Basic Online Safety Expectations

The Basic Online Safety Expectations are a key element of the Online Safety Act.

They articulate the Government’s robust expectations for social media services, messaging services, gaming services and other apps and sites accessible from Australia, with a focus on making sure these services take reasonable steps to keep Australians safe.

The Minister for Communications, Urban Infrastructure, Cities and the Arts establishes the expectations through a legislative instrument called a determination. 

You can find the Online Safety (Basic Online Safety Expectations) Determination 2022 and an explanatory statement through the Federal Register of Legislation at legislation.gov.au.

eSafety has the power to require services to report on how they are meeting any or all of the expectations. The obligation to respond to a reporting requirement is enforceable and backed by civil penalties and other enforcement mechanisms. eSafety can also publish statements about the extent to which services are meeting the expectations.

We believe this has great potential to help improve safety standards, and to bring greater accountability to services whose transparency to date has been highly selective and uneven.

On this page:

Core expectations in the Online Safety Act

The Online Safety Act specifies the core expectations that must be included in the determination to create safer online environments for Australians. The following is a summary.

Expectations regarding safe use

The provider of a service will:

  • take reasonable steps to make sure end-users can use the service in a safe manner, and
  • consult the Commissioner in determining what are such reasonable steps.

Expectations regarding certain material and activity

The provider of a service will take reasonable steps to:

  • minimise the extent to which the following material is provided on the service:
    • cyberbullying material targeted at an Australian child
    • adult cyber abuse material targeted at an Australian who is 18 or older
    • a non-consensual intimate image of a person
    • class 1 material
    • material that promotes, incites, instructs in or depicts abhorrent violent conduct
  • make sure technological or other measures are in effect to prevent access by children to class 2 material provided on the service.

Expectations regarding reports and complaints

The provider of a service will make sure the service has clear and readily identifiable mechanisms that enable end-users to report and make complaints about:

  • any of the following material provided on the service:
    • cyberbullying material targeted at an Australian child
    • adult cyber abuse material targeted at an Australian who is 18 or older
    • a non-consensual intimate image of a person
    • class 1 material
    • class 2 material
    • material that promotes, incites, instructs in or depicts abhorrent violent conduct
  • breaches of the service’s terms of use.

Expectations regarding dealings with the Commissioner

The expectation that the provider of a service will comply within 30 days if the Commissioner, by written notice, requests the provider to give the Commissioner:

  • a statement that sets out the number of complaints made to the provider during a specified period (not less than 6 months) about breaches of the service’s terms of use
  • a statement that sets out, for each removal notice given to the provider during a specified period (not less than 6 months), how long it took the provider to comply with the removal notice, or
  • specified information that explains what the provider does to make sure people can use its service safely.
     

Additional expectations in the determination

As well as the core expectations, the Online Safety (Basic Online Safety Expectations) Determination 2022 includes some additional expectations. The following is a summary.

Expectations regarding safe use

The provider of a service will:

  • take reasonable steps to proactively minimise unlawful or harmful material or activity on the service
  • have regard to eSafety guidance in determining reasonable steps to ensure safe use
  • take reasonable steps to develop and implement processes to detect and address unlawful or harmful material or activity on encrypted services
  • take reasonable steps to prevent anonymous accounts from being used for unlawful or harmful material or activity
  • take reasonable steps to consult and cooperate with other services to promote safety.

Expectations regarding reports and complaints

The provider of a service will:

  • make sure the service has clear and readily identifiable mechanisms that enable persons normally resident in Australia to report and make complaints about certain material provided on the service and breaches of the service’s terms of use
  • have (a) terms of use, (b) safety policies and procedures, (c) policies and procedures to deal with end-user reports and complaints, and (d) standards of conduct for end-users and policies and procedures in relation to the moderation of conduct and enforcement of those standards
  • take reasonable steps to make sure penalties for breaches of terms of use are enforced against all accounts held or created by the end-user who breached the terms of use
  • make information on how to make a complaint to the Commissioner accessible to end-users.

