Senate debates

Thursday, 28 November 2024

Bills

Online Safety Amendment (Social Media Minimum Age) Bill 2024; In Committee

10:55 pm

Andrew McLachlan (SA, Deputy-President)

Order! Senators, pursuant to the order agreed to earlier today, the time for consideration of the bill in detail has expired. The question now is that the government amendments on sheet SY115 be agreed to.

Question agreed to.

The question now is that the Australian Greens amendments on sheet 3201 be agreed to.

Australian Greens' circulated amendments—

(1) Clause 1, page 1 (line 6), after "Age", insert "and Digital Duty of Care".

(2) Schedule 1, page 3 (before line 4), before item 1, insert:

1A At the end of section 3

Add:

; and (c) to impose reporting obligations on providers of online services regulated by this Act about the number of Australian end-users of those services; and

(d) to impose obligations on large providers of online services regulated by this Act to identify, mitigate and manage the risks of harm or detriment from those services to Australian end-users.

1B Section 4 (before the paragraph beginning "The complaints system for cyber-bullying")

Insert:

    (3) Schedule 1, item 2, page 3 (after line 15), after the definition of age-restricted user in section 5, insert:

    key personnel of a provider: see section 5C.

    large provider of a regulated online service: see section 5B.

    regulated online service: see section 5A.

    (4) Schedule 1, page 3 (after line 18), after item 3, insert:

    3A After section 5

    Insert:

    5A Meaning of regulated online service

    For the purposes of this Act, each of the following is a regulated online service:

    (a) a designated internet service;

    (b) a relevant electronic service;

    (c) a social media service.

    5B Meaning of large provider

    For the purposes of this Act, a provider is a large provider of a regulated online service if:

    (a) the provider provides the service during a calendar year to any one or more of the following:

    (i) a total number of Australian end-users equal to or greater than 10% of the population of Australia;

    (ii) 2.6 million or more Australian end-users;

    (iii) 630,000 or more Australian end-users that are children; and

    (b) the Minister, by notice given to the provider and published on a website maintained by the Department, determines that the provider is a large provider.

    5C Meaning of key personnel

    For the purposes of this Act, an individual is one of the key personnel of a provider if:

    (a) the person holds a position in, or relating to, the provider; and

    (b) because of that position, the person has actual or effective senior executive responsibility:

    (i) for management or control of the provider; or

    (ii) for management or control of a significant or substantial part or aspect of the operations of the provider.

    3B Section 25 (after paragraph a)

    Insert:

    (aa) monitoring and enforcing the obligations of providers of regulated online services; and

    (5) Schedule 1, page 4 (after line 12), after item 6, insert:

    6A After Part 2

    Insert:

    Part 2A — Minimum obligations of providers and key personnel of regulated online services

    Division 1 — Simplified outline of this Part

        (a) duty of care obligations; and

        (b) the key personnel obligations; and

        (c) the risk assessment obligations; and

        (d) the risk mitigation obligations; and

        (e) the transparency obligations; and

        (f) the end-user privacy and control obligations.

          Division 2 — Providers must comply with obligations

          28A Obligations of all providers

          A provider must comply with its reporting obligations under Division 3.

          Civil Penalty: The greater of 100,000 penalty units or 10% of the annual turnover of the provider during the period of 12 months ending at the end of the month in which the provider contravened, or began to contravene, the provision.

          28B Obligations of large providers

          In addition to its obligations mentioned in section 28A, a large provider must also comply with each of the following:

          (a) its duty of care obligations under Division 4;

          (b) its key personnel obligations under Division 5;

          (c) its risk assessment obligations under Division 6;

          (d) its risk mitigation obligations under Division 7;

          (e) its transparency obligations under Division 8;

          (f) its end-user privacy and control obligations under Division 9.

          Civil Penalty: The greater of 100,000 penalty units or 10% of the annual turnover of the provider during the period of 12 months ending at the end of the month in which the provider contravened, or began to contravene, the provision.

          Division 3 — Reporting obligations

          28C The reporting obligations of all providers

          (1) The reporting obligations of a provider of a regulated online service are to publish the following information on a publicly available website:

          (a) the total number of Australian end-users of the service during a month, averaged over the last 6 month period (the reporting period);

          (b) the number of Australian end-users of the service that are children during a month, averaged over the last 6 month period (the reporting period).

          within the period provided under subsection (2) and in accordance with the requirements under subsection (3).

