The Australian Privacy Commissioner’s recent activity includes: consultation on Guidance for Transparency in Automated Decision Making, updating its Chapter 3 Australian Privacy Principles guidelines on the collection of personal information by new technology, as well as the Privacy Commissioner’s recent decision in Commissioner Initiated Investigation into IRE Pty Ltd’s rental digital platform and a compensation order against American Express Australia Limited for an insider security breach.
Consultation on Guidance for Transparency in Automated Decision Making
From 10 December 2026, APP entities that use personal information in automated decision-making (ADM) with the potential to affect rights or interests will be required to provide information in their privacy policies about the kinds of personal information used and the kinds of decisions made using ADM.
Background
The Office of the Australian Information Commissioner (OAIC) has published an Automated Decision-Making Issues Paper prior to giving guidance on the automated decision-making (ADM) transparency obligation.
The Issues Paper explains that the types of ADM that require disclosure in APP entities’ privacy policies are those that meet the following criteria:
* the entity has arranged for a computer program to make, or do a thing that is substantially and directly related to making, a decision; and
* the decision could reasonably be expected to significantly affect the rights or interests of an individual; and
* personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.
The Paper observes that a wide range of technologies are likely to fall within the definition of “computer program”, including commonly-used software, apps, or word-processing tools.
The OAIC says that generative AI tools used to generate text, images, videos, code or synthesis, including chatbots, all fall within the definition of computer program for the purpose of the ADM obligation.
Regulated entities will need to assess the computer programs that they use that meet the disclosure criteria.
Updated Australian Privacy Principle 3 guidance
The OAIC has updated its guidance on APP 3 (collection of solicited personal information) to reflect recent determinations, and to include examples which apply the APP 3 principles to current technology use cases such as artificial intelligence and facial recognition technology, and current practices like data scraping, tracking pixels and data broking.
The changes to the APP 3 guidelines also clarify how proportionality is implicit in the APP 3 requirements, requiring entities to take a data minimisation approach.
Data minimisation is the practice of limiting the collection of all information, but especially personal information.
Financial institution insider security risk
The Australian Privacy Commissioner has ordered American Express Australia Limited (AMEX) to compensate a complainant following a finding of interference with their privacy by its employee.
In the determination in the matter of ‘BAM’ and American Express Australia Limited the Australian Privacy Commissioner found that AMEX interfered with the complainant’s privacy under the Privacy Act 1988 (Cth), by failing to take such steps as were reasonable in the circumstances to protect the complainant’s personal information from unauthorised access by employees, in breach of Australian Privacy Principle (APP) 11.1.
The findings discussed the issue of insider security risk within a financial institution.
The determination examined circumstances in which an AMEX employee’s authorised access to relevant systems enabled them to view a range of information about AMEX customers, including travel and hotel bookings, and financial transactions.
A former AMEX customer subsequently alleged that the employee had accessed their account and personal information for purposes outside of legitimate business purposes.
The Australian Privacy Commissioner concluded that AMEX had failed to meet its obligation under Australian Privacy Principle (APP) 11.1 to take reasonable steps to protect the information it held from unauthorised access, particularly from insider security risks.
Under the determination, for interference with the complainant’s privacy, American Express Australia Limited must:
* pay the complainant specified amounts for economic loss, for non-economic loss caused by the interference with the complainant’s privacy, and for reimbursement of expenses the complainant incurred making the complaint;
* issue a written apology to the complainant, acknowledging its interference with the complainant’s privacy, signed by a representative of AMEX with sufficient seniority;
* implement technical controls across the relevant systems, to enable AMEX to restrict its employees’ access to specific customer information, including to protect the personal information of vulnerable or high-profile customers;
* implement account-level access logging and action logging across the relevant systems to the extent these are still in operation, to create time-stamped log entries when an employee accesses or takes action on a customer’s records.
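The two technical controls in the last points above (restricting employee access to specific customer records, including extra protection for vulnerable or high-profile customers, and time-stamped logging of every access and action) are shown below as an added illustration. This is not code from the determination, from AMEX or from the OAIC; it is a hypothetical Python record store in which every employee, customer, role and record is constructed sample data, and the "restricted_access" role name is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LogEntry:
    """One time-stamped audit record for an access or action attempt, allowed or not."""
    timestamp: str
    employee_id: str
    customer_id: str
    event: str          # "read" or the name of the action attempted
    allowed: bool
    reason: str


class CustomerRecordStore:
    """Hypothetical store enforcing need-to-know access with account-level logging."""

    def __init__(self, records: Dict[str, dict], assignments: Dict[str, Set[str]],
                 employee_roles: Dict[str, Set[str]], restricted_customers: Set[str]):
        self._records = records
        self._assignments = assignments        # employee -> customers they may handle
        self._roles = employee_roles            # employee -> roles held
        self._restricted = restricted_customers # vulnerable / high-profile customers
        self.audit_log: List[LogEntry] = []

    def _decide(self, employee_id: str, customer_id: str) -> Tuple[bool, str]:
        """Authorisation decision: assignment first, then the extra role for restricted customers."""
        if customer_id not in self._records:
            return False, "unknown customer"
        if customer_id not in self._assignments.get(employee_id, set()):
            return False, "customer not assigned to employee"
        if customer_id in self._restricted and "restricted_access" not in self._roles.get(employee_id, set()):
            return False, "restricted customer requires restricted_access role"
        return True, "ok"

    def _log(self, employee_id: str, customer_id: str, event: str, allowed: bool, reason: str) -> LogEntry:
        # Every attempt is logged with a UTC timestamp, whether or not it was allowed.
        entry = LogEntry(datetime.now(timezone.utc).isoformat(), employee_id, customer_id, event, allowed, reason)
        self.audit_log.append(entry)
        return entry

    def read_record(self, employee_id: str, customer_id: str) -> Optional[dict]:
        """Return a copy of the record if the employee is authorised, else None."""
        allowed, reason = self._decide(employee_id, customer_id)
        self._log(employee_id, customer_id, "read", allowed, reason)
        return dict(self._records[customer_id]) if allowed else None

    def perform_action(self, employee_id: str, customer_id: str, action: str) -> bool:
        """Apply an action to a record only if authorised; the attempt is logged either way."""
        allowed, reason = self._decide(employee_id, customer_id)
        self._log(employee_id, customer_id, action, allowed, reason)
        if allowed:
            self._records[customer_id].setdefault("actions", []).append(action)
        return allowed

    def denied_attempts(self, employee_id: Optional[str] = None) -> List[LogEntry]:
        """Denied attempts are the first thing a reviewer looks at when screening for insider misuse."""
        return [e for e in self.audit_log
                if not e.allowed and (employee_id is None or e.employee_id == employee_id)]

    def access_counts(self) -> Dict[str, int]:
        """Allowed reads per employee, a baseline to compare against expected workload."""
        counts: Dict[str, int] = {}
        for e in self.audit_log:
            if e.allowed and e.event == "read":
                counts[e.employee_id] = counts.get(e.employee_id, 0) + 1
        return counts


def build_demo_store() -> CustomerRecordStore:
    """Constructed sample data; not drawn from any real institution."""
    records = {
        "cust-001": {"name": "Sample Customer A", "bookings": ["hotel-2026-01"]},
        "cust-002": {"name": "Sample Customer B", "bookings": []},
    }
    assignments = {"emp-1": {"cust-001"}, "emp-2": {"cust-001", "cust-002"}, "emp-3": {"cust-002"}}
    roles = {"emp-2": {"restricted_access"}}
    return CustomerRecordStore(records, assignments, roles, restricted_customers={"cust-002"})


def run_demo() -> CustomerRecordStore:
    store = build_demo_store()
    store.read_record("emp-1", "cust-001")   # allowed: assigned customer
    store.read_record("emp-1", "cust-002")   # denied: not assigned
    store.read_record("emp-3", "cust-002")   # denied: assigned, but lacks the extra role
    store.read_record("emp-2", "cust-002")   # allowed: assigned and holds restricted_access
    store.perform_action("emp-2", "cust-002", "update_address")
    return store


if __name__ == "__main__":
    demo = run_demo()
    for entry in demo.audit_log:
        print(entry)
```

The point of logging denied attempts as well as allowed ones is that a pattern of denials against unassigned or restricted customers is exactly the signal a security team needs to detect browsing of records outside legitimate business purposes, which the determination's order is designed to make visible.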
Data minimisation and dark patterns
The Privacy Commissioner’s recent decision in Commissioner Initiated Investigation into IRE Pty Ltd (Privacy) [2026] AICmr 24 considered the collection of personal information for the purpose of processing tenancy applications and the role of RentTech platforms, such as 2Apply.
The Privacy Commissioner observed that RentTech platforms are more than just a ‘middleman’ between renters and real estate agents; they directly collect and enable the collection of personal information.
This determination reinforces that the operators of RentTech and other online platforms may bear their own obligations under the Privacy Act to handle personal information in a manner consistent with the Australian Privacy Principles.
The Privacy Commissioner concluded that IRE Pty Ltd, trading as InspectRealEstate, interfered with the privacy of individuals whose personal information was collected via 2Apply between March 2020 and 18 March 2025, within the meaning of s 13(1) of the Privacy Act 1988 (Cth), by:
a. collecting personal information that is not reasonably necessary for its functions or activities, in breach of Australian Privacy Principle (APP) 3.2; and
b. collecting personal information by unfair means, in breach of APP 3.5.
The decision considers the role of ‘online choice architecture’ practices and ‘dark patterns’, which can include confirmshaming, biased framing and bundled consent.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.
