Public Accounts Committee
Oral evidence: Preparedness for online safety regulation, HC 73
Wednesday 6 December 2023
Ordered by the House of Commons to be published on 6 December 2023.
Members present: Dame Meg Hillier (Chair); Sir Geoffrey Clifton-Brown; Mr Jonathan Djanogly; Ben Lake; Nick Smith.
Louise Bladen, Director, NAO, Ed Pinney, representing the Treasury Officer of Accounts, and Kate Mathers, NAO, were in attendance.
Questions 1-89
Witnesses
I: Sarah Connolly, Director for Security and Online Harms, Department for Science, Innovation and Technology, Dame Melanie Dawes, Chief Executive, Ofcom, Sarah Munby, Permanent Secretary, Department for Science, Innovation and Technology and Jessica Smith, Principal for Online Safety, Ofcom.
Report by the Comptroller and Auditor General
Preparedness for online safety regulation (HC 1660)
Witnesses: Sarah Connolly, Dame Melanie Dawes, Sarah Munby and Jessica Smith.
Chair: Welcome to the Public Accounts Committee on Wednesday 6 December 2023. Today we are looking at online safety regulation, which is very timely, given that the Online Safety Act 2023 received Royal Assent in October. This session is reconvened from around then, when prorogation happened; we had to move the meeting to today. That has given us and Ofcom time to get a bit further on. We are pleased to see that certain information has now been released by Ofcom, so we will be able to take it a bit further than the very useful National Audit Office Report, which lays out all the challenges. As well as looking at how Ofcom and the Department are dealing with the challenges of the Act, it is also an object lesson in how a regulator has to gear itself up for a major new piece of legislation, expanding in size and cost and dealing with something that is, frankly, world-beating and groundbreaking—the sort of thing that sends a chill down the spine of the Public Accounts Committee, but hopefully a real lesson for Whitehall on what goes well and what does not. If we have time, we want to go into some of those wider lessons as well.
I would like to welcome our witnesses today. We have Dame Melanie Dawes, who is the permanent secretary—sorry, the chief executive of Ofcom, but who has been a permanent secretary in the past. Forgive me, Dame Melanie. We also have Sarah Munby, the permanent secretary at the Department for Science, Innovation and Technology—I got that right, with all these new titles. She was previously at the Department for Business, Energy and Industrial Strategy, and moved when the Departments changed. She is here with Sarah Connolly, the director for security and online harms at the Department for Science, Innovation and Technology, who has been involved with the internet and online issues since before this role—is that right, Ms Connolly?
Sarah Connolly indicated assent.
Chair: We also have Jessica Smith, who is accompanying Dame Melanie Dawes, and is the principal for online safety at Ofcom. She deals with these issues day to day and is very much shaping this new agenda. A very warm welcome to you all.
Before we go into the main session, Sir Geoffrey has a couple of questions for you in particular, Dame Melanie. I think he has alerted you to the issue. Over to you, Sir Geoffrey, the deputy Chair.
Q1 Sir Geoffrey Clifton-Brown: Good morning, everybody, and particularly Dame Melanie. Ms Munby, I wrote to your Secretary of State, who very kindly replied. To set the issue out very briefly, there is a particularly beautiful Cotswolds AONB village that has hardly a pole in it—it is quite unique—and already has a Government-subsidised ducted broadband system installed by Gigaclear. The problem is that it was not required to use ducts big enough for an alternative system to be put in place. The regulations allow an alternative broadband provider to come in almost without needing to get any planning permission—it is a permitted development. Both the county council, in terms of highways, and the district council, in terms of planning, have confirmed to me that their powers to stop this happening are almost non-existent. I had a public meeting, and the villagers are absolutely up in arms about this.
There are two or three issues that need to be addressed. First, Ms Munby, the Secretary of State kindly said that Ofcom should look at this. You have emergency powers to stop this, or at least put a hold on it. I had a public meeting on the Friday, and by Monday morning, this very aggressive company, Full Fibre, had already started erecting poles. You have powers to stop this. I think this is going to become a national problem: more and more companies are going to do this. First, I ask you again if you would consider looking at your powers to stop this happening, at least until everybody can be satisfied that it is absolutely necessary.
Secondly, on competition, it seems to me that the priority, certainly in rural areas, ought to be getting broadband rolled out full stop, let alone trying to provide competition. Would you look at making anybody who uses Government subsidy to put in any sort of ducted system make it big enough to accommodate an alternative provider to provide competition? Additionally, I know it is probably not within your remit to talk to the Department for Levelling Up, Housing and Communities about planning, but it is perhaps in Ms Munby’s remit. I think this should be removed from permitted development and subject to full planning control, so that people in a village like mine at least have some say in the process. That was part of the anger—real anger—at the meeting: they really had no say in the process, yet they were going to have these poles, often very close to their house, lighting their living room without them having any say in the matter.
Dame Melanie Dawes: Thank you for raising the issue. I am well aware that that you wrote to me a couple of weeks ago, and because you have asked us very specifically to consider using our powers, we are looking into that right now. I do not want to comment on what action we might take. Perhaps, I can just comment more generally on the issues.
You are right that the Government have introduced permitted development rights to facilitate the roll-out of fibre, which, at national level, we can absolutely see needs to happen and is happening. At national level, Ofcom’s framework does support competition because we think that that is a really good overall framework within which the operators will then get moving, and it has worked—they have got moving. That is at the national level, but I can completely understand the issues for your constituents at this local level.
On the sharing of ducts and poles that are already there, as you know, that is a requirement on Openreach but not on other providers. It is one that is working, and we have 29% of poles and around 35% of ducts being used by other operators—those are the percentages of Openreach’s infrastructure. The ducts are the passages in the ground and the poles are the things that we are familiar with that we see in the streets. That efficiency and indeed reduced disruption to the public is bearing fruit on Openreach’s network.
As you said, it does not apply in your area because there are two smaller networks that are rolling out fibre in this particular part of your constituency—in one case it has already been rolled out, and in the other case the network is trying to roll it out. We have heard the issues, but I am not sure whether we can do anything. The permitted development rights mean that the decision on whether to roll out a new system is not something that I believe we can dispute, but how they do it and whether they do the consultation properly is definitely covered. We are looking at this now, and I will get back to you as quickly as I can.
Q2 Sir Geoffrey Clifton-Brown: Chair, I know that we do not want to spend too long on this ahead of the main inquiry, but I have a brief question to both witnesses. In your case, Dame Melanie, if taxpayers’ money is being used to subsidise the installation of a broadband system, surely, in the interests of competition, you could insist that the ducts be big enough to take an alternative provider?
Dame Melanie Dawes: That would be a question for the Government. I do not know whether taxpayers’ money is involved in either of these two operators’ plans and actually—
Sir Geoffrey Clifton-Brown: Well, not in the second, but in the first—Gigaclear—underground ducts were definitely involved.
Dame Melanie Dawes: That would be a condition that the Government put in place for the contracts. In this case, I think it will be an historical contract, but I am not sure about that. We can take that one away. I do not know whether Sarah wants to comment?
Sarah Munby: I do not know the details of the specific contract that we are discussing. I am very happy to look at it, as Melanie describes, and I completely understand the concerns that you are outlining. At the same time, we also need to be cautious about making roll-outs that, as you say, people urgently need more expensive. That is the balance that we are seeking to draw here, but I am very happy to take that away and reflect on it.
Q3 Sir Geoffrey Clifton-Brown: There are two issues here really. First, the competition aspect and ducts—if you could look at that specifically. It seems that, had that been the case, we would not have needed all these poles for the alternative provider, because they would have simply been able to shoot their fibre through the existing ducts. Secondly, on the planning aspects, even if it is going to be permitted development, could you look at and recommend perhaps, if you feel it is appropriate, making recommendations to the Department for Levelling Up that, even under permitted developments, the local planning authorities have a little bit more power to impose sensible conditions?
Sarah Munby: I am very happy to look at that. I think the balance that we need to draw there is ensuring that, through whatever we do through planning, we do not slow down the roll-out. I completely understand that—
Sir Geoffrey Clifton-Brown: Well, this happened from a Friday public meeting to the Monday morning. That is how aggressive this company was.
Sarah Munby: Understood.
Q4 Chair: Thank you, Sir Geoffrey. I think that you have understood the strength of feeling there. As Sir Geoffrey says, maybe it is the canary in the mine for some of the challenges—balancing planning versus the need for broadband.
We now move into our fascinating main session. As I said at the beginning, it is timely for us to be looking at this topic. We are also trying to get ahead of what is now realistically going to be 2028 before the full cost recovery, and lots of the changes will actually be seen towards the end of the next Parliament. It is interesting when you look at the timeline; 2020-2028 is a long programme before we are really even bedding in the full process. We appreciate where we are at. We want to be looking very closely at what you have done up until now, Dame Melanie, and as outlined in the National Audit Office Report, picking up on issues since the Act was passed, but also looking forward a little bit if we have time. You have been working on this since 2020, so you had prior notice, but the legislation was obviously delayed because it was quite challenging to deliver. Can you explain first what you had to think about three years ago, and secondly what the impact has been of the delays to the Act? Presumably some of it has been good, because you have had more time to prepare; on the other hand, that has driven up your costs. Can you take that question first, Dame Melanie? Then perhaps Ms Smith can add some thoughts.
Dame Melanie Dawes: We have had a close and collaborative relationship with the Department throughout. I should pay credit to Sarah Connolly and her team in particular. Sarah has been there throughout, and that has made a huge difference. The expertise is there in the Department.
What we had to do in 2020 was start from scratch. Nobody has really regulated in this space in the way our Parliament has legislated for. There are some other regulators internationally, but they are not doing what we are now planning to do on this scale and with this ambition. We had to start by researching the harms—that is where we always start at Ofcom. What does the consumer think? What is the experience of young people? What is the experience of adults? We had to think about what solutions there were to harm done online, how it was currently being tackled and how it was being measured. We set up a programme of engagement with some of the bigger platforms, and then we had to start to think about solutions and to research what best practice was so that we would be able to produce some codes. Through all that, we had to recruit and gather expertise.
Looking back, although the delays to the timetable, and indeed the changes to the scope of the Bill, created quite a challenge for us in staying on track, on the other hand I think it was actually probably quite helpful that we had that extra time. Because we were already, I believe, an effective regulator—we had good legal and economics, and some technology expertise; a lot of people with expertise of starting regulatory systems from scratch—we were able to move quite fast. That said, having a bit more time helped us to be readier on day one—we have come out with two consultations already—than we would otherwise have been. Although the costs before Royal Assent are higher than they would otherwise have been, a lot of the work that we have done in the past three years would have come later; it is just a question of timing. We wouldn’t have moved as fast. So I am not sure it is a higher cost—it is largely just a shift of the work from after Royal Assent to before Royal Assent.
