Frequently asked questions about applying the correct industry standard or code

Services can fit within more than one industry section and/or definition in the Act. This was recognised by industry in the Head Terms to the Phase 1 Codes, which state:

• ‘Where a single electronic service could fall within the scope of more than one industry code or industry standard, the relevant industry participant will only be required to comply with one code or industry standard, as the case may be, for that electronic service.’

eSafety considers that Parliament also expressly envisaged services meeting multiple definitions in the Act. The definition of a designated internet service in section 14 of the Act applies to the exclusion of services that are also social media services and/or relevant electronic services (Section 14(1)(c) and (d)). Were it the case that only one definition could apply to a service, these clauses would not have been necessary. Parliament decided not to include a similar exclusion in the definition of a relevant electronic service, thereby providing that a service can meet the definition of both a social media service and a relevant electronic service.

As set out in the examples on this page, it is often the case that a service will meet both the definition of a social media service and a relevant electronic service under the Act. 

The Act has always specified that industry standards prevail over industry codes to the extent of any inconsistency (section 150 of the Act). 

Subsection 5(2) of the RES Standard provides that the Standard applies to all services which meet the definition of a relevant electronic service to the exclusion of any industry code. This clause was drafted to provide clarity to service providers regarding which code or standard applies to any given service. 

This was changed following the consultation on the draft RES Standard, which contained a predominant functionality test. eSafety received submissions from service providers that said that this ‘predominant functionality test’ risked confusion and advocated for a predominant or primary purpose test instead. For example, see the submission from the Digital Industry Group (DIGI).

eSafety was concerned that a predominant purpose test risked the presence of high-risk features (including messaging and chat) in relation to Class 1A and Class 1B material, not being a relevant factor in determining which code or standard applies where interactions between end-users through these features were not the ‘predominant purpose’ of a service. A service with a relatively ancillary/minor messaging or chat features can still pose significant risks to vulnerable groups in relation to these features. Indeed, it is often the co-mingling of social and messaging features that creates the risk of ‘discovery’ of children for harms such as child sexual abuse, as well as radicalisation in relation to pro-terror material.

eSafety was also concerned about ‘forum shopping’ should a predominant purpose test apply.
Given this, and service providers’ submissions about a lack of clarity, eSafety determined that subsection 5(2) was clearer if it provided that the RES Standard operated to the exclusion of any industry code and was more likely to lead to positive safety outcomes than a predominant purpose or predominant functionality test.

The requirements of the SMS Code and RES Standard are highly aligned (see pages 69-70 of the Phase 1 Industry Standards Regulatory Guidance), such that eSafety does not anticipate that significant changes are required from most providers regarding services that were previously regulated under the SMS Code. Indeed, these providers are likely to be better placed, having already uplifted their safety processes to comply with the SMS Code over the course of 2023 and 2024 than other services who were not covered by that code. As eSafety’s regulatory guidance also sets out, some of the requirements in the RES Standard also reduce the regulatory burden on industry, for example the RES Standard does not require annual compliance reports by default. 

eSafety considers that for services which meet the definition of a relevant electronic service, the application of the RES Standard, rather than the SMS Code, will provide for better safety outcomes. In particular, it will require that the systems, processes and technologies used are appropriate, and disruption and deterrence is effective, with development programmes that ensure these capabilities are enhanced over time. 

Under section 13A of the Act, a relevant electronic service includes:  

• ’(b) an instant messaging service that enables end users to communicate with other end users;
• (e) a chat service that enables end users to communicate with other end users;’

If a service is specifically designed to allow instant messaging or chat, eSafety considers it will meet the definition of an instant messaging service or chat service.

eSafety considers that the following characteristics are synonymous with both instant messaging and chat:

• real time or near instantaneous communication
• communication that is one to one or one to group.

An instant messaging or chat service is a relevant electronic service irrespective of whether instant messaging or chat is prominent or ancillary to other elements of the service.

