Original Pictures
Australia Online Safety Act and BOSE overview

Australia Online Safety Act: BOSE and Deepfake Penalties

Definition: Australia's Online Safety Act, the Basic Online Safety Expectations (BOSE), and the Criminal Code Amendment of 2024 form the regime through which the eSafety Commissioner addresses deepfake and image-based abuse.

TL;DR: The BOSE Determination (F2024L00590, 31 May 2024) sets expectations for online services, and the Criminal Code Amendment Act 2024 No. 78 created offences for sharing non-consensual deepfake sexual material, with up to 7 years for aggravated cases. Providers can face civil penalties up to A$49.5M. The eSafety Commissioner enforces.

The two halves of the regime

BOSE sets out what the government expects services to do, from minimizing harmful material to responding to the eSafety Commissioner. The Criminal Code Amendment Act 2024 then criminalizes sharing non-consensual deepfake sexual material, with aggravated offences carrying up to seven years. Together they cover both platform expectations and individual conduct.

Real enforcement

This is not theoretical. In eSafety v. Anthony Rotondo, Justice Erin Longbottom ordered a A$343,500 penalty on 26 September 2025, an early signal that the Commissioner will pursue penalties for deepfake-related breaches.

How provenance supports compliance

Verifying inbound media and signing first-party content gives a service evidence that it meets BOSE expectations and a faster path to act on non-consensual deepfakes. The audit trail matters when the Commissioner asks what the service did and when.

The incident behind this

eSafety v. Anthony Rotondo: the Federal Court, per Justice Erin Longbottom, ordered a A$343,500 penalty on 26 September 2025, demonstrating active enforcement of Australia's deepfake provisions.

Regulatory mapping

RegimeEffectiveBiteWhy it applies
BOSE Determination F2024L0059031 May 2024Up to A$49.5M civil (providers)Basic Online Safety Expectations
Criminal Code Amendment Act 2024 No. 783 Sep 2024Up to 7 years (aggravated)Non-consensual deepfake sexual material

FAQ

Who enforces the Online Safety Act?

The eSafety Commissioner, who can issue notices, seek civil penalties, and refer criminal matters, as the Rotondo case shows.

Where Original Pictures stands today

Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.

Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.

Bottom line: Australia's regime is active and penalties are real. Verify inbound media, sign first-party content, and keep an audit trail that meets BOSE expectations and supports fast action on deepfakes.

Related


Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.

Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.

Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.