
The Online Safety Act introduces new rules for providers of online user-to-user, search and pornography services, to help keep people in the UK safe from content which is illegal in the UK, and to protect children from the most harmful content such as pornography, suicide and self-harm material.
Wherever in the world a service is based, if it has ‘links with the UK’, it now has duties to protect people in the UK who are users of the service. Having links with the UK includes having a significant number of UK users, or where the UK is a target market. These rules will also apply to user-to-user and search services that are capable of being used by individuals in the UK and which pose a material risk of significant harm to them.
The Act only requires that services take action to protect users in the UK - it does not require them to protect users anywhere else in the world. The measures that Ofcom recommends providers take to comply with their duties only relate to the design or operation of the service in the UK or as it affects UK users.
Ofcom believes its flexible approach to risk assessment and mitigation allows services to take appropriate and proportionate steps to protect UK users from illegal content. Some services might seek to prevent people in the UK from accessing their sites, such as by restricting access from UK IP addresses (known as a 'geoblock'), instead of taking steps to protect UK users when using their service. That is their choice.
Ofcom recognises that virtual private networks (VPNs) are commonly used in the UK (as in many other countries) and can offer privacy and anonymity benefits. However, as VPNs allow users to access sites and apps without revealing their location, they can enable people to access online services in a way which means they do not benefit from protections required by the Online Safety Act and may be able to avoid IP-based access restrictions.
Ofcom’s Online Safety Enforcement Guidance sets out how Ofcom will normally approach enforcement under the Act to support the achievement of its statutory objectives, including the adequate protection of UK citizens from harm presented by content on regulated services through the appropriate use by providers of regulated services of systems and processes designed to reduce the risks of such harm. We also have regard to the matters in section 3(3) of the Communications Act 2003, which include principles under which our regulatory activities should be transparent, accountable, proportionate, consistent, and targeted only at cases in which action is needed.
When considering a service's compliance with the Online Safety Act where it has restricted access for people with UK IP addresses, Ofcom will monitor the restrictions on a case-by-case basis to assess whether they are maintained consistently and to satisfy itself the service is not promoting ways of avoiding the access restrictions. Services which choose to restrict access for people in the UK must not actively promote or encourage ways for UK users to avoid those same protections or restrictions, such as by providing information about or links to a VPN.
Ofcom will prioritise cases where action by Ofcom can be expected to increase online safety protections for people in the UK, particularly children. If a service restricts access to people in the UK, we will consider the presence of the restrictions when assessing whether enforcement action can be expected to result in further improvements in online safety for people in the UK, especially children. We would be likely to continue to prioritise such cases against services which do not consistently maintain such access restrictions or actively promote or encourage ways their UK users can avoid those restrictions, such as by providing information about or links to a VPN.
We recognise the breadth and complexity of the online safety rules and that there is a diverse range of services in scope. New regulation can create uncertainty and navigating the requirements can be challenging. Ofcom is committed to working with providers to help them comply with the Online Safety Act and protect their users in the UK. We have therefore developed a range of tools and resources to make it easier for them to understand – and comply with – their obligations. We also recently published a guide to help small services navigate the Online Safety Act.