Following the publication of its initial response in February 2020, the government has now published a full response to its consultation on the Online Harms White Paper.

The UK government confirmed its plans to introduce a new regulatory framework, enshrined in law through the upcoming Online Safety Bill (the “OSB”), which will make companies take responsibility for the safety of their users. This will be done by imposing a statutory duty of care upon in-scope companies and will usher in a new age of accountability. The new framework will be introduced in 2021 and will be overseen and enforced by OFCOM.

Who will the Online Safety Bill apply to?

The government’s new regulatory framework will apply to companies whose services:

  • Host user-generated content which can be accessed by users in the UK;
  • Facilitate public or private online interaction between service users, one or more of whom is in the UK; and/or
  • Involve the provision of search engines.

The OSB will apply to any in-scope companies which provide services to UK users, regardless of where they are based in the world. Examples of in-scope services include: social media platforms, consumer cloud storage sites, video sharing platforms, online instant messaging services, video games allowing interaction with other players, and online marketplaces. Despite this seemingly broad scope, the government anticipates that only a small proportion of UK companies (fewer than 3%) will fall within the scope of the OSB when factoring in the exemptions set out below.

Exemptions under the Online Safety Bill

The new regulatory framework will not apply to:

  • Business-to-business services;
  • Services which play a functional role in enabling online activity, such as internet service providers;
  • Many low-risk businesses (such as retailers who offer only product and service reviews);
  • Content published by a news publisher on its own site (e.g. on a newspaper or broadcaster’s website) and user comments on that content. In order to protect media freedom, legislation will include robust protections for journalistic content shared on in-scope services;
  • Online services managed by educational institutions, where those institutions are already subject to sufficient safeguarding duties or expectations; and
  • Email and telephony.

What harmful content or activity will the Online Safety Bill apply to?

The OSB will provide a general definition of which harmful content will be in scope. Content will be deemed to be harmful where it gives rise to a reasonably foreseeable risk of a significant adverse physical or psychological impact on individuals. Secondary legislation will set out a limited number of prioritised categories of harm which pose the greatest risk to users. These prioritised categories will be:

  • Criminal offences (including child sexual exploitation and abuse, terrorism, hate crime and sale of illegal drugs and weapons);
  • Harmful content and activity affecting children, such as pornography or violence; and
  • Harmful content and activity that is legal when accessed by adults but which may be harmful to them, such as abuse and content about eating disorders, self-harm or suicide.

The OSB will not deal with harms that are covered by other regimes, such as breaches of intellectual property rights, data protection legislation, defamation, fraud, cyber breaches or hacking.

A Tiered System and Duties upon In-Scope Companies

The government will categorise content and activities into “Category 1 Services” and “Category 2 Services”. Most companies will be deemed to be providers of the latter.

All in-scope companies will be required to take proportionate steps in order to address illegal content and activity, and to protect children from harmful content. Those companies which are deemed to be providers of Category 1 Services will, in addition, be subject to more onerous obligations, including:

  • The need to take steps in relation to content or activity which is legal but which may be harmful to adults;
  • Taking proactive steps to address illegal content;
  • Providing extra protections for children; and
  • Submitting transparency reports to OFCOM on how they are addressing online harms.

To comply with the duty of care, all in-scope companies will be required to understand the risks of harm to their users and to have systems/processes in place to improve user safety. The OSB will set out several guiding principles and codes of practice which companies must have regard to when implementing these. In the meantime, the UK government has released interim codes of practice on terrorist content and activity online, as well as child abuse and exploitation.


OFCOM will have a range of enforcement mechanisms available to it, which include:

  • Fines of up to £18 million or 10% of global turnover (whichever is higher);
  • Business disruption measures (including directions to withdraw services or directions to block services from being accessed in the UK); and
  • Power to issue directions and notices of non-compliance.

OFCOM will not investigate individual cases of alleged non-compliance but will implement a “super-complaints” function to enable organisations acting on behalf of several users to raise systemic compliance concerns. OFCOM will also establish mechanisms for user advocacy, to ensure users’ experiences and concerns are being heard and acted upon. The government will moreover establish a statutory appeals procedure.

The government has also suggested that it may introduce criminal sanctions which could be leveraged against senior management of those companies which fail to meet their statutory duty of care.

Next Steps

The OSB, which will set out the statutory framework for the government’s full response to its consultation, is due to be introduced in 2021. It is worth noting that the legislative process of enacting the OSB will provide a number of opportunities for debate and amendments. The Law Commission is also expected to provide clarity on whether or not to introduce additional criminal offences to adequately protect victims from online harms.

In the meantime, companies whose services are caught by the new regime should begin to take preparatory steps to ensure compliance for when the OSB is formally introduced. Such steps include:

  • Ensuring compliance with the interim codes of practice published thus far; and
  • Preparing or revising existing policies, procedures and systems governing the use of such platforms.


How can we help?

If you have any questions in relation to the issues raised in this article, please contact Andrew Dunlop or your usual Burges Salmon contact.

This article was written by Olivia Ward and Vishal Babu.