Skip to main content

Please be advised that our office will be closed from 5pm – Tuesday, 24 December, and will reopen on Thursday, 2 January 2025.

Published 3 June 2024

Read Privacy Commissioner Carly Kind’s opinion piece published in The Australian on Tuesday 28 May 2024.

In the days between last Christmas and the new year, when most Australians were still digesting their Christmas meal in front of the cricket, the Office of the Australian Information Commissioner (OAIC) was fielding media inquiries about research that revealed Chinese-owned social media platform TikTok was harvesting Australians’ data, using tracking pixels.

The claims are accurate. TikTok, like all other social media platforms, receives personal information about internet users as they move across the web.

The range of data that websites share differs greatly across sites, but can span from the basic fact of a site visit to personal details such as email addresses and mobile numbers.

Some of this data Australians might already suspect is being shared – ever looked at a pair of shoes on an e-commerce site only to find them following you around your Facebook feed? But most people wouldn’t reasonably expect household brand websites, medical providers or news sites to be disclosing to X, Facebook, Snapchat or TikTok where you go on their site, how long you stay for, and what you read.

As Privacy Commissioner, I am concerned about these intrusive tracking practices. This has also been raised by others, such as Senator James Paterson, who has repeatedly raised concerns about TikTok’s pixel. However, having completed my office’s preliminary inquiries into TikTok’s use of the tracking tool and from the information before me, I can only conclude that, while harmful, invasive, and corrosive of online privacy, there has not been any obvious and clear contravention by TikTok of Australian privacy law as it is written.

I will be the first to say, these practices are unacceptable. Pixels are one of many tracking tools, including cookies, that permit granular user surveillance across the internet and social media platforms. These tools underpin a digital ecosystem driven by the business model of advertising – what professor Shoshana Zuboff called ‘‘surveillance capitalism’’ – wherein brands, keen for our attention, pay a premium to platforms that know enough about us to deploy the right ad at the right time.

Our website browsing preferences have become currency in a data economy that incentivises the collection of more and more personal data; the creation of more and more outrageous, misogynistic and bombastic content; and the engineering of more and more addictive features to keep us scrolling.

Our daily interactions with online and offline attempts to acquire our personal information are like death by a thousand cuts, wearing down our ability to meaningfully engage with privacy policies, terms and conditions and consent notices.

TikTok and other major social media platforms are key drivers of this economy. But so are the shopping outlets, news media, health providers, educational institutions and other online services that embed pixels and other tracking tools in their websites. Indeed, legally it is website providers who are primarily responsible for the collection and disclosure of this personal information in the first place.

At a minimum, they have an obligation to ensure that sharing web browsing data with social media platforms is in line with what internet users might reasonably expect. The bar is higher for websites that might be collecting sensitive information about a person’s health, politics, sexual orientation or religious beliefs.

Australia’s privacy laws do not outlaw such online tracking. Our legislation, written more than three decades ago, has struggled to keep pace with advances in technology and business practices. The law permits organisations to determine what and how much personal data they need for their activities, and does not require them to consider the impact of collecting this data on individual privacy.

We urgently need reform of the Privacy Act. It is the best way to tackle the most harmful aspects of the digital ecosystem. Privacy law reform could not only lift the standards for consent, bring into scope a larger subset of the Australian economy, and expand the powers of the OAIC to enforce privacy law, but also introduce a ‘‘fair and reasonable’’ test that could end these kinds of practices. The fair and reasonable test would prevent organisations from using consent as a shield for bad privacy practices, and require them to consider a range of factors, including whether the impact on privacy is proportionate to the benefit gained. In the case of kids’ personal information, platforms and websites will need to establish that collecting the data is in the child’s best interests.

Unless and until the government introduces such reform, there’s no clear route for me as Privacy Commissioner to take action against TikTok for its use of pixels. A regulator like the OAIC must always direct its attention – and its resources – to where they will have the greatest impact. This case raises issues that are sadly not unique to TikTok, and any litigation or investigation by the OAIC would be on uncertain legal footing.

This may be surprising news for people who instinctively feel that the law should prohibit foreign-owned social media companies from amassing so much valuable personal information. This could be another area to be explored through law reform, and there are different models internationally we might draw from.

The European Union uses a regimen of ‘‘adequacy’’ to prescribe where data can go, and US President Joe Biden recently issued an executive order banning the transfer of certain data to countries of concern, including China, Russia and Iran. The efficacy of such interventions has to be balanced against the clear interest in ensuring data can continue to flow across borders to permit Australian businesses to compete in a global economy.

Data-driven innovation offers economic opportunities but risks to Australians’ privacy must be addressed.