top of page

Future of Data Regulation: UK Online Safety Bill and UK Transfer Risk Assessment

By Wei Heng Tan

UK Online Safety Bill

First introduced in Parliament on 17 March 2022, the Online Safety Bill aims to identify and address ‘legal but harmful’ content platforms. A number of key provisions were introduced:

  • Criminalising the sending of unsolicited sexual images (‘cyber-flashing’)

  • Preventing fraudulent advertisements

  • Protection of children using online platforms through age verification

A crucial innovation in the Bill is the imposition of duties and obligations on online platforms to regulate: illegal content, content that is harmful to children, and content that is harmful to adults. In general, a statutory duty of care is imposed on certain platforms, with the view of protecting users from harm. Regulated service providers would need to regulate content which they have reasonable grounds to believe that:

  1. “There is material risk of significant harm to individuals in the United Kingdom”

  2. The material risk of causing “signficiant harm to an appreciable number” of individuals and “how easily, quickly and widely content may be disseminated by means of the service”

UK Transfer Risk Assessment

With the UK’s International Data Transfer Agreement (IDTA) in force, the standard clauses contained must be used for data transfer of personal data from the UK to third parties. In the alternative, companies could use the EU’s standard contractual clauses (addendum). The clauses require companies to undertake a transfer risk assessment of the laws and practices of the country the third party is residing in. In response to the risks identified, the firm is to implement supplementary measures (be it technical, organisational, or contractual) to address them. Thus, firms can no longer rely solely on standard terms. They are required to undertake the necessary scrutiny, assessment, and countermeasure before proceeding.


Overall, the new data regulation paradigm places greater responsibility on firms to ensure that personal data is adequately safeguarded. While at the cost of commercial efficiency and might incur greater costs for small and medium-sized firms, they are concrete steps towards combatting the threats of a digital age.


bottom of page