a) a Chapter 2 safety duty,
(b) a Chapter 3 safety duty,
(c) a duty set out in section 14 (user empowerment),
(d) a duty set out in section 15 (content of democratic importance),
(e) a duty set out in section 16 (journalistic content),
(f) a duty set out in section 17 or 27 (content reporting), or
(g) a duty set out in section 18 or 28 (complaints procedures);
“relevant recommended measures” means the measures described in a
code of practice which are recommended for the purpose of compliance
with—
(a) in the case of a user-to-user service, a Chapter 2 safety duty;
(b) in the case of a search service, a Chapter 3 safety duty.

5

10

15

20

25

30

Effects of codes of practice
(1)

A failure by a provider of a Part 3 service to act in accordance with a provision
of a code of practice does not of itself make the provider liable to legal
proceedings in a court or tribunal.

(2)

A code of practice is admissible in evidence in legal proceedings.

(3)

In any proceedings in a court or tribunal, the court or tribunal must take into
account a provision of a code of practice in determining a question arising in
the proceedings if—
(a) the question relates to a time when the provision was in force, and
(b) the provision appears to the court or tribunal to be relevant to the
question.

(4)

OFCOM must take into account a provision of a code of practice in
determining a question arising in connection with their exercise of any relevant
function if—

35

40

45

44

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

(a)
(b)
(5)

47

the question relates to a time when the provision was in force, and
the provision appears to OFCOM to be relevant to the question.

In this section—
“code of practice” means a code of practice published under section 42;
“relevant functions” means OFCOM’s functions under—
(a) Chapter 4 of Part 7 (information),
(b) Chapter 5 of Part 7 (notices to deal with terrorism content and
CSEA content),
(c) Chapter 6 of Part 7 (enforcement), and
(d) Chapter 2 of Part 8 (super-complaints).

5

10

Duties and the first codes of practice
(1)

A duty mentioned in subsection (3) applies to providers of Part 3 services from
the day on which a code of practice prepared under section 37(3) that is the first
code of practice relating to that duty comes into force.

(2)

In the case of the duties set out in sections 9 and 24, subsection (1) is subject to
subsections (5) and (6).

(3)

The duties referred to in subsection (1) are the duties set out in—
(a) sections 9 and 24 (illegal content),
(b) sections 11 and 26 (children’s online safety),
(c) section 13 (adults’ online safety),
(d) section 14 (user empowerment),
(e) section 15 (content of democratic importance),
(f) section 16 (journalistic content),
(g) sections 17 and 27 (content reporting), and
(h) sections 18 and 28 (complaints procedures).

(4)

For the purposes of subsection (1) a code of practice is the first code of practice
relating to a duty if—
(a) it describes measures recommended for the purpose of compliance
with that duty, and
(b) it is the first code of practice prepared under section 37(3) that describes
measures for that purpose.

(5)

The duties set out in sections 9 and 24, so far as relating to terrorism content,
apply to providers of Part 3 services from the day on which the first code of
practice prepared under section 37(1) comes into force.

(6)

The duties set out in sections 9 and 24, so far as relating to CSEA content, apply
to providers of Part 3 services from the day on which the first code of practice
prepared under section 37(2) comes into force.

(7)

The duties set out in Chapter 5 (fraudulent advertising) apply to providers of
a Category 1 service and providers of a Category 2A service (and to providers
of a service which is both a Category 1 service and a Category 2A service) from
the day on which the first code of practice prepared under section 37(4) comes
into force.

(8)

In relation to the provider of a particular Part 3 service, references in this
section to duties applying to providers of Part 3 services (or to providers of
Category 1 services or Category 2A services) are to such duties as apply in

15

20

25

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 6 — Codes of practice and guidance

45

relation to that service in accordance with sections 6 and 21 or (as the case may
be) Chapter 5.
Guidance
48

OFCOM’s guidance: record-keeping duties and children’s access assessments
(1)

OFCOM must produce guidance for providers of Part 3 services to assist them
in complying with—
(a) their duties set out in section 20 or 30 (record-keeping and review), and
(b) their duties set out in section 32 (children’s access assessments).

(2)

Before producing the guidance (including revised or replacement guidance),
OFCOM must consult the Information Commissioner.

(3)

OFCOM must publish the guidance (and any revised or replacement
guidance).

5

10

CHAPTER 7
INTERPRETATION OF PART 3
49

“Regulated user-generated content”, “user-generated content”, “news
publisher content”
(1)

This section applies for the purposes of this Part.

(2)

“Regulated user-generated content”, in relation to a regulated user-to-user
service, means user-generated content, except—
(a) emails,
(b) SMS messages,
(c) MMS messages,
(d) one-to-one live aural communications (see subsection (5)),
(e) comments and reviews on provider content (see subsection (6)),
(f) identifying content that accompanies content within any of paragraphs
(a) to (e), and
(g) news publisher content (see subsection (8)).

(3)

(4)

“User-generated content”, in relation to a user-to-user service, means content—
(a) that is—
(i) generated directly on the service by a user of the service, or
(ii) uploaded to or shared on the service by a user of the service,
and
(b) that may be encountered by another user, or other users, of the service
by means of the service.
For the purposes of subsection (3)—
(a) the reference to content generated, uploaded or shared by a user
includes content generated, uploaded or shared by means of software
or an automated tool applied by the user;
(b) a bot is to be regarded as a user of a service if—
(i) the bot’s functions include interacting with user-generated
content, and

15

20

25

30

35

40

46

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 7 — Interpretation of Part 3

(ii)
(5)

the bot is not operated by or on behalf of the provider of the
service.

“One-to-one live aural communications”, in relation to a user-to-user service,
means content—
(a) consisting of speech or other sounds conveyed in real time between two
users of the service by means of the service,
(b) that is not a recording, and
(c) that is not accompanied by user-generated content of any other
description, except identifying content.

(6)

“Comments and reviews on provider content”, in relation to a user-to-user
service, means content present on the service consisting of comments on, or
reviews of, provider content (together with any further comments on such
comments or reviews).

(7)

In subsection (6) “provider content” means content published on a service by
the provider of the service or by a person acting on behalf of the provider
(including where the publication of the content is effected or controlled by
means of software or an automated tool or algorithm applied by the provider
or by a person acting on behalf of the provider).
For the purposes of subsection (6), content that is user-generated content in
relation to a service is not to be regarded as provider content in relation to that
service.

(8)

“News publisher content”, in relation to a regulated user-to-user service,
means any content present on the service that is within subsection (9) or (10).

(9)

Content is within this subsection if it was generated directly on the service by
a user of the service that is a recognised news publisher.

(10)

Content is within this subsection if—
(a) the content was uploaded to or shared on the service by a user of the
service, and
(b) the content either—
(i) reproduces in full an article or written item that was originally
published by a recognised news publisher (and is not a
screenshot or photograph of that article or item or of part of it),
(ii) is a recording of an item originally broadcast by a recognised
news publisher (and is not an excerpt of such a recording), or
(iii) is a link to a full article or written item originally published by
a recognised news publisher, or to a full recording of an item
originally broadcast by a recognised news publisher.

(11)

For the meaning of “recognised news publisher”, see section 50.

(12)

In this section—
“MMS message” means a Multimedia Messaging Service message (that
may include images, sounds and short videos) that may be sent
between telephone numbers allocated in accordance with a national or
international numbering plan;
“SMS message” means a Short Message Service text message composed
principally of letters or numbers that may be sent between telephone
numbers allocated in accordance with a national or international
numbering plan.

5

10

15

20

25

30

35

40

45

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 7 — Interpretation of Part 3

50

47

“Recognised news publisher”
(1)

(2)

(3)

(4)

(5)

In this Part, “recognised news publisher” means any of the following entities—
(a) the British Broadcasting Corporation,
(b) Sianel Pedwar Cymru,
(c) the holder of a licence under the Broadcasting Act 1990 or 1996 who
publishes news-related material in connection with the broadcasting
activities authorised under the licence, and
(d) any other entity which—
(i) meets all of the conditions in subsection (2), and
(ii) is not an excluded entity (see subsection (3)).
The conditions referred to in subsection (1)(d)(i) are that the entity—
(a) has as its principal purpose the publication of news-related material,
and such material—
(i) is created by different persons, and
(ii) is subject to editorial control,
(b) publishes such material in the course of a business (whether or not
carried on with a view to profit),
(c) is subject to a standards code,
(d) has policies and procedures for handling and resolving complaints,
(e) has a registered office or other business address in the United
Kingdom,
(f) is the person with legal responsibility for material published by it in the
United Kingdom, and
(g) publishes—
(i) the entity’s name, the address mentioned in paragraph (e) and
the entity’s registered number (if any), and
(ii) the name and address of any person who controls the entity
(including, where such a person is an entity, the address of that
person’s registered or principal office and that person’s
registered number (if any)).
An “excluded entity” is an entity—
(a) which is a proscribed organisation under the Terrorism Act 2000 (see
section 3 of that Act), or
(b) the purpose of which is to support a proscribed organisation under that
Act.
For the purposes of subsection (2)—
(a) news-related material is “subject to editorial control” if there is a person
(whether or not the publisher of the material) who has editorial or
equivalent responsibility for the material, including responsibility for
how it is presented and the decision to publish it;
(b) “control” has the same meaning as it has in the Broadcasting Act 1990
by virtue of section 202 of that Act.
In this section—
“news-related material” means material consisting of—
(a) news or information about current affairs,
(b) opinion about matters relating to the news or current affairs, or
(c) gossip about celebrities, other public figures or other persons in
the news;

5

10

15

20

25

30

35

40

45

48

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 7 — Interpretation of Part 3

“publish” means publish by any means (including by broadcasting), and
references to a publisher and publication are to be construed
accordingly;
“standards code” means—
(a) a code of standards that regulates the conduct of publishers,
that is published by an independent regulator, or
(b) a code of standards that regulates the conduct of the entity in
question, that is published by the entity itself.
51

5

“Search content”, “search results” etc
(1)

This section applies for the purposes of this Part.

(2)

“Search content” means content that may be encountered in or via search
results of a search service, except—
(a) paid-for advertisements (see section 192),
(b) content on the website of a recognised news publisher (see section 50),
and
(c) content that—
(i) reproduces in full an article or written item that was originally
published by a recognised news publisher (and is not a
screenshot or photograph of that article or item or of part of it),
(ii) is a recording of an item originally broadcast by a recognised
news publisher (and is not an excerpt of such a recording), or
(iii) is a link to a full article or written item originally published by
a recognised news publisher, or to a full recording of an item
originally broadcast by a recognised news publisher.

(3)

“Search results”, in relation to a search service, means content presented to a
user of the service by operation of the search engine in response to a search
request made by the user.

(4)

“Search” means search by any means, including by input of text or images or
by speech, and references to a search request are to be construed accordingly.

(5)

In subsection (2), the reference to encountering content “via search results”—
(a) is to encountering content as a result of interacting with search results
(for example, by clicking on them);
(b) does not include a reference to encountering content as a result of
subsequent interactions with an internet service other than the search
service.

(6)

52

10

15

20

25

30

35

In this section references to a search service include references to a user-to-user
service that includes a search engine.
“Illegal content” etc

(1)

This section applies for the purposes of this Part.

(2)

“Illegal content” means content that amounts to a relevant offence.

(3)

Content consisting of certain words, images, speech or sounds amounts to a
relevant offence if—
(a) the use of the words, images, speech or sounds amounts to a relevant
offence,

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 7 — Interpretation of Part 3

(b)
(c)
(d)
(4)

49

(in the case of a user-to-user service) the use of the words, images,
speech or sounds, when taken together with other regulated usergenerated content present on the service, amounts to a relevant offence,
the possession, viewing or accessing of the content constitutes a
relevant offence, or
the publication or dissemination of the content constitutes a relevant
offence.

“Relevant offence” means—
(a) an offence specified in Schedule 5 (terrorism offences),
(b) an offence specified in Schedule 6 (offences related to child sexual
exploitation and abuse),
(c) an offence specified in Schedule 7 (other priority offences), or
(d) an offence, not within paragraph (a), (b) or (c), of which the victim or
intended victim is an individual (or individuals).

(5)

“Terrorism content” means content that amounts to an offence specified in
Schedule 5.

(6)

“CSEA content” means content that amounts to an offence specified in
Schedule 6.

(7)

“Priority illegal content” means—
(a) terrorism content,
(b) CSEA content, and
(c) content that amounts to an offence specified in Schedule 7.

(8)

(9)

An offence is not to be regarded as a relevant offence within subsection (4)(d)
if—
(a) the offence concerns—
(i) the infringement of intellectual property rights,
(ii) the safety or quality of goods (as opposed to what kind of goods
they are), or
(iii) the performance of a service by a person not qualified to
perform it; or
(b) it is an offence under the Consumer Protection from Unfair Trading
Regulations 2008 (S.I. 2008/1277).
For the purposes of determining whether content amounts to an offence, no
account is to be taken of whether or not anything done in relation to the content
takes place in any part of the United Kingdom.

(10)

Subsection (11) applies in relation to a regulated user-to-user service (but, in
the case of a combined service, does not apply in relation to the search content
of the service).

(11)

References to “illegal content”, “terrorism content”, “CSEA content” and
“priority illegal content” are to be read as—
(a) limited to content within the definition in question that is regulated
user-generated content in relation to the service, and
(b) including material which, if it were present on the service, would be
content within paragraph (a) (and this section is to be read with such
modifications as may be necessary for the purpose of this paragraph).

5

10

15

20

25

30

35

40

45

50

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 7 — Interpretation of Part 3

(12)

53

In this section “offence” means an offence under the law of any part of the
United Kingdom.
“Content that is harmful to children” etc

(1)

This section applies for the purposes of this Part.

(2)

“Primary priority content that is harmful to children” means content of a
description designated in regulations made by the Secretary of State as
primary priority content that is harmful to children.

(3)

“Priority content that is harmful to children” means content of a description
designated in regulations made by the Secretary of State as priority content
that is harmful to children.

(4)

(5)

“Content that is harmful to children” means—
(a) primary priority content that is harmful to children,
(b) priority content that is harmful to children, or
(c) content, not within paragraph (a) or (b), of a kind which presents a
material risk of significant harm to an appreciable number of children
in the United Kingdom.
For the purposes of this section—
(a) illegal content (see section 52) is not to be regarded as within subsection
(4)(c), and
(b) content is not to be regarded as within subsection (4)(c) if the risk of
harm flows from—
(i) the content’s potential financial impact,
(ii) the safety or quality of goods featured in the content, or
(iii) the way in which a service featured in the content may be
performed (for example, in the case of the performance of a
service by a person not qualified to perform it).

(6)

“Non-designated content that is harmful to children” means content within
subsection (4)(c).

(7)

Subsection (8) applies in relation to a regulated user-to-user service (but, in the
case of a combined service, does not apply in relation to the search content of
the service).

(8)

References to “primary priority content that is harmful to children”, “priority
content that is harmful to children”, “content that is harmful to children” and
“non-designated content that is harmful to children” are to be read as—
(a) limited to content within the definition in question that is regulated
user-generated content in relation to the service, and
(b) including material which, if it were present on the service, would be
content within paragraph (a) (and this section is to be read with such
modifications as may be necessary for the purpose of this paragraph).

(9)

54

Sections 55 and 56 contain further provision about regulations made under this
section.
“Content that is harmful to adults” etc

(1)

This section applies for the purposes of this Part.

5

10

15

20

25

30

35

40

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 7 — Interpretation of Part 3

51

(2)

“Priority content that is harmful to adults” means content of a description
designated in regulations made by the Secretary of State as priority content
that is harmful to adults.

(3)

“Content that is harmful to adults” means—
(a) priority content that is harmful to adults, or
(b) content, not within paragraph (a), of a kind which presents a material
risk of significant harm to an appreciable number of adults in the
United Kingdom.

(4)

(5)

(6)

55

For the purposes of this section—
(a) illegal content (see section 52) is not to be regarded as within subsection
(3)(b), and
(b) content is not to be regarded as within subsection (3)(b) if the risk of
harm flows from—
(i) the content’s potential financial impact,
(ii) the safety or quality of goods featured in the content, or
(iii) the way in which a service featured in the content may be
performed (for example, in the case of the performance of a
service by a person not qualified to perform it).
References to “priority content that is harmful to adults” and “content that is
harmful to adults” are to be read as—
(a) limited to content within the definition in question that is regulated
user-generated content in relation to a regulated user-to-user service,
and
(b) including material which, if it were present on a regulated user-to-user
service, would be content within paragraph (a) (and this section is to be
read with such modifications as may be necessary for the purpose of
this paragraph).

10

15

20

25

Sections 55 and 56 contain further provision about regulations made under this
section.
Regulations under sections 53 and 54

(1)

5

The Secretary of State may specify a description of content in regulations under
section 53(2) (primary priority content that is harmful to children) only if the
Secretary of State considers that, in relation to Part 3 services—
(a) there is a material risk of significant harm to an appreciable number of
children presented by content of that description that is regulated usergenerated content or search content, and
(b) it is appropriate for the duties set out in sections 11(3)(a) and 26(3)(a)
(duty in relation to children of all ages) to apply in relation to content
of that description.

30

35

(2)

The Secretary of State may specify a description of content in regulations under
section 53(3) (priority content that is harmful to children) only if the Secretary
of State considers that, in relation to Part 3 services, there is a material risk of
significant harm to an appreciable number of children presented by content of
that description that is regulated user-generated content or search content.

40

(3)

The Secretary of State may specify a description of content in regulations under
section 54(2) (priority content that is harmful to adults) only if the Secretary of
State considers that, in relation to regulated user-to-user services, there is a

45

52

Part 3 — Providers of regulated user-to-user services and regulated search services: duties of care
Chapter 7 — Interpretation of Part 3

material risk of significant harm to an appreciable number of adults presented
by content of that description that is regulated user-generated content.
(4)

The Secretary of State may not specify a description of content in regulations
under section 53 or 54 if—
(a) any content of that description is illegal content (see section 52), or
(b) the risk of harm presented by content of that description flows from—
(i) the content’s potential financial impact,
(ii) the safety or quality of goods featured in the content, or
(iii) the way in which a service featured in the content may be
performed (for example, in the case of the performance of a
service by a person not qualified to perform it).

(5)

The Secretary of State must consult OFCOM before making regulations under
section 53 or 54.

(6)

In this section references to children or adults are to children or adults in the
United Kingdom.

56

5

10

15

Regulations under sections 53 and 54: OFCOM’s review and report
(1)

In this section “regulations” means regulations under section 53 or 54.

(2)

For so long as regulations are in force, OFCOM must carry out reviews of—
(a) the incidence on regulated user-to-user services of—
(i) content that is harmful to children, and
(ii) content that is harmful to adults,
(b) the incidence on regulated search services and combined services of
search content that is harmful to children, and
(c) the severity of harm that individuals in the United Kingdom suffer, or
may suffer, as a result of those kinds of content.

(3)

OFCOM must produce and publish a report on the outcome of each review.

(4)

The report must include advice as to whether, in OFCOM’s opinion, it is
appropriate to make changes to the regulations, specifying the changes that
OFCOM recommend.

(5)

The reports must be published not more than three years apart.

(6)

The first report must be published before the end of the period of three years
beginning with the day on which the first statutory instrument containing
regulations is made.

(7)

OFCOM must send a copy of each report to the Secretary of State.

20

25

30

Part 4 — Other duties of providers of regulated user-to-user services and regulated search services
Chapter 1 — Providers of Category 1 services: user identity verification

53

PART 4
OTHER DUTIES OF PROVIDERS OF REGULATED USER-TO-USER SERVICES AND REGULATED
SEARCH SERVICES

CHAPTER 1
PROVIDERS OF CATEGORY 1 SERVICES: USER IDENTITY VERIFICATION
57

5

User identity verification
(1)

A provider of a Category 1 service must offer all adult users of the service the
option to verify their identity (if identity verification is not required for access
to the service).

(2)

The verification process may be of any kind (and in particular, it need not
require documentation to be provided).

(3)

A provider of a Category 1 service must include clear and accessible provisions
in the terms of service explaining how the verification process works.

(4)

If a person is the provider of more than one Category 1 service, the duties set
out in this section apply in relation to each such service.

(5)

The duty set out in subsection (1) applies in relation to all adult users, not just
those who begin to use a service after that duty begins to apply.

(6)

The duties set out in this section extend only to—
(a) the user-to-user part of a service, and
(b) the design, operation and use of a service in the United Kingdom.

(7)

For the purposes of this section a person is an “adult user” of a service if the
person is an adult in the United Kingdom who—
(a) is a user of the service, or
(b) seeks to begin to use the service (for example by setting up an account).

(8)

For the meaning of “Category 1 service”, see section 82 (register of categories
of services).

58

10

15

20

25

OFCOM’s guidance about user identity verification
(1)

OFCOM must produce guidance for providers of Category 1 services to assist
them in complying with the duty set out in section 57(1).

(2)

In producing the guidance (including revised or replacement guidance),
OFCOM must have particular regard to the desirability of ensuring that
providers of Category 1 services offer users a form of identity verification
likely to be available to vulnerable adult users.

(3)

Before producing the guidance (including revised or replacement guidance),
OFCOM must consult—
(a) the Information Commissioner,
(b) persons whom OFCOM consider to have technological expertise
relevant to the duty set out in section 57(1),
(c) persons who appear to OFCOM to represent the interests of vulnerable
adult users of Category 1 services, and

30

35

40

54

Part 4 — Other duties of providers of regulated user-to-user services and regulated search services
Chapter 1 — Providers of Category 1 services: user identity verification

(d)
(4)

such other persons as OFCOM consider appropriate.

OFCOM must publish the guidance (and any revised or replacement
guidance).
CHAPTER 2
REPORTING CHILD SEXUAL EXPLOITATION AND ABUSE CONTENT

59

5

Requirement to report CSEA content to the NCA
(1)

(2)

A UK provider of a regulated user-to-user service must operate the service
using systems and processes which secure (so far as possible) that the provider
reports all detected and unreported CSEA content present on the service to the
NCA.

10

A non-UK provider of a regulated user-to-user service must operate the service
using systems and processes which secure (so far as possible) that the provider
reports all detected and unreported UK-linked CSEA content present on the
service to the NCA (and does not report to the NCA CSEA content which is not
UK-linked).

15

(3)

A UK provider of a regulated search service must operate the service using
systems and processes which secure (so far as possible) that the provider
reports all detected and unreported CSEA content present on websites or
databases capable of being searched by the search engine to the NCA.

(4)

A non-UK provider of a regulated search service must operate the service
using systems and processes which secure (so far as possible) that the provider
reports all detected and unreported UK-linked CSEA content present on
websites or databases capable of being searched by the search engine to the
NCA (and does not report to the NCA CSEA content which is not UK-linked).

20

(5)

A UK provider of a combined service must comply with the requirement under
subsection (3) in relation to the search engine of the service.

25

(6)

A non-UK provider of a combined service must comply with the requirement
under subsection (4) in relation to the search engine of the service.

(7)

Providers’ reports under this section—
(a) must meet the requirements set out in regulations under section 60, and
(b) must be sent to the NCA in the manner, and within the time frames, set
out in those regulations.

(8)

(9)
(10)

If a person is the provider of more than one regulated user-to-user service or
regulated search service, requirements under this section apply in relation to
each such service.
Terms used in this section are defined in section 63.
This section applies only in relation to CSEA content detected on or after the
date on which this section comes into force.

30

35

Part 4 — Other duties of providers of regulated user-to-user services and regulated search services
Chapter 2 — Reporting child sexual exploitation and abuse content

60

55

Regulations about reports to the NCA
(1)

The Secretary of State must make regulations in connection with the reports
that are to be made to the NCA (including by non-UK providers) as required
by section 59.

(2)

The regulations may make provision about—
(a) the information to be included in the reports,
(b) the format of the reports,
(c) the manner in which the reports must be sent to the NCA,
(d) the time frames for sending the reports to the NCA (including
provision about cases of particular urgency),
(e) the records that providers must keep in relation to the reports, or the
details that providers must retain as evidence that they have made the
reports, and
(f) such other matters relating to the reports as the Secretary of State
considers appropriate.

(3)

61

10

15

Before making the regulations, the Secretary of State must consult—
(a) the NCA,
(b) OFCOM, and
(c) such other persons as the Secretary of State considers appropriate.
NCA: information sharing
In section 16 of the Crime and Courts Act 2013 (interpretation of Part 1), in
subsection (1), in the definition of “permitted purpose”, after paragraph (o)
insert—
“(oa) the exercise of any function of OFCOM (the Office of
Communications) under the Online Safety Act 2022;”.

62

5

20

25

Offence in relation to CSEA reporting
(1)

(2)

A person commits an offence if, in purported compliance with a requirement
under section 59—
(a) the person provides information that is false in a material respect, and
(b) at the time the person provides it, the person knows that it is false in a
material respect or is reckless as to whether it is false in a material
respect.
A person who commits an offence under this section is liable—
(a) on summary conviction in England and Wales, to imprisonment for a
term not exceeding the general limit in a magistrates’ court or a fine (or
both);
(b) on summary conviction in Scotland, to imprisonment for a term not
exceeding 12 months or a fine not exceeding the statutory maximum (or
both);
(c) on summary conviction in Northern Ireland, to imprisonment for a
term not exceeding 6 months or a fine not exceeding the statutory
maximum (or both);
(d) on conviction on indictment, to imprisonment for a term not exceeding
two years or a fine (or both).

30

35

40

56

Part 4 — Other duties of providers of regulated user-to-user services and regulated search services
Chapter 2 — Reporting child sexual exploitation and abuse content

63

Interpretation of this Chapter
(1)

This section applies for the purposes of this Chapter.

(2)

A provider of a regulated user-to-user service or a regulated search service is a
“UK provider” of the service if the provider is—
(a) an individual or individuals who are habitually resident in the United
Kingdom, or
(b) an entity incorporated or formed under the law of any part of the
United Kingdom.

(3)

Otherwise, a provider of a regulated user-to-user service or a regulated search
service is a “non-UK provider” of the service.

(4)

CSEA content is “detected” by a provider when the provider becomes aware of
the content, whether by means of the provider’s systems or processes or as a
result of another person alerting the provider.

(5)

CSEA content is “unreported”, in relation to a provider, if the reporting of that
content is not covered by arrangements (mandatory or voluntary)—
(a) by which the provider reports content relating to child sexual
exploitation or abuse to a foreign agency, or
(b) by which an entity that is a group undertaking in relation to the
provider reports content relating to child sexual exploitation or abuse
to—
(i) the NCA, or
(ii) a foreign agency.

(6)

(7)

(8)

CSEA content is “UK-linked” if a provider has evidence of a link between the
content and the United Kingdom, based on any of the following—
(a) the place where the content was published, generated, uploaded or
shared;
(b) the nationality of a person suspected of committing the related offence;
(c) the location of a person suspected of committing the related offence;
(d) the location of a child who is a suspected victim of the related offence.
For the purposes of paragraphs (b), (c) and (d) an offence is “related” to CSEA
content if the content amounts to that offence (construed in accordance with
section 52: see subsections (3) and (9) of that section).
In this Chapter—
“CSEA content” has the same meaning as in Part 3 (see section 52);
“foreign agency” means a person exercising functions in a country outside
the United Kingdom which correspond to the NCA’s functions insofar
as they relate to receiving and disseminating reports about CSEA
content;
“group undertaking” has the meaning given by section 1161(5) of the
Companies Act 2006;
“NCA” means the National Crime Agency.
Sections 1161(5) and 1162 of, and Schedule 7 to, the Companies Act 2006—
(a) are to apply in relation to an entity which is not an undertaking (as
defined in section 1161(1) of that Act) as they apply in relation to an
undertaking, and
(b) are to be read with any necessary modifications if applied to an entity
formed under the law of a country outside the United Kingdom.

5

10

15

20

25

30

35

40

45

Part 4 — Other duties of providers of regulated user-to-user services and regulated search services
Chapter 3 — Transparency reporting

57

CHAPTER 3
TRANSPARENCY REPORTING
64

Transparency reports about certain Part 3 services
(1)

Once a year, OFCOM must give every provider of a relevant service a notice
which requires the provider to produce a report about the service (a
“transparency report”).

(2)

If a person is the provider of more than one relevant service, a notice must be
given to the provider in respect of each such service.

(3)

In response to a notice relating to a relevant service, the provider of the service
must produce a transparency report which must—
(a) contain information of a kind specified or described in the notice,
(b) be in the format specified in the notice,
(c) be submitted to OFCOM by the date specified in the notice, and
(d) be published in the manner and by the date specified in the notice.

(4)

A provider must ensure that the information provided in a transparency report
is—
(a) complete, and
(b) accurate in all material respects.

(5)

A “relevant service” means—
(a) a Category 1 service (see section 82(10)(a));
(b) a Category 2A service (see section 82(10)(b));
(c) a Category 2B service (see section 82(10)(c)).

(6)

In a notice which relates to a Category 1 service or a Category 2B service,
OFCOM may only specify or describe user-to-user information.
But in the case of a service described in subsection (9), that subsection applies
instead.

(7)

In a notice which relates to a regulated search service that is a Category 2A
service, OFCOM may only specify or describe search engine information.

(8)

In a notice which relates to a combined service that is a Category 2A service,
and is not also a Category 1 service or a Category 2B service, OFCOM may only
specify or describe search engine information.

(9)

In a notice which relates to a combined service that is a Category 2A service, as
well as being a Category 1 service or a Category 2B service, OFCOM may
specify or describe user-to-user information or search engine information, or
both those kinds of information.

(10)

(11)

In subsections (6) to (9)—
(a) “user-to-user information” means information which—
(i) is about the matters listed in Part 1 of Schedule 8, and
(ii) relates to the user-to-user part of a service;
(b) “search engine information” means information which—
(i) is about the matters listed in Part 2 of Schedule 8, and
(ii) relates to the search engine of a service.
Part 3 of Schedule 8 makes further provision about transparency reports.

5

10

15

20

25

30

35

40

58

Part 4 — Other duties of providers of regulated user-to-user services and regulated search services
Chapter 3 — Transparency reporting

(12)

The Secretary of State may by regulations amend subsection (1) so as to change
the frequency of the transparency reporting process.

(13)

The Secretary of State must consult OFCOM before making regulations under
subsection (12).

(14)

In this section “notice” means a notice under subsection (1).

