Does the UK’s Online Safety Act strike the right balance between child protection, privacy, and freedom of expression?

Law Writer
June 15, 2026

This essay is a sample of our Advanced essay writer (Undergraduate 2:1 standard).

Introduction

The Online Safety Act 2023 (OSA) represents the United Kingdom’s ambitious and contentious attempt to regulate the digital frontier. Arriving after a "long and quite tortuous six-year passage from policy development to the statute book" ([onlinesafetyact.net](https://www.onlinesafetyact.net/documents/959/Guide_to_the_OSA_and_its_implementation_-_October_2025_-_web_version.pdf)), the Act establishes a new regulatory framework with the overarching purpose of making the use of internet services safer for individuals in the UK ([legislation.gov.uk](https://www.legislation.gov.uk/ukpga/2023/50/2023-10-26/data.xht)). At its heart is the laudable and politically potent objective of protecting children from the manifest harms present online. However, in pursuing this aim, the Act ventures into the delicate constitutional territory of balancing competing fundamental rights. It explicitly states that the duties it imposes seek to secure not only safety but also that "users’ rights to freedom of expression and privacy are protected" (Online Safety Act 2023, s.1(3)(b)(ii)).

This essay will argue that the Online Safety Act 2023, despite its stated intentions, fails to strike a sustainable and proportionate balance between its primary goal of child protection and the fundamental rights to privacy and freedom of expression. The legislative architecture, centred on a risk-based ‘duty of care’ enforced by the regulator, Ofcom, creates powerful structural incentives for service providers to engage in disproportionate content moderation and privacy-intrusive practices like age assurance. While the Act contains provisions intended to safeguard expressive and privacy rights, these are ultimately subordinate to the overriding imperative to mitigate risk. Consequently, the OSA establishes a framework where rights to privacy and free speech are not treated as foundational limits on state power, but rather as factors to be balanced away in the pursuit of safety. This imbalance stems from a legislative approach that, as some scholars note, focuses on managing the symptoms of online harm rather than addressing its systemic causes ([onlinelibrary.wiley.com](https://onlinelibrary.wiley.com/doi/10.1002/poi3.404)), leading to a regime that risks chilling legitimate speech and normalising a new level of digital surveillance.

The Architecture of Child Protection under the OSA

To evaluate the Act's balance, one must first comprehend the extensive and demanding nature of its child protection framework. The OSA applies to providers of "user-to-user" services (where content generated by one user can be encountered by another) and "search services" with links to the UK ([legislation.gov.uk](https://www.legislation.gov.uk/ukpga/2023/50/2023-10-26/data.xht)). A central pillar of the regime is a tiered system of duties, with the most stringent obligations falling on services deemed "likely to be accessed by children" (Online Safety Act 2023, s.11).

The determination of this likelihood is the first critical step. All in-scope providers must conduct a "children's access assessment" ([ofcom.org.uk](https://www.ofcom.org.uk/online-safety/protecting-children/protection-of-children-duties-under-the-online-safety-act)). If a service is found likely to be accessible by children, a cascade of further duties is triggered. The provider must then undertake a "suitable and sufficient" children’s risk assessment (Online Safety Act 2023, s.11). This is not a superficial exercise; it requires providers to assess the risk of children encountering various categories of harmful content, considering factors from the user base to the functionalities of the service itself. Ofcom guidance specifies that providers must assign a risk level—"negligible, low, medium, or high"—to each kind of harmful content ([ofcom.org.uk](https://www.ofcom.org.uk/online-safety/protecting-children/protection-of-children-duties-under-the-online-safety-act)).

The content is divided into several tiers, most notably "primary priority content harmful to children," which includes material relating to suicide, self-harm, eating disorders, and pornography (Online Safety Act 2023, s.60). The duty concerning this content is particularly onerous. Section 12(3) of the Act requires providers to use "proportionate measures relating to the design or operation of the service" to prevent children of any age from encountering such content. The move from risk mitigation to prevention marks a significant escalation in regulatory expectation. Unlike duties concerning illegal content, this is a duty to prevent access to content that may be legal for adults to view and share.

