Ofcom’s enforcement powers under the Online Safety Act
The Online Safety Act sets out Ofcom’s enforcement powers in Chapter Six (Sections 130-151). Ofcom recently consulted on its approach to enforcement and the proposed draft guidance as part of its consultation on illegal harms. In Volume 6 (Information gathering and enforcement powers and approach to supervision), the regulator says:
"Ofcom’s general approach to enforcement is guided by our regulatory principles. We operate with a bias against intervention but with a willingness to intervene promptly and effectively when required. We will always seek the least intrusive regulatory methods to achieve our objectives and will strive to ensure that interventions are evidence-based, proportionate, consistent, accountable and transparent in both deliberation and outcome. These regulatory principles will also apply to online safety enforcement."
(Volume 6, 29.3)
At paragraph 29.6, Ofcom acknowledged that, while they would take “a reasonable and proportionate approach to the exercise of enforcement powers under the Act”, this would need to be “balanced against the need for Ofcom to take swift action where UK users are exposed to the risk of serious harm.” Ofcom has developed a prioritisation framework to help it decide which compliance matters it will likely take action about; in particular, Ofcom noted the need for a higher level of protection for children (Vol 6, para 29.22). Ofcom also intends to adopt a supervisory approach, being “a set of activities to manage Ofcom’s relationships with services to understand and mitigate future risks and secure improvements in Ofcom’s focus areas of Governance, Design and Operations, Choice and Trust …” (Vol 6, para 30.4). It remains to be seen if or how the supervisory approach affects Ofcom’s approach to enforcement priorities.
Annex 11, which is the draft guidance on enforcement, includes a useful flow chart of the enforcement process on page 7, which we describe further below.
Indicative timescales for each stage are not included but it is reasonable to assume that, for non-compliant companies, it will take some time for Ofcom to work through each stage and reach the end of the process (the confirmation decision and the imposition of penalties or other action); in particular, should Ofcom require a service provider to take action as part of the enforcement process, Ofcom would need to allow some time for the provider to implement that requirement. Certainly, Ofcom notes that as regards the coming into force of the regime they “acknowledge that services may require a reasonable period to put in place appropriate systems and processes to bring them into full compliance with these duties. This is likely to particularly be the case for smaller services and those new to regulation.” (Vol 6, para 29.12), a point which is likely relevant to the requirement to adapt processes too.
The Framework
Section 131 lists the “enforceable requirements” in the Online Safety Act (OSA) – these are mainly the risk assessment duties, the safety duties and the supporting duties plus the obligation to report CSEA content to the NCA, the provisions relating to terms of service, transparency reports, fees and compliance with information notices. The provisions in ss 174-5, according to which the Secretary of State may give Ofcom directions and which may have knock-on effects for service providers, are not listed, but the Part 5 duty is. Ofcom may enforce these duties; they do not give rise to new civil causes of action (nor do they displace any existing claims that could arise under civil law – if any). Those who are the subject of a decision have a right of appeal (s 168) – this presumably will introduce a delay into enforcement processes until any such appeal has been resolved, and some services may choose to litigate for this reason even if their chances of winning the appeal are slim. Note that these duties on the whole apply to processes or the running of a system – they do not give Ofcom the power to specify that particular items of content must be taken down – though presumably Ofcom can flag when a service is not dealing adequately with a class of material and make suggestions how to improve the systems with regard to that class of material – a point made by Ofcom in its recent consultation (Vol 6, paras 29.25-26). There is, for example, no equivalent in the OSA to the notice system in the DSA for illegal content or in TERREG for terrorism content. Ofcom would have enforcement powers around the effectiveness of regulated services’ own complaints and reporting processes.
The OSA envisages that Ofcom will issue a provisional notice of contravention (s 130) before issuing a confirmation decision (s 132). The provisional notice is issued before Ofcom has come to a final decision on whether there is a violation or not (Explanatory Notes, para 613); it is thus also part of the investigation process. Ofcom has stated that it will send such a notice “where we consider there are reasonable grounds to believe that the subject of an investigation failed, or is failing, to comply with one or more of its obligations” (Vol 6, para 29.29). The notice will be sent to the provider to give it the opportunity to make representations (and Ofcom has said it will provide it with evidence relied on (Vol 6, para 29.32)), but third parties could be notified (Vol 6, para 29.30). It would be helpful to know the circumstances in which Ofcom is likely to notify interested parties. According to s 133, the confirmation decision can require a provider to take steps (though there are controls around the use of “proactive technology” – see s 136) to remedy the failure and there are specific provisions with regard to failure to carry out a risk assessment properly, or to do the children’s access assessment (see Vol 6, para 29.38-39). Ofcom has the power to impose penalties, and there is the possibility of criminal offences in relation to failure to comply with a requirement imposed by a confirmation decision. Given that the OSA envisages that there should be an initial notice, a period in which the service provider should respond, then a final notice presumably with a timeframe for compliance, this system is not built for emergency interventions.
The OSA also provides for “business disruption measures” which seem relevant for services which refuse to engage with Ofcom processes, especially those outside the jurisdiction. There are two types of measure and both provide also for the possibility of interim measures:
- service restriction orders (ss 144-45); and
- access restriction orders (ss 146-7).
