Basic Online Safety Expectations
The Basic Online Safety Expectations, known as ‘the Expectations’ or ‘BOSE’, are a key element of the Online Safety Act.
They outline the Australian Government’s expectations that social media, messaging and gaming service providers and other apps and websites will take reasonable steps to keep Australians safe.
The Minister for Communications established the Expectations through a legislative instrument called a determination.
Find out more about the Online Safety (Basic Online Safety Expectations) Determination 2022 – referred to as ‘the Determination’ – and read the explanatory statement on the Federal Register of Legislation at legislation.gov.au.
Under the Online Safety Act, eSafety can require online service providers to report on how they are meeting any or all of the Expectations. The obligation to respond to a reporting requirement is enforceable and backed by civil penalties and other mechanisms. eSafety can also publish statements about the extent to which services are meeting the Expectations.
The requirements are designed to improve providers’ safety standards, and improve transparency and accountability.
Find out more about the regulatory guidance for providers, how to comply with the Expectations and respond to mandatory reporting requirements.
On this page:
Summary of the Expectations
Some of the Expectations for providers include:
- ensuring all end-users can use online services in a safe manner
- that the best interests of the child is a primary consideration in the design and operation of services likely to be used by children
- ensuring safe use of certain features of a service, such as encrypted services, anonymous accounts, generative artificial intelligence (AI) and recommender systems
- minimising provision of unlawful and harmful material and activity
- enabling end-users to make reports and complaints about unlawful and harmful material and activity and reviewing and responding to these reports
- having terms of use, policies and procedures to ensure safe use, and enforcing these terms.
Reasonable steps
The Determination includes examples of reasonable steps that online service providers may take to meet the Expectations. The steps that are listed are not mandatory requirements and service providers may consult with eSafety and choose other steps – based on the nature of their business.
Some examples of reasonable steps set out in the Determination include:
- Undertaking assessments of safety risks and impacts, and implementing safety review processes, throughout the design, development and deployment of the service.
- Making sure the default privacy and safety settings of services used by children, are robust and set to the most restrictive level.
- Continually improving technology and practices relating to the safety of end-users.
- Providing educational and explanatory tools to end-users.
- Working with other online service providers to detect high volume, cross-platform attacks (also known as ‘volumetric’ or ‘pile-on’ attacks).
- Incorporating processes that require verification of identity or ownership of accounts.
- Implementing appropriate age assurance mechanisms
- Publishing regular transparency reports that outline the steps the service is taking to ensure safe use of the service.
Providers should be prepared to report on the steps they have taken, why they are reasonable, and how they help to meet the relevant Expectation(s) and keep people safe.
Reporting
There are three different ways eSafety is able to seek information from providers regarding compliance with the Expectations:
- Requesting information about terms of use breach complaints, the time frame for responding to removal notices, measures taken to make sure people can use the service in a safe manner, the performance of online safety measures and the number of active end-users of a service in Australia. Failure to comply would give the Commissioner discretion to prepare a statement.
- Issuing a reporting notice to an online service provider requiring them to produce a report about their compliance with any or all of the Expectations. These notices are enforceable, backed by civil penalties and other enforcement mechanisms, and can require non-periodic (one-off) reporting or periodic reporting over a specified time frame of six to 24 months.
- Making a reporting determination – a legislative instrument – requiring periodic or non-periodic reporting for a specified class of services. These determinations are enforceable and backed by civil penalties and other enforcement mechanisms if the provider fails to report.
Transparency
Information requested on 2 September 2024
On 2 September 2024, eSafety requested information about how many Australian children are using some of the most popular social media services and what age assurance measures those services have in place to enforce their own age limits.
A series of questions were sent to Google’s YouTube, Meta platforms Facebook and Instagram, TikTok, Snap, Reddit, Discord and Twitch, through expanded transparency powers under the Australian Government’s recently updated Basic Online Safety Expectations Determination.
Further information will be shared once the responses to the information requests are received.
Notices issued on 22 July 2024
On 22 July 2024, eSafety issued the first set of periodic notices focused on child sexual exploitation and abuse material and activity (CSEA) and sexual extortion to eight online service providers.
The periodic notices require providers to report to eSafety every six months for two years on how they have implemented the Expectations. This allows eSafety the opportunity to track key issues over time, and aims to incentivise improvements in safety.
The notices, issued under section 49(2) of the Online Safety Act, were given to Apple, Discord, Google, Meta, Microsoft, Snap, Skype and WhatsApp.
Further information will be shared once the first reports have been received.
Notices issued on 18 March 2024
On 18 March 2024, eSafety issued non-periodic reporting notices (or ‘transparency notices’) focused on terrorist and violent extremist material and activity to six online service providers. The notices require each provider to outline the steps they are taking to implement the Expectations with respect to terrorist and violent extremist material and activity.
The notices, issued under section 56(2) of the Online Safety Act, were given to Google, Meta, Telegram, Reddit, WhatsApp and X Corp.
Further information will be shared once this regulatory process has concluded.
Report published 11 January 2024 – response to notice to X Corp. (Twitter/X) focused on online hate
On 21 June 2023, eSafety gave a non-periodic reporting notice (or ‘transparency notice’) in relation to the steps Twitter (subsequently renamed X) was taking to minimise online hate, and enforce its terms of use and hateful conduct policy.
A summary of the response to the notice has been published.
Report published 16 October 2023 – responses to notices focused on CSEA
On 22 February 2023, eSafety gave the second set of non-periodic reporting notices (or ‘transparency notices’) focused on child sexual exploitation and abuse.
The notices were given to Google, Twitter (X), Twitch, TikTok and Discord.
A summary of the responses to the notices has been published.
Report published 22 December 2022 – responses to first notices focused on CSEA
The first non-periodic reporting notices (or ‘transparency notices’) were given on 29 August 2022. These notices also focused on child sexual exploitation and abuse and were given to Apple, Meta (and WhatsApp), Microsoft (and Skype), Omegle and Snap.
A summary of the responses to the notices has been published.
Why is eSafety publishing these reports?
By highlighting what we have learned from transparency notices and information requests, eSafety’s aim is that the information is used by researchers, academics, the media and the public to scrutinise the efforts of industry to encourage implementation of the Expectations and to lift safety practices, protections and standards across the industry.
eSafety recognises that each provider is different, with different architectures, business models and user bases. This means an intervention, or use of specific tools on one platform, may not be proportionate on another.
However, seen together these reports represent a significant step towards greater transparency and understanding of what providers are and are not doing to protect Australians online.
Guidance
The Basic Online Safety Expectations Regulatory Guidance was updated most recently in July 2024 to reflect the amendments as a result of the Online Safety (Basic Online Safety Expectations) Amendment Determination 2024.
Where there is a connection between the Expectations and other eSafety work streams – such as the industry codes and the age verification roadmap – we will aim to ensure alignment and consistency across the different elements and aim to use these learnings from different engagement processes.
eSafety encourages providers to review these resources:
- The Basic Online Safety Expectations regulatory guidance.
- eSafety’s Safety by Design principles and assessment tools. These resources will enable service providers to audit and improve their current safety practices and position themselves to meet the Expectations.
Last updated: 03/09/2024