What AI Means for Your Privacy: Your Rights When Organisations Use AI

The AI decisions that affect you without you knowing

AI systems are making consequential decisions about people's lives at scale. A credit scoring model decides whether you get a loan. A recommendation algorithm shapes what news you see. A CV screening tool filters your job application before any human reads it. An insurance pricing model sets your premium based on patterns in data you may never have seen. These are not hypothetical scenarios — they are happening at millions of organisations, every day.

In most jurisdictions, you have rights when this happens. They vary by country, and they are not always well-publicised by the organisations that are obligated to respect them. This guide explains what those rights are and how to use them.

Your rights under EU and UK law (GDPR / UK GDPR)

Article 22 of GDPR — and its UK equivalent — gives you the right not to be subject to a decision that is based solely on automated processing and produces legal or similarly significant effects concerning you. Credit decisions, job rejections based on automated screening, insurance denials, and significant changes to service terms all potentially qualify.

What this right means in practice: you can ask the organisation to provide human review of the automated decision; you can express your point of view; and you can contest the decision. The organisation must be able to tell you meaningful information about the logic involved — not just "an algorithm decided." If you have been affected by an automated decision and you are in the EU or UK, you can request human review of that decision from the relevant organisation. If they refuse or do not respond, you can complain to your national data protection authority.

Your rights in Australia

The Privacy Act gives you the right to access personal information that an organisation holds about you — including data fed into AI systems that have made decisions about you. You can request what data was held and how it was used. From December 2026, a new legal obligation requires organisations to describe in their privacy policies how AI uses your personal information in decisions that significantly affect your rights or interests. If an AI system made a decision about you using inaccurate data, you can request correction.

Your rights in the United States

The US regulatory framework is patchwork but meaningful. If a lender uses AI in a credit decision and rejects you, the Fair Credit Reporting Act and Equal Credit Opportunity Act require them to give you specific reasons — not just a reference to an algorithmic score. The reasons must be specific enough for you to understand what factors led to the decision. If you believe an AI system discriminated against you based on race, sex, religion, national origin, or another protected characteristic, you can file a complaint with the EEOC (for employment) or CFPB (for financial decisions).

How to exercise your rights

Make your request in writing. Identify yourself, the decision you are questioning, and the right you are exercising. In the EU/UK, reference your Article 22 right explicitly. In Australia, reference the Privacy Act right of access. In the US, reference the specific statute (FCRA for credit, ECOA for lending decisions). Give the organisation a reasonable time to respond (30 days is standard under most privacy laws). If they do not respond or respond inadequately, file a complaint with your national regulator — the ICO in the UK, the OAIC in Australia, the data protection authority in your EU member state, or the CFPB/EEOC in the US depending on context.