Key legislation regulating metaverse platforms in Australia is:

• the Privacy Act 1988 (Cth) (the "Privacy Act");
• the Competition and Consumer Act 2010 (Cth) (CCA); and
• the Online Safety Act 2021 (Cth) (the "Online Safety Act") and proposed codes under that Act.

The Privacy Act

The Privacy Act regulates the collection and management of personal information by most private sector enterprises in Australia. Generally, the Privacy Act imposes obligations that are similar to, but generally seen as less onerous, than the General Data Protection Regulation (GDPR). 

The extra-territorial operation of the Privacy Act was expanded by amendments made in late 2022. The Privacy Act now applies to acts or practices of an entity occurring outside Australia, even where the relevant entity is not incorporated or created under Australian law, if an “Australian link” exists. This requires the relevant entity to carry on business in Australia. Australian case law provides that “carry on business in Australia” will be interpreted broadly, and may apply to a digital platform, including a provider of a metaverse platform, that is used by individuals in Australia even where the platform does not have a physical presence in Australia.

The Australian government is part way through a consultation process for reform of the Privacy Act that may have significant implications for the metaverse. The significant changes that are proposed include:

• the imposition of enhanced restrictions in high-risk cases, including where sensitive information, or the information of children, is collected and used on a large scale;
• inclusion of a right of erasure, which is not a right currently provided for under the Privacy Act; and

• rights for individuals to take action in the event of a breach of privacy and the potential for class actions to be permitted in the case of breaches. 

The CCA

The Australian competition and consumer protection regulator, the Australian Competition and Consumer Commission (ACCC), has already taken enforcement action against a number of digital platforms for misleading and deceptive conduct, including litigation against Google and Facebook for alleged misleading and deceptive conduct regarding data collection. It would be expected that the ACCC will continue to be vigilant in this area in its supervision of the metaverse.

In addition, the ACCC has proposed that it may recommend to the Australian government to further amend the CCA to clarify that prohibited anti-competitive mergers and acquisitions include so called “killer acquisitions”, where nascent competitors are acquired by existing businesses. This is likely to impact the ability of digital businesses providing metaverse platforms acquiring smaller competitors, which may restrict the ability of those platforms to grow.

The Online Safety Act

The Online Safety Act regulates abuse and harmful content on online platforms. The Online Safety (Basic Online Safety Expectations) Determination 2022 (Cth) was made under the Online Safety Act. That Determination requires, amongst other measures, that regulated entities, including providers of social media services (the definition of which is broad enough to encompass metaverse platforms), will take reasonable steps to ensure that end-users are able to use those services in a safe manner. 

The eSafety Commissioner, the regulator responsible for the enforcement of the Online Safety Act, has already indicated that while the regulator will not mandate the steps that a platform is required to take, addressing safe use of metaverse platforms will be a key area of focus as metaverse platforms develop. 

The Online Safety Act also provides for the development and implementation of codes to regulate particular categories of harmful online conduct. Industry bodies are required to develop the codes, which will be registered by the eSafety Commissioner if these meet certain statutory requirements. As at the beginning of 2023, no codes have been registered, however the Commissioner is currently considering codes which have been submitted by industry bodies including for social media, messaging and search engine providers. These initial codes are likely to be registered during the course of 2023.

Further Reforms

As at the beginning of 2023, the Australian government is consulting on regulatory reforms to be applied to digital platforms, which would include the providers of metaverse platforms. These encompass both competition measures, which may include for example requirements restricting the ability of dominant platforms to engage in self-preferencing and consumer protections, such as restrictions on unfair trading practices, which may apply to limit the ability of metaverse platform providers from collecting consumer data.

Other Legal Issues

Businesses operating on any metaverse platform will need to consider other legal issues, including intellectual property laws and cybersecurity. Australia does not have any specific online intellectual property laws, with general laws, such as the Copyright Act 1968 (Cth), the Trade Marks Act 1995 (Cth) and the Patents Act 1990 (Cth) applying equally in an online environment as in the physical environment. Businesses will need to consider whether extra protections (such as trade mark registrations) are required to protect metaverse related assets. 

There is no specific cybersecurity laws that currently apply to metaverse platforms or other similar services. However, significantly increased penalties were introduced for breaches of the Privacy Act at the end of 2022, which would apply to future cyber-attacks where the relevant business has not adequately protected the personal information it holds. 

Leaving aside consideration of Australia’s critical infrastructure legislation and the regulation of artificial intelligence and the use of big data, which are discussed in 3. Cloud and Edge Computing and 4. Artificial Intelligence and Big Data respectively, Australia does not have laws or regulations that focus solely on the digital economy. Digital economy businesses must comply with economy wide laws and regulation. There are, however, a number of specific legislative and regulatory regimes that have significant implications for certain sectors of the digital economy, some of which are discussed in this response.

