SCHEDULES

Section 42

SCHEDULE 4U.K.Codes of practice under section 41: principles, objectives, content

General principlesU.K.

1In preparing a draft of a code of practice or amendments of a code of practice, OFCOM must—

(a)consider the appropriateness of provisions of the code of practice to different kinds and sizes of Part 3 services and to providers of differing sizes and capacities, and

(b)have regard to the principles mentioned in paragraph 2.

2U.K.The principles are as follows—

(a)providers of Part 3 services must be able to understand which provisions of the code of practice apply in relation to a particular service they provide;

(b)the measures described in the code of practice must be sufficiently clear, and at a sufficiently detailed level, that providers understand what those measures entail in practice;

(c)the measures described in the code of practice must be proportionate and technically feasible: measures that are proportionate or technically feasible for providers of a certain size or capacity, or for services of a certain kind or size, may not be proportionate or technically feasible for providers of a different size or capacity or for services of a different kind or size;

(d)the measures described in the code of practice that apply in relation to Part 3 services of various kinds and sizes must be proportionate to OFCOM’s assessment (under section 98) of the risk of harm presented by services of that kind or size.

Online safety objectivesU.K.

3OFCOM must ensure that measures described in codes of practice are compatible with pursuit of the online safety objectives.

4U.K.The online safety objectives for regulated user-to-user services are as follows—

(a)a service should be designed and operated in such a way that—

(i)the systems and processes for regulatory compliance and risk management are effective and proportionate to the kind and size of service,

(ii)the systems and processes are appropriate to deal with the number of users of the service and its user base,

(iii)United Kingdom users (including children) are made aware of, and can understand, the terms of service,

(iv)there are adequate systems and processes to support United Kingdom users,

(v)(in the case of a Category 1 service) users are offered options to increase their control over the content they encounter and the users they interact with,

(vi)the service provides a higher standard of protection for children than for adults,

(vii)the different needs of children at different ages are taken into account,

(viii)there are adequate controls over access to the service by adults, and

(ix)there are adequate controls over access to, and use of, the service by children, taking into account use of the service by, and impact on, children in different age groups;

(b)a service should be designed and operated so as to protect individuals in the United Kingdom who are users of the service from harm, including with regard to—

(i)algorithms used by the service,

(ii)functionalities of the service, and

(iii)other features relating to the operation of the service.

5U.K.The online safety objectives for regulated search services are as follows—

(a)a service should be designed and operated in such a way that—

(i)the systems and processes for regulatory compliance and risk management are effective and proportionate to the kind and size of service,

(ii)the systems and processes are appropriate to deal with the number of users of the service and its user base,

(iii)United Kingdom users (including children) are made aware of, and can understand, the publicly available statement referred to in sections 27 and 29,

(iv)there are adequate systems and processes to support United Kingdom users,

(v)the service provides a higher standard of protection for children than for adults, and

(vi)the different needs of children at different ages are taken into account;

(b)a service should be assessed to understand its use by, and impact on, children in different age groups;

(c)a search engine should be designed and operated so as to protect individuals in the United Kingdom who are users of the service from harm, including with regard to—

(i)algorithms used by the search engine,

(ii)functionalities relating to searches (such as a predictive search functionality), and

(iii)the indexing, organisation and presentation of search results.

6U.K.In the case of a combined service—

(a)the online safety objectives set out in paragraph 4 do not apply in relation to the search engine;

(b)the online safety objectives set out in paragraph 5 apply in relation to the search engine, and accordingly references in that paragraph to a search service are to be read as references to the search engine;

(c)the reference in paragraph 5(a)(iii) to a publicly available statement includes a reference to provisions of the terms of service which relate to the search engine.

7U.K.The Secretary of State may by regulations amend paragraph 4 or 5 so as to vary the online safety objectives for regulated user-to-user services or regulated search services, and such regulations may make consequential amendments of paragraph 6.

8U.K.If regulations are made amending the online safety objectives, OFCOM must, as soon as reasonably practicable after the regulations come into force, consider whether a review of the codes of practice published under section 46 is required and, if OFCOM consider that it is required, carry out a review to assess whether any amendments are needed to reflect the revised objectives.

