The world’s leading digital media and regulatory policy journal

Reflecting on digital regulation in Australia

TMF Sydney took place on 15 and 16 August 2023. The discussions covered key issues in Australia, including proposals to combat misinformation, the Online Safety Act, the new National Anti-Scam Centre and AI

The forum began with a keynote speech by Australian Minister for Communications, the Hon Michelle Rowland MP, who emphasised that established regulatory frameworks and mechanisms are being applied to digital platforms to address new and evolving challenges.

A co-regulatory framework is the approach in a proposed bill to empower the regulator, the Australian Communications and Media Authority (ACMA), to hold platforms to account for the systems and processes they have in place to combat misinformation and disinformation on their platforms. Well-established and understood in the telco and broadcasting contexts, she said co-regulatory frameworks are graduated and proportionate and can be calibrated for different situations as required in the online context. She reflected that, while the context may change, what remains is the need for regulation that doesn’t stifle diversity, choice and innovation, while promoting citizen and consumer interests.

The government is making Australia a hard target for scammers through a comprehensive package of anti-scam initiatives, including a new $58 million National Anti-Scam Centre (NASC) to improve cooperation and data sharing. The new SMS Sender ID Registry, designed to help combat Sender ID scams, came into effect in July.

The minister also outlined work to ensure ongoing access by Australian audiences to local media services on connected TV devices. The Australian government is working on a prominence framework for Australian television services on Smart TVs which would shape the way local TV applications are presented to Australian audiences. The minister closed by affirming that international collaboration is of increasing importance and trusted global and regional multi-stakeholder events, such as those of the IIC, provide a forum for much needed policy debate.


A keynote speaker from the ACMA said that co-regulation in the telco sector has worked very well in blocking scam calls and text messages before they reach their intended consumer target. However the fight against scams needs to be as relentless as the scammers. The regulator has registered industry codes for scams via calls and text messages, is setting up a ‘white list’ sender ID registry, and would like to see over-the-top (OTT) players step up and do more on a voluntary basis, following the lead of the telco sector.

A consumer representative said that while efforts to block scams were finding success, scams still reach consumers as scammers are fast moving and constantly evolving, including in OTT services. Education of consumers on awareness remains a critical feature in combatting scams, as are penalties for non-compliance with codes, but he questioned whether the penalties available to the regulator are sufficient.

Scams are underreported, in part because of associations of shame, so the problem is bigger than the figures reported

A contributor from a digital platform said that scams erode consumer trust and therefore run counter to both consumer and industry interests.  Scams are underreported, in part because of associations of shame, so the problem is bigger than the figures reported. The cost to business in addressing scams includes investment in software engineers, machine learning scientists and expert investigators.

A panellist from an industry body noted that while there is a difference of views on regulatory models at large, co-regulation is appropriate for scams. It has worked in the past, and black-letter (well-established) regulation can reduce the flexibility organisations need to comply with some measures. Industry largely supports the direct enforceability of codes which would require legislative change.

Online safety

A keynote speaker from the Office of the eSafety Commissioner described how new ‘basic online safety expectations’ under the Online Safety Act set out what tech companies are expected to do if they operate in Australia and compel transparency under information-gathering powers. Last year the first notices were issued, requiring recipient platforms to report on the measures they were taking to tackle online child sexual exploitation material on their services. This revealed that some of the world’s largest tech companies were not doing enough, and that some voluntary principles were not being lived up to. In response, steps have been taken to make some major positive policy process changes.

A panellist from Netsafe, New Zealand, described its status as a charity with statutory responsibilities since New Zealand passed the Harmful Digital Communications Act. Scams are the most reported issue and resolving consumer issues quickly is important. Holding platforms to account for their practices is a key part of the role, but it also works as an industry consultant, educator, and policy adviser and advocate. New Zealand is grappling with which regulatory model to adopt, but a co-regulatory model is probably what is needed.

A representative from the Fijian Online Safety Commission, said that as a small nation regulator, resources are constrained, so the ‘Online Safety Champions Programme’ has been established to recruit tertiary students from universities to provide training in schools. A challenge is that legislation stipulates the need for parent/guardian consent to report matters to the Commission. This deters some children from reporting issues which the champions programme might assist with.