Q5 Chair: Is there anything you want to add, Ms Smith? Presumably, it has been an exciting time to be at Ofcom.
Jessica Smith: It has been a very exciting time. I would add that the Bill grew in scope through its passage, as well. Additional duties were added on, such as the inclusion of provider-published pornography, which we launched a consultation on yesterday. As the duties increased, we had to reflect that in the scope of our preparations as well.
Q6 Chair: Ms Connolly, you have also been steeped in this for some time now. As we have heard, the Act was extended, and there was a lot of political debate about it. We are not here to discuss the policy, but there is a huge impact from that on the regulator. Using your experience in a Department, how, when you are making the policy, are you thinking about the impact on the regulator and the funding that Ofcom will need to do things that have increased in scope?
Sarah Connolly: I have been involved for quite a number of years at this point. I have two reflections, I suppose. Once Ofcom was confirmed as the regulator, we consciously worked closely; we have had governance structures in place for years, but on a day-to-day basis the teams worked well together, in part to manage the pressures that we knew we would face, and indeed did, through the passage of the Bill. So we were well equipped to understand, as that was happening in real time, what it would do to Ofcom’s ability to regulate and the speed with which it could regulate.
Secondly, we also all understood that we wanted to be as ready as we possibly could be on the day after Royal Assent, and Ofcom was. That is partly because we were very focused on trying to do everything we could to make sure that that was the case, including providing funding as early as we did.
Q7 Chair: You say, “Once Ofcom was confirmed as the regulator.” From the outside, it seems apparent that Ofcom was the right place for this regulation to be, but did you at any point consider setting up a separate regulatory system?
Sarah Connolly: Yes, of course we did, because the right thing to do is to work through all of the options. So yes, we did, but Ministers came to the conclusion relatively early on in the process that Ofcom was the right place.
Q8 Chair: Finally on this point, Dame Melanie, when you became head of Ofcom, this was in the ether. You were appointed chief executive and now your empire has grown considerably as a result of this. What has been the challenge for you and your top team? You mentioned recruitment and planning, but do you want to expand on that?
Dame Melanie Dawes: Yes, I was appointed when Ofcom was not quite confirmed. The Government said they were minded to make us the regulator. That full confirmation did not come until December 2020. It has been a challenge because it has been a major programme of work and preparation, and it has involved a very big recruitment programme, but that has been an opportunity for us at Ofcom to improve the overall shape and make-up of the organisation. We now have a workforce that is more spread across the country and has more people who have come from technology companies. We have been able to grow our tech and data expertise, which will help us in our other functions as well. We have gone from around 950 people to what will probably be around 1,500—about a 50% increase in our overall headcount. It does not make us as big as some other regulators, including the Financial Conduct Authority, but we are clearly a sizeable organisation. It is one that I think is manageable and, as I say, it is more diverse in every single way than it was three years ago.
Q9 Chair: You have had this extra time to prepare pre the Bill, but the date for the regulatory regime has slipped from 2025 to 2026. We will talk about the impact that that might have on the fees coming in. Given that you have had longer to prepare, why has it slipped? What has been the main reason for that?
Dame Melanie Dawes: The commitment in the Bill that we will stick to is that the protection of children and the illegal harms parts of the Bill will be in place 18 months after Royal Assent. That takes you to the end of April 2025. If the Bill had been enacted sooner, the 18 months would have had to be longer because we would not have been as ready. That 18 months is the bare minimum you need to have a sequence of consultations to come out with the proposals, to reflect on those, to hear the evidence and then to come back and pass those to the Secretary of State. That is a minimum requirement. Some of it will happen sooner than 18 months. The illegal harms codes that we published a few weeks ago could happen within a year, provided that the responses do not turn our work upside down in a way that we are currently not predicting. That should happen within 12 months or thereabouts. That is about as quick as it could be, to be honest.
Q10 Chair: Obviously service providers of different sizes will have slightly different regulatory regimes. Some of the smaller ones are quite worried about the burden. In fact, some of the big ones have given us evidence and been public about what they consider a burden. When will they know where they fit and what they will have to do to comply?
Jessica Smith: There are two things to say on that. We are working really hard to make our consultations as accessible as they can be. We have various online tools, such as scope checker, to allow services that are smaller and do not necessarily have the resources to check very quickly whether they are in scope of the regulations. We are also working with trade bodies such as Trade UK to make sure that we can reach some of the smaller services, so that they can participate fully in our consultations.
As for when services will know where they are on categorisation—there are additional duties in the Bill for category 1 services, which are some of the largest and furthest-reaching services—a process for establishing that is set out in the legislation. We need to do research, which we are currently undertaking, to provide advice for the Secretary of State, so that they can make regulations to establish the thresholds for inclusion in the categories. We intend to provide that advice by the end of February, four months after Royal Assent. The Secretary of State will then make the regulations, and we will publish the final register of categorised services by the end of next year.
Q11 Chair: You are hoping to get the secondary legislation through. Obviously, we have an election next year, but timings will allow for that, you think. In February, you hope to have that through.
Jessica Smith: Yes. We are actively planning around that, and we expect that we will still be able to do this.
Q12 Chair: But if there is a delay in the election—that is entirely out of your hands, and ours—there would presumably be a delay in providers meeting your regulatory requirements.
Jessica Smith: We are planning around different election scenarios, and we think we will be able to do this by the end of 2024. If something happens and we are not able to do it, that will affect only those additional duties on categorised services, so the illegal content and protection of children duties will still apply to all services in the regime.
Q13 Chair: So the two priority areas will be unaffected, but it is not impossible to have a scenario where that secondary legislation comes in right at the end of next year, because of when the election is. Also, lots of things happen around elections; things may not not go smoothly afterwards. That would risk putting back some of the other regulatory requirements.
Jessica Smith: That is a risk, yes.
Q14 Chair: It is worth having that on the record, though it is out of your hands. Some of the providers have said that they are worried that you will ask them for information that it is hard for them to gather—that you are asking for the wrong thing. We often see this on this Committee. Whitehall wants some data—we are all very keen on data—but the providers say, “This is not easy for us to collect,” or “You are putting more of a burden on us than you should.” How are you engaging with them, to try to bridge that gap? Indeed, is there a gap? Do you agree with the people who say that?
Jessica Smith: There are two things to say on that. First, we have stood up our supervision teams, which are actively engaging with services now, so there is a single point of contact.
Q15 Chair: But that is for the big providers, isn’t it?
Jessica Smith: For supervised services, which is a representative sample of providers, so it includes big providers, but also some of the smaller providers, including some of the pornographers and other services that will be in scope of the regime; it is not just the big providers. That is a really important source of information for us, so that we can understand the impact of what we are putting out, and how it affects different services.
The second thing to say is that we have our information-gathering powers, and we will issue requests for information to services. That will be co-ordinated very carefully, so that we are prioritising the information that is required, and taking account of the burden on services.
Dame Melanie Dawes: This is one of the benefits of our preparation. We were able to run what we call platform pilots with a number of the bigger platforms over the last few years, so that we have an understanding of the kind of data that they typically collect, which is good in some respects but does not cover some of the things that we, the regulator, will be looking for. That time spent understanding what they do will inform the way that we seek information from them.
It is important to say, as Jessica did, that risk will guide what we do. The supervised services that we have chosen are representative of the industry, but they include some smaller, riskier providers that we are aware of, as well as the big platforms. We will not ask large numbers of smaller companies for information at this stage, because that would probably not be proportionate. We will focus on what we need to get the consultations right, and to gear up for the biggest and riskiest compliance issues once the codes have taken force.
Q16 Chair: A huge challenge in this legislative area is that a lot of these providers are not UK-based. We, as consumers, can all access providers across the world. Ms Smith, how will they know that they have to comply with UK law on this? How are you reaching out to them?
Jessica Smith: This is a challenge of which we are very cognisant. As you say, many of the larger services, and lots of the smaller services, are based outside the UK. We are still able to make contact with those services and to reach out to them, and our teams are doing a fair amount of international travel. We still believe that we can set up productive working relationships with many of the services we are supervising.
Q17 Chair: In a way, this is just a challenge of the legislation. It will be interesting to see, over time, how this is managed.
Dame Melanie Dawes: It is a challenge to do with the nature of the problem. This is an international industry. Hardly any of the companies are based in the UK—some are, but most are not—but their obligations are very clear in UK law, if they want to provide a service to UK consumers. It is unusual for a regulator to regulate foreign-based companies. In the past, we have regulated the telecoms and media companies that we know and love and that were based in the UK, so this is different.
Engagement with many across the industry has been constructive so far. Looking at the international context, when I talk to the bigger platforms, they like the UK regime, because they know that we are independent. We are not part of the Government or the civil service, and we have a track record of using evidence. The legislation is based on systems and processes, which gives them flexibility in what they deliver. There is a good balance in what Parliament has legislated for. We have high-level ambition—really different expectations of these companies—but also the right kind of flexibility in how the companies do this, and the regulator has the right experience to make it work. This is not an easy job, but I think it can work, and we are bringing all the experience we have to bear.
Chair: I am aware of time, so I will bring in Ms Connolly. I think it will be interesting for the Department to pick this point up, and to hear from it.
Sarah Connolly: I really support what Melanie has said, particularly on international engagement. I know that Ofcom is doing a lot of it. The Department has also done a lot, including in the early days, when we were beginning to think about the policy development. It is not a coincidence that quite a lot of the nascent legislation in this space, particularly around Europe and in Ireland and elsewhere, looks and feels quite a lot like the Online Safety Act. We recognised quite early on that it was a global problem, and the more that we could come up with an international approach, the easier it was for the companies and the more effective the regulatory approach.
Chair: That is heartening to hear, because often Whitehall does not work internationally, so it is interesting that that has been happening. Thank you very much indeed.
Q18 Mr Djanogly: Dame Melanie, you touched on the response you have been getting from service providers. Could you go into a little more detail on what you have been asking them, and on the feedback you are getting in terms of their size? I know you will be monitoring some more than others.