The Act does not define ‘service’, ‘instant messaging service’ or ‘chat service’. However, the explanatory memorandum to the Online Safety Bill outlines that a relevant electronic service includes:

• ’a service that enables end-users to communicate with other end-users by email; instant messaging; short message service (SMS); multimedia message service (MMS); or a chat service or a service that enables end-users to play online games with other end-users.’

In eSafety’s view, this makes it clear that enabling instant messaging between end-users is sufficient for a service to be an instant messaging service, regardless of how prominent the instant messaging feature is.

While the explanatory memorandum does not provide the same clarity regarding a chat service, eSafety takes a similar view.

The Act does not define the term ‘chat service’ or provide clarity on what services are intended to be captured. It is also not considered in extrinsic material to the Act. eSafety also considers the term does not have a technical meaning. As such, eSafety has interpreted the term based on its ordinary meaning.

eSafety considers that chat services include services that enable real-time, near-instantaneous communication that is either one to one or one to group. This includes text-based, video and/or voice chat communication. 

There is substantial overlap between the characteristics of instant messaging services and chat services, and therefore many services may be both an instant messaging service and a chat service. 

Key differences between instant messaging services and chat services include how closed or open the group is as well as its size. Chat services will often be much easier for an end-user to join, with the groups generally being open to any users with the link. Group messaging within an instant messaging service will generally require a person to create the group with any new users being added by existing participants. As a result of this, and more generally as a matter of design, chat services will often allow a greater number of users to be included in the group than instant messaging. An additional difference is that instant messaging services are likely to be text-based (but may enable voice and video, and image/video sharing), whereas chat services may occur via text, video and/or voice. 

Both chat services and instant messaging services directly facilitate or replicate spoken conversation – this is a key differentiator between those services and generally posting or commenting on a page or forum. A feature that can be used for posting or commenting by service users more broadly or members of the public generally is not a characteristic of a chat service. 

Practically, this means that not every service that has a feature branded as ‘chat’ or ‘live chat’ is a chat service for the purposes of the Act. For example, if comments on a livestream video can be left by wider end-users of a service, and/or users can continue to comment or post on a livestreamed video after the stream has ended, this suggests that the comments are more akin to posting on a public page than ‘chat’ as part of a ‘chat service’.

Service A contains:

• a personalised feed with material posted by users
• the ability to find, add and follow ‘friends’
• the ability to send direct or ‘instant’ messages to those friends
• users tend to use their real names, and post about their daily lives and interests. Posts can be shared publicly or privately with preapproved followers. Users often use the instant messaging feature to organise in-person catch ups, share memes and videos, and just chat.

Service B enables:

• users to post and comment on text, photos, videos and link
• posts are organised into comment boards centred around a common theme (for example, fashion, trains)
• unlike Service A, users tend to use pseudonymous handles

Service B has a one-to-one instant messaging feature that is limited and rarely used on the service. The feature only enables users to send text, and users can only use the messaging feature once they have gained enough points by posting and commenting on message boards.

In both Service A and Service B, the instant messaging feature is wholly integrated in the service – it is accessed from within the same mobile app, and the same account and terms of service are used for the social feed and instant messaging features.

Regardless of the differences in features, usage and centrality of the instant messaging feature to the user experience, both Service A and Service B would meet the definitions of both a social media service and a relevant electronic service. Service A and Service B would meet the definition of a relevant electronic service by virtue of being both an instant messaging service and a chat service.

Both services would have had to comply with the SMS Code until 22 December 2024, after which they were required to comply with the RES Standard.

The SMS Code mentions some features of services, such as livestreaming, in relation to the risk assessment methodology guidance provided in clause 5(d) of the SMS Code. Despite this guidance, service providers can develop a risk assessment methodology of their choosing. 

The SMS Code’s minimum compliance measures do not apply to any specific features – such as livestreaming, messaging, posting – but instead apply across a service. 

eSafety therefore does not consider the SMS Code is any more appropriate than the RES Standard for ensuring the safety of end-users on a service with features such as livestreaming. Indeed, the RES Standard includes provisions, such as that disruption and deterrence is effective that means that it is likely to lead to better safety outcomes than the SMS Code. 

eSafety recommends that service providers first determine whether their service meets a defined category in the RES Standard. These are listed at Section 12 of the RES Standard, from items 3-8, and are defined under Section 6. 

