What are the regulations?
There is currently a three-tiered approach to regulating online safety in Australia:
- Online Safety Act 2021 – the Act is the primary piece of legislation regulating issues including cyber-bullying, cyber-abuse, imaged-based abuse and online content.
- Basic Online Safety Expectations 2022 (the Expectations) – set out in a Ministerial Determination, the Expectations contain a series of ‘core’ and ‘additional’ expectations which aim to increase transparency and accountability of online service providers. The Expectations centre around ensuring online service providers have adequate terms of service, moderation practices, reporting and risk processes in place to minimise online harm.
- Industry Codes – five out of the eight industry codes have now been published which create mandatory compliance requirements for online service providers.
Who do the regulations apply to?
The Online Safety Act protects end-users who are accessing content from Australia, regardless of whether a company has an Australian presence. While jurisdictional issues have not yet been tested, and enforcement may prove tricky when dealing with an overseas entity, businesses who are accessible by end-users in Australia should familiarise themselves with the domestic regulations in this space.
The enforcement focus of the eSafety Commissioner to date has been social media platforms, however, we expect to see this lens broaden to capture a wide range of services operating alongside the online industry. This follows the announcement of the new Industry Codes.
What are the Industry Codes?
This week, the eSafety Commissioner published five out of the eight Industry Codes, applying to:
- social media services
- app distribution services
- hosting services
- internet carriage services
- manufacturers, suppliers, maintainers and installers of equipment used to access online services
The finalised codes will come into force on 16 December 2023 and create mandatory compliance requirements relating to moderation, risk assessments and reporting, depending on the nature of the service.
The Industry Code for search engine services has been stalled following developments in generative AI but is expected to be finalised soon.
The remaining codes applying to ‘relevant electronic services’ (including messaging and multi-player games) and ‘designated internet services’ (including all websites) have been determined to not meet the statutory requirements under the Act. The eSafety Commissioner will proceed to making an enforceable standard in replacement of these codes.
In addition to social media platforms and messaging service providers, did you know the Online Safety Act could also apply to:
- all websites
- search engines
- app distributors
- internet carriage services
- anybody who manufactures, supplies or installs equipment used by end-users (including manufacturers of wi-fi routers, smart TVs, gaming consoles)
- discussion forums and consumer review networks
What are the notices currently being issued to big tech?
In parallel to the development of the Industry Codes, ‘transparency notices’ are being progressively issued by the eSafety Commissioner to service providers across the online industry, requiring them to provide a report and answer questions relating to how they comply with the Expectations.
What are the consequences for non-compliance?
Failure to comply with an Industry Code carries a financial penalty of AUD$137,500 per instance of non-compliance.
While failing to respond to a transparency notice carries a financial penalty, failing to comply with the Expectations themself carry reputation harm, with the Commissioner publishing a statement to that effect on the eSafety Commissioner’s website.
There are also a number of avenues to enforce compliance relating to additional offences under the Act, including content removal and blocking notices, financial penalties and enforceable directions.
Online service providers (social media platforms in particular) who haven’t yet received a transparency notice from the Australian eSafety Commissioner may expect to receive one soon. In preparation for such a notice, service providers should familiarise themselves with the Expectations and consider implementing the ‘reasonable steps’ set out in Expectations.
In addition, online service providers should familiarise themselves with the Industry Codes and be ready to implement compliance measures by December this year.