Expectations regarding making certain information accessible

The provider of a service will:

  • make sure certain information is (a) readily accessible to end-users, (b) accessible at all points in the user experience, (c) regularly reviewed and updated, and (d) written in plain language
  • make sure end-users receive updates when certain information changes.

Expectations regarding record keeping

The provider of a service will:

  • keep records of end-user reports and complaints for 5 years.

Expectations regarding dealings with the Commissioner

The provider of a service will:

  • comply within 30 days if the Commissioner, by written notice, requests the provider to give the Commissioner a report on the performance of online safety measures announced publicly or reported to the Commissioner
  • designate a contact point to eSafety for purposes of the Act, notify their contact details to the Commissioner and provide written notice of any change.
     

Reasonable steps

The determination includes examples of reasonable steps online services may take to meet relevant expectations. These are intended to provide services with guidance and to signal some of the matters on which eSafety may ask them to report.

Examples from the Online Safety (Basic Online Safety Expectations) Determination 2022 include:

  • undertaking assessments of safety risks and impacts, and implementing safety review processes, throughout the design, development and deployment of the service
  • making sure the default privacy and safety settings of services targeted at or used by children are robust and set to the most restrictive level
  • working with other service providers to detect high volume, cross-platform attacks (also known as ‘volumetric’ or ‘pile-on’ attacks)
  • having processes that require verification of identity or ownership of accounts
  • implementing age assurance mechanisms.

The reasonable steps provided as examples in the determination are not mandatory, and services may choose to undertake different steps. Services should be prepared to report on these steps, why they are reasonable, and how they are effective at meeting the relevant expectation(s) and keeping people safe.

Services are expected to consult with eSafety and refer to any guidance published by eSafety in deciding which reasonable steps are most suitable.

Reporting

There are three different ways eSafety will be able to seek information from services regarding compliance with the expectations.

  1. eSafety may request information about terms of use complaints1, the timeframe for responding to removal notices2, or measures taken to make sure people can use the service in a safe manner3.  Failure to comply would give the Commissioner discretion to prepare a statement.
  2. eSafety may give a reporting notice to a service provider requiring them to produce a report about their compliance with any or all of the expectations4. These notices are enforceable, backed by civil penalties and other enforcement mechanisms, and can require non-periodic (one-off) reporting or periodic reporting over a specified timeframe of six to 24 months. In deciding whether to give such a notice, eSafety must consider several factors, including the number of complaints it has received under the Online Safety Act in relation to the service in the previous 12 months, any deficiencies in the provider’s safety practices or terms of use, and any previous contraventions of civil penalty provisions relating to the expectations.
  3. eSafety may make a legislative instrument requiring periodic or non-periodic reporting for a specified class of services5. Like the reporting notices, these determinations are enforceable and backed by civil penalties and other enforcement mechanisms for failure to report.
     

Further guidance

eSafety will produce guidance on the expectations and reasonable steps to meet them, in consultation with stakeholders. Where there is a connection between the expectations and other eSafety workstreams – such as the industry codes and the age verification roadmap – we will work to ensure alignment and consistency across the different elements and to cross-pollinate learnings from different engagement processes.

In the meantime, we encourage services to refer to the following resources:

  • Our Regulatory Posture and Priorities 2021-22 this document explains that eSafety will not require reporting until the expectations have been in effect for at least six months, though we may request reporting if a serious issue emerges during that time. In the interim, our focus is on raising awareness of the expectations among service providers and building their capacity to comply.
  • Our Safety by Design principles and assessment tools these resources will enable service providers to audit and improve their current safety practices and position themselves to meet the expectations.
  • These Frequently Asked Questions about the expectations. The Department of Infrastructure, Transport, Regional Development and Communications developed these FAQs to respond to common questions raised during stakeholder consultation.

 

 

1 Online Safety Act (Cth) 2021 s 46(1)(g)

2 Online Safety Act (Cth) 2021 s 46(1)(h)

3 Online Safety Act (Cth) 2021 s 46(1)(i)

4 Online Safety Act (Cth) 2021 ss 49, 56

5 Online Safety Act (Cth) 2021 ss 52, 59