Dame Melanie Dawes: We launched our first two consultations—one yesterday on the requirements on commercial pornography providers to ensure age verification at age 18. The language used in the Act is “highly effective” age verification. Prior to that, in early November, there was our first blueprint for what needs to happen to tackle illegal harms. It is a bit early to know their reactions. We have a three-month consultation on each of those, but over the next few months we will gauge the true reaction to the detail of our proposals. I cannot really give you any information on that at this point.
More generally, I think that big companies, such as Google, Meta and TikTok, know that regulation is coming. It has come in the EU as well. They know that things have to change, and they have been constructive in wanting to talk to us and explain what they do already. This is not a blank sheet of paper; the industry does do things in this space. It is just that they are not enough and not consistent. For example, things like scanning for child sexual abuse imagery happens in some parts of the industry, such as on social media and on the bigger platforms, but it does not happen on the file-sharing platforms. It is very rare for pornography sites to be using that kind of widely available technology.
The job we have to do—this is really what was behind our blueprint—is to take what the industry is already doing, put the evidence behind it, and then get everybody doing it, in order to raise the bar and raise the standard. That is the first step for us as the regulator. What we are proposing is quite practical. Most of it is tested already, and most of it is not necessarily that expensive. We are being risk-based, so we are not requiring the same things of smaller platforms as we are of the biggest platforms, where the UK public spend most of their time and where the risks are greatest. We are trying to make sure that this works for the industry, while also raising standards and delivering for the public. I am not sure I have quite answered your direct question. I think I have given you more of a general explanation.
Q19 Mr Djanogly: I think you have, but you seem to be portraying very positive feedback. I am looking at the NAO Report; paragraph 3.10 says, “However, several industry representatives expressed concern about the potential burden of compliance and the demands this would place on their resources.” That was in July. I do not know what “several” means, but is that still the case? Are you still getting negative feedback?
Dame Melanie Dawes: There will definitely be some companies who do not feel that this is something they can manage.
Q20 Mr Djanogly: Can you quantify that to me?
Dame Melanie Dawes: We will do everything we can to make it manageable and to be proportionate, but this is a change. There has not been regulation before. This is going to increase costs overall across the industry, obviously for good reason. Our job is to get that balance right.
Q21 Mr Djanogly: Can you be more specific about numbers and size, and what the companies are saying they do not like?
Dame Melanie Dawes: Some of the concern has been around specific issues. It was as much to do with issues such as encryption or specific service design features; there was quite a lot of debate in Parliament about where the line should be drawn. Probably, the debate that the NAO was hearing there was partly about the design of the legislation. Some of it will just have been a fear that regulation means that they will be required to do things that they are currently not required to do, and about how they will manage that.
Even quite big platforms, such as Signal, have probably fewer than 100 staff. As a regulator, it is important for us to recognise that the capability is not there yet, but it is also right for us to say, “You need to put some of that in place.” As we have regulated some of the video-sharing platforms already, we have done this with some quite small companies, such as BitChute. We have made sure that they have resources in place that they did not before. That is partly what needs to happen.
Sarah Munby: We are now, of course, entering a very different phase. Up until recently, this has been legislation under active debate in Parliament. Many different groups, including those who will be regulated, have quite rightly had all sorts of views about the direction of the legislation. It has changed during its passage, as the Chair said. All that has been kind of live. From an industry point of view, it is a really helpful step to now have clarity about where we have landed and, increasingly from what Ofcom are putting out, clarity on the specifics of what is required of whom. This now turns into practice and routine, and will ultimately become as much a part of the operating model as our other well-established regulatory regimes are.
Q22 Ben Lake: Dame Melanie, we received quite a bit of evidence from various companies, and the point was made that smaller organisations might feel a burden differently from larger organisations. Are you tailoring your approach at all to recognise that fact, and if so, how?
Dame Melanie Dawes: We are. The blueprint we set out at the beginning of November has different requirements for the biggest and riskiest companies, and for the smaller ones. It is important to bring in risk as well as size. For example, some quite small platforms can be a very good environment for perpetrators to share child sexual abuse imagery in. Child grooming is a very important focus for our first consultation; sometimes, a perpetrator will find a child on a mainstream site and then move them to a smaller site, where the safeguards are not in place. We have set out proposals that vary depending on size, but also on the degree of risk on the platform. The smaller platforms will need to see what the risks are, and if they do have risky features and functionalities, they will need to address that.
Ben Lake: Thank you. I will return to that point later.
Q23 Sir Geoffrey Clifton-Brown: Dame Melanie, I think you were absolutely right to focus on the risk, rather than the size of the company. In this highly technological world, everything is much more mobile and—following up on the Chair’s question—a lot of these providers are not based in this country. They will be small and mobile. They will move, and they may have one or two people controlling them. How, realistically, can you regulate those sorts of organisations?
Dame Melanie Dawes: This is a very challenging job. I would not want in any way to leave the Committee with a sense that we are complacent about this. We will have to use data and automation to understand the industry and to assess risk, and those are two slightly different steps.
We are already using data and automating our understanding of it to understand the industry, and things like where children are spending their time, and what the different patterns across the sector are. We have databases with millions and millions of apps, services and websites, which we are analysing, so that we can understand where the risks are, because of course most of the internet is not providing user-to-user services, search services or pornography services under the scope of the Bill.
That is the first step: understanding the nature of the industry that we are regulating. That is work that we are already doing. We will then have to develop systems for flagging risk. We will do that in two ways—first, by using people who are out there on the frontline already. That is companies such as the Internet Watch Foundation and the NSPCC, and law enforcement agencies in the UK and internationally, such as the National Crime Agency and its international counterparts. They understand, given their areas of expertise, where the risks are moving, because the true crime here is highly international—
Sir Geoffrey Clifton-Brown: And mobile.
Dame Melanie Dawes: Highly international and highly mobile, as you say, Sir Geoffrey. But there is expertise out there already, and mobilising it, bringing it together and working with other regulators—this is why we set up a global network of regulators from Ofcom—is part of what we need to do. We will also need to develop techniques for automating our understanding of risk. We are looking at how we can automate a system that allows us to go in and check whether there is age verification on pornography sites, for example, and how we can use large language models to analyse terms and conditions, so we can go straight to the companies that do not even have a policy on terror and illegal hate speech, let alone the right systems and processes to address it.
Using data and using trusted partners is how we will try to understand overall where risk is moving. We are already doing some of that, and some of it is very much in development, because this is not really what the industry does itself at the moment, at a system level. It looks at rather different things in its own companies.
Sarah Munby: If I may add an obvious but important point, the Act does not change the criminal law, or the law enforcement activities that form an important part of tackling what you are talking about. Indeed, it strengthens the obligations on platforms to report child sexual exploitation and abuse, so it is aiming to make things easier for law enforcement, which will always be an important partner when you are talking about the very highest risk and most criminal activity.
Q24 Sir Geoffrey Clifton-Brown: May I come to you, Ms Smith? Following on from your conversation with the Chair about timing, when will individual internet users, particularly parents, start to notice a difference? I understand the difficulty with secondary legislation, consultation and everything else, but when, realistically, will the ordinary internet user notice a difference because of this Act?
Jessica Smith: We have set out our timelines for the implementation of the various codes of guidance that we need to produce. There are a lot of individual deliverables for Ofcom. We said when we issued our first consultations that this is our blueprint for action—practical steps that services can take to protect users. There is no reason why they cannot take them now. The obligations are very clear, and the steps we have set out are extremely practical. The duties will be fully enforced in 18 months’ time. If they want to get ready, they can start to do that now.
Q25 Sir Geoffrey Clifton-Brown: Absolutely; they have an obligation now. Can I take you to a case that has had recent publicity? This was a site on how to commit suicide. What powers do you have now, and what powers will you have under the Act, to get that site taken down?
Jessica Smith: This was a particularly egregious case, and it was a really commendable piece of journalism by the BBC and others that brought it to our attention. We made contact with the site in question. They kept a banner at the top of their site about their attitude towards compliance with the legislation, and we contacted them on that basis. We will approach services with an engagement-first attitude. We would not normally move straight to an enforcement case, especially given where we are in the implementation of the regime.
We managed to make contact with the site in question, which was not particularly easy because they were extremely small and not based in the UK. They then changed the banner and announced that they were blocking users from the UK. That is a situation that we will continue to monitor. There will be sites and services that choose not to comply with the Online Safety Act and the requirements that we have set out in our codes and guidance. We have a suite of enforcement powers that we can use, but we are not currently in a position to use them until everything is fully in force.
Q26 Sir Geoffrey Clifton-Brown: Can I move on to another aspect? Under the Act, you will only be able to receive complaints from organisations about systematic abuses arising from service providers and impacting on online safety. You have no specific powers to take action or compel regulated service providers to take action on individual pieces of content or to get providers to offer redress to individual users on a case-by-case basis. One of the weaknesses of the system is that the public out there, at the moment, have expectations about making a complaint. You say that they should make it first to their service provider. If the service provider then declines to do anything about it, they can make a complaint to you and you do something about it. But that isn’t the case, is it?
Chair: Do you want to explain how the online complaints portal will work? As Sir Geoffrey said, people might think they will get a response but from what we are reading, you don’t. Do you want to just pick that up in the answer?
Jessica Smith: To set out what is required, first, the illegal harms consultation contains measures on how services should handle complaints. It expects services to make it easy to complain about particular pieces of content, that they communicate effectively with the user who has complained and that they take action on the basis of complaints where they find that the complaint is justified. We set very clear expectations about how services should approach individual complaints. Our contact centre will be set up so that users are able to submit complaints to Ofcom. What we are not able to do and what we are not resourced to do is to act on individual complaints. That is not to say that that is not a really important source of data for us as part of the early warning and risk-flagging systems that Melanie was talking about earlier. We will look at the data that comes into us on individual complaints through our contact centre.
Secondly, the Act needs to allow for super-complaints. Certain organisations will be designated as having the ability to collate lots of complaints about either a particular platform or issue, and to submit a super-complaint to us. That is something that we can then take action on ourselves.
Finally, once the Act is fully enforced, we have a duty to review the user redress mechanisms and the complaints mechanisms that exist across the industry. Then we need to produce a report on that that we can submit to the Secretary of State so they can decide whether further action is needed on individual complaints.
Q27 Sir Geoffrey Clifton-Brown: The Chair kindly intervened in my question to mention your online complaints portal. I would be interested to know how many complaints you would get on that portal before you took action. Would it be 10, 100 or 1,000? Some egregious site is set up, the internet provider refuses to take it down and you get flooded with complaints. At what level would you start to take action? What is the threshold?
