In brief
- The Privacy and Other Legislation Amendment Act 2024 is the first tranche of Privacy Act reform, and part of it targets automated decision making directly.
- From 10 December 2026, privacy policies must disclose automated decisions that use personal information and could significantly affect a person’s rights or interests.
- The OAIC has published guidance on using commercially available AI products and consulted on further automated decision making guidance in mid 2026.
- Privacy obligations already apply to personal information entered into AI tools, and to AI outputs that contain personal information.
- The small business exemption still stands at the time of writing, but businesses above the threshold, and many below it, should prepare now.
What has changed?
The Privacy and Other Legislation Amendment Act 2024 passed in late 2024 as the first tranche of a broader reform of the Privacy Act 1988. Most attention went to the new penalties and the statutory tort for serious invasions of privacy, but the change that matters most for businesses adopting AI is quieter: a new transparency obligation for automated decision making.
From 10 December 2026, an organisation covered by the Australian Privacy Principles that uses a computer program to make decisions with personal information must say so in its privacy policy, where those decisions could reasonably be expected to significantly affect a person’s rights or interests. The policy must describe the kinds of personal information used and the kinds of decisions made. The OAIC consulted on guidance for this obligation in May and June 2026, with final guidance expected before commencement.
What counts as an automated decision?
The obligation is not limited to tools marketed as AI. It covers any computer program that makes, or substantially contributes to, a decision using personal information, where the outcome could significantly affect someone. In practice that can include screening job applications, approving or declining credit or a service, calculating premiums or prices for an individual, and scoring or ranking customers in ways that change how they are treated.
Many businesses run tools like these inside everyday platforms without thinking of them as automated decision making. The first step is an audit: list where software uses personal information to decide or recommend something about a person, and note which of those outcomes could significantly affect them.
Does this apply to your business?
The Privacy Act generally applies to businesses with annual turnover above $3 million, and to some below it, including health service providers and businesses that trade in personal information. The Australian Government has agreed in principle to remove the small business exemption in a later tranche of reform, but that change was not law at the time of writing.
Being exempt is not the same as being unaffected. Larger clients increasingly push privacy obligations down through contracts, and a business planning to grow past the threshold is better served building good habits early than retrofitting them later.
What the OAIC expects when you use AI tools
The OAIC’s guidance on commercially available AI products, published in October 2024, sets out how existing privacy obligations apply to AI use. Personal information entered into an AI tool is a use or disclosure under the Australian Privacy Principles, and AI outputs that contain personal information are also covered. The OAIC recommends a risk based approach to selecting AI products, updating privacy policies to reflect AI use, and clearly identifying public facing AI tools such as chatbots.
How to prepare before December 2026
Four actions cover most of the ground. Map where software and AI use personal information to make or shape decisions about people. Assess which of those decisions could significantly affect rights or interests. Update your privacy policy to describe the information used and the decisions made. Set a governance habit: new AI tools get a privacy check before rollout, not after.
None of this requires abandoning AI. The reforms assume businesses will keep automating decisions and ask for honesty about it.
Where to start
If your business is adopting AI and is unsure where the Privacy Act now touches it, a short review of your tools, data flows, and privacy policy will usually surface the gaps quickly. Sybre helps Australian businesses with this through its consulting and compliance and AI Enablement services. Contact us to talk through where your business stands before the December 2026 deadline.
Frequently asked questions
When do the automated decision making rules take effect?
From 10 December 2026. From that date, privacy policies must describe the kinds of personal information used in relevant automated decisions and the kinds of decisions made.
What counts as an automated decision under the new rules?
A decision made by a computer program using personal information, where the decision could reasonably be expected to significantly affect a person's rights or interests. Examples include loan approvals, CV screening, and risk scoring.
Does the Privacy Act apply to my small business?
Businesses with annual turnover of $3 million or less are generally exempt, with exceptions such as health service providers and businesses that trade in personal information. Removal of this exemption has been agreed in principle but was not law at the time of writing.
Do we need to stop using AI tools to comply?
No. The obligations are about transparency and handling personal information properly. A documented view of where AI makes or shapes decisions, and a privacy policy that reflects it, is the core of compliance.