          Note: For the consequences of a contravention of these requirements, see section 28A.

          (2) For the purposes of subsection (1), the period is:

          (a) for the reporting period ending immediately before 1 July 2025—1 July 2025; and

          (b) for each successive reporting period—within 30 days of the end of that period.

          (3) For the purposes of subsection (1), the information must:

          (a) be in the form required by the legislative rules; and

          (b) contain the details required by the legislative rules.

          Division 4 — Duty of care obligations

          28D The duty of care obligations of large providers

          The duty of care obligations of a large provider of a regulated online service are:

          (a) to take reasonable steps to conduct its business (including the design of systems and processes relevant to providing the service), and to provide the service, with honesty and integrity, and with due skill, care and diligence; and

          (b) in conducting its business (including the design and operation of systems and processes relevant to providing the service) and providing the service, to take reasonable steps to prevent matters from arising that would (or would be likely to) cause harm or detriment to Australian end-users of the service.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          Division 5 — Key personnel obligations

          28E The key personnel obligations of large providers

          (1) A large provider must notify the Commissioner if any of the following events occurs:

          (a) an individual becomes one of the key personnel of the provider;

          (b) an individual ceases to be one of the key personnel of the provider.

          (2) The notification must:

          (a) be given within 14 days after the event occurs; and

          (b) be in the form approved by the Commissioner; and

          (c) if the notification is of an individual becoming one of the key personnel of the provider—be accompanied by a signed declaration that the individual:

          (i) is a fit and proper person; and

          (ii) is a resident of Australia; and

          (iii) meets the requirements (if any) set out in the legislative rules.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          Division 6 — Risk assessment obligations

          28F The risk assessment obligations of large providers

          (1) A large provider of a regulated online service must undertake an assessment (a risk assessment) that identifies and assesses the risks associated with providing the service.

          (2) Without limiting subsection (1), the provider must have regard to the following matters in undertaking a risk assessment:

          (a) the dissemination of illegal and harmful materials;

          (b) the dissemination of online scams;

          (c) negative effects on electoral processes and public security;

          (d) negative effects on civil and political rights, such as political freedoms, freedom of opinion and expression;

          (e) negative effects on gender-based violence, children's best interest, public health;

          (f) serious negative consequences to Australian end-users, including their physical and mental wellbeing;

          (g) the matters (if any) specified in the legislative rules.

          (3) Without limiting subsection (1), the provider must consider the following systems in undertaking a risk assessment:

          (a) recommender systems and any other relevant algorithmic systems;

          (b) content moderation systems;

          (c) terms and conditions and their enforcement;

          (d) systems for selection and presenting advertisements;

          (e) relevant data related practices of the provider.

          (4) The provider must exercise due diligence in undertaking the risk assessment.

          (5) A risk assessment must be consistent with any relevant standards made under section 28G.

          Provider must review and update risk assessments

          (6) A large provider must review its risk assessment for the purpose of identifying and assessing any new or changed risks:

          (a) if either of the following occur:

          (i) the Commissioner communicates to the provider information that identifies or assesses risks associated with providing the service;

          (ii) circumstances specified in the legislative rules; and

          (b) in any event—at least once every 3 years.

          (7) A large provider must update its risk assessment to address any issues identified by a review as soon as practicable after the review is completed.

          Notification and publication requirements

          (8) A large provider must, as soon as practicable after the end of each financial year:

          (a) give the Commissioner a copy of its risk assessment as prepared under subsection (1) or updated under subsection (7); and

          (b) publish that risk assessment on a publicly available website.

          (9) A risk assessment given or published under subsection (7) must be accompanied by a report including the following:

          (a) details of the risks identified;

          (b) indications of the severity of the risks;

          (c) measures of the scale of the risks in Australia;

          (d) a risk mitigation plan about managing and mitigating the risks in accordance with Division 7.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          28G Commissioner may make standards

          (1) The Commissioner may, by legislative instrument, make one or more standards about requirements for risk assessments.

          Note: For varying or revoking a standard, see subsection 33(3) of the Acts Interpretation Act 1901.

