Background 

Australian privacy law has undergone a significant shift. What was once treated as a background compliance obligation, often dealt with through generic policies or “best practice” guidelines, has now become a core legal and commercial risk.

Between late 2024 and mid‑2025, the Commonwealth Government introduced the first major overhaul of the Privacy Act 1988 (Cth) in decades. These changes fundamentally reshape how businesses must manage personal information and significantly increase the consequences of non-compliance.

A central feature of the reforms is a new focus on transparency and accountability in how personal information is used, particularly in the context of artificial intelligence and automated decision-making (ADM).

What Has Changed?

The reforms mark a shift toward accountability and enforcement. Businesses that mishandle personal information now face serious consequences, including:

  • Substantially higher penalties, with fines for serious or repeated interferences with privacy reaching $50 million or more;
  • A new statutory cause of action allowing individuals to sue for serious invasions of privacy;
  • Increased scrutiny of ADM; and
  • New criminal offences for certain misuse of personal information, such as doxxing.

The reforms also introduce new transparency obligations for ADM systems, one of the most practical changes businesses will need to prepare for.

Privacy compliance is no longer a matter of reputational risk alone; it is now a direct financial and legal risk.

New Transparency Obligations for Automated Decision Making

From 10 December 2026, organisations will be required to disclose in their privacy policies whether they use ADM systems to make, or substantially and directly contribute to, decisions that could reasonably be expected to significantly affect the rights or interests of individuals.

This is a mandatory obligation and its reach is broad. It is not limited to fully automated systems: it also captures processes in which an algorithm or AI tool does something substantially and directly related to making the decision, even where a human remains involved.

Where ADM is used, organisations must clearly set out:

  • Whether ADM is used in their decision-making processes;
  • The kinds of personal information used by those systems;
  • The kinds of decisions being made (for example, eligibility assessments or pricing), including whether each is made solely by the system or substantially influenced by it; and
  • How those decisions may significantly affect individuals, for example their rights, opportunities or access to services.

These requirements are designed to address the “black box” nature of AI systems and to ensure individuals can understand when and how automated decisions about them are made.

Why This Matters for Technology Businesses

Many technology businesses operate in ways that now fall squarely within the scope of the reforms. This includes businesses that:

  • Collect and analyse user data;
  • Track online behaviour;
  • Rely on AI or ADM tools; or
  • Outsource data storage or processing to third-party providers.

These are precisely the activities to which the new ADM transparency obligations most clearly apply.

What Your Business Should Be Doing

The reforms require a practical shift in how businesses approach privacy. Key steps include:

  1. Review your policies and systems

Ensure your privacy policies accurately reflect current practice and are transparent about how personal information is collected, used and shared, and, importantly, whether and how ADM is used.

  2. Embed privacy into product and system design

Consider privacy obligations at the design stage and review how automated tools use and process personal information. Identify any use of AI or automated decision-making, map how those systems operate and which decisions they make or influence, and ensure you can meet the new ADM disclosure requirements.

  3. Strengthen data security and internal processes

Conduct regular security audits, train staff on proper data handling procedures and upgrade IT infrastructure where needed.

  4. Conduct a privacy audit

A targeted audit can identify compliance gaps and lets you assess risk across data collection, storage, third-party sharing and AI-driven decision-making processes.

  5. Seek professional advice

Given the complexity and evolving nature of the reforms, tailored legal advice is critical to managing risk effectively.

The Key Takeaway

For technology businesses, privacy compliance is no longer just a policy on a website. It now carries real enforcement, penalty and litigation risk, and depends on how products and platforms are designed and used in practice.

The introduction of mandatory ADM transparency requirements is a clear signal that regulators expect businesses to understand and be able to explain the role of AI in their operations.

Businesses that take proactive steps now will be far better positioned than those forced to respond after a breach or regulatory action.

For tailored advice on your business’ privacy obligations, the IP, Tech and Compliance team at M + E can help you. Get in touch with Ersel (ersel@morganenglish.com.au).
