The eSafety Commissioner has issued a decision on proposed industry codes of practice under Australian online safety laws, which has significant implications for all companies operating online services in Australia
Today marks a significant milestone in the roll-out of Australia's online safety regime, which has quickly become one of Australia’s most significant and rapidly developing areas of law for those in the online space.
Various obligations will be imposed on a range of industry participants, through the registration of five industry codes of practice (Codes) under the Online Safety Act 2021 (Cth) (Act) by Australia's eSafety Commissioner (eSafety) with eSafety intending to determine industry standards (Standards) in relation to two other areas of online services.
Five Codes (of the eight submitted by the industry associations responsible for Code development) will become registered under the Act covering providers of each of the following:
- social media services, so far as they are provided to end-users in Australia;
- app distribution services, so far as they are provided to end-users in Australia;
- hosting services, so far as they host material in Australia; and
- internet carriage services, so far as they are provided to customers in Australia;
as well as persons who:
- manufacture, supply, maintain or install equipment used by end-users in Australia in connection with online services or internet carriage services.
The Codes aim to establish appropriate safeguards for the community, by requiring providers to adopt various compliance measures in relation to child sexual exploitation material, pro-terror material, extreme crime and violence material, crime and violence material, and drug-related material (together, class 1A and class 1B materials).
Copies of the Codes that were submitted to eSafety are available here. It is anticipated that final versions of each will be made available on registration.
In addition to the above, eSafety has asked that the relevant industry associations revert with a revised search engine services Code, for eSafety's further review and potential registration. This request is driven by a desire for this Code to address recently announced developments in generative AI.
Two other Codes submitted to eSafety for registration will not be registered, and eSafety will instead move to determine Standards applicable to providers of:
- relevant electronic services (messaging services of various kinds, including email, SMS, MMS, chat, instant messaging and various online games); and
- designated internet services (covering a broad range of websites and apps not otherwise captured).
As these are the two broadest categories of service, the move towards Standards for these categories is significant.
Online industry participants to whom any of the registered Codes will apply will enter a transitional period upon registration, during which relevant compliance measures must be adopted before the Codes take effect.
All businesses with an online presence in Australia should be aware of what these developments mean for them and their obligations under the Act.
The soon to be registered Codes form part of a set of Consolidated Industry Codes of Practice for the Online Industry, Phase 1 (class 1A and class 1B material). Each is governed by a common set of Head Terms.
All industry participants covered by registered Codes will need to identify and adopt reasonable compliance measures in accordance with those Head Terms. Compliance measures are structured around a set of online safety objectives and outcomes which are grouped in three overarching categories:
- measures with the objective of taking reasonable and proactive steps to create and maintain a safe online environment for end-users in Australia;
- measures empowering end-users in Australia to manage access and exposure to class 1A and class 1B material; and
- measures strengthening transparency of, and accountability for, class 1A and class 1B material.
Broadly, industry participants will need to take the following steps:
- Step 1: Assess and determine which Code applies to each of their services or devices and then, in each case, how the service/device is categorised under the applicable Code. In some instances, this will require the provider to conduct a risk assessment in order to determine the risk profile of a service.
- Step 2: For each subcategory of services/devices covered by a Code, adopt a set of mandatory minimum compliance measures. For many subcategories these are wide ranging but examples include:
- requirements for some social media services to proactively detect and remove some forms of content;
- requirements for many service categories to notify appropriate entities (e.g., law enforcement) of some forms of harmful content;
- broad requirements relating to creating, implementing and documenting various systems, processes and procedures including with respect to users who breach content requirements;
- governance requirements;
- requirements relating to user features and user information; and
- broad reporting obligations for many service categories.
- Step 3: Consider adopting optional compliance measures contained in a Code. The question of whether to adopt any such measures must be considered in light of a test set out in the Head Terms.
- Step 4: Lastly, consider whether there are any other compliance measures that should reasonably be adopted – again, by applying a test set out in the Head Terms.
There will be a six month transition period from the date of registration before the Codes take effect. An additional six months may be available to industry participants who have reasonable grounds for not being fully compliant (such as where significant engineering or system changes are required to comply with the Codes), provided that it can be demonstrated that the relevant provider is working to achieve compliance on such issues within that timeframe.
After this transitional period, any failure to comply with the Codes may result in enforcement action in the form of a warning or, where issues are not addressed, potential civil penalties or other more significant enforcement action under the Act.
For those industry sections that will be moving to Standards (relevant electronic services and designated internet services) providers should anticipate draft Standards being made available for public comment in the coming months.
In short, the Act was a significant overhaul of Australia's online safety laws, with changes including the broadening of eSafety's powers, the expansion and consolidation of various regulatory schemes for removal of certain harmful materials such as harms relating to cyber-abuse of adults, cyber-bullying of children, and image-based abuse, as well as illegal and restricted materials under an Online Content Scheme. The Online Content Scheme also provided for the development of Codes by industry associations or, alternatively the development of Standards by eSafety, for eight sections of the online industry.
Since the Act was passed, relevant developments have included:
- September 2021: eSafety published a Position Paper which set out its policy positions regarding the Codes.
- 11 April 2022: eSafety issued notices to six industry associations, requesting the development of Codes for class 1A and class 1B material, under section 141 of the Act. Further Codes for class 1C and class 2 material were anticipated at a later date.
- 18 November 2022: Draft Codes were submitted to eSafety for potential registration.
- 9 February 2023: eSafety provided its preliminary views that the draft Codes failed to deliver appropriate community safeguards as required under the Act and invited industry associations to revise and resubmit draft Codes to address eSafety’s concerns.
- 31 March 2023: Revised Codes were resubmitted to eSafety for potential registration.
eSafety's decision means that significant compliance work will need to be undertaken by many organisations covered by the registered Codes within the next six months.
Thank you to Kelly Choo for her assistance in preparing this alert.