
Australian Privacy Law Update - What APP entities need to know in 2026

On 10 December 2026, automated decision-making transparency obligations under the Privacy Act 1988 (Cth) (Privacy Act) will come into effect.

Further, the Office of the Australian Information Commissioner (OAIC) has renewed its focus on organisations ensuring that their privacy policies are compliant with the Privacy Act, and is currently undertaking a "compliance sweep" of privacy policies.

This update provides a summary of this new transparency obligation and why it is a good time for your organisation to review and update its privacy policy.

New transparency requirements for automated decision making

In 2024, the Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA Act) amended the Privacy Act to require APP entities to include additional information relating to automated decisions in their privacy policies.

These transparency requirements come into effect on 10 December 2026.

Under new APP 1.7, an APP entity must comply with the new transparency requirements if it arranges a computer program, using personal information about an individual, to make or directly support a decision that could reasonably be expected to significantly affect the individual’s rights or interests.

An APP entity must include the following details in its privacy policy:

  • the kinds of personal information the APP entity uses in the operation of automated decision-making technology;
  • the kinds of decisions made solely using automated decision-making technology; and
  • the kinds of decisions where automated decision-making technology performs a function substantially and directly related to making a decision (i.e. a computer program is an essential part of the decision-making process) (APP 1.8).

The amendments are broadly cast to capture a range of technologies which may be used by organisations to automate decision-making processes, including AI-enabled systems, rule-based tools and automated assessment technologies.

Privacy Commissioner’s privacy policy compliance sweep

In January 2026, the OAIC began its first-ever privacy compliance sweep, targeting approximately 60 organisations across six sectors where personal information is commonly collected in person. These sectors include real estate agencies, chemists, licensed venues, car rental businesses, car dealerships, pawnbrokers and second-hand dealers.

As part of the sweep, the OAIC will assess each organisation's privacy policy for compliance with APPs 1.3 and 1.4, which require organisations to have a clearly expressed and up-to-date privacy policy. Organisations in the targeted sectors, and indeed all APP-regulated entities, should view this as a signal that privacy policy compliance is an OAIC enforcement priority.

What organisations should do now

This year, APP entities should take active steps to ensure their privacy policies are compliant with the existing and new regulations by:

  • mapping their information technology systems and decision flows to assess whether they are required to comply with the new automated decisions transparency obligations; and
  • reviewing and updating their privacy policies to ensure they address the new automated decisions transparency obligations and reflect the organisation's current information handling practices.

Under the Privacy Act, an entity found to have a non-compliant privacy policy may be issued with a compliance notice or infringement notice, or be pursued by the OAIC for civil penalties.

How we can help

In preparation for the commencement of the new privacy policy transparency obligations, Lander & Rogers is offering a cost-effective Privacy Policy Rapid Review Service to assist clients to review their privacy policies for compliance with the Privacy Act. This service will be available until December 2026.

Please contact our team of experienced privacy lawyers to learn more about this service.
