UK PM Starmer Warns Tech Executives That Current Online Safety Approach Is Unsustainable

On April 16, 2026, Prime Minister Keir Starmer and Technology Secretary Liz Kendall sat across the table from representatives of five of the world's largest social media companies and delivered a blunt message: "Things can't go on like this" [1].

The Downing Street summit — attended by Google UK managing director Kate Alessi, Meta public policy principal Markus Reinisch, X global government affairs director Wifredo Fernandez, TikTok northern Europe public policy director Alistair Law, and Snap Europe president Ronan Harris — was framed as a direct confrontation over child safety online [2]. No CEOs were present. The meeting produced no binding commitments and no signed agreements. What it did produce was the clearest signal yet that the UK government considers its own landmark Online Safety Act insufficient — barely two years after it became law.

The Scale of the Problem

The numbers behind Starmer's frustration are stark. Reports of AI-generated child sexual abuse material (CSAM) to the Internet Watch Foundation rose from just 7 in 2022 to 51 in 2023, 245 in 2024, and 426 in the first ten months of 2025 alone [3]. Total AI-generated CSAM cases identified in 2025 exceeded 8,000, with AI-generated videos surging 260-fold year-on-year [4]. Category A material — the most severe, involving penetration, bestiality, or sadism — rose from 2,621 to 3,086 items, now accounting for 56% of all illegal material compared to 41% the previous year [3]. Girls represent 94% of victims depicted in illegal AI-generated content [3]. AI-generated depictions of infants aged 0–2 jumped from 5 to 92 [3].

Source: Internet Watch Foundation

Data as of Mar 1, 2026CSV

Beyond CSAM, the broader landscape of online harm is extensive. Amnesty International UK polling of 3,024 UK respondents aged 16–25 found that 73% of Gen Z social media users have witnessed misogynistic content online, with 50% encountering it weekly [5]. Among Gen Z women who experienced online misogyny, 44% received unsolicited explicit images, 43% experienced body-shaming, and 32% faced hate speech [5]. Women from ethnic minority backgrounds who experienced misogyny were more likely to face hate speech than their white counterparts — 38% versus 31% [5].

Source: Amnesty International UK

Data as of Feb 1, 2025CSV

Home Office statistics recorded 84,374 racially or religiously aggravated crimes in England and Wales in the year ending March 2025, with 23% of victims identifying as Black and 33% as Asian [6]. The Online Safety Act was supposed to address the online dimension of these harms, but enforcement to date has not matched the scale of the problem.

What Ofcom Has Actually Done

Since the Online Safety Act came into force, Ofcom has launched 5 enforcement programmes and opened 21 investigations as of October 2025, later expanding to 18 investigations covering 83 pornography sites alone [7][8]. The regulator requested and received 104 risk assessment records under its enforcement programmes [8].

But the fines levied so far have been modest. A file-sharing service was fined £20,000 for failing to respond to information requests. AVS, a nudification site, received a £50,000 fine. Kick Online Entertainment SA was fined £800,000 for failing to comply with age check requirements. 4chan was fined £520,000 for non-compliance [7][9]. The total: roughly £1.39 million.

Source: Ofcom

Data as of Apr 1, 2026CSV

The Online Safety Act permits fines of up to £18 million or 10% of qualifying worldwide revenue, whichever is greater [10]. For Meta, 10% of worldwide revenue would exceed $13 billion; for Google, over $30 billion [11]. The actual fines imposed so far do not approach anything close to these maximums. No major platform — none of the companies represented at the Downing Street meeting — has been fined.

By comparison, the European Commission fined X (formerly Twitter) €120 million in December 2025 for breaching transparency obligations under the EU's Digital Services Act [12]. The DSA permits fines of up to 6% of global annual turnover [13]. While the OSA's theoretical 10% cap is higher, the EU has moved faster to impose significant penalties on household-name platforms.

Who Was in the Room — And What They Promised

The executives summoned to Downing Street were mid-level policy and government affairs officials, not C-suite decision-makers [2]. Meta sent a public policy principal, not Mark Zuckerberg. X sent a government affairs director, not owner Elon Musk. Google, TikTok, and Snap sent regional directors [2].

Starmer told the assembled executives: "I want to know that when my kids pick up their phones, they're not being exposed to things that can harm them, or glued to their screens by addictive design" [1]. He stated that a ban on children accessing platforms would be "preferable to a world where harm is the price of participation" [14].

