Australian Privacy Commissioner Puts Social Media Platforms on Notice with New Guidance

Key Takeaways

• OAIC Publishes New Guidance: Privacy Commissioner Carly Kind warns social media platforms to comply with the SMMA’s privacy provisions.
• Shared Oversight: OAIC handles privacy enforcement, while eSafety oversees access controls for age-restricted platforms.
• Lawful and Proportionate Use: Platforms must apply age assurance methods that respect privacy and limit data collection.
• Transparency and Consent: Personal information must be handled openly, destroyed when no longer needed, and reused only with clear consent.
• Enforcement on the Horizon: The OAIC signaled it will closely monitor compliance and act on privacy breaches.

Deep Dive

Australia’s privacy regulator has reminded social media companies that privacy must remain front and center as new age restrictions come into force later this year. The Office of the Australian Information Commissioner (OAIC) on Friday published regulatory guidance for age-restricted social media platforms and age assurance providers under the forthcoming Social Media Minimum Age (SMMA) scheme, which begins on December 10.

Privacy Commissioner Carly Kind said the new guidance underscores the strict privacy obligations companies face when verifying users’ ages and that regulators will be watching closely.

“Today we’re putting age-restricted social media platforms on notice,” Kind said. “The OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful.”

The OAIC’s guidance lands a month after the eSafety Commissioner released its own framework outlining what “reasonable steps” platforms must take to block underage users. Together, the two regulators are defining the boundaries of a regime that seeks to keep children off adult spaces without creating new risks to personal data.

Kind said eSafety has provided “the rules of the game,” while the OAIC is clarifying what counts as “out-of-bounds” when it comes to handling personal information.

“SMMA is not a blank cheque to use personal or sensitive information in all circumstances,” she warned. “We’ll be actively monitoring platforms to ensure they stay within the bounds by deploying age assurance proportionately and lawfully.”

The new guidance instructs platforms to choose age-verification methods that are necessary and proportionate, minimize data collection, and destroy personal information once the purpose of verification has been fulfilled. It also reminds companies that pre-existing data can only be reused for SMMA purposes under strict consent rules and that transparency is mandatory at every stage.

Failure to meet these obligations could amount to “an interference with the privacy of an individual” and trigger enforcement action.

Further resources are expected in the coming weeks to help Australians understand how their personal data may be handled under the new regime, including guidance for families and children.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.