On March 17, 2026, the First-tier Tribunal (General Regulatory Chamber) dismissed an appeal by David Babbs, lead consultant for Clean Up the Internet, who had sought records of Ofcom’s meetings with Meta, X/Twitter, Google/YouTube, and ByteDance/TikTok about the Illegal Content Codes of Practice under the Online Safety Act 2023 (OSA)(Babbs v Information Commissioner [2026] UKFTT 389 (GRC)).

The Tribunal upheld Ofcom’s refusal to disclose any of those records, relying on section 44 of the Freedom of Information Act 2000 (FOIA) as applied through section 393 of the Communications Act 2003 (the 2003 Act). The decision is defensible as a matter of pure textualism. It is nonetheless deeply troubling. The Tribunal’s reasoning applies a 2003 provision to a regulatory context that Parliament in 2003 could not have foreseen and did not design that provision to address. When the OSA 2023 extended s.393 to cover Ofcom’s new online safety powers, it locked in that provision as a permanent shield over Ofcom’s engagement with the largest and most powerful private actors in the world, with no public interest override and no route to challenge within the Tribunal system. That outcome was not anticipated by the Blair government, is not justifiable as a matter of regulatory principle, and should be corrected by Parliament either by repealing or fundamentally reforming s.393.

CUTI made a six-part Freedom of Information request to Ofcom on January 17, 2025 seeking records of any meetings held since November 2023 between Ofcom and Meta (including WhatsApp, Facebook, and Instagram), X/Twitter, Google/YouTube, and ByteDance/TikTok, as well as documents relating to the Illegal Harms Statement published by Ofcom on December 16, 2024. The stated purpose was to understand how Ofcom came to take the positions it did in its Illegal Content Codes of Practice, and specifically whether those positions had been shaped by arguments from the tech platforms that remained outside the public domain and therefore could not be tested or challenged.

Ofcom disclosed some documents under parts 3, 4, and 5 of the request but withheld the remainder under s.44(1) FOIA on the basis that disclosure would be prohibited by s.393(1) of the 2003 Act. Ofcom also refused to confirm or deny whether it held information about meetings with X and Google/YouTube under s.44(2) FOIA, on the grounds that doing so would itself reveal whether those companies had been subject to Ofcom’s regulatory functions. The Information Commissioner upheld both positions in a decision notice dated 15 September 2025. The Tribunal dismissed the subsequent appeal in the decision under review.

The case turned on a single question of statutory construction: what does the phrase “obtained in exercise of a power conferred by” the listed Acts mean in s.393(1) of the 2003 Act? The Tribunal identified three competing interpretations advanced by the parties. The appellant (supported by the Interested Party, Movement for an Open Web) argued for a narrow reading: s.393 applies only to information that Ofcom obtained by exercising its compulsory information-gathering powers. On this view, the section exists to compensate businesses for the coercive nature of regulatory information demands, and it has no application to information provided voluntarily, such as lobbying submissions, meeting notes, or position papers handed over without compulsion. Ofcom argued for a broad reading: s.393 applies to all information obtained in the exercise of any statutory power, whether that power required or merely enabled the provision of information. On this reading, the section applies to anything Ofcom obtains while carrying out any of its statutory functions under the listed Acts. MOW advanced a middle position: s.393 should be limited to commercially sensitive information about the “affairs” of a business, drawing on language in the Explanatory Notes to the 2003 Act. The Tribunal rejected both narrower readings. Its key findings:

First, the phrase “in exercise of a power” means the act of using a power and is not limited to powers specifically designed to compel the provision of information. Because Ofcom obtains information whenever it exercises any of its statutory powers, no rational distinction exists between different categories of power for the purposes of s.393(1)( See paragraphs 21 and 25).

Second, making a distinction between compulsorily and voluntarily provided information would make s.393 unworkable and create inconsistency in the criminal offense provisions at s.393(10): the same piece of information might constitute the basis of a criminal offense in one scenario but not in another depending solely on how it was originally provided (See paragraph 22)

Third, the Explanatory Notes to the 2003 Act describe the provision using the language “relating to the affairs of” any particular business and “obtained under” the Act, neither of which matches the actual wording of s.393(1). Those notes are not a substitute for the statutory text (See paragraphs 17 and 29).

Fourth, s.44 FOIA is an absolute exemption. Public interest arguments have no bearing on its application, and neither the appellant nor MOW could invoke transparency arguments as a basis for a narrow reading of s.393 (See paragraph 32).

Fifth, while Ofcom’s decisions about the application of s.393 are not reviewable in the Tribunal, they are susceptible to judicial review, which the Tribunal described as an effective remedy (See paragraph 28).

Section 393(1) provides in part

” … information with respect to a particular business which has been obtained in exercise of a power conferred by [this Act or the listed Acts] … is not, so long as that business continues to be carried on, to be disclosed without the consent of the person for the time being carrying on that business.

