AI In The Machine

Artificial intelligence (AI) and automated tools are now deeply embedded in how organisations operate, from recruitment screening and credit assessments to fraud detection and customer service triage.  For New Zealand organisations that hold or handle the personal information of individuals in Australia, a significant compliance obligation is approaching.  From 10 December 2026, amendments to the Privacy Act 1988 (Cth) introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) will require organisations and agencies bound by the Australian Privacy Principles (APP) under that Act (APP entity) to disclose, in their privacy policies, the use of computer programs that rely on personal information to make or support decisions that could significantly affect an individual's rights or interests.

New Zealand's Privacy Act 2020 (Privacy Act) does not address automated decision-making, creating a compliance gap that New Zealand organisations with an Australian nexus cannot afford to overlook.

Australia's new transparency obligations

The new obligations sit in APP 1.7, 1.8 and 1.9.  From 10 December 2026, an APP entity that uses a computer program and personal information to make, or do something substantially and directly related to making, a decision that could reasonably be expected to significantly affect an individual's rights or interests must disclose this in its privacy policy.

The policy must describe: 

  • The kinds of personal information used in the operation of such programs
  • The kinds of decisions made solely by those programs
  • The kinds of decisions for which those programs perform a step substantially and directly related to making the decision.

The obligation applies regardless of when the automated arrangement was established.  Critically, the Australian Privacy Act has extraterritorial reach.  A New Zealand entity that carries on business in Australia, or collects or holds personal information of individuals located in Australia, may qualify as an APP entity and be subject to these requirements.

The term "significantly affect" is broad.  The Office of the Australian Information Commissioner (OAIC) has indicated it covers decisions that affect an individual's legal rights (for example, entitlement to a benefit or access to a service), their rights under a contract or agreement (such as a life insurance policy), or their access to significant services or support such as healthcare.  Both adverse and beneficial decisions are within scope.  The threshold question is whether the computer program makes, or plays a substantial and direct part in making, the decision, not merely whether it processes data.

Practical examples include AI-enabled credit assessment or fraud detection platforms, rule-based underwriting systems, and algorithmic tools determining access to services.  Generic policy language is unlikely to suffice.  Policies must be tailored to an organisation's actual systems.  New Zealand organisations should note that the OAIC has shifted towards proactive enforcement of privacy policy obligations, commencing its first formal compliance sweep in January 2026, and its reach is not limited to Australian-incorporated entities.

New Zealand:  A gap in our privacy laws?

New Zealand currently has no equivalent to APP 1.7.  The New Zealand Privacy Commissioner has identified automated decision-making as a priority reform area since 2023, noting the risks of bias and the need to align with international practice.  However, no legislative change addressing this has been introduced, and there is no strict obligation under the Privacy Act to disclose the use of automated decision-making tools in a privacy policy or elsewhere.  The absence of a New Zealand transparency requirement means that organisations relying solely on their domestic compliance will fall short of what Australia demands.

For New Zealand organisations operating in or across the Australian market, the practical consequence is clear: compliance with APP 1.7 in Australia is a standalone obligation that must be addressed on its own terms.  It cannot currently be satisfied by compliance with New Zealand's Privacy Act.

What New Zealand organisations should do now

For in-house legal teams and privacy officers at New Zealand organisations with Australian operations or exposure, we recommend the following practical steps:

  • Map your automated systems and Australian nexus:  Determine whether your organisation qualifies as an APP entity by reason of carrying on business in Australia or holding personal information of individuals located in Australia.  If you are an APP entity, identify all computer programs, AI tools and rule-based platforms that use personal information to make or inform decisions that could significantly affect individuals' rights or interests.
  • Review your privacy policy:  If your organisation is or may be an APP entity, ensure you maintain a privacy policy that specifically addresses automated decision-making.
  • Audit your vendor arrangements:  Even where the automated tool is provided by a third-party vendor, the APP entity remains responsible for compliance.  Review vendor contracts to understand how their systems operate and ensure you can accurately describe their operation in your policy.
  • Act now:  With 10 December 2026 approaching, privacy policy updates, governance reviews and vendor audits all take time.  The OAIC's compliance sweep demonstrates that enforcement is not theoretical.