The UK Online Safety Act 2023 (OSA or Act) is a landmark law reshaping how platforms like X (formerly Twitter), Instagram, Threads and Bluesky operate in the UK. It also impacts search applications, pornographic content, gaming platforms and AI generated content platforms.
With a strong focus on protecting democratic content, increasing transparency, and curbing hate speech, the Act imposes strict obligations on platforms to balance user safety with free expression. One of the primary focuses of the OSA is to protect children from harmful content however it also aims to protect against hate speech and threats to democracy.
This know-how page explores how the changes required by the OSA will affect the policies, algorithms, and content management system for social media platforms and AI generated applications with a focus on its impact for adults and social media and social networks.
Major Compliance Deadline: Providers now have a duty to assess the risk of illegal harms on their services, with a deadline of 16 March 2025. Providers will need to take the safety measures set out in the Codes or use other effective measures to protect users from illegal content and activity.
The OSA represents a significant regulatory shift, especially for platforms like regulated internet services that play a pivotal role in public discourse.
By enhancing transparency, refining algorithms, and protecting democratic content, regulated internet services have the opportunity to demonstrate leadership in compliance and user safety. However, navigating these new requirements will require substantial effort, resources, and innovation.
As Ofcom enforces the Act, the response of regulated internet services providers will set a precedent for how social media platforms can adapt to an evolving regulatory landscape.
However, there are significant concerns that Ofcom (and by extension the UK Govt) will be slow and timid in its roll out of key aspects of the OSA and in its guidance and enforcement action.
Humility is clearly not going to work with persons that wish to undermine democratic institutions and freedom of expression. Any further delays in rolling out the core obligations (particularly for Category 1 services) are going to be deeply damaging to UK democracy.
Read: Time for tech firms to act: UK online safety regulation comes into force
Is Ofcom about to delay action on fake and anonymous accounts until 2027?
Their new ‘Duty of Care’
Illegal content (including hate crimes)
Protecting children from ‘harmful content’ including grooming, bullying and harassment
Ensuring transparency
Protecting journalistic content and democratic discourse; and
Managing algorithmic impacts.
Other than the duty of care and the requirement to protect all UK persons from illegal content and children from online harm, the full scope of the duties depends on the categorisation of the services provider.
The OSA requires providers to take extra measures to protect children even if the content is not illegal content.
The OSA requires services to proactively prevent children from encountering primary priority content, which includes pornography, content promoting self-harm, eating disorders, or suicide. This is a central focus of the legislation for protecting children from the most harmful content.
The OSA mandates services to protect children from priority content, such as bullying, hate speech, and violent content. Services are expected to tailor these protections to specific age groups based on the risks identified.
The OSA also obligates services to assess risks associated with non-designated harmful content through children’s risk assessments and implement measures to mitigate these risks.
Regulated Services: Encompasses internet services, user-to-user services, and search services that meet specific thresholds defined in the Act.
User-to-User Services: These are internet services where users can generate, upload, or share content accessible to others on the same platform.
Examples include social media platforms, forums, and collaborative applications.
This includes AI image and AI content generation platforms (like grok, chatgpt, gemini etc).
The definition is comprehensive, capturing services even if user interaction is not a primary feature. Exemptions apply to limited functions like private business communications and one-to-one messaging services such as email and SMS/MMS.
Search Services: These include any internet service functioning as a search engine, allowing users to search across websites or databases.
This category extends beyond traditional search engines (like Google) to any platform offering a search or filtering capability, such as websites with tag-based filtering.
Services operating as both user-to-user and search services are classified as “combined services” and must comply with the obligations of both categories
Internet Services: An internet service, other than a regulated user-to-user service or a regulated search service, that is within 80 (2) or Schedule 2 (primarily related to pornographic content).
See Frequently Asked Questions (FAQs) further below for out of scope services.
All online regulated services within scope of the OSA must protect UK users from illegal content and, where applicable, protect children from online harm. However, additional more detailed obligations apply to specified categories of service provider.
The OSA, and additional regulations to be published pursuant to it, are expected to categorise services providers as follows:
Category 1: Services with a significant number of UK users and functionalities that pose higher risks of harm. Ofcom has advised that this category should capture services that meet one of the following criteria:
Use content recommender systems and have more than 34 million UK users (approximately 50% of the UK population).
