What Is the Australian Privacy Act? How It Applies to AI Systems
Australia's Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) govern how personal information is handled — including by AI systems. Here is what organisations need to know.
Key Takeaways
The Privacy Act 1988 applies to Australian Government agencies and private sector organisations with annual turnover above $3 million. The 13 Australian Privacy Principles govern how personal information is handled — including by AI systems.
APP 3 limits collection to information that is reasonably necessary — AI systems collecting extensive data for training or profiling must justify each data category.
APP 12 gives individuals the right to access personal information held about them — including information used in AI-assisted decisions. Organisations must respond within 30 days.
Biometric data used in AI facial recognition or analysis is sensitive information under the Privacy Act, attracting higher collection and use obligations including consent requirements.
The OAIC's enforcement against Clearview AI established extraterritorial jurisdiction over overseas companies collecting data about Australians — there is no safe harbour for offshore biometric data collection.
2024 reforms strengthened enforcement. Proposed further reforms include a statutory tort for serious privacy invasions and enhanced automated decision-making transparency obligations.
"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. Consult a qualified specialist for specific guidance."
The Privacy Act and AI: the regulatory baseline
The Privacy Act 1988 applies to Australian Government agencies and private sector organisations with annual turnover above $3 million. The 13 APPs govern every stage of how personal information is collected, stored, used, and disclosed — and apply fully to AI systems. APP 3 limits collection to information reasonably necessary for the organisation's functions. APP 5 requires notification at or before the time of collection (or as soon as practicable after, where prior notification is not practicable). APP 6 prevents using personal information collected for one purpose in AI systems for another purpose without consent. APP 11 requires reasonable security safeguards including for AI systems. APP 12 gives individuals access rights to personal information including data used in AI-assisted decisions.
Sensitive information and enforcement
Biometric data is sensitive information under the Privacy Act, attracting higher obligations including consent requirements. The OAIC enforces the Privacy Act and can seek civil penalties. The 2023 Clearview AI appeal upheld the established extraterritorial jurisdiction over overseas companies collecting data about Australians. 2024 reforms strengthened enforcement powers, with further proposed reforms including a statutory tort for serious privacy invasions.