Sign up to save your podcasts
Or
Share The Online Safety Act's tensions with the UK GDPR
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
The Online Safety Act's tensions with the UK GDPR
The Online Safety Act is why you might have been asked for your driver's licence on Reddit, X, and some... other websites. In this video, I explain how the OSA works and how it raises tensions with the UK GDPR.
The OSA applies to "user-to-user" and search services with "links to the UK". This covers websites from social media giants to tiny online message boards.
Through a series of risk assessments, in-scope services must identify and mitigate risks around illegal content and harms to children.
To ensure services enforce their terms and keep kids away from inappropriate stuff, the law requires Ofcom to recommend that they use "proactive technologies", which can include "user profiling technologies".
The ICO released guidance on how to implement these profiling tools last week. For me, the guidance highlights why the OSA puts some service providers in a tricky spot.
The OSA and Ofcom expect profiling technologies to be highly effective. The law's stated aims involve cleaning up the web and keeping kids safe.
The UK GDPR and the ICO expect profiling technologies to be minimally intrusive. Profiling is a high-risk, and can involve very sensitive personal data.
I don't think these goals are contradictory, but OSA-covered services will need to think carefully about meeting their obligations under both regimes.
Highly effective profiling technology might not *need* to be intrusive, but services will always need to find the least intrusive option to meet their aims. This adds an extra layer of complication to an already complicated compliance framework.
Watch this episode of the Privacy Partnership podcast for a quick primer on the OSA and the data protection issues the law raises.
View all episodes
By treborjnametab1The Online Safety Act is why you might have been asked for your driver's licence on Reddit, X, and some... other websites. In this video, I explain how the OSA works and how it raises tensions with the UK GDPR.
The OSA applies to "user-to-user" and search services with "links to the UK". This covers websites from social media giants to tiny online message boards.
Through a series of risk assessments, in-scope services must identify and mitigate risks around illegal content and harms to children.
To ensure services enforce their terms and keep kids away from inappropriate stuff, the law requires Ofcom to recommend that they use "proactive technologies", which can include "user profiling technologies".
The ICO released guidance on how to implement these profiling tools last week. For me, the guidance highlights why the OSA puts some service providers in a tricky spot.
The OSA and Ofcom expect profiling technologies to be highly effective. The law's stated aims involve cleaning up the web and keeping kids safe.
The UK GDPR and the ICO expect profiling technologies to be minimally intrusive. Profiling is a high-risk, and can involve very sensitive personal data.
I don't think these goals are contradictory, but OSA-covered services will need to think carefully about meeting their obligations under both regimes.
Highly effective profiling technology might not *need* to be intrusive, but services will always need to find the least intrusive option to meet their aims. This adds an extra layer of complication to an already complicated compliance framework.
Watch this episode of the Privacy Partnership podcast for a quick primer on the OSA and the data protection issues the law raises.