The 10 December 2026 ADM Disclosure Rules: Who Is Caught
Summary
From 10 December 2026, APP entities must disclose in their privacy policies the kinds of personal information used in substantially automated decisions that significantly affect people's rights or interests. The trigger words are broader than most product teams assume, and the audit that answers them has not been done in most organisations.
Key Takeaways
- From 10 December 2026, APP entities must disclose in their privacy policies the kinds of personal information used in substantially automated decisions that significantly affect individuals' rights or interests.
- The obligation comes from the Privacy and Other Legislation Amendment Act 2024 (Cth), not from an AI Act. Australia has no standalone AI Act and governs AI through existing technology neutral laws.
- The trigger concepts, substantially automated and significantly affecting rights or interests, are questions of substance about your systems, not labels you choose.
- OAIC guidance is expected around September 2026, which leaves a short runway between guidance and deadline.
- The disclosure is the visible end of an internal audit most organisations have not run: finding every decision the machines are making with personal information.

On 10 December 2026, a new transparency obligation switches on for APP entities under the Privacy and Other Legislation Amendment Act 2024 (Cth). From that date, privacy policies must disclose the kinds of personal information used in substantially automated decisions that significantly affect individuals' rights or interests. It sounds like a paperwork exercise. It is the first time many organisations will be forced to work out, in writing and in public, what decisions their machines are actually making about people.
In Brief
- From 10 December 2026, APP entities must disclose in their privacy policies the kinds of personal information used in substantially automated decisions that significantly affect individuals' rights or interests.
- The obligation sits in the Privacy and Other Legislation Amendment Act 2024 (Cth). It is a privacy law obligation, not an AI law obligation, because Australia has no standalone AI Act.
- Whether a decision is substantially automated and whether it significantly affects rights or interests are questions of substance, and the honest answers require an internal audit most organisations have not run.
- OAIC guidance is expected around September 2026, leaving a short runway between guidance and deadline.
- The organisations exposed are not just the ones that call their products AI. Scoring, triaging, filtering and eligibility systems can all sit inside the net.
Where This Obligation Comes From
Australia has no standalone AI Act, and this obligation is a working example of what that means in practice. AI in this country is governed through existing technology neutral laws, and the Privacy and Other Legislation Amendment Act 2024 (Cth) reaches automated decision making through the law that has always governed personal information. The obligation does not care whether you describe your system as AI, machine learning or a rules engine. It cares what the system does with personal information and what the decision does to the individual.
That framing defeats the most common assumption we hear, which is that a business without an AI strategy has nothing to disclose. The net was not drawn around AI. It was drawn around automated decisions.
The Two Trigger Concepts
The obligation turns on two phrases, and both are doing more work than they appear to.
Substantially automated. The word is substantially, not fully. A decision does not escape the net because a human sits somewhere in the workflow. Whether the human involvement in your process is enough to change the character of the decision is a question about your actual system, your actual escalation rates and what your staff actually do with the output, not about what the process map says.
Significantly affects individuals' rights or interests. This is where the perimeter really sits, and it is wider than the dramatic cases. Decisions about money, access, eligibility and opportunity all put pressure on this phrase. Whether your particular decision crosses the line is exactly the kind of judgement that looks easy until a regulator or a complainant tests your answer.
Neither phrase can be answered from the marketing description of your product. Both have to be answered from the system itself.
Who Should Be Paying Attention
The obvious cohort is anyone shipping an AI product that makes calls about customers. The less obvious cohorts are where the exposure concentrates. Lenders and insurers whose scoring models have quietly become the decision. Platforms whose ranking and filtering determines who gets seen. Employers whose screening tools shape who gets interviewed. Health and human services organisations whose triage systems decide who waits. Professional firms whose AI tools have moved from drafting assistance into judgement. None of these need to use the word AI anywhere to be inside the net.
For founders building AI products for licensed professions, there is a second layer. Your customers are APP entities with their own disclosure obligations, and from 10 December 2026 they will start asking you precisely what your product decides and with what personal information. If you cannot answer cleanly, that is now a sales problem as well as a compliance problem.
Why the Deadline Is Closer Than It Looks
OAIC guidance is expected around September 2026. That leaves a short window between the regulator explaining its expectations and the obligation commencing. Organisations that wait for the guidance before starting will be running the audit, the analysis and the drafting inside roughly a quarter.
And the audit is the hard part. The disclosure itself is a few paragraphs in a privacy policy. What stands behind it is an inventory of every substantially automated decision in the organisation, an assessment of which ones significantly affect rights or interests and a defensible record of how those judgements were made. A disclosure that is wrong is worse than none, because it is a published statement a regulator can hold against you. Getting the underlying analysis right is the work, and it is legal work, because the questions are legal questions.
The Larger Pattern
This deadline is one instalment in a broader story. Because Australia governs AI through technology neutral laws, obligations arrive through statutes that never mention AI, on timetables set for other reasons, enforced by regulators whose perimeters were drawn decades ago. The businesses that navigate this well treat each new obligation as a prompt to map their whole position, not as an isolated drafting task. The ones that navigate it badly find out where their systems sit from a regulator.
Frequently Asked Questions
We do not use AI. Does this apply to us?
Possibly. The obligation attaches to substantially automated decisions using personal information, not to AI as a label. Scoring, eligibility and triage systems built long before the current AI wave can sit inside the net.
A human reviews every output. Are we outside the rules?
Not automatically. The test is whether the decision is substantially automated, and a human presence in the workflow does not settle that. What the human actually does with the output is what matters, and that is an assessment worth having done properly.
When should we start?
Now. OAIC guidance is expected around September 2026 and the obligation commences on 10 December 2026. The audit that stands behind the disclosure takes longer than the disclosure itself.
What happens if our disclosure is wrong?
A published privacy policy is a statement the regulator and your customers can test. An inaccurate disclosure creates its own exposure, which is why the underlying analysis matters more than the drafting.
Working out whether your systems are caught, or building the audit that stands behind the disclosure? Contact Astris Law, call (07) 3519 5616 or read more on our AI and licensed professions page.
Sources and References
- LegislationPrivacy and Other Legislation Amendment Act 2024 (Cth)
- LegislationPrivacy Act 1988 (Cth)
This article is for general information purposes only and does not constitute legal advice and should not be relied on as such. While we take reasonable care to ensure the accuracy of the information provided, we make no representations or warranties as to its completeness, currency or reliability. We accept no liability for any loss or damage arising directly or indirectly from the use of, or reliance on, this website's content. You should always seek professional advice tailored to your specific circumstances before acting on any information in this article. Liability limited by a scheme approved under Professional Standards Legislation.