Privacy & Information Security Law Blog

On November 25, 2022, the UK Information Commissioner’s Office (“ICO”) and the UK’s communications regulator, Ofcom, issued a joint statement setting out how they intend to work together to “ensure coherence between the data protection and the new online safety regimes.” The regulators noted that the statement is primarily intended for online service providers that are likely to be regulated under the online safety regime, but it also will be of interest to other stakeholders as an indication of their joint direction.

According to the statement, in anticipation of Ofcom taking on new duties in 2023 under the Online Safety Bill, the ambitions of the partnership are twofold:

1. The regulators want users of online services to have confidence that their safety and privacy will be upheld and that the regulators will take prompt and effective action when providers fail in their obligations.
2. The regulators want providers of online services of all sizes to comply with their obligations and to continue to innovate and grow, supported by regulatory clarity and free from undue burden.

To achieve this, the ICO and Ofcom will work closely together to achieve maximum alignment and consistency between the data protection and online safety regimes. They will:

• Maximize coherence by:
  • ensuring their policies are consistent with each other’s regulatory requirements and consult closely when preparing codes and guidance. Ofcom will prepare codes of practice and guidance for online services on compliance with the online safety regime and will consult with the ICO, among others, in preparation of these. The ICO will also prepare guidance on data protection expectations for online services deploying safety technologies (e.g., age assurance, content moderation) and will consult Ofcom and others on its preparation;
  • seeking solutions that enhance users’ safety and preserve their privacy; and
  • providing clarity on how compliance can be achieved with both regimes where there are tensions between privacy and safety objectives.
• Promote compliance by setting clear expectations for industry on what must be done to meet both the online safety and data protection requirements. This includes particular support through the transition for small and emerging companies to help them thrive and grow. The regulators will take action against services that do not meet the obligations, sharing information and intelligence, as appropriate, and coordinating approaches to enforcement.

According to the statement, the ICO and Ofcom will reaffirm their cooperation through a renewed memorandum of understanding which will be updated next year in light of Ofcom’s new responsibilities under the Online Safety Bill.