UK Online Safety Act: Information Commissioner’s Office responds to Ofcom’s illegal harms consultation


The ICO has published its response to Ofcom’s consultation on protecting people from illegal harms online, part of Ofcom’s extensive programme of work to implement the Online Safety Act 2023. As previously reported by Wiggin, this consultation focuses on how user-to-user and search services should approach their duties relating to illegal content under the Act.

The consultation document itself ran to hundreds of pages; the ICO response is a much more manageable, though no less thorough, 26 pages long. Perhaps unsurprisingly, the general thrust of the ICO’s response is to stress the importance of service providers regulated under the Act complying fully with, and at all times having regard to, their data protection obligations, operating a “data protection by design and default approach when implementing online safety systems and processes”.

As the ICO points out, compliance with online safety duties under the Act will “inevitably involve the processing of personal data”, perhaps including special category or criminal offence data, and so it expects service providers to familiarise themselves with the relevant data protection legislation and ICO guidance.

Beyond this more general reminder, the ICO highlights particular areas where Ofcom might need to give greater attention to privacy matters, not only to ensure that the data protection rights of individuals are protected, but also so that service providers have sufficient guidance to satisfy themselves that they have complied with all of their obligations. Examples include offering greater guidance as to how to assess whether content is communicated “publicly” or “privately” and ensuring that the requirement to use data to conduct risk assessments or track evidence of new and increasing illegal harm does not lead to service providers becoming incentivised to collect even more data than they would otherwise hold. In this regard, the ICO stresses that the data minimisation principle requires services to “limit their use of personal data to what is relevant, adequate and necessary. Where personal data can be anonymised, or pseudonymised, this will support data minimisation under data protection law”.

Whilst not disagreeing with Ofcom that encrypted messaging and anonymity/pseudonymity functions were risks for illegal harm, the ICO was concerned that the case not be overstated so as to deter services from deploying these functionalities given that they also have their advantages. Instead, the ICO recommends that the guidance clarifies that the online safety regime does not restrict or prohibit the use of these functionalities, but requires appropriate safeguards to be put in place.

The ICO also expressed concern that the proposed measures relating to automatic content moderation did not take sufficient account of the effect on privacy rights. As the ICO has pointed out in its own content moderation guidance (previously reported upon by Wiggin), content moderation involves the processing of personal data at all stages, and the ICO disagrees that the potential impact of automated scanning is, as Ofcom put it, “slight”. In the ICO’s view, automated scanning carries risks for the rights and freedoms of individuals which can be exacerbated at scale, in addition to risks of unwarranted surveillance, invisible processing, and the loss of control of personal data. Furthermore, any measures relating to automatic content moderation must be compatible with UK GDPR Article 22, which grants data subjects the right not to be subject to a decision based solely on automated processing which has a legal or similarly significant effect on them.

Ultimately, the ICO’s response reflects its previously-stated commitment (see here) to work with Ofcom to ensure that the new online safety regime both keeps users safe and protects their privacy, and where those two ideals might come into conflict, to work “hand-in-hand” with Ofcom to make sure that users of online services are protected as much as possible.

To read the ICO’s response in full, click here.