The Online Safety Act: A potential STRIKE for many unsuspecting businesses
New digital safety regulations for all Australian businesses, a December deadline for compliance, and a vast lack of awareness among business leaders is a potential strike for many companies.
In most cases there are no exemptions for small businesses, which means that almost all start-ups and scale-ups are captured under this new regulation.
The leaders have no idea this is coming, and it’s coming for most small businesses as well as numerous large established companies.
Under the Online Safety Act 2021, there are new codes and standards for how online businesses must protect users from class 1 content online and this compliance will come into effect on the 22nd December 2024, with codes for class 2 content following swiftly.
Class 1 content refers to highly harmful and prohibited online material (i.e. content that promotes or depicts child sexual exploitation or abuse, terrorist acts or violent extremism, advocacy of suicide or self-harm, non-consensual intimate images, or extreme violence).
No business with an online presence can ignore these new codes, and plans to start developing your compliance documentation and risk management protocols need to be underway - or else you risk a financial or reputational strike.
To give you a snapshot of how important this is, any business that enables User or Product Reviews, provides an Online Forum, or enables Peer-to-Peer communication will have new obligations under this new compliance regime.
Here are some examples of the companies I am involved in that must now comply, which previously did not even have to think about it:
KERB - because their technology enables photos and screenshots to be uploaded to their platform. KERB is a parking technology company. No exemption.
Mozaik Play - because they enable peer-to-peer communication and users to upload content to their platform. Mozaik Play is a student marketplace for the creative industries. No exemption.
Torqn - because they provide a mix of an online forum and product reviews as well as content uploads. Torqn is a knowledge network for industrial plant & equipment. No exemption.
Now think about the DIY forum that Bunnings offers (Bunnings is a chain of hardware stores), or the content upload service for printing that Officeworks and Kmart offer (Officeworks is a chain of stationery retailers, and Kmart has typically been seen as a homewares retailer), and you start to get the picture of how many, if not most, businesses with an online presence will have significant new compliance requirements under the new Codes. No exemptions!
This also means that any company that has an online presence that releases new software features has to consider whether the new features they are releasing affect their classification or compliance requirements. That has never been the case before.
There are a host of new and complex obligations - based on service classification - now required of unsuspecting business leaders, and non-compliance could lead to fines or penalties after 22nd December 2024.
That's 47 days away.
Why should you care?
Big tech companies are under a lot of scrutiny to start protecting their users better, and many are taking major reputational hits as a result. Well known Australian businesses that don’t consider themselves a technology business, but now have significant compliance obligations, could come under reputational fire for not doing the bare minimum to demonstrate compliance.
Start-ups and scale-ups looking to raise money or win big contracts could find themselves under investor or due diligence scrutiny in the same way these stakeholders look for ISO certifications. The question being asked is: “is this business operationally prepared to manage its technology risks and obligations in the future?”
What do I do now?
Understanding this new compliance roadmap is critical, and your 2025 planning needs to take your new obligations into account.
This guide is designed to help you chart a course through the requirements of the Online Safety Act, focusing on how to evaluate your service classification, align with online safety expectations, and prepare for impending legislation.
Think of it as a decision flowchart with actionable insights - steps that will keep you prepared and protected as the regulatory landscape evolves - so you can avoid a Strike in the form of penalties or fines for non-compliance.
I’d also recommend that you reach out to an expert consultancy like Policy Australia, who can support you with your basic requirements, right through to operational implementation and risk assessments.
Starting Point: Online Safety Act Compliance Decision
The first decision every platform must address is straightforward but critical: which of the six codes and two standards does your service fall under?
[Image: Understanding more about the 8 services in the Online Safety Act 2021, image by Policy Australia]
This choice defines which safety standards you must meet and affects which legislative updates will apply to you down the road.
Good news: depending on how your service is classified, your obligations might be relatively minor right now and may only require supporting documentation of your chosen classification and a completed risk assessment. But as more safety standards are imposed in the next few months, this may change.
Basic Online Safety Expectations (BOSE)
In addition to the Codes and Standards, the government has also established the Basic Online Safety Expectations (BOSE), which will apply to most online businesses:
Under the BOSE, platforms must meet a baseline of online safety expectations outlined by the Online Safety Act. These foundational requirements are designed to protect users across the digital space, covering a range of critical areas:
User Safety: Develop user-facing tools that allow quick reporting of harmful content and clear communication on safety features.
Transparency in Moderation: Ensure content moderation policies are visible and effective, with proactive measures for high-risk content types.
Risk Reduction: Implement internal mechanisms to identify, address, and report on dangerous or illegal content in line with BOSE.
Suggested Action: Conduct a comprehensive internal review of current practices to ensure BOSE compliance. Being ready for these expectations helps meet the minimum standards now and anticipates future additions.
Need a hand with this? I have used Policy Australia to support the businesses I am involved with. Policy Australia is a specialist consultancy that is spearheading advice and implementation for Australian businesses of all sizes.
Contact them directly on: pateam@policyaustralia.com.au
Final Thoughts
I have been involved in a number of start-ups that were operating in regulated industries and they had higher costs and higher complexity from day one compared to start-ups that operate in unregulated industries. These new regulations capture many more start-ups who previously did not have to deploy any of their resources towards regulatory compliance. The first thing I want to do is make everyone aware, then ensure people take action so no one gets hit with a fine or a penalty!
Some extras for you.
Pending Legislation and Bills Before Parliament
New and proposed bills threaten to add further layers of compliance for digital platforms. Several bills are in various stages of approval and could bring significant shifts in operational requirements.
Staying ahead of these proposals enables early adaptation and can mitigate compliance burdens down the line.
Mis/Disinformation Bill
Scope: Designed to curb the spread of disinformation, this bill is particularly concerned with digital communications platforms. With no exemptions for small businesses, this legislation will require most digital platforms to implement active measures against the spread of false information.
Recommended Action: Prepare a draft request for exemption if applicable, especially if your business is part of a coalition that may advocate for small business concessions. Active participation in discussions with policymakers could also help shape the bill’s enforcement mechanisms to reflect the nuances of your business model.
Scams Bill
Impact: Currently, this bill applies to SMS (social media service) platforms, but DIS (designated internet service) platforms could be included at the discretion of the Minister in future amendments. Its primary focus is on reducing fraudulent activity, obligating SMS providers to detect and prevent scams on their user networks.
Next Steps: If you’re an SMS platform, early preparation is key. Establish scam detection capabilities now and consider implementing user reporting tools that allow for quick response to flagged content. DIS platforms should also stay updated on this bill’s progress, as the extension of requirements to DIS entities is a possibility.
Cybersecurity Legislation
New Requirement: A mandatory ransomware attack reporting regime is expected, though the threshold - likely tied to revenue - has not yet been determined. Given rising cyber threats, it’s expected that this legislation will require companies to be more vigilant and transparent in cyber incident reporting.
Action Item: If your business might meet the threshold, consider preparing a cybersecurity incident response framework that includes ransomware. Having reporting and response mechanisms in place will streamline compliance if you become subject to these requirements.
Privacy Act Amendments
Current Impact: Most small businesses may be out of scope due to revenue thresholds, though the amendments include important anti-doxxing provisions that could affect data handling practices, even for exempted companies.
Review Needed: A minor review of data protocols, particularly concerning anti-doxxing measures, is advised. While changes may be minimal, confirming that data policies align with these privacy standards will ensure there are no surprises later on.
Social Media Age Ban
Implications: Primarily targeted at SMS, this proposed age restriction aims to enforce an age limit for platform use, possibly expanding to other service types in future amendments. Without a clear exemption for small businesses, the age ban could require age verification systems even on smaller platforms if classification criteria evolve.
Plan Ahead: Begin exploring age verification technologies if you’re in the SMS category, and monitor this legislation closely. Platforms under the DIS category should remain attentive to future amendments that may extend age restrictions.
A Phased Approach to Regulatory Preparedness
Confirm Classification: Reassess regularly whether your platform is classified as an SMS or a DIS. Misclassification could lead to overlooked obligations and penalties.
Meet BOSE Requirements: Early compliance with BOSE ensures your platform meets the minimum standards now and positions you for smoother adaptation to new regulations.
Monitor Legislation: Keep tabs on pending bills and proposed legislation, from the Mis/Disinformation Bill to the Cybersecurity Legislation. Draft exemption requests and engage with industry coalitions early, especially if small business concessions could reduce your compliance burden.
Build Flexibility into Compliance Systems: Since regulations will likely evolve, establishing a flexible infrastructure for compliance can reduce future disruptions. Consider automated monitoring, age verification, and reporting tools that can be scaled or adjusted as needed.
And, as always, let me know what you think!
The impact on company directors in Australia, including startup founding directors, will be significant. They will be required to approve compliance and obligations, holding them personally accountable. Do boards possess the necessary knowledge to confidently sign off?