lolloj - Fotolia
Constant changes to the timetable and scope of the UK government’s Online Safety Bill (OSB) is hindering Ofcom’s ability to prepare for its new responsibilities and functions, says the National Audit Office (NAO).
Since the UK government published its Online Harms whitepaper in April 2019, setting out its intentions for the legislation, the OSB has been through a number of significant changes, and has been delayed on multiple occasions.
For example, while both Lords and MPs were expressing frustration about delays to the legislation since at least June 2020, after failing to get the government to commit to a concrete timeline, further details were not unveiled until December, with the first draft remaining unpublished until May 2021.
When it was officially introduced to Parliament in March 2022, a number of criminal offences were added to make senior managers liable for destroying evidence, failing to attend or providing false information in interviews with Ofcom, and for obstructing the regulator when it enters company offices for audits or inspections; building on three previous criminal offences that were added that February.
The passage of the Bill was then paused by the government four months later in July 2022, following legislative timetabling issues. Later in November 2022, the obligation on companies to police “legal but harmful” content – which has attracted significant criticism from Parliamentary committees, campaign groups and tech professionals – was dropped from the Bill.
While the OSB is now expected to become law in October in 2023, the full regulatory regime will be stood up in phases over the following two years.
In a report published 12 July 2023, the NAO examined the preparations undertaken so far by Ofcom to implement the upcoming OSB, finding that while the online harms regulator “has made a good start”, its efforts are being hobbled by uncertainty around the Bill’s timetabling and ultimate scope.
The NAO noted, for example, that Ofcom completed an organisational restructuring in September 2020 to embed online safety and expand its technology group; has already prepared a “substantial initial evidence base” to inform its enforcement of the new regime; undertaken early engagement with industry; and created a new Online Safety Group in April 2023 with responsibility for strategy delivery and policy development.
However, it also noted that Ofcom’s preliminary estimate for the number of online services which could be subject to the new regime is more than 100,000, although this could be higher, and that it will need to produce north of 40 regulatory documents (including codes of practice and guidance) for service providers.
“The great majority of these [100,000 services] will be based overseas and will not have been regulated by Ofcom before, and are therefore unfamiliar with it. Monitoring this scale of services will require automated data collection and analysis systems, and the IT capability to support these, which Ofcom is currently developing,” it said, adding that the cumulative costs of preparing for and implementing the OSB could total £169m by 2025, with £56m already incurred by the end of 2023.
Given the scope of the regime, the NAO has said further investment and staff are needed to ensure the new regime works as intended, but that uncertainty around the OSB is preventing Ofcom’s preparations in these areas.
“It has been difficult for Ofcom to estimate and then recruit the number of people it requires as the scope of the regime and Ofcom’s responsibilities have changed over time,” said the NAO. “For example, according to Ofcom, at the start of July 2023 it still needed to work out the staffing requirements arising from amendments to the Bill announced by the government at the end of June, and estimating the required staffing levels remained difficult as the regime’s scope was still uncertain as further additions could still be made to the Bill.”
The NAO added that while Ofcom recruited 346 extra staff between July 2020 and March 2023 based on its estimates of what would be required at the time, increases in the regulatory regime’s scope and the establishment of a dedicated supervision unit since then means a further 104 staff will be needed; bring the total to 450 by the end of 2024.
“To successfully implement the regulatory regime, Ofcom must be able to attract the right talent with the right skills and expertise, including knowledge and understanding of the technology sector. Not only does Ofcom require a significant number of extra staff, but many of these are in new areas, such as online safety technology and data,” it said, adding that “there is also a risk that continuing extensions to the legislative process could cause recruited staff to disengage or leave”.
Read more about Ofcom
- Tech companies and NGOs urge rewrite of Online Safety Bill to protect encrypted comms: The Online Safety Bill faces amendments in the House of Lords amid concerns that it could weaken the security of end-to-end encrypted communications for UK citizens.
- Ofcom's interim UK cloud market report flags competition concerns about AWS and Microsoft: Ofcom has flagged concerns about anti-competitive behaviour from AWS and Microsoft in its interim report into the inner workings of the UK cloud infrastructure market.
- Microsoft and AWS caution Ofcom against referring UK cloud market over to CMA: As the UK cloud market braces itself for the publication of Ofcom's final report into the state of the market, Amazon and Microsoft's responses to regulator's interim findings have been made public.
Gareth Davies, head of NAO, added: “Ofcom will need to manage several risks in a way that delivers value for money. It will need to move quickly to cover any gaps in its preparations should the scope change between now and implementation … As ever, access to good quality data will be essential for Ofcom to monitor the compliance of services and to evaluate its own effectiveness.”
To deal with the remaining gaps in preparedness, the NAO has made a number of recommendations for Ofcom in four different areas.
Regarding its external communication, for example, the NAO recommended that Ofcom should manage the public’s expectations about the regime’s impact and Ofcom’s role during implementation, a well as further develop its plans to inform industry about its requirements.
On skills and capacity building, the NAO said Ofcom should identify how it will reach the capability and capacity it needs and keep this relevant and up to date; while on financial management it added that Ofcom should establish how it will manage the financial risks presented by the additional year of setup and increased staffing need, as well as clarify its long-term funding plan.
“[Ofcom] has also yet to secure the funding it needs for the extra staff it has identified it will require,” said the NAO. “It will need to regulate a very large number of services, the great majority of which have not been regulated before and are unfamiliar with Ofcom and how it works, and which have no UK corporate or economic presence. It will need to cover its costs by introducing fees so that the regime becomes self-financing. It will also need to obtain good-quality data to monitor the compliance of services and to evaluate its own effectiveness and that of the regime.”
In a recommendation directed at the Department for Science, Innovation & Technology (DSIT), the NAO added that it should “work with Ofcom to identify how the data Ofcom plans to collect as part of its evaluation activities will support DSIT’s own evaluation of the effectiveness of the regime and the achievement of its policy objectives”.