Summary
- Automated decision-making involves decisions made without meaningful human input, often using algorithms or AI, and is regulated under UK data protection law.
- Under Article 22 of the UK GDPR, individuals have the right not to be subject to solely automated decisions that have legal or similarly significant effects.
- Businesses must ensure transparency, provide meaningful information about how decisions are made, and allow individuals to challenge outcomes or request human review.
- This guide explains new and evolving privacy rules on automated decision-making for Australian businesses, outlining obligations, risks and safeguards.
- LegalVision’s business lawyers specialise in advising clients on data privacy, automated decision-making and regulatory obligations.
Tips for Businesses
Assess whether your systems involve solely automated decisions and whether they significantly affect individuals. Build in human oversight, provide clear explanations, and allow individuals to challenge outcomes. Document your approach and ensure compliance with privacy laws before deploying automated tools.
Automated decision-making uses computer systems to make or influence decisions that can significantly affect individuals. Under new Australian privacy reforms, businesses must be transparent about how these systems use personal information, ensure appropriate safeguards and allow for human oversight where decisions have a meaningful impact. This article explores the new privacy rules for automated decision-making in Australia and what businesses must do to comply.
New Rules for Automated Decision-Making Under Australia’s Privacy Reforms
The Privacy and Other Legislation Amendment Bill 2024 marks a significant shift in Australia’s approach to automated decision-making and AI technologies. This legislation introduces new transparency requirements for businesses and government agencies using “computer programs” for fully automated decision-making or to substantially assist human decision-makers. These rules apply when an organisation uses a computer program that leverages personal information to make decisions that could “reasonably be expected to significantly affect the rights or interests of an individual”.
The term “computer program” encompasses sophisticated AI and machine learning systems, as well as simpler forms of automation like pre-programmed rule-based processes. Even the use of Microsoft Excel to generate scores about individuals could fall under these rules if the scores significantly influence decision-making.
Key Considerations: Materiality Threshold and High-Risk Domains
The materiality threshold is a crucial consideration for businesses. Decisions must be “more than trivial” and have the potential to “significantly influence the circumstances of the individual”. Examples include granting or refusing benefits under a law, and affecting an individual’s rights under a contract. Other examples include impacting access to significant services.
Compliance Requirements and Penalties
Organisations using automated decision-making technologies that meet the materiality threshold must update their privacy policies to include:
- types of personal information used in relevant computer programs;
- kinds of decisions made solely by computer programs; and
- kinds of decisions made by humans with substantial assistance from computer programs.
Businesses should also consider implementing a robust Notifiable Data Breach plan. This will help comply with obligations under the Privacy Act.
The Office of the Australian Information Commissioner (OAIC) can issue infringement notices for non-compliant privacy policies. Penalties can be over $50,000 per contravention.
Future Implications and Recommendations for Businesses
Further reforms are anticipated. These include a potential right for individuals to request information about automated decisions affecting them, and mandatory privacy impact assessments for ‘high risk’ activities. Staying informed about developments in AI regulation and privacy law will be crucial for maintaining compliance.
For businesses reliant on automated decision-making, this legislation may necessitate significant operational changes. However, it also presents an opportunity to enhance customer trust by demonstrating commitment to transparency and ethical technology use.
To navigate these changes effectively, businesses should consider the following steps:
- conduct a thorough audit of automated decision-making processes;
- implement robust data governance and ethical AI frameworks;
- provide comprehensive training to staff on the new regulations;
- establish clear lines of accountability for automated decisions; and
- regularly review and update privacy policies and practices.
Key Takeaways
In conclusion, the Privacy and Other Legislation Amendment Bill 2024 represents a significant shift in the regulatory landscape for automated decision-making in Australia. By taking proactive steps to ensure compliance, businesses can navigate this new environment effectively while harnessing the power of automation and AI to drive innovation and growth.
If you need help understanding the new privacy rules, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Under the new legislation, businesses must update privacy policies to disclose the types of personal information used, decisions made by computer programs, and human-assisted decisions influenced by automation. Compliance with these requirements is crucial to avoid penalties, and businesses should prepare by assessing the impact of their automated decision-making processes.
Businesses should prepare by conducting audits of current and planned automated decision-making technologies, assessing their impact on individual rights, and updating privacy policies. Implementing ethical AI frameworks, ensuring human oversight and accountability, and staying informed about regulatory developments will help maintain compliance and build customer trust.
They apply when your systems use personal information to make decisions that are more than trivial and could materially impact an individual.
You must explain what personal information your systems use, what decisions they make, and how automation influences those decisions in your privacy policy.