Industry Codes

Consolidated Industry Codes of Practice for the Online Industry, Phase 1

(Class 1A and Class 1B material)

From September 2021 onwards, the steering group of industry associations developed eight Codes of Practice to protect Australians from Class 1A and 1B content under Australia’s classification scheme.

The development of the Codes was based on the provisions of Part 9, Division 7, of the Online Safety Act and was requested by the eSafety Commissioner.

On 31 March 2023, the group of industry associations submitted the Consolidated Industry Codes of Practice for the Online Industry, Phase 1 (class 1A and class 1B material) for registration to the Office of the eSafety Commissioner. The submitted Codes cover participants across eight key sections of the online industry specified in the Online Safety Act (see below).

Outcome:

On 16 June 2023,  the eSafety Commissioner formally registered the following five Codes:

1. Social Media Services Code
2. Apps Distribution Services Code
3. Hosting Services Code
4. Internet Carriage Services Code
5. Equipment Code

    

   On 12 September 2023, the Commissioner registered the 

6. Internet Search Engine Services Code

as a sixth Code. This Code had been re-submitted to the Commissioner to reflect recent developments in generative AI.
Each of the Codes consists of Head Terms (identical for all six Codes) and a Schedule listing the requirements specific to the respective online section. Electronic copies of the Head Terms and registered Codes can be found further below.

Commencement:

The registered Codes will become enforceable by the Office of the eSafety Commissioner six months after registration, i.e., on 16 December 2023 and 12 March 2024, respectively. Providers of services/equipment who have reasonable grounds for not being fully compliant – such as where significant engineering or system changes are required to comply with a specific requirement a Code – may have an additional six months to comply with that requirement.

Application of the Codes:

What online material is covered by the Codes?

Broadly speaking, the online material covered under the eight Codes is child sexual exploitation and pro-terror material, as well as material that deals with crime and violence, and drug-related content.

Which services/equipment are covered by the Codes?
The following five online sections are covered by the Codes:

1. social media services (e.g. Facebook, Instagram, TikTok);
2. app distribution services used to download apps (e.g. Apple IOS and Google Play stores);
3. hosting services (e.g. Amazon Web Services, NetDC).
4. internet carriage services (e.g. Telstra, iiNet, Optus, TPG Telecom, Aussie Broadband); and
5. manufacturers and suppliers of any equipment that connects to the internet, and those who maintain and install it (e.g. of modems, smart televisions, phones, tablets, smart home devices, e-readers etc).
6. internet search engine services (e.g. Google Search, Bing) 

Do I need to comply – are my services covered?

While each registered Code applies to the entire online section, not all services/equipment in that online section face additional compliance requirements. Roughly speaking, compliance requirements depend on the risk of harm from Class 1A and 1B material associated with a respective service/equipment. Providers of relevant services or those covered by the Equipment Code are advised to check the respective Codes to understand whether further compliance activities for each of their services/equipment are required.

The Preamble of the Head Terms (and other sections of the Head Terms) also provides useful guidance in relation to the applicability of the Codes.

If your services/equipment are covered by a Code, then you are, depending on the Code, required to undertake a risk assessment and, following that risk assessment, compliance measures in accordance with your respective risk category apply. Alternatively, for Codes where no risk assessment is required, compliance measures for different types of services/equipment apply.

• Providers of social media services are advised to check the Social Media Services Code (and Head Terms) to understand their compliance requirements.
• Providers of app distribution services are advised to check the App Distribution Services Code (and Head Terms) to understand their compliance requirements. Note that this Code contains further guidance in relation to the provision of first-party apps vs third-party apps and other factors that may influence whether apps/services are covered by this Code.
• Providers of hosting services are advised to check the Hosting Services Code (and Head Terms) to understand their compliance requirements. Note that this Code contains further guidance in relation to the provision of first-party hosting services vs third-party hosting services and other factors that may influence whether services are covered by this Code.
• Internet service providers are advised to check the Internet Services Code, the Equipment Code (to the extent they manufacture, supply, install or maintain equipment that connects to the internet, including phones, tablets or modems etc.) and Hosting Services Code (to the extent they provide Hosting Services to third parties) and the Head Terms. 
• Manufacturers and suppliers of any equipment that connects to the internet, and those who maintain and install it are advised to check the Equipment Code to understand their compliance requirements. Note that this Code contains further guidance in relation to different categories of equipment. Not all equipment has the same compliance requirements (some has none) and industry participants covered by this Code are advised to check which equipment category and which industry participant category (manufacturer, supplier, installer, maintenance) their equipment/their organisation falls into.
• Providers of internet search engine services are advised to check the Internet Search Engine Services Code (and Head Terms) to understand their compliance requirements.

  
  The eSafety Commissioner declined to register the

• Relevant Electronic Services Code (for relevant electronic services e.g., services used for messaging (including SMS and MMS) services, email, video communications, and online gaming services (e.g. Gmail, WhatsApp, services); and
• Designated Internet Services Code (for designated internet services that includes websites and end-user online storage and sharing services (e.g. Dropbox, Google Drive),

that the group of industry associations had submitted as part of the Consolidated Industry Codes of Practice, on the basis that these two Codes fail to provide appropriate community safeguards in relation to matters that are of substantial relevance to the community.

The Office of the eSafety Commissioner has registered mandatory and enforceable Industry Standards for Relevant Electronic Services and Designated Internet Services.

The Standards, developed by the Office of the eSafety Commissioner, will come into effect on 22 December 2024. Providers of Relevant Electronic Services and Designated Internet Services are advised to visit the website of the Office of the eSafety Commissioner for further detail and a copy of the Standards.

For further information, please contact the group of industry associations at hello@onlinesafety.org.au.