Status of the AI Regulations

There are no AI technology-specific statutes or regulations in Australia.

At this stage, the fate of the previously proposed mandatory guardrails is unclear. The introduction of the Guidance for AI Adoption supersedes the VAISS which mirrored the mandatory guardrails, and this development sits alongside a view taken in some quarters – including by the Productivity Commission – that mandatory guardrails would have a general chilling effect on innovation and the economy.

It remains to be seen whether Australia will pursue technology-specific regulation at all. For now, existing laws including the laws outlined immediately below are considered technology-neutral and applicable to development, deployment and end-use of AI in Australia.

Other laws affecting AI

A non-exhaustive list of these laws affecting development, deployment and/or use of AI in Australia include:

• The Online Safety Act 2021, which includes mechanisms to address online safety issues, extended to AI-generated material⁸
• The Copyright Act 1968
• The Australian Consumer Law (ACL)⁹
• The Corporations Act 2001¹⁰
• Anti-discrimination laws

Notably, obligations arising under the Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to any personal information input into an AI system, as well as the output data generated by AI (where it contains personal information).¹¹ The Privacy and Other Legislation Amendment Act 2024 introduced an additional privacy policy disclosure obligation where: (i) automated decision making is deployed by a regulated entity and that decision could significantly affect the rights or interests of an individual; and (ii) personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.

Intellectual property laws are another key area of focus for AI regulation. There has been public debate about whether the Copyright Act should be amended to accommodate a new fair dealing exemption for text and data mining (sometimes referred to as a "TDM exemption"). The Productivity Commission and technology industry groups have been vocal in support of a TDM exemption to bolster the growth of AI locally. However, as of October 2025 the Federal Attorney General, Michelle Rowland, has ruled out introducing such a change, with the Government and the appointed Copyright and AI Reference Group continuing to review and consult on what (if any) changes should be made to existing intellectual property laws in response to AI.

Definition of “AI”

Since Australia has not enacted AI technology-specific legislation, there is no single legal definition of AI adopted or used consistently across statutes or regulations.

The Guidance for AI Adoption incorporates an OECD definition of an "AI System", being "a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment."

In recent compliance guidance materials (discussed below), the Office of the Australian Information Commissioner (OAIC) has also adopted the OECD definition referred to in the Guidance for AI Adoption.

Territorial scope

As noted above, there are no AI technology-specific statutes or regulations in Australia akin to wide-reaching legislation such as the European Union's AI Act.

The pre-existing laws outlined above are domestic legislation, but in some circumstances have extraterritorial effect, they will also have extraterritorial effect. For example,

• The Privacy Act 1988 – The Privacy Act, including the privacy policy disclosure obligations discussed above, extends to acts or practices of a regulated entity occurring outside Australia and its external territories where the entity is an organization that has a turnover of more than $3 million a year, and with an 'Australian link' (in the case of a corporation, being incorporated in Australia, or carrying on a business in Australia).
• The Online Safety Act 2021 – The Online Safety Act has extraterritorial scope, providing protections for Australian internet service users, regardless of whether the online service provider has a physical Australian presence or not.

Sectoral scope

As noted above, there are no wide-reaching AI technology-specific statutes or regulations in Australia. To date, the Government's focus has not been sector-specific, and it is expected that any AI-specific regulations will apply across all sectors of the Australian economy.

Sector-specific guidance has been issued by some federal regulators. For example:

• The OAIC oversees and enforces compliance with the Privacy Act 1988 and the Australian Privacy Principles. In October 2024 the OAIC issued the following guidelines:
  • Guidance on privacy and the use of commercially available AI products¹²
  • Guidance on privacy and developing and training generative AI models¹³
• The Australian Securities and Investments Commission (ASIC) has reinforced in recent reports and public statements that financial services and credit obligations are technology- neutral.
  • AI-specific guidance issued by ASIC includes AI governance considerations for credit providers, as set out in its October 2024 publication "Report 798: Beware the gap: Governance arrangements in the face of AI innovation"¹⁴
  • Industry-issued guidance, such as the "Director's Guide to AI Governance" published by the Australian Institute of Company Directors in 2024, may also provide assistance in the absence of legislative updates¹⁵

Compliance roles

As noted above, and in the absence of AI technology-specific regulation, an entity or individual's compliance obligations under Australian law generally continue to apply on a technology-neutral basis.

