What the Digital Duty of Care Means for Australian Businesses

Australia is rebuilding its online safety regime around a single obligation: a digital duty of care. The duty will require providers of online services to take reasonable steps to prevent foreseeable harm to Australian users, rather than reacting to complaints after the harm occurs. If your business operates a platform, app, marketplace, or any service with user interaction, this reform will shape your obligations. As a cybersecurity lawyer in Melbourne, I explain who the duty captures, what it requires, and what directors should do now.

What Is the Digital Duty of Care?

The duty originates from the independent statutory review of the Online Safety Act 2021 (Cth), conducted by former ACCC Deputy Chair Delia Rickard PSM. Her report reached government in October 2024 and found that the current Act is reactive: it relies on individual complaints to the eSafety Commissioner and after-the-fact content removal, which leaves a structural gap. On 14 April 2026, the Federal Government released its response and accepted, in whole or in part, the large majority of the review’s recommendations, including the duty. The Department of Infrastructure has since published its framework for the duty. Draft legislation is expected later in 2026, followed by a twelve-month transition period before commencement. The eSafety Commissioner will administer the duty.

The Harms the Duty Will Target

The duty will not operate in the abstract. The Government intends to legislate enduring categories of harm that providers must assess and address. The categories signalled to date are harms to young people, harms to mental wellbeing, the instruction and promotion of harmful practices, and other illegal content, conduct, and activity. Across all of these, the best interests of the child will be treated as a primary consideration. A provider will therefore need to answer a practical question for each category: which features of my service create or amplify this risk, and what am I doing to reduce it?

Who Does the Duty of Care Apply To?

This is the question most business owners answer incorrectly. The duty is risk based and proportionate. It applies to providers of online services regulated by the Act wherever there is a risk of harm to Australians. It is not confined to global platforms such as Meta or TikTok. The decisive factor is functionality, not size. Your business may be captured if your service enables user interaction, hosts user-generated content, provides messaging or search, distributes apps, or offers an AI chatbot feature. A niche community app, a gaming platform with chat, or an education tool with social features can fall within scope. The same expansive approach already applies under the social media minimum age regime, which commenced on 10 December 2025.

What “Reasonable Steps” Will Require

The duty turns on a familiar legal test: reasonable steps. The standard scales with risk, so a higher-risk service carries a heavier burden. In practice, reasonable steps include:

  • Conducting and documenting regular risk assessments, including before any significant change to your service.
  • Embedding safety by design into the product, rather than adding controls after launch.
  • Applying age assurance and access controls where children risk encountering harmful material.
  • Publishing and enforcing clear terms of use, with accessible reporting and complaint tools.
  • Resourcing adequate trust and safety personnel to oversee the service.

High-reach and high-risk platforms will carry additional obligations, including annual risk assessments, public transparency reporting, and a dedicated compliance function.

What the Online Safety Codes Already Require

The duty is not yet law, but a working preview already binds many providers. The Phase 2 industry codes took effect in two tranches, on 27 December 2025 and 9 March 2026, and apply the same risk-based logic the duty will adopt. Each provider must self-assess into one of three risk tiers, then meet obligations that rise with the tier. For moderate and high-risk services, those obligations include age assurance before access to pornography, self-harm material, or high-impact violence, default safety settings for child users, enforceable terms, reporting tools, and sufficient safety staff. Services with an AI companion chatbot carry a heavier burden again, and a separate code for search engines commenced with the first tranche on 27 December 2025. Providers who treat these codes as their compliance baseline will be well placed for the duty.

How Australia’s Duty Compares Overseas

The Australian model is not novel. It draws on the European Union’s Digital Services Act and the United Kingdom’s Online Safety Act 2023, both of which require large services to assess systemic risks and mitigate them, backed by substantial penalties. Those regimes also give users direct rights: in the EU, a person can complain to the platform, which must act, and can escalate to a regulator if it refuses. Two practical points follow. The conduct expected of Australian providers is already visible in overseas enforcement, which gives in-scope businesses a benchmark now. A business operating across these markets should also align its safety systems once, rather than build a separate Australian process.

Penalties and Director Exposure

The stakes are material. The Phase 2 codes already carry civil penalties of up to A$49.5 million. For the duty itself, the Government has signalled higher maximums, with figures of up to A$100 million reported for serious or systemic breaches, although the precise enforcement settings remain to be finalised. Penalties are only part of the exposure. As the Medlab decision confirmed, courts and regulators treat governance failures as a board-level matter. A director who cannot evidence active oversight of online safety faces personal scrutiny, not only a corporate fine.

What You Should Do Now

A reasonable steps defence depends on evidence, not intentions. The provider that can produce dated risk assessments, records of its chosen mitigations, and minutes showing board oversight stands in a far stronger position than one asserting good faith alone. The transition period is for building that record. I advise in-scope businesses to take the following steps:

  • Classify your service. Confirm whether you are an online service provider regulated by the Act and identify your likely risk tier.
  • Run a gap analysis against the obligations already in force, including the Phase 2 codes and the social media minimum age regime.
  • Document your risk process. Record each assessment, the harms identified, and the steps taken in response.
  • Reconcile safety with privacy. Age assurance must not become unnecessary data collection. Favour tokenised verification that does not retain identity documents.
  • Review insurance and vendor contracts. Confirm that your cyber and directors’ and officers’ (D&O) policies respond to online safety penalties, and that third-party providers contractually carry the security burden they create.

Frequently Asked Questions

Is the digital duty of care law yet?

No. The Government has committed to the duty and released a framework, but draft legislation is expected later in 2026, followed by a twelve-month transition period.

Does the duty of care apply to small businesses?

It can. The duty applies by reference to the functionality and risk of your service, not your turnover. A small platform with user interaction may be captured, while a larger business with no online service is not.

How does the duty differ from the under-16 social media ban?

The minimum age regime is a specific rule about who may hold an account. The duty of care is a broad, ongoing obligation to prevent foreseeable harm across the entire service.

About Blaine Hattie

Blaine Hattie is a Principal in Commercial Transactions at Sutton Laurence King Lawyers. He advises businesses on transactions and finance with a special interest in technology, cybersecurity, digital media, defamation, and artificial intelligence.


A Note on the Information We Share

Reading this information does not create a lawyer-client relationship between you and SLK Lawyers. This only occurs with a formal written agreement. Content is current at publication and applies to Victorian law unless stated otherwise. It is general information only and not a substitute for specific legal advice. Strict time limits apply to legal claims. You should seek immediate legal advice on your specific situation to ensure your rights are protected.