AI · 25 May 2026

From December 2026, You Have to Explain Your AI's Decisions

AI is already making decisions about people inside your business. Whose CV gets read. Who gets offered payment terms. Which applicant makes the shortlist. Which claim gets flagged. You might not think of these as decisions a machine is making. The software does.

From 10 December 2026, Australian law starts treating them exactly like that.

Most business owners I talk to assume this is a problem for the big banks and the insurers. It isn't only theirs. If you use AI, or software with AI quietly baked into it, to help decide something that materially affects a person, you are walking into scope. And the clock is already running.

What Actually Changes On 10 December

The Privacy and Other Legislation Amendment Act 2024 added a set of new obligations to the Privacy Act. The one that matters here lands on 10 December 2026.

From that date, if your business uses personal information in decisions made wholly or substantially by a computer program, and those decisions could significantly affect someone's rights or interests, you have to say so. In your privacy policy. In plain terms.

That means spelling out two things. The kinds of personal information your automated systems use. And the kinds of significant decisions those systems make or heavily shape.

“Significant” is the word doing the work. The law is aimed at decisions with a legal or similarly serious effect on a person. Hiring and firing. Credit and finance. Insurance. Housing. Access to a service someone depends on. If your AI is helping sort any of that, the new rules have your name on them.

You're Probably Closer To This Than You Think

Most businesses didn't decide to start making automated decisions. It happened quietly, one tool at a time.

The recruitment platform that ranks candidates before a human sees the list. The accounting add-on that scores customers for payment terms. The rostering tool that decides who works when. The claims software that flags applications. Half the time nobody in the business could tell you there's a model in there at all.

I've written before about shadow AI, the tools your team adopts without telling anyone. This is the same problem wearing a suit. You can't disclose a decision you don't know you're making.

So the first job here isn't legal. It's investigative. You have to find out where AI is already touching decisions about people in your business, before you can do anything sensible about it.

The Part Almost Everyone Gets Wrong

The obligation is yours. Not your software vendor's.

You cannot buy a tool, let it make decisions about your customers, and then point at the vendor when someone asks how it works. The law puts the duty on the business using the system. You can't contract your way out of it.

This is exactly where renting your AI starts to cost you. When you rent a closed model you can't see into, and that model helps decide who gets a loan or a job, you've taken on a duty to explain something you were never given the tools to explain. That's an uncomfortable place to be with a regulator on the other side of the table. It's the same argument I made in the piece on renting versus owning your AI, and this deadline gives it teeth.

This Is A Human-In-The-Loop Law

Strip away the legal language and the reforms are saying something I've been telling clients for two years. A human has to be able to stand behind the decision.

AI output is probability, not truth. It's a confident guess shaped by patterns in data. That's fine when it's drafting an email. It's a different matter when it's deciding who gets hired or whose application gets knocked back. The law is catching up to the principle. If a machine influenced a decision that matters to someone's life, a person in your business needs to understand it well enough to explain it, and ideally to overrule it.

Human in the loop stops being a nice idea and becomes the thing that keeps you on the right side of the line.

What To Actually Do Before December

You've got roughly six months. That's enough to do this properly, and not a lot more. Here's where I'd start.

  • Build an AI register. List every tool in the business that uses AI, including the ones bolted onto software you already pay for. For each one, note what it does and whether it touches a decision about a person.
  • Map the decisions that matter. Out of that list, mark every place AI helps decide something with a real effect on someone. Hiring, credit, pricing, eligibility, performance. Those are your priority. The rest can wait.
  • Put a human on the loop on purpose. For each significant decision, name who reviews the AI's contribution and who can override it. Write it down. Make it real, not assumed.
  • Fix the privacy policy with proper advice. The disclosure itself is a legal document. Get a lawyer to draft the wording. Your job is to hand them an accurate picture of what your AI actually does, which is the part only you can do.
  • Lean on your vendors. Ask every supplier whether they can explain, in human terms, how their model reaches a decision. The ones who can't are telling you something worth listening to.

If you've already got an AI policy, this slots straight into it. If you haven't, this deadline is as good a reason as any to finally write one.

Treat The Deadline As A Gift

I know how that sounds. A compliance deadline as a gift.

Most businesses never get around to mapping how AI actually flows through their operation. It's never urgent, until it is. This makes it urgent, with a date attached. So use it.

The work you do to get ready for December is the same work that makes your AI use safer and a lot easier to defend. You come out of it knowing what tools you run, where your data goes, and who's accountable for what. That's just running a business that understands its own machinery, which is worth doing regardless of any deadline. It also happens to be how you start building real AI capability instead of just accumulating tools.

I would massively challenge any leader reading this to treat the December deadline as the prompt to get their AI house in order now, rather than a box to tick in a panic come November.

The Cost Of Leaving It

The penalties get the headlines. Serious breaches of the Privacy Act can reach the greater of $50 million, three times any benefit gained, or 30% of adjusted turnover. Real numbers, and not the kind most businesses can absorb.

Forget the fine for a moment though. The thing that should actually worry you is being asked, by a customer or a regulator or your own board, how a decision got made, and having no answer. That's a trust problem, and trust takes a lot longer to rebuild than a balance sheet.

None of this is legal advice. I'm a strategist, not a lawyer, and the specifics of your obligations depend on your business, so get proper advice on the wording. What I can tell you is that the operational work, the knowing-what-your-AI-actually-does work, is the part most businesses are dangerously behind on. And that part is mine to help with, not your lawyer's.

If you want help working out where AI is already making decisions in your business, and what to do about it before December, that's the heart of what I do through AI consulting and structured business coaching. If you'd rather start by getting a quick read on where you stand, the quiz will point you at your sharpest first move in a few minutes.

Frequently Asked Questions

When do Australia's automated decision-making rules start?

10 December 2026. From that date, the new Australian Privacy Principle obligations require businesses covered by the Privacy Act to disclose, in their privacy policy, the kinds of personal information their automated systems use and the kinds of significant decisions those systems make. The amending Act passed in 2024, with a delayed start date to give organisations time to prepare.

Does this apply to small businesses?

It applies to APP entities, a category that already covers most medium and larger organisations. The long-standing small business exemption is under active review as part of the next round of privacy reforms, so smaller businesses shouldn't assume they are permanently out of scope. If you handle health information, trade in personal information, or provide services to government, you may already be covered regardless of size. Worth checking rather than assuming.

What counts as a significant automated decision?

A decision made wholly or substantially by a computer program that has a legal or similarly significant effect on a person. In practice that means things like hiring and performance decisions, credit and finance, insurance, housing, and access to essential services. A chatbot answering a general question isn't in scope. A system that decides who gets shortlisted for a job almost certainly is.

Is my AI software vendor responsible for compliance?

No. The obligation sits with the business using the system, not the company that built it, and you can't contract it away. That is why it matters whether your vendors can actually explain how their models reach a decision. If they can't, you have inherited a problem you can't see into.

What's the first thing I should do to get ready?

Build an AI register. Before anything legal, you need an honest list of every AI tool in your business, including the ones built into software you already pay for, and which of them touch decisions about people. You can't disclose, or govern, what you haven't mapped. The privacy policy wording comes after, with a lawyer's help.

Josh Horneman is a business coach and AI consultant based in Perth, Western Australia. He works with business owners and leaders across Australia and globally through one-on-one consulting, the HOWLL platform, and structured coaching engagements.
