ICO and Ofcom set out collaboration on supervision of online services

The ICO and Ofcom have published a joint statement on how they will collaborate to implement the vision they set out in their 2022 statement for a clear and coherent regulatory landscape for online services, ensuring compliance with both regimes. 

Whilst the ICO regulates the processing of personal data, Ofcom is the regulator responsible for enforcing the Online Safety Act 2023 (OSA) (see our previous blog). The OSA imposes duties of care on online service providers, with the aim of protecting users, particularly children, from harmful or illegal content and fraudulent advertising. In many cases, personal data will be involved in acts within the scope of the OSA and so the ICO and Ofcom have overlapping remits.

The two regulators plan to identify and regularly review collaboration themes, i.e. topics that are of interest to both because of their thematic and substantive relevance to both the data privacy and online safety regimes. The initial collaboration themes have been identified, and relevant staff from both regulators will meet regularly to discuss them, as well as to identify any other emerging Collaboration Themes. 

The initial themes that the ICO and Ofcom have identified are:

Age assurance – including age verification and age estimation so that services can be tailored to the user and restrictions put in place based on age.

Recommender systems – these are systems that use algorithms to curate recommendations of content to users.

Proactive tech and relevant AI tools – Proactive technology is defined in the OSA, and essentially covers content identification, user profiling and behavioural identification technologies.

Default settings and geo location settings for children – this covers services’ default settings for children.

Online safety privacy duties – the OSA requires services to have regard to the importance of protecting users from a breach of privacy when setting standards and policies.

Upholding terms, policies and community standards – both the OSA and the ICO’s Children’s Code contain requirements as to a service’s terms and conditions.

These initial Collaboration Themes reflect those on which Ofcom has previously consulted in the context of the OSA, and are expected to evolve over time. Whilst they are not expressly identified as priorities, and each regulator may well have its separate priorities in the online space too, they do show areas that we can expect the ICO and Ofcom to focus on in the coming months. It would therefore be prudent for online service providers to proactively assess their approach in these areas to ensure that they are ready for scrutiny. 

Online service providers who have questions around any of these themes may also want to consider using the new joint advisory service launched by the Digital Regulation Cooperation Forum (DRCF). The DRCF is another example of where the ICO and CMA collaborate (alongside the CMA and FCA). It recently launched its AI and Digital Hub to support innovators by providing informal advice on complex regulatory questions that cross more than one of these regulators’ remit. Therefore, if an organisation has a complex regulatory query which has online safety and data privacy aspects, that organisation could seek to submit this through the hub in order to received co-ordinated and tailored advice from the ICO and Ofcom.