Just reading the first correspondence from Ofcom and this section in particular:

> What should I do if there is confidential information in my response?

> You must provide all the information requested, even if you consider that the information, or any part of it, is confidential (for example, because of its commercial sensitivity).

> If you consider that any of the information you are required to provide is confidential, you should clearly identify the relevant information and explain in writing your reasons for considering it confidential (for example, the reasons why you consider disclosure of the information will seriously and prejudicially affect the interests of your business, a third party or the private affairs of an individual. You may find it helpful to do this in a separate document marked ‘confidential information’

> Ofcom will take into account any claims that information should be considered confidential. However, it is for Ofcom to decide what is or is not confidential, taking into account any relevant common law and statutory definitions. We do not accept unjustified or unsubstantiated claims of confidentiality. Blanket claims of confidentiality covering entire documents or types of information are also unhelpful and will rarely be accepted. For example, we would expect stakeholders to consider whether the fact of the document’s existence or particular elements of the document (e.g. its title or metadata such as to/from/date/subject or other specific content) are not confidential. You should therefore identify specific words, numbers, phrases or pieces of information you consider to be confidential. You may also find it helpful to categorise your explanations as Category A, Category B etc

> Any confidential information provided to Ofcom is subject to restrictions on its further disclosure under the common law of confidence. In many cases, information provided to Ofcom is also subject to statutory restrictions relating to the disclosure of that information (regardless of whether that information is confidential information). For this reason, we do not generally consider it necessary to sign non-disclosure agreements. Our general approach to the disclosure of information is set out below.

> For the avoidance of doubt, you are not required to provide information that is legally privileged and you can redact specific parts of documents that are legally privileged. However, where you withhold information on the basis that it is privileged you should provide Ofcom with a summary of the nature of the information and an explanation of why you consider it to be privileged. Please note that just because an email is sent to or from a legal adviser does not mean it is necessarily a legally privileged communication. Further information is available in paragraph 3.18 of our Online Safety Information Powers Guidance.

So ofcom's position is:

We want your data, you will give us your data, the GDPR does not apply to you, and if it does, we will decide whether it does. You must explain yourself to us. You must not redact anything. Even if you think you can redact anything (you know, because GDPR) you cannot redact anything. The GDPR and data protection laws do not apply because we have said so. You are required to break confidentiality agreements. We will not sign an NDA because we do not need to and we will not justify ourselves to you in any way shape or form.

We are the UK, and therefore, because we asked you to, you will comply with our every demand, whim and whimper. Otherwise we will continue to send strongly worded emails.

And fine you. And block you. Because that's the only thing we can do. And you best not advertise VPN's or we'll...Send another sternly worded email!

Good job UK!

(I cannot see how that paragraph is in any way legal, it must break the EU/UK's data protection laws in trying to compel disclosure of third party data. I cannot see any court in the UK ever upholding that paragraph if legally challenged as it's way above Ofcom's remit to be demanding confidential data. In any case, they should absolutely be required to sign NDA's)