
Privacy Act 2024 Amendments: What Changed for AI Users
Sunny
The Privacy and Other Legislation Amendment Act 2024 changed the rules for how Australian businesses handle personal information — including personal information processed by AI systems. If your business uses AI tools that touch client data, employee records, or any other personal information, the 2024 amendments are directly relevant to how you operate those tools.
What Did the Privacy Act 2024 Amendments Actually Change?
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent in December 2024. It was the most significant amendment to Australian privacy law since the 2014 reforms that introduced the Australian Privacy Principles (APPs).
The key changes that affect businesses using AI fall into four categories.
A new statutory tort for serious invasions of privacy. For the first time, Australian individuals have a direct right of action in court for serious invasions of privacy. This is separate from the OAIC complaint process. It means that if a business mishandles personal information in a way that causes serious harm, the affected individual can sue directly — without waiting for a regulator to act. The tort covers both intrusion into seclusion and misuse of private information.
Strengthened OAIC enforcement powers. The OAIC gained expanded investigation and monitoring powers, the ability to conduct public inquiries into systemic privacy issues, and the ability to issue infringement notices for specified administrative contraventions. The penalty regime was also restructured. The top-tier civil penalty for serious interferences with privacy (the greater of $50 million, three times the benefit obtained, or 30 percent of adjusted turnover) was introduced by the December 2022 enforcement amendments; the 2024 Act added mid-tier and low-tier penalties so that interferences that do not meet the "serious" threshold can still attract a civil penalty.
Automated decision-making transparency. The amendments added a requirement to APP 1, commencing two years after Royal Assent, that an entity's privacy policy state the kinds of personal information used in, and the kinds of decisions made by, computer programs that make, or substantially and directly assist in making, decisions that could reasonably be expected to significantly affect an individual's rights or interests. This squarely captures AI systems used for credit assessment, insurance underwriting, employment screening and similar decisions.
Children's privacy provisions. The amendments require the Information Commissioner to develop and register a Children's Online Privacy Code, applying to social media and other online services likely to be accessed by children, within two years of Royal Assent. Broader restrictions on targeting children were flagged for the second tranche rather than enacted in 2024.
The amendments also foreshadowed a second tranche of reforms — including a right to erasure, a right to explanation for automated decisions, and reforms to the small business exemption — that are expected to follow in subsequent legislation.
How Do the 2024 Amendments Affect Businesses Using AI Tools?
The amendments affect AI users in three ways that are practically significant.
Transparency about automated processing. If your business uses AI to make or substantially inform decisions about individuals, whether clients, employees or members of the public, you now have a concrete disclosure obligation. The automated decision-making provisions require your privacy policy to state the kinds of personal information those systems use and the kinds of decisions they make or substantially assist. An individual right to a meaningful explanation of a particular decision is part of the foreshadowed second tranche, not the 2024 Act, but the policy disclosure already forces you to know exactly where AI touches significant decisions.
For a standard productivity AI tool — drafting emails, summarising meetings — these provisions are unlikely to apply directly. For AI used in intake screening, credit or risk assessment, performance management, or eligibility decisions, they almost certainly do.
Accountability for offshore processing. The existing APP 8 (cross-border disclosure) obligation was already significant. The 2024 amendments added a mechanism for the Minister to prescribe countries and binding schemes as providing substantially similar protection, and the associated OAIC guidance tightened expectations around accountability when personal information is disclosed to overseas recipients for processing. Sending personal information to an AI vendor whose infrastructure sits in the US or EU for model inference is ordinarily a disclosure to an overseas recipient under Australian privacy law. The entity disclosing that information remains accountable for how it is handled.
The practical implication: if your AI tools process personal information offshore, you need a contractual framework that binds the recipient to Australian Privacy Principles-equivalent protections, and you need to be able to demonstrate that framework if the OAIC asks.
Mandatory data breach notification thresholds. The amendments did not substantially change the Notifiable Data Breaches scheme threshold, but the combination of increased enforcement activity and the new statutory tort means that an AI-related data breach — such as a model trained on client data producing outputs that disclose that data — now carries greater legal exposure than it did before.
What Is the New Statutory Tort and Whom Does It Apply To?
The statutory tort for serious invasions of privacy applies to any entity, corporate or individual, that invades the privacy of a natural person who had a reasonable expectation of privacy, where the invasion is one a reasonable person would regard as serious. It covers two types of invasion: intrusion into seclusion (physically intruding into someone's private space, or watching, listening to or recording their private activities) and misuse of information relating to the individual (collecting, using or disclosing it in a way that causes harm). The court must also be satisfied that the public interest in the individual's privacy outweighs any countervailing public interest, such as freedom of expression.
The entity must have intentionally or recklessly caused the invasion. Negligence alone does not satisfy the test.
For businesses using AI, the most likely exposure is in the misuse category. If an AI system processes personal client data and produces an output that reveals that data to an unintended recipient — through a hallucination, a configuration error, or a breach — and the invasion is found to be serious, the affected individual can now sue directly.
The tort provides defences including lawful authority, consent, and necessity to prevent a serious threat, and exempts journalists and their employers, enforcement bodies and intelligence agencies. It does not have a defence for "we didn't know the AI did that": deploying a system without understanding what it can disclose is the kind of conduct the recklessness limb is aimed at.
Smaller businesses under the small business exemption (under $3 million annual turnover) are currently exempt from most Privacy Act obligations. However, the second tranche of reforms is expected to remove or narrow this exemption. Businesses in that band who are building AI infrastructure now should design it to Privacy Act standards regardless — the exemption is unlikely to survive intact.
What Did the OAIC's Updated Guidance Say About AI Specifically?
The OAIC published updated guidance on AI and privacy in 2024 and 2025, reflecting both the amendments and the rapid uptake of AI tools across Australian businesses. The guidance is not legally binding, but the OAIC applies it in its own assessments and determinations, and courts and tribunals routinely consult it when interpreting the APPs.
The key points from the OAIC's AI guidance relevant to business AI users:
The OAIC confirmed that using a third-party AI tool to process personal information constitutes a disclosure under the Privacy Act, even when the information is not permanently stored by the vendor. Sending a client file to an AI API for analysis is a disclosure. The obligation to ensure APP-equivalent protections applies.
The OAIC clarified that the automated decision-making disclosure applies when AI is used to make, or substantially and directly assist in making, decisions that could reasonably be expected to significantly affect an individual's rights or interests. "Substantially assist" is a broader test than "fully automate": a human reviewing an AI-generated recommendation and acting on it does not escape the disclosure obligation if the AI recommendation was the substantive basis for the decision.
The OAIC also noted that privacy impact assessments (PIAs) should be conducted before deploying AI systems that process personal information at scale, particularly in regulated industries. This is not a new obligation — the Privacy Act has always contemplated PIAs for high-risk processing — but the guidance elevated AI deployments as a category that routinely warrants one.
Sunburnt AI holds a board advisory role with Responsible AI Australia, which has engaged directly with the OAIC's consultation processes on AI governance. The consistent position from that engagement is that the regulator's expectations are running ahead of most businesses' current practices — particularly around offshore processing accountability and automated decision documentation.
What Do These Changes Mean for Offshore-Hosted AI Tools?
This is the most commercially significant question for most Australian businesses, and the answer is straightforward.
If you are using AI tools hosted offshore — any SaaS AI product whose infrastructure sits outside Australia — and those tools process personal information about your clients, employees, or other individuals, you are making cross-border disclosures under APP 8. The 2024 amendments and the OAIC guidance have made the accountability expectations for those disclosures clearer and more enforceable.
You need three things to manage this exposure properly.
First, a contractual arrangement with the offshore vendor that requires them to handle the personal information in a way that is at least equivalent to the Australian Privacy Principles. Standard SaaS terms of service do not provide this. An enterprise data processing agreement might — but you need to check, and most businesses have not.
Second, a record of what personal information is being sent to which offshore systems and why. This is the audit trail that the OAIC would ask for in an investigation. Most businesses using a patchwork of AI tools cannot produce this record, because the tools were adopted individually and without a governance framework.
Third — and this is the structural solution — a move toward AI infrastructure that processes personal information onshore, under Australian law, with an audit log from day one. This is what Australian-hosted AI operating systems are designed to provide.
Sunny, Sunburnt AI's AIOS, runs on AWS Sydney and Google Cloud Sydney. All data processing happens on Australian infrastructure. The action log records every data access event. The contractual relationship is with an Australian company operating under Australian law. That is the compliance position — not a workaround, but a structural answer to the cross-border disclosure problem.
If you want to understand exactly where your current AI stack creates Privacy Act exposure, the Sovereign AI Trust Framework gives you the five-pillar assessment methodology. It is the starting point for mapping your obligations against your current tools.
What Steps Should Australian Businesses Take Now?
Six practical steps, in order of priority.
1. Map your AI tools against personal information flows. List every AI tool your business uses. For each one, identify: what personal information does it access or process, where is that processing done (onshore or offshore), and what contractual protections govern that processing. If you cannot complete this map, stop and complete it before doing anything else.
2. Check your privacy policy. Does your privacy policy disclose that you use AI tools to process personal information? Does it disclose cross-border transfers? Most privacy policies written before 2023 do not adequately address AI processing. Update it.
3. Conduct a privacy impact assessment for high-risk AI uses. Any AI tool used for intake screening, risk assessment, eligibility decisions, or client-facing decisions that significantly affect individuals warrants a PIA. It does not need to be elaborate — a structured analysis of the data flows, the risks, and the mitigations is sufficient.
4. Review your vendor contracts. For offshore AI tools handling personal information, check whether your contract includes data processing terms equivalent to the Australian Privacy Principles. If it does not, either negotiate terms or assess the risk of continuing to use the tool.
5. Document your automated decision-making. If AI is involved in decisions that significantly affect individuals, create a disclosure mechanism, in your privacy policy, in client-facing communications, or in your terms of service, that explains this. The APP 1 privacy-policy requirement becomes mandatory two years after Royal Assent (December 2026); getting ahead of it now is lower-friction than retrofitting it under pressure.
6. Consider your AI hosting position. If your business is in a regulated industry — law, accounting, financial advice, migration, health, NDIS — the combination of Privacy Act obligations and the sector-specific regulatory requirements makes the case for Australian-hosted AI infrastructure straightforward. The cost of offshore AI tools is not just the subscription fee. It includes the compliance exposure, the contractual overhead, and the governance debt that compounds quietly until it does not.
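The six steps above amount to a register plus a set of checks, and the register is the artefact the OAIC would ask for. As an added example (not code from the original article or from Sunburnt AI), the script below keeps that register as a CSV with one row per tool and derives the exposure flags the steps describe: APP 8 exposure for offshore processing without APP-equivalent terms, a privacy-policy gap, automated decision-making transparency, and a missing PIA for high-risk uses. The tool names, vendors and regions in the sample register are constructed, and treating only "AU" as onshore is an assumption made for the example.

```python
"""AI-tool register with Privacy Act exposure checks.

Added example, not from the original article. The CSV register below is
constructed sample data; the onshore region code is an assumption.
"""
import csv
import io
from dataclasses import dataclass

HIGH, MEDIUM, LOW = 3, 2, 1
ONSHORE = "AU"  # assumption: processing inside Australia is not an APP 8 disclosure


@dataclass
class AITool:
    name: str
    personal_info: str           # kinds of personal information touched; "" if none
    region: str                  # country code where processing happens
    app_terms: bool              # contract binds vendor to APP-equivalent handling
    significant_decisions: bool  # makes or substantially assists significant decisions
    pia_done: bool               # privacy impact assessment completed
    disclosed: bool              # privacy policy discloses this AI processing


def _yes(value):
    return value.strip().lower() in ("yes", "y", "true")


def load_register(csv_text):
    """Parse a register kept as CSV (one row per tool) into AITool records."""
    tools = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tools.append(AITool(
            name=row["tool"].strip(),
            personal_info=row["personal_info"].strip(),
            region=row["region"].strip().upper(),
            app_terms=_yes(row["app_terms"]),
            significant_decisions=_yes(row["significant_decisions"]),
            pia_done=_yes(row["pia_done"]),
            disclosed=_yes(row["disclosed"]),
        ))
    return tools


def assess(tool):
    """Return (severity, finding) pairs for one tool, worst first; [] means no flag."""
    findings = []
    if not tool.personal_info:
        return findings  # no personal information: the Privacy Act is not engaged
    if tool.region != ONSHORE:
        if tool.app_terms:
            findings.append((LOW, "APP 8: cross-border disclosure to %s; keep the "
                                  "contract and the data-flow record on file" % tool.region))
        else:
            findings.append((HIGH, "APP 8: cross-border disclosure to %s with no "
                                   "APP-equivalent terms; negotiate or stop" % tool.region))
    if not tool.disclosed:
        findings.append((MEDIUM, "APP 1: privacy policy does not disclose AI "
                                 "processing of personal information"))
    if tool.significant_decisions:
        findings.append((MEDIUM, "ADM: decisions significantly affecting individuals; "
                                 "automated decision-making transparency applies"))
        if not tool.pia_done:
            findings.append((HIGH, "PIA: high-risk use with no privacy impact assessment"))
    findings.sort(key=lambda f: -f[0])
    return findings


def triage(tools):
    """Order tools by worst finding, then by number of findings, then by name."""
    scored = [(t.name, assess(t)) for t in tools]
    scored.sort(key=lambda item: (-max([s for s, _ in item[1]], default=0),
                                  -len(item[1]), item[0]))
    return [name for name, _ in scored]


# Constructed sample register: names, vendors and regions are illustrative only.
SAMPLE_REGISTER = """tool,personal_info,region,app_terms,significant_decisions,pia_done,disclosed
Meeting summariser,client names; meeting notes,US,no,no,no,no
Intake screener,applicant details; financial history,US,yes,yes,no,yes
Email drafter,,US,no,no,no,no
Onshore assistant,client files,AU,yes,no,yes,yes
"""

if __name__ == "__main__":
    labels = {HIGH: "HIGH", MEDIUM: "MED", LOW: "LOW"}
    for tool in load_register(SAMPLE_REGISTER):
        print(tool.name)
        for sev, msg in assess(tool):
            print("  [%s] %s" % (labels[sev], msg))
    print("Priority order:", triage(load_register(SAMPLE_REGISTER)))
```

The point of the ordering is that a screening tool with a contract in place but no PIA still outranks a summariser with no contract: the page's priorities put decisions that significantly affect individuals above productivity tools, and the triage encodes that rather than counting flags alone.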
The Sovereign AI Trust Framework maps these six steps against a five-pillar compliance assessment. Download it and work through it against your current AI stack.
FAQ
Did the Privacy Act 2024 amendments apply immediately?
Most provisions of the Privacy and Other Legislation Amendment Act 2024 commenced the day after Royal Assent on 10 December 2024. The statutory tort for serious invasions of privacy commenced on 10 June 2025, six months after Royal Assent. The automated decision-making transparency requirement in APP 1 commences two years after Royal Assent, on 10 December 2026. Check the current implementation status with the OAIC or your privacy adviser if a specific commencement date matters to your situation.
Does the small business exemption still apply under the 2024 amendments?
The small business exemption (under $3 million annual turnover) was not removed by the 2024 amendments, but the government has indicated it will be addressed in the second tranche of reforms. Businesses currently exempt should not design AI infrastructure assuming the exemption will persist.
Is using ChatGPT or Copilot for client work a Privacy Act issue?
If you are inputting personal information about clients into a general-purpose AI tool — drafting client correspondence, summarising client documents, processing client data — and that tool processes the information on offshore infrastructure, it is a cross-border disclosure under APP 8. Whether it creates a Privacy Act breach depends on whether you have adequate contractual protections in place and whether the processing is otherwise appropriate under the APPs.
What is a privacy impact assessment and do I have to do one?
A PIA is a structured analysis of how a new system or process will handle personal information, what the risks are, and how they will be managed. The Privacy Act does not mandate PIAs in all cases, but the OAIC guidance strongly recommends them for AI systems processing personal information at scale or in high-risk contexts. In practice, if you deploy a significant AI system without a PIA and something goes wrong, the absence of one will be a relevant factor in any OAIC assessment.
Does the statutory tort for privacy invasion apply to businesses or just individuals?
The statutory tort can be brought against any entity, individual or corporate, that seriously invades the privacy of a natural person. It is not limited to actions by individuals. A business whose AI system misuses personal information in a way that causes serious harm to an individual is potentially liable under the tort, provided the fault element (intentional or reckless conduct) is made out.
Conclusion
The 2024 Privacy Act amendments moved the compliance bar for Australian businesses using AI. The combination of strengthened enforcement, a new direct right of action, clearer cross-border disclosure accountability, and the OAIC's elevated expectations around automated processing means that the "we'll deal with it if it becomes an issue" approach carries real legal exposure now.
The practical answer is not complexity — it is structure. Map your tools, check your contracts, document your processing, and make a clear decision about where personal information is processed and by whom.
For regulated businesses, the structural answer is Australian-hosted AI infrastructure with an audit log from day one. That is what the Sovereign AI Trust Framework is built around.
Download the Sovereign AI Trust Framework and map your current AI stack against the five compliance pillars.