In a landmark move, the Office of the Australian Information Commissioner (OAIC) has released new guidance on privacy and artificial intelligence (AI), signalling a clear intent to set specific expectations for the use and handling of personal information in the context of AI. 

The New Guidance: Two for the Price of One

The OAIC has published two key guides:

  1. a guide for businesses using commercially available AI products; and
  2. a guide for developers using personal information to train generative AI models.

These guides are designed to provide clarity about how the Privacy Act applies to AI and make compliance easier for entities subject to the Act. They set out the OAIC’s expectations for AI governance and privacy safeguards, emphasising a cautious approach and thorough risk assessment when implementing AI technologies.

Implications for Businesses

Many businesses may need to reassess and uplift their existing AI practices in light of this new guidance. Key areas to focus on include:

  1. Data Collection and Use: Ensuring that personal information collected for AI systems is necessary and proportionate.
  2. Transparency: Providing clear information to individuals about how their data is used in AI systems.
  3. Risk Assessment: Implementing robust processes for assessing privacy risks associated with AI technologies.
  4. Governance Structures: Establishing clear accountability and oversight mechanisms for AI systems.

Businesses face several challenges in aligning with the new guidance:

  1. Technical Complexity: Understanding the intricacies of AI systems and their privacy implications.
  2. Resource Allocation: Dedicating sufficient resources to privacy compliance in AI projects.
  3. Balancing Innovation and Compliance: Maintaining a competitive edge while adhering to stringent privacy standards.

The Privacy Act 1988 remains the cornerstone of privacy regulation in Australia. While technology-neutral, its principles apply to AI systems that handle personal information. Key aspects include:

  1. Australian Privacy Principles (APPs): These govern the collection, use, and disclosure of personal information.
  2. Notifiable Data Breaches Scheme: Requires organisations to notify individuals and the OAIC of eligible data breaches.

The new guidance applies these existing frameworks in AI contexts, suggesting consideration of the following issues:

  • Has a privacy by design approach been taken? Has a privacy impact assessment been conducted? (APP 1.2)
  • Are appropriate policies, processes, training and audits/reviews in place? (APP 1.2)
  • Is de-identification or other data minimisation appropriate? (APP 2, 3, 6)
  • Where AI systems are used to generate or infer personal information, including images, this is a collection of personal information. (APP 3)
  • Whether consent has been obtained for sensitive information, or the information has been deleted or de-identified, unless an exception applies. (APP 3, 4)
  • Whether collection of personal information is lawful and fair. (APP 3.5)
  • Whether data scraping or other collection of personal information from a third party is reasonable, and what assurances have been sought from the third party. (APP 3.6)
  • Privacy policies and notices may have to be updated and communicated to reflect handling of personal information in AI systems. (APP 1, 5)
  • Whether consent to use and disclose personal information is needed if the use and disclosure for the AI purpose (including to train a third party AI model, if applicable) is not for the primary purpose for which the information was collected, and is not for a related purpose which the individual would reasonably expect. Whether an opt-out approach is sufficient. (APP 6)
  • How to meet cross-border disclosure obligations where data is input into AI systems overseas. (APP 8)
  • Will input and output data be sufficiently accurate, current, complete and relevant for the purposes? This may involve impact assessment, testing, disclaimers, data updating, human oversight and content tagging (e.g. watermarks). (APP 10)
  • Security controls for the personal information, including assessment of vendor security. (APP 11.1)
  • When personal information should be destroyed or de-identified. (APP 11.2)
  • What happens if consent is withdrawn. (APP 3, 6, 8, 11.2)
  • How to enable individual requests for access to and correction of their personal information. (APP 1.2, 12, 13)

Implications for Different Types of GenAI Models

Key Takeaways for Businesses

Proactive Compliance

Don't wait for enforcement actions; start aligning with the guidance now.

Privacy by Design

Integrate privacy considerations from the outset of AI projects.

Regular Audits

Conduct privacy impact assessments of AI systems.

