A deadline most Australian businesses don't know about

On 10 December 2026, new automated decision-making transparency requirements come into force for APP entities under Australian privacy law. If you use AI — or any automated system — to make decisions that significantly affect individuals, you will be legally required to disclose that in your privacy policy.

This isn't a distant regulatory proposal. It's already legislated. The Privacy and Other Legislation Amendment Act 2024 passed in late 2024, and the ADM provisions take effect on 10 December 2026. That gives you time to prepare — but not a lot of it, especially if you need to map your AI systems, update your privacy policy, and put oversight processes in place.

Here's what the law requires, who it affects, and exactly what you need to do before the deadline.

What is "automated decision-making" under the new law?

The new provisions define automated decision-making (ADM) broadly. It covers any use of a computer program to make, or assist in making, a decision that has a significant effect on the interests of an individual.

This includes decisions made entirely by software, as well as decisions where a human makes the final call but relies substantially on an automated system's output. The key threshold is whether the decision significantly affects someone — not whether a human was involved in the process.

Common examples that are likely to meet the threshold:

  • AI tools used to screen job applications or assess candidates
  • Automated systems that determine credit eligibility or lending decisions
  • AI used to triage or prioritise service delivery (e.g. in healthcare or social services)
  • Algorithms that set pricing or access terms based on individual profiles
  • Automated fraud detection systems that restrict account access

It's worth noting what's not covered: purely administrative automation (sending a confirmation email, generating an invoice) and decisions that have no real impact on individuals' rights, opportunities, or access to services.

Who is affected?

The obligations apply to APP entities — that is, organisations bound by the Australian Privacy Principles under the Privacy Act 1988. This includes:

  • Businesses with an annual turnover of more than $3 million
  • Health service providers (regardless of turnover)
  • Businesses that trade in personal information
  • Credit reporting bodies and credit providers
  • Contractors that provide services under a Commonwealth contract

If you're not sure whether you're an APP entity, the OAIC's guidance is a good starting point — but most businesses of any meaningful size will be covered.

What the law actually requires

APP 1 (Open and Transparent Management of Personal Information) will be amended to require APP entities to include specific information about ADM in their privacy policies. The required disclosures include:

  • That the entity uses automated decision-making
  • The types of decisions that are made using automated processes
  • The kinds of personal information used in those decisions
  • Whether the decisions are made solely by automated means or with human involvement
  • The individual's right to request meaningful information about the decision

The language doesn't need to be technical — but it does need to be accurate, specific enough to be meaningful, and easy for individuals to find.

Important: Vague language like "we may use automated tools to assist in processing your information" won't be sufficient. The disclosure needs to describe what kinds of decisions are being made and what role the automated system plays in making them.

What counts as a "significant effect"?

This is the question most businesses are wrestling with. The legislation doesn't provide an exhaustive list, but the OAIC has indicated that significant effects include decisions that affect:

  • An individual's access to services, credit, or employment
  • Their legal rights or obligations
  • Their financial situation
  • Their physical safety or health outcomes

If in doubt, err on the side of disclosure. The reputational and regulatory risk of failing to disclose material ADM use significantly outweighs the inconvenience of mentioning it.

Practical steps to take before December 2026

  1. Map your AI and automated systems. Identify every system in your business that makes or substantially influences decisions about individuals. This includes third-party tools you've licensed, not just systems you've built.
  2. Assess each system against the "significant effect" threshold. For each system, ask: could this decision meaningfully affect someone's rights, opportunities, or access to services? If yes, it's likely in scope.
  3. Document how each system works. You'll need to be able to describe the type of decision, the personal information used, and the degree of human involvement. This documentation underpins your privacy policy disclosures.
  4. Update your privacy policy. Draft the ADM disclosures and have them reviewed for accuracy and compliance before publishing.
  5. Establish a human review process. Where decisions have significant effects, put a process in place for individuals to request human review of automated decisions.
  6. Train your staff. Anyone involved in implementing or operating ADM systems needs to understand the new obligations.

What happens if you miss the deadline?

Non-compliance with the APPs can attract regulatory action from the OAIC, including investigations and determinations. For serious or repeated breaches, civil penalty provisions apply — with fines that can reach $50 million for large organisations under the serious interference provisions introduced in the 2022 Privacy Act reforms.

Beyond regulatory risk, failure to disclose ADM use undermines trust with clients and customers who increasingly expect transparency about how AI is used to make decisions that affect them.

Start now, not in November

December 2026 sounds far away. It isn't. Mapping your AI systems, assessing their significance, updating your privacy policy, and training your team takes time — particularly if you discover mid-process that some of your automated systems need to be redesigned or discontinued.

The businesses that get this right will be the ones that start the process now, not the ones that scramble in the final weeks before the deadline.
