EXPLANATORY STATEMENT

Issued by the eSafety Commissioner

Online Safety (Restricted Access Systems) Declaration 2022

Online Safety Act 2021

Purpose

The Online Safety (Restricted Access Systems) Declaration 2022 (the Declaration) has been made by the eSafety Commissioner (the Commissioner) under subsection 108(1) of the Online Safety Act 2021 (the Act).

Legislative provisions

Section 108(1) empowers the Commissioner to declare, by legislative instrument, that a specified access-control system is a restricted access system in relation to material for the purposes of the Act (RAS Declaration).

The Declaration specifies an access-control system as a restricted access system for ‘relevant class 2 material’ being the material covered by subparagraphs 107(1)(f), (g), (h), (i), (j), (k) and (l) of the Act. By way of summary, this material includes the following:

• a film (or the contents of a film) that has been classified as R 18+ by the Classification Board established by the Classification (Publications, Films and Computer Games) Act 1995 (Classification Board);
• a publication (or the contents of a publication) that has been classified as Category 1 restricted by the Classification Board;
• a computer game that has been classified as R 18+ by the Classification Board,
• a film, publication or computer game that has not been classified by the Classification Board, but if it were to be classified, would likely be classified in the relevant category mentioned above; and
• any other kind of material that, if it were to be classified by the Classification Board in a corresponding way to the way in which films are classified, would be likely to be classified as R 18+.

Restricted access systems are relevant to a number of the provisions of the Act relating to relevant class 2 material that is, or has been, provided on a social media service, relevant electronic service, or designated internet service (within the meaning of those terms in the Act). In particular:

• the Commissioner may investigate whether end-users in Australia can access relevant class 2 material, and if so, whether this access is subject to a restricted access system under section 42 (either on the Commissioner’s own initiative, or after a complaint under subsection 38(2));
• in certain circumstances, the Commissioner may give a provider of a service allowing access to relevant class 2 material a remedial notice requiring the provider to ensure that material is removed from the service or access to the material is subject to a restricted access system (subparagraph 119(1)(f)). These notices can only be issued where the service is provided from Australia (subparagraph 119(1)(e));
• in certain circumstances, the Commissioner may give a hosting service provider which hosts relevant class 2 material a remedial notice requiring the provider to ensure that the service ceases to host the material or access to the material is subject to a restricted access system (subparagraph 120(1)(g)). These notices can only be issued where the material is hosted in Australia (subparagraph 120(1)(f)); and
• if the Commissioner is satisfied that relevant class 2 material is not, or was not, subject to a restricted access system (among other things) on 2 or more occasions in the previous 12 months, the Commissioner may prepare and publish a statement to that effect (section 123A).

The purpose of a RAS Declaration is not to prevent access to relevant class 2 material (whether it is user-generated content or otherwise) via any platform, but to seek to ensure that:

• access to relevant class 2 material is limited to persons 18 years and over; and
• the methods used for limiting this access meet a minimum standard.

In making a RAS Declaration, the Commissioner must have regard to the following matters specified in subsection 108(4):

(a) the objective of protecting children from exposure to material that is unsuitable for children; and

(b) the extent to which the instrument would be likely to result in a financial or administrative burden on providers of the following services:

(i) social media services;

(ii) relevant electronic services;

(iii) designated internet services; and

(c) such other matters (if any) as the Commissioner considers relevant.

Other relevant matters may include regulatory policy considerations such as:

• addressing public interest considerations while not imposing unnecessary financial and administrative burdens on industry; and
• accommodating technological change; and
• encouraging the development of technologies and services.

Under subsection 108(5) of the Act, the Commissioner must ensure that a RAS Declaration is in force at all times after the commencement of section 108.

Background

Online Safety Reforms

Online content was previously regulated under Schedules 5 and 7 of the Broadcasting Services Act 1992 (BSA). Provisions regarding a restricted access system were contained in Schedule 7 of the BSA, including the requirement for a restricted access system declaration. The most recent declaration was put in place in 2014 (2014 RAS Declaration).

In the context of the Government’s online safety reform agenda, the Government developed the Act to consolidate online safety regulatory arrangements and update them in light of changes in the digital environment.

The Act contains an enhanced online content scheme. The relevant powers under Schedule 7 of the BSA, and the 2014 RAS Declaration, were repealed on commencement of the Act.

The Declaration

Following consultation with industry, the Commissioner has prepared the Declaration, which specifies an access-control system as a restricted access system for relevant class 2 material.

Relevant class 2 material includes content that is unsuitable for a minor to see, because it depicts:

• realistically simulated sexual activity between adults; 
• high impact nudity; 
• high impact violence; 
• high impact drug use; and
• high impact language.  