65

5

OFCOM’s guidance about transparency reports
(1)

(2)

OFCOM must produce guidance about—
(a) how OFCOM will determine which information they will require
transparency reports under section 64 to contain, including—
(i) the principles that they will apply in relation to each of the
factors mentioned in paragraph 31 of Schedule 8, and
(ii) the steps that they will take to engage with providers of relevant
services before requiring information in a notice under section
64(1);
(b) how information from transparency reports produced by providers of
relevant services under section 64 will be used to produce OFCOM’s
transparency reports (see section 136); and
(c) any other matter that OFCOM consider to be relevant to the production
and publication of transparency reports under section 64 or 136.
Before producing the guidance (including revised or replacement guidance),
OFCOM must consult such of the following as they consider appropriate—
(a) providers of regulated user-to-user services, and of regulated search
services,
(b) persons who appear to OFCOM to represent such providers,
(c) persons who appear to OFCOM to represent the interests of children
(generally or with particular reference to online safety matters),
(d) persons whom OFCOM consider to have expertise in equality issues
and human rights, in particular—
(i) the right to freedom of expression set out in Article 10 of the
Convention, and
(ii) the right to respect for a person’s private and family life, home
and correspondence set out in Article 8 of the Convention,
(e) the Information Commissioner,
(f) persons who appear to OFCOM to represent the interests of those with
protected characteristics (within the meaning of Part 2 of the Equality
Act 2010), and
(g) persons whom OFCOM consider to have expertise in the enforcement
of the criminal law and the protection of national security that is
relevant to online safety matters,
and OFCOM must also consult such other persons as OFCOM consider
appropriate.

(3)

OFCOM must publish the guidance (and any revised or replacement
guidance).

(4)

In exercising their functions under section 64 or 136, OFCOM must have regard
to the guidance for the time being published under this section.

10

15

20

25

30

35

40

45

Part 4 — Other duties of providers of regulated user-to-user services and regulated search services
Chapter 3 — Transparency reporting

(5)

59

In this section, “relevant service” has the same meaning as in section 64 (see
subsection (5) of that section).
PART 5

DUTIES OF PROVIDERS OF REGULATED SERVICES: CERTAIN PORNOGRAPHIC CONTENT
66

“Pornographic content”, “provider pornographic content”, “regulated
provider pornographic content”
(1)

This section applies for the purposes of this Part.

(2)

“Pornographic content” means content of such a nature that it is reasonable to
assume that it was produced solely or principally for the purpose of sexual
arousal.

(3)

(4)

(5)

(6)

(7)

67

“Provider pornographic content”, in relation to an internet service, means
pornographic content that is published or displayed on the service by the
provider of the service or by a person acting on behalf of the provider
(including pornographic content published or displayed on the service by
means of software or an automated tool or algorithm applied by the provider
or by a person acting on behalf of the provider).
“Regulated provider pornographic content”, in relation to an internet service,
means provider pornographic content other than—
(a) content consisting only of text, or
(b) paid-for advertisements (see section 192).
References to pornographic content that is “published or displayed” on a
service—
(a) include, in particular—
(i) references to pornographic content that is only visible or
audible to users as a result of interacting with content that is
blurred, distorted or obscured (for example, by clicking on such
content), but only where the pornographic content is present on
the service, and
(ii) references to pornographic content that is embedded on the
service;
(b) do not include references to pornographic content that appears in
search results of a search service or a combined service.
Pornographic content that is user-generated content in relation to an internet
service is not to be regarded as provider pornographic content in relation to
that service.

5

10

15

20

25

30

35

In this section—
“search results” has the meaning given by section 51(3);
“user-generated content” has the meaning given by section 49 (see
subsections (3) and (4) of that section).
Scope of duties about regulated provider pornographic content

(1)

A provider of an internet service within subsection (2) must comply with the
duties set out in section 68 in relation to the service.

(2)

An internet service is within this subsection if—

40

60

Part 5 — Duties of providers of regulated services: certain pornographic content

(a)
(b)
(c)

regulated provider pornographic content is published or displayed on
the service,
the service is not exempt, and
the service has links with the United Kingdom.

(3)

A service is “exempt” for the purposes of this Part if it is —
(a) a user-to-user service or a search service of a description that is exempt
as provided for by Schedule 1, or
(b) an internet service of a kind described in Schedule 9.

(4)

A service “has links with the United Kingdom” for the purposes of this Part if
either of the following conditions is met in relation to the service—
(a) the service has a significant number of United Kingdom users, or
(b) United Kingdom users form one of the target markets for the service (or
the only target market).

(5)

This Part does not apply in relation to a part of a regulated service if—
(a) in the case of a Part 3 service, the conditions in paragraph 7(2) of
Schedule 1 (internal business service conditions) are met in relation to
that part;
(b) in the case of an internet service other than a Part 3 service, the
conditions in paragraph 1(2) of Schedule 9 (internal business service
conditions) are met in relation to that part.

(6)

This Part does not apply in relation to a part of a regulated service if that part
is an on-demand programme service within the meaning of section 368A of the
Communications Act.

(7)

If a person is the provider of more than one internet service within subsection
(2), the duties set out in section 68 apply in relation to each such service.

(8)

The duties set out in section 68 extend only to the design, operation and use of
an internet service in the United Kingdom.

68

5

10

15

20

25

Duties about regulated provider pornographic content
(1)

This section sets out the duties which apply in relation to internet services
within section 67(2).

(2)

A duty to ensure that children are not normally able to encounter content that
is regulated provider pornographic content in relation to the service (for
example, by using age verification).

(3)

A duty to make and keep a written record, in an easily understandable form,
of—
(a) the measures taken or in use, and the policies implemented, to comply
with the duty set out in subsection (2), and
(b) the way in which the provider, when deciding on and implementing
the measures and policies referred to in paragraph (a), has had regard
to the importance of protecting United Kingdom users from a breach of
any statutory provision or rule of law concerning privacy that is
relevant to the use or operation of a regulated service (including, but
not limited to, any such provision or rule concerning the processing of
personal data).

30

35

40

Part 5 — Duties of providers of regulated services: certain pornographic content

69

61

OFCOM’s guidance about duties set out in section 68
(1)

OFCOM must produce guidance for providers of internet services within
section 67(2) to assist them in complying with their duties set out in section 68.

(2)

The guidance must include—
(a) examples of measures and policies that may be appropriate for the
purpose of compliance with the duty set out in section 68(2),
(b) examples of ways in which a provider may have regard to the
importance of protecting users as mentioned in section 68(3)(b),
(c) principles that OFCOM propose to apply when determining whether a
provider has complied with each of the duties set out in section 68, and
(d) examples of circumstances in which OFCOM are likely to consider that
a provider has not complied with each of those duties.

(3)

(4)

Before producing the guidance (including revised or replacement guidance),
OFCOM must consult—
(a) the Secretary of State,
(b) persons who appear to OFCOM to represent providers of internet
services within section 67(2),
(c) persons who appear to OFCOM to represent adult users of internet
services within section 67(2),
(d) persons who appear to OFCOM to represent the interests of children
(generally or with particular reference to online safety matters),
(e) the Information Commissioner,
(f) persons whom OFCOM consider to have expertise in innovation, or
emerging technology, that is relevant to online safety matters, and
(g) such other persons as OFCOM consider appropriate.
But if OFCOM propose to revise the guidance, and consider that the minor
nature of the proposal means that consultation is unnecessary—
(a) OFCOM must notify the Secretary of State of the proposed changes,
and
(b) if the Secretary of State agrees that it is appropriate, the consultation
requirements set out in subsection (3) do not apply in relation to the
proposed changes.

(5)

OFCOM must keep the guidance under review.

(6)

OFCOM must publish the guidance (and any revised or replacement
guidance).

5

10

15

20

25

30

35

PART 6
DUTIES OF PROVIDERS OF REGULATED SERVICES: FEES
70

Duty to notify OFCOM
(1)

A provider of a regulated service must notify OFCOM in relation to a charging
year which is—
(a) the first fee-paying year in relation to that provider, or
(b) any charging year after the first fee-paying year where—

40

62

Part 6 — Duties of providers of regulated services: fees

(i)
(ii)

(2)

(3)

the previous charging year was not a fee-paying year in relation
to the provider, and the charging year in question is a feepaying year in relation to the provider, or
the previous charging year was a fee-paying year in relation to
the provider, and the charging year in question is not a feepaying year in relation to the provider.

A “fee-paying year”, in relation to a provider, means a charging year where
both of the following conditions apply—
(a) the provider’s qualifying worldwide revenue for the qualifying period
that relates to that charging year is equal to or greater than the
threshold figure that has effect for that charging year (see section 73),
and
(b) the provider is not exempt (see subsection (6)).
A notification under subsection (1) in relation to a charging year must include
details of all regulated services provided by the provider, and where it is a
notification under subsection (1)(a) or (b)(i), it must also include—
(a) details of the provider’s qualifying worldwide revenue for the
qualifying period that relates to that charging year, and
(b) supporting evidence, documents or other information of a kind
described in, or about matters described in, regulations made by the
Secretary of State.

5

10

15

20

(4)

Section 72 makes provision about a statement by OFCOM setting out what is
meant by “qualifying worldwide revenue” and “qualifying period” in this
section and section 71.

(5)

A notification under subsection (1) must be provided to OFCOM—
(a) in relation to the initial charging year, within four months of the date
on which the first threshold figure under section 73 is published;
(b) in relation to subsequent charging years, at least six months before the
beginning of the charging year to which the notification relates.

25

(6)

OFCOM may provide that particular descriptions of providers of regulated
services are exempt for the purposes of this section and section 71 where—
(a) OFCOM consider that an exemption for such providers is appropriate,
and
(b) the Secretary of State approves the exemption.

30

(7)

OFCOM may revoke such an exemption where they consider that it is no
longer appropriate and the Secretary of State approves the revocation.

35

(8)

Exemptions, or revocations of exemptions, which are approved by the
Secretary of State are to take effect from the beginning of a particular charging
year.

(9)

Details of an exemption or revocation must be published by OFCOM at least
six months before the beginning of the first charging year for which the
exemption or revocation is to have effect.

(10)

But subsection (9) does not apply in relation to any exemptions which are to
have effect for the initial charging year.

(11)

The Secretary of State must consult OFCOM before making regulations under
subsection (3)(b).

40

45

Part 6 — Duties of providers of regulated services: fees

(12)

71

63

For the purposes of this section and section 71, the “provider” of a regulated
service, in relation to a charging year, includes a person who is the provider of
the service for part of that year.
Duty to pay fees

(1)

OFCOM may require a provider of a regulated service to pay a fee in respect
of a charging year which is a fee-paying year.

(2)

Where OFCOM require a provider of a regulated service to pay a fee in respect
of a charging year, the fee is to be equal to the amount produced by a
computation—
(a) made by reference to—
(i) the provider’s qualifying worldwide revenue for the qualifying
period relating to that charging year, and
(ii) any other factors that OFCOM consider appropriate, and
(b) made in the manner that OFCOM consider appropriate.

(3)

For the purposes of this section and section 70—
(a) the amount of a provider’s qualifying worldwide revenue for a
qualifying period, or
(b) the amount of a fee to be paid to OFCOM, or of an instalment of such a
fee,
is, in the event of a disagreement between the provider and OFCOM, the
amount determined by OFCOM.

(4)

When determining fees payable under this section, OFCOM must do so in
accordance with a statement of principles as mentioned in section 75(1).

(5)

Where a person is the provider of a regulated service for part of a charging year
only, OFCOM may refund all or part of a fee paid to OFCOM under this section
by that provider in respect of that year.

(6)

In this section, “fee-paying year” has the same meaning as in section 70.

72

5

10

15

20

25

OFCOM’s statement about “qualifying worldwide revenue” etc
(1)

For the purposes of sections 70 and 71, OFCOM must produce a statement
giving information about—
(a) the amounts which do, or do not, comprise a person’s “qualifying
worldwide revenue”, and
(b) the period which is the “qualifying period” in relation to a charging
year.

(2)

Provision contained in the statement as mentioned in subsection (1)(a) is also
to apply for the purposes of determining the amount of penalties which
OFCOM may impose under Chapter 6 of Part 7 (see paragraph 4 of Schedule
13), and must include provision about the application of that term to a group
of entities for the purposes of paragraph 5 of that Schedule.

35

(3)

The statement may make different provision in relation to different kinds of
regulated services.

40

(4)

Before producing the statement (including a revised or replacement
statement), OFCOM must consult—
(a) the Secretary of State,

30

64

Part 6 — Duties of providers of regulated services: fees

(b)
(c)

the Treasury, and
such other persons as OFCOM consider appropriate.

(5)

OFCOM must keep the statement under review.

(6)

OFCOM must publish the statement (and any revised or replacement
statement).

(7)

OFCOM must send a copy of the statement (and any revised or replacement
statement) to the Secretary of State, and the Secretary of State must lay it before
Parliament.

73

5

Threshold figure
(1)

OFCOM must carry out a consultation to inform the setting of the threshold
figure for the purposes of sections 70 and 71, consulting such persons as they
consider appropriate.

(2)

After the completion of the consultation, and having taken advice from
OFCOM, the Secretary of State must determine the figure that the Secretary of
State considers appropriate to be the threshold figure for those purposes.

(3)

The Secretary of State must—
(a) publish, in such manner as the Secretary of State considers appropriate,
a statement specifying the threshold figure, and
(b) lay a copy of that statement before Parliament.

(4)

The Secretary of State must keep the threshold figure under review.

(5)

If the Secretary of State considers that it may be appropriate to revise the
threshold figure, the Secretary of State may request OFCOM to carry out a
further consultation, and subsections (1) to (3) apply again.

(6)

A threshold figure is to take effect from the beginning of a particular charging
year.

(7)

A statement specifying a threshold figure must be published at least nine
months before the beginning of the first charging year for which that figure is
to have effect.

(8)

But subsection (7) does not apply in relation to the first threshold figure
published under this section.

74

10

15

20

25

30

Secretary of State’s guidance about fees
(1)

The Secretary of State must issue guidance to OFCOM about the principles to
be included in a statement of principles that OFCOM propose to apply in
determining fees payable under section 71 (see section 75).

(2)

The Secretary of State must consult OFCOM before issuing, revising or
replacing the guidance.

(3)

The guidance may not be revised or replaced more frequently than once every
three years unless—
(a) the guidance needs to be corrected because of an amendment, repeal or
modification of any provision of this Part, or
(b) the revision or replacement is by agreement between the Secretary of
State and OFCOM.

35

40

Part 6 — Duties of providers of regulated services: fees

65

(4)

The Secretary of State must lay the guidance (including revised or replacement
guidance) before Parliament.

(5)

The Secretary of State must publish the guidance (and any revised or
replacement guidance).

(6)

In exercising any functions under this Part, OFCOM must have regard to the
guidance for the time being published under this section.

75

5

OFCOM’s fees statements
(1)

(2)

(3)

OFCOM may not require a provider of a regulated service to pay a fee under
section 71 unless there is in force a statement of the principles that OFCOM
propose to apply in determining fees payable under that section.
Those principles must be such as appear to OFCOM to be likely to secure, on
the basis of such estimates of the likely costs as it is practicable for them to
make—
(a) that on a year by year basis, the aggregate amount of the fees payable
to OFCOM under section 71 is sufficient to meet, but does not exceed,
the annual cost to OFCOM of the exercise of their online safety
functions;
(b) that the fees required under section 71 are justifiable and proportionate
having regard to the functions in respect of which they are imposed;
(c) that the relationship between meeting the cost of the exercise of those
functions and the amounts of the fees is transparent.
A statement of principles mentioned in subsection (1) must (among other
things)—
(a) include details relating to the computation model used to calculate fees
payable under section 71, including details of factors mentioned in
subsection (2)(a)(ii) of that section (if any),
(b) include details about the meaning of “qualifying worldwide revenue”
and “qualifying period”, as set out in the statement under section 72 for
the purposes of sections 70 and 71, and
(c) specify the threshold figure published in accordance with section 73.

(4)

Before making or revising such a statement of principles, OFCOM must
consult such persons as they consider appropriate.

(5)

Such a statement of principles may make different provision in relation to
different kinds of regulated services.

(6)

OFCOM must publish such a statement of principles (and any revised or
replacement statement).

(7)

As soon as reasonably practicable after the end of each charging year, OFCOM
must publish a statement setting out, in respect of that year—
(a) the aggregate amount of the fees payable under section 71 for that year
that has been received by OFCOM,
(b) the aggregate amount of the fees payable under that section for that
year that remains outstanding and is likely to be paid or recovered, and
(c) the cost to OFCOM of the exercise of their online safety functions.

(8)

Any deficit or surplus shown (after applying this subsection for all previous
years) by a statement under subsection (7) must be carried forward and taken

10

15

20

25

30

35

40

45

66

Part 6 — Duties of providers of regulated services: fees

into account in determining what is required to satisfy the requirement
imposed by virtue of subsection (2)(a) in relation to the following year.
(9)

76

For the purposes of this section—
(a) OFCOM’s costs of the exercise of their online safety functions during a
charging year include the costs of preparations for the exercise of their
online safety functions incurred during that year; and
(b) OFCOM’s costs of preparations for the exercise of their online safety
functions incurred after the day on which this section comes into force
but before the charging year in which those functions were first
exercised are to be treated as if they were incurred during that year.

5

10

Recovery of OFCOM’s initial costs
Schedule 10 makes provision about fees chargeable to providers of regulated
services in connection with OFCOM’s recovery of costs incurred on
preparations for the exercise of their online safety functions.

77

Meaning of “charging year” and “initial charging year”
In this Part—
“charging year” means any period of 12 months beginning with 1 April,
except such a period that falls before the initial charging year;
“initial charging year” means the period of 12 months beginning with 1
April specified by OFCOM in a notice published for the purposes of
this Part.

15

20

PART 7
OFCOM’S POWERS AND DUTIES IN RELATION TO REGULATED SERVICES
CHAPTER 1
GENERAL DUTIES
78

25

General duties of OFCOM under section 3 of the Communications Act
(1)

Section 3 of the Communications Act (general duties of OFCOM) is amended
in accordance with subsections (2) to (8).

(2)

In subsection (2), after paragraph (f) insert—
“(g) the adequate protection of citizens from harm presented by
content on regulated services, through the appropriate use by
providers of such services of systems and processes designed to
reduce the risk of such harm.”

(3)

In subsection (4)(c), at the beginning insert “(subject to subsection (5A))”.

(4)

After subsection (4) insert—
“(4A)

In performing their duties under subsection (1) in relation to matters to
which subsection (2)(g) is relevant, OFCOM must have regard to such
of the following as appear to them to be relevant in the circumstances—
(a) the risk of harm to citizens presented by content on regulated
services;

30

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 1 — General duties

(b)
(c)

(d)

(e)
(f)

(5)

(8)

5

10

15

20

Subsection (4)(c) does not apply in relation to the carrying out of any of
OFCOM’s online safety functions.”

After subsection (6) insert—
“(6ZA)

(7)

the need for a higher level of protection for children than for
adults;
the need for it to be clear to providers of regulated services how
they may comply with their duties set out in Chapter 2, 3, 4 or 5
of Part 3, Chapter 1 of Part 4, or Part 5 of the Online Safety Act
2022;
the need to exercise their functions so as to secure that providers
of regulated services may comply with such duties by taking
measures, or using measures, systems or processes, which are
(where relevant) proportionate to—
(i) the size or capacity of the provider in question, and
(ii) the level of risk of harm presented by the service in
question, and the severity of the potential harm;
the desirability of promoting the use by providers of regulated
services of technologies which are designed to reduce the risk of
harm to citizens presented by content on regulated services;
the extent to which providers of regulated services
demonstrate, in a way that is transparent and accountable, that
they are complying with their duties set out in Chapter 2, 3, 4 or
5 of Part 3, Chapter 1 of Part 4, or Part 5 of the Online Safety Act
2022.”

After subsection (5) insert—
“(5A)

(6)

67

25

Where it appears to OFCOM, in relation to the carrying out of any of
their online safety functions, that any of their general duties conflict
with their duty under section 24, priority must be given to their duty
under that section.”

In subsection (14), at the appropriate places insert—
““content on regulated services” means—
(a) regulated user-generated content present on regulated
services,
(b) search content of regulated services,
(c) fraudulent advertisements present on regulated
services, and
(d) regulated provider pornographic content present on
regulated services;”;
““online safety functions” has the meaning given by section 191 of
the Online Safety Act 2022, except that it does not include
OFCOM’s general duties;”.

30

35

40

After subsection (14) insert—
“(15)

In this section the following terms have the same meaning as in the
Online Safety Act 2022—
“content” (see section 192 of that Act);
“fraudulent advertisement” (see sections 34 and 35 of that Act);
“harm” (see section 190 of that Act);

45

68

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 1 — General duties

“provider”, in relation to a regulated service (see section 183 of
that Act);
“regulated user-generated content” (see section 49 of that Act);
“regulated provider pornographic content” (see section 66 of that
Act);
“regulated service” (see section 3 of that Act);
“search content” (see section 51 of that Act).”
(9)

In section 6 of the Communications Act (duties to review regulatory
burdens)—
(a) in subsection (2), after “this section” insert “(except their online safety
functions)”, and
(b) after subsection (10) insert—
“(11)

79
(1)

This section applies where a statement has been designated under section
144(1) (Secretary of State’s statement of strategic priorities).

(2)

OFCOM must have regard to the statement when carrying out their online
safety functions.

(3)

Within the period of 40 days beginning with the day on which the statement is
designated, or such longer period as the Secretary of State may allow, OFCOM
must—
(a) explain in writing what they propose to do in consequence of the
statement, and
(b) publish a copy of that explanation.

80

10

In this section “online safety functions” has the same meaning
as in section 3.”

Duties in relation to strategic priorities

(4)

5

OFCOM must, as soon as reasonably practicable after the end of—
(a) the period of 12 months beginning with the day on which the first
statement is designated under section 144(1), and
(b) every subsequent period of 12 months,
publish a review of what they have done during the period in question in
consequence of the statement.

15

20

25

30

Duty to carry out impact assessments
(1)

Section 7 of the Communications Act (duty to carry out impact assessments) is
amended as follows.

(2)

In subsection (2), at the beginning insert “Subject to subsection (2A),”.

(3)

After subsection (2) insert—
“(2A)

A proposal to do any of the following is important for the purposes of
this section—
(a) to prepare a code of practice under section 37 of the Online
Safety Act 2022;
(b) to prepare amendments of such a code of practice; or
(c) to prepare a code of practice as a replacement for such a code of
practice.”

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 1 — General duties

(4)

69

After subsection (4) insert—
“(4A)

(4B)

An assessment under subsection (3)(a) that relates to a proposal
mentioned in subsection (2A) must include an assessment of the likely
impact of implementing the proposal on small businesses and micro
businesses.
An assessment under subsection (3)(a) that relates to a proposal to do
anything else for the purposes of, or in connection with, the carrying
out of OFCOM’s online safety functions (within the meaning of section
191 of the Online Safety Act 2022) must, so far as the proposal relates to
such functions, include an assessment of the likely impact of
implementing the proposal on small businesses and micro businesses.”

5

10

CHAPTER 2
REGISTER OF CATEGORIES OF REGULATED USER-TO-USER SERVICES AND REGULATED
SEARCH SERVICES

81

Meaning of threshold conditions etc
(1)

Schedule 11 contains provision about regulations specifying the threshold
conditions that a Part 3 service must meet to be included in the relevant part of
the register established by OFCOM under section 82, and associated provision
about the publication of OFCOM’s advice.

(2)

In this Chapter, “Category 1 threshold conditions”, “Category 2A threshold
conditions” and “Category 2B threshold conditions” have the same meaning as
in Schedule 11 (see paragraph 1(1), (2) and (3) of that Schedule).

(3)

For the purposes of this Chapter—
(a) a regulated user-to-user service meets the Category 1 threshold
conditions if those conditions are met in relation to the user-to-user part
of the service;
(b) a regulated search service or a combined service meets the Category 2A
threshold conditions if those conditions are met in relation to the search
engine of the service;
(c) a regulated user-to-user service meets the Category 2B threshold
conditions if those conditions are met in relation to the user-to-user part
of the service;
(d) references to OFCOM assessing a service (to determine if it meets, or no
longer meets, the relevant threshold conditions) are accordingly to be
read as references to OFCOM assessing the relevant part (or parts) of a
service.

82

15

20

25

30

35

Register of categories of certain Part 3 services
(1)

As soon as reasonably practicable after the first regulations under Schedule 11
come into force, OFCOM must comply with subsections (2) to (4).

(2)

OFCOM must establish a register of particular categories of Part 3 services
with—
(a) one part for regulated user-to-user services meeting the Category 1
threshold conditions,

40

70

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 2 — Register of categories of regulated user-to-user services and regulated search services

(b)
(c)
(3)

one part for regulated search services and combined services meeting
the Category 2A threshold conditions, and
one part for regulated user-to-user services meeting the Category 2B
threshold conditions.

OFCOM must assess Part 3 services, as follows—
(a) OFCOM must assess each regulated user-to-user service which they
consider is likely to meet the Category 1 threshold conditions, to
determine whether the service does, or does not, meet those conditions;
(b) OFCOM must assess each regulated search service and combined
service which they consider is likely to meet the Category 2A threshold
conditions, to determine whether the service does, or does not, meet
those conditions;
(c) OFCOM must assess each regulated user-to-user service which they
consider is likely to meet the Category 2B threshold conditions, to
determine whether the service does, or does not, meet those conditions.

(4)

If OFCOM consider that a service meets the relevant threshold conditions, they
must add entries relating to that service to the relevant part of the register
established under subsection (2).

(5)

But—
(a) if OFCOM consider that a regulated user-to-user service meets the
Category 1 threshold conditions and the Category 2B threshold
conditions (only), entries relating to that service are to be added to the
part of the register established under subsection (2)(a) (only);
(b) if OFCOM consider that a combined service meets the Category 1
threshold conditions, the Category 2A threshold conditions and the
Category 2B threshold conditions, entries relating to that service are to
be added to the parts of the register established under subsection (2)(a)
and (b) (only).

(6)

If OFCOM consider that a combined service—
(a) meets the Category 2A threshold conditions, and
(b) meets either the Category 1 threshold conditions or the Category 2B
threshold conditions (but not both),
entries relating to that service are to be added to the part of the register
established under subsection (2)(b) and to the part of the register established
under subsection (2)(a) or (c) (whichever applies).

(7)

Each part of the register must contain—
(a) the name, and a description, of each service that, in OFCOM’s opinion,
meets the relevant threshold conditions, and
(b) the name of the provider of each such service.

(8)

OFCOM must publish the register.

(9)

When assessing whether a Part 3 service does, or does not, meet the relevant
threshold conditions, OFCOM must take such steps as are reasonably
practicable to obtain or generate information or evidence for the purposes of
the assessment.

(10)

In this Act—
(a) a “Category 1 service” means a regulated user-to-user service for the
time being included in the part of the register established under
subsection (2)(a);

5

10

15

20

25

30

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 2 — Register of categories of regulated user-to-user services and regulated search services

(b)
(c)

83

71

a “Category 2A service” means a regulated search service or a
combined service for the time being included in the part of the register
established under subsection (2)(b);
a “Category 2B service” means a regulated user-to-user service for the
time being included in the part of the register established under
subsection (2)(c).

5

Duty to maintain register
(1)

(2)

(3)

(4)

If regulations are made under paragraph 1(1) of Schedule 11 which amend or
replace regulations previously made under that provision, OFCOM must, as
soon as reasonably practicable after the date on which the amending or
replacement regulations come into force—
(a) assess each regulated user-to-user service which they consider is likely
to meet the new Category 1 threshold conditions, to determine whether
the service does, or does not, meet those conditions, and
(b) make any necessary changes to the register.
If regulations are made under paragraph 1(2) of Schedule 11 which amend or
replace regulations previously made under that provision, OFCOM must, as
soon as reasonably practicable after the date on which the amending or
replacement regulations come into force—
(a) assess each regulated search service and combined service which they
consider is likely to meet the new Category 2A threshold conditions, to
determine whether the service does, or does not, meet those conditions,
and
(b) make any necessary changes to the register.
If regulations are made under paragraph 1(3) of Schedule 11 which amend or
replace regulations previously made under that provision, OFCOM must, as
soon as reasonably practicable after the date on which the amending or
replacement regulations come into force—
(a) assess each regulated user-to-user service which they consider is likely
to meet the new Category 2B threshold conditions, to determine
whether the service does, or does not, meet those conditions, and
(b) make any necessary changes to the register.
At any other time, if OFCOM consider that a Part 3 service not included in a
particular part of the register is likely to meet the threshold conditions relevant
to that part, OFCOM must—
(a) assess the service accordingly, and
(b) (subject to section 82(5)) if they consider that the service meets the
relevant conditions, add entries relating to that service to that part of
the register.

(5)

Nothing in subsection (3) or (4) requires OFCOM to assess a Category 1 service
to determine whether the service meets the Category 2B threshold conditions.

(6)

A provider of a Part 3 service included in the register may at any time request
OFCOM to remove entries relating to that service from the register, or from a
particular part of the register.

(7)

If OFCOM are satisfied, on the basis of evidence submitted by a provider with
such a request, that since the registration day there has been a change to the

10

15

20

25

30

35

40

45

72

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 2 — Register of categories of regulated user-to-user services and regulated search services

service or to regulations under paragraph 1 of Schedule 11 which appears
likely to be relevant, OFCOM must—
(a) assess the service, and
(b) notify the provider of OFCOM’s decision.
(8)

OFCOM must remove entries relating to a Part 3 service from the relevant part
of the register if, following an assessment of the service, they consider that it no
longer meets the threshold conditions relevant to that part.

(9)

Section 82(9) applies to an assessment under this section as it applies to an
assessment under section 82.

(10)

OFCOM must re-publish the register each time a change is made to it.

(11)

See section 139 for provision about appeals against a decision to include a
service in the register (or in a particular part of the register), or not to remove
a service from the register (or from a particular part of the register).

(12)

In this section—
“the register” means the register established under section 82;
“the registration day”, in relation to a Part 3 service, means—
(a) the day on which entries relating to the service were added to
the register, or to the particular part of the register in question,
or
(b) if later, the day on which OFCOM last completed an assessment
of the service under subsection (1), (2), (3) or (7).

5

10

15

20

CHAPTER 3
RISK ASSESSMENTS OF REGULATED USER-TO-USER SERVICES AND REGULATED SEARCH
SERVICES

84

OFCOM’s register of risks, and risk profiles, of Part 3 services
(1)

OFCOM must carry out risk assessments to identify and assess the following
risks of harm presented by Part 3 services of different kinds—
(a) the risk of harm to individuals in the United Kingdom presented by
illegal content;
(b) the risk of harm to children in the United Kingdom, in different age
groups, presented by content that is harmful to children;
(c) the risk of harm to adults in the United Kingdom presented by content
that is harmful to adults present on regulated user-to-user services.

(2)

The risk assessments must, among other things, identify characteristics of
different kinds of Part 3 services that are relevant to such risks of harm, and
assess the impact of those kinds of characteristics on such risks.

(3)

OFCOM—
(a) may combine assessment of any or all of the risks of harm mentioned
in subsection (1), or may carry out separate assessments of those risks;
(b) in the case of the risks of harm mentioned in subsection (1)(a) and (b),
may assess regulated user-to-user services and regulated search
services separately or together.

