The Compliance Clock Is Ticking
From 10 December 2026, any organisation bound by Australia’s Privacy Act must disclose its use of automated decision-making in privacy policies. That includes New Zealand entities that carry on business in Australia or handle personal information of individuals located there.
Buddle Findlay’s analysis is clear: this creates direct compliance obligations for NZ organisations operating across the Tasman, and those that fail to meet them risk being locked out of the Australian market. And NZ’s Privacy Act 2020 doesn’t address automated decision-making at all. There’s no local equivalent. No roadmap. No grace period.
What Australia’s New Rules Actually Require
The amendments sit in APP 1.7, 1.8, and 1.9 of the Australian Privacy Act. From 10 December 2026, any APP entity using a computer program and personal information to make — or substantially contribute to making — a decision that could “significantly affect” an individual’s rights or interests must describe in its privacy policy:
- The kinds of personal information used in the operation of such programs
- The kinds of decisions made solely by those programs
- The kinds of decisions for which those programs perform a step substantially and directly related to making the decision
What counts as “significantly affect”? The Australian Information Commissioner (OAIC) says it covers decisions affecting legal rights, contractual rights (like insurance policies), and access to significant services such as healthcare. Both adverse and beneficial decisions are in scope. Credit assessments, fraud detection, recruitment screening, algorithmic underwriting — all caught.
Crucially, the obligation applies regardless of when the automated arrangement was established. You can’t grandfather your way out of this.
The Extraterritorial Trap
The Australian Privacy Act has extraterritorial reach. A NZ entity that carries on business in Australia, or collects or holds personal information of individuals located in Australia, may qualify as an APP entity. If you have Australian customers or Australian employees, or process Australian data, you’re likely in scope.
The OAIC has also shifted towards proactive enforcement. It commenced its first formal compliance sweep in January 2026. Its reach is not limited to Australian-incorporated entities. Buddle Findlay’s warning is pointed: generic policy language won’t suffice. Policies must be tailored to actual systems.
NZ’s Regulatory Void
While Australia builds enforceable transparency obligations, NZ’s Privacy Act 2020 is silent on automated decision-making. Our AI regulation landscape already lagged Australia — this widens the gap considerably.
The practical implication: NZ organisations must comply with Australian law for their Australian operations, while having no domestic framework to prepare them. It’s like being asked to sit an exam you haven’t been taught for, in a subject your school doesn’t offer.
This isn’t just a compliance problem. It’s a competitiveness problem. NZ businesses that can’t demonstrate transparent AI governance may find themselves at a disadvantage in the broader Australasian market, where Australian regulators and consumers increasingly expect AI disclosure as standard.
Who’s Affected in NZ
If your NZ organisation does any of the following, you’re likely in scope:
- Uses AI or automated tools in recruitment screening for Australian-based roles
- Runs credit assessment or fraud detection platforms that process Australian personal information
- Provides algorithmic insurance underwriting or claims assessment for Australian customers
- Deploys customer service AI chatbots or triage for Australian users
- Uses AI-powered tools for access to services (healthcare, finance, government) affecting Australian residents
If you’re in that list and your privacy policy doesn’t specifically describe the AI systems making or contributing to these decisions, you have seven months to fix it.
What NZ Organisations Should Do Now
- Map your AI systems — Identify every automated tool that uses personal information to make or contribute to decisions affecting individuals
- Check your APP entity status — Determine whether you qualify as an APP entity under the Australian Privacy Act
- Audit your privacy policy — Generic language about “we may use technology” won’t cut it. You need specific descriptions of the kinds of decisions AI makes and the personal information it uses
- Prepare for enforcement — The OAIC is actively sweeping. Non-compliance after 10 December 2026 isn’t a theoretical risk
🔍 THE BOTTOM LINE
Australia’s AI disclosure law isn’t coming — it’s here, with a date certain. NZ organisations that ignore it aren’t betting on regulation being delayed; they’re betting on not being caught. With the OAIC already conducting compliance sweeps, that’s a bet with diminishing odds.
❓ Frequently Asked Questions
Q: Does this apply to NZ-only businesses? No — the obligations only apply if you qualify as an APP entity under Australia’s Privacy Act, which requires an Australian nexus (carrying on business there or handling Australian individuals’ personal information). If you operate exclusively in NZ, these specific rules don’t apply. Yet.
Q: What’s NZ doing about automated decision-making? Nothing, formally. NZ’s Privacy Act 2020 doesn’t address automated decision-making. The AI Blueprint for Aotearoa provides voluntary guidelines but has no enforcement mechanism. There’s no indication legislation is imminent.
Q: What happens if we don’t comply? The OAIC can investigate, make determinations, and seek enforceable undertakings or civil penalties. With the OAIC already conducting proactive compliance sweeps from January 2026, the enforcement trajectory is clear. Non-compliance could also result in reputational damage and loss of market access.
SOURCES
- Buddle Findlay: AI in the Machine — Australia’s new automated decision-making rules
- Australian Privacy Act 1988 (Cth), as amended by Privacy and Other Legislation Amendment Act 2024
- Office of the Australian Information Commissioner