
Report of the Statutory Review of the Online Safety Act 2021 released


Tell me in a minute

The Government has tabled a report on the review of the Online Safety Act 2021 (Online Safety Act or OSA). While the report stops short of recommending a complete re-write of the OSA, it comes close. Chief amongst its recommendations are introducing a new duty of care, simplifying the way the online industry is defined under the OSA, decoupling the online safety framework from the National Classification Scheme, and bolstering the investigatory and enforcement powers of eSafety.

The report recognises that it will take time to develop and implement its key recommendations, given the scale and complexity of the task. However, it underscores the urgency for action and identifies the reforms that should be prioritised.

The Government has not made any further commitments in relation to the suggested reforms. Indeed, given the upcoming federal election, it is unlikely that any significant developments will occur in the coming months.

What has happened?

The Report of the Statutory Review of the Online Safety Act 2021 (Report) was tabled in Parliament by the Minister for Communications, the Hon Michelle Rowland, on 4 February 2024. Over 200 pages, the Report, which was prepared by Delia Rickard (the former Deputy Chair of the Australian Competition and Consumer Commission) as part of an independent review, sets out 67 detailed and wide-ranging recommendations to strengthen Australia’s online safety laws.

We have set out some of the most impactful recommendations below.

What are the key recommendations?

Replace the objectives of the Online Safety Act

The Report looks to recast the OSA from the ground up, recommending that the broadly framed purposes of the Act are replaced with the following objectives that link to its various functions:

  • promoting human rights and safety
  • promoting and protecting the best interests of the child
  • building the evidence base around online safety by keeping up with technology and identifying emerging harms
  • preventing and alleviating online harm in Australia through eSafety’s core functions of education, awareness raising and enforcement, and
  • improving online safety for all in Australia by advancing service provider responsibility, user empowerment and transparency.

The Report also recommends that the legislation define and cover a new series of ‘core enduring harms’ within eSafety’s remit. These are: harms to young people, harms to mental and physical wellbeing, instruction or promotion of harmful practices, threats to national security and social cohesion, and other illegal content, conduct and activity.

Implement a duty of care

The centrepiece reform will be the introduction of a ‘singular and overarching duty of care’ that places responsibility on service providers to take reasonable steps to address and prevent foreseeable harms on their services. The Report argues that shifting the onus from individuals – who are at a disadvantage in terms of their power and available information – onto online service providers will promote a more proactive and systemic approach, and have a far greater impact than the reactive model that many have described as ‘whack a mole’.

The new duty of care would include requirements for service providers to undertake due diligence, engage in an ongoing cycle of risk identification and assessment, embed safety by design principles into its operations, implement mitigation and measurement strategies and deliver transparency reports to eSafety. Further, rather than the industry-led process under the existing framework, the Report recommends that eSafety be empowered to make mandatory codes about how to comply with certain aspects of the duty (an approach that the Report considers will be more timely and efficient). However, it emphasises that these codes will not create safe harbours – in other words, an entity may still be found to have breached the duty of care even if it has faithfully complied with applicable code requirements. The Report notes that where ‘new and better ways’ are identified to protect against online harms, these must be adopted by industry without waiting for the codes to catch up.

The Report indicates that this does not mean that the codes being developed by industry under the existing online safety framework should be abandoned, as it will take a substantial amount of time to transition to a new regime and interim arrangements will be required to ensure a continuity of protection. However, if the recommendations are accepted, it seems that the codes in development will be stop-gap measures at best. This may create some inefficiency and churn as service providers need to grapple with multiple different compliance measures designed under different regulatory frameworks in a short space of time. There is also a risk of confusion for consumers if this is not handled well.

More broadly, the Report notes that this approach mirrors the clear trend towards systems-based regulation in Europe, the United Kingdom and North America. Online service providers often have larger markets in these jurisdictions, meaning that their regulators have greater influence and are often better positioned to take on digital industry. Accordingly, the Report suggests that aligning Australia’s approach with other like-minded countries where appropriate (such as in relation to the duty of care) could strengthen Australia’s position and lead to better regulatory outcomes.

Simplify the division of the online industry

The Report recognises that the way the OSA defines the sections of the online industry does not align with the types of services in the online ecosystem, and that this creates uncertainty and confusion for service providers applying the regulatory regime. It recommends consolidating the existing divisions into four broad categories:

  • online platforms (services providing online interaction and online content)
  • online search and app distribution services (gate-keeper services)
  • online infrastructure services, and
  • equipment and operating system services.

Unlike the current system, which divides the online industry based on the type of service provided to the end-user, this approach categorises the sections of the online industry according to the role they play in the online industry. The Report notes that these broader categories provide greater flexibility and allow services to assess their risk factors based on their specific mix of functions and features. While the consolidation contemplated by the Report will hopefully clarify the application of the legislative framework, it will be crucial to ensure that important differences between service types (e.g. messaging and social media) are appropriately considered by eSafety in developing any future mandatory codes.