Consumer Data Right

Part IVD of the CCA contains the regulatory framework for the Australian Consumer Data Right (CDR). At the time the legislation for this relatively new regime was passed in 2019, the then Australian Treasurer commented that the CDR would be an important building block for “Australia’s data revolution”. 

The CDR has two key elements. First, the ability for customers (whether individuals or businesses) to require that businesses transfer data held about them either to the relevant customer directly or to an accredited third party.  The second element is a requirement for businesses to provide public access to information on specified products that they offer in a standardised format.

Where consumers are able to share data that a business holds about them, this has the potential to assist those consumers to find better products or services, more suited to their needs, from another company. In addition, requiring businesses to provide public data regarding specific products in a standardised format allows consumers to compare products and services more easily.

There are two regulators with primary responsibility for CDR. First, the ACCC which, for example, provides accreditation for CDR data recipients (that is, those entitled to obtain consumer data under the regime) and enforces compliance with the CDR legislation, rules and standards. Secondly, the Office of the Australian Information Commissioner (OAIC) is responsible for enforcing the privacy safeguards and privacy rules that are part of the CDR scheme and providing a complaints resolution service for individuals and small business.

CDR is intended to be applied across all sectors of the economy over time. Since its implementation, CDR has been applied in the banking sector (also known as “open banking”) and, in late 2022, took effect in the consumer energy sector. As at the beginning of 2023, CDR is being rolled out in the telecommunications sector. The Australian government intends to implement CDR in one new sector each year. The next sector to which CDR will be applied after telecommunications is the non-bank lending sector.

The Australian government undertook a review of the effectiveness of the CDR regime in 2022. The review found that CDR is an appropriately supported data-driven innovation with the potential for enhancing competition in the sectors to which CDR is applied. There were, however, concerns raised including for example, that a “sector by sector” roll out may not reflect business models; on occasions friction between the regulators with responsibility for the scheme created difficulties for participants (such as through the receipt of inconsistent advice); and also in relation to the complexity of the scheme, particularly in relation to the process for accreditation of data recipients. 

The review made 16 recommendations. These ranged from taking steps to encourage innovative use cases, to banning screen scraping in sectors where CDR is a viable alternative, to focussing on improving functionality and data quality in sectors that are already designated, rather than moving forward too quickly with other designations. The review also suggested that there could be greater interaction between CDR and the broader digital economy, including by avoiding duplication in areas such as digital payments and digital identities. 

Regulation of Digital Payments and Digital Wallets

Digital payments and digital wallets are not directly regulated. Nonetheless, the Australian government has been actively considering payment system reforms, including in the context of digital payments and digital wallets. See below for a number of examples.

• On 30 August 2021, the Australian Treasurer released a report of the findings of the Treasury’s Payment System Review. This noted, amongst other mattes, that digitalisation of payments, while creating many benefits, also resulted in new risks and regulatory challenges. It was, however, beyond the scope of that Review to make any recommendations regarding the manner in which those challenges should be addressed.
• In late 2021, a report on Mobile Payment and Digital Wallet Financial Services was released by the Parliamentary Joint Committee on Corporations and Financial Services. The report pointed to significant market changes, with multinational technology firms becoming very important providers within Australia’s payment systems. The report concluded that these market changes meant that Australia’s payment systems regulation is no longer fit for purpose and recommended that this be urgently reviewed.
• With the change of government in early 2022, the Treasury commenced consultation in December 2022 on A Strategic Plan for the Payments System. The plan that is to be implemented following the consultation is intended to ensure that Australia’s payment systems regulation provides for the security of Australia’s systems, promotes competition and protects Australians from harms, particularly scams and fraud. The consultation will look at developments in the broader digital economy, including but not limited to in the context of digital wallets, buy-now-pay-later (BNPL) businesses and crypto-assets.

Under Australian law, infrastructure used for certain data processing and storage services is considered to be critical infrastructure and such services are subject to additional government oversight. As the Australian government has sought to ensure public trust in the provision of its own services, including to ensure that Australians are willing to provide their data to the government, additional requirements are also imposed on, for example, providers of hosting services to the Australian government. Sector-specific obligations have been imposed by other regulators.

The government has foreshadowed that, as part of the updating of its cybersecurity strategy that will be undertaken over 2023, it is considering implementing additional rules that will impact cloud and edge computing, such as additional data localisation requirements (which would require data to be held in Australia).

The Security of Critical Infrastructure Act 2018 (Cth)

The Security of Critical Infrastructure Act 2018 (Cth) (the "SOCI Act") is Australia’s primary critical infrastructure regulation. There are 11 critical infrastructure sectors, and an additional number of categories of critical infrastructure assets. As well as sectors such as transport, water and energy, the regulated sectors include:

• communications (though noting that telecommunications infrastructure remains largely subject to separate telecommunications specific regulation);
• data storage or processing;
• financial services and markets; and
• space technology.

