The Privacy Act Review and AI: What Every Australian Business Needs to Prepare For


The ongoing review of Australia’s Privacy Act 1988 has enormous implications for AI, and too few Australian businesses are preparing for what’s coming. The changes under consideration would fundamentally alter how organisations collect, use, and process personal information for AI purposes.

Here’s what’s on the table and what you should be doing about it now.

The Key Proposals That Affect AI

Several proposals in the Privacy Act review directly impact AI development and deployment.

Expanded definition of personal information. The proposed broadening of what constitutes personal information could bring more data within the Act’s scope. Technical data like device identifiers, location data, and behavioural data that AI systems commonly use would more clearly be classified as personal information, triggering full privacy compliance obligations.

New transparency requirements. Organisations would need to clearly disclose when personal information is used in automated decision-making, including AI systems. This goes beyond current requirements and would mandate specific disclosures about how AI processes personal data and influences decisions.

Right to explanation. Individuals may gain the right to a meaningful explanation when a decision significantly affecting them is made using automated processing. For AI systems in lending, insurance, employment, and government services, this would require explainability capabilities that many current systems lack.

Enhanced consent requirements. The review proposes strengthening consent requirements, potentially requiring more specific consent for AI processing rather than broad consent buried in terms and conditions. This could affect AI systems that rely on existing consent frameworks that predate AI adoption.

Data minimisation. The review proposes stronger requirements to collect only the minimum data necessary for the stated purpose. AI systems, which often benefit from more data, would need to demonstrate that data collection is proportionate to the purpose.

What This Means for AI Development

If these proposals become law, the impact on Australian AI development will be significant.

Training data scrutiny. Companies training AI models on personal information will need to demonstrate that consent covers AI training use, that the data collection is proportionate, and that individuals have been informed about how their data contributes to AI systems.

Deployment requirements. AI systems processing personal information will need explainability features, clear disclosure to affected individuals, and processes for individuals to contest automated decisions.

Data retention. AI models trained on personal information raise questions about data retention. If an individual exercises their right to deletion, does the model need to be retrained? This is technically complex and potentially expensive.

Cross-border data flows. Tighter restrictions on transferring personal information overseas could affect AI systems that process data using overseas cloud infrastructure. Companies may need to demonstrate adequate protection or keep data within Australian jurisdiction.

What You Should Do Now

Don’t wait for the legislation to pass. Preparing now is significantly cheaper than scrambling later.

Audit your AI data usage. Map every AI system that processes personal information. Document what data is collected, how it’s used, where it’s processed, and what consent framework governs it. Identify gaps between current practice and proposed requirements.

Build explainability. If you have AI systems that make or influence decisions about individuals, start building explanation capabilities now. The technical work is substantial and shouldn’t be left until legislation mandates it.

Review consent mechanisms. Examine whether your current consent frameworks explicitly cover AI processing. If consent was obtained before AI was introduced, it likely doesn’t. Plan for how you’ll obtain updated consent without disrupting customer relationships.

Assess cross-border data flows. If your AI processing happens overseas, evaluate whether it would comply with strengthened cross-border transfer requirements. Consider whether domestic processing alternatives exist.

Engage with the process. The Privacy Act review includes public consultation periods. Australian businesses that engage constructively with the consultation process can influence how proposals are shaped. The AI-specific elements are still being refined, and industry input matters.

Get specialist guidance. The intersection of AI and privacy law is complex. Working with Team400’s AI team, who understand both the technology and the regulatory landscape, can help you prioritise preparation efforts and avoid costly missteps.

The Compliance Cost Question

Let’s be honest: these changes will increase compliance costs for Australian businesses using AI. Explainability features, enhanced consent mechanisms, data auditing, and potentially domestic data processing all cost money.

For large enterprises, these costs are manageable. For mid-market companies and startups, they could be significant. The government should consider compliance cost support for smaller organisations, similar to what’s been done for other regulatory changes.

But the costs of non-compliance will be higher. The proposed enforcement mechanisms include significantly increased penalties, and the reputational damage from a privacy breach involving AI processing would be substantial.

The Positive Case

It’s worth noting that stronger privacy protections for AI aren’t purely a compliance burden. They’re also a competitive advantage.

Australian businesses that can demonstrate robust AI privacy practices will be more trusted by customers, more attractive to international partners with their own privacy standards, and better prepared for the global trend toward AI regulation.

The EU’s AI Act and GDPR already set high bars for AI and privacy. Australian companies selling into European markets need to meet those standards regardless. Domestic legislation that aligns with international norms simplifies compliance for businesses operating across borders.

Timeline

The Privacy Act review has been deliberate. Don’t mistake that for inaction. The government has signalled that legislation implementing key reforms is expected within the next twelve to eighteen months. For AI-specific provisions, the timeline may be slightly longer, but the direction is clear.

Businesses that start preparing now will adapt smoothly. Those that wait will face compressed timelines and higher costs. The lesson from GDPR in Europe is clear: companies that prepared early spent less and experienced less disruption than those that treated it as a last-minute compliance exercise.

The Privacy Act review is coming. AI is in scope. Prepare now.