If you’re a business using or considering AI, there’s an important legal update you’ll want to know about—and it’s designed to make privacy compliance clearer and easier.
The Office of the Australian Information Commissioner (OAIC) has just published two new guides that explain how Australia’s existing privacy laws apply to AI, and what businesses need to do to stay on the right side of them.
Let’s break it down in plain English so it’s easy to understand—even if you’re still getting your head around AI!
What Was the Old Rule?
Before now, businesses have faced uncertainty about how privacy laws apply to AI tools—especially commercially available generative AI products that use personal information to train their models.
This created confusion about what steps to take to comply and how to select AI products that respect privacy.
There wasn’t clear guidance from regulators on how to balance innovation with privacy risks. Many organisations were left guessing if their AI usage was lawful or exposing them to privacy breaches.
What’s Changed?
The OAIC has stepped in with two new guides:
- Guide for Businesses Using AI Products: This helps businesses understand their privacy obligations when using AI tools, and offers practical tips on choosing AI products that meet privacy standards.
- Guide for AI Developers: This focuses on developers using personal information to train generative AI models, clarifying how privacy laws apply in that context.
These guides clearly articulate the OAIC’s expectations and outline what good privacy governance looks like when it comes to AI.
What Does This Mean for Your Business?
The key takeaway is that AI products shouldn’t be used just because they’re available.
Businesses must:
- Take a cautious approach, carefully assessing privacy risks
- Ensure robust privacy safeguards are in place
- Be transparent with customers about how their personal information is used in AI
- Verify that any AI-generated outputs comply with privacy laws
If you’re planning to use AI or already do, these guides give you a clear path to follow—and the OAIC is serious about enforcing compliance.
What Should You Do Now?
Here’s a quick checklist to help you stay compliant:
- Review your current or planned use of AI tools. Are you aware of what personal information they collect or process?
- Read the OAIC’s new guides to understand your obligations and best practices.
- Work with your legal or privacy team to put privacy governance measures in place—like risk assessments and data minimisation.
- Train your staff on privacy risks related to AI and how to handle data responsibly.
- Stay informed about upcoming privacy reforms, including potential new obligations on fair and reasonable use of personal information.
Key Takeaways
- Existing privacy laws apply fully to AI—there’s no special exemption just because it’s a new technology.
- The OAIC’s new guides clarify how those laws work with AI tools and development.
- Businesses must assess privacy risks and build safeguards before using AI.
- Transparency and accountability are essential to build trust and avoid penalties.
Frequently Asked Questions (FAQ)
1. Do privacy laws apply to all AI tools?
Yes. Australian privacy laws apply to any AI tool that collects, uses, or shares personal information. There are no special exceptions just because it’s AI.
2. What are the main privacy risks with AI?
Risks include accidental data leaks, using personal info without permission, AI generating incorrect or misleading results, and not being clear with customers about how their data is used.
3. How can my business comply with the new guidance?
Start by reading the OAIC’s guides, do a privacy risk check on your AI tools, protect personal data with strong security, train your staff on privacy best practices, and be transparent with your customers about AI use.
4. What happens if a business breaks the privacy rules?
The OAIC can investigate and take enforcement action, including fines. Breaking privacy rules can also harm your reputation and customer trust.