Jessica Smith: I do not think we would set a specific threshold for the level of complaints needed. Complaints data will form part of our overall risk management. We would look at complaints data alongside a range of other forms of data. If a particularly egregious issue arose on the basis of a complaint or a number of complaints, that would be put through our information triage process to determine whether action would be taken.
Dame Melanie Dawes: To add to what Jessica just said, we have explicitly set up what we are calling the triage team in Ofcom. We have learnt from our regulation of video-sharing platforms that we expect to get information and intelligence from all sorts of sources, so we have set up a place where all those things can go. That will include a sudden surge in complaints on a new issue. It might also include a bit of investigative journalism that raises a question. It is there to handle things that come from outside the more formal scanning processes that I talked about earlier, so that we can calibrate and ask ourselves questions like, “How big is this issue? How many users does it affect? How big a breach might it be of our rules? Can we act? Can we be effective?”
I will be honest: it will not be easy for us to tackle very small websites that are based in the US and are not clear even about where their headquarters are. We will ask ourselves all those questions—we already do in relation to some of this—and that will be how we decide which issues we follow up and which ones we don’t think we can have any impact on. Complaints will be part of that.
Q28 Sir Geoffrey Clifton-Brown: I think there will be a bit of disappointment. After all, if someone sees a dreadful television programme, they can complain to you, and you will take action for that individual. But if I, as an individual, come across some dreadful site that I think will damage my children, I complain to my provider, they don’t know anything about it, and then I complain to you, you cannot act on my individual complaint. There is going to be some disappointment with what the Act will actually achieve. What will you do to manage public expectations in that respect?
Dame Melanie Dawes: We need everybody’s help in explaining what the Act does and does not do. We will not be able to take complaints on individual pieces of content or individual videos, as we do with TV. There is good reason for that. Just in the time that we have been speaking, Facebook alone will have moderated hundreds of thousands of pieces of content. The scale is enormous. Instead, we are relying on them to do that and put in place the right systems and processes, which include content moderation and proper action on complaints.
Chair: We know what you do, but how will you respond to expectations?
Dame Melanie Dawes: When it comes to a site that is a concern, that is a bigger question. If people come to us, either through our customer portal or directly to Ofcom, and say, “We are very concerned about this website,” we will triage that sort of thing through the system I described earlier.
How are we managing expectations? We are attempting to communicate this to the best of our ability. We are doing so with all the partners we work with across the industry. We are trying to make sure that the media understand it. Obviously, Parliament is extremely expert in this after the passage of the Act. But we do need everybody’s help. We perhaps need your help to explain what the Act does and doesn’t do. It is not that it is ineffective as legislation; it is just a bit different from some of what we are used to.
Q29 Sir Geoffrey Clifton-Brown: Your answer has spawned another question. In my original question, I was thinking about the number of people complaining about an individual problem. Equally, there is the problem that a tricky service provider might have a trickle of complaints on this, a trickle of complaints on that and a trickle of complaints on something else. What would trigger you to take action against that provider on a number of different sites that it was providing?
Dame Melanie Dawes: If there is a pattern of the service provider ignoring complaints about a particular site—
Sir Geoffrey Clifton-Brown: I am not talking about individual sites. I’m talking about general issues with a particular service provider.
Dame Melanie Dawes: Sorry, are you saying that it is not about a particular provider?
Sir Geoffrey Clifton-Brown: A specific provider but different sites that are causing trouble. I am talking about when you get a small number of complaints on one particular site, then on another one and then on another one, but that provider is providing all of them.
Dame Melanie Dawes: Oh, the creator—the producer of the content. That is a sort of pattern that we might look at, but really it is for the individual companies concerned to look at what is going on on their sites and to understand what their terms and conditions are, what their systems and processes for moderating are—and dealing with that accordingly. If there is a pattern across multiple sites—this is certainly true for something like child grooming, which is very much across different companies—but not so much that one company is responsible for all that, and not necessarily one single user, those are the sorts of patterns we think are relevant. I apologise if I am not being very clear.
Sir Geoffrey Clifton-Brown: No, you are being absolutely clear. Thank you.
Q30 Chair: On public expectations, a parallel area we have looked at, although it is not quite the same parallel, is Action Fraud. People quite often report in and do not hear anything. Forgive me for that paraphrasing of the issue, but it is a really big concern. There is a real sense of frustration, and people will be very upset about some of the content, such as suicide sites. These are very sensitive and upsetting for people. You can manage expectations, but practically, if I log something of concern on the portal, what do I get back? From the outside as a consumer, it seems that it goes into a big black hole, your clever systems and people do things with it and eventually, down the line, some action might be taken. Will there be any feedback to those consumers? What message do they get at the moment they put something in so that you are managing expectations right at that moment?
Dame Melanie Dawes: That is a very good question. The immediate message is there explaining what we will and will not do. I do not think we yet have a system that would go back later if we have taken action on something. To be honest, going back to individual complaints and relating them to a piece of compliance work we might do will not be straightforward. What we will always do at Ofcom is to be very transparent about the overall programme of work here, including, where appropriate, compliance and enforcement action. Our website will be as open as we possibly can be about all the things that we are doing. Can I promise now that we will relate particular actions back to individual complaints? I think that is probably too difficult, to be honest.
Q31 Chair: Will something pop up when you log on saying, “Recently we have had a lot of complaints about this site or this issue”, so that you feel you are not the only one or that they are already on top of this? That feedback loop is quite important. I think we are getting the impression, frankly, from both the Report and what you have said today, that you are doing a lot of really good work behind the scenes. Obviously a lot of it is still to be programmed, but the plans are solidly in place. There are a lot of challenges, and we will come on to the technology in a moment, but the other bit is the people who are reporting this in. As you say, there are thousands and thousands of instances, but what if people do not feel that confident? I will come to Ms Connolly or Ms Munby on this as well. The legislation has got to have some impact on the individual too.
Dame Melanie Dawes: You are making really useful points for us to reflect on. We are still quite early in the operation of this regime. What you suggest is extremely constructive, and we will take that away. You are absolutely right: the feedback loop and displaying that we are actually listening is important. Finding ways to do that is really important, and you have given me quite a lot of food for thought, to be honest. We will think about that. As you say, the work is good. In a way, it will never be enough for the huge scale of the problem but we can definitely think about explaining how it relates to public concern.
Q32 Chair: Ms Connolly and Ms Munby, you must have been thinking about this as you were shaping the Bill. You had to make a judgment—it is impossible to do what you do with broadcasters, as Sir Geoffrey outlined, and we recognise that. How did you work out where to draw that line?
Sarah Connolly: With difficulty, is the honest answer.
Chair: That is why we had delays in the Bill. There was a huge debate in Parliament.
Sarah Connolly: Exactly, and in the Lords as well. Throughout the passage there was this very legitimate question about exactly where one should draw the line and if an ombudsman function was a better way to go. Ultimately, where the legislation came out was in the right place; the scale and volume of potential complaints would overwhelm Ofcom or any other regulator.
Q33 Chair: Do you have a review point set in place? We are very bad in this country, and we are bad as legislators, at reviewing legislation. This is groundbreaking. Do you have a review built in?
Sarah Munby: We are obliged to provide a post-implementation review between two and five years after the—
Chair: But that is very short in this case. It will really have just got going in five years’ time.
Sarah Munby: Sure. I think we should be looking at it long before the point of the formal post-implementation review. We would expect that to be continuous. I am not suggesting that we do one review and then it is done, but we specifically have a concrete obligation around reviewing where we are and reflecting on it. I think that that will be necessary—we may well come to this—because this is going to be a fast-moving space and we will need to be ready to respond to further change in the future. We have tried to build the Act in such a way that it is as future-proof as it can be, but I do not think that anything in this space will ever be entirely future-proof.
Q34 Chair: Well, I am old enough to remember ICSTIS, which became something else in the end, but was regulating, originally, paid-for telephone sites. That started off regulating pornography and then ended up doing much more under the late great Baroness Brenda Dean, so that moved on an awful lot. Sarah Munby and Sarah Connolly, did you both look at what other regulators had done in these fast-moving fields, where technology had taken things on apace, while you were shaping the legislation?
Sarah Connolly: We did quite a lot, in particular as we were thinking about the Green Paper and White Paper for pre-legislative scrutiny. We looked a lot at comparisons, including in sectors that had had regulation imposed on them that they perhaps were not too joyful about, and the evolution of that—financial services in the early days, and that kind of thing. So, yes, we did look quite hard. There is, I think, nothing quite like this Act in terms of the speed of change, the scale and the international nature, so we were also conscious that there were some lessons to be learned, but that we were also slightly ploughing our own furrow.
Q35 Chair: Dame Melanie, you and Sarah Connolly have talked about a positive feedback loop as this legislation was being drawn up, as you were working out what regulation would need to take place and feeding that back in. Will you be having reviews? There is potentially a big cost implication, with this area that is moving at pace. When I was first elected—okay, 18 years ago is like a dinosaur, isn’t it, so perhaps that is not a good example, but the change that we have seen, from mainstream media to 24-hour social media and the many different platforms now, has been rapid. How are you ensuring that your new, very big team will have the skills and foresight to see what might be coming next, in order to keep talking to the Department about what might be needed in terms of legislation?
Dame Melanie Dawes: That is a really important question. I see it in three parts, and I will start at the more concrete end. We are providing for evaluation, and measuring of key metrics in the work that we are doing. I can say a little bit more about that, but that is about just making sure that the things that we have already proposed are being acted on and are having effect in the way that we intended. That is the very important kind of nuts and bolts; impact assessment and evaluation is necessary, and we are building that in.
Then, going out a bit, there are various policy questions—such as the one around whether we need more on complaints, and also a few others—where the Act provides for Ofcom to provide advice to the Department, and there are some powers for the Secretary of State to act in some areas. There is a set of issues where the Bill needed to be concluded but there were still outstanding questions. There is a set of those on which we will provide various bits of advice over the next two to three years.
More broadly, going out again, you are absolutely right: people are changing their behaviour all the time, and things like generative AI are very relevant here. They are going to create new threats and new risks, but also potentially new opportunities to solve problems. Ofcom actually does have a capacity there. We have done this, for example, in looking at public service media, where our research and policy advice is at the centre of the Media Bill that the Government have just brought forward. We will continue to be active in this space. Our research is published regularly on how the British public are spending their time online, for example, and what the trends are, and that brings in questions like how that links with news and fake news and what is needed to underpin our democracy. At that broader policy and research end, that is a priority for Ofcom and will always be.
