Notes from the Asia-Pacific region: Australia kicks AI governance, digital responsibility into high gear

As the public indicates its declining trust in AI-related technologies, the Office of the Australian Information Commissioner is crafting guidance to support transparency in automated decision making, updating guidance on privacy obligations under the Anti-Money Laundering and Counter-Terrorism Financing framework, and more.

Contributors:
Adam Ford
Managing Director, Australia New Zealand
IAPP
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
The past few months have felt like Australia's privacy, artificial intelligence governance and digital responsibility ecosystem has shifted into high gear.
Several significant moves from the Office of the Australian Information Commissioner have addressed key issues. The release of the OAIC's 2026 Australian Community Attitudes to Privacy Survey highlights a significant escalation in public concern, with a substantial majority of Australians reporting heightened sensitivity to how their personal information is collected and used.
At the same time, the public's trust in AI-related technologies has fallen to notably low levels. This combination of rising concern and declining trust reflects a growing disconnect between organizational data practices and community expectations. While individuals remain willing to engage with digital services, this willingness is increasingly conditional on organizations demonstrating transparency, fairness and clear purpose in their use of data. As a result, trust is becoming a critical enabler of digital engagement, and organizations that fail to address this risk face reduced adoption of services and heightened reputational exposure.
In parallel, the OAIC initiated consultation on new guidance to support transparency in automated decision-making (ADM), reflecting the increasing use of AI and data-driven systems across industries. Legislative reforms will introduce a formal obligation from December 2026 requiring organizations to disclose how personal information is used in automated or partially automated decisions that may significantly impact individuals.
Importantly, the scope of ADM is expected to extend beyond fully automated outcomes to include decision-support tools where technology plays a material role in shaping decisions. This indicates that many organizations will need to reassess their current use of analytics, AI and process automation technologies to ensure compliance. Enhanced transparency will be required not only in privacy policies but also in how organizations communicate with customers about the role of technology in decision-making processes.
Further regulatory developments are evident in the OAIC's updated guidance on privacy obligations under the Anti-Money Laundering and Counter-Terrorism Financing framework. As reforms expand the regime to include additional sectors such as real estate, legal services and accounting, a broader range of entities will now be required to comply with the Privacy Act when handling personal information. The guidance reinforces that while organizations are permitted to collect and use personal data to meet AML/CTF obligations, this must be balanced against strict privacy principles, particularly the requirement to limit collection to what is reasonably necessary.
Data minimization is a central theme of the updated guidance, with a clear expectation that organizations should avoid retaining unnecessary information, including full copies of identification documents, unless explicitly required. This reflects a broader regulatory focus on reducing the risks associated with excessive data retention and strengthening safeguards around sensitive information.
The OAIC's enforcement activity also provides important insight into regulatory expectations. The recent investigation into Property Lovers and the fastproperty.ai platform demonstrates the regulator's ongoing commitment to monitoring compliance and enforcing prior determinations. While the OAIC ultimately found the platform did not breach the Privacy Act during the period under review, the investigation followed earlier findings of unlawful data scraping practices, highlighting the seriousness with which such conduct is treated.
Notably, the regulator identified potential concerns beyond the scope of privacy law and referred these to other authorities, underscoring the increasing overlap between privacy regulation and broader consumer protection frameworks. This case illustrates that even where organizations are technically compliant with privacy requirements, they may still face regulatory scrutiny if their practices raise concerns about consumer harm.
These developments indicate a maturing regulatory environment in which transparency, accountability and responsible data handling are becoming central expectations. Organizations must not only ensure compliance with evolving legal requirements but also proactively build trust with customers through clear communication and robust governance practices. Strengthening privacy frameworks, enhancing transparency around AI and automated decision-making, and adopting disciplined data minimization approaches will be critical to navigating this increasingly complex landscape.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.