If te service does not fall under any defined category, the service provider is required to carry out a risk assessment, as outlined in Section 7 of the RES Standard. Alternatively, the service provider can automatically determine the risk profile of the service to be Tier 1 without carrying out a risk assessment, as outlined in subsection 7(9) of the RES Standard.

The risk assessment must be carried out in relation to the service as a whole, even if the functionality that brings the service within the definition of a relevant electronic service is only a part of the service as a whole. Subsection 7(8) of the RES Standard states the service provider must assess:

• ‘the risk that class 1A material or class 1B material will be solicited or accessed by, or distributed to, end-users in Australia using the service, or will be stored on the service.’

Whether a service is a Tier 1, Tier 2, or Tier 3 RES depends on whether the service is assessed as high, medium or low risk, in accordance with the methodology, risk factors and indicators required by the RES Standard (see Sections 7 and 8).

The Act provides that a service that meets the definition of a social media service or relevant electronic service cannot also be a designated internet service (see Sections 14(1)(c) and (d)). Therefore, if a service meets the definition of a relevant electronic service, for example by virtue of facilitating chat or instant messaging between end-users, it is a relevant electronic service, and not a designated internet service.

This is a feature of the Act and not changed by the Phase 1 Codes and Standards. This will remain the case for Phase 2 codes and standards and applies to other requirements under the Act.

A service may align with a defined category in the DIS Standard, but be subject to the RES Standard.

For example, Service C may facilitate the storage and sharing of files between end-users. This kind of service would ordinarily align with the end-user managed hosting service category in the DIS Standard. End-user managed hosting service is defined in Section 6(1) of the DIS Standard.

If, as part of that same service, end-users can communicate by chat or instant messaging, then that service is likely to be regulated under the RES Standard and not the DIS Standard.

Alternatively, if the chat or instant messaging functionality is provided by the service provider through a separate service to the file storage and sharing service, then the provider will be subject to the RES Standard in relation to the chat/instant messaging service and the DIS Standard in relation to the file sharing service.

As stated on page 14 of the Phase 1 Standards Regulatory Guidance, service providers should have regard to the following non-exhaustive factors to assist in distinguishing one service that they provide from another:

• The presence of a separate sign-up process, including terms and conditions, for each service.
• The method(s) by which end-users can access each service (for example, whether via the same website or application).
• The functionality of each service and the level of integration of the functionality between the services (such as, what the service can do).

Sections 14(1)(c) and (d) of the Act provide that a service that meets the definition of a social media service or relevant electronic service cannot also be a designated internet service. Therefore, if a service meets the definition of a social media service, it is a social media service, and not a designated internet service.

A service is a social media service if it meets the conditions in Section 13(1)(a) of the Act. These are:

• the sole or primary purpose of the service is to enable online social interaction between two or more end-users
• the service allows end-users to link to, or interact with, other end-users, and
• the service allows end-users to post material on the service.

A designated internet service may meet some, but not all, of the conditions set out in section 13(1)(a) of the Act for a social media service.

For example, Service D is a pornography site which meets the definition of a high impact designated internet service (which is defined in Section 6(1) of the DIS Standard), and also enables end-users to post pornographic content and to interact through comments sections linked to this content. However, Service D does not have a sole or primary purpose to enable online social interaction between two or more end-users. As not all of the conditions set out in the Act for a social media service are met, the service is not a social media service and would be a designated internet service.

In other cases, a service that aligns with a designated internet service category may meet the definition of a social media service.

For example, Service E meets the definition for a social media service and also offers a chatbot functionality. This chatbot may align with the high impact, generative AI, designated internet service category, which is defined in Section 6(1) of the DIS Standard. Even though that feature means the service might ordinarily meet the high impact generative AI designated internet service definition, if the feature is integrated into the social media service and is not considered a separate service, then the service as a whole (including the generative AI component) would be regulated under the SMS Code. This is because the Act provides that a service that meets the definition of a social media service or relevant electronic service cannot also be a designated internet service – see the Online Safety Act 2021 (Cth), subsections 14(1)(c)-(d).