Chair: It seems like your job is never going to get any smaller. It is exhausting just listening what you are saying.
Dame Melanie Dawes: It is very interesting.
Sarah Connolly: To add to that, the other thing worth bearing in mind is that the Bill is designed to be technologically neutral; it focuses on the risk of harm and the actions that Ofcom can take to mitigate that risk. It is very consciously designed to be as tech-neutral as possible. It tries to avoid creating a piece of legislation that will work only for this one kind of tech, and rather to give as much flex as possible. Now, I am sure that we have not thought of everything, but the framework is designed to be as flexible as possible.
Sarah Munby: Specifically, and exactly on the point that Sarah is making, it is worth being clear that AI-generated content is covered by this legislation in the same way as human-generated content. That does not mean that all the complex issues involved in regulating AI are solved by this, but it is an important step forward.
Chair: It is in scope. Thank you.
Q36 Sir Geoffrey Clifton-Brown: Ms Munby, can I just follow up on the Chair’s question? It is not only Ofcom but the Department that is going to need staff with the skills to meet all this new technology. It is all very well getting this new, groundbreaking, world-beating legislation in place. As you say, it will be important to review it, and you will need staff to do that. What resources is your Department centrally devoting to getting the staff to do this job?
Sarah Munby: That is a subset of a broader question, if I may. There is certainly a need for a serious, ongoing function in the Department to look at how this work is being put into place, work collaboratively with Ofcom and carry out the evaluations that we were just talking about. On top of that, there is a broader point, which is that the Department needs to be constantly evolving its capabilities to be able to deal with new risks and new opportunities.
We have just had a case in point: since the creation of DSIT, we have done work in response to the rapid developments in generative AI, the emergence of ChatGPT and so on. I think you would say that we have demonstrably been able to mobilise around a new topic and to move quickly, for example, to organise the AI summit, so the muscle is definitely there. As I look at my organisation, I think the challenge is making that ability to respond quickly to change and evolve a part of the DNA. This is just one issue—I could give you another 10—where we need to be able to build capability to deal with a rapidly changing environment and ensure that we have the right resources to deal with these complex, international and risky topics.
Q37 Sir Geoffrey Clifton-Brown: Dame Melanie, let me just deal with technology for a minute. What is it reasonable to expect the internet providers to do in terms of monitoring their sites? It cuts both ways, doesn’t it? A big organisation such as Meta has an awful lot to survey; on the other hand, a small organisation that perhaps has only relatively few sites has very limited means to be able to survey those few sites. What is reasonable to expect in the surveillance field?
Dame Melanie Dawes: It depends on risk. In our draft illegal harms codes, we have said that if you have a risk of illegal hate speech, terror or child sexual abuse material being circulated, you are going to need to have effective content moderation that is properly resourced. You are going to need to deploy hash matching for CSAM material unless you are operating an encrypted service.
A lot of smaller platforms will not carry those risks. It depends a bit on their user base and on whether there are children. It depends on functionalities, such as whether they offer live streaming, which we know is an immediate risk for terror content because it is an opportunity for terrorists to spread their acts to the public. So my answer is that it depends on risk.
There are some small platforms that are highly risky, and that is a real concern, so we are going to be very clear with those companies that things need to change. As the video-sharing platform regulator, we have already had some tough conversations, taken a number of smaller companies through compliance procedures and got them to increase resources in a proportionate way. So we have experience of that.
Dame Melanie Dawes: I can certainly say what we will do, as the regulator, and it may be that Sarah can comment on the wider question of the police and what they are able to do.
What is not in the Bill is a requirement for encrypted services to introduce scanning that breaks encryption. That was much debated in the final months of the Bill and has been a big issue for the industry. As I said, although we are saying that CSAM hash matching is necessary for non-encrypted platforms that have a risk of having that material, we are not making that a requirement for encrypted services, because we do not yet see a technology that allows that to be done without breaking encryption. The Government was very clear about this in the final stages of the Bill, but that technology does not yet exist.
That does not, however, remove the responsibility on encrypted services to meet the requirements of the Bill, so they will have to find ways to assure us, as the regulator, that they are doing everything they can to prevent that material from circulating. They can do other things. It is definitely a gap, and there are definitely risks from encryption here, as well as benefits, but the responsibility does not go from them just because they introduce encryption.
Sarah Munby: I do not have much to add. The Bill—the Act—does not directly address the question of the police powers in relation to encryption. I do not think that was within the scope of what this Bill seeks to address, and I do not know if you would add anything to that, Sarah. As Melanie said, the importance of encryption to a lot of these services is clearly not something that we are seeking to minimise or remove. What we are doing here is asking platforms to do everything they can within what is possible to make sure that those services are safe. I do not think that that goes to the question of police powers.
Sarah Connolly: The only thing that I would add is to note that the Investigatory Powers 2016 Act is being looked at again at the moment. The investigative powers Bill is coming up, and I imagine that that will raise some of these questions.
Q39 Chair: There is one thing that I wanted to ask while we are talking about this. We talked about relations with your Department, but Dame Melanie also has a relationship with the Home Office. Have the relationships with other Departments been constructive? Where are the next test areas? The Home Secretary has to personally sign off some of the regulations around terrorism and so on. How is that relationship? Are there any lessons that we could learn from working with different Departments with different legislative frameworks?
Dame Melanie Dawes: Yes, we work very closely with the Home Office, as well. Obviously the sponsor Department for the Bill has been what is now DSIT, but we have had a constructive relationship with the Home Office, too. I had a number of discussions with Ministers in the Home Office during the passage of Bill, which included conversations specifically on encryption and a number of other issues. There is widespread interest in this across different Departments.
Q40 Chair: Were there any points where there was tension between Departments? There is nothing wrong with that; I assume that there might well be, because there is a difference in view in different bits of Government—and in different bits of society—on the encryption element.
Dame Melanie Dawes: There are certainly competing objectives, and I saw those being aired in a very sensible and constructive way. You can see, in the NAO Report, that governance around our implementation included the Home Office as well as DSIT. Yes, sometimes there are tensions, because the issues raise them, but I have seen very collaborative working on this process.
Q41 Sir Geoffrey Clifton-Brown: May I come back with one final question to you, Dame Melanie? You did not quite answer my question about what it is reasonable to expect the service providers to do in terms of surveillance of all their sites. There has been quite a lot of correspondence within the industry about this. Where have we got to with that dialogue with the industry?
Dame Melanie Dawes: There is no general monitoring requirement. That was the thing that the platforms were very concerned about—that they have to monitor everything. The existence of a piece of illegal content on a site will not necessarily mean that they are not complying with the law. We are looking for systems and processes to be in place that are based on risk, proportionate and effective. But those systems and processes will never be foolproof because there is just too much complexity and challenge here.
What will matter greatly is the attitude of the companies we are engaging with. That is why we have put in place our supervision teams to build trusting relationships, within which people can be honest with us about what they are worried about, what is working, and what is not working. Approaching those conversations with Ofcom in a responsible way will count for a lot. We will work with people who are prepared to engage with us. It is those who put the barriers up at the beginning and don’t want to work with us that we will immediately see as riskier.
Jessica Smith: To come to your point, in our illegal code—published a couple of weeks ago—there are two types of mitigations that we expect services to put in place. There are mitigations that are specific to the harm; for example, grooming mitigations. We expect children not to appear in friendship suggestion lists for adults, so that adults cannot contact children they don’t know. Those are specific mitigations to a particular harm.
There are also a set of mitigations that are cross-cutting and that we think will have an impact across all of the illegal harms that are on the priority harms list we have to address. Those include things like complaints and reporting, governance, and content moderation. With that suite of mitigations, we expect those will address the range of illegal harms that we are required to look at. It is that mix of the specific and the general that we think will overall improve protections across all those illegal harms.
Q42 Ben Lake: As has already been touched on this morning, although the Bill has now become an Act, Ofcom will still have quite a lot of work to do to develop the regime. I believe—if I am correct—you will have some 40 regulatory documents, including codes of practices and guidance, before the regime can take real effect. My first question is how is that body of work progressing? Do you have any expected timelines by which you would want to see all of the relevant documents and codes published and in force?
Dame Melanie Dawes: In fact, it is now more than 50 documents. There were some late entrants in the final months of the Bill.
Chair: I was just talking about your empire expanding.
Dame Melanie Dawes: Well, our workload is certainly expanding. We set out a road map on the day of Royal Assent at the end of October. That shows the sequence of the work, what is included in the 18-month deadline that I mentioned earlier, and any other aspects that will come a bit later. That is there, and that is published. I think we have already got to 10 of those—I think it’s 54—documents with the consultations that we have already published, so we are moving.
Of the big milestones ahead, the next will be in the late spring—probably May—when we will publish our fuller guidance on how to provide an age-appropriate experience for teenagers online. That will include how age verification needs to work on other sites than pornography providers, which is what we published guidance on yesterday. Then, as Jess was saying earlier, the extra duties on categorised services are the final piece of the jigsaw. But the road map is published, and we expect to stick to it.
Q43 Ben Lake: Wonderful. I would imagine that preparing just the consultation processes for those various codes and pieces of guidance are quite intense and labour-heavy. How have you been able to prioritise the different work streams? How have you ordered the different pieces of guidance and codes?
Dame Melanie Dawes: When we were confirmed as the regulator three years ago, in December 2020, we set up a major programme the next month, in January, so that we could sequence and plan all the work properly. That included the policy work, the preparation of codes and the research that was needed to sit behind that, engagement with companies and the building of capabilities. At the time, we had a very small team of no more than 20 or 30 people. That programme architecture was really important, and that is described in the NAO Report. It has helped us to make sure that resources are allocated to the right places, and to know what our milestones and dependencies are from one piece of work to another.
The precise final sequencing, though, was dependent on the Act itself. As Sarah Munby was saying earlier, many of the illegal harms were already crimes in UK law, and the Bill was also quite clear and settled in that area some time ago. That is why we were able to move so fast on that. It is also because it is important, but we were more ready and we had done the preparation. Some of the areas that were more debated in Parliament were slightly less ready for us to be able to go out on straight away. We did do quite a lot of calls for input and calls for evidence, which is the beginning of the consultation process, while the Bill was still going through so that we were as ready as we could be. That is what lies behind our published timescales.
