AIRiskAware

What Is the Privacy Act?

Australia's Privacy Act 1988 and the 13 Australian Privacy Principles govern how personal information is collected, used, and disclosed — including by AI systems.

What the Privacy Act covers

The Privacy Act 1988 is Australia's primary legislation governing personal information. It applies to Australian Government agencies and to private sector organisations with annual turnover above $3 million, plus certain smaller organisations regardless of turnover, such as health service providers, credit reporting bodies, and businesses that trade in personal information.

The 13 Australian Privacy Principles (APPs) in Schedule 1 govern the entire lifecycle of personal information — from collection through to access, correction, and disposal. For AI, the most significant APPs concern collection limits, notification, secondary use, security, and access rights.

The Australian Privacy Principles most relevant to AI

APP 1
Open and transparent management
Organisations must have a clearly expressed and up-to-date privacy policy disclosing how personal information is managed — including AI systems.
APP 3
Collection of solicited personal information
Collection is limited to information reasonably necessary for the organisation's functions. AI that collects broad data for general training must justify each category.
APP 5
Notification of collection
Individuals must be notified at or before collection (or, where that is not practicable, as soon as practicable afterwards) of what is being collected, why, and how it will be used and disclosed. AI that collects personal data must trigger this disclosure, and an interface that quietly harvests inputs for model improvement does not satisfy it.
APP 6
Use or disclosure for other purposes
Personal data collected for one purpose generally cannot be used for another — including using service delivery data to train AI models — without consent or a permitted secondary purpose.
APP 11
Security
Reasonable steps must be taken to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure, and to destroy or de-identify it once it is no longer needed. This covers the security of AI systems that process personal data, including the retention of training sets and prompt logs.
APP 12
Access to personal information
Individuals have the right to access personal information held about them, which includes personal information an AI system has generated or inferred about them. Government agencies must respond within 30 days; organisations must respond within a reasonable period, and the OAIC treats 30 days as the benchmark.

Sensitive information and biometric AI

Biometric data — facial images used for recognition, voice patterns, fingerprints — is sensitive information under the Privacy Act and attracts higher obligations. Collection of sensitive information generally requires consent, and use is more narrowly constrained. Facial recognition, voice analysis, and emotion detection AI must address this higher standard.

Enforcement and reform

The Office of the Australian Information Commissioner (OAIC) enforces the Privacy Act. It can accept complaints, conduct investigations, make determinations, and apply to the Federal Court for civil penalties. The OAIC's 2021 determination against Clearview AI, upheld by the Administrative Appeals Tribunal in 2023, confirmed that the Act reaches overseas companies that collect personal information about people in Australia, even without a local presence.

The Privacy and Other Legislation Amendment Act 2024 strengthened enforcement powers, including a tiered civil penalty regime and OAIC infringement notices. It also enacted a statutory tort for serious invasions of privacy and an obligation to disclose in privacy policies the use of automated decision-making that involves personal information, the latter on a delayed commencement. Further reforms, including stronger consent and fair-and-reasonable-use requirements, remain under consideration. Organisations deploying AI should design governance to meet these higher standards now rather than wait for each commencement date.