Allow users to forward or reshare user-generated content, use content recommender systems, and have more than 7 million UK users (approximately 10% of the UK population).
Category 2A: Services with a moderate reach and risk profile, likely to be the highest reach search services. Ofcom recommends that this category include search services (excluding vertical search engines) with over 7 million UK users.
Category 2B: Services with a moderate reach and risk profile, likely to be other user-to-user services with potentially risky functionalities or characteristics. Ofcom recommends that this category target services allowing direct messaging, with over 3 million UK users.
Once the thresholds are set, Ofcom will publish a register of categorized services in the summer of 2025. Ofcom anticipates that the final thresholds will result in 35 to 60 services being categorised. Most in-scope service providers will not be categorised (as they will not be sufficiently large) and so will not be subject to the additional category duties (summarised below).
Ofcom Guide to Categories and Requirements
Ofcom have recently published a summary of their decisions in their Illegal Harms statement (the “Statement”) which outlines which services they relate to. It sets out:
The detailed measures they are recommending for user-to-user (U2U) services;
The detailed measures they are recommending for search services;
Their guidance for risk assessment duties, applicable to all U2U and search services; and
Their guidance for record-keeping and review duties, applicable to all U2U and search services.
The guidance sets out more than 40 safety measures that must be introduced by March 2025.
Governance and Accountability
Regular reviews of risk management activities and internal monitoring.
Clear designation of an individual responsible for illegal content safety and reporting.
Documented responsibilities and codes of conduct for staff.
Tracking of emerging illegal harms.
Content Moderation
Implementation of content moderation systems (both human and automated).
Establishment of internal content policies and performance targets.
Prioritisation and resourcing of content review efforts.
Training for content moderation staff and provision of materials for volunteers.
Reporting and Complaints
Mechanisms for user complaints and reporting of illegal content.
Clear communication and timelines for handling complaints.
Processes for handling appeals and specific types of complaints.
User Controls and Support
Safety features for child users (e.g., default settings).
Terms of service that are clear and accessible.
Support services for child users.
Tools for user blocking and muting.
Additional Measures
Specific measures for recommender systems (e.g., safety metrics collection).
Removal of accounts associated with proscribed organizations.
Labeling schemes for notable users and monetized content.
Dedicated reporting channels for trusted flaggers.
Search-Specific Measures
Moderation of search results and predictive search suggestions.
Provision of content warnings and crisis prevention information.
Publicly available statements about content safety measures.
Ofcom Statement: Protecting people from illegal harms online
Free Speech: Regulated category 1 service providers must safeguard diverse political opinions, journalistic content, and democratic discourse while complying with moderation obligations.
Algorithm Transparency: All categorised service providers must provide detailed disclosures about how algorithms identify harmful content, moderate misinformation, and serve recommendations will be required.
Protect Children from Harm: All providers must take extra measures to protect children even if the content is not illegal content.
Harmful and Criminal Content Management: All providers must implement robust systems to detect and remove illegal criminal content and provide clear reporting tools for users. Category 1 providers must also take extra measures to enable adult users to reduce their exposure to legal but potentially harmful content.
User Control & Identity Verification: Category 1 providers must empower users with tools to manage their online experience such as use of personalised filters and ID verification.
Codes of Practice: Managing and understanding the practical compliance obligations for providers and users will be with reference to Ofcom guidance and codes of practice which assist to interpret the law. Under the OSA, Ofcom is required to prepare and issue the following separate Codes of Practice:
Codes of Practice for terrorism content
Codes of Practice for child sexual exploitation and abuse (CSEA) content
Codes of Practice for the purpose of compliance with the relevant duties relating to illegal content and harms.
Illegal content is defined broadly to encompass a wide range of what are known as priority offences. These include:
Terrorism: Content that promotes, glorifies, or incites terrorism
Child Sexual Exploitation and Abuse (CSEA): Material depicting or promoting child abuse
Sexual Exploitation of Adults
Threats, Abuse & Harassment including Hate Crimes: Content that incites violence or hatred based on protected characteristics.
