Selected cases

Federal Court of Australia · [2026] FCA 629

eSafety Commissioner v X Corp

A Federal Court online-safety penalty case about a deficient platform reporting response, regulator notices and confidentiality for...

Federal Court of Australia21 May 2026

Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.

Get legal help

Start here

Quick read

  • Platform safety obligations can require detailed regulator reporting, not just internal moderation effort.
  • A Federal Court online-safety penalty case about a deficient platform reporting response, regulator notices and confidentiality for safety-system information.

Use this to check

  • Regulator notices often require information in a specified manner and form, not just a broad response.
  • Mergers and restructures do not necessarily make platform reporting obligations disappear.
  • Sensitive safety-system information may be protected from public inspection while still being provided to the regulator.

Decision snapshot

  1. What happened

    • The eSafety Commissioner issued Twitter, Inc with a non-periodic reporting notice under the Online Safety Act requiring a report by 29 March 2023 about compliance with basic online safety expectations concerning child sexual exploitation and abuse material and activity.
    • Twitter, Inc then merged into X Corp.
    • X Corp provided a report on 29 March 2023, but the Commissioner identified deficiencies, including questions that were not answered or lacked required detail.
    • X Corp supplied a supplementary response on 5 May 2023 and admitted that its original response was not prepared in the manner and form required by the notice to the extent it was capable of doing so.
  2. What the court had to decide

    • The Federal Court had to decide whether to grant declarations, a civil penalty, costs and confidentiality orders after X Corp admitted contravening section 57 of the Online Safety Act.
    • The issues included the appropriateness of the agreed $650,000 penalty, the deterrence function of reporting obligations and whether confidential annexures about detection and prevention systems should be restricted from public inspection.
  3. What the court decided

    • The Court declared that X Corp contravened section 57 between 29 March 2023 and 5 May 2023, ordered it to pay a $650,000 penalty and $100,000 toward the Commissioner's costs, and made confidentiality orders restricting inspection of annexures containing sensitive information about systems used to detect and prevent child sexual exploitation and abuse...

Practical impact

Practical read

  • Platform safety obligations can require detailed regulator reporting, not just internal moderation effort.
  • If a notice asks for information in a specified form, a partial or differently structured response can still be a contravention.

Useful next steps

  • Regulator notices often require information in a specified manner and form, not just a broad response.
  • Mergers and restructures do not necessarily make platform reporting obligations disappear.
  • Sensitive safety-system information may be protected from public inspection while still being provided to the regulator.
  • Online platforms should treat safety reporting as a governance workflow with legal, product and technical owners.
  • Assign formal regulator notices to one accountable owner with a deadline and evidence checklist.

Practical read

This case is important for digital platforms, marketplaces, social apps and any business operating a user-generated content environment. The issue was not simply whether X had safety systems. The Court focused on compliance with a formal reporting notice. The notice asked for a report in a particular manner and form, and the admitted problem was that the response did not meet that requirement by the deadline.

The judgment also shows why online safety compliance is becoming operational governance. A platform may need to answer regulator questions about safety expectations, complaints, detection systems, sensitive material and internal controls. Some information may be confidential because publishing it could help bad actors avoid safety systems, but confidentiality does not remove the reporting duty.

For smaller digital businesses, the lesson is to build a regulator-response playbook early. Know who owns notices, who gathers product and trust-and-safety data, who checks completeness, who signs off sensitive security material, and how the business records why it can or cannot answer a question. A late or incomplete answer can carry real penalty risk.

Checks to run

Key points

  • Assign formal regulator notices to one accountable owner with a deadline and evidence checklist.
  • Break each notice question into required data, narrative explanation and sign-off owner.
  • Document why any requested information cannot be provided in the requested form.
  • Protect sensitive safety and cybersecurity detail while still meeting regulator obligations.
  • Update regulator-response playbooks after mergers, product restructures or entity changes.

Key takeaways

  • Regulator notices often require information in a specified manner and form, not just a broad response.
  • Mergers and restructures do not necessarily make platform reporting obligations disappear.
  • Sensitive safety-system information may be protected from public inspection while still being provided to the regulator.
  • Online platforms should treat safety reporting as a governance workflow with legal, product and technical owners.

Related topics

How Sprintlaw can help