Chapter 1: Regulatory Overview
1.1 The Australian Approach to AI Regulation
Australia does not have a comprehensive, standalone AI law. As of June 2026, the country regulates artificial intelligence through a combination of voluntary ethical principles, reforms to existing legislation (particularly the Privacy Act 1988), sector-specific regulatory guidance, and consumer protection law. This approach emerged after the Australian Government explicitly abandoned its proposal for mandatory AI guardrails in December 2025, pivoting from an EU-style regulatory model to a technology-neutral stance under the National AI Plan.
The result is a regulatory environment in which AI developers and deployers must navigate multiple existing legal frameworks. Compliance obligations arise primarily from privacy law, consumer law, anti-discrimination law, work health and safety requirements, and sector-specific regulations, rather than from any single AI-focused statute.
1.2 Key Regulatory Bodies
Department of Industry, Science and Resources (DISR): The lead policy department for AI governance. Responsible for the National AI Plan, the AI Ethics Principles, and coordination of the government's overall approach to AI. Conducted the voluntary AI Ethics Principles consultation and the mandatory guardrails consultation before the December 2025 policy reversal.
Office of the Australian Information Commissioner (OAIC): The primary regulator for personal data, enforcing the Privacy Act 1988 and the Australian Privacy Principles (APPs). Has jurisdiction over AI systems that collect, use, disclose, or store personal information. The OAIC will oversee the new automated decision-making disclosure obligations under the Privacy Act amendments effective December 10, 2026.
Australian Competition and Consumer Commission (ACCC): Enforces the Competition and Consumer Act 2010 (incorporating the Australian Consumer Law). Has actively pursued enforcement actions against misleading AI claims and deceptive conduct involving AI-powered products and services. The ACCC Digital Platform Services Inquiry examines AI-related competition issues.
eSafety Commissioner: The world's first government agency dedicated to online safety. Regulates AI-generated harmful content under the Online Safety Act 2021, including deepfakes, synthetic child sexual abuse material, and AI-enabled cyber abuse. Has the power to issue removal notices and impose civil penalties.
Australian AI Safety Institute (AISI): Established under the National AI Plan and operational from early 2026. Tasked with evaluating frontier AI models, conducting safety assessments, and building technical capacity for AI risk evaluation. The AISI is modelled in part on the UK AI Safety Institute but operates within Australia's voluntary governance framework.
Australian Prudential Regulation Authority (APRA): Regulates AI use in banking, insurance, and superannuation. CPS 234 (Information Security) applies to AI systems processing financial data. Has issued guidance on operational risk management that encompasses AI-driven decision-making.
Australian Securities and Investments Commission (ASIC): Regulates AI in financial services, including robo-advice platforms, algorithmic trading, and AI-driven financial product distribution. Responsible for consumer protection in financial AI.
Therapeutic Goods Administration (TGA): Regulates AI-based medical devices under the Therapeutic Goods Act 1989, including Software as a Medical Device (SaMD).
1.3 Timeline of Key Developments
| Date | Development |
|---|---|
| 2019 | AI Ethics Framework published by Department of Industry |
| March 2024 | Voluntary AI Ethics Principles refreshed (8 principles) |
| June 2024 | Mandatory guardrails consultation paper released — proposed 10 mandatory guardrails |
| September 2024 | Public consultation on mandatory guardrails closes (over 500 submissions) |
| December 2025 | Government abandons mandatory AI guardrails in favour of technology-neutral approach |
| 2025 | National AI Plan released — emphasises innovation, adoption, and voluntary governance |
| October 2025 | AI6 Guidance for Australian Government Agencies issued (6 mandatory guardrails for Commonwealth agencies) |
| Early 2026 | Australian AI Safety Institute (AISI) becomes operational |
| September 2025 | Privacy and Other Legislation Amendment Act receives Royal Assent (APP 1.7-1.9 amendments) |
| December 10, 2026 | Privacy Act amendments effective — automated decision-making disclosure obligations commence |
1.4 Key Legislation Affecting AI
| Law | AI Relevance |
|---|---|
| Privacy Act 1988 (Cth) | Personal data processing, Australian Privacy Principles, automated decision-making disclosure (from Dec 2026) |
| Competition and Consumer Act 2010 (Cth) | Misleading AI claims, unfair practices, consumer guarantees for AI products |
| Online Safety Act 2021 (Cth) | Deepfakes, synthetic CSAM, AI-enabled online harms |
| Work Health and Safety Act 2011 (Cth + state equivalents) | AI in workplace safety, autonomous systems, psychosocial hazards |
| Racial Discrimination Act 1975 (Cth) | AI-driven racial discrimination |
| Sex Discrimination Act 1984 (Cth) | AI-driven gender discrimination |
| Disability Discrimination Act 1992 (Cth) | AI accessibility and disability discrimination |
| Age Discrimination Act 2004 (Cth) | AI-driven age-based discrimination |
| Australian Human Rights Commission Act 1986 (Cth) | Complaints mechanism for AI-related human rights violations |
| Therapeutic Goods Act 1989 (Cth) | AI as medical device (SaMD) regulation |
| Security of Critical Infrastructure Act 2018 (Cth) | AI in critical infrastructure sectors |
| Telecommunications Act 1997 (Cth) | AI in telecommunications services |
| My Health Records Act 2012 (Cth) | AI processing health records |
| Administrative Decisions (Judicial Review) Act 1977 (Cth) | Judicial review of government AI-assisted decisions |
1.5 The Mandatory Guardrails That Were Abandoned
In June 2024, the Australian Government released a consultation paper proposing 10 mandatory guardrails for AI in high-risk settings. These guardrails would have required organisations deploying AI in high-risk contexts to implement specific governance measures, including transparency, testing, human oversight, and accountability mechanisms. The proposal attracted over 500 submissions.
In December 2025, the government decided not to proceed with mandatory guardrails, citing concerns about regulatory burden, the pace of AI development, and the risk of inhibiting innovation. Instead, the National AI Plan adopted a technology-neutral approach that relies on existing laws and voluntary principles.
This decision has significant practical implications: unlike the EU (which enacted the AI Act) or Canada (which pursued the Artificial Intelligence and Data Act), Australia has no planned AI-specific legislation imposing binding obligations on AI developers or deployers. Compliance obligations arise from existing legal frameworks.
Want to monitor your AI compliance automatically? Try AIOS — your AI compliance OS. https://mmoww.net/ai/app/
Quick Decision Matrix
Use this matrix to determine your AI compliance obligations.
| Your Situation | Risk Level | Priority Action | Go To |
|---|---|---|---|
| Deploying AI that affects employment decisions | High | Impact assessment required | Chapter 3 |
| Using AI for customer-facing services | Medium-High | Transparency obligations apply | Chapter 4 |
| Internal AI tools (analytics, automation) | Medium | Document and monitor | Chapter 5 |
| AI in regulated sector (finance, health) | High | Sector-specific rules apply | Chapter 3 |
| Procuring AI from third-party vendor | Medium | Vendor due diligence needed | Chapter 5 |
| Just exploring AI for the first time | Low | Start with governance framework | Chapter 2 |
5-second answer: If your AI system makes decisions that affect people, you have compliance obligations. Start with Chapter 2 for the regulatory framework, then Chapter 3 for your specific obligations.