Increase transparency reporting

To facilitate the new duty of care model, transparency requirements will continue to feature heavily. The Report notes that one of the ‘most useful’ powers that eSafety currently has is its ability to require services to provide information related to the Basic Online Safety Expectations, ask forensic questions and assess how much services are doing to keep users safe. It recommends that the OSA continue to provide eSafety with a broad ability to require information about any element of the service, while also requiring services with the greatest reach or risk to prepare and publish annual transparency reports and summaries to be made publicly available on their website. To prevent information from being used by bad actors, providers would not need to reveal matters that are commercial in confidence. The Report acknowledges that entities will likely have reporting obligations in other jurisdictions and suggests that alignment with these obligations (to the extent possible) would be desirable to limit the burden on industry.

Service providers currently have a range of reporting obligations scattered throughout different parts of the online safety framework, including under the Basic Online Safety Expectations, industry made codes and legislative standards. Accordingly, a consolidation of these obligations would make it easier for providers to identify and comply with their duties, and is overall a positive development.

Retain and strengthen the take-down regime

The Report recommends retaining the existing complaints-based content removal scheme, with some tweaks, to ensure that individuals have a means of quickly addressing immediate harms. The tweaks contemplated in the Report are intended to make the scheme more easily accessible and quicker to respond to different types of harms. The Report received many submissions on harmful patterns of behaviour, online hate, and volumetric / pile-on attacks, and specific attention is given to addressing these issues.

Service providers would also be required to have internal complaint handling processes (including for non-users) that comply with a code on internal dispute resolution, comply with a requirement to respond to certain issues within 24 hours and provide individuals with the right to appeal to an industry ombudsman if not satisfied with the outcome. To improve user access to assistance and reduce duplicative processes, the Report also recommends that the Government develop a holistic ‘no wrong door’ approach. This would require agencies (including law enforcement) to collaborate and share information across portfolios when addressing issues such as online safety, child safety, privacy and scams.

The Report notes that in an ideal world, there would no longer be a need for case-based regulation as many of these concerns would be addressed by the statutory duty of care. However, for the time being, the notice and takedown regime plays a crucial ‘safety net’ role in protecting individuals when harm occurs.

Work with stakeholders to tackle the ‘wicked problems’

The Report identifies a number of ‘wicked’ problems that require a multi-stakeholder, multi-dimensional approach. Foremost among these is end-to-end encryption.

The Report acknowledges that there is a ‘legitimate place’ for encryption, and that there is little appetite amongst service providers to wind back its use. However, the Report does suggest that more should be done to ensure that encryption does not operate as a barrier to detecting and preventing online harms, and recommends forming ‘fusion cells’ to look into this and other similar complex issues (such as technology-facilitated abuse and sextortion). Fusion cells would bring together stakeholders across industry, including from the academic, government, regulatory and child protection sectors.

Generally, the Report strongly advocates for providers to take responsibility for material on their services, noting that it should be ‘mandatory and absolute’ for providers to develop and deploy effective detection methods, ‘rather than aspirational, or a case of “best attempts”’. This is strong language that seems to go even further than the reasonable steps that would be required under an overarching duty of care. Interestingly, the Report does point to other stages in the abuse cycle that should be considered, such as where devices are used to capture or render harmful material, before encrypted communications even come into play. This suggests that responsibility does not lie solely with the service providers that are the final link in the delivery chain and should be appropriately shared across the entire technology ecosystem.

Decouple the OSA from the National Classification Scheme

The Report recommends that the Online Safety Act be decoupled from the National Classification Scheme. This recognises that the classification rules for professionally-produced, commercially-distributed traditional media are not suited to responding to illegal and harmful online content, much of which is user-generated. The Report contemplates that there would still be a distinction drawn between class 1 (illegal and seriously harmful) and class 2 (legal but potentially harmful) content, which would apply to all types of online material and would sync with classification standards and criminal laws where appropriate. The new framework would support efficient decision-making of ‘dynamic and potentially high-volume content’ and allow for ‘rapid responses’ to illegal and harmful content.

Notably, the report also contemplates that the boundaries between the OSA and the National Classification Scheme should be better defined, with classified content not being subject to the OSA. That will be a relief for services that principally offer classified content.

Strengthen eSafety’s investigation and enforcement powers

There is significant discussion in the Report of eSafety’s pivotal role in overseeing the Online Safety Act. The Report argues that effective compliance with an overarching duty of care and its corresponding obligations requires new enforcement mechanisms and penalties.

Many of the recommendations centre around eSafety’s functions and powers:

Materially increase maximum penalties under the OSA (to the greater of 5% of global annual turnover or $50 million for a breach of the duty of care, and $10 million for non-compliance with removal notices).

The Act currently sets 500 penalty units as a maximum penalty for most of its contraventions. At current levels, this amounts to a maximum penalty of $825,000 for companies (relatively low by international standards), although some courses of conduct may result in multiple contraventions.

