Privacy Act 1988 — Automated Decision-Making Reforms

Jurisdiction: Australia
Status: enacted
Effective: Dec 10, 2026
Authority: Office of the Australian Information Commissioner
Official text (verified Mar 26, 2026)

Obligations Covered

Transparency & Disclosure, Data Governance, Risk Assessment

Automated Decision-Making Transparency (APP 1.7/1.8)

Obligation: Transparency
Status: enacted
Effective: Dec 10, 2026
Risk tier: all
Scope: providers, deployers
Tags: sleeper, cross-domain, upcoming
Australia's Privacy Act reforms make AI transparency mandatory through privacy law rather than AI-specific legislation. Any organisation that uses personal information in automated decisions must disclose in its privacy policy the kinds of personal information used, the kinds of decisions involved, the logic applied, and the factors that most influence the outcome. A "human in the loop" does not exempt you: the disclosure duty applies where a decision is made solely by the automated system and also where the system does something substantially and directly related to making the decision. The OAIC has stated that "the algorithm decided" is not an acceptable explanation.

Requirements

Requirement: Details
Privacy policy disclosure: Must disclose the kinds of personal information used in automated decision-making
Decision type disclosure: Must describe the kinds of decisions made solely or substantially by automated systems
Plain language explainability: Must explain in plain language how the AI system reaches its decisions
Influential factors: Must disclose the factors that most significantly influence outcomes
Substantial role test: Applies even when a human reviews the decision, if the automated system's output is substantially and directly related to making it

Penalties

Violation: Fine
Serious breach: Civil penalties under the Privacy Act's enforcement provisions; for a serious interference with privacy the maximum for a body corporate is the greater of A$50 million, three times the benefit obtained from the conduct, or 30% of adjusted turnover for the breach turnover period

Data Minimisation for AI Systems

Obligation: Data Governance
Status: enacted
Effective: Dec 10, 2026
Risk tier: all
Scope: providers, deployers
Tags: sleeper, cross-domain
The reformed Privacy Act's collection principle (APP 3) prohibits collecting broad datasets "in case they might be useful" for AI training. Each data input to an AI system must be demonstrably reasonably necessary for the specific purpose it serves. This directly affects how organisations build training datasets and deploy AI models that use personal information.

Requirements

Requirement: Details
Data minimisation: Each AI data input must be reasonably necessary for the specific purpose
No speculative collection: Cannot collect broad datasets for potential future AI use
Purpose limitation: AI systems may only use personal information for the primary purpose of collection, or for a secondary purpose permitted under APP 6 (for example, with consent, or where the use is related and the individual would reasonably expect it)
Enhanced consent: Specific, informed, voluntary and current consent is required for AI training and profiling
Vendor due diligence: Must assess third-party AI vendors for their data handling practices

Penalties

Violation: Fine
Serious breach: Civil penalties under the Privacy Act's enforcement provisions; for a serious interference with privacy the maximum for a body corporate is the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover for the breach turnover period

Privacy Impact Assessments for AI

Obligation: Risk Assessment
Status: enacted
Effective: Dec 10, 2026
Risk tier: all
Scope: providers, deployers
Tags: sleeper

Requirements

Requirement: Details
Privacy Impact Assessment: Must conduct a PIA before deploying AI systems that handle personal information
Proactive disclosure: Must proactively disclose AI use at the point of data collection
Third-party assessment: Remain responsible for personal information shared with external AI platforms

Penalties

Violation: Fine
Serious breach: Civil penalties under the Privacy Act's enforcement provisions; for a serious interference with privacy the maximum for a body corporate is the greater of A$50 million, three times the benefit obtained, or 30% of adjusted turnover for the breach turnover period