          (2) Without limiting subsection 33(3A) of the Acts Interpretation Act 1901, standards under subsection (1) may provide differently for different kinds of entities, things or circumstances.

          Division 7 — Risk mitigation obligations

          28H The risk mitigation obligations of large providers

          Risk mitigation policies, procedures and systems

          (1) A large provider of a regulated online service must have policies, procedures and systems to monitor, manage and mitigate risks associated with providing the service.

          (2) The policy, procedure or system must be consistent with any relevant standards made under section 28J.

          Risk mitigation plans and measures

          (3) A large provider of a regulated online service must prepare a risk mitigation plan in relation to risks identified in a risk assessment prepared by the provider under section 28F.

          (4) The plan must identify measures to manage and mitigate those risks.

          (5) Without limiting subsection (4), such measures may include any one or more of the following:

          (a) changing the design, features or functioning of the regulated online service, including the online interface;

          (b) changing the terms and conditions and their enforcement;

          (c) changing content moderation processes;

          (d) testing and changing algorithmic systems, including recommender systems;

          (e) changing advertising systems, including the way advertisements are targeted at or presented to Australian end-users;

          (f) improving internal business processes to maximise safety;

          (g) collaborating with other digital services;

          (h) taking targeted measures to improve child safety, such as age assurance or parental control tools;

          (i) taking into account the best interests of children when making decisions;

          (j) ensuring information and evidence about potential illegal activities is appropriately recorded and reported.

          (6) The plan and the measures must be consistent with any relevant standards made under section 28J.

          Providers must implement measures

          (7) The provider must take reasonable steps to implement those measures.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          28J Commissioner may make standards

          (1) The Commissioner may, by legislative instrument, make one or more standards about either or both of the following:

          (a) requirements for policies, procedures and systems to monitor, manage and mitigate risks;

          (b) requirements for risk mitigation plans and measures.

          Note: For varying or revoking a standard, see subsection 33(3) of the Acts Interpretation Act 1901.

          (2) Without limiting subsection 33(3A) of the Acts Interpretation Act 1901, standards under subsection (1) may provide differently for different kinds of entities, things or circumstances.

          Division 8 — Transparency obligations

          28K Annual transparency report

          (1) A large provider of a regulated online service must prepare a report (a transparency report) in respect of the 12 month period ending immediately before 1 July 2025 and each consecutive period of 12 months.

          (2) A transparency report in respect of a period must include the following information:

          (a) metrics about design, features and functioning of the service;

          (b) metrics about access of the service by Australian end-users that are children;

          (c) metrics about online scams, including Australian end-user reporting and response times;

          (d) metrics about child sexual exploitation and abuse;

          (e) metrics about content moderation;

          (f) details about measures to prevent and deal with misuse;

          (g) details about monthly number of Australian end-users;

          (h) details about advertising on the service;

          (i) the information (if any) required by the legislative rules.

          (3) A transparency report in respect of a period must be published on a publicly available website within 30 days of the end of that period and in accordance with the requirements under subsection (4).

          (4) For the purposes of subsection (3), the report must:

          (a) be in the form required by the legislative rules; and

          (b) contain the details required by the legislative rules.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          28L Compliance audits

          (1) The Commissioner may appoint or establish a person or body that is independent of the Commissioner to conduct an audit (a compliance audit) of a large provider of a regulated online service for the purpose of determining whether the provider is complying, or has complied, with this Part.

          (2) The provider must:

          (a) cooperate fully with the auditor in relation to the compliance audit; and

          (b) provide the auditor with all reasonable facilities and assistance in relation to the compliance audit.

          (3) This section does not limit any of the other powers or functions of the Commissioner or ACMA.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          28M Making research data accessible to researchers

          Researchers may request research data

          (1) Subsection (2) applies if a researcher that is:

          (a) either:

          (i) affiliated with an Australian research organisation (including an academic entity or not-for-profit organisation); or

          (ii) an Australian resident or permanent resident of Australia; and

          (b) undertaking research for non-commercial purposes;

          requests a large provider of a regulated online service to give, or make accessible, research data that is:

          (c) collected using the service; and

          (d) already established and maintained for the purposes of research.

          Note: Examples of research data include research API access schemes.

          Provider must ensure access to research data

          (2) The provider must ensure that the research data is accessible to the researcher:

          (a) as soon as reasonably practicable after the request is made; and

          (b) where technically possible, in real-time.

