The Online Safety Act: scrutiny, safeguards and civil liberties 

By: Kate Dewsnip

On 27 October 2023 the controversial Online Safety Bill received Royal Assent and was enacted into law. The Online Safety Act 2023 (OSA), which the Government claims will make the UK the ‘safest place in the world to be online’, imposes various duties of care on ‘service users’ (social media operators) to prevent and remove ‘illegal content’ and ‘content and activity that is harmful to children’. The purpose of the Act is ultimately to ensure online safety, not just for children, but for all internet users. 

Under s.1 of the Act, Ofcom, the UK’s independent media regulator, is tasked with overseeing and ensuring compliance with the new legal regime. Prior to the Act’s implementation, Ofcom is obligated to publish draft guidance documents and codes of practice that will detail the specific statutory duties service users will be subject to under the new legal framework. All of these draft codes of conduct and guidance must be consulted on and receive Parliamentary approval before the OSA’s statutory regime will become operational.

On 9 November, Ofcom published the first of four draft codes and guidance documents related to ‘illegal harms.’ The summary document, issued alongside the draft codes and guidance, provides a user-friendly guide for companies affected by the new regulations that highlights and explains the forthcoming legal changes. Ofcom will now commence a period of major consultation on these specific draft guidelines and codes of practice before laying them before Parliament. 

The passage of new legislation to ensure online safety was long overdue. The rapid advancement of technology, coupled with the failure of service users to self-regulate, created a dangerous and risky online environment that urgently required independent regulation. Indeed, the Government’s legislative intent has been clear for a long time as the OSA was first referenced in a 2017 government Green paper. Rather unusually, however, the Act took over five years to pass through all stages of the legislative process as it was subject to extensive pre-legislative scrutiny. The resulting Act is extremely large and (arguably overly) complex and, despite extensive scrutiny, has still attracted significant criticism. Not only have those working within the social media industry been critical, but human rights campaigners have condemned the Act’s failure to safeguard individuals’ freedom of expression. 

In this blog I intend to take a closer look at the passage of the OSA, examining the pre-legislative scrutiny mechanisms it was subject to, and exploring the various objections that were raised by interested parties throughout the legislative process.

The OSA’s passage

The OSA was first introduced to Parliament on 12 May 2021, but prior to the publication of the draft bill, the Government published the Online Harms White Paper which laid out their policy agenda and proposed legislative framework. Consultation on these proposals then commenced. The Government published responses to the consultation process in part in April 2019 and in full in December 2020. It was at this point that freedom of expression concerns were initially raised in response to the proposals. The Government responded by assuring interested parties that safeguards for fundamental rights had been built throughout the new framework. It was also decided following initial consultation that Ofcom would be appointed as the official regulator of the new regime. Interestingly, the Government also expressed a commitment at the consultation stage to incorporate any new criminal offences made by the Law Commission into the body of the Bill.

Following the consultation stage, the Bill was subject to formal pre-legislative scrutiny by the Joint Committee on the Draft Online Safety Bill. The Committee’s final report ultimately made 127 separate recommendations after holding over 30 hours of public evidence, reading over 200 pieces of written evidence and speaking to over 50 expert witnesses. 

Prior to recommending any substantive changes, the Committee was keen to highlight that, in their view, the Bill was ‘overly complex’ and ‘lacked clarity’ in certain aspects. An initial recommendation was consequently made to restructure the Bill: objectives should be set out clearly at the beginning of the Bill in order to enhance clarity and accessibility. In relation to the content of the Bill, key recommendations included the following: incorporate the new communications offences recommended by the Law Commission; societal harms caused by ‘fake news’ should be addressed in the Bill; and the planned Clause 11 provision that dealt with ‘legal but harmful’ content should be removed and replaced (content that encourages self-harm, eating disorders and suicide would fall into this category). The Committee also stressed throughout their report that more guarantees regarding the safeguarding of fundamental rights should be provided within the Bill. 

In total, the Government chose to accept 66 of the Joint Committee’s recommendations. In particular, the Government accepted recommendations relating to the incorporation of new criminal offences, anonymity provisions and (in part) ‘legal but harmful’ content. The Government did not agree with the Committee’s recommendation to restructure the Bill as they believed complexity was necessary to create a workable framework. Furthermore, they chose not to accept the Committee’s recommendation to include ‘societal harms’ under the umbrella of ‘illegal harms’ regulated by the Bill due to potential infringement of Article 10 rights. 

