On April 23, 2026, the Electronic Frontier Foundation published a Speaking Freely interview with Australian lawyer Lizzie O'Shea, founder and chair of Digital Rights Watch. Her warning is blunt: governments increasingly treat genuine online-harm concerns as an opening to expand content-policing powers, and "curtailing freedom of speech...can have a real impact on democracy." She is especially wary of "giving a regulator in Australia the right to take down content from anywhere in the world," calling it "a very concerning development" (EFF).
The interview is well-timed. In the first half of 2026, Australia assembled one of the democratic world's most expansive online-governance stacks. Three distinct mandates now sit on top of the existing Online Safety Act regime. Each is individually defensible, but together they compound into something that deserves the scrutiny O'Shea urges.
The strongest case for the new rules
The regulatory impulse is not frivolous. eSafety's own research found that 34% of Australian adults saw online hate in the prior year and 18% experienced it personally — up from 14% in 2019 — with Aboriginal and Torres Strait Islander, disabled, sexually diverse and linguistically diverse Australians far more exposed (eSafety, Hate in the digital age, 2025). After the December 2025 Bondi Beach attack, the political demand for a response was overwhelming and bipartisan. When a third of the public encounters hate online and platforms have spent a decade under-investing in trust and safety, "do nothing" is not a serious position. A government that can show measurable harm has a legitimate interest in acting.
What was actually enacted
Three things changed in quick succession.
First, on January 21, 2026, Parliament passed the Combatting Antisemitism, Hate and Extremism (Criminal and Migration Laws) Act 2026. It raises penalties for advocating or threatening violence against protected groups, creates aggravated offences, establishes a regime to proscribe "prohibited hate groups," and lets the Immigration Minister refuse or cancel visas over hate-related conduct whether or not the person was convicted (Federal Register of Legislation; Attorney-General's media release).
Second, on March 9, 2026, six new Phase 2 Online Safety Codes came into effect, covering social media core and messaging features, app stores, hosting and electronic services. They require risk assessments, age-assurance measures, default safety settings and trust-and-safety functions, backed by significant civil penalties (Baker McKenzie analysis).
Third, the under-16 social-media ban under the Online Safety Amendment (Social Media Minimum Age) Act 2024 came into force on December 10, 2025, exposing platforms to fines of up to A$49.5 million for failing to take "reasonable steps" to keep minors off their services (eSafety).
Where proportionality breaks down
Proportionate regulation targets a defined harm with the narrowest effective tool and builds in review. Several of these measures fail that test.
The conviction-optional visa power is the clearest example: it attaches a severe, life-altering consequence to conduct that need never be proven in court. That is not a content-moderation rule, but it shapes online speech directly — non-citizens now face migration jeopardy for posts an official deems "hate-related," with the chilling effect falling hardest on the activist and diaspora communities O'Shea flags as most vulnerable to "weaponized restrictions framed as safety measures."
The age ban illustrates the second problem: enforcement-by-vagueness. In April 2026, Commissioner Julie Inman Grant moved eSafety from monitoring to an "enforcement stance" after its first compliance report found Facebook, Instagram, Snapchat, TikTok and YouTube were letting minors retry age checks and create new underage accounts. But "reasonable steps" is undefined, so platforms rationally over-comply — and the only reliable way to verify ages at scale is to verify everyone's, pulling the entire adult population into identity checks to police a youth-access rule. O'Shea's alternative — regulate the data-harvesting business model rather than user access — is the more rights-respecting path, and Australia has largely skipped it.
The Phase 2 Codes' age-assurance and risk-assessment duties point the same way. Each obligation is reasonable in isolation; together they push platforms toward pre-emptive removal and identity-gating, because the cost of an eSafety notice dwarfs the cost of taking borderline-lawful speech down. The extraterritorial takedown power O'Shea singles out means a decision made in Canberra can scrub content globally — and, as she warns, becomes a template authoritarian governments will gladly copy.
The democratic stakes
None of this requires defending hate speech. It requires insisting that the tools match the harm. Australia has stacked three powerful regimes in six months with little coordinated review of their combined effect on lawful expression, identity privacy and the open internet. The right correction is not repeal but precision: statutory definitions of "reasonable steps," judicial process before migration consequences, sunset clauses, and a strong preference for data-practice rules over access bans and global takedowns. O'Shea's intervention is a reminder that the question is never whether to act, but whether the cure preserves the democracy it claims to protect.