UK Online Safety Act Expands Client-Side Scanning Mandates, Raising Corporate Liability Questions Across Jurisdictions

The UK government's draft amendments to the Online Safety Act 2023 introduce direct criminal penalties of up to five years imprisonment for technology executives who decline to implement client-side scanning on all devices. Primary text of the Act (legislation.gov.uk/ukpga/2023/50) already requires platforms to mitigate illegal content risks, yet the new proposals extend this to mandatory pre-transmission inspection of every photo, video, and message. This builds on prior Home Office statements from June 2024 emphasizing age verification and content moderation timelines. Cross-referencing with the EU's Digital Services Act (eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022R2065), which imposes systemic risk assessments without individual executive liability, reveals a sharper UK approach that personalizes enforcement. Patterns from Australia's 2018 Assistance and Access Act and India's 2021 IT Rules amendments show similar pressure on platforms to embed scanning, often framed around child protection but resulting in broader data access capabilities. Coverage in secondary reports has understated the linkage to digital identity frameworks outlined in the UK's 2023 Digital Identity and Attributes Trust Framework consultation, where device functionality could hinge on verified ID submission. Multiple stakeholder views include government emphasis on enforcement gaps and industry concerns over encryption integrity documented in Apple and Google public policy filings. The policy trajectory indicates potential ripple effects on global norms for platform liability without resolving tensions between safety objectives and end-to-end encryption standards.