The provisions under the scheme will be implemented on 10 December
The Office of the Australian Information Commissioner (OAIC) has released regulatory guidance in line with the Social Media Minimum Age (SMMA) scheme.
The guidance is geared towards age-restricted social media platforms and age assurance providers and is intended to help them comply with the privacy provisions under the SMMA scheme set to be implemented on 10 December. According to Privacy Commissioner Carly Kind, the guidance highlights entities’ strict legal obligations to apply age assurance proportionately and through approaches that respect privacy.
Under the guidance, entities must be aware that the additional privacy obligations under the SMMA scheme take effect alongside the Privacy Act 1988 and the Australian Privacy Principles. They must also select necessary and proportionate age-assurance methods and evaluate the privacy effects of each method.
Entities must limit the inclusion of personal and sensitive information in age-assurance processes. They must be aware that pre-existing personal information eventually used for SMMA purposes need not be deleted if the original purposes are ongoing; however, the information must be destroyed once the purposes have been completed.
Entities must ensure that all further uses of personal information obtained for SMMA purposes are optional and that users provide clear consent that can be rescinded easily. Entities must also be transparent, both in privacy notices and when it matters, about how personal information accessed for SMMA purposes is used.
“Today we’re putting age-restricted social media platforms on notice. OAIC is here to guard and uplift the privacy protections of all Australians by ensuring that the age assurance methods used by age-restricted social media platforms and age assurance providers are lawful”, Kind said in an OAIC media release. “The OAIC is committed to ensuring the successful rollout of the SMMA regime by robustly applying and regulating the privacy rules contained in the legislation, in order to reassure the Australian community that their privacy is protected”.
The OAIC regulates SMMA with eSafety, which recently unveiled its own regulatory guidance on the reasonable steps to be taken by age-restricted social media platforms in order to prevent the creation of accounts by age-restricted users. eSafety’s guidance also provided guiding principles on how age assurance should be implemented to fulfill SMMA obligations.
“eSafety has provided the rules of the game with their ‘reasonable steps.’ Now the OAIC is setting out what is out-of-bounds when it comes to the handling of personal information for age assurance in the social media minimum age context”, Kind said. “SMMA is not a blank cheque to use personal or sensitive information in all circumstances; we’ll be actively monitoring platforms to ensure they stay within the bounds by deploying age assurance proportionately and lawfully”.
The OAIC confirmed that it would publish additional resources to clarify the use of Australians’ personal information in age assurance methods. It would also release resources to educate children and families regarding children’s online privacy.