Australia moves on online safety

The eSafety Commissioner has issued a decision on proposed industry codes of practice under Australian online safety laws, which has significant implications for all companies operating online services in Australia.

In brief

Today marks a significant milestone in the roll-out of Australia's online safety regime, which has quickly become one of Australia’s most significant and rapidly developing areas of law for those in the online space.

Various obligations will be imposed on a range of industry participants, through the registration of five industry codes of practice (Codes) under the Online Safety Act 2021 (Cth) (Act) by Australia's eSafety Commissioner (eSafety) with eSafety intending to determine industry standards (Standards) in relation to two other areas of online services.

We are now taking expressions of interest for our upcoming Online Safety seminar, please register your interest here.

Key takeaways

Five Codes (of the eight submitted by the industry associations responsible for Code development) will become registered under the Act covering providers of each of the following:

  • social media services, so far as they are provided to end-users in Australia;
  • app distribution services, so far as they are provided to end-users in Australia;
  • hosting services, so far as they host material in Australia; and
  • internet carriage services, so far as they are provided to customers in Australia;

as well as persons who:

  • manufacture, supply, maintain or install equipment used by end-users in Australia in connection with online services or internet carriage services.

The Codes aim to establish appropriate safeguards for the community, by requiring providers to adopt various compliance measures in relation to child sexual exploitation material, pro-terror material, extreme crime and violence material, crime and violence material, and drug-related material (together, class 1A and class 1B materials).

Copies of the Codes that were submitted to eSafety are available here. It is anticipated that final versions of each will be made available on registration.

In addition to the above, eSafety has asked that the relevant industry associations revert with a revised search engine services Code, for eSafety's further review and potential registration. This request is driven by a desire for this Code to address recently announced developments in generative AI.

Two other Codes submitted to eSafety for registration will not be registered, and eSafety will instead move to determine Standards  applicable to providers of:

  • relevant electronic services (messaging services of various kinds, including email, SMS, MMS, chat, instant messaging and various online games); and
  • designated internet services (covering a broad range of websites and apps not otherwise captured).

As these are the two broadest categories of service, the move towards Standards for these categories is significant.

Online industry participants to whom any of the registered Codes will apply will enter a transitional period upon registration, during which relevant compliance measures must be adopted before the Codes take effect.

All businesses with an online presence in Australia should be aware of what these developments mean for them and their obligations under the Act.

Next steps

The soon to be registered Codes form part of a set of Consolidated Industry Codes of Practice for the Online Industry, Phase 1 (class 1A and class 1B material). Each is governed by a common set of Head Terms.

All industry participants covered by registered Codes will need to identify and adopt reasonable compliance measures in accordance with those Head Terms. Compliance measures are structured around a set of online safety objectives and outcomes which are grouped in three overarching categories:

  1. measures with the objective of taking reasonable and proactive steps to create and maintain a safe online environment for end-users in Australia;
  2. measures empowering end-users in Australia to manage access and exposure to class 1A and class 1B material; and
  3. measures strengthening transparency of, and accountability for, class 1A and class 1B material.

Broadly, industry participants will need to take the following steps:

  • Step 1: Assess and determine which Code applies to each of their services or devices and then, in each case, how the service/device is categorised under the applicable Code. In some instances, this will require the provider to conduct a risk assessment in order to determine the risk profile of a service.
  • Step 2: For each subcategory of services/devices covered by a Code, adopt a set of mandatory minimum compliance measures. For many subcategories these are wide ranging but examples include:
    • requirements for some social media services to proactively detect and remove some forms of content;
    • requirements for many service categories to notify appropriate entities (e.g., law enforcement) of some forms of harmful content;
    • broad requirements relating to creating, implementing and documenting various systems, processes and procedures including with respect to users who breach content requirements;
    • governance requirements;
    • requirements relating to documentation such as terms of use and acceptable use policies;
    • requirements relating to user features and user information; and
    • broad reporting obligations for many service categories.
  • Step 3: Consider adopting optional compliance measures contained in a Code. The question of whether to adopt any such measures must be considered in light of a test set out in the Head Terms.
  • Step 4: Lastly, consider whether there are any other compliance measures that should reasonably be adopted – again, by applying a test set out in the Head Terms.

There will be a six month transition period from the date of registration before the Codes take effect. An additional six months may be available to industry participants who have reasonable grounds for not being fully compliant (such as where significant engineering or system changes are required to comply with the Codes), provided that it can be demonstrated that the relevant provider is working to achieve compliance on such issues within that timeframe.

After this transitional period, any failure to comply with the Codes may result in enforcement action in the form of a warning or, where issues are not addressed, potential civil penalties or other more significant enforcement action under the Act.

For those industry sections that will be moving to Standards (relevant electronic services and designated internet services) providers should anticipate draft Standards being made available for public comment in the coming months.


As outlined in our prior alerts, the Act was passed on 23 June 2021 and commenced on 23 January 2022. Please view our articles (here, here, and here) for further details regarding the Act.

In short, the Act was a significant overhaul of Australia's online safety laws, with changes including the broadening of eSafety's powers, the expansion and consolidation of various regulatory schemes for  removal of certain harmful materials such as harms relating to cyber-abuse of adults, cyber-bullying of children, and image-based abuse, as well as illegal and restricted materials under an Online Content Scheme.  The Online Content Scheme also provided for the development of Codes by industry associations or, alternatively the development of Standards by eSafety, for eight sections of the online industry.

Since the Act was passed, relevant developments have included:

  • September 2021: eSafety published a Position Paper which set out its policy positions regarding the Codes.
  • 11 April 2022: eSafety issued notices to six industry associations, requesting the development of Codes for class 1A and class 1B material, under section 141 of the Act.  Further Codes for class 1C and class 2 material were anticipated at a later date.
  • 18 November 2022: Draft Codes were submitted to eSafety for potential registration.
  • 9 February 2023: eSafety provided its preliminary views that the draft Codes failed to deliver appropriate community safeguards as required under the Act and invited industry associations to revise and resubmit draft Codes to address eSafety’s concerns.
  • 31 March 2023: Revised Codes were resubmitted to eSafety for potential registration.

eSafety's decision means that significant compliance work will need to be undertaken by many organisations covered by the registered Codes within the next six months.

* * * * *

If you have any questions on how these changes may impact you, please contact a Baker McKenzie representative. 

Thank you to Kelly Choo for her assistance in preparing this alert.


Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.