The meeting generated no legally binding obligations. It was, in regulatory terms, a political event. The government's "Growing Up In The Online World" consultation, which has received over 45,000 responses including nearly 6,000 from young people, closes on May 26, 2026 [1]. Options under consideration include an Australia-style social media ban for under-16s, curfews, app time limits, and restrictions on addictive design features [1].

Ellen Roome, founder of the campaign group Jools Law and a bereaved mother, dismissed the meeting as a "stunt," criticising the government for telling MPs to vote against raising the minimum age for social media access while publicly claiming commitment to child protection [15].

The Compliance Cost Debate

Industry groups argue that Online Safety Act compliance is prohibitively expensive. PwC estimates the Act affects roughly 100,000 companies worldwide [16]. Companies must navigate over 3,000 pages of regulatory guidance, conduct legal risk assessments, and implement age verification systems costing approximately $1.50 per user [16][11]. Ofcom's own budget for online safety work reached £92 million in FY 2025/26, up from £71 million the previous year — costs ultimately passed to regulated service providers [17].

The impact on smaller operators has been tangible. Microcosm, a non-profit forum platform, announced it would shut down in March 2025 rather than bear compliance costs [18]. Some smaller sites and forums have blocked UK users entirely rather than invest in compliance infrastructure [18].

But this picture requires context. The £92 million Ofcom budget, spread across all regulated platforms, represents a fraction of the operating costs of major tech companies. Meta reported $164 billion in revenue in its most recent fiscal year. Google parent Alphabet reported over $340 billion. The ITIF, a US-based technology policy think tank, has argued that the Act's 34-million-monthly-user threshold for enhanced duties captures leading US platforms while exempting smaller competitors, creating an unequal playing field [11]. Whether that is a design flaw or a feature — protecting smaller operators from disproportionate burdens while holding dominant platforms accountable — depends on one's perspective.

Independent economists have not produced a comprehensive, publicly available analysis proving that compliance costs are genuinely prohibitive for major platforms relative to their operating profits. The costs are real for small and mid-sized services but represent a rounding error for the companies whose executives sat in Downing Street.

The Encryption Standoff

If Starmer moves toward a stricter regime, the most technically contentious measure would be mandatory scanning of encrypted messages. The Online Safety Act already contains provisions allowing Ofcom to require "accredited technology" to detect CSAM in private messages — a power that, if exercised, would require some form of client-side scanning [19].

The Open Rights Group, coordinating with European Digital Rights (EDRi) and over 80 civil society organisations from 23 countries, has warned that this would make the UK "the first liberal democracy to require the routine scanning of people's private chat messages" [19]. The technology, known as client-side scanning, would operate by analysing message content on users' devices before encryption is applied.

Cryptographers and security researchers have consistently argued that client-side scanning fundamentally undermines end-to-end encryption. If a device scans messages before encrypting them, the encryption no longer protects user privacy from the scanning system itself. Any backdoor or scanning mechanism creates a vulnerability that could be exploited by hostile actors [20]. High Court challenges led by civil liberties groups are focusing on compatibility with the Human Rights Act [20].

Starmer has stated his commitment to privacy, but his government has confirmed plans to grant Ofcom powers to scan encrypted chats [20]. Ofcom was expected to issue its report on the technical feasibility of such scanning by April 2026 [20]. This tension — between the government's stated commitment to privacy and its pursuit of tools that privacy advocates say would destroy it — remains unresolved.

How the UK Compares Internationally

The UK's Online Safety Act sits within a global wave of platform regulation, but it differs from peer frameworks in significant ways.

EU Digital Services Act: The DSA takes a broader approach, covering not just illegal content but also dark patterns, illegal goods, and intellectual property issues [21]. Enforcement is shared between national Digital Services Coordinators and the European Commission, which has direct authority over platforms with more than 45 million monthly EU users [13]. The DSA's penalty cap is 6% of global turnover — lower than the OSA's 10% — but the EU has already imposed a €120 million fine on X, while Ofcom's largest fine is £800,000 [12][7]. The DSA emphasises reactive notice-and-takedown procedures, while the OSA places greater weight on proactive monitoring obligations [21].

Australia: The eSafety Commissioner enforces mandatory takedown obligations and basic safety expectations. Australia passed the Online Safety Amendment (Social Media Minimum Age) Act 2024, which took effect in December 2025, requiring platforms to take "reasonable steps" to prevent under-16s from having accounts [22]. By mid-January 2026, over 4.7 million accounts judged to belong to individuals under 16 had been deactivated, removed, or restricted [22]. The eSafety Commissioner has expressed "significant concerns" about compliance by Facebook, Instagram, Snapchat, TikTok, and YouTube [22]. Penalties can reach AUD $49.5 million for systemic non-compliance [22].