Data storage or processing sector and assets

The critical data storage or processing sector provides services enabling end-users to store or back-up data using information technology or data processing services. Critical data storage or processing assets include enterprise data centres, managed services data centres and the like where the primary business offering is to government or to private sector critical infrastructure asset operators.

Data storage or processing services are critical to maintaining the supply and availability of data and cloud services and are increasingly relied upon by, and facilitate the effective functioning of, government and industry. In introducing the amendments to the SOCI Act to include this sector as a critical infrastructure sector in late 2020, the Australian government indicated that it was concerned not only because cyber breaches impacting this sector may result in the disclosure of highly sensitive and confidential information but also because significant outages may create risks for business continuity.

General obligations

While the SOCI Act defines critical infrastructure sectors, it primarily regulates critical infrastructure assets. The key obligations under the SOCI Act are (though some have not taken effect as at early 2023 and some apply only to particular critical assets categories):

• relevant regulated entities must provide information about critical infrastructure assets to the Australian government for inclusion in a non-public register;
• particular types of cybersecurity incidents involving critical infrastructure assets are required to be reported to the government;
• a government “assistance” regime applies under which, if a regulated entity suffers a cybersecurity incident, the government is able to collect information, direct entities to take particular action and request government agencies to provide support; 
• risk management plans are required to be implemented for particular types of critical infrastructure assets; and
• where an asset is a system of national significance, additional cybersecurity obligations may also be applied.

The information that must be provided for the register referred to above will include, where the responsible entity for a particular critical infrastructure asset does not itself maintain certain data (such as personal information, research and development data, operational system data and the like), information about its service providers, including providers of cloud services, and where data is held.

Risk management plans that will be required under the SOCI Act will identify and manage material risks of hazards occurring to the relevant critical infrastructure assets. While the definition of hazards is broad, it does include cyber and information security, for example, risks to digital systems, computers and data sets. 

Accordingly, even for critical infrastructure assets outside of the data storage or processing sector, the management of risks related to cloud computing and data storage services are very important under the SOCI Act.

Hosting Certification Framework

The Digital Transformation Agency (DTA) is the Australian government agency with primary responsibility for strategic advice on whole of government IT and digital services delivery. It has implemented a Hosting Certification Framework, which is essentially a procurement mandate rather than a legislative instrument.

The Framework requires that Australian government agencies must use certified service providers when procuring hosting arrangements for high value government data, whole of government systems or government systems classified as “protected” under the government’s information classification framework. For impacted service providers, certification is therefore a critical pre-condition to dealing with the government.

The categories of service providers that are within the Framework are primarily:

• data centre providers;
• cloud services providers; and
• software-as-a-service providers.

There are two levels of certification, namely (i) strategic and (ii) assured. Strategic is the higher level of certification and therefore providers seeking this certification must meet higher standards. Data sovereignty is a relevant consideration, with providers being required to agree to a level of government control over changes in strategic direction, operation and ownership to obtain certification.

Sector Specific Regulation

Prudential standards issued by the Australian Prudential Regulatory Authority (APRA) impose information security and outsourcing requirements on APRA regulated entities in the banking and insurance sectors. For example, risks associated with using cloud computing services must be identified, assessed, managed and reported on under Prudential Standard CPS 231 Outsourcing. This Standard is expected to be replaced in early 2023 by a new Prudential Standard CPS 230 Operational Risk Management, which will set out minimum standards for managing operational risk.

There is surprisingly little direct regulation of either artificial intelligence (AI) or big data under Australian law.

Intellectual Property

Australian copyright law, the Copyright Act 1968 (Cth) (the "Copyright Act") protects literary, dramatic, musical and artistic works. It does not recognise intellectual property rights in data per se; nor does it protect copyright in computer generated work, and in that respect differs from other jurisdictions such as the United Kingdom. 

Under Australian law, to obtain protection, a work must be original and created by a human author. Therefore, even if copyright could subsist in an AI created work, it would not be attributed to the artificial intelligence that created it but to an individual, presumably the creator of the algorithm that generated the work. 

There are, in any event, difficulties in obtaining copyright protection for AI created works because of the need for works to be “original”. A key case which considered this issue was Telstra Corporation v Phone Directories Company (2010) 194 FCR 142. That case looked at the question of whether copyright existed in telephone directories created largely by an automated computerised process. The Federal Court rejected the argument that copyright existed in the telephone directories, on the basis that there was not a sufficient element of independent intellectual effort in the creation of those directories to conclude that they were “original”.

Protection for AI generated inventions is also not provided under Australia’s Patents Act 1990. In Commissioner of Patents v Thaler [2022] FCAFC 62, the Federal Court held that a human inventor is required for a successful patent application. 

