Basic Online Safety Expectations

Some of the Expectations for providers include:

• taking reasonable steps to proactively minimise material or activity that is unlawful or harmful, and ensuring users can use a service in a safe manner
• protecting children from content that is not age appropriate like pornography
• taking reasonable steps to prevent harmful use of anonymous and encrypted services
• putting in place user-reporting mechanisms, and clearly outlining their terms of service and enforcing penalties for people who breach these terms
• cooperating with other service providers
• responding to requests for information from the eSafety Commissioner.

The Determination includes examples of reasonable steps that online service providers may take to meet the Expectations. The steps that are listed are not mandatory requirements and service providers may consult with eSafety and choose other steps – based on the nature of their business. 

The reasonable steps that a provider may take include:

• Undertaking assessments of safety risks and impacts, and implementing safety review processes, throughout the design, development and deployment of the service.
• Making sure the default privacy and safety settings of services targeted at, or used by children, are robust and set to the most restrictive level.
• Working with other online service providers to detect high volume, cross-platform attacks (also known as ‘volumetric’ or ‘pile-on’ attacks).
• Incorporating processes that require verification of identity or ownership of accounts.
• Implementing age assurance mechanisms.

Providers should be prepared to report on the steps they have taken, why they are reasonable, and how they help to meet the relevant Expectation(s) and keep people safe.

There are three different ways eSafety is able to seek information from providers regarding compliance with the Expectations:

1. Requesting information about terms of use complaints, the time frame for responding to removal notices, or measures taken to make sure people can use the service in a safe manner. Failure to comply would give the Commissioner discretion to prepare a statement.
2. Issuing a reporting notice to an online service provider requiring them to produce a report about their compliance with any or all of the Expectations. These notices are enforceable, backed by civil penalties and other enforcement mechanisms, and can require non-periodic (one-off) reporting or periodic reporting over a specified time frame of six to 24 months. 
3. Making a reporting determination – a legislative instrument – requiring periodic or non-periodic reporting for a specified class of services. These determinations are enforceable and backed by civil penalties and other enforcement mechanisms if the provider fails to report.

Notice issued to Twitter (subsequently rebranded as X) on online hate

On 21 June 2023, eSafety issued a non-periodic reporting notice (or ‘transparency notice’) to Twitter (X) under section 56(2) of the Online Safety Act. This notice requires Twitter (X) to explain what it is doing to minimise online hate, including how it is enforcing its terms of use and hateful conduct policy.

Further information will be shared once this regulatory process has concluded.

Report published 16 October 2023 – responses to notices focused on CSEA

On 22 February 2023, eSafety issued the second set of non-periodic reporting notices (or ‘transparency notices’) focused on child sexual exploitation and abuse (CSEA).

The notices were given to Google, Twitter (X), Twitch, TikTok and Discord.

A summary of the responses to the notices has been published.

Report published 22 December 2022 – responses to first notices focused on CSEA

The first non-periodic reporting notices (or ‘transparency notices’) were issued on 29 August 2022. These notices also focused on child sexual exploitation and abuse and were issued to Apple, Meta (and WhatsApp), Microsoft (and Skype), Omegle, and Snap.

A summary of the responses to the notices has been published.

Non-compliance to 22 February 2023 Notices

eSafety closely considered the responses provided by the five recipients of the reporting notices given on 22 February 2023: Google, Twitter (X), TikTok, Twitch and Discord. eSafety found that Google and Twitter (X) did not comply with the notices given to them. 

Find further information about this enforcement action.

By highlighting what we have learned from these notices eSafety’s aim is that the information is used by researchers, academics, the media and the public to scrutinise the efforts of industry to encourage implementation of the Expectations and to lift safety practices, protections and standards across the industry.
 
eSafety recognises that each provider is different, with different architectures, business models and user bases. This means an intervention, or use of specific tools on one platform, may not be proportionate on another. 

However, seen together these reports represent a significant step towards greater transparency and understanding of what providers are and are not doing to protect Australians online.

eSafety published additional guidance on the Expectations and reasonable steps to meet them, in consultation with stakeholders, in September 2023.

Where there is a connection between the Expectations and other eSafety work streams – such as the industry codes and the age verification roadmap – we will aim to ensure alignment and consistency across the different elements and aim to use these learnings from different engagement processes.

eSafety encourages providers to review these resources:

• The Basic Online Safety Expectations regulatory guidance.
• eSafety’s Safety by Design principles and assessment tools. These resources will enable service providers to audit and improve their current safety practices and position themselves to meet the Expectations.