Q44 Ben Lake: Thank you. Can I take you to a different aspect? Many of the duties that will be placed upon providers will not be enforceable before some of these codes are actually put in place. I am interested to know how you hope to reduce online harms in the interim period—in the short to medium term. How is it possible to reduce harm online if the codes are not in place and therefore the duty is not enforceable?
Dame Melanie Dawes: That is why we have set up our supervision teams already. I think the NAO Report said that we were supervising about 20 companies, but it is actually around double that. We take language and processes from other regulators, including the Financial Conduct Authority, incidentally. All those companies are being contacted right now and we will have a very structured engagement with them while we are finalising our codes. They will be the focus of our information requests; they will not be the only ones, but they will be the focus as we start to use our statutory powers to get the data we need on a more formal and consistent footing across the industry.
All of that means that when the powers are enforceable, we can act faster, but it also means that we can encourage, push and make our expectations very clear on a one-on-one basis with these companies right now. Action has been taken in many areas already, but there is a lot more to do. The supervision teams are on to that already.
Q45 Ben Lake: That is interesting. I appreciate it is very early days, but so far, if the supervision teams have had cause to contact one of the 40 or so companies that are considered to be the highest or largest risk—if they have identified something that they think will become enforceable even though the code is not in place yet—what sort of measures, powers or means of influence do they have to get the companies to act now, rather than wait for the code to be in place?
Dame Melanie Dawes: The fines and sanctions are not able to be levied until the codes are enforceable, but we will have them soon. It is all about the dialogue and making it clear that this is coming.
Q46 Ben Lake: So it’s almost a case of, “Do it now, or we will punish you.”
Dame Melanie Dawes: Yes. And these companies know that they are our priority for action because they are big ones where the British public, particularly our children, spend their time. There are the obvious household names, but also some smaller ones that are less well known, including groups such as file-sharing platforms where there is quite a lot of risk around child protection and child sexual abuse material. That is why we are doing the supervision—so that we can move fast.
Q47 Ben Lake: That seems very logical. To date, has the threat or the fear of the potential fine or sanction to come elicited a positive response from some of these companies? Have they started to move and change so that they are compliant?
Dame Melanie Dawes: It is a bit too early to say on the new laws that have only just come in, but I can tell you about the journey we have been on with video-sharing platform regulation. Those laws took force in November 2020, which was three years ago. They are narrower rules, they are more high-level and we can be less prescriptive.
It is quite a small number of companies: only about 20 are domiciled in the UK. It includes TikTok and parts of Snap’s service. We have worked with some of the adult sites—the pornography providers—that we are already regulating. What we found was that OnlyFans, for example, was very receptive to the dialogue we began with it on age verification, and it introduced age estimation techniques last summer that we believe to be effective. That was less than two years after the laws took effect.
Then there has been a cluster of smaller companies that have not been so compliant. We opened up a compliance programme on them together, at the beginning of this year. One we fined because it did not respond to our information requests, and two more we put through a very structured compliance dialogue. We announced the results of that a couple of weeks ago. They are now moving to putting in place the kinds of age verification that we are asking for.
So even when the powers are enforceable, it does take time to get the changes in. Some companies will move faster than others. What we are always judging is when we reach for the fines and sanctions, and when we continue what is often quite a tough dialogue, because our aim is always to get the changes on behalf of the public as quickly as we can. That perhaps gives you an idea of how we use our tools.
Q48 Ben Lake: Thank you. That is very useful.
Finally, can I ask about the second-tier organisations? I note that the potential number is quite eye-watering: over 100,000 at the last estimate. How does Ofcom plan to monitor what might be the second-tier organisations that you will need to take a closer look at? I appreciate that it is a massive number. You cannot just start to send compliance teams—sorry, I think you termed them “supervision teams”—to start a dialogue with all these companies, but how will you try to sort the wheat from the chaff?
Dame Melanie Dawes: That is a very good question. This goes back to what I was saying in answer to Sir Geoffrey’s questions earlier. We already have, to some extent, a system of risk monitoring and risk flagging, which relies partly on partner organisations that are working on the frontline on things like child sexual exploitation, terror and hate. Also, we are working hard right now on how we can automate our understanding of the system, so that we can effectively automate the red flags, which we can then follow up. We are going to have to use data for that, clearly.
Q49 Ben Lake: Will that system—again, this is something that is constantly changing; it is an innovative, dynamic industry—be able to pick up changes in risk profile for some of these companies? I ask because it may well be the case that due to your very good efforts on some of the larger, more well-known organisations and companies, the harms will migrate to other companies. How will that system work?
Jessica Smith: As Melanie set out, the data sources that we are collating, and lots of the work that we are hoping to automate, should provide us with more of an early warning system about where harm is manifesting in what we term the long tail of smaller services. We should, we hope, be able to spot risks as they are emerging, based on that data.
One thing that I would add to that is that as well as being a risk-monitoring exercise, this is a communications exercise. It is also really important that these services understand what their responsibilities and duties are, so we are also really focused on trying to make sure that we have an effective communications campaign that reaches these services, and that it is very easy for these services to engage with our consultations and codes and they are very easily able to determine whether they are in scope, what their risk profile is and what measures they may need to put in place in order to be compliant with the laws.
Q50 Mr Djanogly: To follow up on Mr Lake’s questions, are the 50 regulatory documents being done together? Are they signed off together, or do they dribble out over a period of time? When should they all be finished?
Dame Melanie Dawes: They are clustered in groups. I believe there were nine of them that formed our illegal harms consultation pack on 9 November. That was a pretty big pack—it was 1,800 pages—but it included some really big set pieces, including Ofcom’s overall risk assessment of the industry, as well as our draft codes of practice and our enforcement guidelines. That was one set of material.
As I was saying earlier to Mr Lake, our road map sets out the broad clusters of work that we will be doing over the next two years. What we do not want is for it to be confusing and for things to—as you say—dribble out in a way that is not clear to the industry.
Can I add that we are getting a lot of very positive feedback from the industry that that road map approach is helping them? It is not something that the European Commission has done, for example, so there is something here that the UK is doing in a way that is being welcomed.
Q51 Mr Djanogly: At what stage do enforcement powers lock in?
Dame Melanie Dawes: The enforcement powers come in when various elements of our codes have been finalised. In some cases, that requires them to be set before Parliament, so it starts with our consultation. We digest the consultation responses and send them to the Secretary of State, who will then lay them before Parliament. It is only once that has been concluded that the codes can be enforced.
Mr Djanogly: So enforcement powers may come in before the two years.
Dame Melanie Dawes: The deadline is 18 months for us to get the protections of children and protections against illegal harms in place, so that is late April 2025. I don’t know whether Sarah Connolly wants to add anything, because this is a shared process with the Government.
Sarah Connolly: I think you have set it out. When Ofcom is ready with the codes that need to be laid, we are ready with the SIs to do that.
Chair: So they will not be delayed. Well, you cannot completely control it, of course.
Sarah Connolly: Exactly as to your point earlier, Chair.
Q52 Mr Djanogly: The concern here, as Mr Lake was getting at, is that the supervision teams will be going through their processes and doing all the right things, but in the meantime the service providers think that perhaps the regulator is a soft touch because you are not able to enforce. How will you be pushing them to realise that things are going to be changing once you have the information and the SIs are in place? There is a process to be managed there. How are you going to go about that?
Dame Melanie Dawes: In the end, for supervised services, it is a direct one-to-one conversation with their teams. For the rest of the industry, it is about publishing our intent—our blueprint. If you look at our illegal harms consultation and the pornography consultation yesterday, our expectation is quite clear and quite tough, actually. At the same time, what we do not want is to create a whole load of unnecessary cost and burden for smaller companies. We are trying to balance that. We are doing things like holding webinars for smaller businesses. There is one this week, and there are a couple more in January on different bits of the illegal harms consultation, so people can ask questions. However, that will also be a chance for us to say, “These are our expectations because the law has changed in the UK. If you want to continue to serve UK consumers, you are going to have to follow these rules.”
Q53 Mr Djanogly: Can you briefly explain what the sanctions will be?
Dame Melanie Dawes: We can charge fines of up to 10% of global revenues, which is pretty hefty. Fundamentally, if we are really concerned—we would need a high bar for this—we can disrupt their businesses, so we can prevent them from accessing the UK market.
Q54 Mr Djanogly: You have just said what I was going to come on to. What will the bar be? These are potentially very stringent sanctions. What level is going to trigger? Perhaps this is something you are looking at. Are we talking about numbers of incidents or size of incidents?
Dame Melanie Dawes: By its very nature, the 10% immediately scales to business size. We have set out our enforcement guidelines on that. Everything we do has to be stacked up in court. We can be judicially reviewed if a company feels that we have gone too far or do not have the right evidence. We have to be proportionate. That 10% of global revenues would be for the most exceptional circumstances. We would have to see very persistent lack of engagement with our rules and a serious risk to the public. However, we will be as transparent about this as we possibly can be.
It is also usual for us to reduce the level of the fine when a company accepts it and goes along with it. We have levied a number of fines on other parts of our industries in the last couple of months, and we offer that reduction to incentivise people to just come forward and sort it out with us as quickly as they can.
Q55 Mr Djanogly: The vast majority of the companies involved are going to be overseas. It may be hard to find out their turnover, for instance. I wonder how those people will ultimately be enforced against. When we think about it, we think of the larger ones where you have an ongoing engagement, know exactly what their turnover is and have a relationship. How will you deal with small companies online?
Dame Melanie Dawes: It may well prove to be quite difficult legally to get the process to work for very small companies that do not engage. That would be when we probably would need to move—if there were a serious risk—to the business disruption measures in the Bill, rather than attempting to continue to pursue another process through the courts.
We have a range of compliance tools at our disposal. We are going to have to be risk-based. Some of this is going to be very hard, when companies do not want to engage. Anyone with a significant UK presence—and we are the second market for many of these companies—has every incentive to work with us, and get this right.
Mr Djanogly: Ms Munby, would you like to comment?
Sarah Munby: The only thing I would add is that the problem of overseas enforcement is not a new one. This is true of lots of areas of law. It is inherently a bit imperfect, but it does affect actions, especially of significant services and businesses.
Q56 Chair: Some of the action will be a fine on global profits. How will you know that you have got that information? Dodgy providers will not have their records in public places, will they?
Dame Melanie Dawes: We will use publicly available information where it is there. Where you are talking about smaller and less responsible companies, in the end what matters is that Ofcom is able to stack up that the number is big enough, frankly, to disincentivise further non-compliance. It has also got to be able to stack up in court.