Service restriction orders relate to services provided to the regulated service provider – so advertising services or payment services for example (see s 144(12) and Explanatory Notes para 660). Ofcom gives the following example: search engines could be required to remove a non-compliant provider from its search results (Vol 6, para 29.51(a)). If a service restriction order has been unsuccessful in persuading the regulated service to comply, the final option is access restriction – these orders are addressed to those who provide an access facility (eg internet access or an app store – see s 146(11) and Explanatory Notes para 663). The Explanatory Notes comment that “[i]n order to apply for an access restriction order, OFCOM must consider that a service restriction order under section 144 or 145 would not be sufficient to prevent significant harm to individuals in the United Kingdom” (Explanatory Notes, para 664) and that “[t]hey are designed only to be used for the most serious instances of user harm” (Explanatory Notes, para 659). Court orders are required here whether we are looking at service restriction or access restriction; there have been questions about process relating to ex parte hearings, emergency hearings and whether Ofcom can apply for ‘bulk’ orders. This probably turns into a question of court rules and processes.
The conditions which must be satisfied in relation to a service restriction order are set out in s 144(3) or (4). Section 144(3), which can be used in relation to any regulated service, sets out a three-stage test:
- that there is a breach of an enforceable obligation;
- the failure is continuing; and
- any of a list of 4 criteria applies:
  - failure to comply with confirmation decisions;
  - failure to pay a fine;
  - provider would be likely to fail to comply with a confirmation decision if given; or
  - risk of significant harm.
Subsection 4 relates only to a Part 3 service and is specific to terrorism and CSEA content. Under s 144(4), Ofcom need demonstrate only two issues:
- failure to comply with a s 121 notice (notices whereby Ofcom may require a service provider to use specific technology to tackle terrorism/CSEA content); and
- the failure is continuing.
Note that while the assumption seems to be that these orders will be used after a confirmation notice has been issued and not complied with, the OSA does foresee the possibility that the orders can be used in a couple of circumstances without waiting for a provisional notice and confirmation notice not to work. The first is where “the provider would be likely to fail to comply with the requirements imposed by a confirmation decision if given” (s 144(3)(c)(iii)), which means that using this route might provide a short cut in the process; the fact that there is a court order involved provides safeguards. It seems that this might be relevant where a provider has a history of a failure to comply (Vol 6, para 29.53). Having said that, service restrictions in principle should be used first. Here, it is not clear how long Ofcom needs to try to let such an order work before trying to apply for an access restriction order.
Another criterion can ground an application for a service disruption order: where “the circumstances of the failure or the risks of harm to individuals in the United Kingdom are such that it is appropriate to make the application …” (s 144(3)(c)(iv)). The Explanatory Notes give no details as to when this might arise and it is not clear how different the underpinning circumstances between this basis for an application and that in s 144(3)(c)(iii) might be. The key difference seems to be that for s 144(3)(c)(iii), Ofcom would have to adduce some evidence of the likelihood of the service provider not complying, but the nature of the harm is not in issue. Conversely, where there is a focus on harm, the intention of the service provider seems less relevant.
It also remains possible for Ofcom to apply for an access restriction order, without having applied for a service restriction order first, where the grounds in s 144(3) or (4) apply and the use of a service restriction order or an interim service order “would be likely to be sufficient to prevent significant harm arising to individuals in the United Kingdom” (s 146(1)(b)(ii)).
Interim measures are possible in relation to both service restriction orders (s 145) and access orders (s 147). For an interim service disruption order, Ofcom must demonstrate that the following apply:
- likely that there is a failure to comply with an enforceable requirement; and
- high level of risk of severe harm.
There is a separate route relating to s 121 notices. Interim access restriction orders may be made where the court is satisfied the service is likely to be non-compliant and the resulting harm is significant (s 147(1)). The Explanatory Notes state that an interim service restriction order can be used “in circumstances where it is not appropriate to wait for a failure to comply with an enforceable requirement to be established before making the order” (Explanatory Notes, para 661). There does seem to be some overlap between the circumstances described here and those that would trigger s 144(3)(c)(iii). An interim order lasts until either the date the court states the order should expire, or the date at which an order under s 144 is made or dismissed. Presumably there is an expectation that an interim order would be made for a specific period because leaving such an order open-ended would remove the pressure on Ofcom to apply for a s 144 order. As Ofcom notes, interim orders are intended to be temporary (Vol 6, para 29.51(b) and (d)).
A super-complaint mechanism exists whereby designated entities (and the outcome of the DSIT consultation on who should be a designated entity is not yet known) may make a complaint to Ofcom in relation to the operation of certain features, but only in cases where the complaint is “of particular importance”. It is not a mechanism designed to tackle individual items of content – instead it is looking to particular issues around system design/the way the services are run. Moreover, the complaint triggers Ofcom to look at the issue and does not result in an automatic finding that there is a problem.
Assessment
The OSA provides a range of enforcement tools, some of which are designed to tackle overseas established services and those services which deliberately choose not to comply. In general terms, enforcement seems to be built on a model of gradually increasing pressure on providers, as Ofcom moves through provisional and confirmation orders, with the possibility of fines and then the possibility of criminal offences and the two categories of business disruption measures. This process, which is built to encourage compliance and to respect due process, takes time and in some cases this lengthy process may not be appropriate. There are possibilities to take more extreme measures without always going through the confirmation order process. A history of non-compliance is one such situation, but what if there is a “phoenix” problem – that the provider of the service reconstitutes itself? Presumably this sort of argument could be made before a court, but there remains the prior issue of identifying such phoenix operations (and then evidencing that). The other option relates to “significant harm”. In all instances where Ofcom may act in relation to significant harm, the language seems to focus on the degree of harm rather than the number of users affected, but presumably to become a priority a certain quantity of people will need to be affected. It is unclear what factors Ofcom will take into account here, but its prioritisation framework suggests that impact on children would be a significant factor (Vol 6, para 29.52). In the end, much will depend on this – as well as the court’s views as to the level of proof required to satisfy the tests in the OSA.