← All posts

TL;DR

From 10 December 2026, the amended Privacy Act requires APP entities using automated decision-making to disclose what data they use and what decisions are automated. Penalties reach $50 million or 30% of turnover. The OAIC gets stronger enforcement powers. Every AI tool processing personal information falls under these requirements — and the deploying organisation, not the vendor, is liable.

On 10 December 2026, the most significant overhaul of Australian privacy law in a generation comes into effect. The amendments to the Privacy Act 1988 will reshape how every organisation covered by the Australian Privacy Principles handles personal information. For companies using artificial intelligence — which, by late 2026, will be nearly all of them — three changes in particular will force a reckoning that most organisations have not yet begun to prepare for.

Automated Decision-Making: The Transparency Obligation That Changes Everything

The headline change is mandatory transparency for automated decision-making. From December, any APP entity that uses a computer program, algorithm, or automated system to make or influence a decision that affects an individual's rights or interests must disclose this in their privacy policy. The disclosure must specify what kinds of personal information are used, what kinds of decisions are made or influenced by the automated system, and how those decisions affect the individual.

This sounds narrow. It isn't. The scope of "automated decision-making" under the amended Act captures far more than most organisations realise.

If your AI summarises customer call transcripts and that summary is read by a human who makes a decision based on it, the AI influenced the decision. It counts. If your AI scores job applications and a recruiter uses that score to shortlist candidates, the AI influenced the hiring decision. It counts. If your AI flags transactions as potentially fraudulent and those flags determine whether a payment is processed, the AI influenced the outcome. It counts. If your AI analyses customer sentiment from emails and that analysis determines which customers receive follow-up contact, the AI influenced the service decision. It counts.

And here is the part most organisations miss: it applies to third-party AI tools. If your team uses a meeting transcription service that runs on someone else's AI, and the transcripts inform decisions about clients, the ADM transparency obligation applies to you, not to the transcription vendor. The deploying entity — your organisation — is the APP entity. The obligation is yours.

The Penalty Regime: Numbers That Get Board Attention

The amendments introduce a penalty framework designed to be taken seriously. For serious or repeated interferences with privacy, the maximum penalty is the greater of $50 million, three times the value of the benefit obtained from the contravention, or 30 per cent of the organisation's adjusted turnover during the breach turnover period.

For a mid-sized Australian company with $50 million in annual revenue, that's a potential $15 million penalty. For a large enterprise with $500 million in turnover, it's $150 million. These are not compliance-programme-justification numbers. These are boardroom-conversation numbers.

The penalty framework applies to ADM transparency failures. If your privacy policy does not disclose that you use AI for automated decisions, and you do, and the OAIC determines that individuals were affected without being informed, the penalty regime applies. "We didn't realise the transcription service counted" is not likely to be a successful defence.

The OAIC Gets Teeth

For most of its existence, the Office of the Australian Information Commissioner has been under-resourced and limited in its enforcement options. The Clearview AI case exemplified the problem. In 2021, the OAIC ruled that Clearview had breached the Privacy Act by scraping images of Australians from the internet without consent. Clearview appealed. The case dragged on. In August 2024, the OAIC abandoned further action, citing resource constraints. Meanwhile, the UK's Information Commissioner's Office fined Clearview £7.5 million. The French data protection authority fined them €20 million. Italy fined them €20 million. Australia collected nothing.

The amendments change this. The OAIC gains the power to issue infringement notices for privacy breaches — effectively, regulatory fines without having to go through a full court process. It gains stronger investigative powers, including the ability to compel information and conduct assessments. It gains an expanded regulatory toolkit that moves it from the "please fix this" era to the "here is the penalty" era.

The message to Australian organisations is clear: the regulator that let Clearview walk away in 2024 is not the regulator you will face in 2027. The amendments were designed, in part, as a direct response to that case. Parliament saw what happened and gave the OAIC the powers it lacked. The test cases will come. Don't be one of them.