For us, it is going to end up as quite a practical question about a number that we can evidence, whether or not it is the perfect number. I know from my experience of tax administration that sometimes questions of turnover and revenue are as long as a piece of string anyway, in some circumstances. The important thing is that we can come up with something that has the impact and can be stood up.
Sarah Munby: The end result is that this is a sufficient suite of powers so that any company that wants to operate in a fashion that is compliant with them is strongly incentivised to do so. Of course, there may be a small number of companies actively seeking to operate outside this framework, where we would go to the end of the line on enforcement, using the full suite.
Chair: There may be some criminal issues there, anyway.
Sarah Munby: By that time, you would be making their lives so difficult that they would be unable to operate at a meaningful scale in the UK. That does not mean zero users.
Q57 Mr Djanogly: How does this tie in with foreign hostile players who want to use our systems for propaganda or disinformation purposes?
Sarah Munby: The Bill includes a series of priority sets of illegal activities, with particularly strong obligations on the largest platforms to manage them. Foreign interference is one of those areas. Platforms now have the obligation not just to act on those things when they are reported to them, but to have systems, processes and proactive measures to ensure that that kind of activity is not taking place.
Q58 Ben Lake: May I ask briefly about the resourcing and staffing you will need to implement this regime successfully? What has the impact been of delaying the fee regime and the reduction of it? I understand that it will not occur now until 2026-27. Have you been able to secure additional resources or funding from the Department for Culture, Media and Sport or the Treasury to allow you to undertake the work needed in the short to medium term?
Dame Melanie Dawes: The delay to the fee regime does not affect Ofcom’s resourcing. The way our resourcing works is that we are subject to an overall budget cap from the Treasury, which is just a number. We then collect fees from our industries, which do not count as public expenditure—it is important for me to say that. Our spectrum oversight work is funded by retaining some fees under the Wireless Telegraphy Act 2006—again, that does not count as public expenditure. The overall level of that budget cannot exceed a cap set by the Treasury. The Treasury has increased that cap for online safety over the last few years. We have a budget agreed for next year with the Treasury and the Department.
Q59 Ben Lake: Is that £66 million?
Dame Melanie Dawes: It is £63 million—a little bit shorter than we had hoped, but we can manage.
Chair: We have the Treasury Officer of Accounts here.
Dame Melanie Dawes: The important thing is that we have a conversation with the Government about risk. It is hard to predict exactly where the resourcing needs will be. We have the resources we need. Although the fee regime will not come in for a couple of years, we will be recouping all the set-up costs. Fundamentally, this will all be borne by the industry.
Q60 Ben Lake: Finally, it strikes me that the work—and the number of staff members and teams you will require to take on the work of both establishing the regime and keeping it going—will be quite significant. With the cap you mentioned, and the way your funding is structured, is there a risk that the cost of running the online harms regime will detract from your other functions as a regulator?
Dame Melanie Dawes: That is a really important point. We said in our note to the Committee before the prior planned date of the hearing that there is not an impact on our other work. We have been really careful about that. That is because the fees we get from telecoms companies must be spent on telecoms work, for example. It is the same for media and so on. That is a requirement in our underpinning wiring in Ofcom.
What is quite challenging is the overall budget cap, which has been fixed in cash terms for many years. Some of our fees, for example on community radio, have not moved in cash terms since the mid-2000s. We are now at a point where flexibility is at its very lowest level for us. That is a concern. However, in the end—and there is a wider point here for me—when I compare running a regulator with running a Government Department, we have more independence in how we spend our money.
Apart from that budget cap, we are accountable for how we spend the fees we receive. We work out where our salaries should lie, the balance between research and staff costs, where we can spend consultancy money where we need to, and so on. I think that accountability in Ofcom is one of the things that makes us effective and efficient. We follow Government control systems as far as we possibly can inside Ofcom, but it is ultimately our choice to do that. The accountability lodged in our board is one of the reasons we have been able to be effective here and mobilise quite quickly. As I say, sometimes freedom is seen as a problem, but the way I see it, having run both types of organisation, it drives accountability and responsibility. That makes us quite sharp in how we prioritise our resources.
Q61 Chair: You talked about recovering the costs of entry through the fees. When will you have reached the point where you have recovered the set-up costs? How long will it take?
Jessica Smith: The first year for charging fees is the financial year 2026-27. The following year, 2027-28, we would need to begin recouping the overall costs of the set-up of the regime. From that period, that could continue for three to five years.
Q62 Chair: So it could be long as five years after 2027-28?
Jessica Smith: Yes.
Chair: It is a long time before those costs come back.
Dame Melanie Dawes: It is. It does not score as public expenditure, but it is none the less money that has been raised through public sector sources.
Q63 Chair: It is quite instructive how long it takes for a very complicated new regime to play in. Do you think you could have done it any quicker? Looking back at how you shaped this, are there any lessons you have learned? Is there anything you would do differently next time?
Jessica Smith: The function of the fees and recouping regime is set out in the legislation, regardless of delays to the Bill. There were changes in the process for establishing the fees regime due to some recommendations made by a parliamentary Committee to introduce additional scrutiny to the statutory instruments. That has meant that the first year of the fees regime is now 2026-27.
Chair: That’s democracy.
Jessica Smith: Indeed. It is just a function of the way the system was set up in the legislation. It could not have been done quicker.
Q64 Chair: Ms Connolly, looking back, is there anything that you would have done differently to get that fee money coming in quicker?
Sarah Connolly: No, Jess has covered it. We made a suggestion, and it was improved upon.
Q65 Sir Geoffrey Clifton-Brown: Dame Melanie, let me come back to your conversation with Mr Lake and the Chair about funding. Paragraph 10 of the Report says: “The government expected that the setting up of the new regulatory regime would be completed in 2023-24. Ofcom would then start to recover…its upfront costs”. Up to that point, you were relying on Wireless Telegraphy Act receipts, which you would otherwise have had to give to the Treasury, but you will be allowed to keep them. Is there a gap between those two regimes? Now that the Act has come in later and your recovery is a year later, is there going to be a gap between those two fee fundings?
Dame Melanie Dawes: We will recoup all that money later, as Jess was just explaining, from financial year 2027-28. It will take time for that recoupment to come through, but everything that has been spent on this regime during its set-up will fundamentally be paid—
Q66 Chair: I think what Sir Geoffrey was driving at was whether the Treasury is allowing you to keep the Wireless Telegraphy Act money for the extended period.
Sarah Munby: We will continue that set-up.
Dame Melanie Dawes: My apologies; I misunderstood.
Q67 Sir Geoffrey Clifton-Brown: That is what I wanted to clarify. Thank you very much indeed. Can I ask you one or two other mop-up questions? Paragraph 1.8 on page 18 of the Report says that one of the additional powers that the Act gives you is to tackle fraudulent advertising. That is totally different from what you have had to cover before. What action will you be taking, given that fraud and scams are such prevalent crimes now, to build up expertise in that area?
Dame Melanie Dawes: We included measures to counter fraud in our first consultation on illegal harms. We are recommending that larger platforms make use of trusted flaggers—organisations like HMRC, the Financial Conduct Authority and other civil society organisations that are very well placed to know that something is fraudulent but at the moment don’t have anybody who is listening when they tell them about it. We are recommending that the services have in place a proper trusted flagger mechanism so that they can act more quickly, and there are a number of other measures in our first consultation.
We have covered those issues in our first piece of work, but this is a very fast-moving set of problems. Criminals will move towards whatever loophole that they can see has opened up. This very much goes across to our telecoms work. One of the advantages of Ofcom doing this work is that we can see round the corners. A lot of it has to be done in partnership with the enforcement agencies and other regulators, including the FCA.
Q68 Sir Geoffrey Clifton-Brown: The last sentence is what I was looking for. Thank you very much indeed. This is a series of mop-up questions. The final sentence of paragraph 1.16 on page 24 says that Ofcom “has no specific powers to take action, or compel regulated service providers to take action, on individual pieces of content, or to get providers to offer redress to individual users on a case-by-case basis.” I think that will come as a surprise to many. Could you explain that?
Dame Melanie Dawes: This goes back to what we were talking about earlier. This is not legislation that gives the regulator powers to intervene on individual pieces of content, so it is different from our broadcasting work. We are not able to require redress specifically, but what we are doing is making sure complaints mechanisms operate much better than they do today. It is quite a core part of our consultations already, and every time I talk to young people about this, interestingly, the first thing they say is, “Nobody listens when I complain to them about something and I want to block something.” It is the first thing they say—“I don’t have agency, nobody’s listening, I can’t control this and they don’t care.” So, user engagement by platforms is a really big part of improving things.
Q69 Sir Geoffrey Clifton-Brown: Can I ask you some questions about your governance, taking you to pages 27 and 31? On your main board, given that this is a very fast-moving field, and given also that we have discussed the need for staff with relevant skills, you also need non-executives with relevant skills, I would suggest to you, which aren’t necessarily the non-executives that you have got at the moment. What consideration are you giving to that?
Dame Melanie Dawes: Our non-executives are appointed by the Government, and also by the devolved Administrations. Three of our NEDs are actually appointed by the Governments of Scotland, Wales and Northern Ireland. This is probably a question for Ms Munby.
Sarah Munby: Indeed. We are currently in the very late stages of a recruitment process for three non-execs for Ofcom. That process is in part specifically designed to make sure that that board is really equipped to deal with the full suite of Ofcom’s activities, including online safety.
Q70 Sir Geoffrey Clifton-Brown: Those were really helpful answers. Looking at that organisational chart on page 27, figure 7, is it just on the main board that you have non-executives, or on some of those other boards—the policy management board and the online safety programme board—do you have non-executives as well?
Dame Melanie Dawes: No. The non-executives are at the Ofcom board level, so beneath that it is executive governance. This is the governance, by the way, during the set-up process, so this has now changed. We now have an online safety group that holds the accountability for delivering on our responsibilities in this area.
Q71 Sir Geoffrey Clifton-Brown: I was coming on to that, to ask you exactly what the online safety group does and where it fits in that hierarchy.
Dame Melanie Dawes: The policy and management board is the main executive decision-making board for Ofcom. I chair that, and that contains all the members of my senior team, including all of those who run our main regulatory groups. When I arrived at Ofcom in 2020, I thought we needed to improve our accountabilities and make it clearer, so we now have four groups—telecoms and post, which is called network and communications at Ofcom, broadcasting and media, spectrum, and now online safety. It is in those groups that the accountability sits for discharging our regulatory responsibilities. They are supported by our economist group, our legal and enforcement, our strategy and research and our corporate group. That is our matrix-based structure.
