Online Safety Act 2021 (Cth)

The Online Safety Act 2021 (Cth) creates a broad Australian framework for harmful online content, online service regulation and eSafety Commissioner enforcement. It can affect businesses that run social media, messaging, forums, marketplaces, hosting or other services with user interaction or user-generated content. The Act covers complaints, removal and blocking powers, basic online safety expectations, industry codes and standards, and the newer social media minimum age framework. Businesses should check service definitions, notice handling processes, privacy settings and current amendments before relying on the law.

In force | Commonwealth | Plain-English guide | 7 key obligations

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.

The framework of the Act

The Online Safety Act 2021 (Cth) is the main Commonwealth law dealing with a range of harmful online content and online service obligations in Australia. It establishes the eSafety Commissioner, sets up complaint and investigation pathways, and gives the Commissioner powers to issue notices and take enforcement action.

The Act is structured around several practical areas. These include complaints about cyber-bullying material targeted at an Australian child, complaints and objections relating to intimate images, complaints about cyber abuse material targeted at an Australian adult, blocking and removal tools for serious harmful material, an online content scheme for class 1 and class 2 material, and a framework for industry codes, industry standards and service provider determinations. It also includes enforcement powers, information-gathering powers, investigative powers and review mechanisms.

For businesses, the key point is that the Act is not only about one-off takedown requests. It creates an ongoing compliance environment for online services, especially where users can communicate, upload, post, share, stream, link to or otherwise make material available online.

Who is in scope

The Act uses specific service categories. The table of contents and definitions section show that it deals with social media services, relevant electronic services, designated internet services, hosting services, on-demand program services, internet service providers and the supply of internet carriage services to the public. The exact category matters because different notice powers and obligations apply to different providers.

In practical terms, a business should not assume it is outside the Act just because it is small or because online interaction is only one feature of the product. A customer forum, review page, in-app chat, member discussion board, creator upload tool, marketplace listing function or community feed may be enough to require a proper scope check.

The Act also contains provisions about when material is provided on a social media service, relevant electronic service or designated internet service, when material is posted by an end user, and when material is removed. Those concepts are important because many complaint and notice powers depend on whether the material is treated as being on one of those services.

Covered services and trigger points

The Act's practical trigger points usually arise when harmful material is posted, shared, hosted or made available through a covered service, or when a provider is subject to a reporting, information or compliance requirement. The legislation specifically deals with several content and conduct categories.

First, there are complaint pathways for cyber-bullying material targeted at an Australian child and cyber abuse material targeted at an Australian adult. Second, there are complaint and objection mechanisms for intimate images, including removal notice powers and a prohibition on posting an intimate image without consent. Third, there are blocking request and blocking notice powers for material that depicts abhorrent violent conduct. Fourth, the online content scheme deals with class 1 material and class 2 material, including removal notices, remedial notices, link deletion notices and app removal notices.

Separate from those content-specific pathways, the Act also supports broader regulatory settings. These include basic online safety expectations, periodic and non-periodic reporting about compliance with those expectations, industry codes, industry standards, service provider determinations and Federal Court orders in some circumstances.

For a business owner, the practical lesson is that obligations can be triggered by both the content on the service and the provider's systems, policies and responses. A business may need to act because of a user complaint, an objection notice, a Commissioner investigation, a reporting notice, a code or standard applying to its industry section, or a direct notice about content or accounts.

Obligations in practice

The Act does not impose one identical checklist on every online business. Instead, obligations depend on the service type, the kind of material involved, and whether a notice, code, standard or determination applies. Even so, there are some practical compliance themes that most covered businesses should expect.

You need a workable way to identify what service you are operating under the Act and what kinds of user activity occur on it. You need internal processes for receiving and escalating complaints or objections. You need moderation and takedown capability that matches the risks of the service. You need to preserve records and be able to respond to information requests. And if your service may fall within the social media minimum age framework, you need to assess account creation controls and privacy settings carefully.

The Act also shows that compliance is not only about removing content after the fact. Basic online safety expectations and the code and standards framework point to a broader governance approach. Businesses should think about product design, user rules, reporting channels, escalation pathways, staffing, training and audit trails as part of ordinary operations.

Basic online safety expectations, codes and standards

Part 4 of the Act deals with basic online safety expectations. It also includes periodic and non-periodic reporting mechanisms about compliance with those expectations. This means some providers may be required not only to have safety systems, but also to report on them when required.

