Australia builds enforcement layer behind age assurance laws

Draft digital duty of care would expand accountability across social media, AI and online services

Australia is moving beyond age assurance mandates toward a broader legal framework designed to hold online platforms accountable for harms occurring on their services. Age checks can keep kids away from addictive design elements and online harms, but only if platforms implement them in good faith.

So far, in Australia, regulatory fines have not been much of a deterrent for Meta and other large social media firms; data has shown that the platforms have done a shoddy job of putting in place the rules they have promised to follow.

One possible solution is a digital duty of care – which Australia is in the process of drafting. In legal terms, a duty of care requires an entity to take reasonable care to avoid conduct that poses an unreasonable risk of harm to others. A digital duty of care, then, is a legal obligation for companies in the online space to take reasonable measures to ensure their product isn’t hurting people.

A document from the Australian government says it is developing draft legislation to implement a Digital Duty of Care in Australia under the Online Safety Act 2021. The duty of care reforms are intended to complement the Social Media Minimum Age law, which restricts social media for those under 16, and requires age assurance measures to be put in place. The government says it will support “broad, risk-based and proportionate regulation of all online service providers.”

“At its core, the Duty recognises that online service providers are best placed to manage risks of serious harm associated with use of their service. The Government will hold online service providers to account by requiring that they undertake thorough and regular risk assessments, implement effective mitigation strategies and measures, and report transparently on the effectiveness of those measures in driving safer online experiences for all Australians.”

The implication is clear, particularly in the requirement to “prevent, monitor and appropriately address content and activity that is illegal or harmful to young people.” The duty is designed to strengthen enforcement of Australia’s broader online safety regime, including the Social Media Minimum Age law and associated age assurance requirements. The proposal effectively builds the legal infrastructure needed to hold platforms accountable when they fail to comply with age assurance and online safety obligations.

Sure enough, social media companies are at the top of the list of covered services – which is to say, “all online service providers currently defined as within the scope of the Act.” It aims to cover the full tech stack.

The framework extends beyond social media to messaging apps, interactive online games, dating services, pornography services, generative AI systems, hosting providers, ISPs, search engines, app stores, connected devices and operating systems.

In other words, if an online service or company is operating in Australia, the duty of care applies.

Other key requirements are that all regulated entities maintain systems and processes that ensure the safety of service features, including AI and algorithmic content recommendation or generation systems and bot accounts, and “so far as is reasonably practicable, provide a safe online environment for all Australians.”

The document says the duty will complement, not replace, the Act’s complaint schemes. Risk management, risk assessment, harm prevention and mitigation are all part of the effective systems and processes online operators will be required to put in place.

Platforms must put the best interests of the user first

The government says three overarching principles of safety by design will guide the development of the regulatory framework.

The first is service provider responsibility: service providers must “take active responsibility for the safety and safe use of their services, understanding, assessing and addressing online harms in the design and provision of those services.”

The second, user empowerment and autonomy, says covered services must center the “best interests, dignity and rights of their users.”

And the principle of transparency and accountability requires service providers to be “transparent in their approach to safety in the design and operation of their services, and accountable for this approach – including ongoing innovation and sharing of good practice in online safety.”

“Safety by design is a well-established concept, and eSafety has proven expertise and experience in providing research and guidance on how industry can embed safety by design principles in the design, development, deployment and operation of their services.”

eSafety gets option to issue fines up to $100 million

The question looming over the proposal is what will make social media companies adhere to the duty of care, rather than simply ignoring it or fudging the data to seem compliant.

Enforcement will follow a graduated model, first giving sites the opportunity to “identify and rectify deficiencies in their systems and processes.” The document lists, as examples of “formal powers given to eSafety,” information gathering and reporting notice powers, formal warnings, remedial directions and enforceable undertakings, audit powers, infringement notices and application to the Courts for civil penalty orders or injunctions.

None of this sounds especially threatening, and there is a question to be asked about how much more administration is worth throwing at Big Tech. Periodic reporting obligations are not likely to scare Meta into making its products safer for kids.

The section on penalties is where the sting hits. “Enforceable provisions will be graduated but include serious civil penalties for egregious and systemic breaches of the Duty. In terms of penalty units, the maximum civil penalty will be commensurate to offences under other legislation such as the Competition and Consumer Act, where maximum penalties for ACCC enforcement were recently increased to $100 million” (about US$70.5 million).

The government says “high civil penalties are intended to serve as a deterrent and would only be applied in circumstances where there has been egregious or systemic non-compliance.” It remains to be seen how eSafety judges what is egregious or systemic, and what it will ultimately let slide.

A transitional period of a year will see existing elements of the Act and the industry codes or standards made under the Online Content Scheme incorporated into the duty. Organizations will also have time to adopt new guidance to be developed and published, and to prepare for compliance.

While time will tell how the duty is enforced in practice, it is likely to cause further consternation among social media CEOs, who are watching as the world follows Australia in embracing age limits for online platforms and the biometric age assurance technologies needed to enforce them.