Core issues that the AI Regulations seek to address

While voluntary, the AI Ethics Principles are designed to ensure AI is "safe, secure and reliable" by: (i) achieving safer, more reliable and fairer outcomes for all Australians; (ii) reducing the risk of negative impact on those affected by AI applications; and (iii) assisting businesses and governments to practice the highest ethical standards when designing, developing and implementing AI. By implementing the AI Ethics Principles, as well as the Guidance for AI Adoption which seeks to address similar issues, businesses can begin to develop the practices needed for future AI regulatory environments.

Specific laws, including the provisions under the Online Safety Act for high-impact generative AI internet services and the disclosure obligations for automated decision-making under the Privacy Act are more targeted at certain use cases for AI technologies.

• The Online Safety Act obligations form part of a broader move to prevent the proliferation of extreme material online and require technology companies to take responsibility where this content does appear or is distributed via their platforms and services.
• The Privacy Act amendments promote a long-held objective of transparency in the collection, use and handling of personal information.

Risk categorization

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI and currently no classification of AI systems based on risk.

The Guidance for AI Adoption identifies that some AI systems carry higher risks than others, particularly general-purpose AI systems (GPAIs), developed to handle a range of tasks and flexible to potentially conduct activities not contemplated by the developer, e.g., large language models. The Guidance does not specifically delineate between high and low risk AI systems and instead creates a framework within which developers and deployers of AI can identify risks and take appropriate risk mitigation steps in the circumstances.

Key compliance requirements

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI. The voluntary AI Ethics Principles identify the following broad principles for ensuring safe, secure and reliable AI:

• Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment
• Human-centered values: AI systems should respect human rights, diversity, and the autonomy of individuals
• Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups
• Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data
• Reliability and safety: AI systems should reliably operate in accordance with their intended purpose
• Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them
• Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system
• Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled

The Guidance for AI Adoption identifies the following six practices:

1. Decide who is accountable: Establish end-to-end accountability and robust AI governance
2. Understand impacts and plan accordingly: Ensure stakeholder rights and fair treatment
3. Measure and manage risks: Implement AI specific risk management
4. Share essential information: Ensure appropriate transparency and explainability
5. Test and monitor: Ensure quality, reliability and protection through evaluation and monitoring of AI systems
6. Maintain human control: Integrate meaningful human oversight and control of AI

Regulators

There is currently no AI-specific regulator in Australia.

Existing federal regulators, including the OAIC, the eSafety Commissioner (who oversees the Online Safety Act), ASIC, and the ACCC are all very active regulators in the Australian marketplace and, as outlined above, have demonstrated a willingness to provide compliance guidance in the absence of AI technology-specific legislation.

Enforcement powers and penalties

As noted above, there is no AI technology-specific statutes or regulations in Australia.

The use, deployment or development of AI may be subject to enforcement and penalties if it breaches other, non-AI specific statutes and regulations.

For example, maximum penalties for breaches of the Privacy Act – which now includes the automated decision-making disclosure obligations outlined above – can be up to $3.3 million for an interference with privacy and $333,000 where an infringement notice is issued for a specific breach of the Australian Privacy Principles.

_{1 See the AI Ethics Principles (2019) here.
2 See the Guidance for AI Adoption here; and the Voluntary AI Safety Standard here.
3 See the Consultation discussion paper here.
4 See the Interim Response here.
5 See the Proposals Paper here.
6 See the ACCC's report "Digital platform services inquiry" (March 2025) here.
7 See Productivity Commission's report "Harnessing data and digital technology" here.
8 See the Online Safety Act 2021 here.
9 You can read Australian Competition and Consumer Commission v Trivago N.V. [2020] FCA 16 here.
10 See the Corporations Act 2001 here.
11 See the Privacy Act 1988 here.
12 See OAIC guidance on privacy and the use of commercially available AI products here.
13 See OAIC guidance on privacy and developing and training generative AI models here.
14 See ASIC's report "Beware the gap: Governance arrangements in the face of AI innovation" (October 2024) here.
15 See the Australian Institute of Company Director's guidance, "A Director's Gude to AI Governance" here.}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2025 White & Case LLP}