Australia's tech sector has entered a critical 18-month window. The Privacy and Other Legislation Amendment Act 2024, which received Royal Assent in December 2024, introduced new transparency requirements for automated decision-making (ADM) — and those provisions are scheduled to commence in December 2026. Companies operating in Australia must now use 2026 to inventory their algorithmic systems, redraft privacy policies, and build the internal documentation that the new regime will demand.
The amendment is one of the first tranches of reforms responding to the Attorney-General's Department's Privacy Act Review Report (February 2023), which recommended modernising Australia's 1988-era Privacy Act for an era in which consequential decisions — credit, insurance, hiring, government benefits, content moderation — are increasingly made or shaped by software. Rather than copying the European Union's broader algorithmic prohibition under Article 22 of the GDPR, Australia has chosen a narrower transparency-first model. That choice is worth defending.
What the new rules actually require
The amendments insert new provisions into the Privacy Act 1988 requiring APP entities to update their Australian Privacy Principle 1 (APP 1) privacy policies to disclose:
- The kinds of personal information used in substantially automated decisions that significantly affect the rights or interests of an individual;
- The kinds of such decisions made; and
- The fact that a computer program is used to make, or do a thing that is substantially and directly related to making, such decisions.
Two design choices in the statute deserve attention. First, the trigger is "substantially automated" decisions that "significantly affect" individuals — not every algorithm in the stack. Recommender systems that surface product listings, spam filters, or fraud-risk scores that merely flag transactions for human review fall outside the strict disclosure mandate. Second, the obligation is one of disclosure, not prohibition or mandatory human review. That distinguishes the Australian approach from GDPR Article 22, which creates a qualified right not to be subject to solely automated decisions.
Why proportionality matters here
Algorithmic accountability is a legitimate policy concern. When a benefits algorithm wrongly cancels payments — as the Robodebt scandal demonstrated — or when a tenancy-screening model encodes historical bias, the harms are real and concentrated on people least equipped to contest them. The Royal Commission into the Robodebt Scheme (2023) made plain that opaque automation in high-stakes government decisions corrodes public trust.
But the policy lesson from Robodebt is precisely about government automation operating without meaningful oversight or appeal — not about a generalised problem with private-sector algorithms. A proportionate regime focuses transparency requirements on decisions that are both heavily automated and consequential, while leaving lower-stakes uses of machine learning alone. By tying disclosure to "substantially automated" and "significant effect," the Australian Parliament has avoided the trap of triggering compliance theatre for every A/B test and ranking model.
Compare the trajectory in other jurisdictions. The EU's AI Act, which entered into force in August 2024, imposes layered obligations on "high-risk" AI systems with overlapping documentation, conformity assessment, and post-market monitoring duties. Smaller Australian SaaS providers and fintechs would struggle to absorb that level of compliance overhead. Australia's lighter-touch approach — disclose, document, be ready to explain — preserves room for experimentation while giving regulators and affected individuals the visibility they need.
The 2026 preparation checklist
Companies should treat the December 2026 commencement date as a hard deadline, not an aspiration. The Office of the Australian Information Commissioner (OAIC) has consistently signalled that it intends to make active use of its expanded enforcement powers under the same Act, including new civil penalty tiers and a statutory tort for serious invasions of privacy.
Practical steps for the preparation period include:
- ADM inventory: map every system that makes or materially contributes to decisions about individuals — credit, insurance, employment screening, content takedowns, benefits eligibility, fraud blocking.
- Classification: assess each system against the "substantially automated" and "significant effect" thresholds. Document the reasoning; the OAIC and courts will scrutinise borderline calls.
- Privacy policy redraft: APP 1 policies typically need a new dedicated section on ADM. Boilerplate language will not survive enforcement scrutiny.
- Internal explainability artefacts: while not strictly required by the disclosure rule, having model cards or decision logic summaries ready will be valuable when individuals request information or when the OAIC investigates.
What policymakers should avoid next
The 2024 amendments are explicitly a first tranche. The Attorney-General's Department has signalled that further reforms — including potentially a fair-and-reasonable test for personal information handling and direct rights of action — are under consideration. Two cautions are worth flagging.
First, resist the temptation to layer an Australian AI Act on top of the Privacy Act ADM regime before evaluating whether transparency alone is sufficient. Sequencing matters: let the disclosure rule operate, watch where genuine harms cluster, and target further intervention narrowly.
Second, preserve the "substantially automated" framing. Watering it down to include any algorithmic input — every ranking, scoring, or filtering step — would convert a workable rule into a paperwork tax that disproportionately hits Australian startups while large foreign platforms absorb the overhead trivially.
Australia has a real chance to demonstrate that algorithmic accountability and a thriving digital economy are compatible. The 2026 preparation window is when that case will be made — or quietly lost.