The practical implementation of these duties is guided by Ofcom's Codes of Practice, which detail "proportionate measures" providers can adopt, covering areas like content moderation systems, recommender algorithms, user tools, and critically, age assurance ([ofcom.org.uk](https://www.ofcom.org.uk/online-safety/protecting-children/protection-of-children-duties-under-the-online-safety-act)). While providers can choose alternative measures, they must be able to justify them as equally effective, creating a strong safe-harbour incentive to follow Ofcom’s lead. This architecture places service providers in the position of front-line enforcers, tasked with assessing, managing, and preventing harms defined in broad terms by Parliament and detailed by the regulator, under the threat of fines up to £18 million or 10% of global turnover.

A Disproportionate Price: The Erosion of Privacy

While the objective of protecting children from harmful content is unimpeachable, the mechanisms chosen to achieve it carry a profound and arguably disproportionate cost for the right to privacy, enshrined in Article 8 of the European Convention on Human Rights (ECHR). The most significant privacy intrusion stems from the Act's reliance on age assurance technologies.

The duty to prevent children from encountering certain types of content logically necessitates a mechanism to differentiate between child and adult users. Consequently, Ofcom’s guidance makes it clear that for services hosting such content, "highly effective age assurance" measures are expected ([ofcom.org.uk](https://www.ofcom.org.uk/online-safety/protecting-children/protection-of-children-duties-under-the-online-safety-act)). This moves beyond simple self-declaration. The Act itself defines "age verification" as using measures to "verify the exact age of a user," although it also refers to the broader concept of age estimation ([onlinelibrary.wiley.com](https://onlinelibrary.wiley.com/doi/10.1002/poi3.404)). Robust age verification can involve the processing of highly sensitive personal data, such as passport or driving licence details, facial recognition scans, or analysis of other biometric information. The widespread implementation of such systems would require millions of adults to "prove" their age simply to access lawful content online.

This constitutes a significant interference with the Article 8 right to a private life. It degrades online anonymity, which, while sometimes abused, is also a crucial enabler for vulnerable individuals, whistle-blowers, and those exploring sensitive identities or political views without fear of reprisal. The creation of vast, centralised or federated databases of age-verified identity data presents an enormous security risk, creating a high-value target for malicious actors. Furthermore, it risks a chilling effect on behaviour, as users become aware that their access to content is tied to their verifiable, real-world identity. A system that requires users to present digital identity papers to browse content fundamentally alters the nature of the internet from an open space of inquiry to a gated community.

The Act’s defenders would argue that the interference is justified under Article 8(2) as being necessary for the protection of health, morals, or the rights and freedoms of others—namely, children. The requirement for measures to be "proportionate" is also baked into the legislation. However, the proportionality of mandating a form of mass identity verification is highly questionable. The "likely to be accessed by children" test is broad and poorly defined, potentially catching a vast swathe of the internet that is not primarily aimed at children but is not strictly adult-only. Critics from organisations such as the Open Rights Group highlight that this threshold puts an extensive burden on services to consider and mitigate risks, pushing them towards the most robust—and invasive—solutions to ensure compliance ([openrightsgroup.org](https://www.openrightsgroup.org/publications/online-safety-act-a-guide-for-organisations-working-with-the-act/)). By obliging platforms to solve this problem, the state effectively outsources a policy of mass identification that would be politically incendiary if pursued directly. The balance struck here appears to heavily favour the aim of child protection at the expense of a universal erosion of privacy for all adult users.

Another Casualty of Safety: The Chilling of Free Expression

In parallel with its impact on privacy, the OSA's architecture poses a substantial threat to freedom of expression, protected by Article 10 ECHR. While the Act contains saving provisions for "content of democratic importance" and "journalistic content" (ss. 17-18), the core mechanics of the duty of care model create a powerful systemic bias towards censorship.