25

30

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 3 — Risk assessments of regulated user-to-user services and regulated search services

73

(4)

The findings of each risk assessment are to be reflected, as soon as reasonably
practicable after completion, in a register of risks of Part 3 services prepared
and published by OFCOM.

(5)

As soon as reasonably practicable after completing their assessment of a risk of
harm mentioned in a particular paragraph of subsection (1), OFCOM must
prepare risk profiles for Part 3 services which relate to that risk of harm.

(6)

But in preparing the risk profiles which relate to the risk of harm mentioned in
subsection (1)(c), OFCOM must not take into account anything relating to nondesignated content that is harmful to adults.

(7)

For the purposes of the risk profiles, OFCOM may group Part 3 services
together in whichever way they consider appropriate, taking into account—
(a) the characteristics of the services, and
(b) the risk levels and other matters identified in the relevant risk
assessment.

10

(8)

OFCOM must publish risk profiles prepared under this section.

15

(9)

OFCOM must from time to time review and revise the risk assessments and
risk profiles so as to keep them up to date.

(10)

References in this section to Part 3 services—
(a) in the case of a risk assessment or risk profiles which relate only to
regulated user-to-user services or to regulated search services, are to be
read as references to the kind of service in question;
(b) in the case of a risk assessment or risk profiles which relate only to the
risk of harm mentioned in subsection (1)(c), are to be read as references
to regulated user-to-user services.

(11)

References in this section to regulated search services include references to the
search engine of combined services.

(12)

In this section the “characteristics” of a service include its functionalities, user
base, business model, governance and other systems and processes.

(13)

In this section—
“content that is harmful to adults” and “priority content that is harmful to
adults” have the same meaning as in Part 3 (see section 54);
“content that is harmful to children” has the same meaning as in Part 3
(see section 53);
“illegal content” has the same meaning as in Part 3 (see section 52);
“non-designated content that is harmful to adults” means content that is
harmful to adults other than priority content that is harmful to adults.

85

5

20

25

30

35

OFCOM’s guidance about risk assessments
(1)

(2)

As soon as reasonably practicable after OFCOM have published the first risk
profiles relating to the risk of harm from illegal content, OFCOM must produce
guidance to assist providers of Part 3 services in complying with their duties to
carry out illegal content risk assessments under section 8 or 23.
As soon as reasonably practicable after OFCOM have published the first risk
profiles relating to the risk of harm to children, OFCOM must produce
guidance to assist providers of Part 3 services in complying with their duties to
carry out children’s risk assessments under section 10 or 25.

40

45

74

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 3 — Risk assessments of regulated user-to-user services and regulated search services

(3)

As soon as reasonably practicable after OFCOM have published the first risk
profiles relating to the risk of harm to adults, OFCOM must produce guidance
to assist providers of Category 1 services in complying with their duties to
carry out adults’ risk assessments under section 12.

(4)

Before producing any guidance under this section (including revised or
replacement guidance), OFCOM must consult the Information Commissioner.

(5)

OFCOM must revise guidance under this section from time to time in response
to further risk assessments under section 84 or to revisions of the risk profiles.

(6)

OFCOM must publish guidance under this section (and any revised or
replacement guidance).

(7)

If the risk profiles mentioned in subsection (1) or (2) relate to regulated user-touser services only or to regulated search services only, those subsections are to
be read as requiring the production of guidance relating only to regulated userto-user services or to regulated search services, as the case may be.

(8)

References in subsection (7) to regulated search services include references to
the search engine of combined services.

(9)

In this section—
“risk of harm from illegal content” means the risk of harm mentioned in
section 84(1)(a);
“risk of harm to children” means the risk of harm mentioned in section
84(1)(b);
“risk of harm to adults” means the risk of harm mentioned in section
84(1)(c);
“risk profiles” means risk profiles prepared under section 84.
CHAPTER 4

5

10

15

20

25

INFORMATION
Information power and information notices
86

Power to require information
(1)

OFCOM may by notice under this subsection (an “information notice”) require
a person within subsection (4) to provide them with any information that they
require for the purpose of exercising, or deciding whether to exercise, any of
their online safety functions.

(2)

The power conferred by subsection (1) includes power to require a person
within subsection (4) to obtain or generate information.

(3)

But the power conferred by subsection (1) must be exercised in a way that is
proportionate to the use to which the information is to be put in the exercise of
OFCOM’s functions.

(4)

The persons within this subsection are—
(a) a provider of a user-to-user service or a search service,
(b) a provider of an internet service on which regulated provider
pornographic content is published or displayed,

30

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(c)
(d)
(e)
(f)

(5)

75

a person who provides an ancillary service (within the meaning of
section 124) in relation to a regulated service (see subsections (11) and
(12) of that section),
a person who provides an access facility (within the meaning of section
126) in relation to a regulated service (see subsections (10) and (11) of
that section),
a person who was within any of paragraphs (a) to (d) at a time to which
the required information relates, and
a person not within any of paragraphs (a) to (e) who appears to
OFCOM to have, or to be able to generate or obtain, information
required by them as mentioned in subsection (1).

The information that may be required by OFCOM under subsection (1)
includes, in particular, information that they require for any one or more of the
following purposes—
(a) the purpose of assessing compliance with—
(i) any duty or requirement set out in Chapter 2, 3, 4 or 5 of Part 3,
(ii) any duty set out in section 57 (user identity verification),
(iii) any requirement under section 59 (reporting CSEA content),
(iv) any requirement relating to transparency reporting (see section
64(3) and (4)), or
(v) any duty set out in section 68 (provider pornographic content);
(b) the purpose of assessing compliance with a requirement under section
70 (duty to notify OFCOM in relation to the charging of fees);
(c) the purpose of a consultation about a threshold figure as mentioned in
section 73 (threshold figure for the purposes of charging fees);
(d) the purpose of ascertaining the amount of a person’s qualifying
worldwide revenue for the purposes of—
(i) section 71 (duty to pay fees), or
(ii) paragraph 4 or 5 of Schedule 13 (amount of penalties etc);
(e) the purpose of assessing compliance with any requirements imposed
on a person by—
(i) a notice under section 104(1) (notices to deal with terrorism
content and CSEA content), or
(ii) a confirmation decision;
(f) the purpose of assessing the accuracy and effectiveness of technology
required to be used by—
(i) a notice under section 104(1), or
(ii) a confirmation decision;
(g) the purpose of dealing with complaints made to OFCOM under section
141 (super-complaints);
(h) the purpose of OFCOM’s advice to the Secretary of State about
provision to be made by regulations under paragraph 1 of Schedule 11
(threshold conditions for categories of Part 3 services);
(i) the purpose of determining whether a Part 3 service meets threshold
conditions specified in regulations under paragraph 1 of Schedule 11;
(j) the purpose of preparing a code of practice under section 37;
(k) the purpose of preparing guidance in relation to online safety matters;
(l) the purpose of carrying out research, or preparing a report, in relation
to online safety matters;

5

10

15

20

25

30

35

40

45

76

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(m)

the purpose of complying with OFCOM’s duty under section 11 of the
Communications Act, so far as relating to regulated services (duty to
promote media literacy).

(6)

See also section 88 (power to include a requirement to name a senior manager).

(7)

The power conferred by subsection (1) does not include power to require the
provision of information in respect of which a claim to legal professional
privilege, or (in Scotland) to confidentiality of communications, could be
maintained in legal proceedings.

(8)

In this section—
“information” includes documents, and any reference to providing
information includes a reference to producing a document (and see also
section 87(9));
“regulated provider pornographic content” and “published or displayed”
have the same meaning as in Part 5 (see section 66).

87

Information notices
(1)

An information notice may require information in any form (including in
electronic form).

(2)

An information notice must—
(a) specify or describe the information to be provided,
(b) specify why OFCOM require the information,
(c) specify the form and manner in which it must be provided, and
(d) contain information about the consequences of not complying with the
notice.

5

10

15

20

(3)

An information notice must specify when the information must be provided
(which may be on or by a specified date, within a specified period, or at
specified intervals).

(4)

An information notice may specify a place at which, and a person to whom,
information is to be provided.

(5)

A person to whom a document is produced in response to an information
notice may—
(a) take copies of, or extracts from, the document;
(b) require the person producing the document, or a person who is or was
an officer of that person, or (in the case of a partnership) a person who
is or was a partner, to give an explanation of it.

(6)

A person to whom an information notice is given has a duty—
(a) to provide the information in accordance with the requirements of the
notice, and
(b) to ensure that the information provided is accurate in all material
respects.

35

(7)

OFCOM may cancel an information notice by notice to the person to whom it
was given.

40

(8)

In this section—
“information” includes documents, and any reference to providing
information includes a reference to producing a document;

25

30

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

77

“officer”, in relation to an entity, includes a director, a manager, an
associate, a secretary or, where the affairs of the entity are managed by
its members, a member.
(9)

88

In relation to information recorded otherwise than in a legible form, references
in this section to producing a document are to producing a copy of the
information—
(a) in a legible form, or
(b) in a form from which it can readily be produced in a legible form.

5

Requirement to name a senior manager
(1)

This section applies where—
(a) OFCOM give a provider of a regulated service an information notice,
and
(b) the provider is an entity.

(2)

OFCOM may include in the information notice a requirement that the provider
must name, in their response to the notice, an individual who the provider
considers to be a senior manager of the entity and who may reasonably be
expected to be in a position to ensure compliance with the requirements of the
notice.

(3)

If OFCOM impose a requirement to name an individual, the information notice
must—
(a) require the provider to inform such an individual, and
(b) include information about the consequences for such an individual of
the entity’s failure to comply with the requirements of the notice (see
section 94).

(4)

An individual is a “senior manager” of an entity if the individual plays a
significant role in—
(a) the making of decisions about how the entity’s relevant activities are to
be managed or organised, or
(b) the actual managing or organising of the entity’s relevant activities.

25

(5)

An entity’s “relevant activities” are activities relating to the entity’s compliance
with the regulatory requirements imposed by this Act in connection with the
regulated service to which the information notice in question relates.

30

10

15

20

Skilled persons’ reports
89

Reports by skilled persons
(1)

OFCOM may exercise the powers in this section where they consider that it is
necessary to do so for either or both of the following purposes—
(a) assisting OFCOM in identifying and assessing a failure, or possible
failure, by a provider of a regulated service to comply with a relevant
requirement, or
(b) developing OFCOM’s understanding of—
(i) the nature and level of risk of a provider of a regulated service
failing to comply with a relevant requirement, and
(ii) ways to mitigate such a risk.

35

40

78

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(2)

But the powers in this section may be exercised for a purpose mentioned in
subsection (1)(b) only where OFCOM consider that the provider in question
may be at risk of failing to comply with a relevant requirement.

(3)

OFCOM may appoint a skilled person to provide them with a report about
matters relevant to the purpose for which the powers under this section are
exercised (“the relevant matters”), and, where OFCOM make such an
appointment, they must notify the provider about the appointment and the
relevant matters to be explored in the report.

(4)

Alternatively, OFCOM may give a notice to the provider—
(a) requiring the provider to appoint a skilled person to provide OFCOM
with a report in such form as may be specified in the notice, and
(b) specifying the relevant matters to be explored in the report.

(5)

(6)

References in this section to a skilled person are to a person—
(a) appearing to OFCOM to have the skills necessary to prepare a report
about the relevant matters, and
(b) where the appointment is to be made by the provider, nominated or
approved by OFCOM.
It is the duty of—
(a) the provider of the service (“P”),
(b) any person who works for (or used to work for) P, or is providing (or
used to provide) services to P related to the relevant matters, and
(c) other providers of internet services,
to give the skilled person all such assistance as the skilled person may
reasonably require to prepare the report.

5

10

15

20

(7)

The provider of the service is liable for the payment, directly to the skilled
person, of the skilled person’s remuneration and expenses relating to the
preparation of the report.

(8)

Subsections (9) to (11) apply in relation to an amount due to a skilled person
under subsection (7).

(9)

In England and Wales, such an amount is recoverable—
(a) if the county court so orders, as if it were payable under an order of that
court;
(b) if the High Court so orders, as if it were payable under an order of that
court.

30

(10)

In Scotland, such an amount may be enforced in the same manner as an extract
registered decree arbitral bearing a warrant for execution issued by the sheriff
court of any sheriffdom in Scotland.

35

(11)

In Northern Ireland, such an amount is recoverable—
(a) if a county court so orders, as if it were payable under an order of that
court;
(b) if the High Court so orders, as if it were payable under an order of that
court.

(12)

In this section “relevant requirement” means—
(a) a duty or requirement set out in any of the following—
(i) section 8, 10, 12, 23 or 25 (risk assessments);
(ii) section 9 or 24 (illegal content);

25

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(b)
(c)

79

(iii) section 11 or 26 (children’s online safety);
(iv) section 13 (adults’ online safety);
(v) section 14 (user empowerment);
(vi) section 17 or 27 (content reporting);
(vii) section 18 or 28 (complaints procedures);
(viii) section 20 or 30 (record-keeping and review);
(ix) section 32 (children’s access assessments);
(x) section 34 or 35 (fraudulent advertising);
(xi) section 57 (user identity verification);
(xii) section 59 (reporting CSEA content);
(xiii) section 64(3) or (4) (transparency reports);
(xiv) section 68(2) (children’s access to pornographic content);
a requirement under section 70 to notify OFCOM in connection with
the charging of fees (see subsections (1), (3) and (5) of that section); or
a requirement imposed by a notice under section 104(1) (notices to deal
with terrorism content and CSEA content).

5

10

15

Investigations and interviews
90

Investigations
(1)

If OFCOM open an investigation into whether a provider of a regulated service
has failed, or is failing, to comply with any requirement mentioned in
subsection (2), the provider must co-operate fully with the investigation.

(2)

The requirements are—
(a) a requirement imposed by a notice under section 104(1) (notices to deal
with terrorism content and CSEA content), and
(b) an enforceable requirement as defined in section 112 (except the
requirement in subsection (1) of this section).

91

20

25

Power to require interviews
(1)

(2)

The power conferred by this section is exercisable by OFCOM for the purposes
of an investigation that they are carrying out into the failure, or possible failure,
of a provider of a regulated service to comply with a relevant requirement.

30

OFCOM may give an individual within subsection (4) a notice requiring the
individual—
(a) to attend at a time and place specified in the notice, and
(b) to answer questions and provide explanations about any matter
relevant to the investigation.

35

(3)

A notice under this section must—
(a) indicate the subject matter and purpose of the interview, and
(b) contain information about the consequences of not complying with the
notice.

(4)

The individuals within this subsection are—
(a) if the provider of the service is an individual or individuals, that
individual or those individuals,
(b) an officer of the provider of the service,

40

80

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(c)
(d)
(e)

if the provider of the service is a partnership, a partner,
an employee of the provider of the service, and
an individual who was within any of paragraphs (a) to (d) at a time to
which the required information or explanation relates.

(5)

If OFCOM give a notice to an individual within subsection (4)(b), (c) or (d),
they must give a copy of the notice to the provider of the service.

(6)

An individual is not required under this section to disclose information in
respect of which a claim to legal professional privilege, or (in Scotland) to
confidentiality of communications, could be maintained in legal proceedings.

(7)

In this section—
“officer”, in relation to an entity, includes a director, a manager, an
associate, a secretary or, where the affairs of the entity are managed by
its members, a member;
“relevant requirement” has the meaning given by section 89(12).
Powers of entry, inspection and audit

92

5

10

15

Powers of entry, inspection and audit
Schedule 12 makes provision about—
(a) OFCOM’s powers of entry and inspection, and
(b) the carrying out of audits by OFCOM.
Information offences and penalties

93

20

Offences in connection with information notices
(1)

A person commits an offence if the person fails to comply with a requirement
of an information notice.

(2)

It is a defence for a person charged with an offence under subsection (1) to
show that—
(a) it was not reasonably practicable to comply with the requirements of
the information notice at the time required by the notice, but
(b) the person has subsequently taken all reasonable steps to comply with
those requirements.

(3)

A person commits an offence if, in response to an information notice—
(a) the person provides information that is false in a material respect, and
(b) at the time the person provides it, the person knows that it is false in a
material respect or is reckless as to whether it is false in a material
respect.

30

(4)

A person commits an offence if, in response to an information notice, the
person—
(a) provides information which is encrypted such that it is not possible for
OFCOM to understand it, or produces a document which is encrypted
such that it is not possible for OFCOM to understand the information it
contains, and
(b) the person’s intention was to prevent OFCOM from understanding
such information.

35

25

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(5)

81

A person commits an offence if—
(a) the person suppresses, destroys or alters, or causes or permits the
suppression, destruction or alteration of, any information required to
be provided, or document required to be produced, by an information
notice, and
(b) the person’s intention was to prevent OFCOM from being provided
with the information or document or (as the case may be) from being
provided with it as it was before the alteration.

(6)

The reference in subsection (5) to suppressing information or a document
includes a reference to destroying the means of reproducing information
recorded otherwise than in a legible form.

(7)

Offences under this section may be committed only in relation to an
information notice which—
(a) relates to—
(i) a user-to-user service,
(ii) a search service, or
(iii) an internet service on which regulated provider pornographic
content is published or displayed; and
(b) is given to the provider of that service.

(8)

If a person is convicted of an offence under this section, the court may, on an
application by the prosecutor, make an order requiring the person to comply
with a requirement of an information notice within such period as may be
specified by the order.

(9)

See also section 164 (supplementary provision about defences).

(10)

94

In this section, “regulated provider pornographic content” and “published or
displayed” have the same meaning as in Part 5 (see section 66).

5

10

15

20

25

Senior managers’ liability: information offences
(1)

(2)

(3)

(4)

In this section “an individual named as a senior manager of an entity” means
an individual who, as required by an information notice, is named as a senior
manager of an entity in a response to that notice (see section 88).

30

An individual named as a senior manager of an entity commits an offence if—
(a) the entity commits an offence under section 93(1) (failure to comply
with information notice), and
(b) the individual has failed to take all reasonable steps to prevent that
offence being committed.

35

It is a defence for an individual charged with an offence under subsection (2)
to show that the individual was a senior manager within the meaning of
section 88 for such a short time after the information notice in question was
given that the individual could not reasonably have been expected to take steps
to prevent that offence being committed.

40

An individual named as a senior manager of an entity commits an offence if—
(a) the entity commits an offence under section 93(3) (false information),
and
(b) the individual has failed to take all reasonable steps to prevent that
offence being committed.

45

82

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(5)

(6)

An individual named as a senior manager of an entity commits an offence if—
(a) the entity commits an offence under section 93(4) (encrypted
information), and
(b) the individual has failed to take all reasonable steps to prevent that
offence being committed.

5

An individual named as a senior manager of an entity commits an offence if—
(a) the entity commits an offence under section 93(5) (destruction etc of
information), and
(b) the individual has failed to take all reasonable steps to prevent that
offence being committed.

10

(7)

It is a defence for an individual charged with an offence under subsection (4),
(5) or (6) to show that the individual was not a senior manager within the
meaning of section 88 at the time at which the act constituting the offence
occurred.

(8)

It is a defence for an individual charged with an offence under this section to
show that the individual had no knowledge of being named as a senior
manager in a response to the information notice in question.

(9)

See also section 164 (supplementary provision about defences).

95

15

Offences in connection with notices under Schedule 12
(1)

A person commits an offence if the person fails without reasonable excuse to
comply with a requirement of an audit notice.

(2)

A person commits an offence if, in response to an audit notice—
(a) the person provides information that is false in a material respect, and
(b) at the time the person provides it, the person knows that it is false in a
material respect or is reckless as to whether it is false in a material
respect.

(3)

A person commits an offence if—
(a) the person suppresses, destroys or alters, or causes or permits the
suppression, destruction or alteration of, any information required to
be provided, or document required to be produced, by a notice to
which this subsection applies, and
(b) the person’s intention was to prevent OFCOM from being provided
with the information or document or (as the case may be) from being
provided with it as it was before the alteration.

(4)

The reference in subsection (3) to suppressing information or a document
includes a reference to destroying the means of reproducing information
recorded otherwise than in a legible form.

(5)

Subsection (3) applies to—
(a) a notice under paragraph 3 of Schedule 12 (information required for
inspection), and
(b) an audit notice (see paragraph 4 of that Schedule).

(6)

If a person is convicted of an offence under this section, the court may, on an
application by the prosecutor, make an order requiring the person, within such
period as may be specified by the order, to comply with a requirement of a
notice under paragraph 3 of Schedule 12 or an audit notice (as the case may be).

20

25

30

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

96

83

Other information offences
(1)

A person commits an offence if the person intentionally obstructs or delays a
person in the exercise of the power conferred by section 87(5)(a) (copying a
document etc).

(2)

A person commits an offence if the person fails without reasonable excuse to
comply with a requirement under section 91 (interviews).

(3)

A person commits an offence if, in purported compliance with a requirement
under section 91—
(a) the person provides information that is false in a material respect, and
(b) at the time the person provides it, the person knows that it is false in a
material respect or is reckless as to whether it is false in a material
respect.

(4)

97

If a person is convicted of an offence under this section, the court may, on an
application by the prosecutor, make an order requiring the person, within such
period as may be specified by the order, to permit the making of a copy of a
document, or to comply with a requirement under section 91 (as the case may
be).

5

10

15

Penalties for information offences
(1)

(2)

(3)

A person who commits an offence under section 93(1), 94(2) or 95(1) is liable—
(a) on summary conviction in England and Wales, to a fine;
(b) on summary conviction in Scotland or Northern Ireland, to a fine not
exceeding the statutory maximum;
(c) on conviction on indictment, to a fine.
A person who commits an offence under section 93(3), (4) or (5), 94(4), (5) or (6),
95(2) or (3) or 96(1) is liable—
(a) on summary conviction in England and Wales, to imprisonment for a
term not exceeding the general limit in a magistrates’ court or a fine (or
both);
(b) on summary conviction in Scotland, to imprisonment for a term not
exceeding 12 months or a fine not exceeding the statutory maximum (or
both);
(c) on summary conviction in Northern Ireland, to imprisonment for a
term not exceeding 6 months or a fine not exceeding the statutory
maximum (or both);
(d) on conviction on indictment, to imprisonment for a term not exceeding
two years or a fine (or both).
A person who commits an offence under section 96(2) or (3) is liable—
(a) on summary conviction in England and Wales, to a fine;
(b) on summary conviction in Scotland, to a fine not exceeding level 5 on
the standard scale;
(c) on summary conviction in Northern Ireland, to a fine not exceeding
level 5 on the standard scale.

20

25

30

35

40

84

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

Disclosure of information
98

Co-operation and disclosure of information: overseas regulators
(1)

OFCOM may co-operate with an overseas regulator, including by disclosing
online safety information to that regulator, for the purposes of—
(a) facilitating the exercise by the overseas regulator of any of that
regulator’s online regulatory functions, or
(b) criminal investigations or proceedings relating to a matter to which the
overseas regulator’s online regulatory functions relate.

5

(2)

The power conferred by subsection (1) applies only in relation to an overseas
regulator for the time being specified in regulations made by the Secretary of
State.

10

(3)

Where information is disclosed to a person in reliance on subsection (1), the
person may not—
(a) use the information for a purpose other than the purpose for which it
was disclosed, or
(b) further disclose the information,
except with OFCOM’s consent (which may be general or specific) or in
accordance with an order of a court or tribunal.

15

(4)

Except as provided by subsection (5), a disclosure of information under
subsection (1) does not breach—
(a) any obligation of confidence owed by the person making the
disclosure, or
(b) any other restriction on the disclosure of information (however
imposed).

(5)

Subsection (1) does not authorise a disclosure of information that—
(a) would contravene the restriction imposed by section 100 (intelligence
service information),
(b) would contravene the data protection legislation (but in determining
whether a disclosure would do so, the power conferred by that
subsection is to be taken into account), or
(c) is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the
Investigatory Powers Act 2016.

(6)

(7)

Section 18 of the Anti-terrorism, Crime and Security Act 2001 (restriction on
disclosure of information for overseas purposes) has effect in relation to a
disclosure authorised by subsection (1)(b) as it has effect in relation to a
disclosure authorised by any of the provisions to which section 17 of that Act
applies.
In this section—
“online regulatory functions”, in relation to an overseas regulator, means
functions of that regulator which correspond to OFCOM’s online safety
functions;
“online safety information” means information held by OFCOM in
connection with any of OFCOM’s online safety functions;
“overseas regulator” means a person exercising functions in a country
outside the United Kingdom which correspond to any of OFCOM’s
online safety functions;

20

25

30

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

85

“the data protection legislation” has the same meaning as in the Data
Protection Act 2018 (see section 3 of that Act).
99

Disclosure of information
(1)

Section 393 of the Communications Act (general restrictions on disclosure of
information) is amended as follows.

(2)

In subsection (1)—
(a) at the end of paragraph (c) omit “or”,
(b) at the end of paragraph (d) insert “or”, and
(c) after paragraph (d) insert—
“(e) the Online Safety Act 2022,”.

(3)

In subsection (2)(e), after “this Act” insert “or the Online Safety Act 2022”.

(4)

In subsection (6)(a), after “390” insert “, or under section 129 of or Schedule 11
to the Online Safety Act 2022”.

(5)

In subsection (6)(b), at the end insert “or the Online Safety Act 2022”.

100

Intelligence service information

(1)

OFCOM may not disclose information received (directly or indirectly) from, or
that relates to, an intelligence service unless the intelligence service consents to
the disclosure.

(2)

If OFCOM have disclosed information described in subsection (1) to a person,
the person must not further disclose the information unless the intelligence
service consents to the disclosure.

(3)

If OFCOM would contravene subsection (1) by publishing in its entirety—
(a) a statement required to be published by section 43(5), or
(b) a report mentioned in section 138(5),
OFCOM must, before publication, remove or obscure the information which
by reason of subsection (1) they must not disclose.

(4)

101

In this section—
“information” means information held by OFCOM in connection with an
online safety matter;
“intelligence service” means—
(a) the Security Service,
(b) the Secret Intelligence Service, or
(c) the Government Communications Headquarters.

5

10

15

20

25

30

Provision of information to the Secretary of State

(1)

Section 24B of the Communications Act (provision of information to assist in
formulation of policy) is amended as follows.

(2)

In subsection (2)—
(a) at the end of paragraph (d) omit “or”,
(b) at the end of paragraph (e) insert “or”, and
(c) after paragraph (e) insert—
“(f) the Online Safety Act 2022,”.

35

40

86

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(3)

After subsection (2) insert—
“(3)

102

But subsection (2) does not apply to information—
(a) obtained by OFCOM—
(i) in the exercise of a power conferred by section 86 of the
Online Safety Act 2022 for the purpose mentioned in
subsection (5)(c) of that section (information in
connection with a consultation about a threshold figure
for the purposes of charging fees under that Act), or
(ii) in the exercise of a power conferred by section 147(5) of
that Act (information in connection with circumstances
presenting a threat), and
(b) reasonably required by the Secretary of State.”

Section 26 of the Communications Act (publication of information and advice
for consumers etc) is amended as follows.

(2)

In subsection (2), after paragraph (d) insert—
“(da) United Kingdom users of regulated services;”.

(3)

After subsection (6) insert—
“(7)

(1)

(2)

10

Information for users of regulated services

(1)

103

5

In this section the following terms have the same meaning as in the
Online Safety Act 2022—
“regulated service” (see section 3 of that Act);
“United Kingdom user” (see section 184 of that Act).”

15

20

Admissibility of statements
An explanation given, or information provided, by a person in response to a
requirement imposed under or by virtue of section 86 or 91 or paragraph
2(4)(e) or (f), 4(2)(g) or (h) or 7(d) of Schedule 12, may, in criminal proceedings,
only be used in evidence against that person—
(a) on a prosecution for an offence under a provision listed in subsection
(2), or
(b) on a prosecution for any other offence where—
(i) in giving evidence that person makes a statement inconsistent
with that explanation or information, and
(ii) evidence relating to that explanation or information is adduced,
or a question relating to it is asked, by that person or on that
person’s behalf.
Those provisions are—
(a) section 62(1),
(b) section 93(3),
(c) section 94(4),
(d) section 95(2),
(e) section 96(3),
(f) paragraph 18 of Schedule 12,
(g) section 5 of the Perjury Act 1911 (false statements made otherwise than
on oath),

25

30

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 4 — Information

(h)
(i)

87

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995
(false statements made otherwise than on oath), and
Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714
(N.I. 19)) (false statutory declarations and other false unsworn
statements).

5

CHAPTER 5
REGULATED USER-TO-USER SERVICES AND REGULATED SEARCH SERVICES: NOTICES TO DEAL
WITH TERRORISM CONTENT AND CSEA CONTENT
104

Notices to deal with terrorism content or CSEA content (or both)

(1)

If OFCOM consider that it is necessary and proportionate to do so, they may
give a notice described in subsection (2), (3) or (4) relating to a regulated userto-user service or a regulated search service to the provider of the service.

(2)

A notice under subsection (1) that relates to a regulated user-to-user service is
a notice requiring the provider of the service to do either or both of the
following—
(a) use accredited technology to identify terrorism content communicated
publicly by means of the service and to swiftly take down that content;
(b) use accredited technology to identify CSEA content, whether
communicated publicly or privately by means of the service, and to
swiftly take down that content.

(3)

(4)

(5)

A notice under subsection (1) that relates to a regulated search service is a
notice requiring the provider of the service to do either or both of the
following—
(a) use accredited technology to identify search content of the service that
is terrorism content and to swiftly take measures designed to secure, so
far as possible, that search content of the service no longer includes
terrorism content identified by the technology;
(b) use accredited technology to identify search content of the service that
is CSEA content and to swiftly take measures designed to secure, so far
as possible, that search content of the service no longer includes CSEA
content identified by the technology.
A notice under subsection (1) that relates to a combined service is a notice
requiring the provider of the service to do any of the following—
(a) use accredited technology as described in subsection (2)(a) or (b), or
both, in relation to the user-to-user part of the service;
(b) use accredited technology as described in subsection (3)(a) or (b), or
both, in relation to the search engine of the service;
(c) use accredited technology as described in subsection (2)(a) or (b), or
both, in relation to the user-to-user part of the service, and use
accredited technology as described in subsection (3)(a) or (b), or both,
in relation to the search engine.
For the purposes of subsections (2) and (3), a requirement to take down
terrorism or CSEA content, or to take measures to secure that search content
does not include terrorism or CSEA content, may be complied with by the use
of accredited technology alone or by means of the technology together with the

10

15

20

25

30

35

40

45

88

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 5 — Regulated user-to-user services and regulated search services: notices to deal with terrorism content
and CSEA content

use of human moderators to review terrorism or CSEA content (as the case may
be) identified by the technology.
(6)

See section 105 for provision about matters which OFCOM must consider
before giving a notice under subsection (1).

