
Australia Online Safety Act: BOSE and Deepfake Penalties
Definition: Australia's Online Safety Act, the Basic Online Safety Expectations (BOSE), and the Criminal Code Amendment of 2024 form the regime through which the eSafety Commissioner addresses deepfake and image-based abuse.
TL;DR: The BOSE Determination (F2024L00590, 31 May 2024) sets expectations for online services, and the Criminal Code Amendment Act 2024 No. 78 created offences for sharing non-consensual deepfake sexual material, with up to 7 years for aggravated cases. Providers can face civil penalties up to A$49.5M. The eSafety Commissioner enforces.
The two halves of the regime
BOSE sets out what the government expects services to do, from minimizing harmful material to responding to the eSafety Commissioner. The Criminal Code Amendment Act 2024 then criminalizes sharing non-consensual deepfake sexual material, with aggravated offences carrying up to seven years. Together they cover both platform expectations and individual conduct.
Real enforcement
This is not theoretical. In eSafety v. Anthony Rotondo, Justice Erin Longbottom ordered a A$343,500 penalty on 26 September 2025, an early signal that the Commissioner will pursue penalties for deepfake-related breaches.
How provenance supports compliance
Verifying inbound media and signing first-party content gives a service evidence that it meets BOSE expectations and a faster path to act on non-consensual deepfakes. The audit trail matters when the Commissioner asks what the service did and when.
The incident behind this
eSafety v. Anthony Rotondo: the Federal Court, per Justice Erin Longbottom, ordered a A$343,500 penalty on 26 September 2025, demonstrating active enforcement of Australia's deepfake provisions.
Regulatory mapping
| Regime | Effective | Bite | Why it applies |
|---|---|---|---|
| BOSE Determination F2024L00590 | 31 May 2024 | Up to A$49.5M civil (providers) | Basic Online Safety Expectations |
| Criminal Code Amendment Act 2024 No. 78 | 3 Sep 2024 | Up to 7 years (aggravated) | Non-consensual deepfake sexual material |
FAQ
Who enforces the Online Safety Act?
The eSafety Commissioner, who can issue notices, seek civil penalties, and refer criminal matters, as the Rotondo case shows.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: Australia's regime is active and penalties are real. Verify inbound media, sign first-party content, and keep an audit trail that meets BOSE expectations and supports fast action on deepfakes.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.