The Privacy Act's automated-decision rules start 10 December 2026: what Australian SMBs must do
There is a date most Australian SMBs have not put in the calendar: 10 December 2026. From that day, the Privacy Act requires businesses to be transparent about automated decision-making that significantly affects people. It is the one concrete, near-term AI-adjacent obligation on the books, and it lands whether or not you think of yourself as "using AI".
This is a practical walk-through: who is caught, the test that decides it, the two traps that catch people out, and a checklist you can start working through now. One thing up front - this is general information, not legal advice. The detail matters here, so confirm your own position with a qualified privacy lawyer.
Where this rule comes from
The obligation was created by the Privacy and Other Legislation Amendment Act 2024, which was assented to in December 2024 with a two-year transition. That transition ends on 10 December 2026. It inserts three new requirements - APP 1.7, 1.8 and 1.9 - into the Australian Privacy Principles under the Privacy Act 1988 (Cth).
It applies to APP entities. In practice that generally means businesses with more than $3 million in annual turnover, plus a range of smaller operators (for example, those that trade in personal information or handle health information). The short version: plenty of SMBs are caught, and being small is not an automatic exemption. The Office of the Australian Information Commissioner (OAIC) released an Issues Paper on 18 May 2026 and has signalled a broad reading of the new rules. Final guidance is expected around September 2026.
The three-limb test, in plain terms
Whether the rule applies to a given decision comes down to a three-limb test. All three limbs have to be met:
- (a) A computer program makes, or helps make, the decision. Your business arranged for a computer program to make a decision about an individual, or to do something substantially and directly related to making it.
- (b) The decision matters to the person. It could reasonably be expected to significantly affect their rights or interests.
- (c) Personal information is used. Personal information is used in the program’s operation.
A couple of things are worth flagging straight away. “Computer program” is read broadly by the OAIC - it can include ordinary software and apps, not just what you would call AI. And “significant effect” can be adverse or beneficial. Granting or refusing a benefit, affecting someone’s contract rights, or affecting their access to a significant service can all count, even when the outcome is in the person’s favour.
What this looks like in a real SMB
Abstract tests are hard to act on, so here are everyday examples that tend to cross the line:
- AI screening job applicants. A tool that ranks, scores or filters candidates is helping make a decision that significantly affects a person’s interests. Recruitment is squarely in scope.
- AI scoring a loan, credit or insurance decision. Anything that feeds an approval, a price, or a limit is affecting contract rights and access to a service. Classic significant-effect territory.
- AI triaging customers. A system that routes, prioritises or qualifies customers - deciding who gets a service, an offer, or escalation - can affect access to a significant service.
If software touches a decision about a person and the outcome matters to them, assume you need to look at it properly rather than assuming you are in the clear.
Trap one: a human in the loop is not a safe harbour
The most common misreading is “we are fine, a person signs off”. The OAIC has signalled that this does not get you out of the obligation if the tool materially shapes the inputs the human relies on.
Think about how these systems actually run. The model scores the applicant, ranks the file, or flags the customer, and the human approves what is in front of them. If the human is effectively rubber-stamping the machine’s output, the decision is still substantially based on the program, and you are still caught. A human review only changes the analysis if it genuinely changes outcomes - if the person has the information, the authority and the practice to overturn the tool.
This is also why the Australian rule is broader than Europe’s. The equivalent GDPR right is limited to decisions made solely by automation. Australia’s covers decisions made solely by the program and decisions substantially based on it. The “we keep a human in the loop” line does not carry the same weight here.
Trap two: it is your obligation, not the vendor’s
The second trap is assuming the AI vendor owns the compliance because it is their tool. The obligation attaches to the entity that “arranged for” the automated decision-making - that is, the business deploying the tool to make decisions about its people or customers. The vendor that merely hosts the software is not the one on the hook.
The practical consequence is that vendor due diligence matters. You are accountable for what the tool does with personal information and, broadly, for how it reaches its outputs, so you need to actually understand both before you rely on it.
The checklist
Here is the work, in order. You have until December 2026, but the mapping step always takes longer than people expect, so start now.