(7)

OFCOM may give a notice under subsection (1) to a provider relating to a
service, or (in the case of a notice described in subsection (4)(a) or (b)) part of a
service, only after giving a warning notice to the provider that they intend to
give such a notice relating to that service or that part of it.

(8)

The warning notice under subsection (7) must—
(a) contain details of the technology that OFCOM are considering
requiring the provider to use,
(b) specify whether the technology is to be required in relation to terrorism
content or CSEA content (or both),
(c) specify any other requirements that OFCOM are considering imposing
(see section 106(2) to (4)),
(d) specify the period for which OFCOM are considering imposing the
requirements (see section 106(6)),
(e) state that the provider may make representations to OFCOM (with any
supporting evidence), and
(f) specify the period within which representations may be made.

(9)

A notice under subsection (1) that relates to both the user-to-user part of a
combined service and the search engine of the service (as described in
subsection (4)(c)) may be given to the provider of the service only if—
(a) two separate warning notices have been given to the provider (one
relating to the user-to-user part of the service and the other relating to
the search engine), or
(b) a single warning notice relating to both the user-to-user part of the
service and the search engine has been given to the provider.

(10)

A notice under subsection (1) may not be given to a provider until the period
allowed by the warning notice for the provider to make representations has
expired.

(11)

A notice under subsection (1) relating to terrorism content present on a service
must identify the content, or parts of the service that include content, that
OFCOM consider is communicated publicly on that service (see section 188).

(12)

For the meaning of “accredited” technology, see section 106(9) and (10).

105

5

10

15

20

25

30

35

Matters relevant to a decision to give a notice under section 104(1)

(1)

This section specifies the matters which OFCOM must particularly consider in
deciding whether it is necessary and proportionate to give a notice under
section 104(1) relating to a Part 3 service to the provider of the service.

(2)

The matters are as follows—
(a) the kind of service it is;
(b) the functionalities of the service;
(c) the user base of the service;
(d) in the case of a notice relating to a user-to-user service (or to the userto-user part of a combined service), the prevalence of relevant content

40

45

89
Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 5 — Regulated user-to-user services and regulated search services: notices to deal with terrorism content
and CSEA content

(e)
(f)
(g)
(h)
(i)

(j)

(3)

(4)

106

on the service, and the extent of its dissemination by means of the
service;
in the case of a notice relating to a search service (or to the search engine
of a combined service), the prevalence of search content of the service
that is relevant content;
the level of risk of harm to individuals in the United Kingdom
presented by relevant content, and the severity of that harm;
the systems and processes used by the service which are designed to
identify and remove relevant content;
the extent to which the use of the specified technology would or might
result in interference with users’ right to freedom of expression within
the law;
the level of risk of the use of the specified technology resulting in a
breach of any statutory provision or rule of law concerning privacy that
is relevant to the use or operation of the service (including, but not
limited to, any such provision or rule concerning the processing of
personal data);
whether the use of any less intrusive measures than the specified
technology would be likely to achieve a significant reduction in the
amount of relevant content.

The references to relevant content in subsection (2)(f), (g) and (j) are to—
(a) in the case of a user-to-user service (or the user-to-user part of a
combined service), relevant content present on the service;
(b) in the case of a search service (or the search engine of a combined
service), search content of the service that is relevant content.
In this section—
“relevant content” means terrorism content or CSEA content or both those
kinds of content (depending on the kind, or kinds, of content in relation
to which the specified technology is to operate);
“specified technology” means the technology to be specified in the notice
under section 104(1).

5

10

15

20

25

30

Notices under section 104(1): supplementary

(1)

In this section “a notice” means a notice under section 104(1) (including a
further notice under that provision).

(2)

If a provider is already using accredited technology in relation to the service in
question, a notice may require the provider to use it more effectively
(specifying the ways in which that must be done).

(3)

A notice relating to a user-to-user service (or to the user-to-user part of a
combined service) may also require a provider to operate an effective
complaints procedure allowing for United Kingdom users to challenge the
provider for taking down content which they have generated, uploaded or
shared on the service.

40

A notice relating to a search service (or to the search engine of a combined
service) may also require a provider to operate an effective complaints
procedure allowing for an interested person (see section 184(7)) to challenge
measures taken or in use by the provider that result in content relating to that
interested person no longer appearing in search results of the service.

45

(4)

35

90

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 5 — Regulated user-to-user services and regulated search services: notices to deal with terrorism content
and CSEA content

(5)

A notice must—
(a) give OFCOM’s reasons for their decision to give the notice,
(b) contain details of the requirements imposed by the notice,
(c) contain details of the technology to be used,
(d) contain details about the manner in which the technology is to be
implemented,
(e) specify a reasonable period for compliance with the notice,
(f) specify the period for which the notice is to have effect,
(g) contain details of the rights of appeal under section 140,
(h) contain information about when OFCOM intend to review the notice
(see section 107), and
(i) contain information about the consequences of not complying with the
notice (including information about the further kinds of enforcement
action that it would be open to OFCOM to take).

(6)

A notice may impose requirements for a period of up to 36 months beginning
with the last day of the period specified in the notice in accordance with
subsection (5)(e).

(7)

A notice may impose requirements only in relation to the operation of a Part 3
service—
(a) in the United Kingdom, or
(b) as it affects United Kingdom users of the service.

(8)

OFCOM may vary or revoke a notice given to a provider by notifying the
provider to that effect.

(9)

For the purposes of section 104 and this section, technology is “accredited” if it
is accredited (by OFCOM or another person appointed by OFCOM) as meeting
minimum standards of accuracy in the detection of terrorism content or CSEA
content (as the case may be).

(10)

Those minimum standards of accuracy must be such standards as are for the
time being approved and published by the Secretary of State, following advice
from OFCOM.

107

5

10

15

20

25

30

Review and further notice under section 104(1)

(1)

This section applies where OFCOM have given a provider of a Part 3 service a
notice under section 104(1).

(2)

The power conferred by section 106(8) includes power to revoke the notice if
there are reasonable grounds for believing that the provider is failing to
comply with it.

(3)

If a notice is revoked as mentioned in subsection (2), OFCOM may give the
provider a further notice under section 104(1) if they consider that it is
necessary and proportionate to do so (taking into account the matters
mentioned in section 105).

(4)

Except where a notice under section 104(1) is revoked as mentioned in
subsection (2), OFCOM must, before the end of the period for which the notice
has effect, carry out a review of the provider’s use of technology as required by
the notice.

(5)

The review must consider—

35

40

45

91
Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 5 — Regulated user-to-user services and regulated search services: notices to deal with terrorism content
and CSEA content

(a)
(b)

the extent to which the technology specified in the notice has been used,
and
the effectiveness of its use.

(6)

Following the review, and after consultation with the provider, OFCOM may
give the provider a further notice under section 104(1) if they consider that it is
necessary and proportionate to do so (taking into account the matters
mentioned in section 105).

(7)

If a further notice under section 104(1) is given, subsections (3) to (6) apply
again.

(8)

A further notice under section 104(1) may require the use of different
accredited technology from an earlier notice under that provision.

(9)

Section 104(7) to (10) (warning notice) do not apply in relation to a further
notice under section 104(1).

108

OFCOM must produce guidance for providers of Part 3 services about how
OFCOM propose to exercise their functions under this Chapter.

(2)

Before producing the guidance (including revised or replacement guidance),
OFCOM must consult the Information Commissioner.

(3)

OFCOM must keep the guidance under review.

(4)

OFCOM must publish the guidance (and any revised or replacement
guidance).

(5)

In exercising their functions under this Chapter, or deciding whether to
exercise them, OFCOM must have regard to the guidance for the time being
published under this section.

(1)

OFCOM’s annual report
OFCOM must produce and publish an annual report about—
(a) the exercise of their functions under this Chapter, and
(b) technology which meets, or is in the process of development so as to
meet, minimum standards of accuracy (see subsections (9) and (10) of
section 106) for the purposes of this Chapter.

(2)

OFCOM must send a copy of the report to the Secretary of State, and the
Secretary of State must lay it before Parliament.

(3)

For further provision about reports under this section, see section 138.

110

10

OFCOM’s guidance about functions under this Chapter

(1)

109

5

15

20

25

30

Interpretation of this Chapter
In this Chapter—
“search content” has the same meaning as in Part 3 (see section 51);
“search results” has the meaning given by section 51(3);
“terrorism content” and “CSEA content” have the same meaning as in Part
3 (see section 52).

35

92

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

CHAPTER 6
ENFORCEMENT POWERS
Provisional notices and confirmation decisions
111

Provisional notice of contravention

(1)

OFCOM may give a notice under this section (a “provisional notice of
contravention”) relating to a regulated service to the provider of the service if
they consider that there are reasonable grounds for believing that the provider
has failed, or is failing, to comply with any enforceable requirement (see
section 112) that applies in relation to the service.

5

(2)

OFCOM may also give a provisional notice of contravention to a person on
either of the grounds in subsection (3).

10

(3)

The grounds are that—
(a) the person has been given an information notice and OFCOM consider
that there are reasonable grounds for believing that the person has
failed, or is failing, to comply with either of the duties set out in section
87(6) (duties in relation to information notices), or
(b) the person is required by a skilled person appointed under section 89
to give assistance to the skilled person, and OFCOM consider that there
are reasonable grounds for believing that the person has failed, or is
failing, to comply with the duty set out in subsection (6) of that section
to give such assistance.

(4)

A provisional notice of contravention given to a person must—
(a) specify the duty or requirement with which (in OFCOM’s opinion) the
person has failed, or is failing, to comply, and
(b) give OFCOM’s reasons for their opinion that the person has failed, or
is failing, to comply with it.

(5)

A provisional notice of contravention may also contain details as mentioned in
subsection (6) or (7), or both.

(6)

A provisional notice of contravention may specify steps that OFCOM consider
the person needs to take in order to—
(a) comply with the duty or requirement, or
(b) remedy the failure to comply with it.

(7)

A provisional notice of contravention may state that OFCOM propose to
impose a penalty on the person, and in such a case the notice must—
(a) state the reasons why OFCOM propose to impose a penalty,
(b) state whether OFCOM propose to impose a penalty of a single amount,
a penalty calculated by reference to a daily rate, or both penalties (see
section 118(1)),
(c) indicate the amount of a penalty that OFCOM propose to impose,
including (in relation to a penalty calculated by reference to a daily
rate) the daily rate and how the penalty would be calculated,
(d) in relation to a penalty calculated by reference to a daily rate, specify or
describe the period for which OFCOM propose that the penalty should
be payable, and

15

20

25

30

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(e)

(8)

93

state the reasons for proposing a penalty of that amount, including any
aggravating or mitigating factors that OFCOM propose to take into
account.

A provisional notice of contravention given to a person must—
(a) state that the person may make representations to OFCOM (with any
supporting evidence) about the matters contained in the notice, and
(b) specify the period within which such representations may be made.

(9)

A provisional notice of contravention may be given in respect of a failure to
comply with more than one enforceable requirement.

(10)

Where a provisional notice of contravention is given in respect of a continuing
failure, the notice may be given in respect of any period during which the
failure has continued, and must specify that period.

(11)

Where a provisional notice of contravention is given to a person in respect of a
failure to comply with a duty or requirement (“the first notice”), a further
provisional notice of contravention in respect of a failure to comply with that
same duty or requirement may be given to the person only—
(a) in respect of a separate instance of the failure after the first notice was
given,
(b) where a period was specified in the first notice in accordance with
subsection (10), in respect of the continuation of the failure after the end
of that period, or
(c) if the first notice has been withdrawn (without a confirmation decision
being given to the person in respect of the failure).

112

5

10

15

20

Requirements enforceable by OFCOM against providers of regulated services

(1)

References in this Chapter to “enforceable requirements” are to—
(a) the duties or requirements set out in the provisions of this Act specified
in the table in subsection (2), and
(b) the requirements mentioned in subsection (3).

(2)

Here is the table—

Provision

Subject matter

Section 8

Illegal content risk assessments

Section 9

Illegal content

Section 10

Children’s risk assessments

Section 11

Children’s online safety

Section 12

Adults’ risk assessments

Section 13

Adults’ online safety

Section 14

User empowerment

Section 15

Content of democratic importance

Section 16

Journalistic content

25

30

35

94

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

Provision

(3)

Subject matter

Section 17

Content reporting

Section 18

Complaints procedures

Section 19

Freedom of expression and privacy

Section 20

Record-keeping and review

Section 23

Illegal content risk assessments

Section 24

Illegal content

Section 25

Children’s risk assessments

Section 26

Children’s online safety

Section 27

Content reporting

Section 28

Complaints procedures

Section 29

Freedom of expression and privacy

Section 30

Record-keeping and review

Section 32

Children’s access assessments

Section 34

Fraudulent advertising

Section 35

Fraudulent advertising

Section 57

User identity verification

Section 59

Reporting CSEA content to NCA

Section 64(3) and (4)

Transparency reports

Section 68

Provider pornographic content

Section 70

Fees: notification of OFCOM

Section 87(6)

Information notices

Section 89(6)

Assistance to skilled person

Section 90(1)

Co-operation with investigation

The requirements referred to in subsection (1)(b) are—
(a) requirements of a notice under section 89(4)(a) to appoint a skilled
person;
(b) requirements of a notice given by virtue of section 147(3) (duty to make
public statement);
(c) requirements of a notice under section 147(5) (information in
connection with circumstances presenting a threat);
(d) requirements imposed by a person acting—
(i) in the exercise of powers conferred by paragraph 2 of Schedule
12 (entry and inspection without warrant), or

5

10

15

20

25

30

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(ii)

113
(1)

95

in the execution of a warrant issued under paragraph 5 of that
Schedule.

Confirmation decisions
This section applies if—
(a) OFCOM have given a provisional notice of contravention to a person in
relation to a failure to comply with a duty or requirement (or with
duties or requirements), and
(b) the period allowed for representations has expired.
A duty or requirement to which the provisional notice of contravention relates
is referred to in this section as a “notified requirement”.

(2)

If, after considering any representations and evidence, OFCOM decide not to
give the person a notice under this section, they must inform the person of that
fact.

(3)

If OFCOM are satisfied that the person has failed, or has been failing, to comply
with a notified requirement, OFCOM may give the person a notice under this
section (a “confirmation decision”) confirming that that is OFCOM’s opinion.

(4)

A confirmation decision and a notice under section 104(1) may be given in
respect of the same failure.

(5)

A confirmation decision given to a person may—
(a) require the person to take steps as mentioned in section 114;
(b) require the person to pay a penalty as mentioned in section 118;
(c) require the person to do both those things (or neither of them).

(6)

114
(1)

See sections 115 and 116 for further provision which a confirmation decision
may include in cases of failure to comply with duties about risk assessments or
children’s access assessments.

5

10

15

20

25

Confirmation decisions: requirements to take steps
A confirmation decision may require the person to whom it is given to take
such steps as OFCOM consider appropriate (including steps relating to the use
a system or process) for either or both of the following purposes—
(a) complying with a notified requirement;
(b) remedying the failure to comply with a notified requirement.

(2)

But see section 117 for constraints on OFCOM’s power to include in a
confirmation decision requirements as described in subsection (1) relating to
the use of proactive technology.

(3)

A confirmation decision may impose requirements as described in subsection
(1) only in relation to the design or operation of a regulated service—
(a) in the United Kingdom, or
(b) as it affects United Kingdom users of the service.

(4)

A confirmation decision that includes requirements as described in subsection
(1) must—
(a) specify the steps that are required,
(b) give OFCOM’s reasons for their decision to impose those requirements,
(c) specify each notified requirement to which the steps relate,

30

35

40

96

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(d)
(e)

(f)
(g)
(h)

specify the period during which the failure to comply with a notified
requirement has occurred, and whether the failure is continuing,
specify a reasonable period within which each of the steps specified in
the decision must be taken or, if a step requires the use of a system or
process, a reasonable period within which the system or process must
begin to be used (but see subsection (5) in relation to information
duties),
(if relevant) specify the period for which a system or process must be
used,
contain details of the rights of appeal under section 140, and
contain information about the consequences of not complying with the
requirements included in the decision (including information about the
further kinds of enforcement action that it would be open to OFCOM to
take).

5

10

(5)

A confirmation decision that requires a person to take steps for the purpose of
complying with an information duty may require the person to take those steps
immediately.

(6)

A person to whom a confirmation decision is given has a duty to comply with
requirements included in the decision which are of a kind described in
subsection (1).

20

The duty under subsection (6) is enforceable in civil proceedings by OFCOM—
(a) for an injunction,
(b) for specific performance of a statutory duty under section 45 of the
Court of Session Act 1988, or
(c) for any other appropriate remedy or relief.

25

(7)

(8)

115
(1)

(2)

15

In this section—
“information duty” means a duty set out in section 87(6);
“notified requirement” has the meaning given by section 113.
Confirmation decisions: risk assessments
This section applies if—
(a) OFCOM are satisfied that a provider of a Part 3 service has failed to
comply with a risk assessment duty,
(b) based on evidence resulting from OFCOM’s investigation into that
failure, OFCOM have identified a risk of serious harm to individuals in
the United Kingdom arising from a particular aspect of the service (“the
identified risk”), and
(c) OFCOM consider that the identified risk is not effectively mitigated or
managed.
A confirmation decision given to the provider of the service—
(a) if the identified risk relates to illegal content, may include a
determination that the duty set out in section 9(2) or 24(2) (as the case
may be) applies as if an illegal content risk assessment carried out by
the provider had identified that risk;
(b) if the identified risk relates to content that is harmful to children, may
include a determination that the duty set out in section 11(2)(a) or
26(2)(a) (as the case may be) applies as if a children’s risk assessment
carried out by the provider had identified that risk.

30

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(3)

(4)

(5)

116

97

A confirmation decision which includes a determination as mentioned in
subsection (2) must—
(a) give details of the identified risk,
(b) specify the duty to which the determination relates, and
(c) specify the date by which measures (at the provider’s discretion) to
comply with that duty must be taken or must begin to be used.
A determination as mentioned in subsection (2) ceases to have effect on the
date on which the provider of the service complies with the risk assessment
duty with which the provider had previously failed to comply (and
accordingly, from that date the duty to which the determination relates applies
without the modification mentioned in that subsection).
In this section—
“children’s risk assessment” has the meaning given by section 10 or 25 (as
the case may be);
“content that is harmful to children” has the same meaning as in Part 3
(see section 53);
“illegal content” has the same meaning as in Part 3 (see section 52);
“illegal content risk assessment” has the meaning given by section 8 or 23
(as the case may be);
“risk assessment duty” means a duty set out in—
(a) section 8,
(b) section 10,
(c) section 23, or
(d) section 25.
Confirmation decisions: children’s access assessments

(1)

This section applies if OFCOM are satisfied that a provider of a Part 3 service
has failed to comply with a duty set out in section 32 (duties about children’s
access assessments).

(2)

If OFCOM include in a confirmation decision a requirement to take steps
relating to the carrying out of a children’s access assessment of a service, they
must require that assessment to be completed within three months of the date
of the confirmation decision.

(3)

OFCOM may vary a confirmation decision which includes a requirement as
mentioned in subsection (2) to extend the deadline for completion of a
children’s access assessment.

(4)

(5)

Subsection (5) applies if, based on evidence that OFCOM have about a service
resulting from their investigation into compliance with a duty set out in section
32, OFCOM consider that—
(a) it is possible for children to access the service or a part of it, and
(b) the child user condition is met in relation to—
(i) the service, or
(ii) a part of the service that it is possible for children to access.
OFCOM may include in the confirmation decision given to the provider of the
service—
(a) a determination that the duties set out in sections 10 and 11, or (as the
case may be) sections 25 and 26, must be complied with—

5

10

15

20

25

30

35

40

45

98

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(b)

(i) from the date of the confirmation decision, or
(ii) from a later date specified in that decision;
provision about the circumstances in which that determination may be
treated as no longer applying in relation to the service.

(6)

Subsection (4) is to be interpreted consistently with section 31.

(7)

In this section, “children’s access assessment” has the meaning given by section
31.

117

Confirmation decisions: proactive technology

(1)

This section sets out constraints on OFCOM’s power to include in a
confirmation decision a requirement to take steps to use a kind, or one of the
kinds, of proactive technology specified in the decision (a “proactive
technology requirement”).

(2)

A proactive technology requirement may be imposed in a confirmation
decision only if the decision is given to the provider of a Part 3 service.

(3)

A proactive technology requirement may be imposed in a confirmation
decision only for the purpose of complying with, or remedying the failure to
comply with, any of the duties set out in—
(a) section 9(2) or (3) (illegal content),
(b) section 11(2) or (3) (children’s online safety),
(c) section 24(2) or (3) (illegal content),
(d) section 26(2) or (3) (children’s online safety), or
(e) section 34(1) or 35(1) (fraudulent advertising).

(4)

5

Proactive technology may be required to be used on or in relation to any Part
3 service or any part of such a service, but if and to the extent that the
technology operates (or may operate) by analysing content that is usergenerated content in relation to the service, or metadata relating to such
content, the technology may not be required to be used except to analyse—
(a) user-generated content communicated publicly, and
(b) metadata relating to user-generated content communicated publicly.

(5)

Before imposing a proactive technology requirement in relation to a service in
a confirmation decision, OFCOM must particularly consider the matters
mentioned in subsection (6), so far as they are relevant.

(6)

The matters are as follows—
(a) the kind of service it is;
(b) the functionalities of the service;
(c) the user base of the service;
(d) the prevalence of relevant content on the service and the extent of its
dissemination by means of the service, or (as the case may be) the
prevalence of search content of the service that is relevant content;
(e) the level of risk of harm to individuals in the United Kingdom
presented by relevant content present on the service, or (as the case
may be) search content of the service that is relevant content, and the
severity of that harm;
(f) the degree of accuracy, effectiveness and lack of bias achieved by the
kind of technology specified in the decision;

10

15

20

25

30

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(g)
(h)

(i)

(7)

99

the extent to which the use of the kind of proactive technology specified
in the decision would or might result in interference with users’ right
to freedom of expression within the law;
the level of risk of the use of the kind of proactive technology specified
in the decision resulting in a breach of any statutory provision or rule
of law concerning privacy that is relevant to the use or operation of the
service (including, but not limited to, any such provision or rule
concerning the processing of personal data);
whether the use of any less intrusive measures than the proactive
technology specified in the decision would be likely to result in
compliance with, or would be likely to effectively remedy the failure to
comply with, the duty in question.

A confirmation decision that imposes a proactive technology requirement on a
provider may also impose requirements about review of the technology by the
provider.

(8)

A confirmation decision relating to a service which requires the use of
technology of a kind mentioned in subsection (4) must identify the content, or
parts of the service that include content, that OFCOM consider is
communicated publicly on that service (see section 188).

(9)

In this section—
“content that is harmful to children” has the same meaning as in Part 3
(see section 53);
“fraudulent advertisement” has the meaning given by section 34 or 35
(depending on the kind of service in question);
“illegal content” has the same meaning as in Part 3 (see section 52);
“relevant content” means illegal content, content that is harmful to
children or content consisting of fraudulent advertisements, or any or
all of those kinds of content (depending on the duties (as mentioned in
subsection (3)) for the purposes of which the proactive technology
requirement is imposed);
“search content” has the same meaning as in Part 3 (see section 51);
“user-generated content” has the meaning given by section 49 (see
subsections (3) and (4) of that section).

118
(1)

5

10

15

20

25

30

Confirmation decisions: penalties
A confirmation decision may require the person to whom it is given to do
either or both of the following, depending on what was proposed in the
provisional notice of contravention (see paragraph 3 of Schedule 13)—
(a) pay to OFCOM a penalty of a single amount in sterling determined by
OFCOM (a “single penalty”) and specified in the confirmation decision;
(b) if the confirmation decision includes a requirement of the kind
described in section 114(1)(a) in respect of a continuous failure to
comply with a notified requirement, pay a daily rate penalty to
OFCOM if that same failure continues after the compliance date.

(2)

A “daily rate penalty” means a penalty of an amount in sterling determined by
OFCOM and calculated by reference to a daily rate.

(3)

A confirmation decision may impose separate single penalties for failure to
comply with separate notified requirements specified in the decision.

35

40

45

100

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(4)

Where a provisional notice of contravention is given in respect of a period of
continuing failure to comply with a notified requirement, no more than one
single penalty may be imposed by a confirmation decision in respect of the
period of failure specified in the provisional notice of contravention.

(5)

A confirmation decision that imposes a penalty must—
(a) give OFCOM’s reasons for their decision to impose the penalty,
(b) specify each notified requirement to which the penalty relates,
(c) specify the period during which the failure to comply with a notified
requirement has occurred, and whether the failure is continuing,
(d) state the reasons for the amount of the penalty, including any
aggravating or mitigating factors that OFCOM have taken into account,
(e) specify a reasonable period within which the penalty must be paid,
(f) contain details of the rights of appeal under section 140, and
(g) contain information about the consequences of not paying the penalty
(including information about the further kinds of enforcement action
that it would be open to OFCOM to take).

(6)

The period specified under subsection (5)(e) for the payment of a single penalty
must be at least 28 days beginning with the day on which the confirmation
decision is given.

(7)

If a confirmation decision imposes a single penalty and a daily rate penalty, the
information mentioned in subsection (5)(a), (b), (d) and (e) must be given in
respect of each kind of penalty.

(8)

As well as containing the information mentioned in subsection (5), a
confirmation decision that imposes a daily rate penalty in respect of a
continuous failure to comply with a notified requirement must—
(a) state the daily rate of the penalty and how the penalty is calculated;
(b) state that the person will be liable to pay the penalty if that same failure
continues after the compliance date;
(c) state the date from which the penalty begins to be payable, which must
not be earlier than the day after the compliance date;
(d) provide for the penalty to continue to be payable at the daily rate
until—
(i) the date on which the notified requirement is complied with,
(ii) if the penalty is imposed in respect of a failure to comply with
more than one notified requirement, the date on which the last
of those requirements is complied with, or
(iii) an earlier date specified in the confirmation decision.

(9)

In this section—
“compliance date”, in relation to a notified requirement, means—
(a) in a case where the confirmation decision requires steps to be
taken immediately to comply with that requirement (see section
114(5)), the date of the confirmation decision;
(b) in any other case, the last day of the period specified in the
confirmation decision in accordance with section 114(4)(e) for
compliance with that requirement;
“notified requirement” has the meaning given by section 113.

5

10

15

20

25

30

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

101

Penalty notices etc
119
(1)

Penalty for failure to comply with confirmation decision
This section applies if—
(a) OFCOM have given a confirmation decision to a person,
(b) the decision includes requirements of a kind described in section 114(1)
(requirements to take steps),
(c) OFCOM are satisfied that the person has failed to comply with one or
more of those requirements, and
(d) OFCOM have not imposed a daily rate penalty under section 118(1)(b)
in respect of that failure.

5

10

(2)

OFCOM may give the person a penalty notice under this section in respect of
the failure to comply with the confirmation decision, requiring the person to
pay to OFCOM a penalty of a single amount in sterling determined by
OFCOM.

(3)

But OFCOM may give such a notice to the person only after—
(a) notifying the person that they intend to give a penalty notice under this
section, specifying the reasons for doing so and indicating the amount
of the proposed penalty, and
(b) giving the person an opportunity to make representations.

15

(4)

A penalty notice under this section must—
(a) give OFCOM’s reasons for their decision to impose the penalty,
(b) state the amount of the penalty,
(c) state the reasons for the amount of the penalty, including any
aggravating or mitigating factors that OFCOM have taken into account,
(d) specify the period within which the penalty must be paid,
(e) contain details of the rights of appeal under section 140, and
(f) contain information about the consequences of not paying the penalty
(including information about the further kinds of enforcement action
that it would be open to OFCOM to take).

20

The period specified under subsection (4)(d) must be at least 28 days beginning
with the day on which the penalty notice is given.

30

(5)

120
(1)

25

Penalty for failure to comply with notice under section 104(1)
This section applies if—
(a) OFCOM have given a notice under section 104(1) relating to a Part 3
service to the provider of that service (notices to deal with terrorism
content and CSEA content), and
(b) at any time during the period for which the notice has effect, OFCOM
are satisfied that the provider has failed, or is failing, to comply with the
notice.

(2)

OFCOM may give the provider a notice under this subsection stating that they
propose to impose a penalty on the provider in respect of that failure.

(3)

The provider may make representations to OFCOM (with any supporting
evidence) about the matters contained in the notice.

(4)

Subsection (5) applies if—

35

40

102

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(a)
(b)
(5)

(6)

the period allowed for representations has expired, and
OFCOM are still satisfied as to the failure mentioned in subsection (1).

OFCOM may give the provider a penalty notice under this subsection
requiring the provider to pay to OFCOM a penalty of an amount in sterling
determined by OFCOM.
The penalty may consist of any of the following, depending on what was
specified in the notice about the proposed penalty—
(a) a single amount;
(b) an amount calculated by reference to a daily rate;
(c) a combination of a single amount and an amount calculated by
reference to a daily rate.

(7)

See section 122 for information which must be included in notices under this
section.

(8)

Nothing in this section is to be taken to prevent OFCOM from giving the
provider a further notice under section 104(1) (see section 107), as well as
giving a penalty notice under subsection (5).

121
(1)

(2)

(3)

5

10

15

Non-payment of fee
This section applies if—
(a) the provider of a regulated service is liable to pay a fee to OFCOM
under section 71 or Schedule 10 in respect of the current charging year
(within the meaning of Part 6) or a previous charging year, and
(b) in OFCOM’s opinion, the provider has not paid the full amount of the
fee that the provider is liable to pay.
OFCOM may give the provider a notice under this subsection specifying—
(a) the outstanding amount of the fee that OFCOM consider the provider
is due to pay to them under section 71 or Schedule 10, and
(b) the period within which the provider must pay it.
A notice under subsection (2)—
(a) may be given in respect of liabilities that relate to different charging
years;
(b) may also state that OFCOM propose to impose a penalty on the
provider.

20

25

30

(4)

The provider may make representations to OFCOM (with any supporting
evidence) about the matters contained in the notice.

(5)

Subsection (6) applies if—
(a) the notice under subsection (2) stated that OFCOM propose to impose
a penalty,
(b) the period allowed for representations has expired, and
(c) OFCOM are satisfied that an amount of the fee is still due to them.

35

(6)

OFCOM may give the provider a penalty notice under this subsection
requiring the provider to pay to OFCOM a penalty of an amount in sterling
determined by OFCOM.

40

(7)

The penalty may consist of any of the following, depending on what was
specified in the notice about the proposed penalty—

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(a)
(b)
(c)

103

a single amount;
an amount calculated by reference to a daily rate;
a combination of a single amount and an amount calculated by
reference to a daily rate.