It should be noted that, while relevant class 2 material includes some pornographic content, the category captures a wider variety of content types.

The Declaration is not intended to capture materials or resources providing information or promoting awareness about sexuality, sex education or sexual health. When content is classified, a number of matters must be taken into account, including the literary, artistic or educational merit (if any), as well as the general character of the content, including whether it is of a medical, legal or scientific character.[1]

The Declaration adopts the same framework as the 2014 RAS Declaration. Like the 2014 RAS Declaration, the Declaration does not specify or prescribe technologies or processes to be used by service providers to determine age and restrict access to content.

Instead, the Declaration requires an application for access to relevant class 2 material, the giving of warnings and safety information relevant to the content, the taking of ‘reasonable steps’ to confirm the age of applicants and limiting access to relevant class 2 material. ‘Reasonable steps’ are to be determined by a service provider, with guidance contained in this Explanatory Statement.

This approach:

• achieves the objective of protecting children from exposure to unsuitable content without imposing unreasonable financial and administrative burdens on service providers;
• gives service providers the flexibility to implement measures to restrict access to content which reflect the nature of their platforms and services, their business models and technologies. This is important, given the diverse range of services covered by the relevant provisions of the Act;
• gives service providers the flexibility to implement measures to restrict access to content which reflect their size, capacity, capability and maturity. For example, a smaller service provider would not be expected to have the same practices in place as a larger service provider; and
• allows for advances in relevant technologies. A more prescriptive approach does not support the testing and introduction of new systems and technologies that can restrict access to content, and risks stifling innovation in this area.

Operation

In summary, the Declaration specifies an access-control system for relevant class 2 material by setting out the minimum requirements such a system must satisfy.

An access-control system must:

• require an application for access to the material, and a declaration from the applicant that they are at least 18 years of age; and
• provide warnings as to the nature of the material; and
• provide safety information for parents and guardians on how to control access to the material; and
• incorporate reasonable steps to confirm that an applicant is at least 18 years of age; and
• limit access to the content unless certain steps are complied with, which may include the use of a PIN.

Public Consultation

First phase of consultation

In formulating the Declaration, the Commissioner undertook a two-phase consultation process. The first phase involved the publication of a Restricted Access System Declaration (Online Safety Act 2021) Discussion Paper in August 2021, which invited feedback on the design of the new RAS Declaration. Responses to the issues raised in the Discussion Paper were due on 12 September 2021.

As well as publishing the Discussion Paper on the eSafety Commissioner’s website and requesting public submissions through a media release, the Commissioner invited a range of stakeholders to contribute their views. These included members of the digital services industry, industry groups advocating for Australian service providers and various digital rights groups.

31 submissions were received from industry, advocacy groups, and the general public. Key themes in the submissions included:

• the need to protect children from exposure to explicit content;
• the potential for a restricted access system to have a negative impact on access to educational material, including healthcare resources; and
• the need to provide flexibility so that restricted access systems can adapt to evolving and new technologies and allow for continuing innovation.

A number of submissions supported the implementation of a prescriptive RAS Declaration that sets out specific tools and technologies to restrict access to content. However, the majority of submissions recommended that the requirements of an access-control system be kept flexible to reflect the diversity of services covered by the relevant provisions of the Act, as well as the differences in service size, capability, capacity and maturity.

The relevant provisions of the Act apply to sole traders operating websites offering niche adult services, through to major social media companies with global resources. Members of industry and advocacy groups recommended that this spectrum of capabilities and resourcing lends itself to a flexible and non-prescriptive approach to system design that is proportionate to the size of the service.

Submissions also demonstrated that there is already an array of different tools and technologies that are employed by service providers to ensure that young people cannot access age-inappropriate material. A flexible restricted access system allows for industry to meet the legislative requirements in a way that is relevant to their business, the size of the service and its sophistication.

Overall, submissions supported a framework like the framework established under the Restricted Access System Declaration 2014.

Second phase of consultation

The draft Declaration and supporting explanatory statement, which were developed with reference to feedback received during the first phase of consultation, were released for public consultation in October 2021. Responses were due on 23 November 2021.

13 submissions were received from industry, advocacy groups and the general public.

Overall, the submissions were supportive of the drafting of the Declaration. While some submissions raised concerns that the Declaration placed too much responsibility on service providers to determine the ‘reasonable steps’ needed to confirm an applicant is at least 18 years of age, the majority of submissions supported the flexible approach taken in the Declaration. This approach allows businesses to incorporate age confirmation methods which are best suited to their operational requirements.

