
The 2026 Australian AI compliance landscape: ACCC, OAIC, ASIC, APRA, AHPRA, TGA

A regulator-by-regulator look at where AI sits under Australian law in 2026: Privacy Act, Consumer Law, AHPRA + TGA for health, ASIC + APRA for financial, ACMA for advertising. What you actually need to do.

In short

In May 2026, Australia has no single AI Act. AI sits under existing frameworks: the Privacy Act 1988 (OAIC), Australian Consumer Law (ACCC), and sector-specific regulators (ASIC, APRA, AHPRA, TGA, ACMA). Most Australian SMBs need to: (1) get client consent for AI processing, (2) use paid-tier AI with no training on data, (3) anonymise where possible, (4) document AI use in your privacy policy. Regulated industries have additional sector obligations.

The regulators that matter

Regulator | Covers | Key obligation for AI
--- | --- | ---
OAIC | Privacy Act 1988 | Don’t breach Australian Privacy Principles (APPs) when using AI on personal info
ACCC | Consumer Law (ACL) | Don’t mislead consumers about your product (incl. AI-generated claims)
ASIC | Financial services + corporations | AFSL + ACL holders maintain advice quality + supervision
APRA | Banking, super, insurance | CPS 234 cyber + outsourcing standards
AHPRA | Health practitioners | Patient confidentiality + professional standards
TGA | Therapeutic goods | Truthful claims, no exaggerated efficacy
ACMA | Communications + spam | Spam Act, AI calls + texts compliance

What every Australian SMB should do (baseline)

These four moves cover 80% of compliance risk for normal business use:

1. Get client consent for AI processing

For any AI processing of client information, add a clause to your engagement letter / service agreement:

“We may use AI tools to assist with general document drafting, research, content production, and operational tasks. Where AI tools process information about you, we use enterprise-tier services with no third-party training on your data. Sensitive information (tax file numbers, health records, financial account numbers) is either anonymised before processing or handled through systems with Australian data residency. We will not use AI to make decisions about your matter without human review.”

Clients sign. You’ve documented consent.

2. Pay for AI (no training tier)

Free Claude.ai and free ChatGPT may use conversations for training or safety review. For business use:

  • Consumer: Claude Pro ($30 AUD/month) or ChatGPT Plus ($30 AUD/month)
  • Team: Claude Team or ChatGPT Team (both $30-45 AUD/user/month)
  • Enterprise / regulated: API access (Anthropic, OpenAI) or Azure OpenAI / AWS Bedrock with data residency

The paid-tier no-training guarantee is the foundational compliance layer.

3. Anonymise where possible

Don’t paste full client names, addresses, ABN numbers, TFNs, Medicare numbers, account numbers, etc. into AI for general work.

Replace with placeholders:

  • “Sarah Khan” → “Client A”
  • “ABN 12 345 678 901” → “ABN [client]”
  • “$45,000 owing” → “$X owing”

Run AI work. Replace back. Costs nothing, dramatically reduces compliance exposure.
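The placeholder round-trip above, as an added example that is not part of the original guide: identifiers are swapped for numbered placeholders before the text goes to the AI tool, the mapping is kept locally, and the originals are put back into the output afterwards. The regexes and the sample line are constructed for this example; they match the common printed layouts of ABN, TFN and Medicare numbers and are not official validators. Numbered placeholders (rather than a single “$X”) keep distinct values distinct so the restore step is lossless, and a residual-digits check flags anything the patterns missed.

```python
import re

# Regexes for the identifier types the guide lists, in their usual printed layouts
# (ABN 12 345 678 901, TFN 123 456 789, Medicare 2123 45670 1). Constructed for
# this example; they are format matchers, not official validators.
PATTERNS = [
    ("ABN", re.compile(r"\bABN\s*\d{2}\s?\d{3}\s?\d{3}\s?\d{3}\b")),
    ("TFN", re.compile(r"\bTFN\s*\d{3}\s?\d{3}\s?\d{2,3}\b")),
    ("MEDICARE", re.compile(r"\bMedicare(?:\s+(?:no\.?|number))?\s*\d{4}\s?\d{5}\s?\d(?:[/-]\d)?\b")),
    ("AMOUNT", re.compile(r"\$\d[\d,]*(?:\.\d{2})?")),
]
# Any 8+ digit run (optional spaces/hyphens) still present after redaction is suspicious.
RESIDUAL = re.compile(r"\d(?:[ -]?\d){7,}")


class Pseudonymiser:
    def __init__(self, client_names):
        self.names = sorted(client_names, key=len, reverse=True)  # longest match first
        self.to_original = {}     # "[ABN-1]" -> "ABN 12 345 678 901"
        self.to_placeholder = {}  # reverse map: a repeated value reuses one placeholder
        self.counts = {}

    def _placeholder(self, kind, original):
        if original not in self.to_placeholder:
            self.counts[kind] = self.counts.get(kind, 0) + 1
            ph = f"[{kind}-{self.counts[kind]}]"
            self.to_placeholder[original] = ph
            self.to_original[ph] = original
        return self.to_placeholder[original]

    def redact(self, text):
        # Known client names first, then the identifier patterns; result goes to the AI tool.
        for name in self.names:
            if name in text:
                text = text.replace(name, self._placeholder("CLIENT", name))
        for kind, pat in PATTERNS:
            text = pat.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def restore(self, text):
        # Put the originals back into the AI output; lossless as long as placeholders survived.
        for ph, original in self.to_original.items():
            text = text.replace(ph, original)
        return text


def residual_identifiers(text):
    # Pre-send check: digit runs the patterns did not catch (returns [] when clean).
    return RESIDUAL.findall(text)


# Constructed sample line, not real client data.
SAMPLE = ("Sarah Khan (ABN 12 345 678 901, TFN 123 456 789) has $45,000 owing. "
          "Medicare 2123 45670 1 on file. Call Sarah Khan on Monday.")
```

Keep the mapping on your own machine (it is the re-identification key) and treat a non-empty `residual_identifiers` result as a stop signal, not a warning.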

4. Document AI use in your privacy policy

Add a section to your privacy policy:

AI processing. We may use AI tools (including Claude by Anthropic and ChatGPT by OpenAI) to assist with our work. Where AI processes information about you, we use enterprise tiers that don’t use your data for training. Sensitive personal information (as defined in the Privacy Act) is either anonymised before AI processing or processed through systems with Australian data residency.

Public, transparent, defensible.

Sector-specific: health (AHPRA + TGA)

Health practitioners face the strictest constraints:

AHPRA expects you to:

  • Maintain patient confidentiality at all times (Privacy Act + state acts)
  • Provide clinical advice with appropriate professional judgement (not AI-generated)
  • Document any AI-tool use in patient records
  • Use AI as an aid, never as a replacement for clinical decision-making

TGA prohibits:

  • AI-generated therapeutic claims that aren’t substantiated
  • Marketing claims about products that exceed evidence
  • Advertising restricted medicines (S4 / S8) on consumer-facing channels regardless of source

Practical setup for AU health practices:

  • Use AI for operational work (booking, reminders, intake forms, general patient education): yes
  • Use AI for diagnosis or treatment planning: never as the decision-maker; human clinician always
  • Use AI for marketing: only with TGA-aware compliance review
  • Pay for enterprise AI with no-training + ideally Australian data residency

See our AI for Australian allied health practices guide for the deep-dive.

Sector-specific: financial services (ASIC + APRA)

ASIC (AFSL + ACL holders) requirements:

  • Maintain advice quality + supervision standards even with AI assistance
  • Don’t outsource regulated advice to AI (it remains the licensee’s responsibility)
  • Document AI use in compliance procedures
  • Ensure AI doesn’t make misleading representations

APRA-regulated entities (banks, insurers, super funds):

  • CPS 234 requires specific cyber + outsourcing controls
  • Cloud AI may be classified as material outsourcing requiring board sign-off
  • Data residency requirements often mandate Australian-region AI

Practical setup for AU financial services:

  • Use AI for general operations + research: yes
  • Use AI for client communications: drafts only, human licensee signs off
  • Use AI for advice: never; AI may draft considerations, licensee makes the call
  • Use enterprise API + Australian region (AWS Bedrock Sydney for Claude, Azure OpenAI Australia East for ChatGPT)

See our AI for Australian mortgage brokers and AI for Australian financial planners guides for sector-specific walkthroughs.

Sector-specific: legal (Law Council + state bars)

The Law Council of Australia and state bar associations have published 2025-2026 guidance:

  • AI may be used for routine drafting + research with appropriate verification
  • AI-generated legal advice must be reviewed by an admitted practitioner before reaching the client
  • Client confidentiality is paramount; default to enterprise AI with no-training + AU region
  • Document AI use in matter files

See our AI for Australian law firms guide for the practical setup.

Sector-specific: marketing + advertising (ACCC + ACMA)

Australian Consumer Law (administered by ACCC) catches:

  • Misleading or deceptive representations (s18)
  • False statements about goods or services (s29)
  • “Australia’s #1” or “best in the country” claims without substantiation

Spam Act 2003 (administered by ACMA) covers:

  • AI-generated marketing emails + SMS must comply with consent requirements
  • Sender identification can’t be misleading
  • Unsubscribe mechanism must function

Practical: AI drafts marketing; humans verify every claim before publishing.

What’s coming (likely 2026-2027)

The federal government has run an AI consultation through 2024-2025. Expected directions:

  • A risk-based AI framework (similar to EU AI Act in shape, lighter in detail)
  • Specific obligations for “high-risk” AI uses (employment, housing, financial decisions, healthcare)
  • Mandatory AI-use disclosure for certain content classes
  • An AI Commissioner role (likely under OAIC)

We’ll update this page as the legislation lands. Subscribe to the On Autopilot newsletter for updates.

What’s NOT compliance-risky in 2026

To balance the above, here’s what most Australian SMBs can do without worry:

  • Use AI to draft marketing copy (with human review for claims)
  • Use AI for non-confidential research
  • Use AI to summarise public information
  • Use AI for general operations + admin
  • Use AI for content writing
  • Use AI for code

These are low-risk activities under current Australian law for most businesses outside the regulated sectors.

This guide is general information, not legal advice. Get specific legal advice for:

  • Any client-facing AI tool you’re building (especially in regulated industries)
  • Any AI use that touches sensitive personal information at scale
  • Any AI-generated content that makes specific claims (financial, health, legal)
  • Any cross-border data transfer for AI processing

A lawyer who understands tech + your sector is worth $500-1,500 AUD for a couple of hours of scoping. Cheap insurance.

Common questions

Is there an Australian AI Act yet?

No, not as of May 2026. The Albanese government has run consultations through 2024-2025 on a risk-based AI framework. A bill is expected late 2026 or 2027. Current obligations come from existing law applied to AI use.

Does the EU AI Act apply to my Australian business?

Only if you provide AI services to people in the EU (extraterritorial scope). Most Australian SMBs aren't caught. If you do EU business, you're likely already managing GDPR; the AI Act layers on top.

Can I use ChatGPT for tax-time work on client data?

With explicit client consent + paid tier (no training) + reasonable anonymisation, yes. The ATO doesn't prohibit AI tooling. Tax File Numbers are 'sensitive information' under the Privacy Act and need stronger protections; default to API or enterprise AI for TFN-touching work.

What about creative content (AI-generated images, copy)?

Copyright on AI output is murky. AI-generated content likely isn't copyrightable in Australia under current case law. You can use it commercially, but you can't stop competitors from copying it. For brand-defining assets, commission human-created work.

Are there penalties for getting this wrong?

Yes. Privacy Act maximum penalty: $50M+ AUD for serious or repeated interferences with privacy. Australian Consumer Law maximum: $50M+ AUD per breach. Industry-specific: AHPRA can suspend registration. ASIC can revoke AFSL. Defaults are: comply with existing law, document your AI use, get consent.
