Online Safety Act 2021 (Cth)

In brief

On 25 July 2022, Australia's eSafety Commissioner ("eSafety") published Regulatory Guidance on the "Basic Online Safety Expectations" ("Expectations"), which are provided for by Part 4 of the Online Safety Act 2021 (Cth) ("Act") and the Online Safety (Basic Online Safety Expectations) Determination 2022 ("BOSE Determination").

This comes a day after eSafety became entitled to issue notices seeking information from a wide range of online service providers regarding their compliance with the Expectations.

eSafety has indicated that it expects to issue the first reporting notices during August 2022, and a failure to comply with a reporting notice could result in civil penalties and reputational damage.

The Regulatory Guidance contains information which service providers should review and consider carefully to ensure they are ready to receive and respond to reporting notices from eSafety.

Recommended actions

Service providers within the scope of the Expectations should:

■ Review the Regulatory Guidance and Expectations and consider what measures the provider has in place for the purposes of compliance, taking into account eSafety's stated interpretation of the Expectations

■ Take steps to strengthen measures in areas of any perceived compliance gaps

■ Designate a contact point for eSafety compliance matters and share this with eSafety (a webform for this purpose can be obtained by emailing [email protected])

■ Consider their policies and processes for responding to a notice or request from eSafety. Specifically, providers should be ready to demonstrate what measures they have in place to satisfy the Expectations.

In depth

Background to the Act and the Expectations

As outlined in our previous alerts (here, here and here), the Act and the BOSE Determination came into effect on 23 January 2022. Amongst other things, they together prescribe a set of Expectations for social media services, relevant electronic services (including email, SMS and MMS, instant messaging, chat and online gaming services), and designated internet services (including other websites and apps).

Summary of the Expectations:

As a reminder, the core Expectations are outlined in section 46 of the Act and fleshed out by the BOSE Determination. They include both:

■ Broad expectations as to the overall safety of their services, including:

    ■ Take reasonable steps to ensure that end-users are able to use a service in a safe manner

    ■ Take reasonable steps to proactively minimise the extent to which material or activity on the service is unlawful or harmful

    ■ If the service uses encryption, take reasonable steps to develop and implement processes to detect and address material or activity that is unlawful or harmful (provided that the provider is not required to implement or build systemic weaknesses or vulnerabilities, build new decryption capability or render methods of encryption less effective)

■ More specific expectations, including:

    ■ Consult with the Commissioner on measures

    ■ Keep records of certain complaints for 5 years

    ■ Respond to requests from the Commissioner for various pieces of information, within 30 days

Enforceability of the Expectations

The Expectations are not themselves enforceable, and a failure to meet specific Expectations will not trigger penalties for non-compliance. However, eSafety has several relevant powers under the Act which can be used to push providers towards compliance, including:

■ The power to require providers to report on how they are meeting any or all of the Expectations, either on a non-periodic or a periodic basis. The obligation to respond to a reporting notice is an enforceable obligation and is backed by civil penalties of up to AUD 111,000

■ The power to require reporting can apply either to specific providers or, by way of a determination, to a specified class of providers

■ The power to issue statements to providers about compliance and non-compliance with the Expectations and publish such statements, effectively "naming and shaming" those who do not meet expectations

eSafety's approach

The Regulatory Guidance indicates that eSafety intends to take a phased approach to compliance, with:

■ Phase 1 (from August 2022): non-periodic notices relating to specific Expectations and acute issues of particularly high harm, such as child exploitation and abuse

■ Phase 3 (2023): expansion of the regular reporting required, provision of additional guidance, and the start of statements of compliance/non-compliance and potential use of reporting determinations

eSafety intends to try to give providers advance notice before issuing a reporting notice, although this may not always be possible. Providers should be aware that eSafety's default position is that information received from industry via reporting notices should be made public, where appropriate, in the interests of transparency and accountability, and any confidentiality claims must be clearly identified for eSafety's consideration.

eSafety expects that online service providers will review their policies, procedures and practices on a regular basis to ensure alignment with the Expectations.

Further guidance is anticipated from eSafety regarding eSafety's views on the various "reasonable steps" obligations.

Additionally, while the Expectations themselves are not enforceable in the normal way, industry codes of practice are under development which, if registered by eSafety (likely to be later this year), may impose more specific requirements on an even broader range of providers, and should be watched closely. 

With thanks to Jack Chenoweth and Liz Grimwood-Taylor for their assistance in preparing this alert