Now that the Act has received Royal Assent, it is largely up to Ofcom, as regulator, to help define the expectations on companies, and ensure the new rules are followed.
Ofcom says it plans to move quickly to implement the new rules, so what does that mean in practice, and what are the likely timeframes?
What will Ofcom do next?
While the onus is on companies to decide what safety measures they need given the risks they face, Ofcom expects implementation of the Act to ensure people in the UK are safer online by delivering four outcomes:
- stronger safety governance in online firms;
- online services designed and operated with safety in mind;
- choice for users so they can have meaningful control over their online experiences; and
- transparency regarding the safety measures services use, and the action Ofcom is taking to improve them, in order to build trust.
To achieve this, and help it ensure a proportionate approach to enforcement, Ofcom will issue draft guidance and codes of practice on how companies that are in-scope of the new rules are expected to comply with their duties. These will go through a period of consultation and crystalise into final guidance, which in-scope companies and services will be required to follow.
The timetable for implementation and enforcement
Ofcom will do all of this in three phases:
Phase 1: illegal harms duties
On 9 November 2023, Ofcom will publish draft codes and guidance on these duties and how it expects in-scope companies to manage them. For example, Ofcom will publish analysis of the causes and impacts of online harm in order to support in-scope companies in carrying out appropriate risk assessments, as well as issuing guidance on the processes for how Ofcom expects those companies to assess the relevant risk of harm to their users, and steps they can take to mitigate those risks. Ofcom will also publish draft guidelines on its approach to enforcement. It will do this all by 9 November 2023, but Ofcom will consult on those documents and plans, before finalising those documents in the Autumn of 2024.
The new codes of practice will be subject to approval by the Secretary of State for Science, Innovation and Technology, and if the Secretary of State approves them, if all goes according to plan, they will be laid before Parliament.
Phase 2: a focus on child safety, pornography and the protection of women and girls
Child protection duties on the part of in-scope platforms and companies will involve new age assurance guidance. This new guidance is expected to be published in or around December 2023, followed by an opportunity for interested stakeholders to respond to them the following year. Other draft codes of practice relating to protection of children are expected in Spring 2024.
In parallel with these developments, Ofcom will consult on the causes and impacts of online harm to children, and issue draft guidance on how risk assessments should include and how they should be carried out.
By Spring 2025, Ofcom should have finalised its codes of practice on the protection of children and it will then move to publish more draft guidance, this time focusing specifically on the protection of woman and girls.
Phase 3: transparency, user empowerment, and other duties on categorised services
A small proportion of regulated services will be designated Category 1, 2A or 2B services if they meet certain thresholds set out in secondary legislation to be made by Government. The third and final stage of Ofcom’s implementation strategy focuses on additional requirements that fall exclusively on those few highly regulated services.
The additional requirements are expected to include duties to take steps such as producing transparency reports, provide user empowerment tools, be seen to be operating in line with terms of service, protect certain types of journalistic content; and implement measures to prevent fraudulent advertising. Ofcom expects to issue a call for evidence regarding its approach to these duties in early 2024 and to issue a consultation on draft transparency guidance in the summer of 2024.
Ofcom is required to produce a register of categorised services, and it will advise the UK government on the thresholds for these categories in early 2024. The government will then make secondary legislation on categorisation – a process expected to take place some time around mid-2024 (general elections permitting!).
If that goes to plan, Ofcom will then publish the register of categorised services by the end of 2024, publish draft proposals regarding the additional duties on these services in early 2025; and issue transparency notices in mid 2025.
Best laid plans
It will be a busy time for the new regulator, platforms and other stakeholders, and interested parties, and it remains to be seen whether and how talk of general elections will impact these plans and timeframes.