AI, Big Data and Australia’s Privacy Act

Australia’s Privacy Act does not contain any provisions that directly regulate the use of personal information in the context of AI or big data. The privacy regulator, the OAIC, has released a “Guide to data analytics and the Australian Privacy Principles” which sets out recommended best practice for data analytics involving personal information. The Guide recommends that de-identified data is used where possible, privacy by design approaches are implemented, privacy impact assessments are undertaken, and a position of openness and transparency is adopted in relation to the use of personal information.

The Australian government is, as at the beginning of 2023, undertaking a review of the Privacy Act, which may result in the introduction or more specific regulation of AI and big data. In consultation on proposed reforms, views were sought on whether, to increase transparency, regulated entities should be obligated to state in their privacy polices if personal information collected by the entity will be used in any automated decision-making process that has a legal or other similarly significant effect. 

It seems unlikely a reformed Privacy Act will include additional protections, such as those in the GDPR, for example, rights for individuals to obtain information about the logic of, and the consequences of using, automated decision-making processes or the right not to be subject to particular forms of automated decision-making.

Other Government Guidance

Though law and regulation in the area of AI and big data is limited, guidance material has been issued which may be used by both the private sector and government agencies.

Each of the Australian government and the New South Wales government ombuds have released guides regarding the use of big data and AI. Although aimed at governments, both guides provide useful rules for application in the private sector, including to ensure that appropriate consideration is given in the design stages for the relevant project – to ensure that the types of decisions that are made using AI or big data are suitable for automation, automation processes are unbiased and that the information used is accurate.

The Australian government has also released “Australia’s AI Ethics Principles” which sets out eight principles for the use of AI, including for example that AI systems should be “inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups”.

Use of AI and Big Data by Government Agencies

The Australian government’s own use of AI and big data has in some cases been problematic. In Katherine Prygodicz & Ors v Commonwealth of Australia (No 2) [2021] FCA 634, the Federal Court held that the Australian government’s use of the so called “Robodebt scheme”, which used automated processes to calculate whether overpayments of social security benefits had been made and to claim repayments, was unlawful. The Robodebt scheme is, as at the beginning of 2023, subject to a Royal Commission investigation, and it is likely that the failure of this scheme will limit to some extent the appetite of the Australian government to use AI, at least in the short term. 

Australia does not have specific laws that solely govern internet of things (IoT) products and services. Providers of IoT products and services are subject to generally applicable laws and regulations, including the Privacy Act, general consumer protection laws such as prohibitions on misleading and deceptive conduct under the Australian Consumer Law and, where telecommunications services are provided with IoT devices, potentially also regulation as carriage service providers under the Telecommunications Act and other telecommunications laws.

Privacy Act Review

While, as at the beginning of 2023, the Privacy Act does not include specific provisions regulating IoT devices, the review of that legislation which is being undertaken by the Australian government may change this.

In a Discussion Paper released for consultation by the Australian Attorney General in late 2021, amongst other matters, stakeholder views were sought on the following matters.

• Whether the Privacy Act should be amended to require that the collection, use and disclosure of personal information is only permitted where it is fair and reasonable in the circumstances, to bring Australia’s privacy legislation more in line with legislation in other jurisdictions, such as the GDPR. The Discussion Paper contemplated this would have the potential to significantly impact businesses that provide IoT products and services. In those cases, a higher standard of privacy protection would be expected by objective reasonable individuals, particularly where sensitive information is collected through IoT devices.
• Whether regulated entities that undertake certain restricted practices, such as the collection, use or disclosure of sensitive information or children’s information on a large scale (which would be likely to include providers of IoT products and services) should be subject to an obligation to take reasonable steps to identify privacy risks and implement measures to mitigate those risks. The Discussion Paper raised the question of whether an alternative would be to provide additional rights to individuals in relation to these restricted practices, such as providing for mandated absolute opt-out rights or requiring entities that undertake these practices provide explicit notice regarding their actions.

IoT Code of Practice

In September 2020, as specified in Australia’s Cyber Security Strategy 2020, the Australian government released a Code of Practice for “Securing the Internet of Things for Consumers”. The Code of Practice, which was stated by the government to be a “first step” in a process to improve the security of IoT devices, is a voluntary code. It was intended to reflect international approaches, such as the European Telecommunication Standards Institute (ETSI) baseline standard on smart devices, ESTI EN 303 645.

The Code of Practice contains 13 principles, which are very general in nature. At the time of the release of the Code of Practice, the government encouraged industry to prioritise compliance with the following three principles.

• No duplicated default or weak passwords – this principle applies to device manufacturers and requires that IoT device passwords should be strong, not resettable to factory defaults and that web services associated with IoT devices should use multi-factor authentication.
• Implementation of a vulnerability disclosure policy – this principle applies not only to device manufacturers but also to IoT service providers and app developers. It requires the establishment of a public vulnerability disclosure policy.
• Keep software securely updated – like the principle immediately above, this applies to device manufacturers, IoT service providers and app developers. This principle requires that software both on IoT devices and for associated web service should be securely updateable and consumers given express information regarding minimum times for software update commitments. 

