Australia's Privacy and Other Legislation Amendment Act 2024 — which received Royal Assent on 10 December 2024 — includes automated decision-making transparency requirements that commence on 10 December 2026. If your business uses AI, algorithmic scoring, or automated workflows to make decisions about people, you have eight months to comply. The maximum penalty for serious breaches: AUD $50 million.
This isn't a distant EU directive that may or may not affect Australian operators. This is Australian law, with Australian enforcement, on a fixed timeline.
What the Law Actually Requires
The new provisions target automated decision-making (ADM) — any process where AI, machine learning, or algorithmic systems make or substantially assist in making decisions about individuals. According to analysis from IIS Partners, the core obligations are:
Disclosure. Your privacy policy must explain that you use automated decision-making, what kinds of decisions it affects, and what categories of personal information are involved.
Notification. When someone has been subject to a solely automated decision, you must tell them — on request.
Explanation. You must be able to explain how the automated decision was made, in a way that's meaningful to the affected person.
Human review. If a decision was made solely by automated means, the individual can request human review.
The threshold is decisions that "significantly affect" someone — which, as Flowworks Legal notes, covers access to services, employment, credit, insurance, housing, and similar material interests.
Who's Affected
The requirements apply to organisations with annual turnover above AUD $3 million, plus health service providers, government contractors, and certain other entities regardless of turnover. That's the same scope as existing Privacy Act obligations.
But the practical reach is broader than most business owners realise. Akira Data's compliance analysis lists the AI use cases that trigger obligations:
- Chatbots that handle customer enquiries and make routing decisions
- Lead scoring systems that prioritise or deprioritise prospects
- Algorithmic pricing that adjusts quotes based on customer data
- Recruitment screening tools that filter CVs or rank candidates
- Credit assessment or tenant selection algorithms
- Customer segmentation that determines who gets access to offers or services
If you're using a CRM with AI features, a support platform with automated routing, or any tool that scores, ranks, or filters people — this likely applies to you.
The Enforcement Signal
The OAIC isn't waiting until December to start paying attention. In January 2026, the Office of the Australian Information Commissioner launched its first-ever compliance sweep, reviewing approximately 60 organisations across six sectors under its newly expanded enforcement powers. While that sweep focused on privacy policies for in-person data collection (APP 1.4), it signals something important: the regulator is shifting from publishing guidance to actively checking compliance.
The Privacy Act's new three-tier penalty structure scales penalties based on severity. Administrative breaches attract infringement notices up to $66,000. Systemic failures face substantially larger fines. And intentional misuse or conduct resulting in significant harm can reach the maximum — AUD $50 million, a multiple of the benefit obtained, or a percentage of annual turnover, whichever is greater.
How Australia Compares Internationally
Australia's approach sits between the EU's comprehensive AI Act — which has been in force since February 2025 — and the UK's lighter-touch, sector-specific model.
According to analysis from the Finance Brokers Institute, Australia's proposed framework borrows the EU's risk-tier structure (prohibited, high-risk, limited-risk, minimal-risk) but adapts it for Australian conditions. A notable design difference: Australia's proposed AI Safety Commissioner would be able to reclassify applications between risk tiers without requiring legislative amendment — avoiding the EU's problem of static rules for fast-moving technology.
The December 2026 Privacy Act amendments are the first binding obligation. The broader mandatory AI framework — covering algorithmic impact assessments, human oversight mechanisms, and third-party auditing for high-risk applications — is expected to phase in through 2027.
What to Do Now
Eight months sounds like plenty of time. It isn't, if you haven't started.
Audit your AI usage. Map every system in your business that uses AI, machine learning, or automated rules to make decisions about people. Include third-party tools — you can't shift accountability to your vendor.
Update your privacy policy. It must explicitly disclose your use of automated decision-making, the types of decisions affected, and the personal information involved. Akira Data provides a template framework as a starting point.
Build a human review process. When someone requests human review of an automated decision, you need a documented process for how that happens. "We'll look into it" isn't sufficient.
Document your decision logic. The explanation obligation means you need to be able to articulate, in plain language, how your automated systems reach their conclusions. Black-box models with no interpretability will be a compliance problem.
Talk to your vendors. If you use AI-powered tools from third parties, understand what data they process and what decisions they influence. Under the Privacy Act, the deploying organisation — not the vendor — bears accountability.
The Bottom Line
Australia's AI regulatory landscape is shifting from voluntary principles to enforceable law. The December 10, 2026 deadline is real, the penalties are material, and the OAIC is actively building its enforcement capability.
For businesses already using AI responsibly, compliance is mostly a documentation exercise. For those who've deployed AI tools without considering the privacy implications, the next eight months are critical.
The regulation isn't anti-AI — it's pro-transparency. Businesses that can clearly explain how they use AI to make decisions about people will be in a stronger position, not just legally, but with their customers.
Sources
- Privacy and Other Legislation Amendment Act 2024 — Federal Register of Legislation
- Australian Privacy Act Penalties: Understanding the New Civil Penalty Regime — Levo AI
- From 'Black Box' to Transparency: the Privacy Act's New ADM Rules — IIS Partners
- Privacy Act and AI: What to Do Before 2026 — Flowworks Legal
- The Privacy Policy Template for the December 2026 ADM Deadline — Akira Data
- OAIC to Exercise New Powers in Compliance Sweep — ADMA
- Australia's AI Regulatory Path: From Voluntary to Mandatory — Finance Brokers Institute