
Background
Australian privacy law has undergone a significant shift. What was once treated as a background compliance obligation, often dealt with through generic policies or “best practice” guidelines, has now evolved into a core legal and commercial risk.
Between late 2024 and mid‑2025, the Commonwealth Government introduced the first major overhaul of the Privacy Act 1998 (Cth) in decades. These changes fundamentally reshape how businesses must manage personal information and significantly increase the consequences of non-compliance.
A central feature of the reforms is a new focus on transparency and accountability in how data is used, particularly in the context of artificial intelligence and automated decision making (ADM).
What Has Changed?
The reforms mark a shift toward accountability and enforcement. Businesses that mishandle personal information now face serious consequences, including:
- Substantially higher penalties, with fines reaching up to $50 million for serious breaches;
- A new ability for individuals to bring claims for serious invasions of privacy;
- Increased scrutiny of ADM; and
- New criminal offences for certain misuse of personal information such as doxxing.
The reforms also introduce new transparency obligations relating to ADM systems, which is one of the most practical changes businesses will need to prepare for.
Privacy compliance is no longer a matter of reputational risk alone; it is now a direct financial and legal risk.
New Transparency Obligations for Automated Decision Making
From 10 December 2026, organisations will be required to disclose in their privacy policies whether they use ADM systems in ways that make or substantially influence decisions that significantly affect individuals.
This is a mandatory obligation and applies broadly. It is not limited to fully automated systems; it can also capture processes where decisions are influenced by algorithms or AI, even where there is some level of human involvement.
Where ADM is used, organisations must clearly set out:
- Whether ADM is used in decision making processes;
- The types of personal information used by those systems;
- The kinds of decisions being made (for example, eligibility assessments, pricing); and
- The nature of the “significant effect” on individuals, including how outcomes may impact their rights, opportunities or access to services.
These requirements are designed to address the “black box” nature of AI systems and ensure individuals can understand how decisions about them are made.
Why This Matters for Technology Businesses
Many technology businesses operate in ways that are now within the regulatory risk zone. This includes businesses that:
- Collect and analyse user data;
- Track online behaviour;
- Rely on AI or ADM tools; or
- Outsource data storage or processing to third-party providers.
These activities are precisely where the new ADM transparency obligations will apply most clearly.
What Your Business Should Be Doing
The reforms require a practical shift in how businesses approach privacy. Key steps include:
- Review your policies and systems
Ensure your privacy policies accurately reflect current practices, and be transparent about how data is collected, used and shared and, importantly, whether and how ADM is used.
- Embed privacy into product and system design
Consider privacy obligations at the design stage and review how automated tools use and process personal information. Identify any use of AI or automated decision making, map how those systems operate, and ensure you meet the new ADM disclosure requirements.
- Strengthen data security and internal processes
Conduct regular security audits, train staff on proper data handling procedures and upgrade IT infrastructure where needed.
- Conduct a privacy audit
A targeted audit can identify gaps in compliance and allow you to assess risks across data collection, storage, third-party sharing and AI-driven decision making processes.
- Seek professional advice
Given the complexity and evolving nature of the reforms, tailored legal advice is critical to effectively manage risk.
The Key Takeaway
For technology businesses, privacy compliance is no longer just a policy on a website. It now carries real enforcement, penalty and litigation risk, and depends on how products and platforms are designed and used in practice.
The introduction of mandatory ADM transparency requirements is a clear signal that regulators expect businesses to understand and be able to explain the role of AI in their operations.
Businesses that take proactive steps now will be far better positioned than those forced to respond after a breach or regulatory action.
For tailored advice on your business’ privacy obligations, the IP, Tech and Compliance team at M + E can help you. Get in touch with Ersel (ersel@morganenglish.com.au).