The Australian government assessed the effectiveness of the Code of Practice after its first six months of operation. The Code was not viewed favourably. The major manufacturers the government consulted with had largely not implemented even those principles that were fairly straight forward, such as to put in place a vulnerability disclosure policy. Those manufacturers expressed concern that, as the principles were high level, they were difficult to implement. The Australian government was also concerned that, in their assessment process, they had difficulty in obtaining feedback from manufacturers of lower cost IoT devices, suggesting that such providers were even less likely than the major manufacturers to comply with the voluntary Code of Practice.

Given the low levels of compliance with the Code of Practice, the Australian government undertook public consultation on whether the Code of Practice should be replaced with a mandatory standard, which would be likely to be ESTI EN 303 645 (or, at a minimum, the top three requirements of that standard). To implement that approach would require new legislation to be passed. As at the beginning of 2023, no action has been taken following that consultation process.

In late 2022, the Minister for Home Affairs and Cybersecurity, Clare O’Neil, announced that the government would develop a new cybersecurity strategy, with the aim of making Australia the “most cyber-secure” country in the world by 2030. The Minister also indicated that, despite pressure from some stakeholders, no action will be taken to adopt a mandatory standard until that new cybersecurity strategy is in place. The timing for that to occur is not yet clear.

The Broadcasting Services Act 1992 (Cth) (BSA) is the primary legislation regulating audio-visual media services in Australia, though the Radicommunications Act 1992 (Cth) (the "Radcomms Act") and the Online Safety Act are also key.

Scope of the BSA

Commercial free-to-air broadcasters, both television and radio, require licences issued under the BSA to operate. Licences apply in specific areas. In addition to complying with the BSA and licence conditions, each of the television and radio broadcasting sectors have implemented, and must comply with, a code of practice, which is registered by Australia’s communications sector specific regulator, the Australian Communications and Media Authority (ACMA).

It is not possible for a new commercial television broadcaster to commence operation in Australia, given the restrictions imposed under the BSA on the issue of new commercial television broadcasting licences. While it is possible to obtain new commercial radio licences, these are available only in limited circumstances. Commercial broadcasters licensed under the BSA are entitled to licences of spectrum under the Radcomms Act. While fees are not payable for commercial broadcasting licences under the BSA, fees are payable for licences under the Radcomms Act. As at 2023, these fees, which are known as a Commercial Broadcasting Tax, raise in aggregate approximately Australian AUD46 million per annum.

Subscription television broadcasters must also obtain licences under the BSA (and for spectrum the Radcomms Act). Unlike free-to-air broadcasting licences, these licences are not geographically limited. Generally, these broadcasters are regulated in a similar manner to commercial-free-to-air television broadcasters under the BSA.

The BSA also regulates Australia’s two national broadcasters, the Australian Broadcasting Corporation (or ABC) and the Special Broadcasting Service (or SBS) and community broadcasters.

Providers of online audio-visual media services are currently not required to obtain licences under the BSA and are subject to only very limited obligations under that Act.

Ownership Restrictions

The BSA incorporates the following cross-media ownership restrictions (which apply only to ownership of broadcasters and print media):

• only one television licence and two radio licences may be in common ownership in the one area; and
• metropolitan areas must have five media “voices” (across television, radio and print) and regional areas must have four.

The acquisition of an interest in any Australian media business by a foreign person (including any foreign government entity) requires foreign investment approval under the Foreign Acquisitions and Takeovers Act 1975 (Cth). An Australian business which provides online content services would be considered an Australian media business if it was operated wholly or partly to serve Australian audiences and meets certain other tests.

The ACMA maintains a register of foreign owners holding an interest of more than 2.5% in any Australian media company.

Any mergers or acquisitions in the media sector must also comply with general competition law. Section 50 of the CCA prohibits mergers or acquisitions that would have the effect or likely effect of substantially lessening competition. There is no obligation on merger parties to notify the ACCC, though the ACCC undertakes informal merger reviews and parties may seek a merger authorisation prior to finalising a transaction. If a merger authorisation is granted, the transaction cannot subsequently be challenged by the ACCC under Section 50. On the other hand, if an informal merger review clearance is given the ACCC may still challenge a transaction if the ACCC subsequently changes its view and considers the transaction does in fact infringe Section 50.

Australian Content Obligations

Australian content quotas are imposed on commercial free-to-air television broadcasters and subscription television broadcasters. This is one of the key obligations those broadcasters must comply with. Free-to-air television broadcasters must broadcast at least 55% of defined Australian content between 6am and midnight on their primary channels and 1,460 hours per annum during those time periods on their secondary channels. In addition, the Broadcasting Services (Australian Content and Children’s Television) Standards 2020 (Cth) imposes quota requirements (via a points system) on these broadcasters for first release Australian programmes. While there is flexibility regarding the content that may satisfy these quotas, higher points are awarded for Australian drama content.

