Status of the AI Regulations

There are no AI technology-specific statutes or regulations in Australia.

It remains to be seen whether Australia will pursue technology-specific regulation at all. For now, existing laws including the laws outlined immediately below are considered technology-neutral and applicable to development, deployment and end-use of AI in Australia.

Other laws affecting AI

A non-exhaustive list of these laws affecting development, deployment and/or use of AI in Australia include:

• The Online Safety Act 2021, which includes mechanisms to address online safety issues, extended to AI-generated material⁸
• The Copyright Act 1968
• The Australian Consumer Law (ACL)⁹
• The Corporations Act 2001¹⁰
• Anti-discrimination laws

Notably, obligations arising under the Privacy Act 1988 and the Australian Privacy Principles (APPs) apply to any personal information input into an AI system, as well as the output data generated by AI (where it contains personal information).¹¹ The Privacy and Other Legislation Amendment Act 2024 introduced an additional privacy policy disclosure obligation where: (i) automated decision making is deployed by a regulated entity and that decision could significantly affect the rights or interests of an individual; and (ii) personal information about the individual is used in the operation of the computer program to make the decision or do the thing that is substantially and directly related to making the decision.

The Federal Government had also proposed the Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill, which was tabled in September 2024. This was intended to provide the Australian Communications and Media Authority (ACMA) with regulatory powers to combat online misinformation and disinformation, extending to content on digital platforms that are generated by AI. However, this Bill was later withdrawn, in part due to a lack of bipartisan support.¹²

Definition of “AI”

Since Australia has not enacted AI technology-specific legislation, there is no single legal definition of AI adopted or used consistently across statutes or regulations.

The Voluntary AI Standard does not define AI; however, it does define "safe and responsible AI" as requiring that "AI should be designed, developed, deployed and used in a way that is safe. Its use should be human-centered, trustworthy and responsible. AI systems should be developed and used in a way that provides benefits while minimizing the risk of negative impact to people, groups, and wider society."

There are presently a limited number of laws that make clear reference to AI, notably:

• The Online Safety Act 2021
• The Privacy Act 1998

In recent compliance guidance materials (discussed below), the Office of the Australian Information Commissioner (OAIC) has adopted from the OECD the following definition of AI as: "a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment."

As part of its public consultation processes, the Australian Government has sought feedback on whether it should implement a principles-based approach or a list-based approach (as adopted in the EU and Canada) to define "high-risk AI".

Territorial scope

As noted above, there are no AI technology-specific statutes or regulations in Australia akin to wide-reaching legislation such as the European Union's AI Act.

The pre-existing laws outlined above are domestic legislation, but in some circumstances have extraterritorial effect, they will also have extraterritorial effect. For example,

• The Privacy Act 1988 – The Privacy Act, including the privacy policy disclosure obligations discussed above, extends to acts or practices of a regulated entity occurring outside Australia and its external territories where the entity is an organization that has a turnover of more than $3 million a year, and with an 'Australian link' (in the case of a corporation, being incorporated in Australia, or carrying on a business in Australia).
• The Online Safety Act 2021 – The Online Safety Act has extraterritorial scope, providing protections for Australian internet service users, regardless of whether the online service provider has a physical Australian presence or not.

Sectoral scope

As noted above, there are no wide-reaching AI technology-specific statutes or regulations in Australia. To date, the focus of the Consultation, Interim Response and Proposals Paper has not been sector-specific, and it is expected that any AI-specific regulations will apply across all sectors of the Australian economy.

Sector-specific guidance has been issued by some federal regulators. For example:

• The OAIC oversees and enforces compliance with the Privacy Act 1988 and the Australian Privacy Principles. In October 2024 the OAIC issued the following guidelines:
  • Guidance on privacy and the use of commercially available AI products¹³
  • Guidance on privacy and developing and training generative AI models¹⁴
• The Australian Securities and Investments Commission (ASIC) has reinforced in recent reports and public statements that financial services and credit obligations are technology- neutral.
  • Recent AI-specific guidance issued by ASIC includes AI governance considerations for credit providers, as set out in its October 2024 publication "Report 798: Beware the gap: Governance arrangements in the face of AI innovation"¹⁵
  • Industry-issued guidance, such as the "Director's Guide to AI Governance" published by the Australian Institute of Company Directors in 2024, may also provide assistance in the absence of legislative updates¹⁶

Compliance roles

As noted above, and in the absence of AI technology-specific regulation, an entity or individual's compliance obligations under Australian law generally continue to apply on a technology-neutral basis.

