Navigating the privacy challenges under the UK’s Online Safety Act 2023 – a balancing act?

What happened

• The UK Online Safety Act 2023 (OSA) became law on 26 October 2023
• The OSA sets out extensive new obligations on certain online service providers which require them to protect their users by identifying, mitigating and managing risks that relate to illegal and harmful online content
• The OSA has an extraterritorial reach so it can regulate approximately 100,000 organisations worldwide
• Implementation is not immediate; a phased implementation plan will span 3 years to give providers time to adjust to and comply with the new obligations
• An initial consultation closes in February 2024 and a second consultation on child safety is due to start before the end of 2023
• Some provisions have already caused privacy concerns. S121 empowers Ofcom to use accredited technology to identify, remove or prevent users from viewing certain content including terrorism and child sexual exploitation and abuse material 
• Where Ofcom is able to scan private messages this could conflict with user privacy rights. Some end to end encrypted messaging applications might find it difficult to comply with the OSA

Why it matters

• The OSA’s aim is to protect children and adults online. It will make social media companies more responsible for users’ safety on their platforms
• It is vitally important that content that is harmful to children such as pornographic content, bullying content, content that promotes suicide, self harm or eating disorders – is not available to them
• The OSA aims to make the UK the safest place in the world to be online, but it remains to be seen how Ofcom will interpret and apply the legislation
• It will be important to achieve the delicate balance between ensuring online safety and protecting users’ privacy 

A guide to the Online Safety Act can be found at A guide to the Online Safety Bill – GOV.UK (www.gov.uk)

What happened

• It has been reported that the Metropolitan Police’s ‘Prevent’ document was shared with a number of official databases without the knowledge of, or consent of the individuals involved
• ‘Prevent’ is a national programme that aims to stop people from becoming terrorists or supporting terrorism. It works to ensure that people who are susceptible to radicalisation are offered appropriate help and communities are protected against radicalising influences
• Most people do not usually know that they have been referred and in the majority of cases, there is no further action
• Information held by the programme is generally very sensitive and it relates to thousands of individuals who have been referred to the government’s controversial anti-radicalisation ‘Prevent’ programme
• The sharing of this sensitive data has been much wider than previously known with personal data being secretly sent to airports, ports and immigration services as well as officials at the Home Office and the Foreign, Commonwealth and Development Office
• The sharing of the particular document; ‘Prevent case management guidance’ with the ports authority watchlist has meant that individuals are more likely to be searched at airports and targeted with counter-terrorism powers and this allows the police to stop people without the need for ‘reasonable suspicion’

Why it matters

• It is likely that this sharing of sensitive data by the Metropolitan Police is unlawful because it has been done without the knowledge or consent of those involved
• Additionally, the sharing of information across the police force was wider than only counter terrorism units and even local officers were able to access the information
• It is wrong that this type of data is used by the police as a ‘trawling exercise’. The sharing of personal data must be necessary and proportionate
• There must be at least one lawful basis for sharing personal data. This is often consent but if the safety of an individual is at risk it might be possible to share information without consent
• A data protection impact assessment (DPIA) should be completed to assess the necessity of the data sharing and to assess and mitigate the risks involved

Further information about the Prevent duty can be found at;

Prevent duty – GOV.UK (www.gov.uk)

Information about data protection  impact assessments and how to complete them can be found at;

Data protection impact assessments | ICO

What happened

• In Nov 2023, 100 political, technology and businesses leaders met in the UK for the global AI Safety Summit
• Their aim was to produce a global policy consensus i.e. the Bletchley Declaration – on keeping AI applications safe for humans to use
• Although the Bletchley Declaration is symbolic, it shows that global leaders are willing to act on the potential harm that AI might cause.
• It is important that AI is developed and used in a manner which is ‘human centric’, trustworthy and responsible. It is acknowledged that international cooperation is crucial
• There are many benefits of AI; it can be used to improve operational efficiency, deliver effective training and improve quality control functions
• UK regulators have proposed a ‘pro-innovation’ policy framework governing the use of AI. It sets out 5 overarching principles; (i) safety, security and robustness, (ii) appropriate transparency and explainability, (iii) fairness, (iv) accountability and governance (v) contestability and redress
• The UK has invested £100m to deliver a dedicated UK AI Research Resource; a new national supercomputer research facility including the UK’s fastest supercomputer – the Isambard-AI to be based in Bristol
• At the Summit, a new AI Safety Institute was also announced and this will test the safety of frontier AI models and analyse the risks from social harms

Why it matters

• The AI Summit has evidenced the importance of AI being developed and used in a manner that is ‘human centric, trustworthy and responsible’
• The Summit has also shown the importance of international cooperation and it has addressed concerns in areas such as cybersecurity and biotechnology as well as where AI systems may increase risks such as disinformation
• The UK’s pro-innovation approach seems to be complex, but if effectively navigated, it will provide opportunities to UK businesses
• Some businesses have called for greater clarity on the UK’s position but the UK intends to take an iterative approach to avoid heavy handed legislation that could stifle innovation
• The plan is also for regulators to issue practical guidance, tools and resources (such as risk assessment templates) to organisations in the next year to help them implement the 5 principles
• If it is necessary, legislation might be introduced, to ensure regulators consider the principles in a consistent way

Going forward

It will be important to watch how the Bletchley Declaration shapes responses to AI risks.  These might take the form of guidance notes, regulations or cross-cutting legislation.  Either way, it is hoped that the declaration can provide a basic framework for accountability and the increased global scrutiny that it represents can provide an opportunity for organisations to consider current and future AI applications

Further details of the AI Safety Summit can be found at;

The Bletchley Declaration by Countries Attending the AI Safety Summit, 1-2 November 2023 – GOV.UK (www.gov.uk)