In response to feedback, section 7 of the Declaration has been amended to clarify that safety information can be provided via a link to this information on the relevant social media service, relevant electronic service, or designated internet service.

A common theme throughout the submissions was a need for a greater focus on the privacy implications of the Declaration. A number of submissions suggested that the Declaration itself should address privacy implications, for example, by noting that age verification methods should be privacy preserving and respectful of the data protection principle of data minimisation. Following consultation with the Office of the Australian Information Commissioner, additional information about best practice privacy considerations has been incorporated into this explanatory statement.

Regulation Impact Statement

The Office of Best Practice Regulation (OBPR) has determined that the regulatory proposal in the Declaration is minor in nature and has therefore verified that no further regulatory impact analysis is required – OBPR reference number 44734 (verification provided 13 October 2021).

Notes on sections

The provisions of the Declaration are described in Attachment 1.

Statement of Compatibility with Human Rights

Subsection 9(1) of the Human Rights (Parliamentary Scrutiny) Act 2011 requires the rule maker in relation to a legislative instrument to which section 42 (disallowance) of the Legislation Act 2003 applies to cause a statement of compatibility to be prepared in respect of that legislative instrument.

This statement has been prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

The Declaration is compatible with the human rights and freedoms recognised or declared in the international instruments listed in Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Human Rights Implications

The Declaration engages the right to freedom of expression.

Under the International Covenant on Civil and Political Rights, everyone is entitled to the right of freedom of expression, including the ‘freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media’ (see Article 19).

The Declaration engages the right to freedom of expression as it concerns seeking and receiving information through accessing online content. While the Declaration may restrict the freedom to expression as it concerns receiving this information, it does so in a proportionate manner, in accordance with clear legislative and policy intent of protecting children from exposure to content that is unsuitable for children (see section 108(4)(a) of the Act).

The Declaration is therefore consistent with Article 19 of the International Covenant on Civil and Political Rights, in that the obligation imposed by the Declaration, insofar as it may limit access to certain online content, reflects Parliament’s intention of protecting children from exposure to unsuitable content.

This Declaration also engages the prohibition on interference with privacy.

Under the International Covenant on Civil and Political Rights, no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks (see Article 17).

To the extent that the Declaration interferes with a person’s privacy, by requiring service providers to take steps to verify the age of an applicant, this restriction is provided by law, serves a legitimate objective and is not arbitrary.

As the explanatory statement makes clear, age confirmation methods should be privacy preserving to the extent possible, and a data minimisation approach should be taken to ensure that the only attribute being tested is the age of the applicant. Age confirmation does not involve identity verification. To the extent that the Declaration interferes with a person’s privacy, it does so in a reasonable, necessary and proportionate manner, in accordance with clear legislative and policy objective of protecting children from exposure to content that is unsuitable for children (see section 108(4)(a) of the Act).

The Declaration is therefore consistent with Article 17 of the International Covenant on Civil and Political Rights, in that the obligation imposed by the Declaration, insofar as it affects an individual’s right to privacy, reflects Parliament’s intention of protecting children from exposure to unsuitable content.

Best interests of the child

Article 3(1) of the Convention on the Rights of the Child provides that in all actions concerning children, the best interests of the child shall be a primary consideration. The principle requires legislative, administrative and judicial bodies to take active measures to protect children’s rights, promote their wellbeing and consider how children’s rights and interests are or will be affected by their decisions and actions.

The Declaration supports the best interests of the child by providing mechanisms so that children are protected from harmful online content.

Conclusion

The Declaration is compatible with human rights, and to the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate.

Attachment 1

NOTES ON SECTIONS

PART 1  PRELIMINARY

Section 1 – Name

Section 1 provides for the citation of the Declaration as the Online Safety (Restricted Access Systems) Declaration 2022.

Section 2 – Commencement

Section 2 provides that the Declaration commences on the later of the start of the day after the Declaration is registered, or on the commencement of the Act.

In accordance with section 4 of the Acts Interpretation Act 1901, the Declaration may be made before section 108 of the Act commences, but in that case it does not take effect until that section commences. Section 108, along with the rest of the Act, will commence on a day to be fixed by Proclamation, or the day after the period of 6 months after the Act received the Royal Assent. The Act received the Royal Assent on 23 July 2021. This means the Act will commence no later than 23 January 2022.

Section 3 – Authority

Section 3 notes that the authority for the Declaration is subsection 108(1) of the Act.

Section 4 – Definitions

Section 4 defines the terms used in the Declaration. The note to the section refers to terms that have the same meaning in the Declaration as in the Act.