(8)

A penalty notice under subsection (6) may require the payment of separate
single amounts in respect of liabilities that relate to different charging years.

(9)

See section 122 for information which must be included in notices under this
section.

(10)

Nothing in this section affects OFCOM’s power to bring proceedings (whether
before or after the imposition of a penalty by a notice under subsection (6)) for
the recovery of the whole or part of an amount due to OFCOM under section
71 or Schedule 10.

(11)

But OFCOM may not bring such proceedings unless a provider has first been
given a notice under subsection (2) specifying the amount due to OFCOM.

122

Information to be included in notices under sections 120 and 121

(1)

Subsection (2) applies in relation to—
(a) a notice under section 120(2), and
(b) a notice under section 121(2) stating that OFCOM propose to impose a
penalty.

(2)

Such a notice must—
(a) state the reasons why OFCOM propose to impose the penalty,
(b) state whether OFCOM propose that the penalty should consist of a
single amount, an amount calculated by reference to a daily rate, or a
combination of the two,
(c) indicate the amount of the proposed penalty, including (in relation to
an amount calculated by reference to a daily rate) the daily rate and
how the penalty would be calculated,
(d) in relation to an amount calculated by reference to a daily rate, specify
or describe the period for which OFCOM propose that the amount
should be payable,
(e) state the reasons for proposing a penalty of that amount, including any
aggravating or mitigating factors that OFCOM propose to take into
account, and
(f) specify the period within which representations in relation to the
proposed penalty may be made.

(3)

A penalty notice under section 120(5) or 121(6) must—
(a) give OFCOM’s reasons for their decision to impose the penalty,
(b) state whether the penalty consists of a single amount, an amount
calculated by reference to a daily rate, or a combination of the two, and
how it is calculated,
(c) in relation to a single amount, state that amount,
(d) in relation to an amount calculated by reference to a daily rate, state the
daily rate,
(e) state the reasons for the amount of the penalty, including any
aggravating or mitigating factors that OFCOM have taken into account,
(f) specify a reasonable period within which the penalty must be paid,

5

10

15

20

25

30

35

40

45

104

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(g)
(h)

contain details of the rights of appeal under section 140, and
contain information about the consequences of not paying the penalty
(including information about the further kinds of enforcement action
that it would be open to OFCOM to take).

(4)

A penalty notice under section 121(6) must also specify the amount of the fee
that is (in OFCOM’s opinion) due to be paid to OFCOM.

(5)

The period specified under subsection (3)(f) for the payment of a single
amount must be at least 28 days beginning with the day on which the penalty
notice is given.

(6)

Subsection (7) applies in relation to a penalty notice under section 120(5) or
121(6) that includes a requirement to pay an amount calculated by reference to
a daily rate.

(7)

Such a notice must—
(a) state the date from which the amount begins to be payable, which must
not be earlier than the day after the day on which the notice is given;
(b) provide for the amount to continue to be payable at the daily rate
until—
(i) (in the case of a notice under section 120(5)) the date on which
OFCOM are satisfied that the provider is complying with the
notice under section 104(1), or (in the case of a notice under
section 121(6)) the date on which the full amount of the fee (as
specified in the penalty notice) has been paid to OFCOM, or
(ii) an earlier date specified in the penalty notice.

5

10

15

20

Amount of penalties etc
123

Amount of penalties etc

25

Schedule 13 contains provision about the amount of penalties that OFCOM
may impose under this Chapter, and makes further provision about such
penalties.
Business disruption measures
124
(1)

Service restriction orders
OFCOM may apply to the court for an order under this section (a “service
restriction order”) in relation to a regulated service where they consider that—
(a) the grounds in subsection (3) apply in relation to the service, or
(b) in the case of a Part 3 service, the grounds in subsection (4) apply in
relation to the service.

(2)

A service restriction order is an order imposing requirements on one or more
persons who provide an ancillary service (whether from within or outside the
United Kingdom) in relation to a regulated service (see subsection (11)).

(3)

The grounds mentioned in subsection (1)(a) are that—
(a) the provider of the regulated service has failed to comply with an
enforceable requirement that applies in relation to the regulated
service,

30

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(b)
(c)

(4)

(5)

(6)

105

the failure is continuing, and
any of the following applies—
(i) the provider has failed to comply with a requirement imposed
by a confirmation decision that is of a kind described in section
114(1) relating to the failure;
(ii) the provider has failed to pay a penalty imposed by a
confirmation decision relating to the failure (and the
confirmation decision did not impose any requirements of a
kind described in section 114(1));
(iii) the provider would be likely to fail to comply with
requirements imposed by a confirmation decision if given;
(iv) the circumstances of the failure or the risks of harm to
individuals in the United Kingdom are such that it is
appropriate to make the application without having given a
provisional notice of contravention, without having given a
confirmation decision, or (having given a confirmation decision
imposing requirements) without waiting to ascertain
compliance with those requirements.

The grounds mentioned in subsection (1)(b) are that—
(a) the provider of the Part 3 service has failed to comply with a notice
under section 104(1) that relates to the service (notices to deal with
terrorism content and CSEA content), and
(b) the failure is continuing.
An application by OFCOM for a service restriction order must—
(a) specify the regulated service in relation to which the application is
made (“the relevant service”),
(b) specify the provider of that service (“the non-compliant provider”),
(c) specify the grounds on which the application is based, and contain
evidence about those grounds,
(d) specify the persons on whom (in OFCOM’s opinion) the requirements
of the order should be imposed,
(e) contain evidence as to why OFCOM consider that the persons
mentioned in paragraph (d) provide an ancillary service in relation to
the relevant service, and specify any such ancillary service provided,
(f) specify the requirements which OFCOM consider that the order should
impose on such persons, and
(g) in the case of an application made without notice having been given to
the non-compliant provider, or to the persons mentioned in paragraph
(d), state why no notice has been given.
The court may make a service restriction order imposing requirements on a
person in relation to the relevant service if the court is satisfied—
(a) as to the grounds in subsection (3) or the grounds in subsection (4) (as
the case may be),
(b) that the person provides an ancillary service in relation to the relevant
service,
(c) that it is appropriate to make the order for the purpose of preventing
harm to individuals in the United Kingdom, and the order is
proportionate to the risk of such harm,
(d) in the case of an application made on the ground in subsection (3)(c)(iii)
or (iv), that it is appropriate to make the order before a provisional

5

10

15

20

25

30

35

40

45

50

106

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(e)

(7)

(8)

(9)

notice of contravention or confirmation decision has been given, or
before compliance with requirements imposed by a confirmation
decision has been ascertained (as the case may be), and
if no notice of the application has been given to the non-compliant
provider, or to the persons on whom requirements are being imposed,
that it is appropriate to make the order without notice.

When considering whether to make a service restriction order in relation to the
relevant service, and when considering what provision it should contain, the
court must take into account (among other things) the rights and obligations of
all relevant parties, including those of—
(a) the non-compliant provider,
(b) the person or persons on whom the court is considering imposing the
requirements, and
(c) United Kingdom users of the relevant service.
A service restriction order made in relation to the relevant service must—
(a) identify the non-compliant provider,
(b) identify the persons on whom the requirements are imposed, and any
ancillary service to which the requirements relate,
(c) require such persons to take the steps specified in the order, or to put in
place arrangements, that have the effect of withdrawing the ancillary
service to the extent that it relates to the relevant service (or part of it),
or preventing the ancillary service from promoting or displaying
content that relates to the relevant service (or part of it) in any way,
(d) specify the date by which the requirements in the order must be
complied with, and
(e) specify the date on which the order expires, or the period for which the
order has effect.
The steps that may be specified or arrangements that may be required to be put
in place—
(a) include steps or arrangements that will or may require the termination
of an agreement (whether or not made before the coming into force of
this section), or the prohibition of the performance of such an
agreement, and
(b) are limited, so far as that is possible, to steps or arrangements relating
to the operation of the relevant service as it affects United Kingdom
users.

(10)

OFCOM must inform the Secretary of State as soon as reasonably practicable
after a service restriction order has been made.

(11)

For the purposes of this section, a service is an “ancillary service” in relation to
a regulated service if the service facilitates the provision of the regulated
service (or part of it), whether directly or indirectly, or displays or promotes
content relating to the regulated service (or to part of it).

(12)

Examples of ancillary services include—
(a) services, provided (directly or indirectly) in the course of a business,
which enable funds to be transferred in relation to a regulated service,
(b) search engines which generate search results displaying or promoting
content relating to a regulated service,
(c) user-to-user services which make content relating to a regulated service
available to users, and

5

10

15

20

25

30

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(d)
(13)

125
(1)

107

services which use technology to facilitate the display of advertising on
a regulated service (for example, an ad server or an ad network).

In this section “the court” means—
(a) in England and Wales, the High Court or the county court,
(b) in Scotland, the Court of Session or a sheriff, and
(c) in Northern Ireland, the High Court or a county court.
Interim service restriction orders
OFCOM may apply to the court for an interim order under this section (an
“interim service restriction order”) in relation to a regulated service where they
consider that—
(a) the grounds in subsection (3) apply in relation to the service, or
(b) in the case of a Part 3 service, the grounds in subsection (4) apply in
relation to the service.

(2)

An interim service restriction order is an interim order imposing requirements
on one or more persons who provide an ancillary service (whether from within
or outside the United Kingdom) in relation to a regulated service (see
subsection (9)).

(3)

The grounds mentioned in subsection (1)(a) are that—
(a) it is likely that the provider of the regulated service is failing to comply
with an enforceable requirement that applies in relation to the
regulated service, and
(b) the level of risk of harm to individuals in the United Kingdom relating
to the likely failure, and the nature and severity of that harm, are such
that it would not be appropriate to wait to establish the failure before
applying for the order.

(4)

(5)

5

The grounds mentioned in subsection (1)(b) are that—
(a) it is likely that the provider of the Part 3 service is failing to comply with
a notice under section 104(1) that relates to the service (notices to deal
with terrorism content and CSEA content), and
(b) the level of risk of harm to individuals in the United Kingdom relating
to the likely failure, and the nature and severity of that harm, are such
that it would not be appropriate to wait to establish the failure before
applying for the order.
An application by OFCOM for an interim service restriction order must—
(a) specify the regulated service in relation to which the application is
made (“the relevant service”),
(b) specify the provider of that service (“the non-compliant provider”),
(c) specify the grounds on which the application is based, and contain
evidence about those grounds,
(d) specify the persons on whom (in OFCOM’s opinion) the requirements
of the order should be imposed,
(e) contain evidence as to why OFCOM consider that the persons
mentioned in paragraph (d) provide an ancillary service in relation to
the relevant service, and specify any such ancillary service provided,
(f) specify the requirements which OFCOM consider that the order should
impose on such persons, and

10

15

20

25

30

35

40

45

108

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(g)

(6)

(7)

(8)

(9)

126
(1)

in the case of an application made without notice having been given to
the non-compliant provider, or to the persons mentioned in paragraph
(d), state why no notice has been given.

The court may make an interim service restriction order imposing
requirements on a person in relation to the relevant service if the court is
satisfied—
(a) as to the ground in subsection (3)(a) or the ground in subsection (4)(a)
(as the case may be),
(b) that the person provides an ancillary service in relation to the relevant
service,
(c) that there are prima facie grounds to suggest that an application for a
service restriction order under section 124 would be successful,
(d) that the level of risk of harm to individuals in the United Kingdom
relating to the likely failure mentioned in subsection (3)(a) or (4)(a)
(whichever applies), and the nature and severity of that harm, are such
that it is not appropriate to wait for the failure to be established before
making the order, and
(e) if no notice of the application has been given to the non-compliant
provider, or to the persons on whom requirements are being imposed,
that it is appropriate to make the order without notice.
An interim service restriction order ceases to have effect on the earlier of—
(a) the date specified in the order, or the date on which the period specified
in the order expires (as the case may be), and
(b) the date on which the court makes a service restriction order under
section 124 in relation to the relevant service that imposes requirements
on the same persons on whom requirements are imposed by the
interim order, or dismisses the application for such an order.
Subsections (7) to (10) of section 124 apply in relation to an interim service
restriction order under this section as they apply in relation to a service
restriction order under that section.

5

10

15

20

25

30

In this section, “ancillary service” and “the court” have the same meaning as in
section 124 (see subsections (11), (12) and (13) of that section).
Access restriction orders
OFCOM may apply to the court for an order under this section (an “access
restriction order”) in relation to a regulated service where they consider that—
(a) the grounds in section 124(3) or (4) apply in relation to the service, and
(b) either—
(i) a service restriction order under section 124 or an interim
service restriction order under section 125 has been made in
relation to the failure, and it was not sufficient to prevent
significant harm arising to individuals in the United Kingdom
as a result of the failure, or
(ii) the likely consequences of the failure are such that if a service
restriction order or an interim service restriction order were to
be made, it would be unlikely to be sufficient to prevent
significant harm arising to individuals in the United Kingdom
as a result of the failure,

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

109

and in this paragraph, “the failure” means the failure mentioned in
section 124(3)(a) or (4)(a) (as the case may be).
(2)

(3)

(4)

(5)

(6)

An access restriction order is an order imposing requirements on one or more
persons who provide an access facility (whether from within or outside the
United Kingdom) in relation to a regulated service (see subsection (10)).
An application by OFCOM for an access restriction order must—
(a) specify the regulated service in relation to which the application is
made (“the relevant service”),
(b) specify the provider of that service (“the non-compliant provider”),
(c) specify the grounds on which the application is based, and contain
evidence about those grounds,
(d) specify the persons on whom (in OFCOM’s opinion) the requirements
of the order should be imposed,
(e) contain evidence as to why OFCOM consider that the persons
mentioned in paragraph (d) provide an access facility in relation to the
relevant service, and specify any such access facility provided,
(f) specify the requirements which OFCOM consider that the order should
impose on such persons, and
(g) in the case of an application made without notice having been given to
the non-compliant provider, or to the persons mentioned in paragraph
(d), state why no notice has been given.
The court may make an access restriction order imposing requirements on a
person in relation to the relevant service if the court is satisfied—
(a) as to the grounds in subsection (1),
(b) that the person provides an access facility in relation to the relevant
service,
(c) that it is appropriate to make the order for the purpose of preventing
significant harm to individuals in the United Kingdom, and the order
is proportionate to the risk of such harm,
(d) in the case of an application made on the ground in subsection (3)(c)(iii)
or (iv) of section 124 (by virtue of subsection (1)(a)), that it is
appropriate to make the order before a provisional notice of
contravention or confirmation decision has been given, or before
compliance with requirements imposed by a confirmation decision has
been ascertained (as the case may be), and
(e) if no notice of the application has been given to the non-compliant
provider, or to the persons on whom requirements are being imposed,
that it is appropriate to make the order without notice.
When considering whether to make an access restriction order in relation to the
relevant service, and when considering what provision it should contain, the
court must take into account (among other things) the rights and obligations of
all relevant parties, including those of—
(a) the non-compliant provider,
(b) the person or persons on whom the court is considering imposing the
requirements, and
(c) United Kingdom users of the relevant service.
An access restriction order made in relation to the relevant service must—
(a) identify the non-compliant provider,

5

10

15

20

25

30

35

40

45

110

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(b)
(c)

(d)
(e)
(7)

identify the persons on whom the requirements are imposed, and any
access facility to which the requirements relate,
require such persons to take the steps specified in the order, or to put in
place arrangements, to withdraw, adapt or manipulate the access
facility in order to impede users’ access (by means of that facility) to the
relevant service (or to part of it),
specify the date by which the requirements in the order must be
complied with, and
specify the date on which the order expires, or the period for which the
order has effect.

The steps that may be specified or arrangements that may be required to be put
in place—
(a) include steps or arrangements that will or may require the termination
of an agreement (whether or not made before the coming into force of
this section), or the prohibition of the performance of such an
agreement,
(b) are limited, so far as that is possible, to steps or arrangements that
impede the access of United Kingdom users, and
(c) are limited, so far as that is possible, to steps or arrangements that do
not affect such users’ ability to access any other internet services.

(8)

OFCOM must inform the Secretary of State as soon as reasonably practicable
after an access restriction order has been made.

(9)

Where a person who provides an access facility takes steps or puts in place
arrangements required by an access restriction order, OFCOM may, by notice,
require that person to (where possible) notify persons in the United Kingdom
who attempt to access the relevant service via that facility of the access
restriction order (and where a confirmation decision has been given to the noncompliant provider, the notification must refer to that decision).

(10)

For the purposes of this section, a facility is an “access facility” in relation to a
regulated service if the person who provides the facility is able to withdraw,
adapt or manipulate it in such a way as to impede access (by means of that
facility) to the regulated service (or to part of it) by United Kingdom users of
that service.

(11)

Examples of access facilities include—
(a) internet access services by means of which a regulated service is made
available, and
(b) application stores through which a mobile application for a regulated
service may be downloaded or otherwise accessed.

(12)

In this section—
“the court” means—
(a) in England and Wales, the High Court or the county court,
(b) in Scotland, the Court of Session or a sheriff, and
(c) in Northern Ireland, the High Court or a county court;
“facility” means any kind of service, infrastructure or apparatus enabling
users of a regulated service to access the regulated service;
“internet access service” means a service that provides access to virtually
all (or just some) of the end points of the internet.

5

10

15

20

25

30

35

40

45

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

127
(1)

111

Interim access restriction orders
OFCOM may apply to the court for an interim order under this section (an
“interim access restriction order”) in relation to a regulated service where they
consider that—
(a) the grounds in section 125(3) or (4) apply in relation to the service, and
(b) either—
(i) a service restriction order under section 124 or an interim
service restriction order under section 125 has been made in
relation to the likely failure, and it was not sufficient to prevent
significant harm arising to individuals in the United Kingdom
as a result of the failure, or
(ii) the likely consequences of such a failure would be such that if a
service restriction order or an interim service restriction order
were to be made, it would be unlikely to be sufficient to prevent
significant harm arising to individuals in the United Kingdom
as a result of the failure,
and in this section, “the likely failure” means the likely failure
mentioned in section 125(3)(a) or (4)(a) (as the case may be).

(2)

An interim access restriction order is an interim order imposing requirements
on one or more persons who provide an access facility (whether from within or
outside the United Kingdom) in relation to a regulated service (see subsection
(8)).

(3)

An application by OFCOM for an interim access restriction order must—
(a) specify the regulated service in relation to which the application is
made (“the relevant service”),
(b) specify the provider of that service (“the non-compliant provider”),
(c) specify the grounds on which the application is based, and contain
evidence about those grounds,
(d) specify the persons on whom (in OFCOM’s opinion) the requirements
of the order should be imposed,
(e) contain evidence as to why OFCOM consider that the persons
mentioned in paragraph (d) provide an access facility in relation to the
relevant service, and specify any such access facility provided,
(f) specify the requirements which OFCOM consider that the order should
impose on such persons, and
(g) in the case of an application made without notice having been given to
the non-compliant provider, or to the persons mentioned in paragraph
(d), state why no notice has been given.

(4)

The court may make an interim access restriction order imposing requirements
on a person in relation to the relevant service if the court is satisfied—
(a) that the ground in section 125(3)(a) or (4)(a) (as the case may be) applies
in relation to the service,
(b) as to the ground in subsection (1)(b)(i) or (ii),
(c) that the person provides an access facility in relation to the relevant
service,
(d) that there are prima facie grounds to suggest that an application for an
access restriction order under section 126 would be successful,
(e) that the level of risk of harm to individuals in the United Kingdom
relating to the likely failure, and the nature and severity of that harm,

5

10

15

20

25

30

35

40

45

112

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

(f)

(5)

(6)

(7)

(8)

128
(1)

(2)

(3)

are such that it is not appropriate to wait for the failure to be established
before making the order, and
if no notice of the application has been given to the non-compliant
provider, or to the persons on whom requirements are being imposed,
that it is appropriate to make the order without notice.

An interim access restriction order ceases to have effect on the earlier of—
(a) the date specified in the order, or the date on which the period specified
in the order expires (as the case may be), and
(b) the date on which the court makes an access restriction order under
section 126 in relation to the relevant service that imposes requirements
on the same persons on whom requirements are imposed by the
interim order, or dismisses an application for such an order.

5

10

Subsections (5) to (8) of section 126 apply in relation to an interim access
restriction order under this section as they apply in relation to an access
restriction order under that section.

15

Where a person who provides an access facility takes steps or puts in place
arrangements required by an interim access restriction order, OFCOM may, by
notice, require that person to (where possible) notify persons in the United
Kingdom who attempt to access the relevant service via that facility of the
interim access restriction order.

20

In this section, “access facility” and “the court” have the same meaning as in
section 126 (see subsections (10), (11) and (12) of that section).
Interaction with other action by OFCOM
Where OFCOM apply for a business disruption order in respect of a failure by
a provider of a regulated service to comply with an enforceable requirement,
nothing in sections 124 to 127 is to be taken to prevent OFCOM also giving the
provider—
(a) a confirmation decision in respect of the failure, or
(b) a penalty notice under section 119 in relation to a confirmation decision
in respect of the failure.
Where OFCOM apply for a business disruption order in respect of a failure by
a provider of a Part 3 service to comply with a notice under section 104(1)
(notices to deal with terrorism content and CSEA content), nothing in sections
124 to 127 is to be taken to prevent OFCOM also giving the provider either or
both of the following—
(a) a further notice under section 104(1) (see section 107);
(b) a penalty notice under section 120(5).
In this section, a “business disruption order” means—
(a) a service restriction order under section 124,
(b) an interim service restriction order under section 125,
(c) an access restriction order under section 126, or
(d) an interim access restriction order under section 127.

25

30

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

113

Publication of enforcement action
129
(1)

(2)

Publication of details of enforcement action
Subsections (2) and (3) apply where OFCOM have given a person any of the
following—
(a) a confirmation decision;
(b) a penalty notice under section 119;
(c) a penalty notice under section 120(5);
(d) a penalty notice under section 121(6).
OFCOM must publish details identifying the person and describing—
(a) the failure (or failures) to which the decision or notice relates, and
(b) OFCOM’s response.

(3)

But OFCOM may not publish anything that, in OFCOM’s opinion—
(a) is confidential in accordance with subsections (4) and (5), or
(b) is otherwise not appropriate for publication.

(4)

A matter is confidential under this subsection if—
(a) it relates specifically to the affairs of a particular body, and
(b) publication of that matter would or might, in OFCOM’s opinion,
seriously and prejudicially affect the interests of that body.

(5)

A matter is confidential under this subsection if—
(a) it relates to the private affairs of an individual, and
(b) publication of that matter would or might, in OFCOM’s opinion,
seriously and prejudicially affect the interests of that individual.

(6)

(7)

Where OFCOM have given a person a provisional notice of contravention but
have not given the person a confirmation decision, OFCOM may publish
details identifying the person and describing the reasons for the provisional
notice.

5

10

15

20

25

OFCOM must notify the person concerned that information has been
published under this section.
Guidance

130

OFCOM’s guidance about enforcement action

(1)

OFCOM must produce guidance for providers of regulated services about how
OFCOM propose to exercise their functions under this Chapter.

(2)

The guidance must, in particular, give information about the factors that
OFCOM would consider it appropriate to take into account when taking, or
considering taking, enforcement action relating to a person’s failure to comply
with different kinds of enforceable requirements.

(3)

In relation to any enforcement action by OFCOM which relates to a failure by
a provider of a regulated service to comply with a relevant duty, the guidance
must include provision explaining how OFCOM will take into account the
impact (or possible impact) of such a failure on children.

30

35

40

114

(4)

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 6 — Enforcement powers

Before producing the guidance (including revised or replacement guidance),
OFCOM must consult—
(a) the Secretary of State,
(b) the Information Commissioner, and
(c) such other persons as OFCOM consider appropriate.

(5)

OFCOM must publish the guidance (and any revised or replacement
guidance).

(6)

Guidelines prepared by OFCOM under section 392 of the Communications Act
(amount of penalties) may, so far as relating to penalties imposed under this
Chapter, be included in the same document as guidance under this section.

(7)

In exercising their functions under this Chapter, or deciding whether to
exercise them, OFCOM must have regard to the guidance for the time being
published under this section.

(8)

In this section, a “relevant duty” means—
(a) a duty set out in section 9 or 24 (illegal content),
(b) a duty set out in section 11 or 26 (children’s online safety), or
(c) a duty set out in section 68(2) (children’s access to provider
pornographic content).

5

10

15

CHAPTER 7
COMMITTEES, RESEARCH AND REPORTS
131
(1)

Advisory committee on disinformation and misinformation
OFCOM must, in accordance with the following provisions of this section,
exercise their powers under paragraph 14 of the Schedule to the Office of
Communications Act 2002 (committees of OFCOM) to establish and maintain
a committee to provide the advice specified in this section.

(2)

The committee is to consist of—
(a) a chairman appointed by OFCOM, and
(b) such number of other members appointed by OFCOM as OFCOM
consider appropriate.

(3)

In appointing persons to be members of the committee, OFCOM must have
regard to the desirability of ensuring that the members of the committee
include—
(a) persons representing the interests of United Kingdom users of
regulated services,
(b) persons representing providers of regulated services, and
(c) persons with expertise in the prevention and handling of
disinformation and misinformation online.

(4)

20

The function of the committee is to provide advice to OFCOM (including other
committees established by OFCOM) about—
(a) how providers of regulated services should deal with disinformation
and misinformation on such services,
(b) OFCOM’s exercise of the power conferred by section 64 to require
information about a matter listed in Part 1 or 2 of Schedule 8, so far as
relating to disinformation and misinformation, and

25

30

35

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 7 — Committees, research and reports

(c)

(5)

132

115

OFCOM’s exercise of their functions under section 11 of the
Communications Act (duty to promote media literacy) in relation to
countering disinformation and misinformation on regulated services.

The committee must publish a report within the period of 18 months after
being established, and after that must publish periodic reports.
Functions of the Content Board

(1)

Section 13 of the Communications Act (functions of the Content Board) is
amended as follows.

(2)

At the beginning of subsection (2), insert “Subject to subsection (3A),”.

(3)

After subsection (3) insert—
“(3A)

(4)

15

In this section references to “matters mentioned in subsection (2)” do
not include references to the matters mentioned in subsection (3A).”

Research about users’ experiences of regulated services

(1)

Section 14 of the Communications Act (consumer research) is amended as
follows.

(2)

After subsection (6A) insert—
“(6B)

(6C)

(3)

10

OFCOM may, but need not, confer on the Content Board functions in
relation to matters that concern the nature or kind of online content in
relation to which OFCOM have functions under the Online Safety Act
2022 (see Parts 3 and 5 of that Act).”

After subsection (7) insert—
“(8)

133

5

OFCOM must make arrangements for ascertaining—
(a) the state of public opinion from time to time concerning
providers of regulated services and their manner of operating
their services;
(b) the experiences of United Kingdom users of regulated services
in relation to their use of such services;
(c) the experiences of United Kingdom users of regulated user-touser services and regulated search services in relation to the
handling of complaints made by them to providers of such
services; and
(d) the interests and experiences of United Kingdom users of
regulated services in relation to matters that are incidental to or
otherwise connected with their experiences of using such
services.

25

30

35

OFCOM’s report under paragraph 12 of the Schedule to the Office of
Communications Act 2002 for each financial year must contain a
statement by OFCOM about the research that has been carried out in
that year under subsection (6B).”

After subsection (8) insert—
“(8A)

20

In subsection (6B) the following terms have the same meaning as in the
Online Safety Act 2022—
“provider” (see section 183 of that Act);

40

116

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 7 — Committees, research and reports

“regulated service”, “regulated user-to-user service”
“regulated search service” (see section 3 of that Act);
“United Kingdom user” (see section 184 of that Act).”
134

and

Consumer consultation

(1)

Section 16 of the Communications Act (consumer consultation) is amended as
follows.

(2)

In subsection (4), after paragraph (d) insert—
“(da) regulated services;”.

(3)

After subsection (5) insert—
“(5A)

(4)

(6)

OFCOM’s report under paragraph 12 of the Schedule to the Office of
Communications Act 2002 for each financial year must contain a
statement by OFCOM about the arrangements for consultation that
have been made in that year under this section, so far as the
arrangements relate to regulated services.”

In subsection (13), in the definition of “domestic and small business consumer”,
in paragraph (b)(i), after “available” insert “or a provider of a regulated
service”.

15

20

25

30

After subsection (13) insert—
“(14)

135

10

After subsection (12) insert—
“(12A)

(5)

As regards OFCOM’s functions under the Online Safety Act 2022 in
relation to regulated services—
(a) the reference in subsection (5) to “the contents” of a thing
includes a reference to specific pieces of online content, but
(b) subsection (5) is not to be read as preventing the Consumer
Panel from being able to give advice about any matter that more
generally concerns—
(i) different kinds of online content in relation to which
OFCOM have functions under that Act (see Parts 3 and
5 of that Act), and
(ii) the impact that different kinds of such content may have
on United Kingdom users of regulated services.”

5

In this section the following terms have the same meaning as in the
Online Safety Act 2022—
“provider”, in relation to a regulated service (see section 183 of
that Act);
“regulated service” (see section 3 of that Act);
“United Kingdom user” (see section 184 of that Act).”

35

OFCOM’s statement about freedom of expression and privacy
OFCOM’s report under paragraph 12 of the Schedule to the Office of
Communications Act 2002 for each financial year must contain a statement by
OFCOM about the steps they have taken, and the processes they operate, to
ensure that their online safety functions have been exercised in that year
compatibly with Articles 8 and 10 of the Convention (so far as relevant).

40

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 7 — Committees, research and reports

136

117

OFCOM’s transparency reports

(1)

OFCOM must produce transparency reports based on information contained
in the transparency reports produced by providers of Part 3 services under
section 64.

(2)

OFCOM’s transparency reports must contain—
(a) a summary of conclusions drawn from the transparency reports
produced under section 64 regarding patterns or trends which OFCOM
have identified in such reports,
(b) a summary of measures mentioned in such transparency reports which
OFCOM consider to be good industry practice, and
(c) any other information from such transparency reports which OFCOM
consider it appropriate to include.

(3)

OFCOM’s first transparency report must be published by the end of the period
of one year beginning with—
(a) the day on which the first report under section 64 is published by a
provider of a Part 3 service (see subsection (3)(d) of that section), or
(b) if later, the earliest date specified by OFCOM for submission of a report
under section 64 in a notice given to a provider (see subsection (3)(c) of
that section).

(4)

OFCOM must publish a transparency report at least once a year after the
publication of their first transparency report.

(5)

For further provision about reports under this section, see section 138.

