The Federal Government’s focus on addressing online harms that impact young people continues in the Privacy and Other Legislation Amendment Bill 2024 (Bill) which proposes a Children’s Online Privacy Code (Code).
The Bill was introduced into the Commonwealth House of Representatives on 12 September 2024 and followed the Federal Government’s announcements on:
- 10 September 2024: to introduce legislation before the end of 2024 to enforce a minimum age for access to social media and other relevant digital platforms, and
- 22 November 2023: that it commenced a statutory review into the operation of the Online Safety Act 2021 (Cth). The report is due to the Federal Minister for Communications by 31 October 2024.
This article relating to the Code is part of our series of articles summarising key elements of the Bill.
The Privacy Act 1988 (Cth) (Act) does not currently contain any specific protections for children. The Privacy Act Review Report 2022 (Review Report) noted that this is of concern because children are increasingly being ‘datafied’. The Review Report however also notes that children will use the internet for access to information, freedom of expression and association. The issue is how they can do this alongside protections that aim to address their vulnerability to online harm.
In response, the Bill introduces two potential protections:
- that a definition of child (being an individual under 18) be included in the Act for the first time; and
- that the Australian Information Commissioner develop a Code.
The Code
The introduction of a Code will build on the Australian Privacy Principles (APPs) setting out how the APPs apply or are to be complied with in relation to the privacy of children and mirror international developments in the UK, Ireland and California. All have implemented stricter protections of children’s privacy through children’s online privacy codes.
Part 4 of the Bill sets up the framework for development of the Code but leaves the specific content to be determined by the Australian Information Commissioner.
In summary, the Australian Information Commissioner must:
- develop the Code and in doing so may consult with children, child welfare organisations, the eSafety Commissioner and the National Children’s Commissioner;
- make available a draft of the Code for public consultation and invite the public to make submissions;
- consult with the eSafety Commissioner and the National Children’s Commissioner before registering the Code on the Codes Register which is a publicly available register on the Office of the Australian Information Commissioner (OAIC) website; and
- register the Code within 2 years from the day of the Bill’s Royal Assent.
Will the Code apply to all organisations?
An organisation that is an APP entity under the Act will not necessarily be subject to the Code.
The Code is proposed to apply to social media services, relevant electronic services or designated internet services, as well as other services likely to be accessed by children unless they are services providing a health service. The OAIC can also specify within the Code itself which APP entities are and are not covered.
OAIC Position
The OAIC has released commentary on the approach it intends to take when developing the Code stating its ultimate objective will be to find ways to protect children through stronger privacy protections rather than prevent children from being able to access the digital world.
How to prepare and further reforms on the horizon
It is expected the UK Children’s Code will be used as the model for drafting the Code. It sets out 15 standards of age appropriate design reflecting a risk-based approach. The UK Children’s Code was specifically referenced in the Review Report and the OAIC has already indicated it will look to align the Code with the UK model.
Further, a number of the Review Report proposals that have not found their way into the Bill, but were agreed-in-principle in the Government Response to the Review Report, could be introduced within the Code itself. These include:
- developing child appropriate privacy policies and collection notices; and
- having regard to the best interests of the child when collecting, using and disclosing children’s personal information.
The OAIC has already noted that the Code might set out how to tailor privacy policies and collection notices for children to ensure they are clear and easy to understand and if it does align with the UK Children’s Code it is notable that it has as its first standard:
Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
For organisations that provide online services likely to be accessed by children it would be prudent to review the UK Children’s Code to consider what changes may need to be made prior to the introduction of the Code in Australia and always have regard to the best interests of the child when designing online services that are likely to be accessed by children.
For organisations that provide online services which are unlikely to (but potentially could) be accessed by children, or organisations that consider they are health services, we still suggest it is important to review the UK Children’s Code and keep up to date with development of the Code by the OAIC. Having regard to the Federal Government and the OAIC’s intention to protect young people from online harms it should not come as a surprise if the group of entities to be bound by the Code is expanded in the future and implementing age-appropriate design is always good privacy practice.
This article was written by Karen Keogh, Head of Pro Bono, Partner and Maddison Crawford, Law Graduate.
