On 21 May 2026, Justice Michael Wheelahan of Australia's Federal Court ordered X Corp to pay an AUD 650,000 (~USD 465,000) civil penalty for breaching the Online Safety Act 2021, plus AUD 100,000 toward eSafety Commissioner Julie Inman Grant's legal costs — AUD 750,000 in total, due within 45 days. The judgment closes a three-year fight that began when the regulator issued a transparency notice to the company then known as Twitter Inc. on 22 February 2023.
The penalty lands close to the statutory maximum of AUD 687,500. Wheelahan was explicit about why: a fine near the ceiling was warranted because X is "a substantial corporation," so the sum had to "operate as a real deterrent and is not simply a cost of doing business." Counsel for the Commissioner, Christopher Tran, made the same point — a large figure was needed so non-compliance would not be treated as an operating expense.
What X actually did wrong
It is worth being precise about the breach, because the headline number invites confusion. X was not punished for hosting child sexual exploitation material, nor for refusing to remove it. The 2023 notice — one of five sent that February to Twitter, Google, TikTok, Twitch and Discord under the Basic Online Safety Expectations — asked the platforms to report on how they detect and respond to such material. X filed a report, but the Commissioner found numerous answers inadequate, incomplete, or left blank: how its content-recommendation systems work, how quickly it responds to user reports of abuse, and what tools it has to detect livestreamed abuse.
This is, fundamentally, a disclosure offence. The state asked a regulated company a set of factual questions about its safety systems and the company declined to answer them fully. That is a meaningfully different thing from a government dictating what speech may appear online.
The strongest case for the fine
The regulator's position deserves a fair hearing, not a caricature. Platforms hold a near-total informational advantage regarding their own moderation systems; outsiders cannot audit what they cannot see. Transparency mandates are the least intrusive tool a regulator has — they compel facts, not outcomes — and they are the precondition for any evidence-based policy at all. Inman Grant's framing, that "meaningful transparency was critical to holding technology companies to account," is hard to dispute in principle. And X did not merely disagree on the merits; it left mandatory questions unanswered and then argued in court that the corporate merger of Twitter Inc. into X Corp in March 2023 had extinguished the obligation entirely. Wheelahan rejected that argument in October 2024, and the full Federal Court upheld him in July 2025. A regulator that issues a lawful notice and is met with a corporate-structure technicality has a legitimate interest in a penalty that bites.
Why this enforcement is proportionate — and where the real risk lies
From a pro-innovation, free-speech standpoint, the encouraging part of this case is what it is not. It is not a content-takedown order with extraterritorial reach. It is not an age-verification mandate that forces every user to prove their identity to read a webpage. It is not a vague "duty of care" that makes platforms liable for the speech of their users. It is a transparency obligation, narrowly drawn, tied to one of the few categories — child sexual abuse material — where there is near-universal agreement that disclosure serves a compelling public interest. Reporting duties of this kind are the defensible end of the online-safety spectrum precisely because they expand the public record without shrinking the space for lawful expression.
The worry is that the same regulator's toolkit also contains far blunter instruments. eSafety has pursued global content-removal orders, and Australia's December 2024 social-media age-restriction regime (Part 4A of the Act) pushes the state into mandating who may speak and listen online — the kind of measure the Electronic Frontier Foundation has warned, in the context of California's parallel social-media restrictions, risks building "a dangerous new system of control" under the banner of child safety. Age gates and identity checks impose real costs on every adult user's privacy and on smaller platforms that cannot absorb the compliance burden, and they rarely deliver the protection promised.
The lesson the X judgment should reinforce is the distinction between these tools. Compelling a company to describe its safety systems is proportionate; compelling every citizen to surrender identity documents to use those systems is not. Regulators that lean on transparency, audited reporting and deterrent penalties for non-cooperation can hold platforms accountable without policing speech. Those that reach for age mandates and takedown powers trade a marginal, often illusory safety gain for a structural hit to the open internet.
The takeaway for platforms
For X specifically, the case is a self-inflicted wound. Had it answered the notice in good faith in 2023 — even with answers the regulator disliked — there would be no penalty. Stonewalling and then litigating a merger technicality for three years converted a routine reporting exercise into a near-maximum fine and an adverse precedent now binding on every platform operating in Australia. Companies that treat lawful transparency demands as optional should expect regulators, and courts, to make the cost of refusal exceed the cost of compliance. The better posture — for the industry's own credibility in resisting genuinely overbroad regulation — is to answer the proportionate questions fully, and save the fight for the mandates that actually threaten the open internet.