137
(1)

(2)

(3)

(4)

5

10

15

20

OFCOM’s report about researchers’ access to information
OFCOM must produce a report—
(a) describing how, and to what extent, persons carrying out independent
research into online safety matters are currently able to obtain
information from providers of regulated services to inform their
research,
(b) exploring the legal and other issues which currently constrain the
sharing of information for such purposes, and
(c) assessing the extent to which greater access to information for such
purposes might be achieved.
For the purposes of this section a person carries out “independent research” if
the person carries out research on behalf of a person other than a provider of a
regulated service.
In preparing the report, OFCOM must consult—
(a) the Information Commissioner,
(b) the Centre for Data Ethics and Innovation,
(c) United Kingdom Research and Innovation,
(d) persons who appear to OFCOM to represent providers of regulated
services, and
(e) such other persons as OFCOM consider appropriate.
OFCOM must publish the report within the period of two years beginning with
the day on which this section comes into force.

25

30

35

40

118

Part 7 — OFCOM’s powers and duties in relation to regulated services
Chapter 7 — Committees, research and reports

(5)

OFCOM must send a copy of the report to the Secretary of State, and the
Secretary of State must lay it before Parliament.

(6)

For further provision about the report under this section, see section 138.

(7)

Following the publication of the report, OFCOM may produce guidance about
the matters dealt with by the report for providers of regulated services and
persons carrying out independent research into online safety matters.

(8)

If OFCOM decide to produce such guidance, they must—
(a) consult persons as mentioned in subsection (3),
(b) publish the guidance (and any revised guidance), and
(c) include in each transparency report under section 136 an assessment of
the effectiveness of the guidance.

(9)
138

OFCOM’s reports
OFCOM may from time to time produce and publish reports about online
safety matters.

(2)

In publishing a report mentioned in subsection (5), OFCOM must have regard
to the need to exclude from publication, so far as that is practicable, the matters
which are confidential in accordance with subsections (3) and (4).

(3)

A matter is confidential under this subsection if—
(a) it relates specifically to the affairs of a particular body, and
(b) publication of that matter would or might, in OFCOM’s opinion,
seriously and prejudicially affect the interests of that body.

(5)

(6)

10

Subsection (8)(a) also applies if OFCOM decide to revise the guidance.

(1)

(4)

5

A matter is confidential under this subsection if—
(a) it relates to the private affairs of an individual, and
(b) publication of that matter would or might, in OFCOM’s opinion,
seriously and prejudicially affect the interests of that individual.
The reports referred to in subsection (2) are—
(a) a report under section 109 (report in connection with notices to deal
with terrorism content and CSEA content),
(b) a report under section 136 (transparency report),
(c) a report under section 137 (report about researchers’ access to
information), and
(d) a report produced under this section.
See also section 100(3) (restriction on publishing intelligence service
information).

15

20

25

30

35

119

Part 8 — Appeals and super-complaints
Chapter 1 — Appeals

PART 8
APPEALS AND SUPER-COMPLAINTS
CHAPTER 1
APPEALS
139
(1)

Appeals against OFCOM decisions relating to the register under section 82
This section applies to the following decisions of OFCOM—
(a) a decision to include a regulated user-to-user service in the part of the
register referred to in section 82(2)(a) (Category 1 services);
(b) a decision not to remove a regulated user-to-user service from that part
of the register;
(c) a decision to include a regulated search service or a combined service
in the part of the register referred to in section 82(2)(b) (Category 2A
services);
(d) a decision not to remove a regulated search service or a combined
service from that part of the register;
(e) a decision to include a regulated user-to-user service in the part of the
register referred to in section 82(2)(c) (Category 2B services);
(f) a decision not to remove a regulated user-to-user service from that part
of the register.

(2)

The provider of the service to which the decision relates may appeal to the
Upper Tribunal against the decision.

(3)

Where an appeal is made under subsection (1)(a), (c) or (e), any special
requirements need not be complied with until the determination or
withdrawal of the appeal.

(4)

“Special requirement” means—
(a) in the case of an appeal against a decision mentioned in subsection
(1)(a)—
(i) any duty or requirement of this Act that applies in relation to
Category 1 services but not in relation to any other regulated
services, or
(ii) any duty or requirement of this Act that applies in relation to
Category 1 services, Category 2A services and Category 2B
services but not in relation to any other regulated services;
(b) in the case of an appeal against a decision mentioned in subsection
(1)(c)—
(i) any duty or requirement of this Act that applies in relation to
Category 2A services but not in relation to any other regulated
services, or
(ii) any duty or requirement of this Act that applies in relation to
Category 1 services, Category 2A services and Category 2B
services but not in relation to any other regulated services;
(c) in the case of an appeal against a decision mentioned in subsection
(1)(e), any duty or requirement of this Act that applies in relation to
Category 1 services, Category 2A services and Category 2B services but
not in relation to any other regulated services.

5

10

15

20

25

30

35

40

45

120

(5)

Part 8 — Appeals and super-complaints
Chapter 1 — Appeals

The Upper Tribunal must decide the appeal by applying the same principles as
would be applied—
(a) by the High Court on an application for judicial review, or
(b) in Scotland, on an application to the supervisory jurisdiction of the
Court of Session.

(6)

On an appeal under this section, the Upper Tribunal may—
(a) dismiss the appeal, or
(b) quash the decision being challenged.

(7)

Where a decision is quashed, the Upper Tribunal must remit the decision to
OFCOM for reconsideration with such directions (if any) as the Tribunal
considers appropriate.

140
(1)

10

Appeals against OFCOM notices
An appeal to the Upper Tribunal against OFCOM’s decision to give to a
person—
(a) a notice under section 104(1) (notices to deal with terrorism content and
CSEA content),
(b) a confirmation decision, or
(c) a penalty notice,
may be brought by any person with a sufficient interest in the decision.

(2)

An appeal under subsection (1) by a person other than the person given the
notice or decision in question may be brought only with the permission (or
leave) of the Upper Tribunal.

(3)

The Upper Tribunal must decide the appeal by applying the same principles as
would be applied—
(a) by the High Court on an application for judicial review, or
(b) in Scotland, on an application to the supervisory jurisdiction of the
Court of Session.

(4)

5

On an appeal under this section, the Upper Tribunal may—
(a) dismiss the appeal, or
(b) quash the decision being challenged.

(5)

Where a decision is quashed, the Upper Tribunal must remit the decision to
OFCOM for reconsideration with such directions (if any) as the Tribunal
considers appropriate.

(6)

In this section “penalty notice” means a penalty notice under section 119, 120(5)
or 121(6).

15

20

25

30

35

CHAPTER 2
SUPER-COMPLAINTS
141
(1)

Power to make super-complaints
An eligible entity may make a complaint to OFCOM that any feature of one or
more regulated services, or any conduct of one or more providers of such
services, or any combination of such features and such conduct is, appears to
be, or presents a material risk of—

40

Part 8 — Appeals and super-complaints
Chapter 2 — Super-complaints

(a)
(b)
(c)

121

causing significant harm to users of the services or members of the
public, or a particular group of such users or members of the public;
significantly adversely affecting the right to freedom of expression
within the law of users of the services or members of the public, or of a
particular group of such users or members of the public; or
otherwise having a significant adverse impact on users of the services
or members of the public, or on a particular group of such users or
members of the public.

(2)

But a complaint under subsection (1) that relates to a single regulated service
or that relates to a single provider of one or more regulated services is only
admissible if OFCOM consider that—
(a) the complaint is of particular importance, or
(b) the complaint relates to the impacts on a particularly large number of
users of the service or members of the public.

(3)

An entity is an “eligible entity” if the entity meets criteria specified in
regulations made by the Secretary of State.

(4)

Regulations under subsection (3) must specify as one of the criteria that the
entity must be a body representing the interests of users of regulated services,
or members of the public, or a particular group of such users or members of the
public.

(5)

Before making regulations under subsection (3), the Secretary of State must
consult—
(a) OFCOM, and
(b) such other persons as the Secretary of State considers appropriate.

(6)

In this section—
“conduct” includes acts and omissions;
“users” means United Kingdom users (see section 184), except in
subsection (1)(a) where “users” means individuals in the United
Kingdom who are users of a service.

142

Procedure for super-complaints

(1)

The Secretary of State must make regulations containing provision about
procedural matters relating to complaints under section 141.

(2)

Such regulations may, in particular, include provision about the following
matters—
(a) notification to OFCOM of an intention to make a complaint under
section 141;
(b) the form and manner of such a complaint, including requirements for
supporting evidence in relation to—
(i) matters mentioned in subsections (1) and (2) of section 141, and
(ii) criteria specified in regulations under subsection (3) of that
section;
(c) steps that OFCOM must take in relation to such a complaint, including
requirements for publication of responses;
(d) time limits for taking steps in relation to such a complaint (or provision
about how such time limits are to be determined) including time limits
in relation to the determination of—

5

10

15

20

25

30

35

40

45

122

Part 8 — Appeals and super-complaints
Chapter 2 — Super-complaints

(i)
(ii)
(iii)
(3)

143
(1)

(2)

whether a complaint is a complaint that is within section 141(1),
where applicable, whether a complaint is admissible under
section 141(2), and
whether an entity is an eligible entity (see section 141(3)).

Before making regulations under subsection (1), the Secretary of State must
consult—
(a) OFCOM, and
(b) such other persons as the Secretary of State considers appropriate.

5

OFCOM’s guidance about super-complaints
OFCOM must produce guidance about complaints under section 141, which
must include guidance about—
(a) the criteria specified in regulations under section 141(3),
(b) procedural matters relating to such complaints, and
(c) any other aspect of such complaints that OFCOM consider it
appropriate to include.

10

15

OFCOM must publish the guidance (and any revised or replacement
guidance).
PART 9
SECRETARY OF STATE’S FUNCTIONS IN RELATION TO REGULATED SERVICES
Strategic priorities

144

20

Statement of strategic priorities

(1)

The Secretary of State may designate a statement for the purposes of this
section if the requirements set out in section 145 (consultation and
parliamentary procedure) are satisfied.

(2)

The statement is a statement prepared by the Secretary of State that sets out
strategic priorities of Her Majesty’s Government in the United Kingdom
relating to online safety matters.

(3)

The statement may, among other things, set out particular outcomes identified
with a view to achieving the strategic priorities.

(4)

This section does not restrict the Secretary of State’s powers under any other
provision of this Act or any other enactment.

(5)

A statement designated under subsection (1) must be published in such
manner as the Secretary of State considers appropriate.

(6)

A statement designated under subsection (1) may be amended (including by
replacing the whole or a part of the statement with new material) by a
subsequent statement designated under that subsection, and this section and
sections 79 and 145 apply in relation to any such subsequent statement as they
apply in relation to the original statement.

(7)

Except as provided by subsection (8), no amendment may be made under
subsection (6) within the period of five years beginning with the day on which
a statement was most recently designated under subsection (1).

25

30

35

40

Part 9 — Secretary of State’s functions in relation to regulated services

(8)

145

123

An earlier amendment may be made under subsection (6) if—
(a) since that day—
(i) a Parliamentary general election has taken place, or
(ii) there has been a significant change in the policy of Her
Majesty’s government affecting online safety matters, or
(b) the Secretary of State considers that the statement, or any part of it,
conflicts with any of OFCOM’s general duties (within the meaning of
section 3 of the Communications Act).

5

Consultation and parliamentary procedure

(1)

This section sets out the requirements that must be satisfied in relation to a
statement before the Secretary of State may designate it under section 144.

(2)

The Secretary of State must consult—
(a) OFCOM, and
(b) such other persons as the Secretary of State considers appropriate,
on a draft of the statement.

(3)

The Secretary of State must allow OFCOM a period of at least 40 days to
respond to any consultation under subsection (2)(a).

(4)

After that period has ended the Secretary of State—
(a) must make any changes to the draft that appear to the Secretary of State
to be necessary in view of responses to the consultation, and
(b) must then lay the draft before Parliament.

(5)

The Secretary of State must then wait until the end of the 40-day period and
may not designate the statement if, within that period, either House of
Parliament resolves not to approve it.

(6)

“The 40-day period” is the period of 40 days beginning with the day on which
the draft is laid before Parliament (or, if it is not laid before each House on the
same day, the later of the days on which it is laid).

(7)

When calculating the 40-day period, any period during which Parliament is
dissolved or prorogued or during which both Houses are adjourned for more
than 4 days is to be ignored.

10

15

20

25

30

Directions to OFCOM
146
(1)

Directions about advisory committees
The Secretary of State may give OFCOM a direction requiring OFCOM to
establish a committee to provide them with advice about online safety matters
of a kind specified in the direction.

(2)

The Secretary of State must consult OFCOM before giving or varying such a
direction.

(3)

A committee required to be established by a direction is to consist of the
following members, unless the direction specifies otherwise—
(a) a chairman appointed by OFCOM, and
(b) such number of other members appointed by OFCOM as OFCOM
consider appropriate.

35

40

124

Part 9 — Secretary of State’s functions in relation to regulated services

(4)

A committee required to be established by a direction must, unless the
direction specifies otherwise, publish a report within the period of 18 months
after being established, and after that must publish periodic reports.

(5)

The Secretary of State may vary or revoke a direction given under this section.

147
(1)

Directions in special circumstances
The Secretary of State may give a direction to OFCOM under subsection (2) or
(3) if the Secretary of State has reasonable grounds for believing that
circumstances exist that present a threat—
(a) to the health or safety of the public, or
(b) to national security.

(2)

A direction under this subsection is a direction requiring OFCOM, in
exercising their media literacy functions, to give priority for a specified period
to specified objectives designed to address the threat presented by the
circumstances mentioned in subsection (1).

(3)

A direction under this subsection is a direction requiring OFCOM to give a
public statement notice to—
(a) a specified provider of a regulated service, or
(b) providers of regulated services generally.

(4)

A “public statement notice” is a notice requiring a provider of a regulated
service to make a publicly available statement, by a date specified in the notice,
about steps the provider is taking in response to the threat presented by the
circumstances mentioned in subsection (1).

(5)

OFCOM may, by a public statement notice or a subsequent notice, require a
provider of a regulated service to provide OFCOM with such information as
they may require for the purpose of responding to that threat.

(6)

If a direction under subsection (2) or (3) is given on the ground mentioned in
subsection (1)(a), the Secretary of State must publish the reasons for giving the
direction.

(7)

The Secretary of State may vary or revoke a direction given under subsection
(2) or (3).

(8)

If the Secretary of State varies or revokes a direction given under subsection (3),
OFCOM may, in consequence, vary or revoke a public statement notice that
they have given by virtue of the direction.

(9)

In subsection (2) “media literacy functions” means OFCOM’s functions under
section 11 of the Communications Act (duty to promote media literacy), so far
as functions under that section relate to regulated services.

(10)

In subsections (2) and (3) “specified” means specified in a direction under this
section.

5

10

15

20

25

30

35

Guidance
148
(1)

Secretary of State’s guidance
The Secretary of State may issue guidance to OFCOM about—
(a) OFCOM’s exercise of their functions under this Act,

40

Part 9 — Secretary of State’s functions in relation to regulated services

(b)

(c)
(2)

125

OFCOM’s exercise of their powers under section 1(3) of the
Communications Act (functions and general powers of OFCOM) to
carry out research in connection with online safety matters or to
arrange for others to carry out research in connection with such
matters, and
OFCOM’s exercise of their functions under section 11 of the
Communications Act (media literacy) in relation to regulated services.

In the rest of this section, “the guidance” means any such guidance as is
mentioned in subsection (1), except that it does not include guidance under
section 74 (guidance to OFCOM about fees).

(3)

The Secretary of State must consult OFCOM before issuing, revising or
replacing the guidance.

(4)

The guidance may not be revised or replaced more frequently than once every
three years unless—
(a) the guidance needs to be corrected because of an amendment, repeal or
modification of any provision of this Act or of section 11 of the
Communications Act, or
(b) the revision or replacement is by agreement between the Secretary of
State and OFCOM.

(5)

The guidance must be issued as one document.

(6)

The Secretary of State must lay the guidance (including revised or replacement
guidance) before Parliament.

(7)

The Secretary of State must publish the guidance (and any revised or
replacement guidance).

(8)

In exercising any functions to which the guidance relates, or deciding whether
to exercise them, OFCOM must have regard to the guidance for the time being
published under this section.

5

10

15

20

25

Annual report
149

Annual report on the Secretary of State’s functions
In section 390 of the Communications Act (annual report on the Secretary of
State’s functions), in subsection (2), after paragraph (e) insert—
“(f) the Online Safety Act 2022.”

30

Review
150

Review

(1)

The Secretary of State must review the operation of—
(a) the regulatory framework provided for in this Act, and
(b) section 11 of the Communications Act, to the extent that that section
relates to regulated services.

(2)

The review—

35

126

Part 9 — Secretary of State’s functions in relation to regulated services

(a)
(b)
(3)

(4)

(5)

must not be carried out before the end of the period of two years
beginning with the day on which the last of the provisions of Part 3
comes into force, but
must be carried out before the end of the period of five years beginning
with that day.

The review must, in particular, consider how effective the regulatory
framework provided for in this Act is at—
(a) securing that regulated services are operated using systems and
processes that, so far as relevant—
(i) minimise the risk of harm to individuals in the United Kingdom
presented by content on regulated services,
(ii) provide higher levels of protection for children than for adults,
(iii) provide transparency and accountability to users in relation to
actions taken to comply with duties set out in Chapter 2, 3, 4 or
5 of Part 3, Chapter 1 of Part 4, or Part 5,
(iv) protect the right of users and (in the case of search services or
combined services) interested persons to freedom of expression
within the law, and
(v) protect users from a breach of any statutory provision or rule of
law concerning privacy that is relevant to the use or operation
of a regulated service (including, but not limited to, any such
provision or rule concerning the processing of personal data);
and
(b) ensuring that regulation of services is proportionate, having regard to
the level of risk of harm presented by regulated services of different
kinds and to the size and capacity of providers.

10

15

20

25

The review must also, in particular, consider—
(a) the effectiveness of—
(i) the information gathering and information sharing powers
available to OFCOM, and
(ii) the enforcement powers available to OFCOM; and
(b) the extent to which OFCOM have had regard to the desirability of
encouraging innovation by providers of regulated services.

30

In carrying out the review, the Secretary of State must consult—
(a) OFCOM, and
(b) such other persons as the Secretary of State considers appropriate.

35

(6)

The Secretary of State must produce and publish a report on the outcome of the
review.

(7)

The report must be laid before Parliament.

(8)

In subsection (3) “content on regulated services” means—
(a) regulated user-generated content present on regulated services,
(b) search content of regulated services,
(c) fraudulent advertisements present on regulated services, and
(d) regulated provider pornographic content published or displayed on
regulated services.

(9)

5

In subsection (8)—

40

45

Part 9 — Secretary of State’s functions in relation to regulated services

127

“fraudulent advertisement” has the meaning given by section 34 or 35
(depending on the kind of service in question);
“regulated user-generated content” has the same meaning as in Part 3 (see
section 49);
“regulated provider pornographic content” and “published or displayed”
have the same meaning as in Part 5 (see section 66);
“search content” has the same meaning as in Part 3 (see section 51).

5

PART 10
COMMUNICATIONS OFFENCES
Harmful, false and threatening communications offences
151
(1)

10

Harmful communications offence
A person commits an offence if—
(a) the person sends a message (see section 154),
(b) at the time of sending the message—
(i) there was a real and substantial risk that it would cause harm to
a likely audience, and
(ii) the person intended to cause harm to a likely audience, and
(c) the person has no reasonable excuse for sending the message.

(2)

For the purposes of this offence an individual is a “likely audience” of a
message if, at the time the message is sent, it is reasonably foreseeable that the
individual—
(a) would encounter the message, or
(b) in the online context, would encounter a subsequent message
forwarding or sharing the content of the message.

(3)

In a case where several or many individuals are a likely audience, it is not
necessary for the purposes of subsection (1)(b)(ii) that the person intended to
cause harm to any one of them in particular (or to all of them).

(4)

“Harm” means psychological harm amounting to at least serious distress.

(5)

In deciding whether a person has a reasonable excuse for sending a message,
one of the factors that the court must consider (if it is relevant in a particular
case) is whether the message is, or is intended to be, a contribution to a matter
of public interest (but that does not determine the point).

(6)

The following cannot commit an offence under this section—
(a) a recognised news publisher as defined by section 50;
(b) the holder of a licence under the Broadcasting Act 1990 or 1996;
(c) the holder of a licence under section 8 of the Wireless Telegraphy Act
2006;
(d) the provider of an on-demand programme service.

(7)

An offence under this section cannot be committed in connection with the
showing of a film made for cinema to members of the public.

(8)

A person who commits an offence under this section is liable—

15

20

25

30

35

40

128

Part 10 — Communications offences

(a)
(b)

152
(1)

(2)

on summary conviction, to imprisonment for a term not exceeding the
maximum summary term for either-way offences or a fine (or both);
on conviction on indictment, to imprisonment for a term not exceeding
two years or a fine (or both).

False communications offence
A person commits an offence if—
(a) the person sends a message (see section 154),
(b) the message conveys information that the person knows to be false,
(c) at the time of sending it, the person intended the message, or the
information in it, to cause non-trivial psychological or physical harm to
a likely audience, and
(d) the person has no reasonable excuse for sending the message.
For the purposes of this offence an individual is a “likely audience” of a
message if, at the time the message is sent, it is reasonably foreseeable that the
individual—
(a) would encounter the message, or
(b) in the online context, would encounter a subsequent message
forwarding or sharing the content of the message.

(3)

In a case where several or many individuals are a likely audience, it is not
necessary for the purposes of subsection (1)(c) that the person intended to
cause harm to any one of them in particular (or to all of them).

(4)

The following cannot commit an offence under this section—
(a) a recognised news publisher as defined by section 50;
(b) the holder of a licence under the Broadcasting Act 1990 or 1996;
(c) the holder of a licence under section 8 of the Wireless Telegraphy Act
2006;
(d) the provider of an on-demand programme service.

(5)

An offence under this section cannot be committed in connection with the
showing of a film made for cinema to members of the public.

(6)

A person who commits an offence under this section is liable on summary
conviction to imprisonment for a term not exceeding the maximum term for
summary offences or a fine (or both).

(7)

In subsection (6) “the maximum term for summary offences” means—
(a) if the offence is committed before the time when section 281(5) of the
Criminal Justice Act 2003 comes into force, 6 months;
(b) if the offence is committed after that time, 51 weeks.

(8)

Proceedings for an offence under this section may be brought within the period
of 6 months beginning with the date on which evidence sufficient in the
opinion of the prosecutor to justify the proceedings comes to the prosecutor’s
knowledge.

(9)

But such proceedings may not be brought by virtue of subsection (8) more than
3 years after the commission of the offence.

(10)

A certificate signed by the prosecutor as to the date on which the evidence in
question came to the prosecutor’s knowledge is conclusive evidence of the date

5

10

15

20

25

30

35

40

Part 10 — Communications offences

129

on which it did so; and a certificate to that effect and purporting to be so signed
is to be treated as being so signed unless the contrary is proved.
153
(1)

(2)

Threatening communications offence
A person commits an offence if—
(a) the person sends a message (see section 154),
(b) the message conveys a threat of death or serious harm, and
(c) at the time of sending it, the person—
(i) intended an individual encountering the message to fear that
the threat would be carried out, or
(ii) was reckless as to whether an individual encountering the
message would fear that the threat would be carried out.
“Serious harm” means—
(a) serious injury amounting to grievous bodily harm within the meaning
of the Offences against the Person Act 1861,
(b) rape,
(c) assault by penetration within the meaning of section 2 of the Sexual
Offences Act 2003, or
(d) serious financial loss.

(3)

In proceedings for an offence under this section relating to a threat of serious
financial loss, it is a defence for the person to show that—
(a) the threat was used to reinforce a reasonable demand, and
(b) the person reasonably believed that the use of the threat was a proper
means of reinforcing the demand.

(4)

If evidence is adduced which is sufficient to raise an issue with respect to the
defence under subsection (3), the court must assume that the defence is
satisfied unless the prosecution proves beyond reasonable doubt that it is not.

(5)

A person who commits an offence under this section is liable—
(a) on summary conviction, to imprisonment for a term not exceeding the
maximum summary term for either-way offences or a fine (or both);
(b) on conviction on indictment, to imprisonment for a term not exceeding
five years or a fine (or both).

154

5

10

15

20

25

30

Interpretation of sections 151 to 153

(1)

This section applies for the purposes of sections 151 to 153, and references in
this section to an offence are to an offence under any of those sections.

(2)

A person “sends a message” if the person—
(a) sends, transmits or publishes a communication (including an oral
communication) by electronic means, or
(b) sends a letter or a thing of any other description,
and references to a message are to be read accordingly.

35

(3)

A person also “sends a message” if the person—
(a) causes a communication (including an oral communication) to be sent,
transmitted or published by electronic means, or
(b) causes a letter or a thing of any other description to be sent.

40

130

Part 10 — Communications offences

(4)

But a provider of an internet service by means of which a communication is
sent, transmitted or published is not to be regarded as a person who sends a
message.

(5)

“Encounter”, in relation to a message, means read, view, hear or otherwise
experience the message.

(6)

It does not matter whether the content of a message is created by the person
who sends it (so for example, in the online context, an offence may be
committed by a person who forwards another person’s direct message or
shares another person’s post).

(7)

In the application of sections 151 to 153 to the sending, transmission or
publication by electronic means of a message consisting of or including a
hyperlink to other content—
(a) references to the message are to be read as including references to
content accessed directly via the hyperlink, and
(b) an individual who is a likely audience in relation to the hyperlink for
the purposes of section 151 or 152 is to be assumed to be a likely
audience in relation to the linked content.

(8)

In the application of sections 151 to 153 to the sending of an item on which data
is stored electronically, references to the message are to be read as including
content accessed by means of the item to which the recipient is specifically
directed by the sender.

(9)

In the online context, the date on which a person commits an offence in relation
to a message is the date on which the message is first sent, transmitted or
published by the person.

(10)

“On-demand programme service” has the same meaning as in the
Communications Act (see section 368A of that Act), and a person is the
“provider” of an on-demand programme service if the person has given
notification of the person’s intention to provide that service in accordance with
section 368BA of that Act.

155

Extra-territorial application and jurisdiction

(1)

Sections 151(1), 152(1) and 153(1) apply to an act done outside the United
Kingdom, but only if the act is done by a United Kingdom person.

(2)

In subsection (1) “United Kingdom person” means—
(a) an individual who is habitually resident in England and Wales, or
(b) a body incorporated or constituted under the law of England and
Wales.

(3)

156
(1)

5

10

15

20

25

30

35

Proceedings for an offence committed under section 151, 152 or 153 outside the
United Kingdom may be taken, and the offence may for incidental purposes be
treated as having been committed, at any place in England and Wales.
Liability of corporate officers
If an offence under section 151, 152 or 153 is committed by a body corporate
and it is proved that the offence—
(a) has been committed with the consent or connivance of an officer of the
body corporate, or

40

Part 10 — Communications offences

131

(b)

is attributable to any neglect on the part of an officer of the body
corporate,
the officer (as well as the body corporate) commits the offence and is liable to
be proceeded against and punished accordingly.
(2)

“Officer”, in relation to a body corporate, means—
(a) a director, manager, associate, secretary or other similar officer, or
(b) a person purporting to act in any such capacity.
In paragraph (a) “director”, in relation to a body corporate whose affairs are
managed by its members, means a member of the body corporate.
Offence of sending etc photograph or film of genitals

157

5

10

Sending etc photograph or film of genitals
In the Sexual Offences Act 2003, after section 66 insert—
“66A Sending etc photograph or film of genitals
(1)

(2)

A person (A) who intentionally sends or gives a photograph or film of
any person’s genitals to another person (B) commits an offence if—
(a) A intends that B will see the genitals and be caused alarm,
distress or humiliation, or
(b) A sends or gives such a photograph or film for the purpose of
obtaining sexual gratification and is reckless as to whether B
will be caused alarm, distress or humiliation.
References to sending or giving such a photograph or film to another
person include, in particular—
(a) sending it to another person by any means, electronically or
otherwise,
(b) showing it to another person, and
(c) placing it for a particular person to find.

(3)

“Photograph” includes the negative as well as the positive version.

(4)

“Film” means a moving image.

(5)

References to a photograph or film also include—
(a) an image, whether made by computer graphics or in any other
way, which appears to be a photograph or film,
(b) a copy of a photograph, film or image within paragraph (a), and
(c) data stored by any means which is capable of conversion into a
photograph, film or image within paragraph (a).

(6)

A person who commits an offence under this section is liable—
(a) on summary conviction, to imprisonment for a term not
exceeding the general limit in a magistrates’ court or a fine (or
both);
(b) on conviction on indictment, to imprisonment for a term not
exceeding two years.

15

20

25

30

35

40

132

Part 10 — Communications offences

Repeals and amendments in connection with offences
158
(1)

(2)
159

Repeals in connection with offences under sections 151, 152 and 153
The following provisions of section 127 of the Communications Act (improper
use of electronic communications network) are repealed so far as they extend
to England and Wales—
(a) subsection (1), and
(b) subsection (2)(a) and (b).

5

The Malicious Communications Act 1988 is repealed.
Consequential amendments

(1)

Part 1 of Schedule 14 contains amendments consequential on sections 151, 152
and 153.

(2)

Part 2 of Schedule 14 contains amendments consequential on section 157.

10

PART 11
SUPPLEMENTARY AND GENERAL
Liability of providers etc
160

Providers that are not legal persons

(1)

In this section a “relevant entity” means an entity that—
(a) is the provider of a regulated service, and
(b) is not a legal person under the law under which it is formed.

(2)

If a penalty notice is given to a relevant entity (in the name of the entity), the
penalty must be paid out of the entity’s funds.

(3)

If a notice is given by OFCOM to a relevant entity (in the name of the entity)
under any provision of this Act, the notice continues to have effect despite a
change in the membership of the entity.

(4)

If a penalty notice is given jointly to two or more officers or members of a
relevant entity, those individuals are jointly and severally liable to pay the
penalty under it.

(5)

In subsection (4) the reference to officers or members of a relevant entity
includes a reference to employees of such an entity or any other individuals
associated with such an entity.

(6)

15

In this section a “penalty notice” means—
(a) a confirmation decision that imposes a penalty (see sections 113(5)(b)
and 118),
(b) a penalty notice under section 119,
(c) a penalty notice under section 120(5), or
(d) a penalty notice under section 121(6).

20

25

30

35

Part 11 — Supplementary and general

161

133

Individuals providing regulated services: liability

(1)

This section applies in relation to two or more individuals who together are the
provider of a regulated service (see section 183(3), (5), (7), (9) and (11)).

(2)

Any duty or requirement imposed on such a provider under any of the
provisions specified in subsection (3), or any liability of such a provider to pay
a fee under section 71 or Schedule 10, is to be taken to be imposed on, or to be
a liability of, all the individuals jointly and severally.

