Online Safety (Basic Online Safety Expectations) Determination 2022
I, Paul Fletcher, Minister for Communications, Urban Infrastructure, Cities and the Arts, make the following determination.
Dated 20 January 2022
Paul Fletcher
Minister for Communications, Urban Infrastructure, Cities and the Arts
Contents
Part 1—Preliminary
1 Name
2 Commencement
3 Authority
4 Definitions
Part 2—Basic online safety expectations
Division 1—Purpose of this Part
5 Purpose of this Part
Division 2—Expectations regarding safe use
6 Expectations—provider will take reasonable steps to ensure safe use
7 Expectations—provider will consult with Commissioner and refer to Commissioner’s guidance in determining reasonable steps to ensure safe use
8 Additional expectation—provider will take reasonable steps regarding encrypted services
9 Additional expectation—provider will take reasonable steps regarding anonymous accounts
10 Additional expectation—provider will consult and cooperate with other service providers to promote safe use
Division 3—Expectations regarding certain material and activity
11 Core expectation—provider will take reasonable steps to minimise provision of certain material
12 Core expectation—provider will take reasonable steps to prevent access by children to class 2 material
Division 4—Expectations regarding reports and complaints
13 Expectations—provider will ensure mechanisms to report and make complaints about certain material
14 Additional expectations—provider will ensure service has terms of use, certain policies etc.
15 Expectations—provider will ensure service has mechanisms to report and make complaints about breaches of terms of use
16 Additional expectation—provider will make accessible information on how to complain to Commissioner
Division 5—Expectations regarding making certain information accessible
17 Additional expectation—provider will make information on terms of use, policies and complaints etc. accessible
18 Additional expectation—provider will provide updates about changes in policies, terms and conditions etc.
Division 6—Expectations regarding record keeping
19 Additional expectation—provider will keep records regarding certain matters
Division 7—Expectations regarding dealings with the Commissioner
20 Expectations—provider will provide requested information to the Commissioner
21 Additional expectations—provider will have designated contact point
Part 1—Preliminary
1 Name
This instrument is the Online Safety (Basic Online Safety Expectations) Determination 2022.
2 Commencement
(1) Each provision of this instrument specified in column 1 of the table commences, or is taken to have commenced, in accordance with column 2 of the table. Any other statement in column 2 has effect according to its terms.
Commencement information
Column 1 | Column 2 | Column 3 |
Provisions | Commencement | Date/Details |
1. The whole of this instrument. | The day after this instrument is registered. | |
Note: This table relates only to the provisions of this instrument as originally made. It will not be amended to deal with any later amendments of this instrument.
(2) Any information in column 3 of the table is not part of this instrument. Information may be inserted in this column, or information in it may be edited, in any published version of this instrument.
3 Authority
This instrument is made under section 45 of the Online Safety Act 2021.
4 Definitions
In this instrument:
Act means the Online Safety Act 2021.
Part 2—Basic online safety expectations
Division 1—Purpose of this Part
5 Purpose of this Part
For the purposes of subsections 45(1), (2) and (3) of the Act, this Part specifies the basic online safety expectations for the following:
(a) a social media service;
(b) a relevant electronic service of any kind;
(c) a designated internet service of any kind.
Note: Subsections 6(1) and 7(1), section 11, subsections 12(1), 13(1) and 15(1), and section 20 of this instrument are made in accordance with subsection 46(1) of the Act (core expectations).
Division 2—Expectations regarding safe use
6 Expectations—provider will take reasonable steps to ensure safe use
Core expectation
(1) The provider of the service will take reasonable steps to ensure that end-users are able to use the service in a safe manner.
Additional expectation
(2) The provider of the service will take reasonable steps to proactively minimise the extent to which material or activity on the service is unlawful or harmful.
Examples of reasonable steps that could be taken
(3) Without limiting subsection (1) or (2), reasonable steps for the purposes of this section could include the following:
(a) developing and implementing processes to detect, moderate, report and remove (as applicable) material or activity on the service that is unlawful or harmful;
(b) if a service or a component of a service (such as an online app or game) is targeted at, or being used by, children (the children’s service)—ensuring that the default privacy and safety settings of the children’s service are robust and set to the most restrictive level;
(c) ensuring that persons who are engaged in providing the service, such as the provider’s employees or contractors, are trained in, and are expected to implement and promote, online safety;
(d) continually improving technology and practices relating to the safety of end-users;
(e) ensuring that assessments of safety risks and impacts are undertaken, and safety review processes are implemented, throughout the design, development, deployment and post-deployment stages for the service.
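7 Expectations—provider will consult with Commissioner and refer to Commissioner’s guidance in determining reasonable steps to ensure safe use
Core expectation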
(1) In determining what are reasonable steps for the purposes of subsection 6(1), the provider of the service will consult the Commissioner.
Additional expectation
(2) In addition, in determining what are reasonable steps for the purposes of subsection 6(1), the provider of the service will have regard to any relevant guidance material made available by the Commissioner.
Note: The Commissioner may, from time to time, publish specific guidance issued to all service providers. Guidance material published by the Commissioner may include information disclosed to it under subsection 7(2), but will not include information that is commercial-in-confidence or which the disclosing provider does not consent to being published.
8 Additional expectation—provider will take reasonable steps regarding encrypted services
(1) If the service uses encryption, the provider of the service will take reasonable steps to develop and implement processes to detect and address material or activity on the service that is unlawful or harmful.
(2) Subsection 8(1) does not require the provider of the service to undertake steps that could do the following:
(a) implement or build a systematic weakness, or a systematic vulnerability, into a form of encrypted service;
(b) build a new decryption capability in relation to encrypted services; or
(c) render methods of encryption less effective.
9 Additional expectation—provider will take reasonable steps regarding anonymous accounts
Additional expectation
(1) If the service permits the use of anonymous accounts, the provider of the service will take reasonable steps to prevent those accounts being used to deal with material, or for activity, that is unlawful or harmful.
Examples of reasonable steps that could be taken
(2) Without limiting subsection (1), reasonable steps for the purposes of that subsection could include the following:
(a) having processes that prevent the same person from repeatedly using anonymous accounts to post material, or to engage in activity, that is unlawful or harmful;
(b) having processes that require verification of identity or ownership of accounts.
10 Additional expectation—provider will consult and cooperate with other service providers to promote safe use
Additional expectation
(1) The provider of the service will take reasonable steps to consult and cooperate with providers of other services to promote the ability of end-users to use all of those services in a safe manner.
Examples of reasonable steps that could be taken
(2) Without limiting subsection (1), reasonable steps for the purposes of that subsection could include the following:
(a) working with other service providers to detect high volume, cross-platform attacks (also known as volumetric or ‘pile-on’ attacks);
(b) sharing information with other service providers on material or activity on the service that is unlawful or harmful, for the purpose of preventing and dealing with such material or activity.
Division 3—Expectations regarding certain material and activity
11 Core expectation—provider will take reasonable steps to minimise provision of certain material
The provider of the service will take reasonable steps to minimise the extent to which the following material is provided on the service:
(a) cyber-bullying material targeted at an Australian child;
(b) cyber-abuse material targeted at an Australian adult;
(c) a non-consensual intimate image of a person;
(d) class 1 material;
(e) material that promotes abhorrent violent conduct;
(f) material that incites abhorrent violent conduct;
(g) material that instructs in abhorrent violent conduct;
(h) material that depicts abhorrent violent conduct.
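12 Core expectation—provider will take reasonable steps to prevent access by children to class 2 material
Core expectation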
(1) The provider of the service will take reasonable steps to ensure that technological or other measures are in effect to prevent access by children to class 2 material provided on the service.
Examples of reasonable steps that could be taken
(2) Without limiting subsection (1) of this section, reasonable steps for the purposes of that subsection could include the following:
(a) implementing age assurance mechanisms;
(b) conducting child safety risk assessments.
Division 4—Expectations regarding reports and complaints
13 Expectations—provider will ensure mechanisms to report and make complaints about certain material
Core expectation
(1) The provider of the service will ensure that the service has clear and readily identifiable mechanisms that enable end‑users to report, and make complaints about, any of the following material provided on the service:
(a) cyber‑bullying material targeted at an Australian child;
(b) cyber‑abuse material targeted at an Australian adult;
(c) a non‑consensual intimate image of a person;
(d) class 1 material;
(e) class 2 material;
(f) material that promotes abhorrent violent conduct;
(g) material that incites abhorrent violent conduct;
(h) material that instructs in abhorrent violent conduct;
(i) material that depicts abhorrent violent conduct.
Additional expectation
(2) The provider of the service will ensure that the service has clear and readily identifiable mechanisms that enable any person ordinarily resident in Australia to report, and make complaints about, any of the following material provided on the service:
(a) cyber‑bullying material targeted at an Australian child;
(b) cyber‑abuse material targeted at an Australian adult;
(c) a non‑consensual intimate image of a person;
(d) class 1 material;
(e) class 2 material;
(f) material that promotes abhorrent violent conduct;
(g) material that incites abhorrent violent conduct;
(h) material that instructs in abhorrent violent conduct;
(i) material that depicts abhorrent violent conduct.
14 Additional expectations—provider will ensure service has terms of use, certain policies etc.
(1) The provider of the service will ensure that the service has:
(a) terms of use; and
(b) policies and procedures in relation to the safety of end-users; and
(c) policies and procedures for dealing with reports and complaints mentioned in section 13 or 15; and
(d) standards of conduct for end-users (including in relation to material that may be posted using the service by end-users, if applicable), and policies and procedures in relation to the moderation of conduct and enforcement of those standards.
Note 1: See section 17 in relation to making this information accessible to end-users.
Note 2: For paragraph (b), the policies and procedures might deal with the protection, use and selling (if applicable) of end users’ personal information.
(2) The provider of the service will take reasonable steps to ensure that penalties for breaches of its terms of use are enforced against all accounts held or created by the end-user who breached the terms of use of the service.
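15 Expectations—provider will ensure service has mechanisms to report and make complaints about breaches of terms of use
Core expectation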
(1) The provider of the service will ensure that the service has clear and readily identifiable mechanisms that enable end‑users to report, and make complaints about, breaches of the service’s terms of use.
Additional expectation
(2) The provider of the service will ensure that the service has clear and readily identifiable mechanisms that enable any person ordinarily resident in Australia to report, and make complaints about, breaches of the service’s terms of use.
16 Additional expectation—provider will make accessible information on how to complain to Commissioner
The provider of the service will ensure that information and guidance on how to make a complaint to the Commissioner, in accordance with the Act, about any of the material mentioned in section 13 provided on the service, is readily accessible to end-users.
Division 5—Expectations regarding making certain information accessible
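17 Additional expectation—provider will make information on terms of use, policies and complaints etc. accessible
(1) The provider of the service will ensure that the information specified in subsection (2) is: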
(a) readily accessible to end-users; and
(b) in relation to the information mentioned in paragraph (2)(b)—accessible at all points in the end-user experience, including, but not limited to, point of purchase, registration, account creation, first use and at regular intervals (as applicable); and
(c) regularly reviewed and updated; and
(d) written in plain language.
(2) For the purposes of subsection (1), the information is the following:
(a) the terms of use, policies and procedures and standards of conduct mentioned in section 14;
(b) information regarding online safety and parental control settings, including in relation to the availability of tools and resources published by the Commissioner.
18 Additional expectation—provider will provide updates about changes in policies, terms and conditions etc.
The provider of the service will ensure that end-users receive updates written in plain language in relation to changes in the information specified in subsection 17(2), including through targeted in-service communications.
Division 6—Expectations regarding record keeping
19 Additional expectation—provider will keep records regarding certain matters
The provider of the service will keep records of reports and complaints about the material mentioned in section 13 provided on the service for 5 years after the making of the report or complaint to which the record relates.
Division 7—Expectations regarding dealings with the Commissioner
20 Expectations—provider will provide requested information to the Commissioner
Core expectations
(1) If the Commissioner, by written notice given to the provider of the service, requests the provider to give the Commissioner a statement that sets out the number of complaints made to the provider during a specified period (not shorter than 6 months) about breaches of the service’s terms of use, the provider will comply with the request within 30 days after the notice of request is given.
(2) If the Commissioner, by written notice given to the provider of the service, requests the provider to give the Commissioner a statement that sets out, for each removal notice given to the provider during a specified period (not shorter than 6 months), how long it took the provider to comply with the removal notice, the provider will comply with the request within 30 days after the notice of request is given.
(3) If the Commissioner, by written notice given to a provider of the service, requests the provider to give the Commissioner specified information relating to the measures taken by the provider to ensure that end‑users are able to use the service in a safe manner, the provider will comply with the request within 30 days after the notice of request is given.
Additional expectation
(4) If the Commissioner, by written notice given to a provider of the service, requests the provider to give the Commissioner a report on the performance of online safety measures that relevant providers have announced publicly or reported to the Commissioner, the provider will comply with the request within 30 days after the notice of request is given.
21 Additional expectations—provider will have designated contact point
(1) The provider of the service will ensure that there is an individual who is:
(a) an employee or agent of the provider; and
(b) designated as the service’s contact point for the purposes of the Act.
(2) The provider will ensure that the following contact details of the contact point are notified to the Commissioner:
(a) an email address; and
(b) a phone number or voice chat address.
(3) If there is a change to the identity or contact details of the individual designated as the service’s contact point for the purposes of the Act, the provider will give the Commissioner written notice of the change within 14 days after the change.