- Map where automated tools touch decisions about people. Walk through hiring, credit and pricing, customer triage, and anything else where software helps decide an outcome that affects an individual. Include tools you would not instinctively call AI.
- Assess which decisions cross the threshold. Run each one against the three-limb test. Flag the ones where the effect on the person is significant - this is where a privacy lawyer earns their fee.
- Update your privacy policy with the required disclosures. Under APP 1.7-1.9 you must disclose the kinds of personal information the program uses, the kinds of decisions made solely by the program, and the kinds of decisions substantially based on it. Draft the wording now and finalise it against the OAIC’s September 2026 guidance.
- Do vendor due diligence. For each third-party tool in scope, document what personal information it uses and, as far as you can, how it produces its outputs. You are responsible for it.
- Keep a human review that genuinely matters. If you rely on human oversight, make it real - give the reviewer the information, the authority and the habit to change the outcome, not just a box to tick.
Why bother getting ahead of it
Privacy is not a soft regime. The OAIC gained compliance- and infringement-notice powers in December 2024, and the Privacy Act carries a tiered civil penalty regime under which serious breaches can attract civil penalties in the tens of millions of dollars. Transparency obligations like this one are also exactly the kind of thing a regulator can check at a glance, by reading your published privacy policy.
The reassuring part: this is governance work you should be doing anyway if AI is making or shaping decisions about people in your business. Mapping where it touches customers and staff, knowing how the tools behave, and keeping oversight that is real rather than cosmetic - that is just running AI responsibly.
To be clear once more, this article is general information, not legal advice, and the OAIC’s final guidance is still landing. Confirm your specific obligations with a qualified privacy lawyer.
Where this fits
This is the practical end of AI governance, and it is what XLev’s AI strategy and governance work is built for: mapping where AI and automated tools touch decisions in your business, assessing what is in scope, getting your vendor due diligence and your policies in order, and keeping human oversight that actually counts. If you want December 2026 handled rather than hoped over, that is where to start.
Frequently asked questions
- Does the 10 December 2026 ADM rule apply to my small business?
- If you are an APP entity, yes. Most businesses with more than $3 million in annual turnover are caught, and so are some smaller ones (for example, those trading in personal information or providing health services). The obligation comes from the Privacy and Other Legislation Amendment Act 2024 and applies regardless of your size if it captures you. Check your APP-entity status with a privacy lawyer, because being small does not automatically exempt you.
- What counts as an automated decision under the Privacy Act?
- A three-limb test, and all three limbs must be met. First, your business arranged for a computer program to make a decision about a person, or to do something substantially and directly related to making it. Second, the decision could reasonably be expected to significantly affect that person's rights or interests. Third, personal information is used in the program's operation. The OAIC reads 'computer program' broadly, so ordinary software and apps can count, not just AI.
- Does having a human approve the decision exempt us?
- Not on its own. The OAIC has signalled that a human making the final call is not a safe harbour if the tool materially shapes the inputs the human relies on. If the system scores, ranks or filters people and the human mostly rubber-stamps the result, you are likely still caught. The obligation is also broader than the GDPR, which only covers solely-automated decisions. Keep a human review, but make it one that genuinely changes outcomes.
- What do we have to put in our privacy policy?
- Under the new APP 1.7-1.9, your privacy policy must disclose the kinds of personal information used by the program, the kinds of decisions made solely by the program, and the kinds of decisions substantially based on the program. This is a transparency obligation: you are telling people, in your policy, where automated decision-making touches them. Plan the wording before December 2026 and confirm it against the OAIC's final guidance, expected around September 2026.
- Is the AI vendor or my business responsible?
- Your business. The obligation attaches to the entity that arranged for the automated decision-making, not the vendor that merely hosts the tool. So if you deploy a third-party AI product to screen applicants or score customers, the disclosure duty is yours. That makes vendor due diligence important: you need to understand what the tool does with personal information and how it reaches its outputs, because you are accountable for it. Confirm your specific position with a privacy lawyer.