PART 2  Restricted access systems for relevant class 2 material

Section 5 – Specified access-control systems for relevant class 2 material

Section 5 sets out the minimum requirements for an access-control system to be a specified as a restricted access system for the purpose of the Declaration.

Section 6 – Applying for access to relevant class 2 material

Under section 6, an access-control system must require an applicant seeking access to relevant class 2 material to apply for access either in writing, in electronic form or orally. This means that an applicant must take proactive steps to initiate the service (‘opt-in’).

The applicant must also provide a declaration, in writing or in electronic form, that they are 18 years or over.

Section 7 – Provision of warnings

The access-control system must provide warnings about the nature of relevant class 2 material that is being accessed, and must provide safety information, or a link to safety information, about how a parent or guardian may control access to such material by persons under 18.

This is consistent with the Government’s policy to enhance online safety for children, which aims to ensure parents and guardians have access to online safety information and advice to assist them in managing their family’s online experience.

Section 8 – Confirmation of age

Section 8(1) requires that, in providing access to relevant class 2 material, providers must do more than simply accept a declaration of age. An access-control system must include reasonable additional steps to confirm that the applicant is at least 18 years of age. The subsection is not prescriptive in this regard, and there is scope for providers to consider a range of age-confirmation methods.

Reasonable steps may be established by transaction type – use of a credit card where content is fee-based, for instance. Other reasonable steps might link the application process to an already-validated age-restricted platform, allow provision of other identity related information, or allow applicants to use a token generated during another age confirmation process.

In determining what reasonable steps may be required when confirming age, consideration should be given to the type and size of the relevant service, the size and composition of its user base in Australia, the type of content, as well as whether additional functionality, such as parental controls and metatags, are employed. Whereas a sole trader operating an adult website might implement a restricted access system using a credit card to confirm age (along with the other access-control steps prescribed by the instrument), more will likely be expected of a larger, better-resourced and more technically sophisticated service. Such services may be expected to employ multiple measures working in concert, rather than relying on a single method.

The flexibility in approach provides service providers with the ability to develop service-specific solutions that accord with their business practice, while continuing to give effect to the policy objective that persons under 18 years old cannot access relevant class 2 material. The flexibility recognises that new methods of age confirmation may be developed in the future, and allows industry to adopt new technological solutions as they become available.

Service providers must continue to comply with their obligations under applicable privacy laws, such as the Privacy Act 1988 (Cth), including taking reasonable steps to protect personal information they hold. Whether or not privacy laws apply, age confirmation methods should be privacy preserving to the extent possible. Importantly, a data minimisation approach should be taken to ensure the only attribute being tested is the age of the applicant. For the avoidance of doubt, age confirmation does not involve identity verification. Practical steps to protect privacy include collecting the minimum amount of personal information necessary to take reasonable steps to confirm age, implementing security measures for any information collected and not using information collected for age confirmation for other purposes.

Under subsection 8(2) an access-control system may provide access to relevant class 2 material if an applicant has previously submitted evidence that the person is at least 18 years of age to the relevant service provider (or to a person acting on behalf of the provider) without taking any further steps to confirm the applicant’s age. The submission of proof of age is not required to have been made in relation to the particular application for access to content, however the proof of age provided on an earlier occasion must be sufficient to satisfy the requirement that reasonable steps be taken to confirm that an applicant is at least 18 years of age. For example, a service provider may have the capacity to cross check other instances where a person may have submitted proof of age as in situations where age and identification are submitted for the establishment of an account.

Section 9 – Limiting access to relevant class 2 material

Section 9 describes the instances in which an access-control system may provide

access to relevant class 2 material.

Under paragraph 9(1)(a), an access-control system must not provide access to relevant class 2 material, unless:

• the applicant has applied for access (‘opted-in’) and made a declaration that they are at least 18 years of age; and
• the applicant has been provided with warning and safety information; and
• the access-control system has confirmed that the applicant is at least 18 years of age.

Under paragraph 9(1)(b) an access-control system may provide access to relevant class 2 material when an applicant has been provided with a Personal Identification Number (PIN) or some other means of limiting access, by which the access-control system can verify that the applicant:

• has previously applied for access (‘opted-in’) and made a declaration that they are at least 18 years of age;
• had their age confirmed by the access-control system; and
• has been provided with warning and safety information.

The phrase ‘other means of limiting access’ in section 9(1)(b) is to be interpreted broadly and may include any method a service provider designs that allows an access‑control system to uniquely recognise the applicant in question.

[1] See section 11 of the Classification (Publications, Films and Computer Games) Act 1995.