Unlawful Pornographic Content: image based sexual offences.
Fraud: Deceptive or misleading content intended to defraud users.
Suicide: Assisting or encouraging suicide.
Buying/Selling unlawful items: e.g. buying or selling drugs or weapons.
See the Ofcom Background Guidance (‘Protecting people from illegal harms online’) for more information.
Illegal Content Judgments
Providers must conduct “suitable and sufficient” Illegal Content Risk Assessments (ICRAs) that consider the risks of users encountering illegal content, including “priority illegal content”.
Providers must make illegal content judgments based on “reasonable grounds to infer,” a lower threshold than the criminal standard of “beyond reasonable doubt.” This means that there must be reasonable grounds to infer that:
The conduct element of a relevant offense is present or satisfied.
The state of mind element of that same offense is present or satisfied.
There are no reasonable grounds to infer that a relevant defense is present or satisfied.
Freedom of expression and privacy must be considered when making these judgments.
When service providers are alerted to the presence of illegal content or are aware of its presence in any other way, they have a duty to operate using proportionate systems and processes designed to “swiftly take down” any such content. This is referred to as the “takedown duty”.
Ofcom has issued the Illegal Content Judgements Guidance (ICJG) to support providers in understanding their regulatory obligations when making judgments about whether content is illegal under the OSA. It provides guidance on how to identify and handle illegal content, while considering freedom of expression and privacy. The ICJG outlines the legal framework for various offenses, the importance of context, jurisdictional issues, and the handling of reports and flags. It also offers specific guidance on various offense categories including the conduct and mental elements, as well as relevant defences.
User to User services: For the purposes of brevity given the scope of the OSA, I will focus on user to user services Codes and Guidance (as the most relevant category for social network platforms like X). The Illegal content Codes of Practice for search services is available here.
The draft Illegal content Codes of Practice for user-to-user services has been published with measures recommended for providers to comply with the following duties:
The illegal content safety duties set out in section 10(2) to (9) of the Act;
The duty for content reporting set out in section 20 of the Act, relating to illegal content; and
The duties about complaints procedures set out in section 21 of the Act, relating to the complaints requirements in section 21(4).
Section 3 of the document provides an index of recommended measures, including the application, relevant codes, and relevant duties for each measure. The recommended measures cover a range of areas, including governance and accountability, content moderation, reporting and complaints, recommender systems, settings, functionalities and user support, terms of service, user access, and user controls.
The recommended measures are set out in Section 4 of the document and are divided by thematic area:
Governance and Accountability
Large services should conduct an annual review of risk management activities related to illegal harm in the UK.
All services should designate an individual accountable for compliance with illegal content safety and reporting/complaints duties.
Large or multi-risk services should:
have written statements of responsibilities for senior managers involved in risk management.
have an internal monitoring and assurance function to assess the effectiveness of harm mitigation measures.
track and report evidence of new or increasing illegal content.
have a code of conduct setting standards for protecting users from illegal harm.
provide compliance training to individuals involved in service design and operation.
Content Moderation
All services should have a content moderation function to review and assess suspected illegal content and take it down swiftly.
Large or multi-risk services should:
set and record internal content policies, performance targets, and prioritize content for review.
provide training and materials for content moderators (including volunteers) and use hash-matching to detect CSAM.
Reporting and Complaints
All services should have accessible and user-friendly systems for reporting and complaints, and take appropriate action on complaints.
Larger services and those at risk of illegal harm should provide information about complaint outcomes and allow users to opt out of communications.
Specific requirements apply to handling complaints that are appeals or relate to proactive technology.
Recommender Systems
Services conducting on-platform testing of recommender systems and at risk of multiple harms should collect and analyse safety metrics.
Settings, Functionalities and User Support
Services with age-determination capabilities and at risk of grooming should implement safety defaults for child users and provide support.
All services should have terms of service that address illegal content and complaints, and these terms should be clear and accessible.
User Access
All services should remove accounts of proscribed organizations.
User Controls
Large services at risk of specific harms should offer blocking, muting, and comment-disabling features.
Notable User and Monetised Labelling Schemes
Large services with labelling schemes for notable or monetized users should have policies to reduce the risk of harm associated with these schemes.