AI developers and users should also note that the proposed mandatory AI guardrails impose compliance requirements on Australian organizations. These requirements include: (i) establishing internal governance protocols to ensure compliance with the guardrails; (ii) maintaining records to enable third parties to assess compliance; and (iii) undertaking conformity assessments in order to certify compliance with the guardrails.

Core issues that the AI Regulations seek to address

While voluntary, the AI Ethics Principles are designed to ensure AI is "safe, secure and reliable" by: (i) achieving safer, more reliable and fairer outcomes for all Australians; (ii) reducing the risk of negative impact on those affected by AI applications; and (iii) assisting businesses and governments to practice the highest ethical standards when designing, developing and implementing AI. By implementing the AI Ethics Principles, as well as the Voluntary AI Safety Standard which seeks to address similar issues, businesses can begin to develop the practices needed for future AI regulatory environments.

The proposed mandatory guardrails (the future of which remains unclear at this point in time) would seek to set clear regulatory expectations from the Australian Government on the safe and responsible use of AI. They focus on providing Australian businesses with: (i) greater regulatory certainty over the AI landscape; (ii) mechanisms to mitigate risks and harms associated with AI; and (iii) public trust in the development and deployment of AI in Australia in high-risk settings.

Specific laws, including the provisions under the Online Safety Act for high-impact generative AI internet services and the disclosure obligations for automated decision-making under the Privacy Act are more targeted at certain use cases for AI technologies.

• The Online Safety Act obligations form part of a broader move to prevent the proliferation of extreme material online and require technology companies to take responsibility where this content does appear or is distributed via their platforms and services.
• The Privacy Act amendments promote a long-held objective of transparency in the collection, use and handling of personal information.

Risk categorization

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI and currently no classification of AI systems based on risk.

In the Interim Response, the Australian Government indicated that it would adopt a risk-based framework to AI regulation, meaning the regulatory requirements will be commensurate to the level of risk posed by the specific use, deployment or development of AI where, for example, higher risk AI applications will likely include uses that may result in negative impacts for people that are difficult or impossible to reverse.

This risk-based framework is further reflected in the Proposals Paper, which outlines a risk-based approach for possible mandatory AI guardrails enforced in Australia. If the Government were to proceed with implementing mandatory AI guardrails, it would consider: (i) the levels of risk and key attributes of identified risks; and (ii) the balance of ex ante (preventative) and ex post (remedial) regulatory measures to successfully mitigate against identified risks.

In addition, specific risk categories were identified in the Proposals Paper:

• Category 1: This category relates to known or foreseeable uses of an AI system and risk is measured based on the context in which the AI system will be applied.
• Category 2: This category applies to advanced AI systems with unforeseeable applications and emergent risks. Risk is assessed based on the AI system's potential use – or misuse – for purposes that may cause widescale harm. By the time these risks become foreseeable, it may be too late to apply effective preventative measures.

Key compliance requirements

As noted above, there are no specific statutes or regulations in Australia that directly regulate AI. The voluntary AI Ethics Principles identify the following broad principles for ensuring safe, secure and reliable AI:

• Human, societal and environmental wellbeing: AI systems should benefit individuals, society and the environment
• Human-centered values: AI systems should respect human rights, diversity, and the autonomy of individuals
• Fairness: AI systems should be inclusive and accessible, and should not involve or result in unfair discrimination against individuals, communities or groups
• Privacy protection and security: AI systems should respect and uphold privacy rights and data protection, and ensure the security of data
• Reliability and safety: AI systems should reliably operate in accordance with their intended purpose
• Transparency and explainability: There should be transparency and responsible disclosure so people can understand when they are being significantly impacted by AI, and can find out when an AI system is engaging with them
• Contestability: When an AI system significantly impacts a person, community, group or environment, there should be a timely process to allow people to challenge the use or outcomes of the AI system
• Accountability: People responsible for the different phases of the AI system lifecycle should be identifiable and accountable for the outcomes of the AI systems, and human oversight of AI systems should be enabled

