
Australia's AI Compliance Shift: Privacy Act Reforms and the OAIC's Enforcement Focus on Transparency (2025–2026)


Compliance 4 July 2026 6 min read


Australia is not waiting for a dedicated AI Act. Instead, it is methodically tightening the compliance screws through amendments to existing legislation, targeted regulatory guidance, and a regulator that has made AI accountability an explicit enforcement priority. For international professional services businesses and global enterprises operating in or across the Asia-Pacific region, this approach carries practical and immediate implications.

The Privacy Act as Australia's Primary AI Compliance Instrument

Australia's decision to embed AI governance within the Privacy Act 1988, rather than create standalone AI legislation, is a deliberate and consequential policy choice. Significant reforms to the Act came into effect in late 2024, introducing stricter data protection standards, substantially increased penalties, and new compliance obligations that are directly relevant to AI systems.

The most significant change for businesses using automated processes is the mandatory transparency obligation for automated decision-making (ADM) systems. From 10 December 2026, organisations must clearly disclose in their privacy policies when and how automated processes are used in decisions that significantly affect individuals' rights or interests. This is not a vague aspirational standard — it is a documentation and disclosure requirement with an enforcement agency actively monitoring compliance.

For businesses with Australian operations, the immediate task is to audit existing AI systems against this standard. That means identifying which automated processes make or materially influence decisions affecting individuals, reviewing current privacy policy disclosures for adequacy, and establishing a remediation timeline that accounts for the December 2026 deadline.

What the OAIC Is Actually Doing

The Office of the Australian Information Commissioner (OAIC) has made its 2025–26 enforcement priorities explicit: practices that erode privacy rights in AI applications, facial recognition technology, and automated decision-making are squarely in its sights. This is not aspirational language from a regulator building its profile. The OAIC has already demonstrated its willingness to act.

In February 2026, the OAIC ruled that Bunnings — a major retail chain — had breached transparency and notice obligations through its use of AI-powered facial recognition technology. The ruling is instructive not only for what it found, but for what it signals: the OAIC affirmed that Bunnings was entitled to rely on certain crime prevention exemptions, yet still found the organisation in breach on transparency grounds. The message is direct — exemptions do not excuse poor disclosure practices. Even where your use of AI may be legally permissible, a failure to be transparent about it remains a regulatory exposure.

Earlier, in July 2025, the OAIC inquired into I-MED Radiology Network regarding patient data used for AI training. Although the data was found to be sufficiently de-identified, the inquiry itself illustrates the OAIC's appetite to scrutinise how health and sensitive data flows into AI development pipelines. Organisations in sectors handling sensitive personal data should treat this as a signal, not a reassurance.

The OAIC has also issued substantive guidance: updated advice on privacy considerations for commercially available AI products (January 2025), and guidance specifically for developing and training generative AI models (October 2024). For businesses deploying or procuring AI tools, these documents are now essential reading — and in any regulatory exchange, the OAIC will expect organisations to have engaged with them.

Australia's Broader Governance Architecture

Beyond the Privacy Act, Australia's National AI Plan (December 2025) confirms that the country will rely on a suite of technology-neutral laws — the Privacy Act, Australian Consumer Law, and Copyright Act — supported by voluntary guidance rather than a prescriptive AI-specific statute. The National AI Centre released updated Guidance for AI Adoption in October 2025, outlining six essential practices for responsible AI governance, superseding the earlier Voluntary AI Safety Standard from September 2024.

For government contractors and public sector clients, the Australian Government's Policy for the Responsible Use of AI in Government (Version 2.0), effective from 15 December 2025, introduces mandatory requirements for public service agencies including internal AI use case registers and foundational AI training for staff from June 2026. Businesses that supply AI-enabled services to Australian government clients should understand that their clients now carry these obligations — and will likely seek contractual assurances in turn.

New Zealand: A Complementary but Distinct Framework

Across the Tasman, New Zealand has opted for a principles-based, light-touch regulatory approach that prioritises AI adoption as an economic productivity driver. The National AI Strategy, "Investing with Confidence," launched in July 2025, is explicitly growth-oriented. Complementary guidance, "Responsible AI Guidance for Businesses" (July 2025), offers practical direction on ethical deployment, stakeholder engagement, and governance structures, without imposing hard legislative mandates.

Notably, New Zealand's framework incorporates Treaty of Waitangi obligations, ensuring Māori perspectives are embedded in AI ethics and data governance considerations. For multinational organisations entering the New Zealand market, this is not a formality — it is a material governance requirement that should be reflected in AI impact assessments and stakeholder engagement processes.

A Public Service AI Framework, introduced in February 2025, guides responsible AI use across government departments. As in Australia, the intent is to leverage existing privacy and consumer protection legislation rather than introduce new AI-specific law.

Implications for International Professional Services Businesses

For organisations with multi-jurisdictional AI compliance obligations, the Australasian picture presents a coherent set of practical priorities.

Transparency is non-negotiable. Both Australia and New Zealand are aligning with OECD AI Principles agreed in June 2024, and both frameworks place transparency at their core. The Bunnings ruling confirms that Australian regulators will hold organisations accountable for disclosure failures even where the underlying AI use is otherwise defensible. Organisations should treat privacy policy updates and ADM disclosures as urgent compliance deliverables, not future considerations.

Existing legal frameworks carry real compliance weight. The absence of a dedicated AI Act does not mean a light regulatory environment. Enforcement is happening through privacy law, consumer law, and copyright — frameworks with existing enforcement teeth and regulators that understand how to use them.

Procurement and supply chains are a compliance vector. Organisations deploying third-party AI products remain accountable for how those products handle personal data. The OAIC's guidance on commercially available AI products makes this clear. Vendor due diligence and contractual protections are essential components of any AI governance programme.

Indigenous data governance is a live consideration. New Zealand's Treaty of Waitangi obligations represent an emerging governance dimension that international organisations should factor into regional AI strategies, particularly where AI systems interact with data relating to Māori communities.

Get Your AI Compliance Position Right

Australia's regulatory direction is clear, the enforcement calendar is set, and the OAIC has demonstrated it will act. For international businesses, the window to establish compliant AI governance frameworks across Australasian operations is narrowing.

Ops Intel works with professional services businesses and global enterprises to navigate AI compliance obligations across multiple jurisdictions — from privacy law alignment and ADM disclosure frameworks to vendor governance and cross-border regulatory mapping.

If you are assessing your AI compliance position in Australia, New Zealand, or across a broader international footprint, contact Ops Intel to arrange a consultation.