Competition achievements

A keynote session reflected on the achievements of the Australian Competition and Consumer Commission (ACCC) in the communications sector during the tenure of Rod Sims AO as ACCC chair from 2011 to March 2022. In relation to the Australian Government’s proposal to empower the ACMA in relation to misinformation and disinformation, Rod Sims said that the draft bill is fully in line with what the ACCC recommended in its 2019 final report of the digital platforms inquiry’ and was ‘a very modest intervention’. The bill says that the ACMA will ensure there are processes in place, that processes conducted by platforms are transparent and that the ACMA will have powers to obtain more information from platforms. How the platforms respond will determine whether more needs to be done. On AI and chatbots, he warned that if foreign actors and extreme groups can use AI to spread messages, something that self-generates is going to make a huge difference. All regulators should keep a watching brief on AI.

On the media side, he said that the work the ACCC did in the digital platforms inquiry got worldwide attention because it was a market inquiry with really broad terms of reference, into ‘competition, consumer, advertising, media, the lot’, that looked at the issues as a whole – this hadn’t been done before. He noted that the news media bargaining code was extremely important in achieving the objectives the ACCC had set.

He is anticipating the Government’s response to the ACCC’s fifth report, which came out after his tenure concluded. The ACCC is recommending something akin to the Digital Markets Act, but probably more similar to the UK’s special market services provision. He hopes that the ACCC is given the powers to regulate digital platforms otherwise Australia will lose an essential connection with the Europeans and the British, and lose out on the benefits, because ‘things will get done but they won’t be brought to Australia’.

Cybersecurity strategy

This session discussed the topic of ‘shedding light on the 2023-2030 cybersecurity strategy’ in Australia. A government representative said the seven-year purview is a challenge that requires thinking ahead to how the world will look in 2030. Key questions include how to create government as an exemplar, how to create a much more secure set of governments across the country, how to use the purchasing power of government and how to build expertise within government. 

A representative of a technology company shared an optimistic vision of what the Australian government’s objective of being the most cybersecure nation in the world by 2030 would mean. A cyber secure nation requires a secure economy with strong cybersecurity capacity. Australia will have bridged the skills gap, be a technology leader and attract foreign capital because it will be the safest nation in the world in which to do business.  There will be high levels of organisational accountability, consumer trust, education, automation, and artificial intelligence will be augmenting human capability. He made the point that the technology deployed in 2023 and 2024 will be the technology used to achieve the 2030 goal and that the notion of a ‘technical debt’ is something that needs to be considered.

A professor in the field of psychology and cybersecurity argued that cybersecurity is a multidisciplinary problem. Scams require the development of different ways to help people protect themselves. She noted that ‘we are all vulnerable to scams, whether we like it or not’. On  disinformation, she said the question is not just what should or should not be taken down, but which is more believable and which is more harmful. Criminals will want to know and it is important to stay ahead of that game.

Operational realism

A lawyer in cybersecurity practice said that legislation and policy requires an understanding of what happens at the coalface. He pointed out how difficult it is to provide valuable information in the early days of a cybersecurity incident, which makes early communication to regulators and consumers a challenge. Digital forensic examinations take weeks, if not months and 95 per cent of cybersecurity incidents investigated by the private sector are not attributable. Organisations are far more immature than might be expected, insurance premiums are an issue and almost always it is not a technology failure, but a human failure at play. Talk about a skills gap should consider who would provide good cybersecurity resources –  ‘most of the threat actors don’t have degrees’. He concluded by saying, ‘we have a long way to go to get to the 2030 vision, and I hope we can get there, but it’s hard to be optimistic when you see the reality of what’s happening on the ground’.

Consumer data and privacy protection

A panellist from the advertising industry noted that the online advertising industry is absolutely reliant on data, including for functions like defining audiences, measuring effectiveness and preventing ad fraud. She said that policy and law should incentivise privacy protective practices. The industry has focussed on the development of privacy-enhancing technologies (PETs) which extract value from data without risking the underlying personal information. Regulating de-identified and anonymised information risks disincentivising the use of PETs and should be avoided.

A representative from a regulator observed that there is now broad awareness that competition and privacy often intersect in a digital economy, and highlighted that these goals are often complementary. Effective competition can be a catalyst for more privacy-focussed business models and a lack of competitive constraints can reduce the incentive of firms with market power to provide privacy options that consumers want. Robust data collection and privacy laws can enhance competition in data-driven markets, including by ensuring consumers receive clear, accurate information about the data practices of firms. Increased transparency is good for competition. Interactions can conflict but the ACCC views robust baseline privacy protections as essential to well-functioning digital markets.