The primary mechanism of harm to free expression is the creation of a strong incentive for risk-averse behaviour by platforms. Faced with duties to assess and mitigate risks of "harmful" content and the threat of crippling fines, a rational commercial actor will not tread the fine line of what is legally permissible. Instead, it will err on the side of caution, removing any content that could conceivably be flagged by Ofcom as contributing to a risky environment. This is the quintessential "chilling effect," where lawful speech is suppressed not by direct state prohibition, but by a regulatory environment that makes hosting it too risky. Platforms are transformed from neutral conduits into proactive arbiters of acceptable speech, guided by a desire to minimise regulatory liability above all else.

This problem is exacerbated by the vagueness of the content categories that platforms must manage. While "illegal content" has a basis in existing criminal law, the categories of content "harmful to children" are far broader and more subjective. The "primary priority" category includes material that is "indirectly" encouraging suicide or describing methods of eating disorders ([ofcom.org.uk](https://www.ofcom.org.uk/online-safety/protecting-children/protection-of-children-duties-under-the-online-safety-act)). Deciding what content falls into these categories is an inherently subjective exercise. A documentary about anorexia, a support group for people with depression, or even news reporting on a tragic event could all be construed as falling foul of these definitions.

For an interference with Article 10 rights to be lawful, it must be "prescribed by law," pursue a legitimate aim, and be "necessary in a democratic society." The OSA's framework is arguably deficient on the first and third limbs. The broad and ambiguous definitions of harmful content, with the details left to Ofcom's Codes of Practice, may not meet the ECHR's requirement for legal certainty and foreseeability. Users and even platforms themselves cannot know with sufficient clarity what speech is permitted and what is not. Furthermore, a system that incentivises the wholesale removal of legal-but-controversial content by private entities, without robust, transparent, and timely appeal processes, is unlikely to be considered a "necessary" or proportionate means of achieving the legitimate aim of child protection. The Act's purported protections for freedom of expression (s.1(3)(b)(ii)) risk becoming hollow assurances, structurally overwhelmed by the proactive and punitive duties to ensure safety.

A Flawed Balance: Systemic Failures and Delegated Power

The imbalance within the OSA is not merely an unfortunate side-effect; it is a product of its fundamental design philosophy. The Act represents a "systems-based" approach, seeking to regulate the design and operation of platforms to make them safer. However, as Lorna Woods and Martin Husovec argue, the Act remains hampered by a "legacy focus on content controls" ([onlinelibrary.wiley.com](https://onlinelibrary.wiley.com/doi/10.1002/poi3.404)). Rather than tackling the root causes of harm amplification—such as the engagement-maximising algorithms at the heart of platform business models—it focuses on a downstream solution of identifying and removing problematic content. This approach inevitably pits the desire for safety against the rights of users whose content and data are being policed.

This focus on content-level symptoms obliges platforms to build vast apparatuses for monitoring, filtering, and moderating—precisely the activities that create friction with privacy and free expression. The Act's safety duties are proactive and continuous, whereas the protections for rights feel reactive and aspirational. A platform’s legal team will advise compliance with the clear, enforceable duties to avoid fines, not heroic defence of a user's borderline speech based on a vague statutory nod to "democratic importance." The balance is thus structurally pre-determined in favour of risk mitigation.

