The grace period is ending. Under Australia’s Privacy Act reform, new rules governing automated decision-making (ADM) will come into full effect from December 2026—a move expected to bring the country in closer alignment with global standards like the EU GDPR and OECD AI principles.
The two-year implementation window is designed to give organisations time to assess, audit, and adjust their systems. But with complex AI-driven technologies increasingly embedded in publishing, finance, HR, and advertising workflows, many businesses are still unaware that their systems even fall under these new obligations.
Now is the time to act.
🔍 What’s Changing: ADM & the Privacy Act
The 2025 amendments to the Privacy Act introduce new transparency and fairness requirements around automated decision making—defined as decisions that are:
- Made without meaningful human involvement, and
- Have a legal or similarly significant effect on individuals (e.g. access to credit, insurance pricing, personalised news delivery, or targeted advertising).
Under the updated Act, organisations using ADM must:
- Notify individuals when decisions are made solely by automated means
- Provide meaningful information about the logic and impact of the decision
- Offer a right to request human review
These changes reflect broader AI privacy requirements in Australia aimed at increasing public trust and reducing opaque, high-risk uses of personal data.
⚠️ Why This Matters: Legal & Strategic Risk
From 1 January 2027, businesses that continue to rely on algorithmic systems without adequate transparency, explainability, and human oversight may face:
- Regulatory action by the OAIC
- Increased exposure to civil penalties or the new privacy tort
- Reputational damage and consumer distrust
Critically, this doesn’t just apply to “big tech” or high-risk sectors. Any organisation using:
- Personalised marketing tools
- Automated eligibility or risk scoring
- AI-generated content curation
- Algorithmic pricing or segmentation
…will need to assess whether those systems fall under the automated decision making Privacy Act thresholds.
✅ What Businesses Should Do Now
At FMA Consulting, we recommend a four-phase ADM readiness roadmap:
| Phase | Action | Outcome |
|---|---|---|
| 1. Audit | Identify systems that make automated decisions about individuals | Establish scope |
| 2. Classify | Assess whether the decisions have “legal or significant effects” | Risk classification |
| 3. Explain | Document logic, inputs, and safeguards for each decision system | Transparency and defensibility |
| 4. Remediate | Implement human-in-the-loop controls, user rights, and impact assessments | Compliance and accountability |
💡 Final Thoughts
The future of privacy is automated—and the regulation is catching up. With the grace period ending in December 2026, businesses must act now to map, explain, and govern their automated systems.
Treat this not as a regulatory burden—but an opportunity to lead with accountability, transparency, and trust in how your AI systems affect people’s lives.
Need help with an ADM audit or algorithmic risk assessment?
Talk to FMA Consulting about preparing your systems, policies, and disclosures for Australia’s new AI transparency obligations.
📌 Frequently Asked Questions
The OAIC will enforce provisions requiring:
– Clear disclosure when decisions are made without human involvement
– Explanation of the logic used in automated processes
– User rights to challenge or seek review of significant automated decisions
These rules are part of broader AI privacy governance the OAIC is expected to expand over 2025–2026.
Any decision that affects:
– Access to services (e.g. credit, housing, healthcare)
– Pricing, eligibility or employment
– Personalisation that materially shapes user experience (e.g. news feed visibility, ad targeting) could fall under this category—especially if individuals cannot reasonably opt out.
Yes—if your targeting, pricing, or segmentation tools make decisions that materially affect the user’s experience or costs, and do so without human oversight, they may fall under ADM rules.
Similar to Article 22 of the GDPR, Australia’s amended Privacy Act will:
– Ban certain automated decisions without transparency and recourse
– Require meaningful human review
– Impose new standards for explainability and fairness
But unlike GDPR, Australia’s framework remains principles-based, meaning interpretation will depend on risk, sector, and OAIC guidance.
You are still responsible. Whether using third-party adtech, recommendation engines, or AI APIs, the obligation to disclose, explain, and remediate risk applies. This includes ensuring contracts, audits, and data flows are ADM-compliant.
References & Further Reading
Australian Privacy Alert: Parliament passes major and meaningful privacy law reform
Leave a Reply