Implementing the recommended measures will involve the processing of personal data, and service providers are expected to comply fully with data protection law when taking measures for the purpose of complying with their online safety duties.
The purpose of ICRAs are to help service providers understand how different kinds of illegal harm could arise on their service and what safety measures need to be put in place to protect users. ICRA’s must be ‘suitable and sufficient’ for a provider to meet their OSA obligations.
The Risk Assessment Guidance and Risk Profiles recommends that service providers consider two main types of evidence when conducting a risk assessment:
Core inputs: This type of evidence should be considered by all service providers and includes risk factors identified through the relevant Risk Profile, user complaints and reports, user data (such as age, language, and groups at risk), retrospective analysis of incidents of harm, relevant sections of Ofcom’s Register of Risks, evidence drawn from existing controls, and other relevant information (including other characteristics of the service that may increase or decrease the risk of harm).
Enhanced inputs: This type of evidence should be considered by large service providers and those who have identified multiple specific risk factors for a kind of illegal content. Examples of enhanced inputs include results of product testing, results of content moderation systems, consultation with internal experts on risks and technical mitigations, views of independent experts, internal and external commissioned research, outcomes of external audit or other risk assurance processes, consultation with users, and results of engagement with relevant representative groups.
The different types of illegal content that must be assessed are:
The 17 kinds of priority illegal content: Terrorism, Child Sexual Exploitation and Abuse (CSEA) (including Grooming, Child Sexual Abuse Material (CSAM), Hate, Harassment, stalking, threats and abuse, Controlling or coercive behaviour, Intimate image abuse, Extreme pornography, Sexual exploitation of adults, Human trafficking, Unlawful immigration, Fraud and financial offences, Proceeds of crime, Drugs and psychoactive substances, Firearms, knives and other weapons, Encouraging or assisting suicide, Foreign interference, and Animal cruelty.
Other illegal content: This includes non-priority illegal content as described in the Register of Risks and potentially other offences depending on the specific service and evidence available.
Additional factors that service providers should consider when carrying out an illegal content risk assessment:
Service characteristics: The characteristics of the service, such as its user base (e.g., age, language, vulnerable groups), functionalities (e.g., live streaming, anonymous posting), and business model, can affect the level of risk.
Risk factors: The Risk Profiles published by Ofcom identify specific risk factors associated with each type of illegal content. Service providers should consider these risk factors and any additional factors specific to their service.
Likelihood and impact of harm: The assessment should consider the likelihood of each type of illegal content occurring on the service and the potential impact of that content on users and others.
Existing controls: The effectiveness of any existing measures to mitigate or control illegal content should be considered.
Evidence: Service providers should use a variety of evidence to inform their risk assessment, including user complaints, data analysis, and external research.
Categorised service providers also have the following additional duties regarding their illegal content risk assessments:
Publication of Summary: They must publish a summary of their most recent illegal content risk assessment. Category 1 services must include this summary in their terms of service, while Category 2A services must include it in a publicly available statement. The summary should include the findings of the assessment, including the levels of risk and the nature and severity of potential harm to individuals.
Provision of Assessment to Ofcom: They must provide Ofcom with a copy of their risk assessment record as soon as reasonably practicable after completing or revising it.
The Online Services Act (s.61) defines content that is harmful to children as:
‘Primary priority content’ being:
Pornographic content
Content which encourages, promotes or provides instructions for suicide.
Content which encourages, promotes or provides instructions for an act of deliberate self-injury.
Content which encourages, promotes or provides instructions for an eating disorder or behaviours associated with an eating disorder.
Section 62 defines other priority content that can be harmful to children and must be managed appropriately. It includes:
Bullying and cyberbullying
Abusive or hateful content
Content depicting or encouraging serious violence
Content promoting dangerous stunts or challenges
Content encouraging the ingestion or exposure to harmful substances
Platforms must ensure that access to this type of content is age-appropriate and that protections are in place for children
The OSA prioritises protecting UK users from online harms.
