Privacy Act 1988 — Automated Decision-Making Reforms

Jurisdiction: Australia
Status: enacted
Effective: Dec 10, 2026
Authority: Office of the Australian Information Commissioner
Official text: verified Jun 30, 2026

Obligations Covered

Transparency & Disclosure; Data Governance; Risk Assessment

Automated Decision-Making Transparency (APP 1.7/1.8)

Obligation: Transparency
Status: enacted
Effective: Dec 10, 2026
Risk tier: all
Scope: providers, deployers
Tags: sleeper, cross-domain, upcoming
Australia's Privacy Act reforms make AI transparency mandatory through privacy law — not AI-specific legislation. Any organization using personal information in automated decisions must update its privacy policy to describe, in general terms, the kinds of personal information used and the kinds of decisions made or substantially assisted by ADM. Even "human in the loop" doesn't exempt you if the algorithm plays a substantial role.

Requirements

Requirement | Details
Privacy policy disclosure | Must disclose the kinds of personal information used in ADM
Decision type disclosure | Must describe the kinds of decisions made solely or substantially by automated systems
Kinds-of-data/decisions disclosure | Privacy policy must describe, in clear terms, the kinds of personal information used in ADM and the kinds of decisions made or substantially assisted by ADM (APP 1.7-1.9); this is not a causal or plain-language explanation of how the AI reaches a decision
Influential factors (practitioner best practice, not statutory) | Some practitioner guidance recommends disclosing the factors that most significantly influence ADM outcomes as a best practice; this is not a requirement under the text of APP 1.7-1.9
Substantial role test | Applies even when a human reviews the decision, if the AI is an essential part of the process

Penalties

Violation | Fine
Serious breach | Significant civil penalties per Privacy Act enforcement provisions

Data Minimisation for AI Systems

Obligation: Data Governance
Status: enforcing
Effective: Dec 21, 1988
Risk tier: all
Scope: providers, deployers
Tags: sleeper, cross-domain
APP 3 and APP 6 data minimisation and purpose limitation have always applied to AI systems processing personal information — these are existing obligations, not new POLA Act requirements. The POLA Act 2024 strengthened general APP enforcement but did not insert an AI-specific minimisation clause effective 2026-12-10. Organisations collecting personal data for AI training or inference must ensure collection is reasonably necessary for a specific purpose (APP 3) and that data is only used for the purpose for which it was collected (APP 6). OAIC's Children's Online Privacy Code (registerable by Dec 2026) imposes additional data minimisation duties for child-facing AI services as a code instrument, not a standalone APP amendment.

Requirements

Requirement | Details
Data minimisation | Collection of personal information must be reasonably necessary for the specific function or activity (APP 3)
No speculative collection | Cannot collect personal data for potential future AI use without a justified purpose at the time of collection
Primary purpose limitation | AI systems may only use personal data for the purpose for which it was collected, or a directly related secondary purpose (APP 6)

Penalties

Violation | Fine
Serious breach | Significant civil penalties per Privacy Act enforcement provisions

Privacy Impact Assessments for AI

Obligation: Risk Assessment
Status: enforcing
Effective: Dec 21, 1988
Risk tier: all
Scope: providers, deployers
Tags: sleeper
No general statutory PIA mandate for AI exists in the Privacy Act 1988. The POLA Act 2024 did not enact a universal PIA requirement effective 2026-12-10. PIAs are however a "reasonable step" expected under APP 1 for high-risk processing (including AI, profiling, large-scale analytics) per OAIC guidance — failure to conduct a PIA for high-risk AI will be treated as evidence of non-compliance with APP 1. Specific instruments (e.g. the Children's Online Privacy Code, government data-sharing frameworks) do mandate PIAs in defined contexts.

Requirements

Requirement | Details
PIA as reasonable step | OAIC treats PIAs as a "reasonable step" under APP 1 for high-risk AI deployments; absence is evidence of non-compliance for high-risk processing
Third-party accountability | Organisations remain responsible under APP 11 for personal data shared with external AI platforms; due diligence on vendors is part of APP 1 compliance
Children's Online Privacy Code | PIAs required for child-facing AI services once the Code is registered (by 10 December 2026); this is Code-based, not a standalone Privacy Act obligation

Penalties

Violation | Fine
APP 1 non-compliance | Civil penalties per Privacy Act enforcement provisions; OAIC has signalled an enforcement focus on high-risk AI

Cite this regulation

Permalink: https://everyailaw.com/regulation/au-privacy-act-adm/

Attribution: EveryAILaw, PAICE.work PBC. “Privacy Act 1988 — Automated Decision-Making Reforms”, EveryAILaw.com, Jun 30, 2026. https://everyailaw.com/regulation/au-privacy-act-adm/