What Government Can Do

Australia has already shown it can act on children's online safety. The under-16 social media ban passed Parliament in November 2024 and took effect in December 2025. The Children's Online Privacy Code is in development. The appetite for action exists. Here's what can be done right now.

NSW Department of Education

1. Reverse the "must be public" requirement

The NSW DoE social media procedures currently state that school accounts "must not restrict access or be set as 'private' or 'closed.'" This policy was written when "public" meant "accessible to the school community." In 2026, "public" means "scraped by AI, indexed by search engines, harvested by facial recognition, and available to anyone on earth."

The fix is straightforward: update the procedures to allow (or require) school social media accounts to use private or restricted settings. This is a policy update, not legislation. The Department can do this immediately.

2. Update the Permission to Publish form

The current consent form is binary (all public publishing or none) and makes no mention of AI training, facial recognition, or data scraping. It needs:

• Granular consent. Separate opt-in for each channel: school newsletter, school website, social media, and external media.
• AI risk disclosure. Explicit notification that public social media posts are scraped for AI training and facial recognition.
• Annual renewal. Consent should be reviewed annually, not remain open-ended.
• Default to private. Social media posting should require specific opt-in, not be bundled into general publishing consent.

This is a form update. It does not require legislation.

3. Issue clear guidance on AI-era social media risks

The Department should issue updated guidance to all NSW public schools addressing:

• The specific risks of posting children's images on public social media in 2026
• Meta's confirmed AI training practices and the lack of opt-out for Australians
• Facial recognition scraping from public Facebook content
• The deepfake pipeline from public photos to manipulated images
• Recommended alternatives for school communication (password-protected portals, dedicated school apps, private groups)

Schools are following current DoE guidance in good faith. That guidance is outdated. Updating it immediately changes the practice of every public school in NSW.

State and territory education departments (nationally)

4. Adopt consistent standards across all states

Every state and territory education department has its own social media policy for schools. None of them were written for the AI age. A coordinated national approach would ensure all Australian schoolchildren receive the same baseline protection, regardless of which state they live in.

The Education Council (the body that brings together state and territory education ministers) could agree to a set of minimum standards for school social media that include:

• No public posting of identifiable student images on social media platforms
• Granular, informed consent for any digital publication of student images
• Mandatory use of private or restricted settings on any school social media accounts
• Clear guidance on alternative communication platforms

Federal Government

5. Accelerate the Children's Online Privacy Code

The OAIC's Children's Online Privacy Code is due by December 2026. It should explicitly address:

• The use of children's images from public social media in AI training datasets
• Facial recognition scraping of children's images from public platforms
• The obligations of organisations (including schools) that post children's images publicly
• The right of children and parents to request deletion from AI training datasets

6. Close the consent gap in the Privacy Act

The current Privacy Act reform process should address the gap between what parents consented to ("publishing") and what actually happens ("permanent extraction into AI systems"). Consent given for one purpose (school communication) should not automatically extend to another (AI training, facial recognition).

The Privacy Act should also clarify that:

• A child's image is personal information in all contexts, including when posted by a school
• Public availability does not imply consent for AI training or biometric collection
• NSW government schools should be brought under the same privacy obligations as private schools

7. Require Meta to offer an opt-out for Australians

Meta offers European users an opt-out from AI training because GDPR requires it. Australians have no equivalent protection. Senator David Shoebridge summarised the situation directly: "Meta made it clear today that if Australia had these same laws, Australians' data would also have been protected."

Australia should legislate a right for all users, including schools and organisations, to opt out of having their public content used for AI training. Until then, the only defence is to not make the content public in the first place.

8. Enforce the Clearview AI order

The Australian Information Commissioner found Clearview AI breached the Privacy Act and ordered the company to stop collecting Australian data and delete what it had. There is no evidence of compliance. The OAIC should actively pursue enforcement, not let the matter rest.

What's already in motion