Online Safety Act: Ofcom publishes guidance on its information gathering powers

United Kingdom

On 26 February 2025, Ofcom published guidance on its information gathering powers (the “Guidance”) under the Online Safety Act 2023 (“OSA”). The Guidance, which is effective immediately, was published alongside a statement which highlighted that online platforms will face “unprecedented scrutiny” from Ofcom under these extensive powers.

In addition to wide-ranging powers to request information, the OSA also confers on Ofcom powers to remotely inspect algorithms in real time and undertake audits of a platform’s safety measures and features. In certain cases, Ofcom can enter UK premises to access information and examine equipment. The Guidance outlines the factors Ofcom may take into account in deciding when and how to exercise these new powers and explains the legal duties imposed on regulated services and other third parties.

The Guidance was published a few days before Ofcom issued formal information notices to a number of in-scope services requiring them to provide their illegal content risk assessments. Ofcom has also recently issued draft information notices to online service providers in connection with the categorisation of providers as Category 1, 2A or 2B services to which additional duties apply under the OSA.

The Guidance was first introduced through a consultation in July 2024. In response to concerns raised during the consultation process, the Guidance has been updated in a few areas, such as in relation to when and how Ofcom will use its powers to require tests or demonstrations and protections in relation to Ofcom’s disclosures to overseas regulators.

Key changes since the draft Guidance

As a result of the consultation process, Ofcom has made several changes to the Guidance.

The key changes are:

  1. Protections for overseas disclosure
    The Guidance now includes detailed information on the protections the OSA provides in relation to Ofcom’s disclosure to overseas regulators. It clarifies that Ofcom can only disclose information to overseas regulators specified in regulations made by the Secretary of State, and that overseas regulators must not use the disclosed information for purposes other than those for which it was provided, nor further disclose the information without Ofcom’s consent or a court order.
     
  2. Use of powers for tests and demonstrations
    Unsurprisingly, a number of respondents (including the ICO) raised concerns about the novel “remote viewing information notice”, which can be issued with a minimum of seven calendar days’ notice. Additional details have been added about when and how Ofcom will use its powers to require tests or demonstrations, including the use of datasets for these purposes and the general mechanics of these powers. Ofcom has clarified that it will generally discuss test criteria with recipients to ensure clarity and feasibility, for example by issuing the information notice in draft form. Tests should usually be conducted in a test (not live) environment to minimise disruption to live services, unless there are specific reasons why this would not be feasible or appropriate.
     
  3. User privacy and security of stakeholders’ systems
    The Guidance provides more detail on Ofcom’s approach to user privacy and the security of stakeholders’ systems when exercising its powers, including Remote Viewing. Practical steps are outlined to ensure that, to the extent possible, irrelevant personal data is not viewed. Ofcom has also stated it generally expects that it will be sufficient to conduct remote viewing via a screen-sharing mechanism (e.g. on Teams). Additionally, references to the ICO’s guidance on “A Guide to Lawful Basis” and “A Guide to Data Security” are included, ensuring that stakeholders are aware of the data protection considerations involved.
     
  4. Alignment with Ofcom’s General Policy on Information Gathering
    Certain changes have been made to mirror the approach taken in Ofcom's General Policy on Information Gathering, published in December 2024. This alignment ensures consistency across Ofcom's information gathering policies and practices. For example, the Guidance now includes provisions for considering whether to send the same information notice to all stakeholders of a particular type or to a subset of those stakeholders, and the circumstances in which Ofcom considers it will be appropriate to issue a statutory information notice without issuing a draft first. It also highlights the importance of using existing internal and external information sources to avoid unnecessary duplication of effort and minimise the burden on stakeholders. Further, it explains that Ofcom will not accept unjustified or unsubstantiated claims of confidentiality, and that blanket claims of confidentiality covering entire documents or types of information are also unhelpful and will rarely be accepted.
     
  5. Coroner’s information notice power
    Minor changes have been made to the Guidance on the Coroner’s Information Notice Power based on Ofcom’s experience of exercising this power. These adjustments include clarifications on the process for identifying the child whose death is under investigation and narrowing the timeframe for information requests to ensure feasibility and relevance. The statement also highlights the importance of close engagement and communication between Ofcom and coroners throughout the lifecycle of a case, ensuring that the process is clear and accessible for all parties involved.

Consequences of non-compliance

Failure to comply with an information notice from Ofcom in an accurate, complete, and timely manner can result in significant penalties. Non-compliance could lead to fines of up to £18 million or 10% of the company's global revenue, whichever is higher. In the most severe cases, there could also be criminal liability.

Conclusion

The new Guidance is effective immediately and in-scope services would be well advised to ensure they have the processes and procedures in place to respond quickly and effectively should they receive an information notice. Ofcom demonstrated its willingness to use its enforcement powers where service providers were found in breach of the information requirements under the VSP regime, and it has been clear it is ready and willing to use its new and enhanced powers under the OSA.

Ofcom emphasised the importance of these measures, stating, "Applying the information gathering powers set out in the [OSA] in an effective way is important for our regulatory functions under the [OSA] … We view our information gathering powers as a serious tool to investigate potential non-compliance and to help keep the public safe."

If you are keen to find out more about how to best prepare for the OSA, please contact one of the CMS team.

Co-authored by Florentina Terholli, Associate at CMS.