Part 9 also contains a detailed framework for industry codes and industry standards. The Act refers to sections of the online industry and participants in a section of the online industry. It allows for registration of industry codes, requests for codes, replacement of codes, compliance obligations, and formal warnings for breaches. If codes are not made or are inadequate, the Commissioner may determine an industry standard. Industry standards prevail over inconsistent industry codes.

There is also a framework for service provider determinations and compliance with service provider rules. For businesses, this means the Act should be read together with any subordinate instruments or registered industry requirements that apply to your part of the market. A business may be compliant with its own internal policy but still fall short if an applicable code, standard or determination requires more.

Complaints, removal notices and blocking powers

The Act gives the eSafety Commissioner several pathways to respond to harmful material. Depending on the part of the Act, notices may be directed to providers of social media services, relevant electronic services, designated internet services, hosting service providers, end users, app distribution services or others.

For cyber-bullying material targeted at an Australian child, the Act includes removal notices to service providers and hosting service providers, as well as end user notices. For non-consensual intimate images, the Act includes removal notices, formal warnings and remedial directions. For cyber abuse material targeted at an Australian adult, the Act again includes removal notices and formal warnings. For material depicting abhorrent violent conduct, the Act provides for blocking requests and blocking notices. Under the online content scheme, the Act provides for removal notices, remedial notices, link deletion notices and app removal notices.

If your business receives one of these notices, the first steps are practical and immediate. Identify the exact service and content involved, preserve records, confirm who in the business has authority to act, and work through the current legal requirements for compliance. Delay, confusion between teams, or poor recordkeeping can turn a content issue into an enforcement issue.

Social media minimum age and privacy controls

The Act now includes Part 4A on social media minimum age. This is a significant addition for platform providers. The Part includes an object provision, a definition of age-restricted social media platform, a civil penalty provision for failing to take reasonable steps to prevent age-restricted users having accounts, and a delayed effect provision for that requirement.

The same Part also includes privacy-related rules. It refers to information that must not be collected, the use of certain identification material and services, and information collected for purposes including taking reasonable steps to comply with age restriction. This means businesses should not treat age assurance as a purely technical problem. The compliance design must also account for what information can and cannot be collected and how it is handled.

If your service may be an age-restricted social media platform, you should check three things carefully when confirming the current position. First, whether your service falls within the statutory concept in section 63C. Second, whether the requirement to take reasonable steps has taken effect for your service, given the delayed effect provision in section 63E. Third, whether your age-checking process is consistent with the privacy rules in sections 63DA, 63DB and 63F.

Enforcement tools and business risk

Part 10 of the Act deals with enforcement. It includes civil penalty provisions, infringement notices, enforceable undertakings and injunctions. Elsewhere in the Act, there are also formal warning provisions attached to many notice and compliance pathways, as well as powers for Federal Court orders requiring a person to cease providing certain services or cease supplying an internet carriage service in specified circumstances.

There are also substantial information-gathering and investigative powers. The Act includes powers to obtain information about compliance with the social media minimum age framework, powers to obtain end user identity information or contact details, and powers relating to examinations and production of documents. For businesses, this means compliance is not limited to content moderation. Governance, records, internal accountability and legal response capability matter as well.

Operationally, the main risks are usually these: not understanding that the service is covered, not having a clear owner for notice handling, not being able to act quickly on harmful content, and not keeping enough records to show what happened and why. Those failures can increase both legal exposure and reputational damage.

Dates and status

The Act is in force. The current compilation referred to here is Compilation No. 3, with a compilation date of 11 December 2024, and it includes amendments made by Act No. 127 of 2024. The compilation notes also state that uncommenced amendments are not shown in the text of the compiled law.

That matters in practice. If your business is checking a live compliance issue, especially around the social media minimum age framework or any penalty-linked provision, you should confirm whether there have been later amendments, commencement events, legislative rules, registered industry codes, industry standards or service provider determinations affecting your position.

Businesses should also remember that the Act interacts with other laws and frameworks. The legislation itself notes relationships with the Broadcasting Services Act 1992 and the Telecommunications Act 1997, and it preserves concurrent operation of State and Territory laws in some areas. A full compliance review may therefore need to look beyond this Act alone.

Plain-English glossary

Online service
A broad category that can include social media, messaging, hosting and other internet services depending on the feature set.

eSafety notice
A notice from the eSafety Commissioner requiring action in relation to certain online safety matters.

Common questions

Does this apply to a normal business website?

A simple brochure site is usually lower risk. Interactive services, user accounts, comments, messaging or community features need closer review.

Is a terms-of-use page enough?

No. Terms help, but the product also needs workable reporting, moderation and escalation processes.