Subscription television broadcasters are subject to a “new eligible drama expenditure” scheme. This requires that at least 10% of total programme expenditure for each drama channel must be on new Australian drama programmes.

As at the beginning of 2023, no Australian content obligations are imposed on providers of online audio-visual media services. A small number of large streaming services providers (Amazon Prime, Disney, Netflix, Paramount+ and Stan) are required to report their level of investment in Australian content to the ACMA. 

The Australian government’s new National Cultural Policy, released in late January 2023, provides for Australian content quotas to be imposed on streaming services. Consultation on the form the content quotas will take will be undertaken over the first six months of 2023, with the new regime to be implemented from 1 July 2024.

Advertising and Other Content Restrictions

In some cases, very similar regulation is imposed on content service providers, whether these are broadcasters or streaming services providers. One such case is the regulation of gambling advertising, which is restricted during both live sports broadcasts and, through the operation of Schedule 8 of the BSA, when sports are live streamed.

The Online Safety Act contains an online content scheme which enables the eSafety Commissioner to mandate the take down from regulated services (which includes services provided by a broad range of online content providers) of content that would under Australian law be classified as:

• “RC” (refused classification) or “X 18+” (restricted content which may only be distributed in limited circumstances); or 
• R 18+, where access to that content is not subject to a restricted access system that limits access to those over 18 years of age.

Telecommunications Service Providers

Two primary types of telecommunications services providers are regulated under Australian law:

• carriers, that is owners of infrastructure used to provide carriage services to members of the public; and
• carriage service providers (or CSPs), who provide carriage services to others, either on a wholesale or retail basis.

Licences and Approvals for Carriers

Under the Telecommunications Act 1997 (Cth) (the "Telco Act") before core telecommunications infrastructure (fibre or radiocommunications facilities) may be used to supply carriage services to the public, a carrier licence must be obtained by the owner. Alternatively, a nominated carrier declaration may be obtained. This enables a third-party carrier, that is not the owner of the infrastructure, to act as the carrier for that infrastructure provided that third party agrees to comply with the regulatory obligations imposed on carriers for that infrastructure.

Carrier licences and nominated carrier declarations are granted by the ACMA (with the application fee for a carrier licence set at approximately Australian AUD2,000). Before a carrier licence may be granted, the ACMA must consult with the Communications Access Co-ordinator, which considers national security issues in relation to the grant of such a licence. 

In addition, as telecommunications infrastructure is considered to be critical infrastructure under Australian laws, foreign investment approval is required not only for a foreign person to acquire a direct interest in a carrier (or relevant infrastructure) but is also required to commence a carrier business. There are no monetary thresholds for these approvals.

Commencing Operations as a Carriage Service Provider (CSP)

CSPs are not required to obtain a licence under the Telco Act before commencing operations. However, where a CSP is a nominated CSP under the Telecommunications (Interception and Access) Act 1979 (Cth), meaning that the Attorney General has determined that it is a critical CSP, then the foreign investment approval rules for carriers apply to that nominated CSP.

The definition of CSP in the Telco Act is broad. It is not necessary for a CSP to own either the fixed line, mobile or satellite infrastructure that is used to provide carriage services for a telecommunications services provider to be classified as a CSP. In some cases (which are increasingly common as the IoT sector develops), intermediaries who arrange for another CSP to provide services to a third-party customer will also be considered to be CSPs, where that intermediary receives consideration for the provision of the service to the third-party customer and maintains the ongoing relationship with that third-party customer.

Spectrum Licences for Mobile, Fixed Wireless and Satellite Carriage Services

Under the regime established by the Radcomms Act, the ACMA is responsible for licensing spectrum, by means of spectrum, apparatus and class licences. Carriers are not guaranteed any allocation of spectrum and must acquire any relevant spectrum or apparatus licences, or satisfy the requirements to use any applicable class licence, to provide mobile, fixed wireless and/or satellite telecommunications services.

Spectrum licences for mobile services apply in specific geographic areas. These are generally auctioned by the ACMA for licence terms of 15 years. Apparatus licences are required for transmitters and receivers and are usually granted for one-year terms on a renewals basis. Class licences may be used by any person, without any separate approvals being required, provided that the licence conditions are satisfied. Class licences are relevant to some telecommunications services, for example, the Radiocommunications (Communication with Space Object) Class Licence 2015 (Cth) is relevant for satellite telecommunications services. 

Ongoing Regulatory Obligations Imposed on Carriers and CSPs

The regulatory obligations imposed on carriers and CSPs can broadly be split into four categories:

• technical, for example, interoperability requirements, numbering allocation and the like;
• competition related, for example, certain access obligations may be imposed on carriers;
• customer-focussed obligations; and
• national security and law enforcement related requirements. 

