28 Jun 2026, 7 min read

Responsible AI in Australia: What's Changing in 2026

From December 2026, Australian businesses must be transparent about decisions they let software make. Here is what responsible AI means, and how to prepare.

Afif Alamgir

Engineering lead

  • responsible AI
  • AI governance
  • AI regulation Australia
  • automated decision-making
  • AI integration
  • AI compliance
From 10 December 2026, Australian businesses will have to be transparent about the decisions they let software make about people. That single change has done more to shift the AI conversation than any product launch. Regular AI use among Australian small and medium businesses climbed from 40% in mid-2024 to 69% by early 2026, and now the rules are catching up. The question in most boardrooms has moved from "should we use AI" to "are we using it responsibly, and can we prove it."

This is not only a compliance story. With trust the biggest single barrier to AI adoption in Australia, responsible AI is becoming both a legal expectation and a real commercial advantage. Here is what is changing, where it bites, and what to do before the deadline.

What the new rule requires

The headline change sits inside the Privacy Act reforms. From 10 December 2026, if your business uses a computer program to make, or to substantially help make, a decision that could reasonably be expected to significantly affect a person's rights or interests, and personal information is involved, you will need to disclose that in your privacy policy. The policy must describe the kinds of personal information used and the types of decisions that the program makes or substantially assists.

A few details matter more than the headline.

The definition of automated decision-making is deliberately broad. It is not limited to advanced AI. A rule-based script, a machine learning model, or even a spreadsheet that scores or ranks people in a way that drives a significant decision can fall within scope. If software is doing the deciding, or doing most of it, the label on the technology does not get you out of the obligation.

It applies to most established businesses. The duty falls on what the Act calls APP entities (organisations bound by the Australian Privacy Principles), which generally means organisations with annual turnover above three million dollars, along with health service providers, credit reporting bodies, Consumer Data Right participants, and a handful of others regardless of size.

It is not grandfathered. The rule applies to decisions made on or after the start date, whether or not the system behind them was built years earlier. An old model making new decisions is still in scope.

And the penalties are serious. Non-compliance sits under the Privacy Act's civil penalty regime, which for serious or repeated breaches can reach into the tens of millions of dollars, on top of the reputational cost of being named for it.

This article is general information, not legal advice. For how the rule applies to your specific systems, talk to a privacy lawyer, and note that the OAIC is expected to publish formal guidance on these obligations around September 2026.

Where it bites: the decisions that count

The test is whether a decision could significantly affect someone's rights or interests, so the rule lands hardest on the decisions people care about most. Think recruitment and hiring, credit and lending, insurance pricing and eligibility, healthcare recommendations, and access to important services. If you use software to shortlist candidates, score loan applications, set premiums, triage patients, or grant and refuse access, you are squarely in the territory the reform was written for.

The flip side is reassuring. A recommendation engine suggesting which article to read next, or an automation that sorts internal support tickets, is unlikely to significantly affect anyone's rights. The line is not about how clever the software is but about how much the decision matters to the person on the other side of it. That distinction is worth making early, because it tells you which of your systems to look at first.

The bigger direction

The transparency rule is one piece of a clear and stable trend. Alongside it, the government has published a Voluntary AI Safety Standard and AI Ethics Principles through the National AI Centre, setting out practices like human oversight, testing, transparency, and accountability. It has also consulted on mandatory guardrails for AI in high-risk settings, which would place firmer obligations on uses such as hiring and credit, though the timing of that remains open.

A second tranche of privacy reform is expected to go further still. The signals point toward privacy impact assessments for high-risk activities, a right for individuals to an explanation of automated decisions that affect them, and a broader "fair and reasonable" test for how personal information is used, regardless of consent.

You do not need to track every consultation to stay ahead. The direction does not wobble: Australian regulation is converging on transparency, explainability, fairness, and a human who is accountable for the outcome. Build for those four things, and you are building for wherever the rules finally land, rather than chasing each amendment as it arrives.

Why this is good for business, not just compliance

Here is the part that matters commercially. The biggest barrier to AI adoption in Australia is not cost or capability, it is trust. Around two thirds of hesitant businesses point to a discomfort with letting software make decisions unchecked, and customers feel the same way about decisions made about them.

So transparency and accountability are not red tape, they are how you earn the trust that lets AI get adopted at all. A business that can clearly explain how its AI reaches a decision, and show that a person is accountable for it, will win more confidence from customers, staff, and regulators than a competitor running an opaque system that nobody can interrogate. Treated well, responsible AI is a selling point, not a cost centre.

What to do before December 2026

You have time, but the work takes time too. A sensible order of operations:

First, map where you use automated decisions. Include the unglamorous ones: the spreadsheets, scripts, and quiet automations that score, sort, or rank people. You cannot disclose what you have not found.

Second, keep a human in the loop for anything that significantly affects someone. Let the software assist and recommend, and let a person make and own the final call on the decisions that matter.

Third, build in explainability and logging, so that for any given decision you can say what data was used and why the outcome was what it was. This is far easier to design in from the start than to bolt on after the fact.

Fourth, update your privacy policy to disclose your automated decisions in plain language, well before the deadline rather than in the final fortnight.

Fifth, check your vendors. If a third-party AI tool makes or shapes decisions on your behalf, its behaviour is still your responsibility and your disclosure.

Sixth, mind your data. Be deliberate about what personal information goes into any AI system, and where that information then travels.
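The second and third steps above (a person owns the final call, and every decision can be explained from its log) are easiest to see in code. The following is an added example, not code from the original post or from the author's company: a small decision audit log that records which personal-information fields a scoring program actually consulted, the recommendation and its plain-language reasons, and whether a named person still has to sign off. The scorer, its thresholds, the field names and the sample applicants are all constructed for illustration. As a bonus, the log can summarise, per decision type, the kinds of personal information consumed, which is the raw material for the privacy-policy disclosure described earlier.

```python
# Added example (not the post's or the company's code): an audit log for
# software-assisted decisions. Field names, thresholds and applicants are
# constructed for illustration only.
from __future__ import annotations

import hashlib
import json
import uuid
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable


@dataclass
class DecisionRecord:
    decision_id: str
    timestamp: str
    system: str                 # program name and version that produced the recommendation
    decision_type: str          # the "type of decision" a privacy policy would have to name
    fields_used: list[str]      # the personal-information fields the program actually read
    input_digest: str           # SHA-256 over the consulted fields, so the record is checkable later
    recommendation: str
    reasons: list[str]          # plain-language reason codes behind the recommendation
    significant: bool           # could the decision significantly affect rights or interests?
    human_review_required: bool
    reviewed_by: str | None = None
    final_outcome: str | None = None


# A scorer returns (recommendation, reasons, fields it actually read).
Scorer = Callable[[dict], tuple[str, list[str], list[str]]]


def eligibility_scorer(applicant: dict) -> tuple[str, list[str], list[str]]:
    """Constructed rule-based scorer; the two rules and thresholds are illustrative."""
    fields = ["residency_months", "prior_defaults"]
    reasons: list[str] = []
    if applicant["residency_months"] < 6:
        reasons.append("residency shorter than 6 months")
    if applicant["prior_defaults"] > 0:
        reasons.append("one or more prior defaults on record")
    recommendation = "refer" if reasons else "approve"
    if not reasons:
        reasons.append("all eligibility rules satisfied")
    return recommendation, reasons, fields


class DecisionLog:
    """In-memory, append-only log of software-assisted decisions."""

    def __init__(self) -> None:
        self._records: dict[str, DecisionRecord] = {}

    def decide(self, scorer: Scorer, system: str, decision_type: str,
               applicant: dict, significant: bool) -> DecisionRecord:
        recommendation, reasons, fields = scorer(applicant)
        # Only the fields the scorer read are digested: unrelated data in the
        # applicant record (an email address, say) never enters the log.
        consulted = {k: applicant[k] for k in sorted(fields)}
        digest = hashlib.sha256(json.dumps(consulted, sort_keys=True).encode()).hexdigest()
        rec = DecisionRecord(
            decision_id=str(uuid.uuid4()),
            timestamp=datetime.now(timezone.utc).isoformat(),
            system=system,
            decision_type=decision_type,
            fields_used=sorted(fields),
            input_digest=digest,
            recommendation=recommendation,
            reasons=reasons,
            significant=significant,
            # Software only recommends on significant decisions; a person owns the final call.
            human_review_required=significant,
            final_outcome=None if significant else recommendation,
        )
        self._records[rec.decision_id] = rec
        return rec

    def record_human_decision(self, decision_id: str, reviewer: str,
                              final_outcome: str) -> DecisionRecord:
        rec = self._records[decision_id]
        if not rec.human_review_required:
            raise ValueError("decision did not require human review")
        rec.reviewed_by = reviewer
        rec.final_outcome = final_outcome
        return rec

    def explain(self, decision_id: str) -> dict:
        """What data was used and why the outcome was what it was, for one decision."""
        return asdict(self._records[decision_id])

    def pending_review(self) -> list[str]:
        """Significant decisions still waiting for a person to sign off."""
        return [r.decision_id for r in self._records.values()
                if r.human_review_required and r.final_outcome is None]

    def disclosure_summary(self) -> dict[str, list[str]]:
        """Per significant decision type, the personal-information fields consumed so far."""
        summary: dict[str, set[str]] = {}
        for r in self._records.values():
            if r.significant:
                summary.setdefault(r.decision_type, set()).update(r.fields_used)
        return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    log = DecisionLog()
    # Constructed applicant; "email" is present but the scorer never reads it.
    rec = log.decide(eligibility_scorer, "eligibility-rules v1.2", "service eligibility",
                     {"residency_months": 3, "prior_defaults": 0, "email": "a@example.com"},
                     significant=True)
    print(json.dumps(log.explain(rec.decision_id), indent=2))
    log.record_human_decision(rec.decision_id, "j.smith", "approve")
    print(log.disclosure_summary())
```

The design choice worth noting is that `final_outcome` stays empty on a significant decision until `record_human_decision` is called, so `pending_review()` doubles as a control check: anything sitting in it has been decided by software alone, which is exactly the state the second step above says to avoid.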

This is where building AI properly pays off. An AI built on your own data, with explainability and human oversight designed in, is both more useful and far easier to stand behind than a generic tool bolted onto your business, which is the heart of proper AI integration for Australian businesses. It matters even more for agentic AI that can take actions on its own, where the case for logging and human oversight is stronger still.

How we approach it

We build AI integrations with governance built in from the start: explainability, human-in-the-loop controls, audit logging, and privacy by design, so the result is both useful and defensible. That work sits across our generative AI integration and compliance and privacy management services. If you are still weighing which AI tools to trust with business data, our guide to using Claude in your business is a sensible starting point.

The reforms are not a reason to slow down on AI. They are a reason to do it in a way you can explain and defend. If you want help building AI that is useful, transparent, and ready for December 2026, tell us what you are working on. This article is general information and not legal advice.

FAQ

Questions readers ask

  • What is responsible AI?

    Responsible AI means building and using AI that is transparent, explainable, fair, and kept under human accountability, so it can be trusted and stood behind. In Australia it is increasingly both good practice and a legal expectation.

  • What changes for Australian businesses in December 2026?

    From 10 December 2026, the Privacy Act reforms require affected businesses to disclose, in their privacy policy, automated decisions that could significantly affect a person's rights or interests, including the personal information used and the types of decisions made. This is general information, not legal advice.

  • Does the automated decision rule apply to my business?

    It generally applies to businesses with turnover above three million dollars, plus health providers, credit reporting bodies and similar organisations, that use a computer program to make or substantially assist significant decisions about people. The definition is broad and can include scoring done in spreadsheets.

  • How do I prepare for the new AI rules?

    Map where you use automated decisions, keep humans in the loop for significant ones, build in explainability and logging, update your privacy policy before December 2026, and confirm that any third-party AI tools you rely on are compliant.

Get In Touch

Ready to build something that works?

We take on a limited number of projects at a time so every client gets proper attention from start to finish. Whether you need a new SaaS platform, AI features added to your existing product, old software modernised, or a completely new system built from the ground up, we would like to hear about it.

xpansion.it@gmail.com

Encrypted communication available on request.