Australia: Basic Online Safety Expectations - Regulatory Guidance

Online Safety Act 2021 (Cth)

In brief

On 25 July 2022, Australia's eSafety Commissioner ("eSafety") published Regulatory Guidance on the "Basic Online Safety Expectations" ("Expectations"), which are provided for by Part 4 of the Online Safety Act 2021 (Cth) ("Act") and the Online Safety (Basic Online Safety Expectations) Determination 2022 ("BOSE Determination").

This comes a day after eSafety became entitled to issue notices seeking information from a wide range of online service providers regarding their compliance with the Expectations.

eSafety has indicated that it expects to issue the first reporting notices during August 2022, and a failure to comply with a reporting notice could result in civil penalties and reputational damage.

The Regulatory Guidance contains information which service providers should review and consider carefully to ensure they are ready to receive and respond to reporting notices from eSafety.


Contents

Recommended actions

Service providers within the scope of the Expectations should:

  • Review the Regulatory Guidance and Expectations and consider what measures the provider has in place for the purposes of compliance, taking into account eSafety's stated interpretation of the Expectations
  • Take steps to strengthen measures in areas of any perceived compliance gaps
  • Designate a contact point for eSafety compliance matters and share this with eSafety (a webform for this purpose can be obtained by emailing industybose@esafety.gov.au)

Consider its policies and processes to respond to a notice or request from eSafety. Specifically, providers should be ready to demonstrate what measures they have in place to satisfy the Expectations.

In depth

Background to the Act and the Expectations

As outlined in our previous alerts (here, here and here), the Act and the BOSE Determination came into effect on 23 January 2022. Amongst other things, they together prescribe a set of Expectations for social media services, relevant electronic services (including email, SMS and MMS, instant messaging, chat and online gaming services), and designated internet services (including other websites and apps).

Summary of the Expectations:

As a reminder, the core Expectations are outlined in section 46 of the Act and fleshed out by the BOSE Determination. They include both:

  • Broad expectations as to the overall safety of their services, including:
    • Take reasonable steps to ensure that end-users are able to use a service in a safe manner
    • Take reasonable steps to proactively minimise the extent to which material or activity on the service is unlawful or harmful
    • If the service uses encryption, take reasonable steps to develop and implement processes to detect and address material or activity that is unlawful or harmful (provided that the provider is not required to implement or build systemic weaknesses or vulnerabilities, build new decryption capability or render methods of encryption less effective)
  • More specific expectations, including:
    • Consult with the Commissioner on measures
    • Keep records of certain complaints for 5 years
    • Respond to requests from the Commissioner for various pieces of information, within 30 days

Enforceability of the Expectations

The Expectations are not themselves enforceable, and a failure to meet specific Expectations will not trigger penalties for non-compliance. However, while the Expectations are not directly enforceable, eSafety has several relevant powers under the Act which can be used to push providers towards compliance, including:

  • The power to require providers to report on how they are meeting any or all of the Expectations, either on a non-periodic or a periodic basis. The obligation to respond to a reporting notice is an enforceable obligation and is backed by civil penalties of up to AUD 111,000
  • The power to require reporting can either apply to specific providers or a determination may apply to a specified class of providers
  • The power to issue statements to providers about compliance and non-compliance with the Expectations and publish such statements, effectively "naming and shaming" those who do not meet expectations

eSafety's approach

The Regulatory Guidance indicates that eSafety intends to take a phased approach to compliance, with:

  • Phase 1 (from August 2022): non-periodic notices relating to specific Expectations and acute issues of particularly high harm, such as child exploitation and abuse
  • Phase 2 (from early 2023): periodic notices to begin tracking compliance with certain Expectations over time
  • Phase 3 (2023): expansion of the regular reporting required, provision of additional guidance, and the start of statements of compliance/non-compliance and potential use of reporting determinations

eSafety intends to try to give providers advance notice before issuing a reporting notice, although this may not always be possible. Providers should be aware that eSafety's default position is that information received from industry via reporting notices should be made public, where appropriate, in the interests of transparency and accountability, and any confidentiality claims must be clearly identified for eSafety's consideration.

eSafety expects that online service providers will review their policies, procedures and practices on a regular basis to ensure alignment with the Expectations.

Further guidance is anticipated from eSafety regarding eSafety's views on the various "reasonable steps" obligations.

Additionally, while the Expectations themselves are not enforceable in the normal way, industry codes of practice are under development which, if registered by eSafety (likely to be later this year), may impose more specific requirements on an even broader range of providers, and should be watched closely.

Please contact us if you require more information.

With thanks to Jack Chenoweth and Liz Grimwood-Taylor for their assistance in preparing this alert


Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.