Compliance | 9 June 2026 | 6 min read

Australasia's AI Compliance Crackdown: What Professional Services Firms Must Do Before December 2026

The window for a cautious, wait-and-see approach to AI compliance in Australasia has closed. Australia's regulators are now auditing, enforcing, and penalising — and the December 2026 deadline for automated decision-making disclosure is closer than most compliance teams appreciate. For international professional services firms and global enterprises operating across multiple jurisdictions, the regulatory shifts underway in Australia and New Zealand carry implications well beyond the Pacific region.

Australia Is Not Waiting for a Standalone AI Act

One of the most consequential decisions shaping the current landscape is Australia's deliberate choice not to create a standalone AI Act. Confirmed by the December 2025 National AI Plan, the government has instead embedded AI governance within existing legal frameworks — most notably the Privacy and Other Legislation Amendment Act 2024 (POLA Act).

The practical effect of this approach is that AI compliance obligations are already live, drawing on legislation that carries real enforcement teeth. By 10 December 2026, organisations must transparently disclose in their privacy policies whether automated decision-making (ADM) systems — including AI tools — make or substantially assist in decisions that significantly affect individuals' rights. This is not a future proposal. It is a firm statutory deadline, and the Office of the Australian Information Commissioner (OAIC) has already signalled that ADM is an explicit enforcement priority for 2025–26.

In January 2026, the OAIC launched its first-ever compliance sweep, auditing the privacy policies of approximately 60 organisations to assess baseline readiness for these incoming obligations. For professional services firms — many of which use AI to inform hiring decisions, client credit assessments, risk scoring, or contract analysis — this is a direct signal that regulators are not waiting for December to start looking.

New Zealand: Light Touch, But Not No Touch

New Zealand has taken a more permissive, adoption-first stance following its mid-2025 National AI Strategy. However, "light touch" does not mean unregulated. The New Zealand Privacy Commissioner has introduced new rules governing the use of biometric data, with full agency compliance required by August 2026. For any firm using facial recognition, voice analysis, or behavioural biometrics in its operations or client-facing tools, this deadline demands immediate attention.

Firms with operations across both jurisdictions should resist the temptation to treat New Zealand as a lower-risk environment by default. The biometrics rules carry their own compliance obligations and are part of a broader regional trend towards more assertive data protection enforcement.

Enforcement Is No Longer Theoretical

The scale and specificity of recent enforcement actions in Australia should recalibrate any risk assessment that still treats regulatory penalties as unlikely. The Federal Court imposed a landmark $5.8 million civil penalty on Australian Clinical Labs for inadequate cybersecurity and delayed breach notification — a ruling that directly implicates how firms manage third-party AI vendors and data processors. The OAIC ordered Bunnings to cease its use of facial recognition technology entirely. In a separate ruling, Court Data Australia was found to have unlawfully scraped public records for commercial databases without providing fair collection notices.

These are not edge cases. They represent a clear enforcement philosophy: harms-based, technology-specific, and willing to target both the collection and use of data in AI contexts.

The ACCC has also entered this space, fining three major banks a combined $4.7 million for coercing customers into using the Digital ID system — a reminder that enforcement extends to how AI-adjacent technologies are deployed, not just how data is processed.

Four Compliance Priorities Firms Cannot Defer

Map Your Automation Footprint

Before any disclosure can be written, firms need to know where ADM operates within their business. This means systematically identifying every process in which AI makes or materially influences a decision affecting clients, employees, or third parties. Credit decisions, contract risk assessments, recruitment screening, document review prioritisation — all of these require scrutiny. Privacy policies must then be updated to describe the personal data inputs used in ADM and to clarify whether decisions are fully automated or substantially assisted by human-reviewed AI outputs. Vague references to "automated tools" will not satisfy the POLA Act's requirements.

In April 2026, Australian copyright reforms explicitly rejected a text-and-data-mining exemption for AI training — the same exemption that exists in several other jurisdictions. This means that training AI models on scraped public data carries significant legal exposure in Australia without a formal licensing arrangement or an applicable existing exception. Combined with the Court Data Australia ruling, which found against commercial scraping of public records without fair notice, the message to firms building or procuring AI systems is unambiguous: your data provenance must be documented and defensible. Vendor contracts should now include explicit representations about training data sourcing.

Extend Vendor Due Diligence Downstream

The $5.8 million penalty against Australian Clinical Labs confirmed what regulators have been signalling for some time: privacy and cybersecurity accountability cannot be outsourced. If a firm deploys a third-party AI tool that processes personal data, the firm remains accountable for how that data is handled — including by the vendor's own subcontractors. Compliance teams should be conducting due diligence not just on direct AI vendors, but on fourth-party subcontractors within the supply chain. Contractual protections are necessary but not sufficient; firms need evidence of actual compliance, not just assurances.

Ensure Human Oversight Is Substantive

Where AI substantially assists human decision-makers, internal governance must ensure that human review is meaningful. Regulators and courts are increasingly alert to "rubber-stamping" scenarios in which a human nominally approves an AI recommendation without the authority, context, or information needed to override it. For professional services firms advising clients on matters of significant consequence — legal risk, financial exposure, regulatory standing — this is particularly acute. Oversight mechanisms should be documented, tested, and capable of demonstrating that human judgement genuinely operates in the loop.

The Extraterritorial Dimension

International firms should not read Australasian regulatory developments in isolation. Organisations deploying AI that influences decisions affecting individuals in the EU must also determine whether they qualify as "providers" or "deployers" under the EU AI Act — a classification that carries distinct and demanding compliance obligations, including transparency duties, regardless of whether the firm has a physical European presence. A firm headquartered in Sydney or Auckland that serves European clients through AI-assisted processes may simultaneously face obligations under both frameworks.

Managing overlapping obligations across multiple jurisdictions is now a baseline operational requirement for global professional services firms, not a specialist concern.

Act Before the Deadline, Not After It

The December 2026 ADM disclosure deadline is twelve months away. For organisations that have not yet mapped their automation footprint, reviewed their privacy policies, or assessed their vendor supply chains, that timeline is tight — not comfortable. Regulators in Australia have already demonstrated both the willingness and the capability to act before deadlines arrive.

Ops Intel works with international professional services businesses and global enterprises to navigate multi-jurisdictional AI compliance obligations with precision. If your organisation needs to assess its exposure under Australia's POLA Act, New Zealand's biometrics rules, or the EU AI Act — or all three simultaneously — our compliance team is ready to help.

Get in touch with Ops Intel to arrange a compliance review before your window narrows further.