Generally, if a service changes its features or functionality in a way that changes its applicable code or standard, requirements under the new code or standard apply immediately upon that feature being added or removed. 

However, the RES and DIS Standards require a service provider, prior to providing a relevant electronic service or designated internet service to end-users in Australia, to carry out a risk assessment of the service within 6 months before starting to provide the service (unless it falls within a category that is not required to undertake a risk assessment), as outlined in subsection 7(4) of the RES Standard, and subsection 7(4) of the DIS Standard. 

This means a service that becomes a relevant electronic service or designated internet service, through the addition or removal of a feature, should have identified its compliance requirements and comply with all relevant requirements at the time the service becomes a relevant electronic service or designated internet service. 

The SMS Code does not specifically envisage a scenario in which a new social media service is provided after the Code has commenced. However, it does outline that where a risk assessment is required, the service provider must conduct a risk assessment as soon as reasonably practicable. See SMS Code, clause 4.1(c), and Head Terms clause 5.2. 

Note: Tier 3 social media services are not required to conduct a risk assessment.

What is reasonably practicable will depend on the circumstances. eSafety considers that within one month of providing the service will usually be an appropriate period to carry out a risk assessment. However, it is desirable for service providers becoming a social media service to conduct their risk assessment prior to providing the service – timing that is consistent with requirements under the Phase 1 Standards. 

The Basic Online Safety Expectations, known as ‘the Expectations’ or ‘BOSE’, apply to all social media services, relevant electronic services and designated internet services. 

Under the Expectations, as under the Phase 1 Codes and Standards, a service provider can be both a social media service and a relevant electronic service. Nothing has changed in this regard. The only change is which Phase 1 code or standard applies where a service is both a social media service and a relevant electronic service.

The BOSE requires providers to take reasonable steps, taking into account the nature and risks of the service. The steps a service provider is expected to take under the BOSE reflect the nature of the service and not whether a service is categorised as a social media service or a relevant electronic service. 

If a service has a messaging functionality, the service provider is expected to take reasonable steps in relation to user safety for that feature under the Expectations, like any other feature.

The Online Safety Amendment (Social Media Minimum Age) Act 2024 created a new definition under Section 63C of the Act of an ‘age-restricted social media platform’. The designation of a service as an age-restricted social media platform does not affect how a service is defined for the purpose of Phase 1 Codes and Standards. Some services will meet the definitions of a social media service in section 13 of the Act, a relevant electronic service in section 13A and an age-restricted social media platform in section 63C. 

Services that fall into the definitions of both social media services and relevant electronic services have to comply with the RES Standard.

More information:

• Phase 1 Codes (Class 1A and Class 1B Material) Regulatory Guidance, page 14.
• Phase 1 Standards (Class 1A and Class 1B Material) Regulatory Guidance, pages 15-16.

Actions taken by service providers in order to comply with the SMS Code will assist in ensuring compliance with the RES Standard because the minimum compliance measures in the SMS Code are largely applicable to the RES Standard.

eSafety will not undertake any enforcement activity until six months has lapsed from the Standards coming into effect, other than in exceptional circumstances, that is 16 June 2025.

Requirements on providers to assess their categorisation or risk profiles, and implement the Standards, still apply in the first six months.

eSafety will not enforce requirements on Tier 1 social media services which also constitute relevant electronic services to submit annual code compliance reports for the first year of industry codes operation (ending 16 December 2024).

More information:

• Phase 1 Codes (Class 1A and Class 1B Material) Regulatory Guidance, pages 14-15. 

This currently applies to the Phase 1 Codes and Phase 1 Standards and not the proposed Phase 2 codes.

The degree of alignment with Phase 1 will depend on how the Phase 2 codes, Head Terms and potentially standards develop. eSafety will develop regulatory guidance on Phase 2 after the registration of Phase 2 codes and/or standards.

More information:

• Phase 1 Standards (Class 1A and Class 1B Material) Regulatory Guidance, pages 15-16.