In the case of customer-focussed obligations, these are most onerous in relation to services provided to consumers and small businesses. In addition to complying with the economy wide obligations under the Australian Consumer Law, there are telecommunications consumer specific regulations that must be complied with from the time that services are first offered by a CSP to the public. These rules are incorporated not only in the Telco Act but also codes put in place under the co-regulatory regime established pursuant to the Telco Act. The most important code is the Telecommunications Consumer Protections Code. That Code contains a broad range of rules including in relation to the content of customer contracts, invoicing, financial hardship and dealing with disputes. Telecommunications companies that provide consumer and small business services must report annually on their compliance with the Code and must (as must carriers) join to the Telecommunications Industry Ombudsman scheme, which provides a dispute resolution service.

National security and law enforcement-related regulation must also be complied with from the time that services are first provided. For example, carriers and CSPs must maintain “interception capability” in respect of telecommunications services to allow for lawful interception to occur, unless an exemption is available. These arrangements must be in place from the commencement of service provision.

There are a variety of challenges that are faced when technology agreements are entered into with Australian government entities or businesses. For governments, typically standard form technology agreements are required to be used and additional obligations may be imposed depending on the nature of the services that are provided. When agreements are entered into with private sector entities, a variety of different obligations are required to be considered, ranging from directors’ duties to small business protections under the Australian Consumer Law. 

Sector specific obligations are also imposed, some of which are considered in 3. Cloud and Edge Computing.

Technology Contracts With Government Entities

At the federal level, there are no general mandated forms of technology agreement that all agencies are required to use. However, there are particular guidelines that are required to be adopted. For example, the Australian Cyber Security Centre (part of the Australian government’s Australian Signals Directorate) has guidelines that apply for cyber supply chain risk management which may be applied not only by government agencies but also private sector entities in procuring technology services.

At a state and territory level, it is common for governments to mandate not only an approved list of providers for their agencies but also to specify the forms of contracts that must be used. For example, in the case of New South Wales, the government’s procurement agency, Buy NSW, has implemented an ICT Services Scheme that agencies must use when procuring ICT goods and services which aligns with that government’s digital strategy.

Directors’ Duties

It may be a breach of directors’ duties where Australian corporates do not adequately manage cybersecurity-related risks and therefore this is a key issue that Australian corporates seek to manage when entering into technology agreements.

The potential scope of the obligation to manage cyber-risks was highlighted in Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496. While that case did not involve a breach of directors’ duties, it indicates the attitude of Australia’s corporate regulator, the Australian Securities and Investments Commission (ASIC), to the responsibilities of corporates (and directors) to the management of cyber-risks. In that case, ASIC took action against RI Advice in relation to a number of cyber incidents that impacted RI Advice over the period 2014–20. 

There is not an absolute obligation on Australian corporates to avoid any cybersecurity incidents. However, ASIC alleged that the failure of RI Advice to implement a programme to improve its cybersecurity and cyber-resilience policies and procedures to minimise the possibility of such incidents occurring breached the Australian financial services licence (AFSL) that providers of financial advice are required to hold. Consent orders were made under which RI Advice admitted to these breaches.

Data Localisation

The Privacy Act does not require that personal information held by a regulated entity is held in Australia. Instead, it provides that if a regulated entity discloses personal information to a person outside Australia who is not bound by the Privacy Act it must, unless an exemption applies, take reasonable steps to ensure that the offshore recipient does not breach relevant Australian Privacy Principles included in the Privacy Act and will be directly liable for any breaches that may occur. 

Importantly, where a regulated entity has outsourced its data storage to a third-party provider, such as a cloud services provider, the OAIC is likely to consider that the regulated entity continues to hold its data (including personal information) on the basis that the third-party provider must deal with the data in accordance with the directions of the regulated entity, even though the regulated entity does not physically possess the information. While this may mean that the requirements of the Privacy Act dealing with offshore transfers do not apply, the regulated entity will remain directly liable in relation to the management of the personal information. This means that Australian businesses (and Australian government entities) impose strict requirements in contractual arrangements for the storage of data.

While there are no generally mandated data localisation requirements, there are specific localisation requirements that apply in particular circumstances, which will need to be taken into consideration in technology agreements that involve data storage. For example, most Australian states and territories have privacy legislation that applies to the state or territory public sector and, in some cases, private sector health providers. In some cases, this privacy legislation includes restrictions on disclosing personal information outside the relevant jurisdiction. This applies, for example, under the New South Wales Privacy and Personal Information Protection Act 1998. That Act restricts public sector agencies disclosing personal information to an entity outside New South Wales unless a listed exemption applies. 

The Hosting Certification Framework, as discussed in 3. Cloud and Edge Computing, provides for data sovereignty, but does not impose data localisation requirements. In late 2022, the Minister for Home Affairs indicated that as part of the government’s proposed new cyber-security strategy it will look very carefully at data localisation. Should the Australian government mandate data localisation requirements for the storage of any particular categories of data in future, it is likely that such requirements will also be more frequently required not only by the public sector but also by private sector entities in their technology agreements.