(3)

The provisions are—
(a) Chapter 2 of Part 3 (providers of user-to-user services: duties of care);
(b) Chapter 3 of Part 3 (providers of search services: duties of care);
(c) Chapter 4 of Part 3 (children’s access assessments);
(d) Chapter 5 of Part 3 (duties about fraudulent advertising);
(e) Chapter 1 of Part 4 (user identity verification);
(f) Chapter 2 of Part 4 (reporting CSEA content);
(g) Chapter 3 of Part 4 (transparency reporting);
(h) section 68 (provider pornographic content);
(i) section 70 (duty to notify OFCOM).

(4)

A notice in respect of a matter that may or must be given by OFCOM under any
provision of this Act may be given—
(a) to only one of the individuals,
(b) jointly to two or more of them, or
(c) jointly to all of them,
but a separate notice may not be given to each of the individuals in respect of
the matter.

(5)

If a penalty notice is given jointly to two or more individuals, those individuals
are jointly and severally liable to pay the penalty under it.

(6)

In subsection (5) a “penalty notice” means—
(a) a confirmation decision that imposes a penalty (see sections 113(5)(b)
and 118),
(b) a penalty notice under section 119,
(c) a penalty notice under section 120(5), or
(d) a penalty notice under section 121(6).

162

5

10

15

20

25

30

Liability of parent entities etc
Schedule 15 contains provision about—
(a) the giving of joint provisional notices of contravention to parent entities
etc,
(b) the liability of parent entities for failures by subsidiary entities,
(c) the liability of subsidiary entities for failures by parent entities,
(d) the liability of fellow subsidiary entities for failures by subsidiary
entities, and
(e) the liability of controlling individuals for failures by entities.

35

40

134

Part 11 — Supplementary and general

Offences
163
(1)

Information offences: supplementary
Proceedings against a person for an offence under section 93(1) or paragraph
18(1)(b) of Schedule 12 may be brought only if—
(a) OFCOM have given the person a provisional notice of contravention in
respect of the failure to comply with the requirements of an information
notice or the requirements imposed by a person acting under Schedule
12 (as the case may be),
(b) OFCOM have given the person a confirmation decision in respect of
that failure imposing requirements of a kind described in section 114(1)
and the time allowed for compliance with the decision has expired
without those requirements having been complied with,
(c) OFCOM have not imposed a penalty on the person in respect of that
failure,
(d) a service restriction order under section 124 has not been made in
relation to a regulated service provided by the person in respect of that
failure, and
(e) an access restriction order under section 126 has not been made in
relation to a regulated service provided by the person in respect of that
failure.

(2)

Proceedings for an offence under section 94(2) (failure by named senior
manager to prevent offence under section 93(1)) may be brought only if the
conditions in subsection (1) are met in respect of the offence under section
93(1).

(3)

Where a penalty is imposed on a person in respect of an act or omission
constituting an offence under section 62 or 93 or paragraph 18 of Schedule 12,
no proceedings may be brought against the person for that offence.

(4)

Where a penalty is imposed on an entity in respect of an act or omission
constituting an offence under section 93, no proceedings for an offence under
section 94 may be brought against an individual in respect of a failure to
prevent that offence.

(5)

(6)

164

A penalty may not be imposed on a person in respect of an act or omission
constituting an offence under section 62 or 93 or paragraph 18 of Schedule 12
if—
(a) proceedings for the offence have been brought against the person but
have not been concluded, or
(b) the person has been convicted of the offence.
In this section “penalty” means a penalty imposed by—
(a) a confirmation decision (see sections 113(5)(b) and 118), or
(b) a penalty notice under section 119.

5

10

15

20

25

30

35

40

Defences

(1)

Subsection (2) applies where a person relies on a defence under section 93 or 94.

(2)

If evidence is adduced which is sufficient to raise an issue with respect to the
defence, the court must assume that the defence is satisfied unless the
prosecution proves beyond reasonable doubt that it is not.

45

Part 11 — Supplementary and general

165

135

Liability of corporate officers for offences

(1)

In this section a “relevant entity” means an entity that is—
(a) the provider of a regulated service, and
(b) a legal person under the law under which it is formed.

(2)

If an offence is committed by a relevant entity and it is proved that the
offence—
(a) has been committed with the consent or connivance of an officer of the
entity, or
(b) is attributable to any neglect on the part of an officer of the entity,
the officer (as well as the entity) commits the offence and (subject to section
163(1)) is liable to be proceeded against and punished accordingly.

(3)

(4)

(5)

166

In relation to an entity which is a body corporate, “officer” means—
(a) a director, manager, associate, secretary or other similar officer, or
(b) a person purporting to act in any such capacity.
In paragraph (a) “director”, in relation to a body corporate whose affairs are
managed by its members, means a member of the body corporate.
In relation to a partnership which is not regarded as a body corporate under
the law under which it is formed, “officer” means—
(a) a partner, or
(b) a person purporting to act as a partner.

10

15

20

In this section—
“body corporate” includes an entity incorporated outside the United
Kingdom;
“offence” means an offence under this Act, except under Part 10.
Application of offences to providers that are not legal persons

(1)

In this section a “relevant entity” means an entity that—
(a) is the provider of a regulated service, and
(b) is not a legal person under the law under which it is formed.

(2)

Proceedings for an offence alleged to have been committed by a relevant entity
must be brought against the entity in its own name (and not in that of any of its
officers or members).

(3)

For the purposes of such proceedings—
(a) rules of court relating to the service of documents have effect as if the
entity were a body corporate; and
(b) the following provisions apply as they apply in relation to a body
corporate—
(i) section 33 of the Criminal Justice Act 1925 and Schedule 3 to the
Magistrates’ Courts Act 1980;
(ii) section 18 of the Criminal Justice Act (Northern Ireland) 1945
(c. 15 (N.I.)) and Article 166 of, and Schedule 4 to, the
Magistrates’ Courts (Northern Ireland) Order 1981 (S.I. 1981/
1675 (N.I. 26)).

(4)

5

A fine imposed on a relevant entity on its conviction of an offence must be paid
out of the entity’s funds.

25

30

35

40

136
(5)

(6)

Part 11 — Supplementary and general

If an offence is committed by a relevant entity and it is proved that the
offence—
(a) has been committed with the consent or connivance of an officer of the
entity, or
(b) is attributable to any neglect on the part of an officer of the entity,
the officer (as well as the entity) commits the offence and (subject to section
163(1)) is liable to be proceeded against and punished accordingly.
In relation to a partnership, “officer” means—
(a) a partner, or
(b) a person purporting to act as a partner.

(7)

In relation to a relevant entity other than a partnership, “officer” means—
(a) an officer of the entity or a person concerned in the management or
control of the entity, or
(b) a person purporting to act in such a capacity.

(8)

Subsection (2) is not to be read as prejudicing any liability of an officer under
subsection (5).

(9)

In this section “offence” means an offence under this Act, except under Part 10.

5

10

15

Extra-territorial application
167

Extra-territorial application

(1)

References in this Act to an internet service, a user-to-user service or a search
service include such a service provided from outside the United Kingdom (as
well as such a service provided from within the United Kingdom).

(2)

The power to require the production of documents by an information notice
includes power to require the production of documents held outside the
United Kingdom.

(3)

The power conferred by section 91 includes power to require the attendance for
interview of an individual who is outside the United Kingdom.

(4)

Section 114(7) (requirements enforceable in civil proceedings against a person)
applies whether or not the person is in the United Kingdom.

168

Information offences: extra-territorial application and jurisdiction

(1)

Sections 62, 93 and 96 apply to acts done by a person in the United Kingdom or
elsewhere (information offences).

(2)

Section 94 applies to acts done by an individual in the United Kingdom or
elsewhere (offences by senior managers of providers of regulated services).

(3)

Sections 165(2) and 166(5), so far as relating to an offence under a section
specified in subsection (1) of this section, apply to acts done by an individual
in the United Kingdom or elsewhere (liability of directors etc of providers of
regulated services).

(4)

In the case of an offence under section 62, 93, 94 or 96 which is committed
outside the United Kingdom—

20

25

30

35

40

137

Part 11 — Supplementary and general

(a)
(b)

proceedings for the offence may be taken at any place in the United
Kingdom, and
the offence may for all incidental purposes be treated as having been
committed at any such place.

(5)

In the application of subsection (4) to Scotland, any such proceedings against a
person may be taken—
(a) in any sheriff court district in which the person is apprehended or is in
custody, or
(b) in such sheriff court district as the Lord Advocate may determine.

5

(6)

In this section—
“act” includes a failure to act;
“sheriff court district” is to be construed in accordance with the Criminal
Procedure (Scotland) Act 1995 (see section 307(1) of that Act).

10

Payment of sums into Consolidated Fund
169

Payment of sums into the Consolidated Fund

(1)

Section 400 of the Communications Act (destination of penalties etc) is
amended as follows.

(2)

In subsection (1), after paragraph (i) insert—
“(j) an amount paid to OFCOM in respect of a penalty imposed by
them under Chapter 6 of Part 7 of the Online Safety Act 2022;
(k) an amount paid to OFCOM in respect of an additional fee
charged under Schedule 10 to the Online Safety Act 2022.”

(3)

In subsection (2), after “applies” insert “(except an amount mentioned in
subsection (1)(j) or (k))”.

(4)

After subsection (3) insert—
“(3A)

(5)

15

20

25

Where OFCOM receive an amount mentioned in subsection (1)(j) or (k),
it must be paid into the Consolidated Fund of the United Kingdom.”

In the heading, omit “licence”.
Publication by OFCOM

170

30

Publication by OFCOM
Anything required by this Act to be published by OFCOM must be published
in such manner as OFCOM consider appropriate for bringing it to the attention
of the persons who, in their opinion, are likely to be affected by it.
Service of notices

171

Service of notices

(1)

This section applies in relation to a notice that may or must be given by
OFCOM to a person under any provision of this Act.

(2)

OFCOM may give a notice to a person by—

35

138

Part 11 — Supplementary and general

(a)
(b)
(c)
(d)

delivering it by hand to the person,
leaving it at the person’s proper address,
sending it by post to the person at that address, or
sending it by email to the person’s email address.

(3)

A notice to a body corporate may be given to any officer of that body.

(4)

A notice to a partnership may be given to any partner or to a person who has
the control or management of the partnership business.

(5)

A notice to an entity that is not a legal person under the law under which it is
formed (other than a partnership) may be given to any member of the
governing body of the entity.

(6)

(7)

(8)

(9)

(10)

In the case of a notice given to a person who is a provider of a regulated service,
the person’s proper address for the purposes of paragraphs (b) and (c) of
subsection (2), and section 7 of the Interpretation Act 1978 in its application to
those paragraphs, is any address (within or outside the United Kingdom) at
which OFCOM believe, on reasonable grounds, that the notice will come to the
attention of the person or (where the person is an entity) any director or other
officer of that entity.
In the case of a notice given to a person other than a provider of a regulated
service, a person’s proper address for the purposes of paragraphs (b) and (c) of
subsection (2), and section 7 of the Interpretation Act 1978 in its application to
those paragraphs, is—
(a) in the case of an entity, the address of the entity’s registered or principal
office;
(b) in any other case, the person’s last known address.
In the case of an entity registered or carrying on business outside the United
Kingdom, or with offices outside the United Kingdom, the reference in
subsection (7) to its principal office includes its principal office in the United
Kingdom or, if the entity has no office in the United Kingdom, any place in the
United Kingdom at which OFCOM believe, on reasonable grounds, that the
notice will come to the attention of any director or other officer of that entity.
In the case of a notice given to an individual under section 91 (interviews), the
reference in subsection (7) to the person’s last known address is to the
individual’s home address or, if the individual is currently connected with a
provider of a regulated service, the address of the provider’s registered or
principal office.
For the purposes of subsection (2)(d), a person’s email address is—
(a) any email address published for the time being by that person as an
address for contacting that person, or
(b) if there is no such published address, any email address by means of
which OFCOM believe, on reasonable grounds, that the notice will
come to the attention of that person or (where that person is an entity)
any director or other officer of that entity.

(11)

A notice sent by email is treated as given 48 hours after it was sent, unless the
contrary is proved.

(12)

In this section—
“director” includes any person occupying the position of a director, by
whatever name called;

5

10

15

20

25

30

35

40

45

139

Part 11 — Supplementary and general

“officer”, in relation to an entity, includes a director, a manager, a partner,
an associate, a secretary or, where the affairs of the entity are managed
by its members, a member.
Repeals and amendments
172

Repeal of Part 4B of the Communications Act

(1)

In the Communications Act, omit Part 4B (video-sharing platform services).

(2)

In the Audiovisual Media Services Regulations 2020 (S.I. 2020/1062), omit Part
4 (which inserts Part 4B into the Communications Act).

173

Repeals: Digital Economy Act 2017

(1)

The Digital Economy Act 2017 is amended as follows.

(2)

Omit—
(a) Part 3 (online pornography), and
(b) section 119(10) (power to extend that Part to the Channel Islands or the
Isle of Man).

(3)

Omit section 103 (code of practice for providers of online social media
platforms).

174

Section 2 of the Obscene Publications Act 1959 (prohibition of publication of
obscene matter) is amended in accordance with subsections (2) and (3).

(2)

After subsection (5) insert—
“(5A)

175

A person shall not be convicted of an offence against this section of the
publication of an obscene article if the person proves that—
(a) at the time of the offence charged, the person was a member of
OFCOM, employed or engaged by OFCOM, or assisting
OFCOM in the exercise of any of their online safety functions
(within the meaning of section 191 of the Online Safety Act
2022), and
(b) the person published the article for the purposes of OFCOM’s
exercise of any of those functions.”

In subsection (7)—
(a) the words after “In this section” become paragraph (a), and
(b) at the end of that paragraph, insert “;
(b) “OFCOM” means the Office of Communications.”

15

20

25

30

Offences regarding indecent photographs of children: OFCOM defence
England and Wales

(1)

10

Offence under the Obscene Publications Act 1959: OFCOM defence

(1)

(3)

5

Section 1B of the Protection of Children Act 1978 (defence to offence relating to
indecent photographs of children) is amended in accordance with subsections
(2) and (3).

35

140
(2)

(3)

Part 11 — Supplementary and general

In subsection (1)—
(a) for “he”, in each place, substitute “the defendant”;
(b) for “him”, in each place, substitute “the defendant”;
(c) omit “or” at the end of paragraph (b);
(d) at the end of paragraph (c) insert “, or
(d) the defendant—
(i) was at the time of the offence charged a member
of OFCOM, employed or engaged by OFCOM,
or assisting OFCOM in the exercise of any of
their online safety functions (within the meaning
of section 191 of the Online Safety Act 2022), and
(ii) made the photograph or pseudo-photograph for
the purposes of OFCOM’s exercise of any of
those functions.”
After subsection (2) insert—
“(3)

5

10

15

In this section “OFCOM” means the Office of Communications.”

Scotland
(4)

Section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs
of children) is amended in accordance with subsections (5) and (6).

(5)

After subsection (4) insert—
“(4A)

(6)

Where a person is charged with an offence under subsection (1)(a) of
making an indecent photograph or pseudo-photograph of a child, it
shall be a defence for the person to prove that—
(a) at the time of the offence charged, the person was a member of
OFCOM, employed or engaged by OFCOM, or assisting
OFCOM in the exercise of any of their online safety functions
(within the meaning of section 191 of the Online Safety Act
2022), and
(b) the person made the photograph or pseudo-photograph for the
purposes of OFCOM’s exercise of any of those functions.”

20

25

30

In subsection (8), after paragraph (d) insert—
“(e) “OFCOM” means the Office of Communications.”
Northern Ireland

(7)

Article 3A of the Protection of Children (Northern Ireland) Order 1978 (S.I.
1978/1047 (N.I. 17)) (defence to offence relating to indecent photographs of
children) is amended in accordance with subsections (8) and (9).

(8)

In paragraph (1)—
(a) for “he”, in each place, substitute “the defendant”;
(b) for “him”, in each place, substitute “the defendant”;
(c) omit “or” at the end of sub-paragraph (b);
(d) at the end of sub-paragraph (c) insert “, or
(d) the defendant—
(i) was at the time of the offence charged a member
of OFCOM, employed or engaged by OFCOM,
or assisting OFCOM in the exercise of any of

35

40

45

141

Part 11 — Supplementary and general

(ii)

(9)

their online safety functions (within the meaning
of section 191 of the Online Safety Act 2022), and
made the photograph or pseudo-photograph for
the purposes of OFCOM’s exercise of any of
those functions.”

5

After paragraph (2) insert—
“(3)

In this Article “OFCOM” means the Office of Communications.”
Powers to amend Act

176

Powers to amend section 36

(1)

The Secretary of State may by regulations amend section 36 (fraud etc
offences).
But the power to add an offence to that section is limited by subsections (2) and
(3).

(2)

An offence may be added to section 36 only if the Secretary of State considers
it appropriate to do so because of—
(a) the prevalence on Category 1 services of content (other than regulated
user-generated content) consisting of paid-for advertisements that
amount to that offence, or the prevalence in or via search results of
Category 2A services of paid-for advertisements that amount to that
offence,
(b) the risk of harm to individuals in the United Kingdom presented by
such advertisements, and
(c) the severity of that harm.

(3)

(4)

177
(1)

An offence may not be added to section 36 if—
(a) the offence concerns—
(i) the infringement of intellectual property rights,
(ii) the safety or quality of goods (as opposed to what kind of goods
they are), or
(iii) the performance of a service by a person not qualified to
perform it; or
(b) it is an offence under the Consumer Protection from Unfair Trading
Regulations 2008 (S.I. 2008/1277).
In this section—
(a) “regulated user-generated content” has the same meaning as in Part 3
(see section 49);
(b) the words “in or via search results” are to be construed in accordance
with section 35;
(c) references to advertisements that amount to an offence are to be
construed in accordance with section 52 (see subsections (3) and (9) of
that section).
Powers to amend or repeal provisions relating to exempt content or services
The Secretary of State may by regulations—
(a) amend section 49(5), or

10

15

20

25

30

35

40

142

Part 11 — Supplementary and general

(b)

repeal section 49(2)(d) and (5), and make a consequential amendment
of sections 2(6), 4(2)(a) and 49(2)(f),
if the Secretary of State considers that it is appropriate to do so because of the
risk of harm to individuals in the United Kingdom presented by one-to-one
live aural communications.
(2)

(3)

The Secretary of State may by regulations—
(a) amend section 49(6) or (7), or
(b) repeal section 49(2)(e), (6) and (7), and make a consequential
amendment of sections 2(6), 4(2)(a) and 49(2)(f),
if the Secretary of State considers that it is appropriate to do so because of the
risk of harm to individuals in the United Kingdom presented by comments and
reviews on provider content.
The Secretary of State may by regulations amend Part 1 of Schedule 1 to
provide for a further description of user-to-user service or search service to be
exempt, if the Secretary of State considers that the risk of harm to individuals
in the United Kingdom presented by a service of that description is low.

(4)

Regulations under subsection (3) may amend sections 2, 4 and 49 and Schedule
2 in connection with the amendment of Part 1 of Schedule 1.

(5)

The Secretary of State may by regulations amend Schedule 9 to provide for a
further description of internet service to be included, if the Secretary of State
considers that the risk of harm to children in the United Kingdom presented by
regulated provider pornographic content published or displayed on a service
of that description is low.

(6)

If the condition in subsection (7) is met, the Secretary of State may by
regulations amend or repeal any of the following—
(a) paragraph 3 of Schedule 1 (services offering only one-to-one live aural
communications);
(b) paragraph 4 of that Schedule (limited functionality services);
(c) any provision of that Schedule added in exercise of the power
conferred by subsection (3).

5

10

15

20

25

30

(7)

The condition is that the Secretary of State considers that it is appropriate to
amend or repeal the provision in question (as the case may be) because of the
risk of harm to individuals in the United Kingdom presented by a service of the
description in question.

(8)

Regulations under subsection (6) may amend or repeal a provision of Schedule
2 in connection with the amendment or repeal of a provision of Part 1 of
Schedule 1.

(9)

Regulations under subsection (6)(c) may amend or repeal a provision of
sections 2, 4 and 49 in connection with the amendment or repeal of a provision
of Part 1 of Schedule 1.

40

The Secretary of State may by regulations amend or repeal any provision of
Schedule 9 added in exercise of the power conferred by subsection (5), if the
Secretary of State considers that it is appropriate to do so because of the risk of
harm to children in the United Kingdom presented by regulated provider
pornographic content published or displayed on a service of that description.

45

(10)

(11)

In this section, “regulated provider pornographic content” and “published or
displayed” have the same meaning as in Part 5 (see section 66).

35

Part 11 — Supplementary and general

178

143

Powers to amend Part 2 of Schedule 1
England

(1)

(2)

The Secretary of State may by regulations amend the part of the list in Part 2 of
Schedule 1 which relates to England—
(a) if there has been an amendment or repeal of legislation, or of a
provision of legislation, by reference to which a description of
education or childcare is framed;
(b) to add a further description of education or childcare, if the Secretary of
State considers that it is appropriate to do so because of the application
of enactments other than this Act, or guidance or requirements
(however referred to) produced under enactments other than this Act,
to persons providing education or childcare of that description;
(c) to omit a description of education or childcare, if the Secretary of State
considers that it is appropriate to do so because of the risk of harm to
individuals in England presented by services provided by persons
providing education or childcare of that description which are
provided for the purposes of such education or childcare (other than a
service described in paragraph 7 of Schedule 1).
In subsection (1)(b), “enactment” includes an enactment contained in
subordinate legislation (within the meaning of the Interpretation Act 1978).

5

10

15

20

Scotland
(3)

(4)

The Scottish Ministers may by regulations amend the part of the list in Part 2
of Schedule 1 which relates to Scotland—
(a) if there has been an amendment or repeal of legislation, or of a
provision of legislation, by reference to which a description of
education or childcare is framed;
(b) to add a further description of education or childcare, if the Scottish
Ministers consider that it is appropriate to do so because of the
application of enactments other than this Act, or guidance or
requirements (however referred to) produced under enactments other
than this Act, to persons providing education or childcare of that
description;
(c) to omit a description of education or childcare, if the Scottish Ministers
consider that it is appropriate to do so because of the risk of harm to
individuals in Scotland presented by services provided by persons
providing education or childcare of that description which are
provided for the purposes of such education or childcare (other than a
service described in paragraph 7 of Schedule 1).
In subsection (3)(b), “enactment” includes an enactment contained in, or in an
instrument made under, an Act of the Scottish Parliament.

25

30

35

40

Wales
(5)

The Welsh Ministers may by regulations made by statutory instrument amend
the part of the list in Part 2 of Schedule 1 which relates to Wales—
(a) if there has been an amendment or repeal of legislation, or of a
provision of legislation, by reference to which a description of
education or childcare is framed;
(b) to add a further description of education or childcare, if the Welsh
Ministers consider that it is appropriate to do so because of the

45

144

Part 11 — Supplementary and general

(c)

(6)

application of enactments other than this Act, or guidance or
requirements (however referred to) produced under enactments other
than this Act, to persons providing education or childcare of that
description;
to omit a description of education or childcare, if the Welsh Ministers
consider that it is appropriate to do so because of the risk of harm to
individuals in Wales presented by services provided by persons
providing education or childcare of that description which are
provided for the purposes of such education or childcare (other than a
service described in paragraph 7 of Schedule 1).

5

10

In subsection (5)(b), “enactment” includes an enactment contained in, or in an
instrument made under, a Measure or Act of Senedd Cymru.
Northern Ireland

(7)

(8)

(9)

The relevant Department may by regulations amend the part of the list in Part
2 of Schedule 1 which relates to Northern Ireland—
(a) if there has been an amendment or repeal of legislation, or of a
provision of legislation, by reference to which a description of
education or childcare is framed;
(b) to add a further description of education or childcare, if the relevant
Department considers that it is appropriate to do so because of the
application of enactments other than this Act, or guidance or
requirements (however referred to) produced under enactments other
than this Act, to persons providing education or childcare of that
description;
(c) to omit a description of education or childcare, if the relevant
Department considers that it is appropriate to do so because of the risk
of harm to individuals in Northern Ireland presented by services
provided by persons providing education or childcare of that
description which are provided for the purposes of such education or
childcare (other than a service described in paragraph 7 of Schedule 1).
In subsection (7), “the relevant Department” means—
(a) where the amendment relates to childcare, primary education or
secondary education, the Department of Education in Northern
Ireland;
(b) where the amendment relates to further education or higher education,
the Department for the Economy in Northern Ireland with the
concurrence of the Department of Agriculture, Environment and Rural
Affairs in Northern Ireland, or the Department of Agriculture,
Environment and Rural Affairs in Northern Ireland with the
concurrence of the Department for the Economy in Northern Ireland;
(c) where the amendment relates to education in agriculture and related
subjects, the Department of Agriculture, Environment and Rural
Affairs in Northern Ireland.
In subsection (7)(b), “enactment” includes an enactment contained in, or in an
instrument made under, Northern Ireland legislation.
Interpretation

(10)

In this section, the following terms have the same meaning as in Schedule 1—
“childcare”;
“education”;

15

20

25

30

35

40

45

Part 11 — Supplementary and general

145

“education in agriculture and related subjects”;
“further education”;
“higher education”;
“primary education”;
“secondary education”.
179

5

Powers to amend Schedules 5, 6 and 7

(1)

The Secretary of State may by regulations amend—
(a) Schedule 5 (terrorism offences);
(b) Part 1 of Schedule 6 (child sexual exploitation and abuse offences).

(2)

The Scottish Ministers may by regulations amend Part 2 of Schedule 6.

(3)

The Secretary of State may by regulations amend Schedule 7 (priority
offences).
But the power to add an offence to that Schedule is limited by subsections (4)
and (5).

(4)

An offence may be added to Schedule 7 only if the Secretary of State considers
it appropriate to do so because of—
(a) the prevalence on regulated user-to-user services of regulated usergenerated content that amounts to that offence, or the prevalence on
regulated search services and combined services of search content that
amounts to that offence,
(b) the risk of harm to individuals in the United Kingdom presented by
regulated user-generated content or search content that amounts to that
offence, and
(c) the severity of that harm.

15

An offence may not be added to Schedule 7 if—
(a) the offence concerns—
(i) the infringement of intellectual property rights,
(ii) the safety or quality of goods (as opposed to what kind of goods
they are), or
(iii) the performance of a service by a person not qualified to
perform it; or
(b) it is an offence under the Consumer Protection from Unfair Trading
Regulations 2008 (S.I. 2008/1277).

25

(5)

(6)

The Secretary of State must consult the Scottish Ministers before making
regulations under subsection (3) which—
(a) add an offence that extends only to Scotland, or
(b) amend or remove an entry specifying an offence that extends only to
Scotland.

(7)

The Secretary of State must consult the Department of Justice in Northern
Ireland before making regulations under subsection (3) which—
(a) add an offence that extends only to Northern Ireland, or
(b) amend or remove an entry specifying an offence that extends only to
Northern Ireland.

(8)

In this section—

10

20

30

35

40

146

Part 11 — Supplementary and general

(a)
(b)
(c)

“regulated user-generated content” has the same meaning as in Part 3
(see section 49);
“search content” has the same meaning as in Part 3 (see section 51);
references to content that amounts to an offence are to be construed in
accordance with section 52 (see subsections (3) and (9) of that section).

5

Regulations
180

Power to make consequential provision

(1)

The Secretary of State may by regulations make provision that is consequential
on this Act or regulations under this Act.

(2)

The regulations may—
(a) amend or repeal provision made by the Communications Act;
(b) amend or revoke provision made under that Act.

(3)

The regulations may make transitional, transitory or saving provision.

181
(1)

10

Regulations: general
Regulations under this Act may make different provision for different
purposes and may, in particular—
(a) make different provision with regard to—
(i) user-to-user services,
(ii) search services, and
(iii) internet services, other than regulated user-to-user services or
regulated search services, that are within section 67(2);
(b) make different provision with regard to user-to-user services of
different kinds;
(c) make different provision with regard to search services of different
kinds;
(d) make different provision with regard to different kinds of services
mentioned in paragraph (a)(iii);
(e) make different provision with regard to different kinds of internet
services within section 67(2).

15

(2)

A power to make regulations under this Act includes power to make
supplementary, incidental, transitional, transitory or saving provision.
This subsection does not apply to regulations under section 180 (consequential
provision).

30

(3)

Any power of the Secretary of State under this Act to make regulations is
exercisable by statutory instrument.

(4)

This section does not apply to regulations under section 196 (commencement
and transitional provision).

182
(1)

20

25

35

Parliamentary procedure for regulations
A statutory instrument containing (whether alone or with other provision)—
(a) regulations under section 64(12),
(b) regulations under section 98(2),

40

Part 11 — Supplementary and general

147

(c)
(d)
(e)
(f)
(g)
(h)

regulations under section 141(3),
regulations under section 176(1),
regulations under section 177(1), (2), (3), (5), (6) or (10),
regulations under section 178(1),
regulations under section 179(1) or (3),
regulations under section 180 that amend or repeal provision made by
the Communications Act,
(i) regulations under paragraph 7 of Schedule 4,
(j) regulations under paragraph 32 of Schedule 8, or
(k) regulations under paragraph 7 of Schedule 10,
may not be made unless a draft of the instrument has been laid before, and
approved by a resolution of, each House of Parliament.
(2)

(3)

15

But a statutory instrument mentioned in subsection (2) may be made without
a draft of the instrument being laid before, and approved by a resolution of,
each House of Parliament if it contains a declaration that the Secretary of State
is of the opinion that, because of urgency, it is necessary to make the
regulations without a draft being so laid and approved.

20

After an instrument is made in accordance with subsection (3), it must be laid
before Parliament.

(5)

Regulations contained in an instrument made in accordance with subsection
(3) cease to have effect at the end of the period of 28 days beginning with the
day on which the instrument is made unless, during that period, the
instrument is approved by a resolution of each House of Parliament.

(6)

In calculating the period of 28 days, no account is to be taken of any whole days
that fall within a period during which—
(a) Parliament is dissolved or prorogued, or
(b) either House of Parliament is adjourned for more than 4 days.

(7)

If regulations cease to have effect as a result of subsection (5), that does not—
(a) affect the validity of anything previously done under or by virtue of the
regulations, or
(b) prevent the making of new regulations.

(9)

10

A statutory instrument containing regulations under—
(a) section 53(2) or (3), or
(b) section 54(2),
may not be made unless a draft of the instrument has been laid before, and
approved by a resolution of, each House of Parliament.