Cross-border data transfers

A legal academic from Thailand acknowledged the challenge of data transfers where the destination country has different data requirements and practices. He noted that there are about 20 versions of model contracts across various jurisdictions, and that privacy professionals around the world are looking for ways to simplify and harmonise practices. The APEC Cross-Border Privacy Rules (CBPR) enable firms to make a data transfer under certification, but this system only applies to APEC members, not all APEC members participate in the scheme and overall company membership is still  low, which shows the limitation of an opt-in certification scheme.

Regulatory co-design

An academic from Australia in the field of regulation and governance offered the view that, at its heart, the balance between promoting innovation and protecting privacy has to be to minimise risks of harms to consumers. However a privacy regime that is concurrently benefits both consumers and suppliers and technology providers is likely to be most successful. He described how, in the UK, the Information Commissioner’s Office and Competition and Markets Authority have attempted to produce a set of tools and techniques that they call ‘online choice architecture’ to try and help nudge consumers into making appropriate transactional decisions. In closing, he argued for  consumer protection to involve regulatory co-design and that systematic regulation which is outcomes-based will lead to improved consumer protection and involve the application of well-understood and well-used tools.

Mergers and competition

A representative of the ACCC opened with remarks on key questions arising out of the TPG/Telstra decision on asset transfers.  The commission has a long history of recognising that infrastructure sharing can be pro-competitive and efficiency-enhancing, as well as supporting infrastructure sharing initiatives. However, not all are efficiency-enhancing, and some have profound implications for competition in downstream markets. In the case of TPG/Telstra, the principal issue is control of the spectrum. The competition tribunal came to the conclusion that the proposed spectrum authorisation agreement between TPG/Telstra would considerably have increased Telstra’s market power.

The case for reform for digital platforms

Reflecting on the ACCC’s recommendations to regulate digital platforms, she emphasised that a key challenge is not to ‘kill the golden goose’ with regulatory overreach or by disincentivising innovation. She said the ACCC’s existing tools are utterly deficient to address legitimate concerns around competition harm, largely because they are ex post enforcement tools in a common law country where the regulator bears the burden of proof. Litigation into abuse of dominance is characterised by delay which means that, even if successful, the remedies that agencies achieve will never restore the conditions for competition that have been lost. In closing, she noted that all the regulators are calling out the same economic harms and applying the same economic anti-trust frameworks. There is coherence in the way regulators think through and analyse proposals for more effective tools.

A panellist from the free-to-air television industry gave a publisher perspective, talking through three top-line issues: data bundling, the tying of products and some of the inherent conflicts of interest in that structure. The data that Google holds, with a 97 per cent share of the search market, make it the most valuable data set in the world. Google has bundled and leveraged this data into a related market with an advertiser-facing product named DV360, which a publisher must use if it wants to buy YouTube inventory. This, he said,  presents a conflict of interest. There is a lack of transparency around ad-tech which is why it is so important that the Government take forward recommendations from the ACCC’s fifth digital platform services inquiry (DPSI) interim report (DPSI 5 report).

A fragile mobile industry

A representative from the mobile industry drew attention to a comment made by the competition tribunal in the TPG/Telstra case: that competition in the mobile industry is extremely fragile. He said it is lost on a lot of people that the mobile industry is not healthy, with the industry’s return on capital in low single digits – less than half the cost of capital. While treated as an essential industry, often lumped in with banks, or treated like a utility and expected to do a lot of the heavy lifting, telcos do not make the returns of other industries, and the financial peril it is in is not recognised. Mergers shouldn’t be relied upon to get the industry healthy – other policy levers and government decisions are needed to make the mobile industry healthy again.

An economist agreed that the mobile industry is not in a healthy financial position. The need for infrastructure-sharing will grow and be an ongoing issue, particularly in regional areas. Bigger picture policy thinking is likely needed and there are good models out there, for example in New Zealand.

The Sydney TMF was sponsored by Clayton UTZ, Frontier Economics, Google, Holding Redlich, Quay Law Partners and Squire Patton Boggs.