New Zealand law firm Buddle Findlay has warned that Kiwi businesses that hold or handle the personal information of individuals in Australia must prepare for strict new transparency rules regarding automated decision-making.

From 10 December 2026, amendments to the Australian Privacy Act will force organisations to reveal when they use computer programs to make significant decisions about individuals. These changes target systems that rely on personal information to screen job applicants, assess credit scores, or detect fraud.

For New Zealand’s CIOs and GRC managers, the update highlights a growing regulatory gap. While Australia is moving toward mandatory AI disclosure, New Zealand’s Privacy Act 2020 remains silent on the issue. This means firms relying solely on local compliance will likely fall short of Australian legal standards.

According to Buddle Findlay, the new rules have a long reach. Any New Zealand entity that does business in Australia or handles the data of people living there may be classified as an "APP entity".

Under sections APP 1.7 to 1.9, these organisations must clearly describe in their privacy policies:

- The kinds of personal information used in the operation of such programs

- The kinds of decisions made solely by those programs

- The kinds of decisions for which those programs perform a step substantially and directly related to making the decision.

“For New Zealand organisations operating in or across the Australian market, the practical consequence is clear: compliance with APP 1.7 in Australia is a standalone obligation that must be addressed on its own terms.  It cannot currently be satisfied by, compliance with New Zealand's Privacy Act. “

The law firm has published 4 practical steps that should be followed by in-house legal teams and privacy officers at New Zealand organisations with Australian operations or exposure.

Read more here