Full Report
As duties under the U.K.’s Online Safety Act (OSA) related to tackling illegal content came into force Monday, the internet watchdog, Ofcom, said it has launched a new enforcement program focused on online storage and file-sharing services. The regulator said its evidence shows that file-sharing and file-storage services are “particularly susceptible” to being used for […] © 2024 TechCrunch. All rights reserved. For personal use only.
Analysis Summary
# Regulation/Compliance: Online Safety Act (OSA) – CSAM Enforcement Program
## Overview
This regulation summary focuses on the enforcement program launched by the UK's internet watchdog, Ofcom, targeting online storage and file-sharing services. The enforcement action is based on duties under the UK's **Online Safety Act (OSA)** related to tackling illegal content, specifically image-based child sexual abuse material (CSAM).
## Key Details
- Issuing Authority: **Ofcom** (Office of Communications), the UK's internet watchdog, enforcing the **Online Safety Act (OSA)**.
- Effective Date: Duties related to tackling illegal content under the OSA came into force on **Monday** (implied to be March 17, 2025, based on the article date context).
- Jurisdiction: **United Kingdom (UK)**.
- Status: **In Effect** (Enforcement program has been launched).
## Requirements
### Mandatory Requirements (Derived from Ofcom's immediate enforcement focus)
1. **Implement Safety Measures:** Storage and file-sharing services must put in place safety measures aimed at preventing offenders from disseminating CSAM on their services.
2. **Submit to Information Requests:** Services subject to the program must respond to formal information requests from Ofcom regarding existing or planned measures to tackle CSAM.
3. **Submit Illegal Harm Risk Assessments:** Affected services are required to submit assessments detailing the risks of illegal harm (CSAM dissemination) on their platforms.
### Recommended Practices
1. **Proactive Monitoring:** Services should continuously monitor and adapt their preventative measures based on empirical evidence of how CSAM is being disseminated.
2. **Cooperation with Regulator:** Maintain transparent communication and preparedness for formal inquiries from Ofcom.
## Affected Organizations
- Industries: **Online storage and file-sharing services**.
- Organization Size: Not explicitly detailed, but the scale of penalties suggests major global turnover (implying large or international operations are significantly at risk).
- Geographic Scope: Organizations providing services within the **UK** jurisdiction, as enforced by Ofcom under the OSA.
## Compliance Timeline
- **Now/Immediate:** Duties under the OSA related to tackling illegal content are in force.
- **Imminent/Short Term:** Ofcom has begun sending letters to "a number" of services, putting them **on notice** that formal information requests are forthcoming.
- **To Be Determined:** Specific internal deadlines for responding to Ofcom's formal information requests and submitting risk assessments will be set within those requests.
- **Final deadline:** Full compliance under the OSA is mandated subsequent to the introduction of these duties.
## Implementation Guidance
### Assessment Phase
- **Identify Susceptibility:** Services must assess how "particularly susceptible" they are to being used for sharing image-based CSAM.
- **Gap Analysis:** Evaluate existing safety measures against the requirements implied by the OSA duties concerning illegal content moderation.
### Implementation Phase
- **Develop/Enhance Controls:** Implement robust technical and procedural controls specifically designed to detect, remove, and prevent the dissemination of CSAM.
- **Risk Documentation:** Formalize and document the illegal harm risk assessments for submission to Ofcom.
### Validation Phase
- **Ofcom Scrutiny:** Validation will primarily occur through Ofcom's formal information requests and subsequent review of submitted materials and implemented measures.
## Technical Requirements
While the article does not list specific mandated technical controls, compliance under the OSA context generally requires:
1. **Content Moderation Tools:** Implementation of technology capable of identifying and flagging known CSAM.
2. **Reporting Mechanisms:** Robust systems for internal escalation and external reporting of discovered illegal material.
## Penalties & Enforcement
- Fines: **Up to 10% of global annual turnover.**
- Other Consequences: Potential for regulatory sanctions for failure to comply with the OSA.
- Enforcement: Conducted by **Ofcom** through a targeted **enforcement program** involving formal information requests and scrutiny of implemented safety measures.
## Related Standards
- **Online Safety Act (OSA):** The primary legislative framework governing these duties in the UK.
- **(Implied Frameworks):** Compliance efforts will likely necessitate aligning with established best practices for content moderation, security, and child protection as defined by relevant UK governmental and industry standards, though none are explicitly named in this context.
## Resources
- Official Documentation: The **Online Safety Act (OSA)**, as passed by the UK Parliament.
- Guidance Documents: Ofcom’s specific guidance or codes of practice related to the CSA (Child Sexual Abuse) provisions of the OSA (not directly linked in the article).
- Tools: Tools used for CSAM hashing/matching (e.g., those supplied by tech safety organizations).
## Practical Recommendations
1. **Immediate Internal Review:** Storage and file-sharing services must immediately review their current operational structure to identify any potential routes for CSAM dissemination.
2. **Prepare Documentation:** Begin compiling all relevant documentation regarding current anti-CSAM safety measures and drafting preliminary illegal harm risk assessments in anticipation of Ofcom's formal requests.
3. **Prioritize Response:** Treat any communication from Ofcom regarding this enforcement program as URGENT due to the statutory deadlines and severe financial penalties associated with non-compliance.