Automated decisions in Australia series – Part 1: a quick guide to Australia's new privacy rules
1. Set out in privacy policies:
a. the kinds of decisions; and
b. the kinds of personal information used to make decisions,
where…
2. … the entity has arranged for …
3. … a computer program …
4. … to make a decision … or to do a thing substantially and directly related to making a decision …
5. … that significantly affects rights or interests of an individual …
6. … using personal information.
Read together, these elements set out the trigger for including automated decisions in a privacy policy: where an entity has arranged for a computer program to make a decision (or to do a thing substantially and directly related to making a decision) that significantly affects the rights or interests of an individual, using personal information, the entity must set out in its privacy policies the kinds of decisions involved and the kinds of personal information used to make them.
From 10 December 2026, entities will need to update their privacy policy to disclose how they use automated and computer-assisted decision making. The new Australian Privacy Principles 1.7 to 1.9 will require entities to identify decisions that significantly affect the rights or interests of an individual, and set out in privacy policies:
The level of detail should be sufficient to enable individuals to understand how their personal information is used and the potential impact on their rights or interests, while remaining accessible and avoiding unnecessary technicality. The privacy policy does not need to include any confidential commercial information about automated decision-making systems.
This is not just about AI. The requirements capture a broad range of computer programs that make or support decisions affecting individuals – including rules-based systems, spreadsheet automation, scoring tools, and other commonly-used software products.
An entity has arranged for a computer program to make or support the decision.
This extends to third party systems used on your behalf or as part of a service provided to you by outsourcing partners or other service providers. This may require a more detailed understanding of the systems and processes used in your supply chain.
"Computer program" is broadly interpreted.
It captures a wide range of technologies, including commonly used software, apps and tools, extending to pre-programmed rules-based processes, artificial intelligence, machine learning, spreadsheet automation, scoring or ratings, etc.
The program makes a decision OR does a thing substantially and directly related to making a decision.
Identifying the "decision" is key to understanding what computer programs might make, or substantially and directly relate to, the decision.
This applies to both wholly and partially automated decisions. For partial automation or computer assisted decisions:
a. The thing done by the computer program must be substantially and directly related to the decision – a key factor in the decision, directly connected with making the decision.
b. It must meaningfully influence the decision (the decision would be significantly different or not made at all without the program’s contribution).
c. This can happen even if there is a human in the loop actually making the decision.
The decision significantly affects rights or interests of an individual.
This concept is impacted by circumstances. For example, a child or person experiencing vulnerability may face more significant impacts from the same conduct.
It extends beyond legal rights (eg under contract or statute) to material stakes individuals may hold that, while not necessarily protected by law, may have meaningful impact on individuals’ lives.
The decision uses personal information about that individual.
This is an important limitation on what systems are relevant for these requirements – and a concept that may expand further in future reforms.
Recent privacy determinations have seen the Privacy Commissioner explore "novel" applications of the Privacy Act to address a changed digital environment, including to expand what has traditionally been seen as personal information regulated under the Privacy Act. For example, recent determinations have found that information collected using pixel tracking technology used by health provider websites was personal information even though customers might not have been uniquely identified.
It is easy to underestimate the scope of the new transparency rules by focusing on fully automated processes or AI systems. However, Australia's framework extends much further than that.
While the General Data Protection Regulation (GDPR) (and the previous Data Protection Directive, dating back to 1995) have had requirements relating to automated decision-making and profiling for many years, Australia's formulation is not a “lift and shift” from the EU requirements.
In comparison to the GDPR, the Privacy Act formulation does not include some of the more restrictive provisions (in Article 22 of the GDPR) such as the right “not to be subject to” automated processing and profiling, the implementation of measures including human intervention, and the exception for special category data (although similar protections do arise in the Western Australian Privacy and Responsible Information Sharing Act 2024 (WA) that took effect on 1 July 2026, these are only applicable to WA public entities and their contracted service providers).
That said, in one sense, the scope could still be broader than the GDPR given that:
In both cases, the trigger is not the technology – it is the impact on individuals. This means the rules may well capture a lot of "business-as-usual" data-based business processes that have been in place in organisations for many years.
Automated decision transparency is one of the final pieces of 2024's first tranche of privacy reforms. The Government deferred a second tranche of reforms including reforms directly and indirectly impacting automated decisions.
The second tranche of privacy reforms was expected to bring further requirements impacting AI and automated decisions, including privacy impact assessments for high-risk activities (including automated decisions), the need to explain automated decisions, a requirement that data activities be "fair and reasonable" (regardless of consent), and changes to protect more data as "personal information" (impacting the training and use of AI models).
At Senate Estimates hearings, the Attorney-General's Department confirmed there is still a commitment to further reforms, that work is underway, and that consultation will follow – but no timelines have been set.
Other authors: Olivia Carmody, Lawyer; Cindy Nguyen, Graduate; Lauren Spence, Graduate and Joanne Lee, Paralegal.
This publication is a joint publication from Ashurst Perkins Coie Australia, Ashurst Perkins Coie Risk Advisory LLP and Ashurst Perkins Coie Risk Advisory Pty Ltd, which are all part of the Ashurst Perkins Coie Group.
Ashurst Perkins Coie Australia (ABN 75 304 286 095) is a general partnership constituted under the laws of the Australian Capital Territory.
Ashurst Perkins Coie Risk Advisory LLP is a limited liability partnership registered in England and Wales under number OC442883. A list of members of Ashurst Perkins Coie Risk Advisory LLP and their professional qualifications is open to inspection at its registered office, London Fruit & Wool Exchange, 1 Duval Square, London E1 6PW.
Ashurst Perkins Coie Risk Advisory Pty Ltd is a proprietary company registered in Australia and trading under ABN 74 996 309 133.
The Ashurst Perkins Coie Group comprises Ashurst Perkins Coie UK LLP, Ashurst Perkins Coie US LLP, Ashurst Perkins Coie Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst Perkins Coie" or describe themselves as being affiliated with Ashurst Perkins Coie. Some members of the Ashurst Perkins Coie Group are limited liability entities. Some members of the Ashurst Perkins Coie Group provide legal services and some provide non-legal services. Different legal entities in the group may operate in the same jurisdictions. Information about which Ashurst Perkins Coie Group entity operates in any country can be found on our website at www.ashurstperkinscoie.com.
The services provided by Ashurst Perkins Coie Risk Advisory LLP and Ashurst Perkins Coie Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by qualified legal practitioners acting in that capacity. Ashurst Perkins Coie Risk Advisory LLP is not regulated by the Solicitors Regulation Authority of England and Wales. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
This material is current as at 13 July 2026 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst Perkins Coie. We accept no liability for use of these materials and reliance upon it by any person.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.