Published: 27 February 2024

Download the Submission on the Draft Online Safety (Basic Online Safety Expectations) Amendment Determination 2023

Dear Secretary,

The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission in relation to the Draft Online Safety (Basic Online Safety Expectations) Amendment Determination 2023.

The OAIC is an independent Commonwealth regulator, established to bring together three functions: privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Cth) (Privacy Act) and other legislation), freedom of information (FOI) functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982 (Cth) (FOI Act)), and information management functions (as set out in the Australian Information Commissioner Act 2010 (Cth)).

While the Privacy Act protects the privacy of individuals by regulating the handling of personal information, the Online Safety (Basic Online Safety Expectations) Determination 2022 (BOSE Determination) made under the Online Safety Act 2021 (Cth) focusses on protecting Australians from online harms resulting from exposure to illegal or harmful online content or behaviour. Both regulatory frameworks are essential components in the ring of defence that is being built to address the risks and harms faced by Australians in the online environment and have distinct but complementary roles to play. We provide the following general comments in support of the BOSE Determination and the proposed amendments.

Intersections between Online Safety and Privacy

The BOSE Determination sets out the Government’s minimum safety expectations of online service providers for protecting their Australian users. The BOSE Determination employs a ‘reasonable steps’ approach,[1] which provides flexibility for online services to determine the most appropriate method for achieving the expectations. We note that the BOSE Determination does not require or expect service providers to undertake actions inconsistent with their obligations under the Privacy Act and other relevant laws.[2]

The proposed amendments to the BOSE Determination would maintain the current ‘reasonable steps’ approach, while introducing a range of new additional expectations that relate to addressing emerging risks associated with generative artificial intelligence, protecting the best interests of the child, addressing the safety impacts of business and resourcing decisions, online hate speech, improving industry transparency, and the enforcement of service providers’ terms of use.

The OAIC is supportive of the approach under the BOSE Determination, which broadly aligns with the principles-based framing of the Australian Privacy Principles (APPs). The APPs are not prescriptive and generally require entities to take ‘reasonable steps’ to meet obligations around the handling of personal information. This approach provides entities with the flexibility to take a risk-based approach to compliance, based on their circumstances, including size, resources and business model, while ensuring the protection of individuals’ privacy.

We consider that the ‘reasonable steps’ approach under the BOSE Determination, which will be maintained in relation to the proposed amendments, enables service providers to adopt a flexible and proportionate response to implementing the expectations that achieves both privacy and online safety outcomes. In this way, the BOSE Determination will continue to facilitate an approach in which privacy and online safety are not mutually exclusive considerations but complementary components to address the risks and harms faced by Australians in the online environment.

The OAIC agrees that ‘industry is primarily responsible for creating safer online spaces.’[3] It should be incumbent on industry to develop technological solutions that integrate privacy, security and online safety considerations. Regulatory guidance issued by the eSafety Commissioner will continue to play an important role in supporting industry to achieve these outcomes.[4]

Reform of the Privacy Act

The proposed amendments to the BOSE come at a time when the Government has committed to advancing substantial reform to the Privacy Act.[5] The Attorney-General’s Department is progressing Privacy Act reforms which have synergies with the proposed BOSE amendments, such as:

  • A requirement to have regard to the best interests of the child when handling the personal information of children;[6]
  • The introduction of a Children’s Online Privacy Code that applies to online services that are ‘likely to be accessed by children’ which, among other matters, could address how the best interests of child users should be supported in the design of an online service;[7] and
  • A requirement for entities that provide online services to ensure that privacy settings are clear and easily accessible for service users.[8]

The OAIC considers that the Privacy Act reforms and proposed BOSE amendments should progress as soon as possible to ensure comprehensive protection for Australians against privacy and safety harms in the online environment. To the extent that new proposed expectations intersect with the proposals of the Privacy Act Review, it will be important for the Department to co-ordinate with the Attorney General’s Department to ensure coherence between regulatory frameworks and clarity for the regulated community, as well as for the OAIC and eSafety Commissioner as regulators.

Regulatory cooperation

These intersections also highlight the importance of continued co-operation at the regulator level to manage areas of regulatory convergence and ensure clarity for the regulated community. The OAIC has an effective, collaborative and strong working relationship with the eSafety Commissioner, including through our participation in the Digital Platform Regulators Forum (DP-REG). The OAIC will continue to seek opportunities to collaborate with the eSafety Commissioner bilaterally and through DP-REG to promote regulatory outcomes that are consistent with the objectives of the BOSE.

If we are able to be of further assistance to the Department please contact Rebecca Brown (Director, Law Reform & Digital Platforms) on 02 9942 4117 or rebecca.brown@oaic.gov.au.

Yours sincerely,

Angelene Falk
Australian Information Commissioner

23 February 2024

[1] See, Department of Infrastructure, Transport, Regional Development, Communications and the Arts, Amending the Online Safety (Basic Online Safety Expectations) Determination 2022 — Consultation paper, 22 November 2023, p 3.

[2] See, Explanatory Statement, Online Safety (Basic Online Safety Expectations) Determination 2022, p 4, 9; eSafety Commissioner, Basic Online Safety Expectations: Regulatory Guidance, September 2023, p 8.

[3] Department of Infrastructure, Transport, Regional Development, Communications and the Arts, Amending the Online Safety (Basic Online Safety Expectations) Determination 2022 — Consultation paper, 22 November 2023, p 2.

[4] eSafety Commissioner, Basic Online Safety Expectations: Regulatory Guidance, September 2023.

[5] Attorney-General’s Department, Government Response to the Privacy Act Review Report, 28 September 2023.

[6] Ibid, Proposal 16.4.

[7] Ibid, Proposal 16.5.

[8] Ibid, Proposal 11.4.

OAIC logo
Contact us 1300 363 992

Monday to Thursday 10 am to 4 pm (AEST/AEDT)

Acknowledgement of Country

The OAIC acknowledges Traditional Custodians of Country across Australia and their continuing connection to land, waters and communities. We pay our respect to First Nations people, cultures and Elders past and present.

© Commonwealth of Australia