Last Thursday, in a late-night sitting to finish off the parliamentary year, the Federal Parliament passed the Online Safety Amendment (Social Media Minimum Age) Bill 2024 (the Bill) following an expedited, one-week journey through the upper and lower houses, Senate committee and the public arena.
The Bill, which was introduced by the Minister for Communications, Michelle Rowland (the Minister), on 21 November 2024, represents a world-first ban on young people holding social media accounts and follows significant public discourse around the risks of social media to young people and the most effective responses to minimise those risks.
Under the Bill, individuals in Australia under the age of 16 (called age-restricted users) will be restricted from accessing certain social media platforms in an effort to, as the Explanatory Memorandum describes, safeguard the “health and wellbeing of the youngest users of social media platforms” and “to protect, not isolate, young Australians”.
The Bill is designed to require social media platforms to prevent age-restricted users from registering accounts on ‘age-restricted social media platforms’ (age-restricted SMPs), with significant penalties for platforms who do not take reasonable steps to prevent such access. The Bill amends the Online Safety Act 2021 (Cth) (OSA), which already provides heightened safety measures in the online space not only for young Australians, but for the Australian population more broadly, and will be administered by the eSafety Commissioner.
What social media platforms are covered by the ban?
The Bill defines an age-restricted SMP as an electronic service that satisfies the following conditions:
the sole or significant purpose of the service is to enable online social interaction between 2 or more end-users
the service allows end-users to link to, or interact with, some or all of the other end-users
the service allows end-users to post material on the service
any other conditions set out in legislative rules (made by the Minister).
This definition is broad and covers the vast majority of social media and other platforms with online interaction capabilities in Australia (when applied in its current state without any further conditions set out in the rules). The Minister may also specify certain electronic services as either age-restricted SMPs, or explicitly not age-restricted SMPs (following consultation with the eSafety Commissioner and any other Commonwealth authorities or agencies they see fit).
However, the Bill does not include any requirement for the Minister (or eSafety Commissioner) to engage with social media providers or the public about whether such providers or services should or should not be covered by the ban. Currently, the only categories of platform the Federal Government has indicated will be excluded under legislative rules are messaging apps, online gaming services, and services with the primary purpose of supporting the health and education of end-users. Platforms which do not make material on their service accessible to, or delivered to, one or more end-users in Australia are not covered by the Bill.
What do age-restricted SMPs have to do?
In order to comply with the Bill, age-restricted SMPs must (among other obligations):
Take reasonable steps to prevent age-restricted users having accounts with the age-restricted SMP – there will be a grace period for a maximum of 12 months for compliance with this obligation following the Bill becoming law and the Bill makes clear that this obligation applies to both new accounts registered by age-restricted users, as well as existing accounts as at the date of commencement.
Not collect or use government-issued identification material (such as passports and driver licences) for the purposes of determining a user’s age.
Only use personal information obtained for the purpose of complying with the reasonable steps obligation to determine whether a user is an age-restricted user. Personal information may also be used where the relevant individual has otherwise provided their consent to the use of that information, or an exception under the Privacy Act 1988 (Cth) (Privacy Act) applies.
Destroy any personal information collected for the purpose of determining whether an individual is an age-restricted user after such determination has been made – if such information is not destroyed, this will be considered an interference with the privacy of the individual under the Privacy Act.
‘Reasonable steps’
Significantly, the Bill does not contain any detail about what ‘reasonable steps’ might be. The Explanatory Memorandum states, at a minimum, age-restricted SMPs will be required to implement a form of age assurance process to identify whether a prospective account holder is under the minimum age:
Whether an age assurance methodology meets the ‘reasonable steps’ test is to be determined objectively, having regard to the suite of methods available, their relative efficacy, costs associated with their implementation, and data and privacy implications on users, amongst other things.
Guidelines to assist in determining what would be considered reasonable steps will be prepared by the eSafety Commissioner during the grace period. There is no express obligation in the Bill for eSafety to engage with social media providers, children or other relevant parties in establishing the guidelines, although such engagement is highly likely.
The Bill further indicates that the guidelines are not legislative instruments. As such, the guidelines are likely to be principles-based and will provide age-restricted SMPs with flexibility and scope around how to take reasonable steps specific to the service they provide. The Explanatory Memorandum notes the guidelines are also likely to be heavily based on the government’s three-phase age assurance trial which is due to conclude next year.
Regulatory powers under the Bill
The eSafety Commissioner is granted various functions and powers under the Bill, including:
As indicated above, the formulation and promotion of guidelines outlining the reasonable steps that age-restricted SMPs should take to prevent age-restricted users from having accounts on their platform.
The power to obtain information in respect of a provider’s compliance with the ‘reasonable steps’ obligation, and to obtain any information relevant to:
Whether the service should or should not be specified as an age-restricted SMP.
Any use of information not permitted to be collected under the Bill.