Notably, a number of maximum penalties under the OSA have already been significantly increased by the Bill that introduced the new minimum age requirements for social media, which was passed in December 2024, shortly after the Report was finalised.

However, the Report also contemplates penalties that go beyond financial incentives, in case of recalcitrant services that simply do not agree to cooperate. The Report contemplates that this could include access restriction powers (ie to block or limit access to a service from Australia) and business disruption powers (hampering a service’s ability to conduct business and receive revenue in Australia, such as by prohibiting processing of payments to a service, not carrying advertising, or throttling internet speeds). These would obviously be relatively drastic measures that would need to be subject to due process and consideration of system impacts across other businesses.

Introduce broader powers for eSafety to issue enforceable undertakings and remedial directions.

Currently, remedial direction powers only exist for the image-based abuse scheme and (in certain circumstances) the Online Content Scheme. The report recommends that the Act should therefore be amended to provide eSafety with powers to issue remedial directions or enforceable undertakings for all instances of non-compliance where they may be useful, including in relation to:

  • Compliance with the duty of care;
  • Complaints schemes; and
  • For both end-users and online service providers.

The Report also suggests that repeated failure to comply with take-down requirements should be taken as evidence of non-compliance with the duty of care, which could further raise the stakes when dealing with take-down requests.


Bolster eSafety’s investigation and information powers, including to provide eSafety with flexibility to conduct investigations as it sees fit.

In particular, the OSA should be amended to:

  • Facilitate the use of technological tools to assist with investigations and content removal, and the use of sock-puppet accounts;
  • Incorporate the monitoring and investigations provisions of the Regulatory Powers Act into the Act;
  • Initiate investigations regarding compliance with the duty of care; and
  • Initiate investigations into reposted material that was previously reported and taken down.

Allow eSafety to disclose information to Commonwealth agencies and departments or international authorities.

In particular, disclosure by eSafety should be permitted to:

  • Any head of a Commonwealth agency or department;
  • International authorities; and
  • Teachers, school principals, parents or guardians regarding complaints from a child about image-based abuse (as can be done for child cyberbullying).

If implemented, these changes will significantly alter the enforcement landscape. In particular, eSafety would be empowered to take action to enforce systemic obligations under the duty of care across the online industry (eg to require compliance with risk assessments, undertake risk measurement and reporting, provide transparency reports, cooperate with investigations etc). While much of eSafety’s role to date has been focussed on transparency and education, there may well be a pivot towards greater intervention and active enforcement in future.

The Report also raises a number of other suggestions for enhancing eSafety’s role to ensure that it is able to operate as an effective regulator in this space. Additional key recommendations include that:

  • Additional powers should be considered to hold individual end-users (in addition to service providers) accountable, such as by suspending or removing account privileges and in serious cases prohibiting end-users from engaging in certain types of online activity
  • Australia should explore options for requiring a domestic ‘legal’ presence for major platforms (addressing potential concerns about accountability for international service providers who do not currently have any physical presence in this country)
  • The Government should consider options for introducing a licensing scheme for major services as a condition for operation
  • There be a major campaign to ‘re-launch’ eSafety in order to raise national awareness of online safety issues and eSafety’s role in addressing these
  • eSafety should be restructured according to a ‘Commission model’, where the board is responsible for collectively making decisions (rather than a single member regulator, as under the current model) and is supported by a dedicated and appropriately resourced legal team (consistent with the greater focus on enforcement!), corporate management and IT systems
  • Develop a cost recovery mechanism, such as an industry levy, to fund the cost of regulating industry. This would raise complex issues, such as which entities should be required to cover the cost and how the cost would be calculated and shared across industry in an equitable manner (eg whether based on number of Australian users, or revenue generated in Australia, or a combination of these or other metrics).

What’s next?

The Report acknowledges that the reforms it contemplates are broad and that implementation will be complex. Accordingly, its final recommendation is for the Government to separate the reforms into tranches of smaller legislative projects. If the Government takes this approach, the Report recommends prioritising the reforms that will result in the most substantial and immediate online safety protections for Australians, namely the new duty of care and the structural reforms to eSafety.

One brief but important recommendation is that Australia should work to align and cooperate with international partners on enforcement. The report acknowledges that Australia’s enforcement of online safety laws will be most effective if it is ‘interoperable’ and coordinated with like action by international partners in other jurisdictions, such as the UK and EU. Duplicative, fragmented, or inconsistent regulatory activity in online safety remains a key risk of digital platforms.

From a Government perspective, beyond restating its intention to legislate a digital duty of care, the Minister’s media release does not make any further commitments. Rather, it simply indicates that the Government is ‘continuing to carefully consider all recommendations put forward in the report’ and ‘will respond in due course’.

It seems highly unlikely that there will be material developments before the looming federal election. Nevertheless, we will be following along closely to keep you up to date. You can also keep up-to-date with the KWM Tech Regulation Tracker here.