          (3) However, subsection (2) does not apply in relation to research data that includes:

          (a) protected information; or

          (b) personal information (within the meaning of the Privacy Act 1988); or

          (c) any information the disclosure of which the provider reasonably considers might cause a significant security vulnerability for the service.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          28N Public Information Register

          (1) A large provider of a regulated online service must establish and maintain a register to be known as the Public Information Register.

          (2) The register must contain the following information:

          (a) information included in a report published by the provider under section 28C;

          (b) information included in a risk assessment (including a risk mitigation plan) published by the provider under section 28F;

          (c) information included in a transparency report published by the provider under section 28K;

          (d) information (if any) prescribed by legislative rules made for the purposes of this paragraph.

          (3) The provider must ensure that:

          (a) a person may access the register to search for information contained in the register; and

          (b) the register is operational at all times.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          Division 9 — End-user privacy and control obligations

          28P The end-user privacy and control obligations of large providers

          The end-user privacy and control obligations of a large provider of a regulated online service are:

          (a) to ensure that privacy settings for Australian end-users of the service default to maximum privacy protections; and

          (b) to ensure that Australian end-users of the service can opt to reset or disable engagement based content recommender systems; and

          (c) to ensure that Australian end-users of the service can opt out of targeted advertising.

          Note: For the consequences of a contravention of these requirements, see section 28B.

          Division 10 — Obligations of key personnel of large providers

          28Q Obligations of key personnel of large providers

          A person who is one of the key personnel of a large provider must conduct the responsibilities of their position:

          (a) by acting with honesty and integrity, and with due skill, care and diligence; and

          (b) by dealing with the Commissioner and ACMA in an open, constructive and cooperative way; and

          (c) by taking reasonable steps in conducting those responsibilities to prevent matters from arising that would (or would be likely to) result in a material contravention by the provider of this Act or the legislative rules.

          Penalty: 500 penalty units

          (6) Schedule 1, page 11 (after line 4), after item 13, insert:

          13A Before paragraph 164(1)(a)

          Insert:

          (aa) section 28A;

          (ab) section 28B;

          13B Before paragraph 165(1)(a)

          Insert:

          (aa) section 28A;

          (ab) section 28B;

          13C Before paragraph 182(4)(a)

          Insert:

          (aa) section 28G;

          (ab) section 28J;

          13D After paragraph 182(4)(zb)

          Insert:

          (zba) section 194A;

          13E After paragraph 183(2)(zb)

          Insert:

          (zba) the number of notices given by the Commissioner under section 194A during that year;

          13F At the end of section 193

          Add:

            13G After section 194

            Insert:

            194A Commissioner may obtain information or documents etc.

            Scope

            (1) This section applies to a person if:

            (a) the person is a large provider of a regulated online service; and

            (b) the Commissioner believes on reasonable grounds that the person has information or a document that is relevant to the operation of Part 2A (minimum obligations of providers and key personnel of regulated online services).

            Commissioner may require information or documents

            (2) The Commissioner may, by written notice given to the person, require the person to:

            (a) give to the Commissioner any such information; or

            (b) produce to the Commissioner any such documents; or

            (c) attend an interview with the Commissioner, including to make a statement or answer questions.

            (3) The notice must:

            (a) if the notice requires the person to give information or produce a document or thing—specify:

            (i) the period (which must be at least 14 days after the notice is given to the person) within which the person is required to comply with the notice; and

            (ii) the manner in which the person is required to comply with the notice; and

            (b) if the notice requires the person to attend an interview—specify:

            (i) a time and place at which the person is to attend; and

            (ii) the nature of the matter to which the interview will relate.

            194B Copies of documents

            The Commissioner may:

            (a) inspect a document produced under subsection 194A(2); and

            (b) make and retain copies of, or take and retain extracts from, such a document.

            13H Section 195

            After "section 194", insert "or 194A".

            13I Subsections 196(1) and (3)

            After "section 194", insert "or 194A".

            13J At the end of subsection 221(2)

            Add:

            ; or (i) a notice under subsection 194A(2).

Question negatived.

I will now deal with the amendments circulated by Senator David Pocock on sheets 3205, 3206 and 3207.
