On 20 May 2026, Australia's eSafety Commissioner issued the first-ever Direction to Comply under the country's new Age-Restricted Material Codes, ordering an Argentina-based AI "nudify" service to deploy age-assurance protections within 14 days or face civil penalties of up to A$49.5 million and search-engine delisting notices. The service — which lets users upload images of real people and generate sexually explicit deepfakes on demand — was drawing nearly 40,000 visits a month from Australia as of March 2026, and its operator had ignored eSafety's earlier engagement attempts.
This is a useful test case, because it forces a question our readers should sit with honestly: when is a sweeping new regulatory power used well? Here, mostly, it was. But the same machinery that disciplined a deepfake-abuse operator is built to reach far further, and that is where proportionality starts to fray.
The strongest case for the regulator
Start with the steelman. Non-consensual intimate imagery is not a close call. Nudify tools exist overwhelmingly to humiliate, coerce, and — when the target is a minor — manufacture child sexual abuse material. eSafety has documented these harms in Australian schools, and in November 2025 it forced a UK-based provider of three of the world's most-used nudify services (roughly 100,000 Australian visits a month) to withdraw access entirely after an official warning; the services later relaunched under new ownership with mandatory age assurance. The Argentina action is the same playbook applied under newer, harder-edged law.
The Age-Restricted Material Codes, registered on 9 September 2025 and in force since 9 March 2026, require app stores, social media services, AI chatbots, and other designated internet services to keep under-18s away from pornography, high-impact violence, and self-harm content using age-assurance methods that are, in eSafety's words, "accurate, robust, fair and reliable." A service whose entire product is on-demand sexual deepfakes, accessible to any child with a browser, is precisely the actor these codes were written for. Targeting it — rather than the open-source image models or the general-purpose platforms upstream — is a narrow, defensible exercise of enforcement discretion.
Where proportionality gets harder
The problem is not this enforcement action. It is the breadth of the instrument behind it.
First, the delisting power. Ordering search engines to de-index a site is a content-availability remedy aimed at an offshore operator that Australian penalties cannot easily reach. It is pragmatic, but it normalises search-result removal as a routine compliance lever — a tool that reads very differently when pointed at lawful adult content or a marginal-but-legal service than when pointed at a deepfake-abuse shop. Powers are defined by their worst foreseeable use, not their best debut.
Second, age assurance itself. Australia's broader regime now leans heavily on verifying who is on the other side of the screen. The under-16 social-media restriction that took effect on 10 December 2025 led the government to report more than 4.7 million accounts deactivated, removed, or restricted by mid-January 2026. The government's own Age Assurance Technology Trial, whose final report landed on 31 August 2025, concluded the technology can work "when deployed the right way" — but also flagged higher error rates and output variability for people of colour and certain age and gender presentations. Age estimation that misreads adults is not a rounding error; it is a tax on lawful access to lawful speech, paid disproportionately by the people the tools read least well.
Third, the privacy bargain. Robust age assurance for explicit content tends toward document checks or biometric estimation. eSafety stresses the data is "managed solely by the service" and must comply with privacy law, but the structural reality is more identity-linked data collected at more chokepoints across the web. The Electronic Frontier Foundation, surveying a parallel wave of U.S. state social-media bans in 2026, warns that age gates build "a dangerous new system of control" — surveillance infrastructure that survives long after the moral panic that justified it.
The line worth holding
None of this argues for inaction against nudify services. It argues for keeping two categories distinct. Compelling a deepfake-abuse operator to verify age — or exit the market — is proportionate because the service's lawful uses are essentially nil and the harm is concrete and severe. Compelling the general internet to verify everyone's age before they read or post lawful content is a different proposition: it burdens adult speech, leaks identity data, and degrades access for the worst-served users, all to address harms better met by narrower tools.
The Age-Restricted Material Codes will be judged not by this first direction but by the hundredth. If eSafety holds the line — reserving its heaviest powers for services where harm is the product, and resisting the temptation to age-gate the open web by default — Australia will have a model worth exporting. If the codes instead become a general-purpose identity checkpoint, the cost will land on exactly the speech and privacy interests an open internet depends on. The Argentina action shows the regulator can aim. The harder discipline is knowing when not to fire.