What is the eSafety and OAIC MOU and when was it announced?

The eSafety Commissioner and the Office of the Australian Information Commissioner (OAIC) formalised a Memorandum of Understanding (MOU) on 23 April 2026. It creates a coordinated regulatory framework at the intersection of the Online Safety Act and the Privacy Act 1988, enabling information sharing and joint responses to emerging online harms.

Which compliance areas are now under joint scrutiny by eSafety and the OAIC?

The MOU specifically identifies two areas: age assurance requirements under Australia's online industry codes and standards, and Social Media Minimum Age obligations. Both regulators will jointly monitor whether platforms implementing age-verification technologies satisfy both online safety obligations and the Australian Privacy Principles.

How does the MOU change compliance obligations for digital platforms?

Previously, platforms could assess privacy obligations with the OAIC and online safety obligations with eSafety separately. Under the MOU, the two regulators share information and coordinate responses, meaning a failure on privacy grounds — such as collecting more personal data than necessary for age verification — can simultaneously attract scrutiny under the online safety framework.

What should legal and compliance advisers do in response to the eSafety–OAIC MOU?

Advisers should review whether clients' age assurance technologies have been assessed against the Australian Privacy Principles, check that data collection is limited to what is reasonably necessary, update privacy policies to disclose age assurance practices, and monitor further guidance from both regulators on how the MOU will be operationalised in practice.

eSafety & OAIC Online Privacy Compliance: MOU Explained

eSafety and OAIC Join Forces on Online Privacy: What the Collaboration Means for Digital Platforms

The eSafety Commissioner and the Office of the Australian Information Commissioner (OAIC) have formalised a new working relationship through a Memorandum of Understanding (MOU), announced on 23 April 2026. The agreement creates a coordinated regulatory framework at the intersection of online safety and Australian privacy law — with direct implications for digital platforms operating in Australia.

What the MOU Means for eSafety OAIC Online Privacy Compliance

For accountants and legal professionals advising digital platforms, social media services, or any online business subject to Australia's online safety regime, this MOU signals a shift in how compliance obligations will be monitored and enforced.

Previously, privacy obligations under the Privacy Act 1988 and online safety obligations under the Online Safety Act were administered by separate regulators with limited formal coordination. The MOU changes that by:

Formalising communication pathways between the two agencies on matters where privacy and online safety intersect
Enabling information and expertise sharing between the OAIC and eSafety
Creating a foundation for coordinated regulatory responses to emerging harms, including those involving artificial intelligence

Australian Information Commissioner Elizabeth Tydd described the arrangement as building "a foundation where privacy protections and online safety initiatives can better address specific harms side by side."

Key Compliance Areas Now Under Joint Scrutiny

The MOU specifically calls out two areas where the two regulators will work together:

Age assurance requirements. Australia's online industry codes and standards now make age assurance mandatory. These measures are designed to protect children from abuse and harmful or age-inappropriate content. The eSafety Commissioner has acknowledged that implementing age assurance technologies must also respect privacy rights — meaning platforms cannot simply deploy any age-verification tool without considering its privacy implications under Australian law.

Social Media Minimum Age obligations. Platforms subject to the Social Media Minimum Age regime must comply with both their safety obligations and the privacy rights of users. The two regulators will jointly monitor compliance in this space.

eSafety Commissioner Julie Inman Grant noted that the proliferation of AI is "amplifying risks" and that regulators are "increasingly requiring industry to deploy age-assurance technologies that meet their regulatory obligations and respect privacy in the Australian context."

A Plain-English Worked Example

Consider Platform A, a mid-sized social media service operating in Australia. To comply with its Social Media Minimum Age obligations, Platform A implements an age-verification tool that collects users' government-issued ID documents.

Under the old siloed approach, Platform A might have assessed its safety obligations with eSafety and its privacy obligations with the OAIC separately — potentially receiving inconsistent guidance.

Under the MOU, both regulators now share information and coordinate their responses. If Platform A's age-verification method raises privacy concerns — for example, collecting more personal information than necessary — the OAIC and eSafety can jointly assess whether the platform's approach satisfies both regimes. A failure on privacy grounds could simultaneously attract scrutiny under the online safety framework, and vice versa.

The practical lesson: platforms can no longer treat privacy compliance and online safety compliance as separate workstreams.

Checklist for Affected Firms and Their Advisers

Review whether your client operates a digital platform, social media service, or online product subject to Australia's online industry codes or the Online Safety Act
Assess whether the platform's current age assurance or age-verification processes have been reviewed for compliance with the Australian Privacy Principles
Check whether any data collected for age assurance purposes is limited to what is reasonably necessary — a core requirement under Australian privacy law
Identify whether the platform has documented its approach to balancing privacy rights against online safety obligations
Consider whether existing privacy policies and notices adequately disclose age assurance data collection and use
Monitor further guidance from both the OAIC and eSafety on how the MOU will be operationalised in practice — the precise scope of joint enforcement activity has not been specified in the cited source
Advise clients to engage proactively with both regulators if they are uncertain whether their age assurance technology meets the privacy standard expected in the Australian context

What You Should Do Next

Read the full MOU on the OAIC website (link in Sources below) to understand the formal scope of the two regulators' cooperation
Brief relevant clients — particularly those operating social media platforms or services with age-restricted content — on the dual-regulator compliance environment
Review client privacy impact assessments to ensure age assurance technologies have been assessed against Australian Privacy Principles, not just online safety standards
Flag this development in any privacy compliance audits or legal opinions touching on online safety obligations
Subscribe to updates from both the OAIC and eSafety to receive guidance as the MOU is implemented

Sources

OAIC — eSafety and OAIC working together to protect privacy and safety for all Australians

Quick facts

The eSafety Commissioner and the OAIC formalised a Memorandum of Understanding on 23 April 2026, creating a coordinated regulatory framework at the intersection of online safety and Australian privacy law. The MOU formalises communication pathways, enables expertise sharing, and establishes a foundation for joint responses to emerging harms including those involving artificial intelligence.

Australia's online industry codes and standards now make age assurance mandatory to protect children from abuse and harmful content. eSafety Commissioner Julie Inman Grant noted that the proliferation of AI is 'amplifying risks' and that regulators are 'increasingly requiring industry to deploy age-assurance technologies that meet their regulatory obligations and respect privacy in the Australian context.'

Under the MOU, the OAIC and eSafety can jointly assess whether a platform's age-verification approach satisfies both the Online Safety Act and the Privacy Act 1988. A failure on privacy grounds — for example, collecting more personal information than necessary — could simultaneously attract scrutiny under the online safety framework, meaning platforms can no longer treat privacy and online safety compliance as separate workstreams.

Australian Information Commissioner Elizabeth Tydd described the eSafety–OAIC arrangement as building 'a foundation where privacy protections and online safety initiatives can better address specific harms side by side.' The two regulators will jointly monitor compliance with Social Media Minimum Age obligations, covering both safety requirements and the privacy rights of users.