The power to prepare and publish a statement on the eSafety website in respect of an age-restricted SMP’s failure to comply with the reasonable steps obligation or if it has used information in a way which infringes privacy.
Additionally, where an age-restricted SMP has used, disclosed or failed to destroy information in a way that the Information Commissioner considers is an interference with privacy, the Information Commissioner may prepare and publish a statement on its website (in a similar manner to the eSafety Commissioner as outlined above).
Enforcement
There are significant penalties proposed under the Bill in respect of non-compliance by age-restricted SMPs, including penalties for:
Providers who do not take reasonable steps to prevent age-restricted users from having accounts – with a penalty of up to $49.5 million (for corporations, being 150,000 penalty units).
Collecting information not permitted to be collected (as specified in the rules) or collecting government-issued identification materials for the purposes of taking reasonable steps – with a penalty of up to $49.5 million.
Not complying with the eSafety Commissioner’s notice to provide information – with a penalty of up to $825,000 for corporations (or 2,500 penalty units) for non-compliance.
The eSafety Commissioner may also issue infringement notices, enforceable undertakings and injunctions in respect of any breach of the age-restricted SMPs' obligations to take reasonable steps and comply with notices.
The Bill does not impose any penalty on age-restricted users who register an account with an age-restricted SMP by circumventing its age assurance processes. Rather, the Bill penalises the platforms for not taking reasonable steps to prevent such users from registering accounts.
Consultation and response
The introduction of a social media ban for under 16-year-olds has been the subject of significant discussion throughout Australia as well as globally, with many vocal advocates both for and against the ban. In addition to heated discourse around the ban itself, significant discussion has also arisen in relation to the process taken by the Federal Government to pass the Bill.
The Bill was passed in a highly expedited process. Following tabling of the Bill on 21 November, it was referred to the Senate Standing Committee on Environment and Communications (the Committee) on the same day, with the tabling of the Committee’s report and passage of the Bill through both houses completed by the morning of 29 November. Various interested parties, including many senators, have criticised this accelerated process and questioned whether the Bill has undergone sufficient engagement and consultation with relevant parties, most importantly children themselves.
Despite this short consultation period, the Committee received approximately 15,000 submissions (107 of which have been published) from a variety of social media platform providers, public interest advocacy groups focused on both youth issues and technological safety, individuals, academics, and governmental departments and agencies.
Privacy concerns and the privacy impact of the ban on young people have been key topics of discussion, with the Office of the Australian Information Commissioner (OAIC) submitting that the introduction of age-restrictions would have privacy impacts for all Australians, as age-assurance checks would need to be conducted on all individuals, not just those who may be age-restricted users. Privacy Commissioner, Carly Kind, in a personal LinkedIn post further warned about the risks of such a ban, stating:
“Social media platforms will no longer need to be made safe for children, so for the many who are able to circumvent the ban, they will potentially find themselves in even more depraved places” and that in her position as Privacy Commissioner, “the widespread privacy implications of a social media ban have [her] concerned.”
In its submission, the eSafety Commissioner welcomed the opportunity to work closely with the Federal Government and other stakeholders to implement the ban and highlighted its aim of protecting children and young people from online harms. The eSafety Commissioner stressed the importance of engagement with young people, noting:
“As with any reform, it is imperative that we continue to seek meaningful engagement with those who are directly impacted by change as it is implemented. This means continuing to listen to and be informed by the voices of children and young people as much as possible.”
The Australian Human Rights Commission also raised concerns, namely with respect to the potential negative human rights impacts of the ban. While it supports protecting children from the harms associated with social media, it queried the effectiveness of a blanket ban and outlined the importance of alternative responses that make the online world a safer space. It has also aligned with the OAIC’s concerns around the privacy impacts for Australians, which are likely to have been somewhat mitigated by the restriction on collecting government-issued identification materials for the purposes of age assurance.
What’s next?
As for next steps, the eSafety Commissioner will be responsible for drafting guidelines for the taking of reasonable steps to prevent age-restricted users from registering accounts on age-restricted SMPs. While the timeline for preparation and release of these guidelines is unclear, they will need to be finalised ahead of the obligations to take reasonable steps coming into effect sometime in the 12 months following the Bill coming into law. The government will also want to ensure that its age assurance trial is complete so that it can use the results from the trial to inform the guidelines. We consider it likely that we will hear more about these guidelines in the new year and will continue to provide updates as this law is implemented.
Interestingly, the government appears to have used this Bill as a vehicle to discreetly pass other changes to the OSA, namely an increase to the maximum penalties for non-compliance with industry codes and standards, from 500 penalty units (or $825,000) to 30,000 penalty units (or $49.5 million) for corporations. This broadly aligns with the maximum penalties imposed for significant breaches under the Australian Consumer Law and the Privacy Act, further demonstrating the government’s aim of standardising penalties for significant breaches of law.