Privacy Act 1988 — Automated Decision-Making Reforms
Obligations Covered
Automated Decision-Making Transparency (APP 1.7/1.8)
Australia's Privacy Act reforms make AI transparency mandatory through privacy law — not AI-specific legislation. Any organisation using personal information in automated decisions must disclose the types of data used, the logic applied, and the most influential factors. Even "human in the loop" doesn't exempt you if the algorithm plays a substantial role. The OAIC has stated that "the algorithm decided" is not an acceptable explanation.
Requirements
| Requirement | Details |
|---|---|
| Privacy policy disclosure | Must disclose kinds of personal information used in ADM |
| Decision type disclosure | Must describe kinds of decisions made solely or substantially by automated systems |
| Plain language explainability | Must explain in plain language how AI reaches decisions |
| Influential factors | Must disclose factors most significantly influencing outcomes |
| Substantial role test | Applies even when human reviews if AI is essential part of the process |
Penalties
| Violation | Fine |
|---|---|
| Serious breach | Significant civil penalties per Privacy Act enforcement provisions |
Data Minimisation for AI Systems
APP 3 and APP 6 data minimisation and purpose limitation have always applied to AI systems processing personal information — these are existing obligations, not new POLA Act requirements. The POLA Act 2024 strengthened general APP enforcement but did not insert an AI-specific minimisation clause effective 2026-12-10. Organisations collecting personal data for AI training or inference must ensure collection is reasonably necessary for a specific purpose (APP 3) and that data is only used for the purpose for which it was collected (APP 6). OAIC's Children's Online Privacy Code (registerable by Dec 2026) imposes additional data minimisation duties for child-facing AI services as a code instrument, not a standalone APP amendment.
Requirements
| Requirement | Details |
|---|---|
| Data minimisation | Collection of personal information must be reasonably necessary for the specific function or activity (APP 3) |
| No speculative collection | Cannot collect personal data for potential future AI use without a justified purpose at time of collection |
| Primary purpose limitation | AI systems may only use personal data for the purpose for which it was collected, or a directly related secondary purpose (APP 6) |
Penalties
| Violation | Fine |
|---|---|
| Serious breach | Significant civil penalties per Privacy Act enforcement provisions |
Privacy Impact Assessments for AI
No general statutory PIA mandate for AI exists in the Privacy Act 1988. The POLA Act 2024 did not enact a universal PIA requirement effective 2026-12-10. PIAs are however a "reasonable step" expected under APP 1 for high-risk processing (including AI, profiling, large-scale analytics) per OAIC guidance — failure to conduct a PIA for high-risk AI will be treated as evidence of non-compliance with APP 1. Specific instruments (e.g. the Children's Online Privacy Code, government data-sharing frameworks) do mandate PIAs in defined contexts.
Requirements
| Requirement | Details |
|---|---|
| PIA as reasonable step | OAIC treats PIAs as a "reasonable step" under APP 1 for high-risk AI deployments; absence is evidence of non-compliance for high-risk processing |
| Third-party accountability | Remain responsible under APP 11 for personal data shared with external AI platforms; due diligence on vendors is part of APP 1 compliance |
| Children's Online Privacy Code | PIAs required for child-facing AI services once the Code is registered (by 10 December 2026); this is Code-based, not a standalone Privacy Act obligation |
Penalties
| Violation | Fine |
|---|---|
| APP 1 non-compliance | Civil penalties per Privacy Act enforcement provisions; OAIC has signalled enforcement focus on high-risk AI |