(1)This Act provides for a new regulatory framework which has the general purpose of making the use of internet services regulated by this Act safer for individuals in the United Kingdom. (2)To achieve that purpose, this Act (among other things)—
(a)imposes duties which, in broad terms, require providers of services regulated by this Act to identify, mitigate and manage the risks of harm (including risks which particularly affect individuals with a certain characteristic) from—
(i)illegal content and activity, and
(ii)content and activity that is harmful to children, and
(b)confers new functions and powers on the regulator, OFCOM.
Identity verification is linked to user empowerment features, as platforms must offer adult users the ability to:
Ofcom is expected to provide guidance for Category 1 services on implementing identity verification, with a focus on ensuring availability for vulnerable adult users.
General Considerations
The OSA imposes specific obligations on Category 1 services due to their reach and influence. These rules aim to safeguard the diversity of opinions and the integrity of democratic debate whilst minimising harmful speech. See also ‘Democratic Threats‘ below.
Key Requirements
Content of Democratic Importance: Providers must ensure moderation processes do not disproportionately suppress political opinions or stifle democratic discussion. This includes protecting content from verified news publishers, journalistic pieces, and user-generated contributions to political debates.
Equal Treatment of Opinions: Decisions about content moderation must respect free expression and avoid bias against particular political viewpoints. This includes avoiding overzealous removals under policies aimed at combating misinformation or hate speech.
Protection of Journalistic Content: Articles and posts deemed to have journalistic value must not be unjustly removed or suppressed, ensuring the platform remains a space for investigative reporting and public interest stories. Platforms must protect:
Verified news publishers’ content.
Journalistic content, even if shared by individual users.
User-generated contributions to political debates.
While regulated internet services are required to remove illegal or harmful content, the OSA emphasises the need to uphold free speech. Providers must develop policies and systems that balance protecting users from harm and allowing diverse viewpoints to flourish.
The requirement for transparency reports that include moderation policies and actions will be crucial here
Detailed Reporting: all categorised regulated internet services must publish annual transparency reports explaining their algorithms’ role in content moderation and misinformation detection. These reports should detail the volume of flagged and removed content, alongside the impact of moderation algorithms on users.
Proactive Technology Disclosure: providers must disclose any automated systems, such as machine learning tools, used to detect harmful or illegal content.
Terms of Service Clarity: providers must clearly explain its policies on algorithmic decision-making, especially regarding content of democratic importance and misinformation
The Act promotes user choice and control by requiring platforms to provide tools that help users manage their online experience. For example:
Users can thereby gain more insight into how recommendation systems work.
Platforms could be required to offer non-personalised feeds that reduce reliance on algorithm-driven content.
Category 1 services must provide adult users with control features that effectively:
Reduce the likelihood of encountering specific types of legal but potentially harmful content, such as content promoting suicide, self-harm, or eating disorders.
Offer features to filter out interactions with non-verified users.
Clearly explain the available control features and their usage in the terms of service.
Algorithms are central to how regulated internet services moderate content, serve recommendations, and filter harmful material. The Act introduces transparency and accountability measures to ensure these algorithms and systems are safe and fair:
Providers must be transparent about how their algorithms function and the potential impact on users’ exposure to illegal content.
They must include provisions in their terms of service or publicly available statements that specify how individuals are protected from illegal content, including details about the design and operation of algorithms used.
Additionally, they must provide information about any proactive technology used for compliance, including how it works, and ensure this information is clear and accessible.
Category 1 providers have an additional duty to summarise the findings of their most recent ICRAs in their terms of service, including the level of risk associated with illegal content. Factors like the speed and reach of content distribution facilitated by algorithms must be considered. These assessments must be updated regularly to reflect changes in Ofcom’s Codes of Practice (COPs), risk profiles, and the provider’s business practices.
Safer Algorithms for Children: If regulated internet services are accessed by children, their algorithms must minimise exposure to harmful content. This includes age-appropriate design measures and risk assessments targeting features that could harm younger users.
AI Chatbots: It is very likely services such as ChatGPT, Gemini, Perplexity etc will be categorised as a user-to-user service, as they allow users to interact with a Generative AI chatbot and share chatbot-generated text and images and other user genrated content with other users.
Art: Services such as Midjourney (Art) are also in scope.
Generative AI Tools and Pornographic Content: Services featuring AI tools capable of generating pornographic material are additionally regulated and must implement highly effective age assurance measures to prevent children from accessing such content.