The phrase “in exercise of a power” is genuinely ambiguous. It could mean “in the course of using any power that was legally operative at the time” (the Tribunal’s reading) or it could mean “by means of the application of a coercive or compulsory power specifically directed at obtaining information” (the appellant’s reading). The ordinary English meaning of “exercise” does not settle the question conclusively, because one “exercises” a power both when compelled performance is at stake and when a statutory function is simply being carried out.

The Tribunal is correct that had Parliament meant to confine s.393 to compulsory information-gathering it could have said so, by cross-referencing specific provisions such as sections 135 and 136 of the 2003 Act, which deal explicitly with the power to require information. That Parliament did not do so is a legitimate textual observation. Where the Tribunal’s reasoning becomes vulnerable is in its treatment of the criminal offense argument. Section 393(10) makes it a criminal offense to disclose information in contravention of the section, with penalties on indictment of up to two years’ imprisonment. The Tribunal uses workability to justify the broad reading: without it, the same information could be a criminal offense to disclose if obtained compulsorily but not if obtained voluntarily. That argument runs the other way. Where a provision creates criminal liability, ambiguity should resolve in favor of the narrower reading. The principle that penal provisions should not be extended by implication is a well-established canon of statutory interpretation, and the Tribunal does not squarely address the tension.

The Tribunal also correctly notes that the Explanatory Notes use language that does not match the text of s.393(1) (referring to information “relating to the affairs” of any particular business and to information “obtained under” the Act rather than “obtained in the exercise of a power”) and treats this as unhelpful to all parties. But the divergence points in a more significant direction than the Tribunal acknowledges. Parliament’s contemporaneous account of what s.393 was meant to do describes it as protecting a business’s internal affairs data obtained under the statute. The Tribunal’s reading extends that protection to cover meeting agendas, attendee lists, voluntary position papers, and the substance of lobbying conversations. Those two things are not the same, and the gap is evidence that the broad reading was not anticipated.

The Communications Act 2003 received Royal Assent on July 17, 2003. It created Ofcom as a converged regulator, replacing five predecessor bodies: the Office of Telecommunications, the Independent Television Commission, the Broadcasting Standards Commission, the Radio Authority, and the Radiocommunications Agency.

Section 393 was drafted to protect the businesses that Ofcom regulated in that context. Those were principally large British and European operators with established presences in a domestic regulatory framework, companies that handed over commercially sensitive pricing data, subscriber numbers, infrastructure information, and business plans in the context of a structured statutory relationship. The concern Parliament was responding to was straightforward: a telecoms company ordered under sections 135 to 136 of the 2003 Act to produce detailed internal business data should not have that data freely disclosed into the public domain in response to a FOIA request. That is a legitimate regulatory interest.

Facebook was launched in February 2004, seven months after the 2003 Act received Royal Assent. YouTube was launched in February 2005. Twitter launched in July 2006. The iPhone was announced in January 2007. The App Store opened in July 2008. When Parliament enacted s.393 in 2003, none of the platforms now regulated under the Online Safety Act existed as commercial products, and the regulatory problem they present, namely the question of how a state regulator should oversee globally dominant private platforms with trillion-dollar market capitalizations and extensive capabilities for political influence, was not part of the legislative context.

The idea that s.393 would one day operate as a blanket shield over Ofcom’s engagement with Meta, Google, and ByteDance on the content of codes of practice governing online speech for 67 million people was simply outside Parliament’s contemplation. The 2003 Act was not designed for that world. Its confidentiality provision was calibrated for a different kind of regulatory relationship.

There is a fundamental difference between protecting British Telecom’s pricing data under a statutory confidentiality regime and concealing the content of conversations between Ofcom and the major social media platforms about the rules those platforms will follow in moderating speech. The Illegal Content Codes of Practice are not internal commercial decisions. They have the force of law for regulated service providers under the OSA framework. When Ofcom drafts those codes in dialogue with the platforms the codes are meant to govern, and that dialogue is made immune from FOIA scrutiny, the public has no way of knowing whether the resulting rules reflect regulatory judgment or industry preference.

Section 393, as construed in Babbs, ensures that information remains permanently secret. Section 115 of the Online Safety Act 2023 amended section 393 of the 2003 Act in several respects. Most importantly, it inserted s.393(1)(e), which added the OSA 2023 itself to the list of statutes whose powers bring information within the prohibition. It also inserted new gateways at s.393(3)(ha) and (hb) for sharing information in connection with OSA functions. The extension of s.393 to cover OSA powers was not subject to any serious parliamentary analysis of the accountability consequences: specifically, what it would mean for a regulator to be drafting speech codes with the platforms those codes are meant to govern, behind a permanent confidentiality screen. Shortly after the OSA received Royal Assent, the Government identified what it described as an oversight in the original Act: s.393, as amended, did not include a gateway allowing Ofcom to share information with Ministers for the purpose of fulfilling functions under the OSA. This meant that Ofcom sharing business information with the Secretary of State might itself constitute a criminal offense under s.393(10). The Communications Act 2003 (Disclosure of Information) Order 2024 was introduced to correct this, by creating an additional gateway.

