9 June 2026

Decisions In The Dark No More – OAIC Soon To Turn The Lights On For ADM Transparency Obligation

Herbert Smith Freehills Kramer LLP
Australia's Office of the Australian Information Commissioner is developing regulatory guidance on new automated decision-making transparency requirements under the Privacy Act.

The rapidly increasing adoption of automated decision making (ADM) in recent years – fuelled in part by the growing scale and sophistication of artificial intelligence (AI) technologies – is reshaping how organisations engage with individuals and data.

A range of amendments to the Privacy Act were passed in 2024 under the Privacy and Other Legislation Amendment Act 2024 (Cth) (tranche 1 reforms) (see more on the tranche 1 reforms here). One of the amendments introduces new Australian Privacy Principles (APPs) 1.7 to 1.9 which will require public facing privacy policies to include certain details about ADM from 10 December 2026 (ADM transparency obligation). 

The Office of the Australian Information Commissioner (OAIC) has confirmed that it intends to publish regulatory guidance on this obligation by September 2026 and, in anticipation, has released an issues paper seeking views to help inform the development of such guidance (issues paper). 

This article explores some of the key takeaways from the issues paper and what it may mean for APP-regulated entities, including how they can start preparing for the ADM transparency obligation ahead of the September guidance. 

A quick recap on ADM and the ADM transparency obligation 

Broadly, ADM refers to the use of technology to make decisions with limited or no human intervention. ADM systems range in complexity and functionality – from traditional rule-based systems (eg fixed criteria loan approval processes) to more advanced models powered by complex algorithms and AI (see more on the current legal landscape for ADM here).

In the context of the ADM transparency obligation, the kinds of ADM which entities must disclose in their privacy policy are those where:

  1. the entity has arranged for a computer program to make a decision, or do something substantially and directly related to making a decision (including refusing or failing to make a decision or do a thing);
  2. that decision could reasonably be expected to significantly affect the rights or interests of an individual (adversely or beneficially); and
  3. personal information about the individual is used in the operation of the computer program to make the decision, or do the thing that is substantially and directly related to making the decision. 

(APP 1.7)

For these kinds of ADM, organisations will need to disclose the kinds of:

  1. personal information used in ADM;
  2. decisions made solely by ADM; and
  3. decisions for which ADM does something substantially and directly related to making the decision. 

(APP 1.8)

The issues paper poses 12 targeted questions across six themes (meaning of computer program; substantially and directly related to making a decision; meaning of significantly affect rights or interests; meaning of making a decision; meaning of arranged for; extent of disclosure). Read together, they suggest the OAIC’s thinking on the ADM transparency obligation is already fairly well developed, with the consultation focused more on fine tuning certain areas.

Extent of disclosure

The objective of APP 1 is to ensure entities manage personal information openly and transparently – with APP 1.3 specifically requiring entities to maintain a clearly expressed, up to date privacy policy about how they manage personal information.

The question then is how much information must entities give individuals about ADM in their privacy policy to satisfy the ADM transparency obligation.

The issues paper suggests the OAIC considers individuals should receive effective, meaningful and accessible information about ADM – which in practical terms means information which is:

  • clearly articulated, in plain language, and easy to understand;
  • structured to enable requests for further information where required;
  • appropriately tailored – that is, sufficiently specific to be meaningful while avoiding overwhelming levels of detail;
  • organised to group similar information in a logical manner; and
  • framed in a way that allows information and decisions to be challenged or contested. 

This indicates the information given to individuals will need to be reasonably granular – sufficiently linking kinds of personal information (eg job application information) to kinds of decisions (eg job application screening). The addition of a new section to a privacy policy which broadly lists out the kinds of ADM-supported decisions which may use any of the personal information types identified generally in the policy may not be sufficient. 

Meaning of “decision”

The OAIC seeks input on the meaning of “decision” by reference to an “edge case”, whereby a job platform’s algorithm prioritises the promotion of a graduate engineering job advert to male engineering graduates (on the basis that male account holders will be best suited for the role because most engineers at the hiring company are male) – the effect being that a female engineering graduate searching for a job does not receive the job advert (thereby limiting her employment options). 

The case suggests the OAIC is open to taking a broad view of what counts as a “decision” for the purposes of the ADM transparency obligation – with the focus being not only on the final outcome, but also on intermediate steps that materially shape that outcome.

