Australia’s New Rules on Automated Decision-Making

Business Law: 23 June 2026

Author: Leisa Bayston - Our People

If you’ve ever been rejected for a loan you were sure you’d get, had your insurance premium spike for no apparent reason, or watched a perfectly good job application vanish into the etherthere’s a decent chance a computer made that call. Welcome to the world of Automated Decision-Making (ADM)

ADM is exactly what it sounds like: computer programs making decisions, or doing the heavy lifting behind decisions that affect real people. Credit scoring algorithms, resume-screening bots, insurance pricing engines, welfare eligibility checks, even the content your social media feed serves up. It’s everywhere, it’s accelerating, and until recently, Australian law had very little to say about it.

That’s changing fast.

The Cautionary Tale We Couldn’t Ignore

You can’t talk about automated decision-making in Australia without talking about Robodebt. Introduced in 2015 to claw back supposed overpayments to welfare recipients, the scheme used a brutally simple algorithm that averaged annual income data across each fortnight to calculate what people “should” have received. The problem? That’s no way to work out what a casual worker actually earned in any given pay period. Anyone who’s done shift work or freelanced knows your income can swing wildly from one fortnight to the next.

The consequences were catastrophic. Over 470,000 Australians received incorrect debt notices. The government attempted to recover $2.3 billion, much of it based on debts that simply didn’t exist. The system flipped the burden of proof onto some of the most vulnerable people in the country, stripping away access to case officers and ignoring individual circumstances.

The Federal Court declared the scheme unlawful in 2019, and the subsequent Royal Commission was scathing referring multiple individuals for potential civil or criminal investigation and condemning the “corrosive moral logic” baked into the system. The algorithm wasn’t sophisticated. Its harms were entirely foreseeable. And that’s precisely what makes it such a powerful warning.

Algorithms in the Private Sector: The Trivago Lesson

It’s not just government. The ACCC has been turning its attention to how private businesses use algorithms too. In a landmark case, Trivago was hit with a $44.7 million fine in 2022 after the Federal Court found its algorithm didn’t actually show consumers the cheapest hotel deals despite years of advertising exactly that. Instead, the algorithm gave prominence to whichever booking site paid Trivago the highest click fee. Higher-priced rooms were pushed to the top in nearly 67% of listings.

The message from the ACCC was clear: if your algorithm makes decisions that affect consumers, you’d better be able to explain how it works and it had better match what you’re promising. That enforcement action is widely seen as a warm-up for the more comprehensive rules now heading our way.

So, What’s Actually Changing?

The Privacy and Other Legislation Amendment Act 2024 (POLA) passed in December 2024 and introduced new Australian Privacy Principles specifically targeting ADM. The ADM-related provisions come into force on 10 December 2026 giving organisations a two-year runway to get their house in order.

The new rules (APP 1.7–1.9) apply when a computer program is used to make a decision, or do something substantially related to making a decision, that could significantly affect someone’s rights or interests and personal information is involved. If that’s you, your privacy policy will need to spell out what kinds of personal information your systems use, what decisions are made entirely by computers, and what decisions involve computer-assisted actions.

If this sounds familiar, it should. The approach draws on principles from Europe’s GDPR, which has required transparency around automated decision-making for years. Australia’s Privacy Commissioner has signalled the country’s privacy framework is moving closer to the European model though a distinctly Australian “fair and reasonable” test may feature in future reform tranches.

The penalties for getting it wrong are serious. Non-compliance can attract fines of $62,600 per offence, and for serious interference with privacy, penalties can reach the greater of $50 million, three times the benefit obtained, or 30% of annual turnover. And because privacy policies are public documents, the OAIC can proactively check your compliance without telling you.

What This Means for Your Business

The good news? Well-designed automated systems genuinely help businesses make consistent, efficient decisions. Nobody’s saying you have to throw out your algorithms. The point is transparency and accountability making sure people know when a computer is calling the shots on matters that affect their lives, and that there’s a path to human review when things go sideways.

Practically, this means auditing your systems to identify where ADM is happening, mapping the personal information flowing through those systems, updating your privacy policy, and building in processes for human oversight. If your organisation doesn’t maintain a detailed register of its IT systems and data flows, now is the time to start. December 2026 is closer than it looks.

One more thing worth knowing: the OAIC has flagged that it will publish detailed guidance on the new APP 1 automated decision-making obligations during 2026. High-level updates to the APP Guidelines were made in late 2025, but more specific guidance is on the way. That’s good news for organisations working through compliance but it also means the landscape will continue to evolve before December arrives. Staying across those updates will matter.

What Should You Do Now?

Start by asking a simple question: does our business use any automated or semi-automated process that makes decisions affecting individuals credit, insurance, hiring, pricing, eligibility? If yes, December 2026 is relevant to you. Audit your systems, map your data flows, and get your privacy policy updated. If you’re not sure where to start, that’s worth a conversation.

Please note: The information in this article is provided for general information purposes only and does not constitute legal advice. It is not intended to be comprehensive or to apply to any specific circumstances. You should seek independent legal advice before acting on any information contained in this article.