Staff Training

Ensure relevant personnel understand the privacy implications of AI.

Documentation

Maintain comprehensive records of AI-related privacy decisions and assessments.

Looking Ahead: The Future of AI Regulation in Australia

The OAIC’s guidance is part of a rapidly evolving AI regulatory environment in Australia. As well as the consultation on mandatory guardrails for high-risk AI and the review into whether the Australian Consumer Law remains suitable for AI, we have recently had further developments in the ongoing Privacy Act Review.  

The Australian Government has now decided to split its implementation of the reforms proposed in the Attorney-General’s Department Privacy Act Review Report 2022 (A-G Privacy Report) into two tranches.

The first tranche came last month in the form of the Privacy and Other Legislation Amendment Bill 2024 (see previous update). If passed, key impacts for AI include:

  1. Automated decisions: Enhanced transparency will be required in privacy policies where personal information is used for automated decision-making that may significantly affect the rights or interests of an individual. This will include identifying the types of personal information used, the decisions it is used for and whether those decisions are wholly or substantially automated.
  2. Children’s privacy: The OAIC will be required to develop a new binding Children’s Online Privacy Code. The Bill does not specify what the content of the Code should cover, but this could include AI.
  3. Inquiries and codes: The Attorney-General will be able to direct the OAIC to conduct public inquiries and develop binding APP Codes in the public interest. Emerging technology is one area where these powers are anticipated to be used. The Attorney-General may consider it appropriate to direct the development of an APP Code in an area where OAIC guidance is not seen to be having sufficient influence.
  4. Increased enforcement: The OAIC may take a more active role in enforcing privacy compliance in AI contexts, with a higher volume of enforcement anticipated with the introduction of a tiered and more flexible penalty regime.
  5. Statutory tort for serious invasions of privacy: A new tort will give individuals a direct right to sue for certain serious invasions of privacy. While the invasion of privacy will need to be intentional or reckless, amongst other things, there could be circumstances in which this could apply to an AI-related privacy breach.

Tranche 2 is expected to bring an even broader set of reforms. The Attorney-General has stated that his Department intends to prepare draft legislation for Tranche 2 in the coming months, for consultation with stakeholders. Proposals from the A-G Privacy Report yet to be addressed which may also impact the use of personal information in relation to AI include:

  • extending the definition of ‘personal information’ from ‘about an individual’ to ‘relates to an individual’;
  • new controls around ‘targeting’ individuals and ‘trading in’ personal information;
  • removing or reducing the employee records and small business exemptions;
  • a direct right of action to sue for Privacy Act breaches, separate from the statutory tort described above;
  • a requirement for all use and disclosure of personal information to be fair and reasonable, irrespective of consent;
  • transparency and risk assessment requirements for high privacy risk activities;
  • expanded individual rights, including a right to request erasure of personal information;
  • additional matters relating to automated decisions; and
  • inclusion of a definition of consent requiring it to be voluntary, informed, current, specific and unambiguous.

See our article here on Navigating Australian Privacy Reform.

Conclusion: Embracing Responsible AI

The OAIC’s new guidance marks a significant step towards ensuring responsible AI use in Australia. While it presents challenges, it also offers an opportunity for businesses to build trust with consumers and gain (or retain) a competitive advantage through robust privacy practices.

As the AI landscape continues to evolve, staying informed and adaptable will be key. Businesses that proactively embrace these privacy principles in their AI strategies will be better positioned to navigate the complex intersection of innovation and regulation in the years to come.

By taking a thoughtful, privacy-centric approach to AI implementation, businesses can harness the power of these transformative technologies while maintaining the trust and confidence of their customers and stakeholders.


Key contacts

  • Julian Lincoln, Partner, Head of TMT & Digital Australia, Melbourne
  • Katherine Gregor, Partner, Melbourne
  • Peter Jones, Partner, Sydney
  • Kwok Tang, Partner, Sydney
  • Kaman Tsoi, Special Counsel, Melbourne
