The Privacy Act, AI, and What the OAIC Expects from Australian Organisations
Australia's Privacy Act 1988 already regulates AI in ways many organisations don't realise. The OAIC has made clear that the APPs apply fully to AI systems that collect, use, and disclose personal information — and the reform agenda will tighten these obligations further.
Key Takeaways
Australia's Privacy Act 1988 and the Australian Privacy Principles apply to AI systems that collect, use, or disclose personal information. The OAIC has issued guidance making this explicit.
APP 1 (open and transparent management) requires that your privacy policy address AI-driven data processing. Standard privacy policies written before AI adoption are almost certainly non-compliant.
APP 3 (collection of solicited information) and APP 6 (use and disclosure) restrict how personal information collected for one purpose can be used to train AI models for different purposes.
The Privacy and Other Legislation Amendment Act 2024 passed Parliament on 29 November 2024 (Royal Assent 10 December 2024), introducing a statutory tort for serious invasions of privacy (effective by 10 June 2025), new automated decision-making transparency obligations (effective 10 December 2026), and enhanced OAIC enforcement powers. Note: a 'fair and reasonable' test for data handling was NOT included — it was deferred to a future second tranche of reforms.
The OAIC has enforcement powers it can and does use. Organisations should not assume privacy regulation is unenforced in Australia — recent enforcement action against major organisations demonstrates regulatory willingness to act.
"For information purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."
The Privacy Act already regulates AI
A common misconception among Australian organisations is that AI governance is a regulatory gap — that because there is no dedicated Australian AI law, AI use is largely unregulated. This is incorrect. Australia's Privacy Act 1988, enforced by the Office of the Australian Information Commissioner, applies fully and comprehensively to AI systems that involve personal information. For most enterprise AI, this covers the majority of meaningful use cases.
The OAIC has issued specific guidance on AI and privacy, making clear that the technology-neutral drafting of the Australian Privacy Principles does not exempt AI from their reach. An AI system that collects, uses, or discloses personal information is subject to the APPs in the same way as any other system performing those functions.
Key APP obligations for AI systems
APP 1 — Open and transparent management of personal information: Organisations must have a clear and up-to-date privacy policy. The OAIC's position is that privacy policies must address how AI uses personal information in ways that are intelligible to a reasonable person. Privacy policies written before the organisation adopted AI tools are almost certainly deficient on this requirement. This is one of the most prevalent privacy compliance gaps in Australian organisations today.
APP 3 — Collection of solicited personal information: Personal information can only be collected for purposes that are directly related to the organisation's functions or activities, and that the individual would reasonably expect. Using customer data for purposes they did not anticipate — including training AI models — may breach APP 3 even where consent was technically obtained in boilerplate terms.
APP 6 — Use and disclosure of personal information: Personal information collected for one primary purpose cannot generally be used for a secondary purpose without consent or unless an exception applies. This creates direct friction with common AI practices: training a model on customer interaction data for purposes beyond what was originally disclosed may breach APP 6.
APP 11 — Security of personal information: Organisations must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. AI systems that store or process personal information must be assessed against this standard, including the security of training data, model outputs, and inference pipelines.
The reform agenda
Privacy Act reform has been working through the Australian parliamentary process since the 2022 Privacy Act Review Report. The most significant proposed change for AI governance, deferred to a second tranche of reforms rather than enacted in the 2024 amendments, is the introduction of a 'fair and reasonable' test: collection, use, and disclosure of personal information must be fair and reasonable in the circumstances, having regard to the reasonable expectations of individuals.
This test, if enacted, would create a meaningful constraint on AI training and inference pipelines that currently rely on expansive consent obtained in privacy policies that few people read. The reform trajectory is clear even if the timing remains uncertain: Australian privacy law is moving toward a more substantive standard that will require genuine consideration of individual expectations, not just formal consent.
What organisations should do now
Audit your AI systems against the APPs. Begin with your privacy policy — does it accurately describe how AI uses personal information? Then examine data collection and use practices for AI training — are they consistent with what individuals would reasonably expect at the time of collection? Establish a privacy impact assessment process for new AI deployments. And document your assessment, because when the OAIC investigates, it is looking for evidence of genuine consideration, not retrospective rationalisation.