Beneath the policy and management board there is governance, in the online safety group, which looks at all the things they need to be achieving over a two to five-year time horizon, manages resources, manages risk, feeds up to the Ofcom risk register, which is ultimately owned by the Ofcom board, and so on, in the way that you would expect in an organisation.
Q72 Sir Geoffrey Clifton-Brown: It is very useful to have that on the record. Can I take you to page 37, paragraph 3.16? It builds on a question that Mr Djanogly was asking you. To quote the relevant bits of that paragraph, there was “a risk that the regime might stifle innovation.” One “business platform told us that they feared that any new measure would disproportionately affect small companies and start-ups, thereby prohibiting the emergence of new players and innovation.” Would you like to comment on that, and what consideration you are giving to it?
Dame Melanie Dawes: We are required, in our underlying set-up as a regulator, to support innovation and investment. There are real trade-offs here which we need to manage quite carefully. We have described to you already what we are doing to try to make it straightforward for smaller companies to comply with the regime and to know what they need to do. Obviously, if they are risky services they will need to do more, but it is a big part of our work and we do accept completely that there are these risks and that it is our job to ensure that we manage them proactively and carefully.
Q73 Sir Geoffrey Clifton-Brown: Thank you. Finally, to you, Ms Munby, are you confident that DSIT can develop a proper framework and gather robust data, so that it can undertake the required evaluation of the effectiveness of the new regulatory regime?
Sarah Munby: Yes, in partnership with Ofcom, absolutely, although I would note that when you are introducing a novel regime, one that there are not lots of precedents for internationally, the monitoring and evaluation here is not straightforward. There isn’t a fantastic baseline of all of the data that you would need. So it is a very serious effort. We have a series of joint structures working together on how to carry out the evaluation. I think it will need to be a strong partnership to make sure that we are seeing the frontline data and how that is changing as we make our judgments. So yes, but there is a serious effort of work.
Q74 Sir Geoffrey Clifton-Brown: I was pleased to see in the NAO Report the amount of international co-operation and the various different bodies and aspects of all this that you and Ofcom participate in. Given that, how will you ensure that the implementation and operation of the Act will be the best in class internationally, given that it is such a worldwide and well-respected piece of legislation?
Sarah Munby: I might ask Melanie to comment on Ofcom’s work in partnership with other regulators internationally. In some sense, we have set up the frontline operation and it is for the regulator to ensure that it is being run in a best-in-class way. The job for us now, along with our international partners, is to be really alert to what is coming next. What is the next set of issues? How do we think about them? Is there anything more that we need to do about the rise of micro-targeted bots? What does that mean? It is those issues that I would want the Department to really be focused on internationally. All the work we are doing around AI is a good example of that. Melanie might want to comment on the practical partnership right now.
Q75 Chair: Dame Melanie, do you meet your international counterparts? How does that work?
Dame Melanie Dawes: Yes, very regularly. Our aim at Ofcom is to serve the British public and to achieve change on their behalf in line with this new law. I am confident that we will, in doing so, show that this is best-in-class legislation, but my primary aim is just to achieve the outcomes for the public. We cannot do that, though, without international collaboration.
A year ago, we set up a global online safety regulators network with the Australians, who were the first to regulate a few years ago. We now have about 10 members, including the French, the Germans and the Irish, South Korea and South Africa. We will chair the network next year. We also do a lot of work specifically on age verification with a slightly different cluster of regulators that happen to have porn providers in their jurisdictions. Then, of course, there is the European Commission and all the work it is doing under the Digital Services Act. It is really important and we cannot do it without international collaboration.
Q76 Chair: From a Government Department to the world stage in a few steps.
Dame Melanie Dawes: To the world regulatory stage. It is a particular slice of the world.
Q77 Sir Geoffrey Clifton-Brown: The ambition there is admirable, but of course, it will take a lot of resource to monitor, evaluate and co-operate with all those various international agencies. Do you have the necessary resource to do all that work?
Dame Melanie Dawes: We have a very strong international team, but the work is also going to help us as well. For example, I am afraid that one of the first things that the new network has really got concerned about is that there is a big rise in sextortion going on, which is where people are ultimately blackmailed for horrible reasons. The new network has enabled us to get the pattern of that, get the measure of it and talk to the law enforcement agencies about it more quickly than we would otherwise have done. Yes, it is an investment of our time and effort, but it is one that we believe, within the overall resource that we have, is worth making, as is the investment inside the UK with our fellow regulators under the digital regulation co-operation forum.
Q78 Chair: There is a lot more that we could go into on evaluation. However, there were some gaps identified, Ms Munby, by the consultants you brought in earlier this year; ones that you acknowledge because this is so new. How are you evaluating your evaluation processes as well to make sure you are keeping ahead of the curve? Are you working with Ofcom because it will have an important role in evaluating the practical implementation?
Sarah Munby: Yes, and we have laid out several stages of evaluation work. We have a little bit of time before that substantial evaluation that I talked about earlier and I think it is very much going to be iterative. We have begun by laying out the framework, the options and how we think we will go about the evaluation. There will then be, over time, more and more digging into individual groups and the impact on those. As I say, it is a substantial programme of work.
Q79 Chair: Are you safeguarding the funding for that? You have a 1% settlement still and that is actually a cut in real terms. We have an election coming and I have sat in a Department where people think it is not worth spending money on social science research. I argued against that being cut, but I do not think I won. There is always a risk that it is seen as easy to get rid of because it is not actually affecting things. How robust are you going to be in safeguarding that evaluation?
Sarah Munby: We are going to need to be robust. This Act has been one of the flagship events for the Department this year. It exactly falls into the territory I am talking about of grasping new and emerging social and economic issues. If we do not evaluate this, and are not confident in our success here, that is a serious risk to our future work programme.
Q80 Chair: Great. We are glad to have that on the record, because we are keen to look at future risks. I want to touch on the level of fees you are going to charge, Dame Melanie, and how you are going to model that. It is still quite a way off before you have all these things in place. Maybe it would for Ms Smith to tell me. Who wants to answer that? Briefly, when are the providers going to know the level of fees they will have to pay?
Jessica Smith: As I said earlier, there are a couple of steps in the legislation that we need to follow to get the fees regime set up. The first thing we need to do is produce advice for the Secretary of State on the level of worldwide revenue that services will need to have before they can be in scope of the fees regime. We are researching that now and will consult on it with services next year. That will be finalised at the end of next year, 2024. Once the regulations are made—
Q81 Chair: That will be during 2025.
Jessica Smith: That will be during 2025. We have to set out a statement of charging principles for each year. That will set out exactly how we have calculated the level of fees we are charging the industry. We will be completely transparent to the industry at the start of each financial year on how much the fees will be.
Q82 Chair: Are the fees likely to be index-linked?
Jessica Smith: I expect so, though we are still working on the process.
Q83 Chair: There is still a lot of uncertainty. Can you even give us an idea of scale, for Facebook, Meta or a smaller provider?
Jessica Smith: This is a cost-recovery system. All we can charge for is the level of cost we incur for the discharge of our online safety duties each year.
Q84 Chair: My point is, are you spreading that cost recovery? You will have an intense relationship with the 40 providers you are focusing on of the 100,000 that are out there. That is going to be more costly, but you are presumably not charging them the full cost of that one-to-one supervision.
Dame Melanie Dawes: We are going to have work this through. No, we are not going to charge them a higher cost. It is always the case, in any form of regulation, that disproportionate amounts of time are spent on smaller and risky companies. That is often paid for by the larger and more compliant ones. That happens across our regimes right now, without mentioning names.
We are going to have to work all this through, and think about what is administratively effective. I do not want to go after very large numbers of smaller companies. That will simply waste everybody’s time for extremely small amounts of money. Equally, we need to be fair to the larger companies, although they will be occupying a lot of our time, as well.
Q85 Chair: Is there any idea of scale? When you talk to industry, even privately and feel you cannot share a number here, do they have any idea of what level?
Dame Melanie Dawes: I do not think we can really go into that right now.
Q86 Chair: This is another challenge of a new regime.
Jessica Smith: This is why we will run a consultation, so that they get a chance to input into that decision.
Dame Melanie Dawes: Ultimately, the Government will have a role in deciding some of those trade-offs.
Q87 Chair: My final question is about staff, salaries and skills. You gave a great paean to being outside of Whitehall, Dame Melanie, that you have lots of freedoms on salaries and so on. There is an issue about retention and competition. You will need some of the same staff that some of the providers will need. The Department has a capability, though small relative to the field. Are there enough people out there with the skills and are you able to pay the right salaries? Are salaries going up? What is the situation?
Dame Melanie Dawes: We have been very encouraged by the way we have been able to recruit. The response we have had reflects a number of things. The salaries are what they need to be, but they are not that much higher, but they are not that much higher than you would expect anywhere else in the public sector. In fact, they are only a very little higher.
I think people have come because of the mission. A lot of people out there in the industry have been working on trust and safety, as it is known, for many years, and they see Ofcom as a place where they can actually achieve change over the next few years. They have agency, because we are an independent regulator. That is very attractive, particularly to some of our data and technology colleagues; they just want to build and understand things, and do not really see how you do that in Government, for example. I think they can understand the job in a regulator a bit better.
Q88 Chair: So there has been no problem, and there will be no problem with retention either.
Dame Melanie Dawes: We have done a really good job among our people teams, which won an industry award for recruitment. It has been very diverse, and it has been out of London. It has not been easy, but it has been easier than I expected. We have lost a few people who have gone back to the industry already, and we will carefully manage the conflicts on that churn, but in the end—
Q89 Chair: People will obviously move jobs, but retention generally is not an issue.
Dame Melanie Dawes: No, retention generally is not an issue—not at the moment.
Chair: We could go on forever on this issue. It is such an interesting Act of Parliament and an interesting time to be looking at it as Ofcom. The Department has sort of passed the day-to-day element of it over to Ofcom, but there is still clearly a lot of work to be done on all the regulations. By the end of the very next Parliament, we will still only be in the foothills, so it is instructive for policy makers about how long these big changes potentially take.
I thank our four witnesses very much indeed. It is great to have four capable, competent, professional women in the room—a few others around the table from the NAO included. The uncorrected transcript of this session will be up on the website in the next couple of days. We will produce a report on this in 2024, subject to the date of any general election. We will obviously be in touch with you about that. Thank you very much indeed for your time.