It echoes the broader approach taken in the EU case involving German credit information agency Schufa, whereby it was found that the automated calculation of a credit score based on personal data – not only the lender’s final decision to approve or deny lending – is “automated individual decision-making” under the General Data Protection Regulation (GDPR) because that score is strongly relied on in the later lending outcome. 

If a similar approach is adopted in Australia, entities may need to treat material intermediate steps, not just final outcomes, as subject to the ADM transparency obligation.

Meaning of “substantially and directly related”

While the GDPR focuses on solely automated decisions, Australia’s ADM transparency obligation extends to decisions where a computer program does something substantially and directly related to making the decision.

The issues paper proposes the following factors and asks for feedback, including ranking the factors and suggesting others:

  • degree of reliance on the ADM system output; 
  • ability and likelihood of human override over an ADM decision; 
  • nature of the output (advisory vs determinative); 
  • transparency and explainability of outputs; 
  • integration of ADM into decision-making workflow.

Meaning of “significantly affect rights or interests” 

The ADM transparency obligation applies to decisions which could reasonably be expected to significantly affect the rights or interests of an individual. An example under APP 1.9 of such a decision is one that affects an individual’s “access to a significant service or support”. 

The issues paper indicates the OAIC considers “significant services or support” may include financial assistance, healthcare, financial products, telecommunications services, essential banking and credit services, and essential utilities.

The explanatory memorandum to the tranche 1 reforms also noted that the use of computer programs to target individuals with content and advertisements may have a significant effect on an individual if it results in differential pricing for the provision of or access to significant goods or services. The issues paper explores at what point a price differential might become “significant” – including whether it turns on the percentage difference or dollar amount, or the significance of the product or service being purchased. 

Businesses are likely to seek a materiality threshold here that excludes ordinary personalisation, product recommendations and low-stakes optimisation. The OAIC, however, can be expected to resist a narrow interpretation where profiling individuals changes price, eligibility, access, ranking or visibility in a way that materially impacts a person's economic or social options.

Meaning of “arranged for” 

The ADM transparency obligation applies to entities that “arrange for” ADM. The OAIC expands on the distinction drawn in the explanatory memorandum to the tranche 1 reforms between “arranging for” and simply “operating” ADM, using the examples below to emphasise the need for entities to actively identify, assess and oversee how their third party providers use ADM.

Arranged for ADM:

  • Procurement of AI system to screen and rank job applications, leading to a decision being made on who to employ
  • Permission or direction to employees to use an AI chat tool to draft performance assessments which determine promotion decisions
  • Contracting a third party software company to automatically approve or decline refunds
  • Deployment of a case management system which automatically escalates particular complaint types

Operating ADM:

  • Development and hosting of software which automatically approves or rejects customer applications for another entity
  • Maintenance of infrastructure for a fraud detection system which automatically blocks or flags transactions for another entity

Where to from here

  1. Consider engaging with the submission process. With submissions to the issues paper closing 15 June 2026, entities should consider whether there are any practical issues they wish to raise or interpretations they wish to influence, particularly in the context of their industry or sector.
  2. Map current and planned use of ADM. Entities should work to identify and understand how they use ADM with personal information – including where carried out by their third party service providers. This should consider not only final decisions, but also material intermediate steps. Entities should consider implementing processes to identify new or changed uses of ADM going forward. These processes may include negotiating certain audit or information gathering rights in third party service provider contracts with respect to ADM.
  3. Review third party contracts. Given the breadth of "arranged for," entities should review vendor agreements to understand which third party tools may give rise to APP 1 obligations, and consider negotiating audit, information gathering and notification rights with respect to ADM.
  4. Don’t forget existing obligations. While the new ADM transparency obligation is in the limelight at the moment, mapping your entity’s ADM usage may reveal other issues. For example: unfair collection of personal information (APP 3.5), failure to notify the fact of collection (APP 5.2(b)), use for unrelated purposes (APP 6), inaccuracy (APP 10) and inadequate governance, such as privacy impact assessments (APP 1.2).
  5. Monitor OAIC guidance. Entities should look out for the OAIC’s regulatory guidance on the ADM transparency obligation and be ready to update their privacy policies accordingly.
