The ruling
On 21 May 2026, Federal Court Justice Michael Wheelahan ordered X Corp to pay an A$650,000 civil penalty, plus A$100,000 toward the eSafety Commissioner's costs, for failing to fully comply with a transparency reporting notice issued under the Online Safety Act 2021. The notice, served on 22 February 2023 when the company was still Twitter Inc, asked the platform to detail what it was doing to detect and prevent child sexual exploitation material (CSAM). X admitted contravention but spent three years arguing it was not the right legal entity to answer, because Twitter Inc had merged into X Corp the following month. The Full Federal Court rejected that argument in July 2025, upholding an October 2024 first-instance decision. Wheelahan J's quantum sits close to the statutory maximum of A$782,500 for a corporate breach of a single reporting-notice contravention, per eSafety's regulatory guidance.
In a post-judgment statement, eSafety Commissioner Julie Inman Grant framed the outcome as a vindication of procedural transparency: "Meaningful transparency is critical to holding technology companies to account." The case is the largest enforcement win to date for the regulator under the Online Safety Act and lands as the federal government considers a statutory review of the Act that proposes expanding both the obligations and the penalty schedule.
The steelman: this is the right kind of enforcement
It is worth stating the case for the regulator at its strongest. CSAM is universally illegal across democratic jurisdictions. The notice did not order X to remove anything, classify any speech, or change any moderation policy. It asked the company to describe its own systems — how it scans uploads, how quickly it actions reports, how many staff in trust and safety remain, what hashing technology it uses. Twitter's pre-Musk transparency reports were a reference point for researchers and competing platforms; the post-acquisition disclosure vacuum prompted multiple regulators worldwide to ask harder questions. X's reported answer to many of eSafety's questions was effectively "we will not say," and the regulator's published comparison of platform answers makes that gap visible. A regulator that cannot ask procedural questions about the worst illegal-content category on the internet is not a regulator at all.
Procedural transparency mandates are also the regulatory form most consistent with a pro-innovation worldview. They impose a one-off cost (a report), they do not pre-empt design choices, and they let competing firms — and journalists — observe whether the practices a company describes match the outcomes researchers measure. That is closer to a securities-disclosure model than to content-control, and it is the model the EU's Digital Services Act, the UK Online Safety Act, and even US state laws have converged on. On the narrow facts here, the eSafety Commissioner asked a procedurally legitimate question, X gave a procedurally inadequate answer, and a court enforced the rule.
Where the Online Safety Act framework still concerns us
The danger is generalising from this case to the broader architecture. Three structural problems remain.
First, the Act concentrates discretionary authority in a single appointed commissioner to define which expectations matter, which platforms get notices, and which answers count as "absent, incomplete or inaccurate" — the trigger for an infringement notice. Wheelahan J's earlier 2024 judgment, analysed by A&O Shearman, already had to push back on the Commissioner's attempt to apply the same Act extraterritorially — demanding global takedown of footage of a Sydney church stabbing rather than geoblocking it for Australian users. That was the same regulator, citing the same statute, in a much more speech-laden context. The transparency tool that works against X here is not categorically different from the takedown tool that overreached in the church-stabbing matter.
Second, "transparency" creep is a real risk. Once a regulator can compel narrative answers about internal systems, the scope of what counts as a "system" expands. The December 2025 Basic Online Safety Expectations regulatory guidance already covers generative AI integrations, recommendation algorithms, and end-to-end encrypted messaging — categories where the line between "tell us what you do" and "tell us what to do" is far less obvious than it is for CSAM scanning.
Third, civil penalty escalation is being proposed without commensurate procedural safeguards. The government's review issues paper floats raising maximum penalties for systemic non-compliance to a percentage of global turnover — DSA-style numbers. Higher maxima only make sense if merits review and proportionality tests get correspondingly stronger, because a regulator's incentive to test the edges of its powers grows with the size of the cheque.
The proportionate path
The Federal Court did its job. It enforced a narrow, defensible rule against a platform that, by its own admission, failed to comply. The question for Canberra now is whether the next iteration of the Online Safety Act keeps that core — procedural disclosure about illegal-content systems — and strips out the parts that invite cross-border takedown demands or vague duty-of-care obligations. Australia has the chance to model a transparency-first regime that other liberal democracies could borrow. It will only happen if the statutory review treats the X penalty as evidence that the existing tool already works, not as a mandate to build a bigger one.