Generative AI and Search Services: AI tools enabling searches across multiple websites or databases are considered search services under the OSA. This includes tools that modify or augment search results on existing search engines or offer live internet results on standalone platforms. Consequently, these AI-powered search services will need to comply with the relevant duties outlined in the Act.
Combating hate speech is a cornerstone of the OSA. Regulated providers must take decisive measures to reduce the prevalence of illegal hate speech and implement systems for detection, reporting, and removal of hate speech.
Key Duties for Platforms
Illegal Content Detection: Hate speech is classified as priority illegal content, requiring regulated internet services to identify and remove such material promptly.
Risk Assessments: Regulated providers must evaluate the risks of hate speech on their platform and develop proportionate systems to manage and mitigate these risks.
Clear Reporting Mechanisms: The platform must provide users with accessible tools to flag hate speech. Reports must be acted upon swiftly, with outcomes communicated transparently.
Transparency by Moderation
To meet the Act’s transparency standards, regulated services providers must:
Publish data on the volume and nature of hate speech flagged, reviewed, and removed.
Explain their systems for detecting and moderating hate speech in its transparency reports.
By addressing hate speech robustly, regulated services providers can align legal requirements with fostering a safer environment for users.
The process of bringing the Online Safety Act into law has been winding and subject to lengthy delays. Many of the provisions of the OSA came into force on January 10 2024 (including the new duty of care) for all regulated online services and many of the powers needed by Ofcom as the regulator responsible for enforcing the OSA. However, it has been subject to an implementation process which required Ofcom consultation and the issuance of Codes and guidance.
Major Deadline: All providers have a duty to assess the risk of illegal harms on their services, with a deadline of 16 March 2025. Providers will need to take the safety measures set out in the Codes or use other effective measures to protect users from illegal content and activity.
Additional key protections in respect of Category 1 providers (like X) are unlikely to be in force until 2026 or 2027. Further delay on major platforms now looks very dangerous (see below ‘Democratic Threats’).
The Secretary of State (Schedule 10) will determine regulations specifying Category 1, 2A, and 2B threshold conditions for different types of services. Commencement dates for remaining provisions of the Act will be set by future regulations under Section 240.
Phased roll-out: Regulated service providers must take steps to comply with new duties following Ofcom guidance, which is to be published in phases:
Phase 1: Illegal Harms (December 2024–March 2025)
December 2024: Ofcom will release the Illegal Harms Statement, including:
Illegal Harms Codes of Practice.
Guidance on illegal content risk assessments.
March 2025: Service providers must complete risk assessments and comply with the Codes or equivalent measures. Enforcement begins once Codes pass through Parliament.
Phase 2: Child Safety, Pornography, and Protection of Women and Girls (January–July 2025)
January 2025:
Final guidance on age assurance for publishers of pornography and children’s access assessments.
Services likely accessed by children must begin children’s risk assessments.
April 2025: Protection of Children Codes and risk assessment guidance published.
July 2025: Child protection duties become enforceable.
February 2025: Draft guidance on protecting women and girls will address specific harms affecting them.
Phase 3: Categorisation and Additional Duties (2024–2026)
End of 2024: Government to confirm thresholds for service categorisation (Category 1, 2A, or 2B).
Summer 2025: Categorised services register published; draft transparency notices follow shortly.
Early 2026: Proposals for additional duties on categorised services are expected to be released.
2027: Implementation of the proposals for Category provider obligations.
Ofcom Roadmap:
Ofcom state, in the 16 December 2024 Overview, that in early 2025, they will seek to enforce compliance with the rules by a combination of means, including:
Supervisory engagement with the largest and riskiest providers to ensure they understand Ofcom’s expectations and come into compliance quickly, pushing for improvements where needed;
Gathering and analysing the risk assessments of the largest and riskiest providers so they can consider whether they are identifying and mitigating illegal harms risks effectively;
Monitoring compliance and taking enforcement action across the sector if providers fail to complete their illegal harms risk assessment by 16 March 2025;
Focused engagement with certain high-risk providers to ensure they are complying with CSAM hash-matching measure, followed by enforcement action where needed; and
Further targeted enforcement action for breaches of the safety duties where they identify serious ongoing issues that represent significant risks to users, to push for improved user outcomes and deter poor compliance.