Furthermore, the Act's extensive delegation of power to Ofcom is a source of significant concern for the constitutional balance. Parliament has set out the broad principles, but the substantive detail of what compliance looks like—the specific metrics for risk, the required functionalities of moderation tools, the standards for age verification—is being developed by a regulator through Codes of Practice and guidance ([onlinesafetyact.net](https://www.onlinesafetyact.net/documents/959/Guide_to_the_OSA_and_its_implementation_-_October_2025_-_web_version.pdf)). While this provides necessary flexibility, it also means that crucial policy decisions affecting fundamental rights are being made by a non-majoritarian body, albeit one subject to parliamentary oversight. This raises questions of democratic legitimacy. When the definitions of permissible speech and the requirements for online privacy are shaped by a regulator's interpretation of "proportionality," the rule of law is stretched, and accountability is diffused. The Act entrusts Ofcom with the near-impossible task of finding the "right balance" on a case-by-case basis, a task that arguably should have been more clearly delineated by the legislature through firmer statutory safeguards for rights.

Conclusion

The Online Safety Act 2023 was born of a genuine and pressing need to address the harms, particularly to children, that have flourished in the largely unregulated online world. In this, its ambition is commendable. However, in its final form, the Act fails to strike a just and sustainable balance between this objective and the fundamental rights to privacy and freedom of expression. Its core framework, the duty of care, creates a regulatory environment where service providers are heavily incentivised to over-censor lawful content and deploy privacy-invasive technologies to a degree that is disproportionate to the risks they are intended to mitigate.

The Act’s structural design prioritises the goal of child protection to such an extent that privacy and free speech are demoted from fundamental rights to mere factors in a risk management calculation. The requirement for widespread age assurance threatens to create a system of digital surveillance, eroding the anonymity that fosters open inquiry and protects vulnerable users. The pressure on platforms to police vaguely defined "harmful" content will inevitably chill legitimate debate and artistic expression, outsourcing censorship to private corporations whose primary motivation will be regulatory compliance, not the defence of expressive freedom. While the Act pays lip service to protecting these rights, its mechanics work against them. A truly balanced solution would require not just a mandate to consider rights, but firm statutory limits on interference, greater legal certainty, and a more direct legislative engagement with the algorithmic systems that drive harm, rather than an over-reliance on content moderation. As the OSA’s implementation proceeds and Ofcom’s enforcement powers come fully into force, the UK may discover that in its quest to make the internet safe, it has inadvertently sacrificed some of the very freedoms that make it valuable.

References

  • legislation.gov.uk (2023) [Online Safety Act 2023](https://www.legislation.gov.uk/ukpga/2023/50/2023-10-26/data.xht). Available at: https://www.legislation.gov.uk/ukpga/2023/50/2023-10-26/data.xht.
  • Ofcom (n.d.) [Protection of children duties under the Online Safety Act](https://www.ofcom.org.uk/online-safety/protecting-children/protection-of-children-duties-under-the-online-safety-act). Available at: https://www.ofcom.org.uk/online-safety/protecting-children/protection-of-children-duties-under-the-online-safety-act.
  • Open Rights Group (2024) [Online Safety Act: A Guide for Organisations Working with the Act](https://www.openrightsgroup.org/publications/online-safety-act-a-guide-for-organisations-working-with-the-act/). Available at: https://www.openrightsgroup.org/publications/online-safety-act-a-guide-for-organisations-working-with-the-act/.
  • Simmons & Simmons LLP (2023) [A GUIDE TO THE ONLINE SAFETY ACT AND ITS IMPLEMENTATION: TWO YEAR ANNIVERSARY EDITION October 2025](https://www.onlinesafetyact.net/documents/959/Guide_to_the_OSA_and_its_implementation_-_October_2025_-_web_version.pdf). onlinesafetyact.net. Available at: https://www.onlinesafetyact.net/documents/959/Guide_to_the_OSA_and_its_implementation_-_October_2025_-_web_version.pdf.
  • Woods, L. and Husovec, M. (2024) '[Treating the symptoms or the disease? Analysing the UK Online Safety Act's approach to digital regulation](https://onlinelibrary.wiley.com/doi/10.1002/poi3.404)', Policy & Internet, 16(2), pp. 200-218. Available at: https://onlinelibrary.wiley.com/doi/10.1002/poi3.404.