Following the Joint Committee’s report, the House of Commons Digital, Culture, Media and Sport Committee (DCMS Committee) also published a pre-legislative report on the Bill. The DCMS Committee echoed a number of the Joint Committee’s concerns but took a number of their recommendations even further. In particular, it was recommended that the definition of ‘legal but harmful’ should explicitly include content that undermines national security, public health, public order and content that intends to interfere with elections. 

By the time the Online Safety Bill reached the final stages of its legislative journey, the Bill had been significantly amended from the first draft that entered Parliament in May 2021. Most notably, in November 2022, the Government made the decision to remove all provisions relating to ‘legal but harmful’ content. Parliamentary concern around the threat the ‘legal but harmful’ provisions posed to free speech ultimately slowed the Bill’s progression and led the Government to remove them all together. Labour have since been highly critical of this decision arguing it ‘weakened’ the Bill, giving a ‘free pass to abusers’ and that its passage was taking the public ‘for a ride’. 

Despite dropping a number of the more contentious provisions prior to enactment, many still claim the OSA presents a significant threat to personal privacy by facilitating censorship and encouraging Government intrusion. Specifically s.116 of the Act seemingly requires service providers to break end-to-end encryption in order to scan public and private channels for illegal content which, many claim, threatens privacy and cyber-security in the UK. It also risks significant state surveillance. A number of messaging platforms, including WhatsApp, have threatened to remove their service from the UK if they are forced to break encryption. Despite these threats, the Government has insisted that s.116 of the Act poses no genuine risk of surveillance and nor does it breach privacy rights. 

Analysis

There’s no denying that the OSA was subject to an extraordinary amount of pre-legislative scrutiny, nor is it deniable that, as a result of this heightened scrutiny, the Act took an abnormally long time to reach the statute book. Thus, an interesting question arises: was the enhanced scrutiny valuable enough to justify the additional time taken? 

Clearly extensive scrutiny was highly beneficial at the policy setting stage as the Government was able to consult extensively with industry experts, stakeholders and the wider public and was responsive to policy suggestions. Undoubtedly the ability to consult at an early stage positively impacted the eventual Act’s workability and political coherence. Similarly, the ability to incorporate the Law Commission’s recommendations into the Bill was clearly highly influential to the entire legislative framework. The Government did also choose to accept a significant number of select committee recommendations during the pre-legislative stage. Key recommendations made by both the Joint Committee and the DCMS were incorporated which will have aided the overall clarity and efficacy of the Bill’s legal and political policy. Last, the Government were receptive to various amendments tabled by parliamentarians during the later legislative stages. 

Conversely, not all of the key committee recommendations were accepted. In particular, the Government’s failure to restructure the OSA to make it more accessible and coherent raises rule of law concerns (and potentially issues of fair warning in relation to the newly created criminal offences). Furthermore, despite such extensive consultation and scrutiny, many are still unhappy with the content of the OSA. As noted above, the decision to remove the more ‘contentious’ elements of the Bill relating to ‘legal but harmful’ has garnered widespread criticism, whereas as many others still believe the Act poses a significant threat to rights and civil liberties. In particular, concerns subsist around the breaking of end-to-end encryption. Until Ofcom publishes their draft codes of practice that relate to s.116 of the Act, and the picture becomes clearer about how it will be utilised in practice, it is too soon to judge the validity of these claims. In theory, however, this provision has the potential to significantly interfere with an individuals’ right to privacy. It will be interesting to observe whether s.116 will be subject to any future legal challenges in the courts.

On a separate but related note, some have flagged the Act’s over-reliance on secondary legislation and non-statutory guidance as concerning. Indeed, total reliance on Ofcom, an unelected body, to regulate and enforce the new statutory regime is constitutionally dubious. Arguably greater scope for parliamentary oversight should have been built into the Act. 

Ultimately time will tell whether the OSA proves to be a success. Perhaps the production of an effective and workable legal framework will vindicate the legislative time lost to scrutiny, but at a time when new regulation was desperately required, the amount of time taken for the OSA to reach the statute books is hard to ignore. 

Kate Dewsnip. 

Kate is a Graduate Teaching Fellow and PhD candidate at the University of Liverpool School of Law and Social Justice. She is a contributing writer for the Constitution Society. 

The Constitution Society is committed to the promotion of informed debate and is politically impartial. Any views expressed in this article are the personal views of the author and not those of The Constitution Society.