“We will also use our transparency powers to shine a light on safety matters, share good practice, and highlight where improvements can be made.”
Compliance Monitoring
Ofcom, the UK’s communications regulator will closely monitor regulated internet services’s adherence to the Act. Breaches could result in substantial penalties, including fines of the greater of £18 million or up to 10% of global annual turnover (Sch. 13).
Balancing Act
Regulated providers face significant operational challenges:
Maintaining Free Speech: Striking the right balance between protecting free expression and removing harmful content is critical. Over-moderation risks alienating users, while under-moderation could attract regulatory action.
Transparency Burden: Producing detailed reports and disclosing algorithmic processes requires resources and technical clarity.
Algorithm Design: Algorithms must meet the dual demands of protecting children and fostering open debate. Regulated internet services may need to invest in redesigning its systems to comply with these requirements.
Despite concerns about notable interference in UK politics and stirring up anti-Islamic and anti-immigrant sentiment in the UK, Elon Musk is maintaining his aggression against the UK government (and the EU which has the Digital Services Act which in many respects is similar to the OSA).
In the summer of 2024, Musk personally and via his X platform helped to spread anti-immigrant, anti-Government and anti-Islamic misinformation by right-wing extremists about the tragic stabbings of a number of adults and children in Stockport. This culminated in a number of riots across the UK fed by far-right extremists. The young man responsible for the tragic events in Stockport was neither a Muslim or an immigrant.
Read: How Elon Musk Helped Fuel the U.K.’s Far-Right Riots
In respect of the EU DSA, the Commission has already found X to be in breach of misuse of verification checkmarks, blocking access for research & lack of transparency for advertising. And remains under investigation for not curbing (i) the spread of illegal content — hate speech or incitement of terrorism — (ii) information manipulation.
Despite the continuing and accelerating attacks by Musk against the EU and the UK as they try to rein in hate crimes, unlawful content, and misinformation on social media platforms, in the meantime Peter Kyle (the UK’s technology secretary) recently suggested that governments need to show a “sense of humility” with big tech companies and treat them more like nation states.
Marietje Schaake, a former Dutch member of the European parliament and now the international policy director at Stanford University Cyber Policy Center and international policy fellow at Stanford’s Institute for Human-Centred Artificial Intelligence HAI) commented on this statement as follows:
“I think it’s a baffling misunderstanding of the role of a democratically elected and accountable leader. Yes, these companies have become incredibly powerful, and as such I understand the comparison to the role of states, because increasingly these companies take decisions that used to be the exclusive domain of the state. But the answer, particularly from a government that is progressively leaning, should be to strengthen the primacy of democratic governance and oversight, and not to show humility. What is needed is self-confidence on the part of democratic government to make sure that these companies, these services, are taking their proper role within a rule of law-based system, and are not overtaking it.”
Hopefully the UK Government will be more aggressive in seeking to bring powerful unelected billionaires (like Elon Musk) and organisations to account.
It is essential that Ofcom help platforms get the balance right as in many cases the right to be offended by someone else’s views is a cornerstone of a democratic society.
“If we don’t believe in freedom of expression for people we despise, we don’t believe in it at all.”
(Noam Chomsky)
Difference between freedom of speech and abuse of freedom of speech
Clearly there is a big difference between the right for a man or woman on the street taking to a social media platform (or the streets) to express their concern about policies and politics from the misuse of platforms (or platform data) or political processes by powerful vested interests to skew public opinion and spread misinformation or even racial or religious prejudices.
With great wealth and power should come great transparency and responsibility (though in our current political landscape it appears the opposite is true). See Democratic Threats above for more analysis on this.
Protecting us from Government Monopolies on Permitted Opinions
In addition to the risk of misinformation, bias and skewed freedom of speech and opinion by operators of social media and AI platforms and apps we must also bear in mind the significant risk of Governments seeking to have a monopoly on which opinions are permitted. This risk is always extremely high, as witnessed, for example, by the anti-scientific approach to any debate in the UK (and US) during COVID. When science meets politics, science invariably suffers.
