What is the Privacy Act automated decision-making (ADM) transparency obligation?
From 10 December 2026, new Australian Privacy Principle (APP) 1.7 requires an APP entity to state in its privacy policy whether it uses a computer program to make, or to do a thing substantially and directly related to making, decisions that could reasonably be expected to significantly affect the rights or interests of an individual where personal information is used - and, if so, to disclose the kinds of personal information and the kinds of decisions involved. This is a privacy-policy transparency duty, not a ban on automated decision-making.
The obligation was introduced by the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024. Parliament built in a 24-month grace period, so the new APP 1.7, 1.8 and 1.9 commence on 10 December 2026. The obligation applies to decisions made on or after that date, regardless of whether the arrangement for the computer program was put in place, or the personal information was acquired, before commencement.
Practically, this means every Australian organisation bound by the Privacy Act - and any overseas entity carrying on business in Australia that handles Australians' personal information - must audit where software (including AI) drives consequential decisions about people, and then publish a clear, accurate description of that use in its APP 1.3 privacy policy before 10 December 2026.
Areebi is a Secure AI Control Plane that gives Australian regulated enterprises the immutable audit log, AI inventory and policy engine needed to identify which AI systems make rights-affecting decisions and to substantiate what an ADM privacy-policy disclosure should say.
What exactly must an organisation's privacy policy disclose under APP 1.7?
The new provisions add three specific disclosures to the existing privacy-policy requirements in APP 1.3-1.4. Per the OAIC's APP 1 Guidelines, where the trigger is met an APP entity's privacy policy must set out:
- (a) The kinds of personal information used in the operation of the computer programs that make, or are substantially and directly related to making, the relevant decisions.
- (b) The kinds of decisions made solely by the operation of computer programs - that is, fully automated decisions with no meaningful human involvement.
- (c) The kinds of decisions for which a thing that is substantially and directly related to making the decision is done by the operation of computer programs - that is, decisions where software materially shapes the outcome even though a human nominally decides.
Two definitional points matter. First, under new APP 1.9, "making a decision" includes refusing or failing to make a decision, so automated rejections, exclusions and non-actions are squarely in scope. Second, the disclosure is about kinds of information and kinds of decisions: organisations describe categories (for example, "credit-history and transaction data used to assess loan eligibility"), not every individual model feature or rule.
What the obligation does not (yet) require
APP 1.7 is a policy-level transparency duty. As enacted it does not, by itself, create a statutory right for an individual to demand a personalised explanation of a specific automated decision, nor a standalone right to human review. Those individual-level rights, together with a broader "fair and reasonable" test and exemption reform, are flagged for a later "tranche 2" of Privacy Act reform but were not yet legislated as at mid-2026 - so plan for the disclosure duty now and monitor for further reform.
What counts as a "computer program", and does generative AI fall within it?
The Act uses "computer program" in its ordinary meaning rather than defining it narrowly. On that ordinary, technology-neutral reading the term is broad enough to capture rules-based systems, statistical models, machine-learning systems and generative AI tools such as chatbots and text, image or code generators. There is no carve-out for "AI assistance" - if software does a thing substantially and directly related to making a rights-affecting decision, it is in scope even when a person signs off the final call.
This breadth is consistent with the OAIC's existing guidance on commercially available AI products, which warns that using AI "in relation to decisions that may have a legal or similarly significant effect on an individual's rights is likely a high privacy risk activity" and stresses that public-facing AI tools such as chatbots should be clearly identified as such. The same guidance cautions that the complexity of many AI systems can make it difficult to understand and explain how personal information is used and how outputs are reached - which is precisely the gap the new disclosure is intended to close.
Why the breadth is an enforcement risk for enterprises
- Shadow AI. Staff routinely paste personal information into ungoverned chatbots to triage claims, screen candidates or draft customer decisions. If those tools materially shape a rights-affecting outcome, the underlying use may need to be reflected in your privacy policy.
- Embedded vendor AI. Scoring, fraud-detection, eligibility and recommendation features inside SaaS products can be "computer programs" making or assisting decisions even though you did not build them.
- Agentic AI. Autonomous agents that take actions across systems can do "a thing substantially and directly related to" a decision, expanding the surface area you must inventory.
You cannot disclose what you cannot see. Areebi's shadow-AI discovery and AI inventory surface sanctioned and unsanctioned AI usage so legal and privacy teams can map which systems touch rights-affecting decisions involving personal information. See also our explainer on what automated decision-making is.
Who is covered, and when is the disclosure actually triggered?
The obligation binds APP entities - most Australian Government agencies and private-sector organisations with annual turnover above A$3 million, plus certain others to which the Act applies regardless of turnover (for example, health-service providers and businesses that trade in personal information). Overseas organisations carrying on business in Australia and handling Australians' personal information are also caught.
The disclosure is triggered only where both limbs are satisfied:
- A computer program makes, or does a thing substantially and directly related to making, a decision; and
- the decision could reasonably be expected to significantly affect the rights or interests of an individual, with personal information used in the program's operation.
The Explanatory Memorandum and OAIC materials give indicative examples of decisions that can significantly affect rights or interests, including decisions about: entitlement to a benefit under legislation; access to or pricing of credit, insurance or other financial products; eligibility for housing or essential services; access to healthcare; and employment or recruitment outcomes. "Rights or interests" is read broadly and is not limited to strictly legal rights.
The practical test to run on every system
For each AI or software-driven decision process, ask: (1) does it use personal information? (2) could the outcome significantly affect a person's rights or interests? (3) is the decision made solely by the program, or does the program do something substantially and directly related to making it? If the answers put a system in scope, its kind of information and kind of decision must be reflected in your privacy policy by 10 December 2026.
How is the ADM transparency obligation enforced, and what are the penalties?
Because APP 1.7 is an Australian Privacy Principle, failing to maintain a compliant privacy policy is an interference with privacy and is enforced through the Privacy Act regime that the 2024 Act significantly strengthened. There is no separate "ADM fine"; instead, ADM non-compliance is policed with the same escalating toolkit the OAIC now applies to APP breaches generally.
- Compliance notices - the OAIC can direct an entity to remedy an alleged contravention within a set timeframe (for example, fix a non-compliant or silent privacy policy).
- Infringement notices - the 2024 Act introduced a low-level civil penalty with infringement-notice powers for administrative breaches of the APPs (the OAIC has expressly cited failing to have a compliant APP 1.3 privacy policy as such a breach), allowing penalties without court proceedings.
- Mid-tier civil penalties - a new tier for interferences that do not meet the "serious" threshold.
- Top-tier civil penalties - for a serious interference with privacy under s 13G, the maximum is the greater of A$50 million, three times the benefit obtained from the conduct, or 30% of the entity's adjusted turnover during the breach period, per the OAIC's guidance on civil penalties. The 2024 Act removed the previous "repeated" requirement so the top tier now applies to serious interferences.
There is also a parallel private-litigation exposure. The statutory tort for serious invasions of privacy commenced on 10 June 2025 under the same 2024 Act, per the OAIC. Courts can award damages, injunctions and apologies, with damages for non-economic loss capped at the greater of A$478,550 or the maximum amount available for non-economic loss in defamation proceedings. Opaque, harmful automated decisions are exactly the kind of conduct that can attract both regulatory action and a tort claim.
What guidance has the OAIC issued, and what is the timeline I should plan against?
The OAIC is producing dedicated guidance on transparency in automated decision-making to help entities apply APP 1.7 before commencement. The key milestones are:
- 10 December 2024 - Privacy and Other Legislation Amendment Act 2024 receives Royal Assent.
- 10 June 2025 - statutory tort for serious invasions of privacy commences.
- 18 May 2026 - OAIC publishes its Issues Paper / consultation on guidance for transparency in automated decision-making.
- 15 June 2026 (Monday) - submissions to the consultation close.
- ~September 2026 (anticipated) - OAIC final ADM transparency guidance expected, leaving a short runway before commencement.
- 10 December 2026 - APP 1.7, 1.8 and 1.9 commence; privacy policies must be compliant.
The compressed gap between expected final guidance (around September 2026) and the 10 December 2026 commencement is the central operational risk: organisations that wait for finished guidance before starting their AI inventory and policy drafting may have only weeks to remediate. The defensible path is to build the inventory and a draft disclosure now, then refine wording once the final guidance lands.
For the wider Australian picture, see our guides to the Australian Privacy Act and Australia AI governance, which also cover the Voluntary AI Safety Standard (which, as the name says, is not mandatory) and sector-specific prudential rules such as APRA CPS 230.
How should a DPO, GC or CISO prepare for 10 December 2026?
Treat this as a discovery-and-documentation programme, not a one-line policy edit. The disclosure is only as accurate as your underlying inventory of where software drives decisions about people.
A practical readiness sequence
- Inventory the decision surface. Catalogue every system - built, bought or shadow - that makes or materially assists decisions using personal information. Include embedded vendor AI and agentic tools.
- Apply the two-limb trigger test to each system and record which decisions are solely automated versus substantially-and-directly assisted.
- Classify the data. For in-scope systems, document the kinds of personal information used so the (a) disclosure is precise and defensible.
- Draft the APP 1.7 disclosures across categories (a), (b) and (c), in plain English, and route them through legal review.
- Govern the runtime. Apply DLP, guardrails and access controls so personal information flows into AI only where sanctioned, and log every interaction immutably to evidence what your policy claims.
- Stand up monitoring and review. Detect new in-scope AI as it appears, and re-test the policy after the OAIC's final guidance and ahead of any tranche-2 reform.
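The two-limb trigger test and the inventory-to-disclosure sequence above can be encoded so that every catalogued system is classified the same way. The following is an added example, not Areebi's code or any OAIC tool; the inventory schema, system names and data kinds are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DecisionSystem:  # one inventory row (constructed schema, not Areebi's)
    name: str
    personal_info_kinds: tuple  # kinds of personal information the program uses
    decision_kind: str          # kind of decision, e.g. "loan eligibility"
    significant_effect: bool    # limb 2: could significantly affect rights or interests
    involvement: str            # "sole" (no meaningful human), "assisted", or "none"

def in_scope(s: DecisionSystem) -> bool:
    """APP 1.7 two-limb trigger. Limb 1: the program makes, or does a thing substantially
    and directly related to making, the decision (a human sign-off does not take it out
    of scope). Limb 2: significant effect on rights/interests AND personal information used."""
    limb1 = s.involvement in ("sole", "assisted")
    limb2 = s.significant_effect and len(s.personal_info_kinds) > 0
    return limb1 and limb2

def draft_disclosure(inventory) -> dict:
    """Map in-scope systems onto APP 1.7 categories: (a) kinds of personal information,
    (b) kinds of decisions made solely by the program, (c) kinds it substantially assists."""
    a, b, c = set(), set(), set()
    for s in inventory:
        if not in_scope(s):
            continue
        a.update(s.personal_info_kinds)
        (b if s.involvement == "sole" else c).add(s.decision_kind)
    return {"a": sorted(a), "b": sorted(b), "c": sorted(c)}

# Constructed sample inventory; names and data kinds are illustrative only.
SAMPLE_INVENTORY = [
    DecisionSystem("loan-scoring-model", ("credit history", "transaction data"),
                   "loan eligibility", True, "sole"),
    # Recruiter signs off, but the ranking substantially shapes the outcome -> (c).
    DecisionSystem("cv-ranker", ("employment history",), "recruitment shortlisting",
                   True, "assisted"),
    # Auto-decline is a refusal; APP 1.9 treats refusing as making a decision -> (b).
    DecisionSystem("fraud-auto-decline", ("transaction data",), "transaction decline",
                   True, "sole"),
    # Drafting newsletter copy does not significantly affect rights -> out of scope.
    DecisionSystem("marketing-copy-bot", ("email address",), "newsletter wording",
                   False, "assisted"),
    # No personal information used -> out of scope regardless of the decision.
    DecisionSystem("capacity-forecaster", (), "server provisioning", True, "sole"),
]

if __name__ == "__main__":
    for cat, items in draft_disclosure(SAMPLE_INVENTORY).items():
        print(f"APP 1.7({cat}): {', '.join(items)}")
```

The output is a draft only: the category wording still needs the plain-English and legal review described in the sequence above, and the inventory must be re-run whenever new AI appears.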
Areebi is purpose-built for this: it is privately deployable and sovereign (Docker, Kubernetes, on-premises or private cloud, with data resident in Australia), so regulated entities can run discovery, DLP, guardrails and immutable audit logging without sending personal information offshore. Start with a readiness assessment or book a demo. Note: Areebi is in stealth, has no publicly named customers yet, and its SOC 2 readiness is in progress (not yet certified) - see our Trust Center.