In Short
- New Australian privacy rules restrict fully automated decision-making processes when personal information is involved.
- Businesses must ensure transparency and offer human review options when using automated systems.
- Organisations should update privacy policies and procedures to comply with these changes.
Tips for Businesses
To comply with new privacy regulations, review and update your data handling and automated decision-making processes. Train staff on the importance of transparency and ensure that systems allow for human intervention. Regularly assess privacy policies to maintain compliance and build customer trust.
The Privacy and Other Legislation Amendment Bill 2024 marks a significant shift in Australia’s approach to automated decision-making and AI technologies. This legislation introduces new transparency requirements for businesses and government agencies using “computer programs” for fully automated decision-making or to substantially assist human decision-makers. These rules apply when an organisation uses a computer program that leverages personal information to make decisions that could “reasonably be expected to significantly affect the rights or interests of an individual”.
The term “computer program” encompasses sophisticated AI and machine learning systems, as well as simpler forms of automation like pre-programmed rule-based processes. Even the use of Microsoft Excel to generate scores about individuals could fall under these rules if the scores significantly influence decision-making.
Key Considerations: Materiality Threshold and High-Risk Domains
The materiality threshold is a crucial consideration for businesses. Decisions must be “more than trivial” and have the potential to “significantly influence the circumstances of the individual”. Examples include granting or refusing benefits under a law, and affecting an individual’s rights under a contract. Other examples include impacting access to significant services.
Compliance Requirements and Penalties
Organisations using automated decision-making technologies that meet the materiality threshold must update their privacy policies to include:
- types of personal information used in relevant computer programs;
- kinds of decisions made solely by computer programs; and
- kinds of decisions made by humans with substantial assistance from computer programs.
Businesses should also consider implementing a robust Notifiable Data Breach plan. This will help comply with obligations under the Privacy Act.
The Office of the Australian Information Commissioner (OAIC) can issue infringement notices for non-compliant privacy policies. Penalties can be over $50,000 per contravention.
Future Implications and Recommendations for Businesses
Further reforms are anticipated, including a potential right for individuals to request information about automated decisions affecting them and mandatory privacy impact assessments for ‘high risk’ activities. Staying informed about developments in AI regulation and privacy law will be crucial for maintaining compliance.
For businesses reliant on automated decision-making, this legislation may necessitate significant operational changes. However, it also presents an opportunity to enhance customer trust by demonstrating commitment to transparency and ethical technology use.
To navigate these changes effectively, businesses should consider the following steps:
- conduct a thorough audit of automated decision-making processes;
- implement robust data governance and ethical AI frameworks;
- provide comprehensive training to staff on the new regulations;
- establish clear lines of accountability for automated decisions; and
- regularly review and update privacy policies and practices.

Key Takeaways
In conclusion, the Privacy and Other Legislation Amendment Bill 2024 represents a significant shift in the regulatory landscape for automated decision-making in Australia. By taking proactive steps to ensure compliance, businesses can navigate this new environment effectively while harnessing the power of automation and AI to drive innovation and growth.
If you need help understanding the new privacy rules, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Under the new legislation, businesses must update privacy policies to disclose the types of personal information used, decisions made by computer programs, and human-assisted decisions influenced by automation. Compliance with these requirements is crucial to avoid penalties, and businesses should prepare by assessing the impact of their automated decision-making processes.
Businesses should prepare by conducting audits of current and planned automated decision-making technologies, assessing their impact on individual rights, and updating privacy policies. Implementing ethical AI frameworks, ensuring human oversight and accountability, and staying informed about regulatory developments will help maintain compliance and build customer trust.