Germany: Germany operates a dual system combining federal and state-level protections. The Federal Youth Protection Act (JuSchG), reformed in 2021, requires online platforms to implement age ratings and precautionary measures [21]. Germany was an early mover with its NetzDG law in 2017, which required platforms to remove "manifestly unlawful" content within 24 hours. The NetzDG has since been largely superseded by the DSA but established a model for rapid takedown requirements.

No single jurisdiction has produced definitive evidence of large, measurable reductions in harmful content without provoking significant free-speech litigation. Australia's age-ban approach has generated the most dramatic compliance numbers (4.7 million accounts removed) but faces questions about effectiveness given the ease of circumvention. The EU has levied the largest financial penalties but is still in the early stages of measuring outcomes. The UK has the most detailed regulatory framework on paper but the weakest enforcement record to date.

Is the Online Safety Act Actually Failing?

Starmer's "unsustainable" framing raises a question: is the Act genuinely failing, or is this political positioning ahead of a regulatory tightening?

The evidence suggests both. On the enforcement side, there are documented gaps. Ofcom's initial codes of practice omitted specific measures to mitigate risks to children from livestreaming, location information sharing, and ephemeral messaging [23]. Dating industry analysis revealed major compliance gaps ahead of the April 7, 2026 CSEA reporting deadline, suggesting an industry that "has known the deadline was coming for over two years and has still not adequately prepared" [24]. Downloads of VPN services by UK users surged as some sought to circumvent age verification requirements, and users successfully bypassed photo-based age verification using images from video games [23].

At the same time, the Act is barely operational. Phase 2 children's safety codes only came into force in early 2026 [8]. Major platforms have yet to face substantive enforcement action. The question of whether the Act has "failed" may be premature — it has not yet been fully tested.

The political dimension is also clear. The White House has warned Starmer to "stop threatening American tech companies' free speech," with Trump administration officials monitoring the OSA with "great interest and concern" [25]. US diplomats from the Bureau of Democracy, Human Rights and Labour travelled to London in March 2026 to "affirm the importance of freedom of expression" and challenged Ofcom directly [25]. During his meeting with Starmer in Scotland, President Trump warned the Prime Minister not to censor Truth Social [25]. The US lobbying group NetChoice called the OSA an "ID-for-Speech law" being used to "censor and silence lawful expression and political dissent" [25].

This transatlantic pressure creates a political incentive for Starmer to reframe the issue as one of child protection — where public support is overwhelming — rather than content moderation more broadly, where his government faces pushback from Washington and Silicon Valley alike.

Who Gets Protected — And Who Doesn't

The changes Starmer is signalling would most directly address harms to children: CSAM exposure, addictive design features, and contact risks from strangers. An under-16 ban, if implemented, would remove the youngest users from platforms entirely — following Australia's approach.

But several categories of harm would remain largely unaddressed. Image-based sexual abuse of adult women — including deepfake pornography, which has exploded alongside generative AI — falls outside the scope of age-based restrictions. The 44% of Gen Z women who report negative mental health impacts from online misogyny are mostly over 16 [5]. Hate speech targeting ethnic minorities, which disproportionately affects Black (23% of hate crime victims) and Asian (33%) communities, is addressed by the OSA's illegal content duties but has not been a focus of enforcement action [6][7].

The OSA's "legal but harmful" provisions for adults were removed during the Act's parliamentary passage, meaning content that is harmful but not illegal — including much misogynistic abuse — falls into a regulatory gap for users over 18 [11]. A stricter regime focused on children's access does nothing to close that gap.

What Comes Next

The government's consultation closes on May 26. The options range from incremental — tighter enforcement of existing OSA provisions, higher fines, faster timelines — to structural, including the under-16 ban, mandatory algorithmic audits, and the politically explosive question of encrypted message scanning.

Source: OpenAlex

Data as of Jan 1, 2026CSV

Academic research on online safety regulation has grown dramatically, with publications rising from under 9,000 in 2011 to over 125,000 in 2025 [26]. The policy infrastructure exists. The technical knowledge exists. What remains contested is political will, the tolerance of trade-offs between privacy and safety, and whether the UK is prepared to follow through on enforcement that matches the severity of its rhetoric.

Starmer's meeting with tech executives was, by his own framing, a warning shot. The question is whether the next phase brings enforcement with teeth — or another round of consultations, summits, and warnings that leave platforms free to treat UK regulation as a cost of doing business rather than a constraint on how they operate.