Content moderation and data protection: UK Information Commissioner’s Office publishes guidance


The UK Information Commissioner’s Office has published its first guidance on content moderation, providing practical advice on compliance with UK GDPR and the Data Protection Act 2018. It applies to those who carry out content moderation or who provide moderation products and services, and to both data controllers and processors. Content moderation is defined to mean analysis of user-generated content to assess whether it meets certain standards (usually those set out in the provider’s terms of service or content policies) and any action taken as a result of this analysis (e.g. removal, service bans, feature blocking or visibility reduction). The guidance applies to manual and automated moderation.

The guidance is aimed at those who are carrying out their obligations under the Online Safety Act 2023 (“OSA”) but applies to other types of moderation. It does not set out a service provider’s obligations under the OSA but, rather, the data protection obligations which may arise in the course of complying with the OSA where it involves personal data.

Content moderation might involve various types of personal data such as IP address, online ID or information linked to a user’s account such as age, location and previous activity. The guidance reminds us that pseudonymised information is personal information and therefore subject to the law. Content moderation may also involve the processing of special category data (e.g. health data in the form of information relating to a person who may be at risk of suicide or self-harm or posts where identifiable users are expressing political views) and criminal offence information (e.g. pursuant to the OSA requirement to make illegal content judgments).

The guidance points out that a Data Protection Impact Assessment is almost certainly required for content moderation but explains when that may not be the case.

Under the GDPR, processing of personal data must be lawful, fair and transparent. The guidance states that the lawful bases most likely to be relevant to content moderation processing are legal obligation (e.g. to comply with OSA duties) and legitimate interests (e.g. to enforce the provider’s terms of service). The legal obligation basis could even cover processing needed to apply measures recommended in Ofcom’s Codes of Practice under the OSA as the Codes enable providers to comply with the OSA’s legal requirements. To rely on legitimate interests, the data must be used in ways that people would reasonably expect (so clarity within terms of service is relevant) and that do not have an unjustified adverse impact on people’s rights and freedoms. In theory, the existence of a contract could also be a lawful basis, but legal obligation or legitimate interests are likely to be more suitable. Consent as a lawful basis is unlikely to apply as providers are unlikely to be offering users a free choice as to whether they can process their data for content moderation. The guidance outlines the further conditions the service provider must satisfy if the processing involves special category data or criminal offence information.

To ensure the processing is fair, the provider must ensure the content moderation systems are accurate and unbiased, and the guidance suggests moderator training and regular audits of moderator decisions. As with other types of processing, the provider must tell users how it is using their information, what decisions are made from such use and how users can exercise their data protection rights. This involves clearly stating the purpose of the processing (e.g. to comply with the OSA or to enforce terms of service), which should be regularly reviewed to ensure purposes have not evolved beyond those originally specified.

The guidance goes on to address many further requirements of the law as they apply to content moderation, covering data minimisation, accuracy, how long the data may be kept, security, identifying the controller, rights of data subjects, sharing information, transfer outside the UK and automated decision-making. As with other ICO guidance, it includes useful case studies.