Civil liberties should not be easily swept away simply by asserting public health grounds or national security grounds.
Transparency and protection of democracy and free speech must also extend to the impact of indirect political and governmental influence over regulated service providers (i.e. outside of the normal permitted legal channels) and what views about ‘reality’ are permitted. Transparency reports by in-scope providers must include the impact of direct and indirect political pressure and influence.
The UK Online Safety Act 2023 will have a significant impact on platforms like X. The Act’s focus on user safety, transparency, and accountability will require X to make substantial changes to its content moderation practices, algorithmic transparency, and approach to democratic content. X’s compliance with the Act will be closely monitored by Ofcom, with potential penalties for breaches.
Ofcom has expressed concerns about the potential for Generative AI chatbots to be used to create harmful content, such as chatbots that mimic real people, including deceased children. These concerns highlight the Act’s focus on protecting users from harmful content generated by AI, even if it is technically ‘user-generated’ through the chatbot interface. The Impact on services like ChatGPT are set out below.
The Act will require services like ChatGPT to implement robust content moderation mechanisms to prevent the creation and dissemination of illegal content through its platform. This could include:
The Act’s emphasis on transparency will require services like ChatGPT to provide more information about its content moderation practices and the use of AI in its service. This could include:
Finding a balance between protecting users from harm and fostering innovation in Generative AI will be crucial. Overly restrictive measures could stifle the development and beneficial uses of AI chatbots.
Ofcom will closely monitor Google Search’s compliance with the Act. Penalties for breaches could include fines, service restriction orders, and even criminal sanctions for senior managers.
The UK Online Safety Act 2023 poses significant challenges and obligations for Google Search. The Act’s focus on user safety, transparency, and accountability will require substantial changes to content moderation practices, algorithmic transparency, and the approach to content of democratic importance. Google’s compliance with the Act will be closely scrutinized, emphasizing the need for a proactive and comprehensive approach to meeting its requirements.
The Act’s effectiveness will depend on Ofcom’s ability to enforce its provisions and adapt to the evolving online landscape.
While Midjourney’s primary function is image generation, its algorithms could still be subject to scrutiny under the Act, especially if they influence content recommendations or user exposure to potentially harmful imagery. The Act mandates that platforms consider how algorithms impact user exposure to illegal content and content harmful to children. Midjourney might need to assess how its algorithms could contribute to the spread of harmful content and implement safeguards to minimize risks. For example:
Key Considerations:
Platforms like Roblox and Fortnite will need to implement:
The Act emphasizes transparency and accountability, requiring platforms to be open about their content moderation practices and the risks they face.
Roblox and Fortnite will need to publish regular transparency reports detailing their efforts to combat illegal and harmful content. These reports could include:
Like other platforms, providers of pornography will need to take steps to mitigate and manage risks associated with illegal content, such as CSAM and extreme pornography. This includes:
The revenue models of these platforms could also be a risk factor. For example, platforms that rely heavily on advertising revenue may be incentivized to allow content to be uploaded in the most “friction-free” manner, potentially leading to less effective content moderation and an increased risk of illegal content.
Transparency and Reporting: Sites like Onlyfans and Pornhub will be required to be transparent about their content moderation practices and the volume of illegal content removed, potentially through transparency reports. This could involve:
Ofcom have just released a tool to check if your services are in scope:
Cryptoasset Theft Without Conversion: Rethinking Litigation Strategy After Ping Fai Yuen v Fun Yung Li Steven de Lara Head of Litigation, Trusts and Financial…
Weekly AI intelligence for lawyers, investors, and regulators.
Primary-source analysis of frontier models, AI law, regulatory
shifts, and investment signals. No noise — just signal.
The Gibraltar Gambling Act 2025 – A Structural Shift in Regulatory Scope and Supervision Andrew Tait Head of Betting & Gaming The enactment of the…
The Gibraltar Authorisation Regime (GAR) represents the permanent legislative framework enabling Gibraltar-based financial services firms, including payment service providers (PSPs) and e-money institutions (EMIs), to access the UK market following Brexit. It requires transparency and careful management by Gibraltar firms benefiting from UK market access.