Other Statutory Requirements: Unfair Contract Terms

Many technology services providers use standard form contracts for providing technology services to small businesses and will not agree to modifications of those contracts. Great care must be taken to ensure that those standard form contracts do not include terms that would breach Australia’s prohibition on unfair contract terms. 

Under the Australian Consumer Law, both standard form consumer contracts and standard form small business contracts must not contain unfair contract terms. An unfair contract term is one which gives a supplier a significant advantage over the customer, is not necessary to protect the legitimate interests of the supplier and would cause financial or other harm to the customer if enforced. 

The ACCC has taken action in relation to unfair contract terms in the technology sector. For example, in 2022, it successfully took action against Fuji in relation to terms of its printer and related software contracts. Those unfair contract terms provided for automatic contract renewal, high termination fees and gave Fuji the ability to unilaterally increase prices. 

In late 2023, amendments to the Australian Consumer Law will take effect which will mean that not only are unfair contract terms void, but businesses that include these in their standard form contracts will be subject to penalties. This new penalty regime will make compliance with the regime by technology providers even more important.

Electronic Signatures and Trust Services 

In Australia, legislation exists at both a state/territory and federal level regulating the use of electronic signatures. These laws are on consistent terms with the federal law, the Electronic Transactions Act 1999 (Cth) (the "ET Act").

Under the ET Act, a requirement under a law of the Commonwealth to sign a document can be met by means of an electronic communication, subject to some specific exceptions. For example, the ET Act does not apply to the submission of documents or evidence to a Commonwealth court or tribunal, which is instead regulated under the Evidence Act 1995 (Cth). Other exclusions from the ET Act include documents relating to passports, voting and the electoral roll.

There is no requirement under the ET Act that an electronic signature take a particular form. The ET Act requires that the person signing, and their intention, are identified using a method that meets particular criteria. The method must be as reliable as appropriate in the circumstances or factually satisfy the requirements of identifying the person and their intention. If the signature is given to a Commonwealth entity, the method used must satisfy the entity’s information technology requirements (if any) or otherwise must have the consent of the recipient of the signature.

Real estate transactions are governed by state and territory laws, and therefore are not regulated under the ET Act. While there are no government endorsed trust services, a national electronic conveyancing scheme has been adopted, known as PEXA (Property Exchange Australia), which allows for agents (solicitors and conveyancers) to digitally sign property transaction documents on behalf of their principals. 

Australia’s primary corporations legislation, the Corporations Act 2001 (Cth) (the "Corporations Act"), governs the use of electronic signatures by companies. Amendments to the Corporations Act that took effect in early 2022 enable documents, including deeds, to be executed electronically by companies. The Corporations Act is on the same terms as the ET Act, that is, it does not mandate that an electronic signature take a particular form. Instead, the person signing, and their intention, are required to be identified using a method that meets particular criteria, which are the same as those set out in the ET Act.

While, as noted above, there is no government endorsed trust services specifically for electronic signatures in Australia, the Australian government does operate the Trusted Digital Identity Framework (TDIF) which is an accreditation framework for digital identity services for the Australian government. At the current time, private sector entities cannot obtain accreditation under the TDIF for the provision of digital identity services within the Australian government’s digital identity scheme, which is discussed below. 

Digital Identity Schemes

The Australian government has implemented a digital identity scheme known as “myGovID”. As at the beginning of 2023, this scheme enables individuals, following an initial identity verification process, to access approximately 80 Australian government services, such as the Australian Taxation Office and Centrelink (social security services) and a very limited number of state government services, without the need to re-verify their identity. 

In its current form, the myGovID scheme has significant limitations as it cannot be used for all Australian government services. It also cannot be used to verify identity for most state and territory government services or for services provided by the private sector. To address this deficiency, and to provide for strengthened protections for individuals and establish clearer governance arrangements, in late 2021 the Australian government commenced consultation on a draft “Trusted Digital Identity Bill”. That Bill (and its supporting instruments) provides for significant enhancements to the myGovID scheme, including by providing:

• an accreditation scheme to allow state and territory governments as well as private sector entities to be accredited to provide digital identity services; and 
• the ability for state and territory governments and private sector entities to participate in the digital identity scheme by allowing their customers to verify their identity using the scheme.

The Bill would also create an independent statutory office holder, to be known as the “Oversight Authority” with responsibility under the new regime including for example to accredit entities to provide the digital identity services and to take enforcement action for breach of the law. Additional privacy, security and other protections were provided to consumers under the Bill to seek to promote public confidence in the operation of the new regime.

Since the change in the Australian government following the election in early 2022, no action has been taken to progress this Bill. As recently as November 2022, the Australian government, together with a number of the state and territory governments, re-affirmed their commitment to a national digital identity system and therefore the Bill may be re-activated in 2023.