On 25 November 2022, the UK Information Commissioner's Office (“ICO”) and the UK communications regulator, Ofcom, issued a joint statement setting out how they intend to work together to “ensure consistency between data protection and new online security regimes”. Regulators noted that the statement is primarily aimed at online service providers who are likely to be regulated under the online safety regime, but will also be of interest to other interested parties as an indication of their joint direction.
According to the statement, in anticipation of Ofcom taking on new roles in 2023 under the Online Safety Bill, the partnership's ambitions are twofold:
- Regulators want online service users Have confidence that your security and privacy will be respected and that regulators will take prompt and effective action when providers fail to meet their obligations.
- Regulators want online service providers of all sizes to meet their obligations and continue to innovate and grow, supported by regulatory clarity and free of undue burdens.
To achieve this, the ICO and Ofcom will work closely to achieve maximum alignment and consistency between online security and data protection regimes. They are going to:
- Maximize consistency by:
- ensure that their policies are consistent with each other's regulatory requirements and consult closely when preparing codes and guides. Ofcom will prepare codes of practice and guidance for online services on compliance with the online safety regime and will consult with the ICO, among others, in their preparation. The ICO will also prepare guidance on data protection expectations for online services that implement security technologies (e.gage guarantee, content moderation) and will consult Ofcom and others on its preparation;
- seek solutions that improve user security and preserve their privacy; and
- providing clarity on how compliance with both regimes can be achieved when tensions exist between privacy and security objectives.
- Promote compliance setting clear expectations for the industry on what needs to be done to meet online security and data protection requirements. This includes particular transition support for small and emerging businesses to help them thrive and grow. Regulators will take action against services that do not meet obligations, sharing information and intelligence, as appropriate, and coordinating approaches to enforcement.
According to the statement, the ICO and Ofcom will reaffirm their cooperation through a renewed memorandum of understanding which will be updated next year in light of Ofcom's new responsibilities under the Online Safety Bill.
