All writing
Policy CritiqueDigital Rights9 min read

The UK Online Safety Act: Safety Without Due Process Can Become Private Censorship Infrastructure

The Act tackles real harms, but its legitimacy depends on whether safety duties are matched by due process and safeguards against over-removal.

The UK Online Safety Act sits inside a real moral emergency. Online platforms have hosted child sexual abuse material, self-harm communities, terrorist content, fraud, harassment, hate, and abuse at scales that would be impossible without platform infrastructure. Any serious digital rights position has to admit this: doing nothing is not a rights-respecting option.

But the opposite danger is also real. A law designed around safety can become a system where platforms remove aggressively, automate cautiously, and silence lawful speech because the liability structure rewards risk avoidance over rights protection.

That is the central tension of the Online Safety Act.

The UK government’s explainer notes that illegal content duties are in effect and that Ofcom can enforce the regime; in-scope services must complete illegal content risk assessments and follow approved codes or equivalent measures. Ofcom’s materials require providers to assess risks arising from priority illegal content categories and implement safety measures proportionate to those risks.

This is important. Platforms should not be able to profit from foreseeable harm while pretending neutrality. Risk assessments, enforcement duties, and regulator scrutiny can force platforms to treat safety as a design obligation rather than a moderation afterthought.

Still, there are three problems the UK regime must manage carefully.

First, legal complexity may become automated over-compliance. Platforms often respond to regulatory risk by building systems that minimise liability. That may mean more automated detection, broader keyword filters, faster removals, and stricter account restrictions. The law may not explicitly require censorship, but incentive structures can produce it.

Second, the people most affected by mistakes may have the weakest remedy. If a human rights defender, journalist, activist, sex educator, minority-rights advocate, or survivor-support group is wrongly suppressed, the damage may be immediate. A slow appeal mechanism is not adequate if the removed content concerns breaking news, urgent documentation, or support for vulnerable users.

Third, child-safety and illegal-harms duties can reshape platform architecture in ways that affect privacy. Age assurance, identity verification, risk profiling, and content filtering can become intrusive if not carefully bounded. Protecting children is essential. Building an internet where everyone must prove identity or accept surveillance-style classification is not a clean victory.

This is why online safety policy needs a due-process spine.

A rights-respecting safety regime should require at least five safeguards.

First, platforms should publish clear explanations of how safety measures affect lawful content. If a platform changes recommender systems, search visibility, account restrictions, or content labels because of regulatory duties, users and researchers should be able to understand the pattern.

Second, appeals must be accessible, timely, and meaningful. A user should not have to decode corporate policy language to challenge a decision. Where content relates to journalism, political participation, human rights documentation, or public-interest speech, expedited review should be available.

Third, regulators should monitor over-removal, not only under-removal. Safety enforcement often measures what remains online. It should also measure what disappears wrongly.

Fourth, privacy-preserving approaches should be preferred over identity-heavy solutions. Age assurance and child protection should not become general-purpose surveillance infrastructure.

Fifth, civil society should have a formal role in evaluating harms and safeguards. Online safety cannot be left only to platforms and regulators. Affected communities often understand failure modes before institutions do.

The Online Safety Act is therefore a test of regulatory maturity. Can a state regulate online harms without creating a culture of invisible takedown pressure? Can a regulator demand safety without encouraging platforms to treat lawful speech as compliance risk? Can child protection be strengthened without normalising identity checks and intrusive data collection?

The answer depends on implementation.

Bad online safety policy treats speech as a hazard to be managed. Good online safety policy treats people as rights-bearing users who deserve both protection and due process.

The UK regime will be judged not only by what harmful content it removes, but by whether it protects the people who are easiest to silence in the name of safety.

A platform safety law without due process does not eliminate harm. It changes who gets harmed quietly.
Online Safety ActOfcomplatform regulationfreedom of expressiondue processonline harms

Sources

  1. 01UK Government, Online Safety Act: explainer, updated 2025.
  2. 02Ofcom, Illegal content duties under the Online Safety Act, 2026.