If Parliament missed the basic question of whether Ofcom could talk to its own minister without breaching s.393, it plainly had not thought carefully about how s.393 would interact with the OSA’s accountability architecture more broadly. Section 44 of FOIA is an absolute exemption. Unlike the qualified exemptions in ss.27 to 42 of FOIA, which require a public interest balance, it operates without any weighing of the costs and benefits of disclosure. The Tribunal confirms this at paragraph 32. The result is that the public has no mechanism to obtain information by arguing that disclosure serves the public interest. Ofcom can withhold anything connected to its regulatory activities, subject only to its own assessment of whether a gateway applies, with no external check. The Tribunal described judicial review as an effective remedy. It is not. A judicial review court does not substitute its own view for Ofcom’s on the merits of a disclosure decision. It asks whether Ofcom acted lawfully, rationally, and procedurally fairly: a threshold that is very high when the decision is backed by the Tribunal’s broad reading of s.393. FOIA was designed to be accessible; the effective review mechanism that Babbs produces is a High Court procedure costing tens of thousands of pounds and years to resolve.

The combination of factors identified above, namely the broad reading of s.393, the absolute nature of s.44 FOIA, the extension to OSA powers, and the inaccessibility of judicial review, creates near-perfect structural conditions for regulatory capture. Regulatory capture occurs when a regulator’s decisions are systematically influenced by the interests of the industry it regulates rather than the public interest it is supposed to serve. The classic mechanism of capture is information asymmetry: the regulated entities have resources and sustained access to the regulator that other stakeholders lack, and the regulator’s decision-making gradually reflects that asymmetry. The Online Safety Act created exactly that dynamic. Ofcom must produce codes of practice of enormous complexity covering an industry it barely understands as well as the platforms do. It consults with those platforms intensively. The platforms have every incentive to use those consultations to shape codes in their favor. The public, civil society organizations, academics, and independent researchers cannot see the content of those conversations. Section 393, as construed in Babbs, ensures that they never will, unless Ofcom itself decides to disclose or a gateway coincidentally applies. The legitimate core of s.393 was, and remains, the protection of genuinely commercially sensitive data obtained from regulated businesses under compulsory powers. A telecoms company required to produce detailed internal pricing models, subscriber churn rates, or infrastructure costings has a legitimate interest in those materials not being made public in a way that would harm its competitive position. That is a rational regulatory accommodation.

But s.393 has since been extended far beyond that core. It now covers the OSA 2023 alongside the 2003 Act, the Broadcasting Act 1990, the Broadcasting Act 1996, and other legislation. Each successive extension has increased the surface area of the prohibition without reexamining whether the original rationale justifies its application in new contexts. The result is a provision whose scope has grown through accretion without any Parliament sitting down to ask whether the accountability tradeoff still makes sense. If full repeal is regarded as too disruptive to Ofcom’s regulatory functions, the minimum necessary reform is to remove s.393 from the list of provisions that engage the absolute exemption in s.44 FOIA and replace it with a qualified exemption framework under which disclosure would be required unless Ofcom could demonstrate that the public interest in maintaining confidentiality outweighs the public interest in disclosure. This would protect genuinely sensitive commercial data while requiring Ofcom to make the case, disclosure by disclosure, that withholding is justified rather than invoking a categorical prohibition. The extension of s.393 to OSA 2023 powers under s.115 of that Act should be reversed or substantially modified. In place of the blanket prohibition, Parliament should enact a dedicated transparency framework for Ofcom’s engagement with regulated platforms under the OSA that requires Ofcom to publish, at minimum, the substance of any meetings with regulated service providers about codes of practice, the positions those providers advanced, and the extent to which those positions were accepted or rejected in the final codes. The public has no reliable way to understand how Ofcom’s Illegal Content Codes of Practice were actually shaped. That should not be a permanent condition.

The Communications Act 2003 (Disclosure of Information) Order 2024 had to be introduced to correct an oversight that arose precisely because Parliament had not thought through the implications of extending s.393 to the OSA. That is not the hallmark of deliberate legislative design. Section 393 should be repealed and replaced with a proportionate confidentiality regime that protects genuinely sensitive commercial data while preserving the public’s right to understand how the rules governing internet speech in the United Kingdom were made. At minimum, the extension of the absolute FOIA exemption to cover OSA-derived information should be removed.

Daniel Lü. New York University.