Content of codes of practiceU.K.

9(1)Codes of practice that describe measures recommended for the purpose of compliance with a duty set out in section 10(2) or (3) (illegal content) must include measures in each of the areas of a service listed in section 10(4).

(2)Codes of practice that describe measures recommended for the purpose of compliance with a duty set out in section 12(2) or (3) (children’s online safety) must include measures in each of the areas of a service listed in section 12(8).

(3)Codes of practice that describe measures recommended for the purpose of compliance with a duty set out in section 27(2) or (3) (illegal content) must include measures in each of the areas of a service listed in section 27(4).

(4)Codes of practice that describe measures recommended for the purpose of compliance with a duty set out in section 29(2) or (3) (children’s online safety) must include measures in each of the areas of a service listed in section 29(4).

(5)Sub-paragraphs (1) to (4) apply to the extent that inclusion of the measures in question is consistent with paragraph 1(a) and the principles mentioned in paragraph 2(c) and (d).

10(1)Measures described in a code of practice which are recommended for the purpose of compliance with any of the relevant duties must be designed in the light of the principles mentioned in sub-paragraph (2) and (where appropriate) incorporate safeguards for the protection of the matters mentioned in those principles.U.K.

(2)The principles are—

(a)the importance of protecting the right of users and (in the case of search services or combined services) interested persons to freedom of expression within the law, and

(b)the importance of protecting the privacy of users.

(3)In sub-paragraph (2)(b) the reference to protecting the privacy of users is to protecting users from a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of a user-to-user service or a search service (including, but not limited to, any such provision or rule concerning the processing of personal data).

(4)In this paragraph “the relevant duties” means the duties set out in—

(a)sections 10 and 27 (illegal content),

(b)sections 12 and 29 (children’s online safety),

(c)section 15 (user empowerment),

(d)section 17 (content of democratic importance),

(e)section 19 (journalistic content),

(f)sections 20 and 31 (content reporting),

(g)sections 21 and 32 (complaints procedures), and

(h)sections 38 and 39 (fraudulent advertising).

11U.K.Measures described in a code of practice may relate only to the design or operation of a Part 3 service—

(a)in the United Kingdom, or

(b)as it affects United Kingdom users of the service.

Content of codes of practice: age assuranceU.K.

12(1)This paragraph is about the inclusion of age assurance in a code of practice as a measure recommended for the purpose of compliance with any of the duties set out in section 12(2) or (3) or 29(2) or (3), and sub-paragraph (2) sets out some further principles, in addition to those in paragraphs 1 and 2 (general principles) and 10(2) (freedom of expression and privacy), which are particularly relevant.

(2)In deciding whether to recommend the use of age assurance, or which kinds of age assurance to recommend, OFCOM must have regard to the following—

(a)the principle that age assurance should be effective at correctly identifying the age or age-range of users;

(b)relevant standards set out in the latest version of the code of practice under section 123 of the Data Protection Act 2018 (age-appropriate design code);

(c)the need to strike the right balance between—

(i)the levels of risk and the nature, and severity, of potential harm to children which the age assurance is designed to guard against, and

(ii)protecting the right of users and (in the case of search services or the search engine of combined services) interested persons to freedom of expression within the law;

(d)the principle that more effective kinds of age assurance should be used to deal with higher levels of risk of harm to children;

(e)the principle that age assurance should be easy to use, including by children of different ages and with different needs;

(f)the principle that age assurance should work effectively for all users regardless of their characteristics or whether they are members of a certain group;

(g)the principle of interoperability between different kinds of age assurance.

(3)In a code of practice that describes measures for the purpose of compliance with the duty set out in section 12(3)(a), OFCOM must recommend (among other things) age verification or age estimation which is such of a kind, and which is to be used in such a way, that it is highly effective at correctly determining whether or not a particular user is a child (see section 12(6)).

(4)In deciding which kinds and uses of age verification or age estimation to recommend for the purpose of compliance with the duty set out in section 12(3)(a), OFCOM must have regard to their guidance under section 82 that gives examples of kinds and uses of age verification and age estimation that are, or are not, highly effective at correctly determining whether or not a particular user is a child.

