The Online Safety Act 2021 (Act) establishes a regulatory framework to improve and promote the safety of Australians online. Given the rapidly evolving online landscape, a statutory review of the Act was conducted in 2024, resulting in the Report of the Statutory Review of the Online Safety Act 2021 (Report). The Report includes 67 recommendations designed to enhance the Act's effectiveness through a 'systems-based' approach – an approach that squarely places the burden on online platforms to protect against online harm.
If adopted by the Government, the recommended changes would significantly overhaul the way online safety is regulated in Australia. Under these proposed changes, the regulator would receive significantly more power to investigate, enforce and litigate breaches of the Act. The Report also recommends the introduction of an overarching duty of care, requiring online services to take reasonable steps to prevent foreseeable harm. The onus would be on big tech and social media companies to proactively mitigate harm to users. A breach of the duty of care would see online platforms face penalties of up to $50 million or 5% of global annual turnover.
In this post we've curated the Report's 67 recommendations and have summarised the key ones.
Key recommendations from the Report
1. Duty of Care
The Report recommends that an overarching legal obligation be placed on online service providers, such as social media platforms, to mitigate against online harm, and to efficiently identify and remediate harms when they emerge. This 'systems-based' approach – which puts the onus on the online platforms - aligns with the UK and EU approaches to online safety and will require online service providers to take reasonable steps to prevent foreseeable harms on their platforms.
The Report provides a list of broadly-drafted harms that would need to be covered in the duty of care, including harms to young people (including sexual exploitation and abuse), harms to mental and physical wellbeing (including attacks based on a person’s sex, gender, race, ethnicity, sexual orientation and others), threats to national security (including promotion of terrorism) and promotion of harmful practises (including self-harm, disordered eating and dares that could lead to grievous harm).
Online platforms with the greatest reach or risk will face even more stringent requirements, including to prepare risk assessments every 12 months; provide an annual transparency report and publish a summarised version on its website; have an independent, adequately-staffed compliance function that reports directly to senior management; and submit to audits by the regulator to ensure compliance with duty of care obligations.
The Report suggests that the online platforms likely to meet this higher 'reach or risk' threshold will be, at a minimum, the services used by more than 10% of the Australian population. This would include Facebook, Instagram, TikTok and X.
2. Establishment of an 'Online Safety Commission'
The Act is currently administered by a single regulator, known as the eSafety Commissioner. The Report recommends the introduction of a Commission model, akin to the Australian Communications and Media Authority (ACMA) and the Australian Competition and Consumer Commission (ACCC). The Report proposes that the Online Safety Commission should be comprised of a Chair, Deputy Chair and a Commissioner, with the potential for the Commission to have up to nine members.
3. Increased powers to the Commission
The Report recommends significantly enhancing the powers of the Commission, including to:
- create mandatory codes for the compliance with duty of care obligations;
- take proactive measures, including through its own investigations, to prevent online harm (rather than waiting to respond to complaints); and
- issue fines and penalties for non-compliance with the Act, including fines of up to $10 million if an online platform fails to respond to a removal notice.
4. Increased civil penalties for non-compliance
The Act currently sets a maximum penalty for offences at $782,500 for companies, which the Report finds is too low and out of step with comparable penalties in Ireland (€20 million), the EU (6% of annual global turnover) and the UK (£18 million). The Report recommends that, in order to be an effective deterrent, the maximum civil penalty be increased to $50 million or 5% of global turnover.
5. Mandatory Australian presence for overseas entities
While most overseas entities have cooperated with eSafety in the administration of the Act, the Report recommends that the Government consider the feasibility of requiring major online platforms to establish domestic legal presence in Australia as a condition of operating in the country. Failing this, the online services should be required to designate a point of contact to the regulator for the purposes of complying with the Act.
Implementing the recommendations: Next steps
The recommendations in the Report are under consideration by the Government, with the Government acknowledging that a measured and staged implementation of the recommendations is needed. The Report recommends that the Government prioritises the reforms that will provide the most substantial and immediate online safety protections, including in particular the duty of care and the establishment of the Online Safety Commission.
While there are no set timelines, the Government has already committed to legislate the online duty of care.
Please reach out to discuss how these recommendations could impact your organisation.