(4)

(8)

5

A statutory instrument containing—
(a) regulations under section 60(1),
(b) regulations under section 70(3)(b),
(c) regulations under section 142(1),
(d) regulations under section 180 that do not amend or repeal provision
made by the Communications Act, or
(e) regulations under paragraph 1(1), (2) or (3) of Schedule 11,
is subject to annulment in pursuance of a resolution of either House of
Parliament.
Regulations made by the Scottish Ministers under—

25

30

35

40

45

148

Part 11 — Supplementary and general

(a) section 178(3), and
(b) section 179(2),
are subject to the affirmative procedure (see section 29 of the Interpretation and
Legislative Reform (Scotland) Act 2010 (asp 10)).
(10)

A statutory instrument containing regulations under section 178(5) may not be
made by the Welsh Ministers unless a draft of the instrument has been laid
before and approved by a resolution of Senedd Cymru.

(11)

The power of the relevant Department to make regulations under section
178(7) is exercisable by statutory rule for the purposes of the Statutory Rules
(Northern Ireland) Order 1979 (S.I. 1979/1573 (N.I. 12)).

(12)

Regulations may not be made by the relevant Department under section 178(7)
unless a draft of the regulations has been laid before and approved by a
resolution of the Northern Ireland Assembly.

(13)

In subsections (11) and (12), “the relevant Department” has the same meaning
as in section 178(7) (see subsection (8) of that section).

5

10

15

PART 12
INTERPRETATION AND FINAL PROVISIONS
Interpretation
183
(1)

“Provider” of internet service
This section applies to determine who is the “provider” of an internet service
for the purposes of this Act.

20

User-to-user services (other than combined services)
(2)

(3)

The provider of a user-to-user service is to be treated as being the entity that
has control over who can use the user-to-user part of the service (and that
entity alone).

25

If no entity has control over who can use the user-to-user part of a user-to-user
service, but an individual or individuals have control over who can use that
part, the provider of the service is to be treated as being that individual or those
individuals.
Search services

(4)

The provider of a search service is to be treated as being the entity that has
control over the operations of the search engine (and that entity alone).

(5)

If no entity has control over the operations of the search engine, but an
individual or individuals have control over those operations, the provider of
the search service is to be treated as being that individual or those individuals.

30

35

Combined services
(6)

The provider of a combined service is to be treated as being the entity that has
control over both—
(a) who can use the user-to-user part of the service, and
(b) the operations of the search engine,

40

Part 12 — Interpretation and final provisions

149

(and that entity alone).
(7)

If no entity has control over the matters mentioned in paragraphs (a) and (b) of
subsection (6), but an individual or individuals have control over both those
matters, the provider of the combined service is to be treated as being that
individual or those individuals.

5

Internet services other than user-to-user services or search services
(8)

The provider of an internet service, other than a user-to-user service or a search
service, is to be treated as being the entity that has control over which content
is published or displayed on the service.

(9)

If no entity has control over which content is published or displayed on such
an internet service, but an individual or individuals have control over which
content is published or displayed, the provider of the service is to be treated as
being that individual or those individuals.

10

Machine-generated services
(10)

The provider of an internet service that is generated by a machine is to be
treated as being the entity that controls the machine (and that entity alone).

(11)

If no entity controls the machine, but an individual or individuals control it, the
provider of the internet service is to be treated as being that individual or those
individuals.
Interpretation

(12)

A person who provides an access facility in relation to a user-to-user service,
within the meaning of section 126, is not to be regarded as a person who has
control over who can use the user-to-user part of the service for the purposes
of this section.

(13)

In this section “operations of the search engine” means operations which—
(a) enable users of a search service or a combined service to make search
requests, and
(b) generate responses to those requests.

(14)

In this section “published or displayed” is to be construed in accordance with
section 66(5) and (6).

184
(1)

15

20

25

30

“User”, “United Kingdom user” and “interested person”
For the purposes of this Act a user is a “United Kingdom user” of a service if—
(a) where the user is an individual, the individual is in the United
Kingdom;
(b) where the user is an entity, the entity is incorporated or formed under
the law of any part of the United Kingdom.

(2)

For the purposes of references in this Act to a user of a service it does not matter
whether a person is registered to use a service.

(3)

References in this Act to a user of a service do not include references to any of
the following when acting in the course of the provider’s business—
(a) where the provider of the service is an individual or individuals, that
individual or those individuals;

35

40

150

Part 12 — Interpretation and final provisions

(b)
(c)
(d)
(4)

where the provider is an entity, officers of the entity;
persons who work for the provider (including as employees or
volunteers);
any other person providing a business service to the provider such as a
contractor, consultant or auditor.

In subsection (3) “acting in the course of the provider’s business” means (as the
case may be)—
(a) acting in the course of the provider’s business of providing the service,
or
(b) acting in the course of a business, trade, profession or other concern—
(i) carried on (whether or not for profit) by the provider of the
service, and
(ii) for the purposes of which the service is provided.

(5)

In subsections (1) to (4) “service” (except in the term “business service”) means
internet service, user-to-user service or search service.

(6)

In subsection (3) “officer” includes a director, manager, partner, associate,
secretary or other similar officer.

(7)

In this Act “interested person”, in relation to a search service or a combined
service, means a person that is responsible for a website or database capable of
being searched by the search engine, provided that—
(a) in the case of an individual, the individual is in the United Kingdom;
(b) in the case of an entity, the entity is incorporated or formed under the
law of any part of the United Kingdom.

185

In this Act “internet service” means a service that is made available by means
of the internet.

(2)

For the purposes of subsection (1) a service is “made available by means of the
internet” even where it is made available by means of a combination of—
(a) the internet, and
(b) an electronic communications service.

186
(1)

(2)

10

15

20

“Internet service”

(1)

(3)

5

25

30

“Electronic communications service” has the same meaning as in the
Communications Act (see section 32(2) of that Act).
“Search engine”
In this Act “search engine”—
(a) includes a service or functionality which enables a person to search
some websites or databases (as well as a service or functionality which
enables a person to search (in principle) all websites or databases);
(b) does not include a service which enables a person to search just one
website or database.
For the purposes of this Act, a search engine is not to be taken to be “included”
in an internet service or a user-to-user service if the search engine is controlled
by a person who does not control other parts of the service.

35

40

Part 12 — Interpretation and final provisions

187
(1)

(2)

151

“Proactive technology”
In this Act “proactive technology” means—
(a) content moderation technology,
(b) user profiling technology, or
(c) behaviour identification technology,
but this is subject to subsections (3) and (7).
“Content moderation technology” means technology, such as algorithms,
keyword matching, image matching or image classification, which—
(a) analyses relevant content to assess whether it is illegal content or
content that is harmful to children, or
(b) analyses content to assess whether it is a fraudulent advertisement.

(3)

But content moderation technology is not to be regarded as proactive
technology if it is used in response to a report from a user or other person about
particular content.

(4)

“User profiling technology” means technology which analyses (any or all of)—
(a) relevant content,
(b) user data, or
(c) metadata relating to relevant content or user data,
for the purposes of building a profile of a user to assess characteristics such as
age.

(5)

(6)

Technology which—
(a) analyses data specifically provided by a user for the purposes of the
provider assessing or establishing the user’s age in order to decide
whether to allow the user to access a service (or part of a service) or
particular content, and
(b) does not analyse any other data or content,
is not to be regarded as user profiling technology.
“Behaviour identification technology” means technology which analyses (any
or all of)—
(a) relevant content,
(b) user data, or
(c) metadata relating to relevant content or user data,
to assess a user’s online behaviour or patterns of online behaviour (for
example, to assess whether a user may be involved in, or be the victim of,
illegal activity).

(7)

But behaviour identification technology is not to be regarded as proactive
technology if it is used in response to concerns identified by another person or
an automated tool about a particular user.

(8)

“Relevant content” means—
(a) in relation to a user-to-user service, content that is user-generated
content in relation to the service;
(b) in relation to a search service, the content of websites and databases
capable of being searched by the search engine.

(9)

“User data” means—
(a) data provided by users, including personal data (for example, data
provided when a user sets up an account), and

5

10

15

20

25

30

35

40

45

152

Part 12 — Interpretation and final provisions

(b)

data created, compiled or obtained by providers of Part 3 services and
relating to users (for example, data relating to when or where users
access a service or how they use it).

(10)

References in this Act to proactive technology include content moderation
technology, user profiling technology or behaviour identification technology
which utilises artificial intelligence or machine learning.

(11)

Accredited technology that may be required to be used in relation to the
detection of terrorism content or CSEA content (or both) by a notice under
section 104(1) is an example of content moderation technology.

(12)

The reference in subsection (8)(b) to a search service includes a reference to the
search engine of a combined service.

(13)

In this section—
“accredited” technology has the same meaning as in Chapter 5 of Part 7
(see section 106(9));
“content that is harmful to children” has the same meaning as in Part 3
(see section 53);
“fraudulent advertisement” has the meaning given by section 34 or 35
(depending on the kind of service in question);
“illegal content”, “terrorism content” and “CSEA content” have the same
meaning as in Part 3 (see section 52);
“user-generated content” has the meaning given by section 49 (see
subsections (3) and (4) of that section).

188
(1)

(2)

(3)

5

10

15

20

Content communicated “publicly” or “privately”
This section specifies factors which OFCOM must, in particular, consider when
deciding whether content is communicated “publicly” or “privately” by means
of a user-to-user service for the purposes of—
(a) section 104 (notice to deal with terrorism content),
(b) section 117 (requirement to use proactive technology), or
(c) paragraph 12(4) of Schedule 4 (recommendation of proactive
technology in codes of practice).
The factors are—
(a) the number of individuals in the United Kingdom who are able to
access the content by means of the service;
(b) any restrictions on who may access the content by means of the service
(for example, a requirement for approval or permission from a user, or
the provider, of the service);
(c) the ease with which the content may be forwarded to or shared with
users of the service other than those who originally encounter it.
The following factors do not count as restrictions on access—
(a) a requirement to log in to or register with a service (or part of a service);
(b) a requirement to make a payment or take out a subscription in order to
access a service (or part of a service) or to access particular content;
(c) inability to access a service (or part of a service) or to access particular
content except by using particular technology or a particular kind of
device (as long as that technology or device is generally available to the
public).

25

30

35

40

45

Part 12 — Interpretation and final provisions

189
(1)

(2)

(3)

(4)

190

153

“Functionality”
In this Act “functionality”, in relation to a user-to-user service, includes any
feature that enables interactions of any description between users of the service
by means of the service, and includes any feature enabling a user to do
anything listed in subsection (2).
The things are—
(a) creating a user profile, including an anonymous or pseudonymous
profile;
(b) searching within the service for user-generated content or other users
of the service;
(c) forwarding content to, or sharing content with, other users of the
service;
(d) sharing content on other internet services;
(e) sending direct messages to or speaking to other users of the service, or
interacting with them in another way (for example by playing a game);
(f) expressing a view on content, including, for example, by—
(i) applying a “like” or “dislike” button or other button of that
nature,
(ii) applying an emoji or symbol of any kind,
(iii) engaging in yes/no voting, or
(iv) rating or scoring content in any way (including giving star or
numerical ratings);
(g) sharing current or historic location information with other users of the
service, recording a user’s movements, or identifying which other users
of the service are nearby;
(h) following or subscribing to particular kinds of content or particular
users of the service;
(i) creating lists, collections, archives or directories of content or users of
the service;
(j) tagging or labelling content present on the service;
(k) uploading content relating to goods or services;
(l) applying or changing settings on the service which affect the
presentation of user-generated content on the service;
(m) accessing other internet services through content present on the service
(for example through hyperlinks).
In this Act “functionality”, in relation to a search service, includes (in
particular)—
(a) a feature that enables users to search websites or databases;
(b) a feature that makes suggestions relating to users’ search requests
(predictive search functionality).

5

10

15

20

25

30

35

40

In this section “user-generated content” has the meaning given by section 49
(see subsections (3) and (4) of that section).
“Harm” etc

(1)

This section applies for the purposes of this Act, apart from Part 10
(communications offences).

(2)

“Harm” means physical or psychological harm.

45

154
(3)

(4)

Part 12 — Interpretation and final provisions

References to harm presented by content, and any other references to harm in
relation to content, include references to harm arising or that may arise from
any one or combination of the following—
(a) the nature of the content;
(b) the fact of its dissemination;
(c) the manner of its dissemination (for example, content repeatedly sent
to an individual by one person or by different people).
References to harm presented by content, and any other references to harm in
relation to content, include references to harm arising or that may arise in the
following circumstances—
(a) where, as a result of the content, individuals act in a way that results in
harm to themselves or that increases the likelihood of harm to
themselves;
(b) where, as a result of the content, individuals do or say something to
another individual that results in harm to that other individual or that
increases the likelihood of such harm (including, but not limited to,
where individuals act in such a way as a result of content that is related
to that other individual’s characteristics or membership of a group).

(5)

References to a risk of harm, or to potential harm, are to be read in the same
way as references to harm.

(6)

In contexts where harm (or a risk of harm or potential harm) relates to children
or adults, subsections (3) and (4) are to be read as if they referred to children or
adults (as the case may be) instead of individuals.

191
(1)

(2)

5

10

15

20

“Online safety functions” and “online safety matters”
In this Act references to OFCOM’s “online safety functions”—
(a) are references to—
(i) the functions that OFCOM have under this Act,
(ii) the functions that OFCOM have under the provisions of the
Communications Act listed in subsection (2), so far as those
functions relate to regulated services or Part 3 services (as the
case may be), and
(iii) the functions that OFCOM have under section 3 of the
Communications Act (general duties), so far as duties under
that section relate to a function which is an online safety
function by reason of sub-paragraph (i) or (ii);
(b) include references to OFCOM’s power to do anything appearing to
them to be incidental or conducive to the carrying out of any of their
functions within paragraph (a)(i) or (ii) (see section 1(3) of the
Communications Act).

25

These are the provisions of the Communications Act referred to in subsection
(1)(a)(ii)—
(a) section 6 (duties to review regulatory burdens);
(b) section 7 (duty to carry out impact assessments);
(c) section 8 (duty to publish and meet promptness standards);
(d) section 11 (duty to promote media literacy);
(e) sections 12 and 13 (Content Board);
(f) section 14(6)(a) (research about media literacy);

40

30

35

45

Part 12 — Interpretation and final provisions

(g)
(h)
(i)
(j)
(k)
(l)
(3)

192
(1)

155

section 14(6B) (research about users’ experience of regulated services);
section 16 (consumer consultation);
section 20 (advisory committees for different parts of the United
Kingdom);
section 21 (advisory committee on elderly and disabled persons);
section 22 (representation on international and other bodies);
section 26 (publication of information and advice for consumers etc).

5

In this Act “online safety matters” means the matters to which OFCOM’s
online safety functions relate.
Interpretation: general
In this Act—
“adult” means a person aged 18 or over;
“age assurance” means measures designed to estimate or verify the age or
age-range of users of a service;
“audit notice” means a notice given under paragraph 4 of Schedule 12;
“capacity”: any reference to the capacity of a provider of a regulated
service is to—
(a) the financial resources of the provider, and
(b) the level of technical expertise which is available to the
provider, or which it is reasonable to expect would be available
to the provider given its size and financial resources;
“child” means a person under the age of 18;
“the Communications Act” means the Communications Act 2003;
“confirmation decision” means a notice given under section 113;
“content” means anything communicated by means of an internet service,
whether publicly or privately, including written material or messages,
oral communications, photographs, videos, visual images, music and
data of any description;
“the Convention” has the meaning given by section 21(1) of the Human
Rights Act 1998;
“country” includes territory;
“document” means anything in which information (in whatever form) is
recorded;
“encounter”, in relation to content, means read, view, hear or otherwise
experience content;
“entity” means a body or association of persons or an organisation,
regardless of whether the body, association or organisation is—
(a) formed under the law of any part of the United Kingdom or of
a country outside the United Kingdom, or
(b) a legal person under the law under which it is formed;
“identifying content” means content the function of which is to identify a
user of an internet service (for example, a user name or profile picture);
“information notice” means a notice given under section 86(1);
“maximum summary term for either-way offences”, with reference to
imprisonment for an offence, means—
(a) if the offence is committed before the time when paragraph
24(2) of Schedule 22 to the Sentencing Act 2020 comes into force,
6 months;

10

15

20

25

30

35

40

45

156

Part 12 — Interpretation and final provisions

(b) if the offence is committed after that time, 12 months;
“measure”: any reference to a measure includes a reference to any system
or process relevant to the operation of an internet service or any step or
action which may be taken by a provider of an internet service to
comply with duties or requirements under this Act;
“notice” means notice in writing;
“notify” means notify in writing, and “notification” is to be construed
accordingly;
“OFCOM” means the Office of Communications;
“paid-for advertisement”: an advertisement is a “paid-for advertisement”
in relation to an internet service if—
(a) the provider of the service receives any consideration
(monetary or non-monetary) for the advertisement (whether
directly from the advertiser or indirectly from another person),
and
(b) the placement of the advertisement is determined by systems or
processes that are agreed between the parties entering into the
contract relating to the advertisement;
“person” includes (in addition to an individual and a body of persons
corporate or unincorporate) any organisation or association of persons;
“personal data” has the meaning given by section 3(2) of the Data
Protection Act 2018;
“processing” has the meaning given by section 3(4) of the Data Protection
Act 2018;
“provisional notice of contravention” means a notice given under section
111;
“publicly available” means available to members of the public in the
United Kingdom;
“systems and/or processes”: any reference to systems and/or processes is
to human or automated systems and/or processes, and accordingly
includes technologies;
“taking down” (content): any reference to taking down content is to any
action that results in content being removed from a user-to-user service
or being permanently hidden so users of the service cannot encounter
it (and related expressions are to be read accordingly);
“terms of service”, in relation to a user-to-user service, means all
documents (whatever they are called) comprising the contract for use
of the service (or of part of it) by United Kingdom users;
“user-to-user part”, in relation to a user-to-user service, means the part of
the service on which content that is user-generated content in relation
to the service is present.
(2)

The definitions of “encounter” and “person” in subsection (1) do not apply for
the purposes of Part 10 (for the definition of “encounter” in that Part, see
section 154(5)).

(3)

References in this Act to a kind of user-to-user service or search service (or Part
3 service) include references to user-to-user services or search services grouped
together for the purposes of a risk profile prepared by OFCOM under section
84 (and references to different kinds of user-to-user services or search services
(or Part 3 services) are to be read accordingly).

5

10

15

20

25

30

35

40

45

157

Part 12 — Interpretation and final provisions

(4)

(5)

References in this Act to content (or content of a particular description) present
or prevalent on a user-to-user service (or on a part of it), or to the presence,
incidence or prevalence of content (or content of a particular description) on a
user-to-user service (or on a part of it), do not include, in the case of a user-touser service that includes a search engine—
(a) search content, or
(b) any other content that, following a search request, may be encountered
as a result of subsequent interactions with internet services.
In this subsection “search content” and “search request” have the same
meaning as in Part 3 (see section 51).
For the purposes of this Act—
(a) any reference to the use of or access to a service, or to content present,
published or displayed on a service, is to be taken to include use of or
access to the service or content on registering or on the making of a
payment or on subscription;
(b) any reference to content that is made available or that may be accessed,
encountered or shared, is to be taken to include content that is made
available or that may be accessed, encountered or shared for a limited
period of time only.

5

10

15

(6)

For the purposes of this Act, content that is user-generated content in relation
to an internet service does not cease to be such content in relation to the service
when published or displayed on the service by means of software or an
automated tool or algorithm applied by the provider of the service or applied
by a person acting on behalf of that provider.

20

(7)

Nothing in this Act (other than section 173) affects any prohibition or
restriction in relation to pornographic content (within the meaning of section
66(2)), or powers in relation to such content, under another enactment or rule
of law.

25

(8)

In this section, “user-generated content” has the meaning given by section 49
(see subsections (3) and (4) of that section).

193

30

Index of defined terms
The following table sets out terms defined or explained for this Act or for a Part
of this Act.

Term

Provision

adult

section 192

age assurance

section 192

audit notice

section 192

capacity (of a provider)

section 192

Category 1 service

section 82(10)(a)

Category 2A service

section 82(10)(b)

Category 2B service

section 82(10)(c)

35

40

158

Part 12 — Interpretation and final provisions

Term

Provision

charging year (in Part 6)

section 77

child

section 192

children’s access assessment (in Part 3)

section 31

combined service

section 3(7)

the Communications Act

section 192

confirmation decision

section 192

content

section 192

content that is harmful to adults (in Part 3)

section 54

content that is harmful to children (in Part 3)

section 53

the Convention

section 192

country

section 192

CSEA content (in Part 3)

section 52

document

section 192

encounter (content) (except in Part 10)

section 192

entity

section 192

functionality

section 189

harm (except in Part 10)

section 190

identifying content

section 192

illegal content (in Part 3)

section 52

information notice

section 192

initial charging year (in Part 6)

section 77

interested person

section 184

internet service

section 185 (see also
section 167(1))

likely to be accessed by children (in Part 3)

section 33

maximum summary term for either-way
offences

section 192

measure

section 192

news publisher content (in Part 3)

section 49(8) to (10)

non-designated content that is harmful to
children (in Part 3)

section 53

5

10

15

20

25

30

159

Part 12 — Interpretation and final provisions

Term

Provision

notice

section 192

notify, notification

section 192

OFCOM

section 192

online safety functions

section 191

online safety matters

section 191

paid-for advertisement

section 192

Part 3 service

section 3(3)

person (except in Part 10)

section 192

personal data

section 192

pornographic content (in Part 5)

section 66

primary priority content that is harmful to
children (in Part 3)

section 53

priority content that is harmful to adults (in
Part 3)

section 54

priority content that is harmful to children
(in Part 3)

section 53

priority illegal content (in Part 3)

section 52

proactive technology

section 187

processing (of data)

section 192

provider

section 183

provider pornographic content (in Part 5)

section 66

provisional notice of contravention

section 192

publicly available

section 192

publicly/privately
(in
communication of content)

relation

to

section 188

published or displayed (in relation to
pornographic content) (in Part 5)

section 66

recognised news publisher (in Part 3)

section 50

regulated provider pornographic content (in
Part 5)

section 66

regulated search service

section 3(2)

regulated service

section 3(4)

regulated user-generated content (in Part 3)

section 49

5

10

15

20

25

30

160

Part 12 — Interpretation and final provisions

Term

Provision

regulated user-to-user service

section 3(2)

search

section 51

search content

section 51

search engine

section 186

search request

section 51

search results

section 51

search service

section 2 (see also
section 167(1))

systems and/or processes

section 192

taking down (content)

section 192

terms of service

section 192

terrorism content (in Part 3)

section 52

United Kingdom user

section 184

user

section 184

user-generated content (in Part 3)

section 49(3) and (4)

user-to-user part (of a service)

section 192

user-to-user service

section 2 (see also
section 167(1))
Final provisions

194

10

15

20

Financial provisions
There is to be paid out of money provided by Parliament—
(a) any expenditure incurred under or by virtue of this Act by the Secretary
of State, and
(b) any increase attributable to this Act in the sums payable under any
other Act out of money so provided.

195

5

25

Extent

(1)

Except as provided by subsections (2) to (7), this Act extends to England and
Wales, Scotland and Northern Ireland.

(2)

In Part 10 (communications offences)—
(a) sections 151 to 156 extend to England and Wales only;
(b) section 158(1) extends to England and Wales only.

(3)

Section 158(2) extends to England and Wales and Northern Ireland.

30

Part 12 — Interpretation and final provisions

161

(4)

The following provisions extend to England and Wales only—
(a) section 157;
(b) section 174
(c) section 175(1) to (3).

(5)

Section 175(4) to (6) extends to Scotland only.

(6)

Section 175(7) to (9) extends to Northern Ireland only.

(7)

An amendment or repeal made by Schedule 14 has the same extent within the
United Kingdom as the provision amended or repealed.

(8)

The power conferred by section 411(6) of the Communications Act may be
exercised so as to extend to any of the Channel Islands or the Isle of Man the
repeal of provisions of section 127 of that Act made by section 158(1).

(9)

The power conferred by section 338 of the Criminal Justice Act 2003 may be
exercised so as to extend to any of the Channel Islands or the Isle of Man the
amendment of provisions of that Act made by paragraph 5 of Schedule 14.

(10)

The power conferred by section 60(6) of the Modern Slavery Act 2015 may be
exercised so as to extend to any of the Channel Islands or the Isle of Man the
amendment of Schedule 4 to that Act made by paragraph 7 of Schedule 14.

(11)

The power conferred by section 415(1) of the Sentencing Act 2020 may be
exercised so as to extend to any of the Channel Islands or the Isle of Man the
amendment of Schedule 18 to that Act made by paragraph 8 of Schedule 14.

196
(1)

5

10

15

20

Commencement and transitional provision
The following provisions come into force on the day on which this Act is
passed—
(a) Part 1;
(b) sections 2 and 3 and Schedules 1 and 2;
(c) Chapter 1 of Part 3;
(d) sections 49 to 51;
(e) section 52 and Schedules 5, 6 and 7;
(f) sections 53 to 55;
(g) section 66;
(h) section 67(4);
(i) section 167(1);
(j) section 173;
(k) sections 178 to 182;
(l) this Part.

(2)

The other provisions of this Act come into force on such day as the Secretary of
State may by regulations appoint.

(3)

The power to make regulations under subsection (2) includes power to appoint
different days for different purposes.

(4)

The Secretary of State may by regulations make transitional, transitory or
saving provision in connection with the coming into force of any provision of
this Act.

25

30

35

40

162

Part 12 — Interpretation and final provisions

(5)

The power to make regulations under subsection (4) includes power to make
different provision for different purposes.

(6)

Regulations under this section are to be made by statutory instrument.

197

Short title
This Act may be cited as the Online Safety Act 2022.

5

163

Schedule 1 — Exempt user-to-user and search services

SCHEDULES

SCHEDULE 1

Sections 2 and 3

EXEMPT USER-TO-USER AND SEARCH SERVICES
PART 1
DESCRIPTIONS OF SERVICES WHICH ARE EXEMPT

5

Email services
1

A user-to-user service is exempt if emails are the only user-generated
content (other than identifying content) enabled by the service.

SMS and MMS services
2

(1) A user-to-user service is exempt if SMS messages are the only usergenerated content (other than identifying content) enabled by the service.

10

(2) A user-to-user service is exempt if MMS messages are the only usergenerated content (other than identifying content) enabled by the service.
(3) A user-to-user service is exempt if SMS messages and MMS messages are the
only user-generated content (other than identifying content) enabled by the
service.

15

(4) “SMS message” and “MMS message” have the meaning given by section
49(12).
Services offering only one-to-one live aural communications
3

(1) A user-to-user service is exempt if one-to-one live aural communications are
the only user-generated content (other than identifying content) enabled by
the service.

20

(2) “One-to-one live aural communications” has the meaning given by section
49(5).
Limited functionality services
4

(1) A user-to-user service is exempt if the functionalities of the service are
limited, such that users are able to communicate by means of the service
only in the following ways—
(a) posting comments or reviews relating to provider content;
(b) sharing such comments or reviews on a different internet service;
(c) expressing a view on such comments or reviews, or on provider
content, by means of—

25

30

164

Schedule 1 — Exempt user-to-user and search services
Part 1 — Descriptions of services which are exempt

(i)

(d)

applying a “like” or “dislike” button or other button of that
nature,
(ii) applying an emoji or symbol of any kind,
(iii) engaging in yes/no voting, or
(iv) rating or scoring the content (or the comments or reviews) in
any way (including giving star or numerical ratings);
producing or displaying identifying content in connection with any
of the activities described in paragraphs (a) to (c).

(2) In sub-paragraph (1), “provider content” means content published on a
service by the provider of the service or by a person acting on behalf of the
provider (including where the publication of the content is effected or
controlled by means of software or an automated tool or algorithm applied
by the provider or by a person acting on behalf of the provider).
(3) For the purposes of this paragraph, content that is user-generated content in
relation to a service is not to be regarded as provider content in relation to
that service.

5

10

15

Services which enable combinations of user-generated content
5

A user-to-user service is exempt if the only user-generated content enabled
by the service is content of the following kinds—
(a) content mentioned in paragraph 1, 2 or 3 and related identifying
content;
(b) content arising in connection with any of the activities described in
paragraph 4(1).

20

Exception to exemptions in paragraphs 1 to 5
6

But a a user-to-user service described in any of paragraphs 1 to 5 is not
exempt if—
(a) regulated provider pornographic content is published or displayed
on the service, and
(b) the service has links with the United Kingdom within the meaning of
section 67(4).

25

30

Internal business services (entire user-to-user service or search service)
7

(1) A user-to-user service or a search service is exempt if the conditions in subparagraph (2) are met in relation to the service.
(2) The conditions are—
(a) the user-to-user service or search service is an internal resource or
tool for a business, or for more than one business carried on by the
same person,
(b) the person carrying on the business (or businesses) (“P”) is the
provider of the user-to-user service or search service, and
(c) the user-to-user service or search service is available only to a closed
group of people comprising some or all of the following—
(i) where P is an individual or individuals, that individual or
those individuals,
(ii) where P is an entity, officers of P,

35

40

Schedule 1 — Exempt user-to-user and search services
Part 1 — Descriptions of services which are exempt

(iii)
(iv)

165

persons who work for P (including as employees or
volunteers) for the purposes of any activities of the business
(or any of the businesses) in question, and
any other persons authorised by a person within subparagraph (i), (ii) or (iii) to use the service for the purposes of
any activities of the business (or any of the businesses) in
question (for example, a contractor, consultant or auditor, or
in the case of an educational institution, pupils or students).

(3) In this paragraph—
“business” includes trade, profession, educational institution or other
concern (whether or not carried on for profit);
“officer” includes a director, manager, partner, associate, secretary,
governor, trustee or other similar officer.

5

10

Internal business services (part of user-to-user service or search service)
8

(1) A user-to-user service is exempt if—
(a) the conditions in paragraph 7(2) are met in relation to a part of the
service,
(b) no user-generated content is enabled by the rest of the service, and
(c) no regulated provider pornographic content is published or
displayed on the rest of the service.
(2) A user-to-user service is also exempt if—
(a) the conditions in paragraph 7(2) are met in relation to a part of the
service,
(b) the only user-generated content enabled by the rest of the service is—
(i) content mentioned in paragraph 1, 2 or 3 and related
identifying content, or
(ii) content arising in connection with any of the activities
described in paragraph 4(1), and
(c) no regulated provider pornographic content is published or
displayed on the rest of the service.
(3) A search service is exempt if—
(a) the conditions in paragraph 7(2) are met in relation to a part of the
service that is a search engine,
(b) the service does not include a public search engine, and
(c) no regulated provider pornographic content is published or
displayed on the rest of the service.
(4) In this paragraph—
“public search engine” means a search engine other than one in relation
to which the conditions in paragraph 7(2) are met;
“the rest of the service” means all parts of the user-to-user service or
search service other than the part in relation to which the conditions
in paragraph 7(2) are met.

15

20

25

30

35

40

Services provided by public bodies
9

(1) A user-to-user service or a search service is exempt if—
(a) both of the following conditions are met in relation to the service