(5)Nothing in sub-paragraph (2) is to be read as allowing OFCOM to recommend, for the purpose of compliance with the duty set out in section 12(3)(a) by providers subject to the requirement in section 12(4), a kind or use of age verification or age estimation which does not meet the requirement to be highly effective as mentioned in section 12(6).

(6)A code of practice that recommends the use of age assurance for the purpose of compliance with the duties set out in section 12(2) or (3) must also describe measures recommended for the purpose of compliance with the duties set out in—

(a)section 12(9), (11) and (13) (inclusion of clear information in terms of service), and

(b)section 21(2) and (3) (see, in particular, section 21(5)(e) (complaints about age assurance)).

(7)A code of practice that recommends the use of age assurance for the purpose of compliance with the duties set out in section 29(2) or (3) must also describe measures recommended for the purpose of compliance with the duties set out in—

(a)section 29(5) and (8) (inclusion of clear information in publicly available statement), and

(b)section 32(2) and (3) (see, in particular, section 32(5)(d) (complaints about age assurance)).

(8)A code of practice may—

(a)refer to industry or technical standards for age assurance (where they exist);

(b)elaborate on the principles mentioned in paragraphs (a) and (c) to (g) of sub-paragraph (2).

(9)In this paragraph “age assurance” means age verification or age estimation, and see in particular section 230(4) (self-declaration of age not to be regarded as age verification or age estimation).

Content of codes of practice: proactive technologyU.K.

13(1)If OFCOM consider it appropriate to do so, and in accordance with the principles to which they must have regard (see paragraphs 1 and 2 and, in particular, 10(2)), they may include in a code of practice a measure describing the use of a kind of technology.

(2)But there are constraints, set out in the rest of this paragraph, on OFCOM’s power to include in a code of practice a measure describing the use of proactive technology as a way (or one of the ways) of complying with a duty set out in this Act (a “proactive technology measure”).

(3)A proactive technology measure may be recommended only for the purpose of compliance with any of the duties set out in—

(a)section 10(2) or (3) (illegal content),

(b)section 12(2) or (3) (children’s online safety),

(c)section 27(2) or (3) (illegal content),

(d)section 29(2) or (3) (children’s online safety), or

(e)section 38(1) or 39(1) (fraudulent advertising).

(4)A proactive technology measure may relate to the use of a kind of technology on or in relation to any Part 3 service or any part of such a service, but if the technology operates (or may operate) by analysing user-generated content or metadata relating to such content, the measure may not recommend the use of the technology to analyse user-generated content communicated privately, or metadata relating to user-generated content communicated privately.

(5)A proactive technology measure may be included in a code of practice in relation to Part 3 services of a particular kind or size only if OFCOM are satisfied that use of the technology in question by such services would be proportionate to the risk of harm that the measure is designed to safeguard against (taking into account, in particular, the risk profile for the time being published by OFCOM under section 98 relating to such services).

(6)In deciding whether to include a proactive technology measure in a code of practice, OFCOM must have regard to the degree of accuracy, effectiveness and lack of bias achieved by the technology in question, and may—

(a)refer in the code of practice to industry or technical standards for the technology (where they exist);

(b)set out principles in the code of practice designed to ensure that the technology or its use is (so far as possible) accurate, effective and free of bias.

(7)Sub-paragraph (6) does not apply in relation to proactive technology which is a kind of age verification or age estimation technology.

GeneralU.K.

14A code of practice may make different provision for different purposes and may, in particular—

(a)make different provision with regard to—

(i)user-to-user services, and

(ii)search services;

(b)make different provision with regard to user-to-user services of different kinds or search services of different kinds; and

(c)otherwise differentiate between Part 3 services, and between providers of such services, in such manner as OFCOM consider appropriate.

15U.K.A code of practice may apply in relation to a person who provides a Part 3 service from outside the United Kingdom.

InterpretationU.K.

16In this Schedule—

• “code of practice” means a code of practice under section 41;

• “search results” has the meaning given by section 57(3);

• “user-generated content” has the meaning given by section 55 (see subsections (3) and (4) of that section).