Understanding the UK’s Online Safety Act: Big Fines, Small Teams, and a Legal Showdown
In 2024, Meta’s global revenue is projected to reach approximately $164.5 billion. Under the UK’s Online Safety Act, Ofcom—the country’s media regulator—has the authority to impose fines amounting to 10% of a company’s qualifying worldwide revenue for breaches of the law. For Meta, this translates to a theoretical maximum fine exceeding $16 billion in a single enforcement action. Yet, the enforcement unit tasked with investigating and penalizing such violations comprises fewer than 50 people. This stark contrast between the scale of the law’s potential impact and the limited resources available to enforce it encapsulates the operational reality of Britain’s flagship internet legislation.
Meta is currently challenging Ofcom in the High Court over the methodology used to calculate both the fees and potential penalties. Monica Carss-Frisk KC, representing Meta, has argued that the regulator’s approach unfairly burdens a small group of large companies with most of the costs of enforcement. The ongoing legal proceedings, with a full hearing scheduled later this year, could reshape how this powerful regulatory framework is applied and financed.
Decoding the Headline Numbers
The Online Safety Act, which came into force in 2025, includes a penalty formula that has become well-known among compliance officers in Silicon Valley and beyond. It stipulates a maximum fine of 10% of qualifying worldwide revenue or £18 million—whichever is greater—for breaches of the Act. Meta’s 2024 revenue of $164.5 billion places its potential fine well into the billions, dwarfing the market capitalization of many FTSE 250 companies.
This penalty scale extends beyond Meta. Alphabet, ByteDance, Microsoft, Amazon, Apple, Snap, X, Discord, and Telegram all fall under the same enforcement umbrella. The Act arms Ofcom with the most formidable regulatory power wielded by any media regulator outside China over US tech giants. However, the regulator’s enforcement team operates with a fraction of the resources these companies dedicate to legal and policy affairs.
The Resource Challenge Facing Ofcom
Ofcom’s online safety enforcement directorate, responsible for investigations, issuing notices, and confirming penalties, is staffed by fewer than 50 people. This is a striking disparity when compared to the vast legal and policy teams maintained by the largest platforms. For instance, Meta’s UK legal team alone is significantly larger than the entirety of Ofcom’s enforcement unit.
This imbalance means the regulatory body is structurally outmatched in every case it pursues. The first confirmation decision under the Act was closely analyzed by compliance lawyers because it set the procedural precedent—information notices, provisional decisions, and confirmation notices—with each stage spanning months and open to appeal. This slow and resource-intensive process is the blueprint for future enforcement.
The Telegram Investigation: A Case Study in Enforcement Strain
In April, Ofcom launched a formal investigation into Telegram concerning its handling of child sexual abuse material and compliance with illegal-content duties under the Act. Telegram is known for its minimal moderation team, which adds layers of complexity to enforcement.
This investigation involves a small London-based team exchanging legal notices with Telegram’s representatives, coordinated by external counsel on both sides. The process unfolds over years and overlaps with an ongoing French criminal case against Telegram’s founder, Pavel Durov. Meanwhile, Ofcom is juggling numerous other priorities, including TikTok and YouTube’s recommender system reviews, age-assurance enforcement across hundreds of adult sites, illegal-content assessments on platforms like Discord and Reddit, and the legal defense against Meta’s court challenge.
In May, Ofcom condemned TikTok and YouTube after research revealed that 73% of UK teens still encountered harmful content via recommender feeds. Both platforms rejected Ofcom’s proposals for remediation. Without a mechanism to compel immediate algorithm changes, the regulator must navigate lengthy enforcement procedures while harmful content persists unabated.
Meta’s Legal Challenge Over the Fee Formula
At its core, Meta’s High Court challenge centers on the financial framework underpinning Ofcom’s enforcement. The regulator funds its operations through levies on the firms it oversees, with the current formula allocating most costs to the largest platforms. Meta argues this creates an inequitable burden, essentially making a few US companies subsidize the entire regulatory system.
More critically, the company disputes the calculation of “qualifying worldwide revenue,” contending that fines for UK breaches should be based solely on revenue generated within the UK, not globally. As a Meta spokesperson told the BBC, adjusting the calculation to UK-only revenue would still allow Ofcom to impose record-breaking fines but would avoid penalizing revenue earned in markets like São Paulo, Jakarta, or Lagos.
The case has attracted interest from other industry players, including Epic Games and the Computer and Communications Industry Association, who seek to intervene. Mr Justice Chamberlain has emphasized the wide public importance of these issues.
The Insurance Dimension: An Overlooked Factor
Another important but under-discussed aspect is whether regulatory fines can be insured against. Across Europe, the ability to insure such penalties remains a contentious topic in cyber risk and insurance law. UK courts generally disallow insurance coverage for deliberate or reckless misconduct, while the rules around negligence-adjacent penalties are less clear.
For a company the size of Meta, a $16 billion uninsurable fine would constitute a board-level crisis. Conversely, a penalty scaled to UK-only revenue, potentially insurable, becomes a more manageable expense. The different scenarios influence corporate compliance strategies well before any investigation begins.
Realistic Enforcement: What a Small Team Can Accomplish
Regulators operating with limited resources often adopt a strategic approach: selecting a few high-profile cases to prosecute slowly but visibly, publishing comprehensive decisions to guide industry self-regulation, relying on disclosure duties to leverage platform cooperation, and accepting that many violations will remain uninvestigated.
This pragmatic playbook reflects the structural constraints faced by tech regulators worldwide. The size of a penalty on paper rarely corresponds to the amount actually collected. For example, Clearview AI, despite receiving hefty fines in Europe, has largely ignored these penalties without significant financial consequence.
The October Hearing: A Pivotal Moment
The upcoming High Court ruling will have significant implications globally. The UK’s Online Safety Act represents the most aggressive online content regulatory framework attempted by any English-speaking democracy. Countries like Australia, Canada, and several US states are closely monitoring its outcomes.
If Ofcom’s penalty methodology withstands the Meta challenge, the 10%-of-global-revenue model could become the international benchmark for content regulation. Failure would prompt jurisdictions to reconsider foundational principles in shaping similar laws.
For the tech giants, investing tens of millions in litigation to potentially avoid tens of billions in exposure is a clear financial calculus. For Ofcom, the stakes are more complex: defending this case consumes senior legal and policy resources that might otherwise advance ongoing investigations like Telegram’s or the TikTok recommender review.
A small enforcement team cannot simultaneously manage court proceedings and multiple high-priority investigations. Platforms are acutely aware of this and may leverage litigation to delay enforcement actions.
The Real Metric: Enforcement in Practice
Ofcom has pledged to vigorously defend its methodology, asserting it aligns with the law’s plain language. However, the more meaningful figure is not the headline maximum fine but the cumulative total of fines actually imposed, collected, and upheld on appeal by the end of 2027.
Currently, this figure remains modest—mere hundreds of thousands of pounds—against a sector generating trillions in revenue. The vast gap between the theoretical $16 billion penalty and a lean enforcement unit is not an oversight but a deliberate political choice.
In essence, Parliament crafted legislation signaling a tough stance on American tech platforms but allocated enforcement resources akin to a mid-sized trading standards office. The headline deterrent largely exists in press releases, while actual enforcement depends on limited capacity and strategic prioritization. The platforms have already discerned which side of this imbalance will prevail.
Source: Here