The Voluntary AI Safety Standard identifies the following principles for ensuring safe, secure and reliable AI:

• Accountability: Establish, implement and publish an accountability process that outlines governance policies and regulatory compliance strategies
• Risk Management: Establish and implement risk management processes to identify and mitigate risks that are known or foreseeable
• Data Governance: Protect AI systems by implementing data governance, privacy and cybersecurity measures to manage security vulnerabilities such as data quality and data access
• Model Testing: Test AI models and evaluate performance before placing high-risk AI systems on the market, as well as continuously monitor the system once deployed
• Human Oversight: Enable human control and intervention across AI systems to achieve meaningful human oversight
• User Information: Inform end-users on how AI is being used, particularly around AI-enabled decisions, AI interactions and AI-generated content
• Complaints Mechanism: Establish processes for people negatively impacted by high-risk AI systems to contest AI-enabled decisions or make complaints about their experience
• Transparency: Be transparent with other organizations across the AI supply chain by sharing information about data, models, and systems to effectively mitigate risks
• Record Keeping: Keep and maintain records, including technical documentation, to allow third parties to assess compliance with guardrails
• Engage stakeholders: Engage stakeholders and evaluate their needs and circumstances, with a focus on safety, diversity, inclusion and fairness

The Proposals Paper suggested transitioning from the current voluntary AI guardrails, as outlined in the Voluntary AI Safety Standard, to mandatory guardrails. If mandatory guardrails were enacted (which remains unclear at this stage) organizations developing or deploying high-risk AI systems would be required to adhere to the first nine voluntary guardrails listed above, with the tenth proposed mandatory guardrail (Conformity Assessments) differing from the tenth voluntary guiderail, emphasizing ongoing stakeholder engagement to evaluate stakeholders' needs and circumstances based on safety, diversity, inclusion and fairness.

The Proposal Paper and its mandatory guardrails have been developed based on AI regulations enforced in Canada and Europe, specifically the Artificial Intelligence and Data Act in Canada and the EU AI Act in Europe.

Regulators

There is currently no AI specific regulator in Australia.

Existing federal regulators, including the OAIC, the eSafety Commissioner (who oversees the Online Safety Act), ASIC, and the ACCC are all very active regulators in the Australian marketplace and, as outlined above, have demonstrated a willingness to provide compliance guidance in the absence of AI technology-specific legislation.

Enforcement powers and penalties

As noted above, there is no AI technology-specific statutes or regulations in Australia.

The use, deployment or development of AI may be subject to enforcement and penalties if it breaches other, non-AI specific statutes and regulations.

For example, maximum penalties for breaches of the Privacy Act – which now includes the automated decision-making disclosure obligations outlined above – can be up to $3.3 million for an interference with privacy and $333,000 where an infringement notice is issued for a specific breach of the Australian Privacy Principles.

1 See the AI Ethics Principles (2019) here.
2 See the Voluntary AI Safety Standard here.
3 See the Consultation discussion paper here.
4 See the Interim Response here.
5 See the Proposals Paper here.
6 See the ACCC's report "Digital platform services inquiry" (March 2025) here.
7 See Productivity Commission's report "Harnessing data and digital technology" here.
8 See the Online Safety Act 2021 here.
9 You can read Australian Competition and Consumer Commission v Trivago N.V. [2020] FCA 16 here.
10 See the Corporations Act 2001 here.
11 See the Privacy Act 1988 here.
12 See the press release for the Communications Legislation Amendment (Combatting Misinformation and Disinformation) Bill 2024 here.
13 See OAIC guidance on privacy and the use of commercially available AI products here.
14 See OAIC guidance on privacy and developing and training generative AI models here.
15 See ASIC's report "Beware the gap: Governance arrangements in the face of AI innovation" (October 2024) here.
16 See the Australian Institute of Company Director's guidance, "A Director's Gude to AI Governance" here.

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2025 White & Case LLP}