3 March 2021

Dear Chair

I welcome the opportunity to make a submission to the Committee’s inquiry into the Online Safety Bill 2021 (the Bill).

The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth)), and information management functions (as set out in the Information Commissioner Act 2010 (Cth)).

The OAIC acknowledges the important policy objective of the Bill to keep Australians safe online so that the substantial benefits that come from using the internet can be realised.[1]

Most aspects of the daily lives of Australians have been transformed by innovations in technology and service delivery. The scale and scope of technological change – including the emergence of new platforms and services – has given rise to new ways for individuals to interact online and created new risks. Many of these risks have emerged specifically due to the dramatic increase in the amount of data and personal information collected, used, and shared, both in Australia and globally.

The OAIC considers that strong data protection and privacy rights are therefore an essential piece in the ring of defence that is being built to address the risks faced by Australians in the online environment. Accordingly, online safety and privacy have distinct but complementary roles to play to achieve the Government’s online safety agenda and keep Australians safe online.

The Government confirmed its commitment to strengthening and enhancing online privacy protections for consumers in its response to the Australian Competition and Consumer Commission (ACCC)’s Digital Platforms Inquiry (DPI) final report.[2]

The Government’s privacy law reform agenda includes the development of a binding online privacy code with enhanced privacy protections for children and other vulnerable groups, which will apply to digital platforms and other entities that trade in personal information online. The Government is also currently conducting a broad review of the Privacy Act. The OAIC considers the review an opportunity to ensure that Australia’s privacy framework is proportionate, sustainable and responsive to emerging privacy risks into the future.

The OAIC made a submission to the consultation on the exposure draft of the Online Safety Bill 2021, which outlined the potential for intersection between the proposed online privacy code and measures in the Bill related to the registration of industry codes and the making of industry standards by the eSafety Commissioner. As outlined in our previous submission, the OAIC recommends that the Bill include additional measures to further support cooperation and facilitate information sharing, where necessary, to enable the OAIC and the eSafety Commissioner to ensure a consistent and coordinated approach to the regulation of online safety and privacy.

Consistency and collaboration

Division 7 of Part 9 of the Bill sets out a framework for the development of industry codes and industry standards for sections of the online industry. ‘Sections of the online industry’ include social media services, relevant electronic services, providers of designated internet services, internet search engine services and app distribution services (see cl 135).

Clause 138 of the Bill sets out examples of matters that may be managed through industry codes and industry standards. The examples include, but are not limited to, ‘procedures directed towards the achievement of the objective of ensuring that online accounts are not provided to children without the consent of a parent or responsible adult.’

There is some alignment between these definitions and proposed content and the Government’s proposed binding online privacy code, which will apply to social media platforms and other online platforms that trade in personal information.[3] The privacy code will require these entities to:

  1. be more transparent about data sharing
  2. meet best practice consent requirements when collecting, using and disclosing personal information
  3. stop using or disclosing personal information on request, and
  4. comply with specific rules to protect the personal information of children and vulnerable groups.

The OAIC considers that these alignments present an opportunity to address issues of common concern through a coordinated online safety and data protection regime. Ongoing consultation and cooperation between the OAIC and the Office of the eSafety Commissioner will continue to ensure that the distinct but complementary roles of privacy and online safety work effectively and comprehensively to address online risks and harms.

The OAIC has significant experience in co-regulatory matters and working with other regulators to avoid unnecessary or inadvertent overlap and to create certainty for consumers and industry. The OAIC has entered into memorandums of understanding with other regulators to achieve this including the ACCC, the Australian Communications and Media Authority (ACMA), and the Inspector-General of Intelligence and Security.

The OAIC considers that these types of collaborative working arrangements can be most effective where they have a legislative basis to support cooperation and facilitate information sharing. The OAIC recommends that the Bill ensure that the eSafety Commissioner and Information Commissioner have the legislative authority to share information where necessary, to develop a consistent and coordinated approach to the regulation of online safety and privacy.

To this end, the OAIC welcomes amendments to the Bill that will allow the eSafety Commissioner to share information to enable or assist the OAIC to perform or exercise its functions or powers.[4] However, the OAIC recommends that consideration is given to providing the OAIC with a comparable legislative basis to enable it to share information with the eSafety Commissioner.[5]

The OAIC also recommends that a provision be included in the Bill to require consultation with the Information Commissioner before the eSafety Commissioner decides to register an industry code or make an industry standard which may intersect with privacy and data protection issues. There is precedent for such consultation requirements in other legislation, for example, s 53 of the Office of the National Intelligence Act 2018, s 355-72 of the Taxation Administration Act 1953 and s 56AD of the Competition and Consumer Act 2010.

The OAIC has an effective, collaborative and longstanding working relationship with the Office of the eSafety Commissioner and we recommend it is further supported and strengthened through the measures set out in this submission, as we work together to achieve an online environment where safety and privacy are respected and protected.

Should you require further information about any aspect of this submission please contact Sarah Croxall, Director, Regulation and Strategy Branch [contact details removed].

Yours sincerely

Angelene Falk
Australian Information Commissioner
Privacy Commissioner

Footnotes

[1] Department of Infrastructure, Transport, Regional Development and Communications (2021), Online Safety Bill – Reading Guide (accessed 9 February 2021).

[4] See cl 212 of the Online Safety Bill 2021.

[5] Section 29 of the Australian Information Commissioner Act 2010 sets out the circumstances in which the Commissioner may share information. Under s 29(2)(aa) of the Act, the Commissioner is expressly authorised to share information acquired in the course of performing a function conferred by Part IVD (about the consumer data right) of the Competition and Consumer Act 2010 with, amongst other entities, the Australian Competition and Consumer Commission.