AI and Australia's Privacy Act Reforms: What's Changing and Why It Matters

The Privacy Act 1988 is Australia's primary data protection law, and its proposed reforms represent the most significant overhaul in decades. For businesses deploying AI, the reforms aren't just about data hygiene — they directly constrain how AI systems can be designed, trained, and operated. Understanding what's proposed, and what's likely to pass, is now a strategic priority.

The Key Reforms Affecting AI

The proposed reforms most directly relevant to AI users span several areas. Automated Decision-Making (ADM) transparency is the headline change — under the proposals, organisations using AI to make or materially contribute to decisions that significantly affect individuals must disclose this use and provide meaningful information about how the AI works. This is not a blanket ban on automated decisions; it's a transparency and accountability obligation.

Data minimisation requirements would compel organisations to collect only the personal data actually needed for a specified purpose. This has significant implications for AI training pipelines that have historically operated on a 'collect everything that might be useful' basis. The proposed right to object to ADM, and in some cases the right to opt out of automated processing for significant decisions, creates a new legal exposure for AI-dependent processes in areas like credit assessment, insurance underwriting, hiring, and government services.

What Counts as a 'Significant Decision'

The critical question for most businesses is: which AI-influenced decisions trigger the proposed obligations? The reforms focus on decisions that have a legal or similarly significant effect on individuals. In practice, this means decisions about employment (hiring, performance management, termination), access to credit or financial products, insurance coverage, housing, healthcare, and government services. If your AI system influences any of these outcomes, the proposed reforms apply to you.

The Consent and Transparency Challenge

Many businesses currently operate AI systems without clearly disclosing this to affected individuals. The reforms would require privacy policies to specifically disclose the use of automated decision-making and provide genuinely meaningful information about it — not boilerplate. This will require a fundamental rethink of how privacy notices are drafted, particularly for businesses in financial services, insurance, recruitment, and healthcare.

Preparing Before the Reforms Are Enacted

The reform process is ongoing and the final shape of legislation is not yet settled. But the direction is clear enough to act. Businesses should audit their AI systems now to identify which processes involve automated or semi-automated decisions about individuals; review and update privacy policies to disclose AI use in plain language; assess data minimisation practices in AI training pipelines; and establish a process for individuals to request human review of significant AI-influenced decisions. These steps are good practice regardless of when or exactly how the reforms pass.

The Privacy Act reforms will reshape the legal baseline for AI in Australia. Organisations that treat them as a compliance burden will spend money reacting. Organisations that treat them as a design constraint will build better AI systems — and face far less risk when the law catches up.