Personal Information: The Definition Expands

The amendments broaden the definition of personal information, capturing more of what AI systems process. The shift is from a narrow "identified or reasonably identifiable" standard to a broader one that considers the context, the cost, and the technology available to identify individuals from data.

For AI systems, this matters enormously. AI models that process customer interactions are handling data that, in combination with other available information, could reasonably identify individuals. A transcript of a customer call, combined with the caller's phone number in your CRM, is personal information. A meeting recording that captures voices and names, combined with the meeting invitation in your calendar, is personal information. An AI-generated summary of a client interaction, combined with the client's file, is personal information.

Under the amended Act, your organisation's obligations extend to how your AI vendors handle this data. If your meeting transcription vendor stores audio files on servers in a jurisdiction without adequate privacy protections, that's your APP 8 cross-border disclosure problem. If your customer sentiment vendor uses interaction data to train its models without explicit consent, that's your APP 6 use and disclosure problem. The vendor's privacy policy is not your compliance. Their practices become your liability.

What December 2026 Means in Practice

Here is the practical reality of what the amendments require for any organisation using AI to process personal information.

You need to know every AI tool your organisation uses that touches personal information. Not just the ones IT approved. The ones individual teams adopted. The meeting assistant your executive assistant installed. The transcription service your legal team uses for client calls. The document analyser your compliance team feeds with customer files. Every single one.

For each of these tools, you need documented answers to specific questions: what personal information does it process? Where is that data stored? Who has access? Is the vendor's data handling compliant with the APPs? Has the model been tested for bias? Can decisions the model influences be explained to the affected individual? What does the vendor's privacy policy actually say — not the summary, the full document?

You need your privacy policy updated with ADM disclosures. Not a generic statement that "we may use automated systems." Specific disclosures: what systems, what data, what decisions, what effect on individuals. The amended Act requires meaningful transparency, not boilerplate.

You need vendor contracts that address APP compliance. If your current vendor agreements don't include data processing terms that satisfy the APPs, they need to. The amendments don't create a vendor exemption. Your organisation is the APP entity. The vendor's compliance gaps are your compliance gaps.

Why Most Organisations Will Be Caught Off Guard

December 2026 sounds distant. It isn't. The organisations that will be compliant on 10 December are the ones that started their AI vendor audits in mid-2026. Auditing takes time. Vendor negotiations take time. Privacy policy rewrites take time. Internal training takes time. If you start in November 2026, you will not be ready in December 2026.

The pattern we see in our work is consistent. Organisations know the amendments are coming. They've assigned someone to "look into it." That person is busy. The project hasn't started. The AI tools keep proliferating. The gap between what the law will require and what the organisation can demonstrate is growing, not shrinking, with every new AI tool a team adopts without governance oversight.

The organisations that will be fine are the ones that treat December 2026 as a deadline with consequences. They're auditing now. They're updating policies now. They're bringing vendors into compliance now. They'll be ready because they started early.

The organisations that will be caught out are the ones that are still treating this as a 2027 problem.

Don't wait for the deadline. An independent AI vendor audit identifies compliance gaps before the OAIC does.

Frequently asked questions

What changes in the Privacy Act on 10 December 2026?

The amendments require APP entities using automated decision-making to disclose what personal information is used, what decisions are automated, and how they affect individuals. The OAIC gets stronger enforcement powers including infringement notices, and penalties reach $50 million or 30 percent of turnover.

Does the Privacy Act amendment apply to AI tools we use from third parties?

Yes. If you deploy a third-party AI tool that processes personal information, the APPs apply to you as the APP entity. The regulator fines you, not the vendor.

What is automated decision-making under the amended Privacy Act?

It covers any system where AI processes personal information and the output influences decisions about individuals — including screening, scoring, summarising, flagging, or routing. Even AI meeting summarisers and transcription tools may qualify.

What should companies do to prepare for the December 2026 Privacy Act deadline?

Audit all AI vendors processing personal information, update privacy policies with ADM disclosures, document data flows and decision logic, and ensure vendor contracts include APP compliance obligations. Start now — December is closer than it seems.