
Privacy, AI and automated decision-making transparency

AI Decisions and Privacy Policies: 2026 Readiness
AI decisions and privacy policies: Why 2026 preparation should start now
Australian businesses using AI or automated decision systems should start preparing for new privacy transparency obligations before they commence on 10 December 2026.
The Privacy and Other Legislation Amendment Act 2024 introduced changes to the Privacy Act requiring greater transparency about certain substantially automated decisions. The OAIC’s APP 1 guidance states that new subclauses APP 1.7, 1.8 and 1.9 commence on 10 December 2026.
For many organisations, this will not be a simple privacy-policy drafting exercise. It will require understanding where automated decisions are made, what personal information is used, and how those systems affect individuals.
What kinds of systems should be reviewed?
Businesses should not assume this is limited to advanced generative AI. Automated decision-making can appear in everyday systems, including:
- customer onboarding and verification;
- credit, risk or eligibility scoring;
- insurance, finance or pricing workflows;
- recruitment screening;
- fraud detection;
- account suspension or moderation systems;
- personalised offers, rankings or recommendations;
- internal triage systems that materially affect customers or employees.
The key legal issue is not whether a tool is marketed as “AI”. It is whether a computer program is making, or substantially contributing to, a decision using personal information in a way that triggers the transparency requirements.
Why early mapping matters
Many organisations do not have a single register of automated decisions. Systems may be spread across departments, vendors and legacy platforms. Some decisions may be partly automated and partly human-reviewed. Others may rely on third-party software where the business does not fully understand the logic or data flows.
That creates legal and operational risk. If a business cannot explain what automated decisions it makes, it will struggle to update its privacy policy accurately. It may also struggle to respond to customer questions, regulator scrutiny or internal risk reviews.
A practical readiness checklist
Before December 2026, businesses should consider:
1. Mapping automated decisions involving customers, employees or users.
2. Identifying personal information inputs used by each system.
3. Checking vendor contracts for transparency, audit rights and data-use restrictions.
4. Assessing human oversight and escalation pathways.
5. Reviewing privacy policies and collection notices for future updates.
6. Documenting risk assessments for higher-impact systems.
7. Creating an AI governance register that legal, privacy and operational teams can maintain.
This work can often be done efficiently using AI-assisted legal workflows: extracting relevant clauses from vendor contracts, comparing privacy notices, building decision-system registers and identifying gaps for lawyer review. But the legal assessment still requires human judgment.
Law Flow’s lens
The coming transparency obligations are a good example of why AI governance should be practical rather than performative. Businesses do not need generic AI policies that sit unread. They need clear records of what systems do, what data they use, who checks them, and what customers are told.
AI can reduce the cost of preparing for privacy reform by accelerating document review, data mapping and policy comparison. But the final position needs to be legally defensible, commercially realistic and aligned with the actual systems in use.
Efficient legal work in this area means less process waste — and more focused legal judgment where it matters.
Sources:
- OAIC, *APP Guidelines — Chapter 1: APP 1 Open and transparent management of personal information*: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-1-app-1-open-and-transparent-management-of-personal-information
- Federal Register of Legislation, *Privacy and Other Legislation Amendment Act 2024*: https://www.legislation.gov.au/C2024A00128/asmade
- OAIC, *Guidance on privacy and the use of commercially available AI products*: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-the-use-of-commercially-available-ai-products
- OAIC, *Guidance on privacy and developing and training generative AI models*: https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/guidance-on-privacy-and-developing-and-training-generative-ai-models
This article is general information, not legal advice. For advice about your circumstances, contact Law Flow.


