eSafety Commissioner makes final decision on world-first industry codes

Australia’s eSafety Commissioner has made the decision not to register two of eight online safety codes drafted by the online industry as they fail to provide appropriate community safeguards to deal with illegal and harmful content online. 

New mandatory codes will cover five sections of the online industry and operate under Australia’s Online Safety Act 2021. The codes require industry to take adequate steps to reduce the availability of seriously harmful online content, such as child sexual abuse and pro-terror material.

eSafety’s decision not to register the Designated Internet Services (DIS) code, covering apps, websites, and file and photo storage services like Apple iCloud and Microsoft One Drive; and the Relevant Electronic Services (RES) code, covering dating sites, online games and instant messaging, is due to the failure of the codes to provide  appropriate community safeguards, which is a requirement for registration . 

eSafety will now move to develop mandatory and enforceable industry standards for Relevant Electronic Services and Designated Internet Services. 

The eSafety Commissioner has reserved her decision on a third code, the draft Search Engines code, covering online search over concerns it is no longer fit for purpose following recently announced developments in the field of generative AI and its integration into search engine functions.  

 eSafety has requested that a revised Search Engines code be submitted within four weeks to address specific concerns we have raised. 

eSafety Commissioner Julie Inman Grant said she recognised industry’s hard work in developing the draft codes to date but said the RES and DIS codes just simply don’t go far enough in protecting Australian users, particularly children.

“We’re talking about the worst-of-the-worst online content here, often illegal content, including child sexual abuse material and pro-terror content,” Ms Inman Grant said. “eSafety and indeed the wider community, expect that these companies should take reasonable steps to prevent their services from being used to store and distribute this horrendous content. 

“And the need for action is increasing. In the first three months of this year, we have seen a 285 per cent increase in reports into our office of child sexual exploitation and abuse material compared to the same time last year. 

“While I commend industry for their significant amendments following our final feedback on these world-first codes in February, these two codes still don’t meet our minimum expectations. 

“For example, the Designated Internet Services code still doesn’t require file and photo storage services like iCloud, Google Drive, or OneDrive to detect and flag known child sexual abuse material. 

“We know that online storage services like these are used to store and share child sexual abuse material and pro-terror material between offenders.

“And the Relevant Electronic Services code also doesn’t require email services and some partially encrypted messaging services to detect and flag this material either, even though we know there are proactive steps they can take to stem the already rampant sharing of illegal content.

“For eSafety, these and other basic requirements are non-negotiable, and while we don’t take this decision lightly, we feel that moving to industry standards is the right one to protect the Australian community. Both the codes and the industry standards, once developed, will apply equally to Australian and overseas providers where their services are provided to to users in Australia.  
“The current Search Engines code is not fit for purpose given the increased functionality of search engines and the integration of powerful generative AI tools, which will revolutionise the way that search is conducted. 
“These tools require adequate safeguards to protect against potential risks posed by AI generated deepfake child sexual abuse and terror and extremist propaganda material. I want to give providers of Search Engines the opportunity to update the draft code in order to address the risks provided by generative AI.” 
The eSafety Commissioner will register the five remaining codes redrafted by industry which were resubmitted on 31 March, including the Social Media Services, Internet Carriage Services, App Distribution Services, Hosting Services, and Equipment codes. eSafety has been engaging closely with industry associations and industry participants throughout the development of the codes since mid-2021.   
Industry codes will come into effect six months from the date of registration while eSafety will begin the process of drafting industry standards for Designated Internet Services and Relevant Electronic Services.  

Once a code or standard is in place, eSafety will be able to receive complaints and investigate potential breaches. An industry code or standard will be backed up by powers to ensure compliance including injunctions, enforceable undertakings, and maximum financial penalties of nearly $700,000 per day for  continuing breaches.
The draft industry codes submitted to eSafety on 31 March can be found at These follow earlier draft industry codes which were published by the industry associations on 22 February 2023 and eSafety’s statements of preliminary concerns with those versions, which can be found at  


For more information or to request an interview, please contact: