A close-up of Australia’s regulatory approach to data governance, content moderation, competition and more.
This is the thirteenth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Australia strives to become a top 10 digital economy by 2030, according to its Digital Economy Strategy. The Strategy foresees investments of AUD 1.5 billion (approx. USD 994 million) to build the foundation for growing the digital economy. The Australian Bureau of Statistics estimates that digital activity, including digital enabling infrastructure, digital media, and e-commerce, accounted for 6.1% of total economic value in 2021 (AUD 118 billion, approx. USD 78.2 billion).
But what do Australia’s domestic digital policies stand for? The thirteenth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Australia-specific points of emphasis.
In data governance, Australia aims to reform its Privacy Act and introduce new data transfer mechanisms, recently increased penalties and enforced rules on privacy and data breaches.
In content moderation, Australia enacted unique regimes on online safety and content remuneration and is deliberating measures against mis-/disinformation.
In competition, Australia is deliberating changes to merger rules for digital platforms, approved several mergers and conducted two market inquiries in digital sectors.
Jump directly to the section that interests you most:
Discover the details of Australia’s regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Tommaso Giardini and Tania Pierotic. Edited by Johannes Fritz.
Australia is currently deliberating the reform of the Privacy Act, the comprehensive personal information protection law that introduced the Australian Privacy Principles (APP). The reform would expand the definition of personal information to any information relating to an individual, introduce a Children’s Online Privacy Code, and create new data subject rights, e.g. to object. Since December 2022, the Privacy Act threatens higher penalties, namely the highest of AUD 50 million (approx. USD 33.1 million), three times the value of benefits obtained by the violation or 30% of local turnover. A current proposal aims to enable “action initiation” in the Consumer Data Right framework for sectoral data portability. In 2021, the Attorney General proposed an online privacy code for online platforms and data brokers, which did not advance to date.
In February 2023, a discussion paper suggested that the 2023-2030 Cybersecurity Strategy should cover regulatory frameworks, international cooperation, and cybersecurity breach response, among other topics. In October 2022, following the large-scale Optus data breach, the government announced an amendment to the Telecommunications Regulations 2021. The amendment would enable cooperation between telecommunications providers, financial institutions and state agencies to reduce cyber risks, including via personal information sharing.
Australia requires sectoral data localisation, e.g. regarding health records. For data transfers, the Privacy Act demands entities to ensure that the receiver provides substantially similar personal information protection. The reform would establish transfer mechanisms, i.e. adequacy, certification and standard contractual clauses, and require entities to inform subjects on what data is transferred and how it is protected. In addition, in December 2021, Australia signed an agreement with the United States which, subject to legislative approval, would enable data transfers for the prosecution of serious crimes, e.g. terrorism and child sexual abuse.
The Office of the Australian Information Commissioner (OAIC) is the main privacy enforcement agency and issues secondary legislation, e.g. on the Australian Privacy Principles. In addition, the Australian Competition and Consumer Commission (ACCC) covers the intersection of information and consumer protection, while the Australian Communications and Media Authority (ACMA) oversees communications and media services.
The OAIC pursues enforcement unilaterally and in cooperation with other agencies. In March 2023, the High Court revoked a special leave to appeal in the OAIC’s investigation against Facebook/Meta for disclosing Australians’ personal information to Cambridge Analytica. In March 2023, the Administrative Appeals Tribunal confirmed the finding of the OIAC and the United Kingdom’s Information Commissioner’s Office that Clearview AI must cease the collection of Australians’ images and delete existing images, for failing to obtain consent for collecting sensitive information, among others. Currently, the OAIC is investigating the Optus data breach with the ACMA and the Latitude data breach with New Zealand’s Office of the Privacy Commissioner. In August 2022, the Federal Court fined Google AUD 60 million (approx. USD 39.7 million) for misleading users on how to disable the collection of location data, in a case brought by the ACCC. In December 2022, the Federal Court dismissed a similar ACCC case regarding changes to Google’s privacy policy, denying the misleading of users to obtain consent.
Since January 2022, the Online Safety Act imposes content moderation obligations (“schemes”) for various online service providers, such as social media services, electronic services (including messaging and gaming), internet service providers, search engines and app stores. The Act formulates Basic Online Safety Expectations, specified by guidance, regarding the minimisation of harmful content and the establishment of complaint mechanisms. The Act further empowers the eSafety Commissioner to issue content removal notices, to which platforms must respond within 24 hours, and request industry-specific online safety codes. In June 2023, the eSafety Commission rejected two codes and requested a revision to the search engine code.
Since March 2021, the News Media and Digital Platforms Mandatory Bargaining Code regulates mandatory bargaining on news content remuneration between news organisations and “digital platforms”. Media companies can initiate remuneration negotiations with digital platforms concerning all news content following specific procedures, including arbitration. Digital platforms must notify operative changes that may impact news content.
Currently, Australia is deliberating the draft Combatting Misinformation and Disinformation Bill. The Bill establishes a framework for “digital platform services” to address “misinformation” and “disinformation”, providing definitions for the three terms. The Australian Communications and Media Authority could gather information, request recordkeeping and impose a compulsory code of conduct. In April 2022, the Social Media (Anti-Trolling) Bill, aiming to classify social media services as “publishers” subject to liability for defamatory content, was rejected.
The eSafety Commissioner regularly requests information and content removal from digital service providers. In June 2023, the eSafety Commissioner requested information from Twitter on its policies to prevent and address online hateful conduct. In February 2023, the eSafety Commissioner requested Twitter, TikTok, Google, Twitch and Discord to disclose their measures to tackle online child sexual abuse as well as their algorithms’ role in amplifying harmful content. In August 2022, a similar request on child sexual abuse material addressed Apple, Meta (and WhatsApp), Microsoft (and Skype), Snap and Omegle. In June 2022, the eSafety Commissioner issued content removal notices to several websites, regarding the Buffalo shooting, and informally requested Google and Microsoft to remove links thereto.
Court proceedings concerning third-party content liability focus on defamatory content. In August 2022, the High Court ruled that Google is not liable for hyperlinking to a defamatory article, i.e. not the publisher of the websites linked in its search results. In September 2021, the High Court ruled that (news) companies can be liable for defamatory comments by third parties on their social media page.
The Competition and Consumer Act 2010 prohibits behaviours, including mergers and unilateral conduct, that can substantially lessen competition. Since November 2022, the Treasury Laws Amendment (More Competition, Better Prices) Act 2022 widely prohibits unfair contract terms, removing financial thresholds for assessing contracts. In August 2021, the Australian Competition and Consumer Commission (ACCC) proposed reforms regarding merger rules, which have not yet advanced. The proposals include a consolidation of the current multi-channel merger review process and a specific merger review for “large digital platforms”, with lower thresholds for the establishment of competitive harm and the duty of notification.
The ACCC conducts market inquiries in digital sectors. Currently, the Digital Platform Services Inquiry investigates digital platforms such as search engines, social media services, private messaging services, and content aggregation services, until March 2025. The interim reports have examined the impact of social media services, general online retail marketplaces, market dynamics and consumer choice in search services and web browsers, and the expansion of digital platform ecosystems. Published in September 2021, the final report of the Digital Advertising Services Inquiry found that Google’s large market share in all four advertising service markets (advertiser ad servers, demand-side platforms, supply-side platforms and publisher ad servers) and vertical integration in the ad tech supply chain have a negative effect on competition. The ACCC released six recommendations including increased transparency requirements and additional enforcement powers in digital markets.
The ACCC further pursues enforcement of both unilateral conduct and merger rules. In April 2022, the Federal Court fined Uber AUD 21 million (approx. USD 14 million) in an ACCC investigation into misleading warning messages. Uber had threatened cancellation fees during the five-minute “free cancellation period”. Regarding mergers, the ACCC has issued a joint statement with British and German authorities emphasising strict controls in digital markets. In the past years, the ACCC approved several mergers, including Google/Mandiant, Microsoft/Activision Blizzard and Meta/Kustomer.
Australia considers artificial intelligence (AI) a critical technology in the national interest and is a founding member of the Global Partnership on Artificial Intelligence. The June 2021 AI Action Plan identifies four focus areas for Australia’s AI ambitions: developing AI to transform businesses, attracting AI talent, using AI to solve national challenges, and making Australia a global leader in responsible and inclusive AI. Previously, the 2019 AI Roadmap identified three areas of AI specialisation: health, ageing and disability; towns, cities and infrastructure; and natural resource management.
Recently, the policy focus shifted to the development of responsible AI, as evidenced by the June 2023 discussion paper on Safe and Responsible AI in Australia. The paper outlines proposals to mitigate AI risks and support the development of safe and responsible AI. The consultation inquires on potential regulatory gaps, unidentified AI risks, types of AI systems to be banned, and suitable transparency requirements. The currently debated Combatting Misinformation and Disinformation Bill aims to tackle the spread of misinformation and disinformation on digital platforms through artificial intelligence services and bots. Finally, in June 2021, the Federal Court ruled that an AI system can be the inventor of a patent.
Australia strives to advance international digital trade in both trade agreements and novel forms of international cooperation. Australia is party to the Comprehensive and Progressive Trans-Pacific Partnership (CPTPP) and the Regional Comprehensive Economic Partnership (RCEP), which both contain a chapter on electronic commerce. Since September 2022, Australia participates in negotiations for the Indo-Pacific Economic Framework (IPEF) which is expected to cover digital trade. In addition, Australia has enacted a digital economy agreement with Singapore and a free trade agreement (including a digital trade chapter) with the United Kingdom. In 2023, the signing of the upgraded ASEAN-Australia-New Zealand Free Trade Area is expected, aiming to support electronic commerce and digital transformation, among others.
In terms of regulatory cooperation, Australia is part of the Global Online Safety Regulators Network, with Fiji, Ireland and the United Kingdom, and the Quad Cybersecurity Partnership, with Japan, India, and the United States. Australia further signed a Memorandum of Understanding regarding cooperation on unsolicited communications, with South Korea, the Netherlands, the United Kingdom and New Zealand, and a fintech agreement, with Singapore.
In April 2023, the Attorney-General of Australia banned TikTok on government devices based on the Protective Security Policy Framework. The binding direction to government departments and agencies prohibits the installation and use of TikTok, to be implemented “as soon as practicable”. Previously, the government issued a 5G Security Guidance to Australian carriers, warning of vendors that may be subject to foreign government directions, citing security concerns. The notice effectively (but not explicitly) banned network equipment from Chinese providers Huawei and ZTE.
In February 2023, the Australian government outlined its three-stage approach to regulate crypto assets: strengthening enforcement, bolstering consumer protection, and establishing a framework for reform. Introduced in March 2023, the Digital Assets (Market Regulation) Bill 2023 would create a regulatory framework for cryptocurrency exchanges, custody services, and stablecoin issuers. For cryptocurrency exchanges, the Bill introduces a licensing requirement. For custody services and stablecoin issuers, the Bill requires minimum capital requirements, customer fund segregation, and auditing. Previously, the Budget Paper for 2022-2023 noted that Australia would continue to exclude digital cryptocurrencies from the income tax treatment of foreign currency, but not governmental digital currencies.