Newly released documents seen by EFA and obtained by Cam Wilson (a journalist for Crikey and friend of EFA) —read the full Crikey article here — under the Freedom of Information Act reveal that internal assessments by the Office of the Australian Information Commissioner (OAIC) align substantially with the early warnings and independent observations made by Electronic Frontiers Australia (EFA) regarding inaccurate claims around privacy compliance by participating vendors in the Australian Government’s Age Assurance Technology Trial (AATT) draft and final reports.
Months ago, EFA Chair John Pane — who resigned from the AATT Stakeholder Advisory Board after airing these exact concerns to the board — subsequently publicly called out the AATT trial for prioritising political sound bites and slogans instead of comprehensively assessing privacy compliance claims made about AATT vendor participants.
“These FOI documents validate EFA’s position and its strong concerns about misleading privacy claims made by the AATT, demonstrating that Australia’s chief privacy regulator shared similar concerns about the trial’s methodology and findings on privacy issues.” — John Pane, EFA Chair.
In June last year EFA called this behaviour out as ‘privacy washing’. The OAIC has been more diplomatic in its correspondence to eSafety, stating:
“Our overarching concerns remain regarding the conclusive references to privacy and language in the report that overstates the privacy evaluation that has taken place in the Australian context.”
Pane elaborated on the fundamental flaws in the trial’s methodology:
“It seems from the outset, the AATT testing of privacy controls was extremely superficial and not fit for purpose, with the end result having the necessary attributes of textbook ‘privacy washing.’ The trial set an incredibly low bar for vendor compliance, bizarrely inferring operational privacy capabilities simply by reading participants’ externally facing privacy policies. There was a glaring failure to undertake proper, detailed technical assessments of the participating vendors’ actual privacy frameworks, risk registers, and operational controls directly against Australian privacy law.”
Pane also raised serious concerns about how certain vendors handled children’s sensitive data:
“The AATT failed to identify or adequately condemn behaviours by certain vendors that indicated a serious misunderstanding of Australian privacy law regarding both data minimisation and data retention — by building backdoors and indefinitely retaining children’s highly sensitive personal and biometric data on the assumption that a coroner or law enforcement agency might request it in the future.”
On the AATT’s Final Report, Pane was unsparing:
“When the AATT Final Report was eventually released, it was predictably cloaked in government-friendly political rhetoric and sound bites, broadly claiming the technology was ‘private, robust, and effective.’ Yet, while comprehensive in page count, the report conveniently excluded fundamental performance indicators from its scope — most notably, the ease with which these technologies can be circumvented by technical means or third-party collusion. EFA was the first civil society organisation to give the AATT a ‘big red F,’ and the release of the OAIC documents proves that assessment was entirely justified.”
The consequences of this politically driven, gap-ridden technological approach are now playing out in real time. Recent data in the public domain indicates that despite earlier regulatory posturing as to the social media ban’s success, 70% of young people remain on social media platforms, while over 4 million children have been supposedly removed according to the social media platforms themselves. The numbers don’t add up.
In closing, Pane called for a fundamental shift in approach:
“The government should have listened to the advice of EFA and the broader digital rights community from the beginning. Instead of pursuing a fundamentally flawed prohibition model, the focus must shift to regulating the platforms themselves. We urgently need to break the surveillance-based, data-extractive business models of social media giants. The solution lies in forcing a statutory digital duty of care onto these platforms to protect all users — not just children — from algorithmic manipulation and digital surveillance, while simultaneously uplifting digital civics and online safety education for primary and secondary school students.”
See EFA’s previous media release from June 2025: Preliminary Findings of the Australian Government’s Age Assurance Technology Trial.