Back to Insights

Australia 7 min read 2026

What Is the Australian Privacy Act? How It Applies to AI Systems

Australia's Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) govern how personal information is handled — including by AI systems. Here is what organisations need to know.

A

AIRiskAware

Specialist AI Risk Governance & Compliance

Share

What Is the Australian Privacy Act? How It Applies to AI Systems

Key Takeaways

The Privacy Act 1988 applies to Australian Government agencies and private sector organisations with annual turnover above $3 million. The 13 Australian Privacy Principles govern how personal information is handled — including by AI systems.
APP 3 limits collection to information that is reasonably necessary — AI systems collecting extensive data for training or profiling must justify each data category.
APP 12 gives individuals the right to access personal information held about them — including information used in AI-assisted decisions. Organisations must respond within 30 days.
Biometric data used in AI facial recognition or analysis is sensitive information under the Privacy Act, attracting higher collection and use obligations including consent requirements.
The OAIC's enforcement against Clearview AI established extraterritorial jurisdiction over overseas companies collecting data about Australians — there is no safe harbour for offshore biometric data collection.
2024 reforms strengthened enforcement. Proposed further reforms include a statutory tort for serious privacy invasions and enhanced automated decision-making transparency obligations.

Important: This content is AI-assisted and under ongoing accuracy review

Articles on AIRiskAware are drafted with AI assistance to summarise complex regulatory landscapes. Specific facts (dates, fine amounts, statute references, case citations) may contain errors. Do not rely on this content for legal, regulatory, financial, or professional decisions. Always verify directly against primary sources (regulator websites, official legislation) or consult a qualified specialist.

Spotted an error? Please report it — we review and correct promptly.

The Privacy Act and AI: the regulatory baseline

The Privacy Act 1988 applies to Australian Government agencies and private sector organisations with annual turnover above $3 million. The 13 APPs govern every stage of how personal information is collected, stored, used, and disclosed — and apply fully to AI systems. APP 3 limits collection to information reasonably necessary for the organisation's functions. APP 5 requires notification at or before the time of collection (or as soon as practicable after, where prior notification is not practicable). APP 6 prevents using personal information collected for one purpose in AI systems for another purpose without consent. APP 11 requires reasonable security safeguards including for AI systems. APP 12 gives individuals access rights to personal information including data used in AI-assisted decisions.

Sensitive information and enforcement

Biometric data is sensitive information under the Privacy Act, attracting higher obligations including consent requirements. The OAIC enforces the Privacy Act and can seek civil penalties. The 2023 Clearview AI appeal upheld established extraterritorial jurisdiction over overseas companies collecting data about Australians. 2024 reforms strengthened enforcement powers, with further proposed reforms including a statutory tort for serious privacy invasions.

Stay ahead of AI governance

Regulatory updates, practical frameworks, and new articles — free, monthly. No spam.

No spam. Unsubscribe anytime. We'll never share your email.

Work with AIRiskAware

Specialist AI risk governance and compliance advisory for enterprise organisations and businesses of all sizes.

Found this useful? Share it.

Share on LinkedIn

Related articles

AI Governance for Australian Charities and Not-for-Profits: ACNC Obligations and Practical Compliance

Australia 9 min read

AI Governance for Australian Charities and Not-for-Profits: ACNC Obligations and Practical Compliance

AI in Australian Aged Care: Governance Obligations for Providers Under the Strengthened Standards

Australia 10 min read

AI in Australian Aged Care: Governance Obligations for Providers Under the Strengthened Standards

The ATO and AI: Tax Compliance Obligations for Australian Businesses Using Artificial Intelligence

Australia 9 min read

The ATO and AI: Tax Compliance Obligations for Australian Businesses Using Artificial Intelligence

More from AIRiskAware

Practical AI governance guidance for organisations at every stage.

All Insights Free Assessment