Online Safety Act Network

OSA Codes of Practice: bridging duties and compliance

Under the Online Safety Act 2023 (OSA), Ofcom is required to prepare and issue Codes of Practice (CoP) for Part 3 service providers (U2U and search services), setting out measures recommended for compliance with specified duties, bearing in mind the principles in Schedule 4. The CoPs relate to the design, operation and use of services in the UK (or as they affect UK users of the service) but apply to providers of such services regardless of whether or not they are inside the UK.

The significance of the CoPs in the context of the OSA duties is addressed in section 49, which envisages two ways in which in-scope providers can comply with their relevant statutory duties: (a) compliance through recommended measures; and (b) compliance through alternative measures, but with caveats.

So, service providers have a choice. They can implement the measures recommended in Ofcom’s CoPs (and if they choose to do so, they will be treated as complying with the relevant duty), or they may seek to comply with a relevant duty in another way, subject to explaining what steps they have taken and how those steps align with their statutory obligations.

Section 49 serves as the bridge between duties outlined in the Act and compliance measures for service providers. It articulates that compliance with relevant duties is achieved by adopting the measures recommended in the CoPs. Specifically, it states that a service provider:

“is to be treated as complying with a relevant duty if the provider takes or uses the measures described in a code of practice which are recommended for the purpose of compliance with the duty in question”.

This means that services which implement the measures the regulator’s CoPs recommend for them, given the kinds of illegal harm, the size of the service and the level of risk indicated, will be deemed compliant with the relevant duty, and Ofcom will not take enforcement action against those services for breach of that duty.

According to the general interpretation provisions of the Act under section 236(1), any reference to a “measure” includes:

“a reference to any system or process relevant to the operation of an internet service or any step or action which may be taken by a provider of an internet service to comply with duties or requirements under this Act” (our emphasis).

One implication of this provision in this context is that the obligations to take or use measures – notably those set out in the non-exhaustive lists under sections 10(4) and 12(8) for U2U services and sections 27(4) and 29(4) for search services – are not limited to specific types of technology but extend to processes as well. Ofcom’s recommended measures, mapped against the relevant duties in indexes of recommended measures – see Annex 7, pp 6-10 (U2U) and Annex 8, pp 6-9 (search) – include not only technology, e.g., hash matching for CSEAM and keyword detection regarding articles for use in frauds, but also process-driven recommendations, such as internal monitoring and assurance, dedicated reporting channels, etc.[1]

Ofcom is not precluded from offering illustrative examples of good or best practice when making recommendations of a procedural nature, provided those recommendations meet the clarity requirement in Schedule 4, para 2b.

Indeed, it is arguable that Ofcom could make more use of objective-focussed process obligations to cover gaps in mitigation that currently exist in the recommended measures. There are many instances where a functionality has been found to be problematic in Vol 2 and for the purposes of the risk register, but where Vol 4 finds the evidence for the corresponding solutions not specific enough to justify a specific technical recommendation.

Also, Ofcom can iterate on CoPs. In the event of identifying potential risks in services that are not adequately addressed by the existing CoPs, and where transparency measures prove ineffective, Ofcom has the authority to update and enhance the Codes (see sections 47(1) and 48 of the Act). This, of course, has the disadvantage of introducing further delays to the effective implementation of the regime.

Where service providers implement measures recommended to them in the CoPs, which include safeguards for the protection of freedom of expression and users’ privacy, the OSA provides that they will also be treated as complying with the duties set out in sections 22(2) and 33(2) (freedom of expression) and sections 22(3) and 33(3) (privacy) for U2U and search services respectively.

Providers of U2U and search services are obliged to keep written records explaining which of the measures recommended in a CoP they are taking for the purposes of complying with their duties (sections 23(3) and 34(3) of the OSA). In addition, they must regularly review compliance with the duties and do so again after making any significant change to their service (sections 23(6) and 34(6) of the Act).

2. Alternative measures with caveats

While providers are encouraged to adhere to the recommended measures, they are “not obliged to follow” a CoP (OSA EN, para. 302). Should a provider choose an approach different from that recommended by Ofcom, this does not necessarily indicate a failure to fulfil its duties. Section 49(5) of the OSA acknowledges that service providers may seek to comply with a relevant duty by adopting alternative measures; when “acting otherwise”, however, the Act emphasises that service providers must also comply with the duty to have particular regard to the importance of protecting users’ right to freedom of expression within the law and users’ privacy.

Both U2U and search service providers are required to maintain records of any alternative measures taken. These should set out the actions taken and demonstrate how those measures align with the relevant duties (sections 23(4) and 34(4) of the OSA). As with services opting to comply through the CoP-recommended measures, those choosing to act otherwise need to schedule regular reviews to ensure a continuous cycle of implementation, monitoring and review.

Ofcom will assess the appropriateness of alternative measures by considering the extent to which they cover all the areas of the service mentioned in sections 10(4), 12(8), 27(4) or 29(4) of the Act and, where relevant, the extent to which users’ freedom of expression and privacy rights have been safeguarded.

  1. Ofcom’s recommended measures are grouped under thematic areas covering: governance and accountability; content moderation; reporting and complaints; terms of service; default settings and user support for child users; recommender system testing; enhanced user controls; and user access.