Australia privacy regulator flags age assurance trial claims

Freedom of Information documents show the Office of the Australian Information Commissioner raised concerns about privacy claims in the Government's Age Assurance Technology Trial, echoing criticism from Electronic Frontiers Australia.

The documents, obtained under FOI laws, relate to the trial's draft final report and exchanges between the privacy regulator and the eSafety office. In that correspondence, the OAIC wrote: "Our overarching concerns remain regarding the conclusive references to privacy and language in the report that overstates the privacy evaluation that has taken place in the Australian context."

The disclosure adds to scrutiny of a trial that examined age assurance tools and the privacy standards of participating vendors. It also revives debate over whether the published findings overstated vendors' compliance with Australian privacy expectations.

Electronic Frontiers Australia has long argued that the trial overstated the extent of its privacy assessment. The group's chair, John Pane, previously resigned from the trial's Stakeholder Advisory Board after raising concerns internally.

Pane said the newly released material supports that criticism. "These FOI documents validate EFA's position and its strong concerns about misleading privacy claims made by the AATT, demonstrating that Australia's chief privacy regulator shared similar concerns about the trial's methodology and findings on privacy issues," he said.

He also criticised how the trial reviewed suppliers. "It seems from the outset, the AATT testing of privacy controls was extremely superficial and not fit for purpose, with the end result having the necessary attributes of textbook privacy washing. The trial set an incredibly low bar for vendor compliance, bizarrely inferring operational privacy capabilities simply by reading participants' externally facing privacy policies. There was a glaring failure to undertake proper, detailed technical assessments of the participating vendors' actual privacy frameworks, risk registers, and operational controls directly against Australian privacy law," Pane said.

Privacy concerns

The OAIC's wording focused on both the language of the report and the degree of privacy evaluation actually carried out. That is significant because it suggests the regulator's concern was not merely about presentation, but also about the basis for the report's conclusions.

Age assurance systems have become central to broader efforts to restrict minors' access to certain online services, including social media and adult content. These systems often involve sensitive personal information, including identity data and, in some cases, biometric information, making privacy oversight a key issue in any assessment of their use.

Pane also criticised what he described as the trial's treatment of data handling by some vendors. "Furthermore, the AATT failed to identify or adequately condemn behaviors by certain vendors that indicated a serious misunderstanding of Australian privacy law regarding both data minimization and data retention by building backdoors and indefinitely retaining children's highly sensitive personal and biometric data on the assumption that a coroner or law enforcement agency might request it in the future," he said.

Final report

The dispute extends to the trial's final report, which Pane said presented the technology in favourable terms while omitting important tests. His criticism focused on whether the report examined how easily age assurance tools could be bypassed, either through technical workarounds or with third-party help.

"When the AATT Final Report was eventually released, it was predictably cloaked in government-friendly political rhetoric and sound bites, broadly claiming the technology was private, robust, and effective. Yet, while comprehensive in page count, the report conveniently excluded fundamental performance indicators from its scope-most notably, the ease with which these technologies can be circumvented by technical means or third-party collusion. EFA was the first civil society organization to give the AATT a big red F, and the release of the OAIC documents proves that assessment was entirely justified," Pane said.

The debate comes as Australian policymakers face pressure over the effectiveness of age-based restrictions online and the practical limits of enforcement. Critics of age assurance measures argue that weak implementation can create both privacy risks and a false sense of compliance.

Pane linked the issue to broader questions about social media regulation, arguing that the focus should shift from age-gating systems to platform accountability. He cited public figures that he said cast doubt on the impact of recent policy action, including data indicating that many young users remain on social media services.

"The government should have listened to the advice of EFA and the broader digital rights community from the beginning. Instead of pursuing a fundamentally flawed prohibition model, the focus must shift to regulating the platforms themselves. We urgently need to break the surveillance-based, data-extractive business models of social media giants. The solution lies in forcing a statutory digital duty of care onto these platforms to protect all users-not just children-from algorithmic manipulation and digital surveillance while simultaneously uplifting digital civics and online safety education for primary and secondary school students," Pane said.