The Office of the Australian Information Commissioner (OAIC) will provide local businesses with guidance on how Australian privacy law applies to artificial intelligence (AI) in a series of new guides published ahead of incoming Privacy reform.

The first guide aims to help businesses comply with privacy obligations when using commercially available AI products and assist them in selecting an appropriate product, with the second guide provides privacy guidance to developers using personal information to train generative AI models.

Privacy Commissioner Carly Kind said that the guides should clarify how Australia’s existing privacy law applies to AI, make compliance easier, and help businesses follow privacy best practice. “How businesses should be approaching AI and what good AI governance looks like is one of the top issues of interest and challenge for industry right now,” said Kind.

“Our new guides should remove any doubt about how Australia’s existing privacy law applies to AI, make compliance easier, and help businesses follow privacy best practice. AI products should not be used simply because they are available.

“Robust privacy governance and safeguards are essential for businesses to gain advantage from AI and build trust and confidence in the community,” she said.

The new guides align with OAIC focus areas of promoting privacy in the context of emerging technologies and digital initiatives, and improving compliance through articulating what good looks like.

“Addressing privacy risks arising from AI, including the effects of powerful generative AI capabilities being increasingly accessible across the economy, is high among our priorities,” Kind said. “Australians are increasingly concerned about the use of their personal information by AI, particularly to train generative AI products.

“The community and the OAIC expect organisations seeking to use AI to take a cautious approach, assess risks and make sure privacy is a key consideration. The OAIC reserves the right to take action where it is not.”

Kind also highlighted the need for privacy reform, suggesting the introduction of a positive obligation on businesses to ensure personal information handling is fair and reasonable. “With developments in technology continuing to evolve and challenge our right to control our personal information, the time for privacy reform is now,” said Kind. “In particular, the introduction of a positive obligation on businesses to ensure personal information handling is fair and reasonable would help to ensure uses of AI pass the pub test.”

It comes just over a month after the first tranche of long-awaited Privacy reforms hit Australian Parliament, outlining four elements that will likely be covered in the first bill, including doxxing, a new statutory tort for pursuing serious invasions of privacy, child protection online, and new transparency rules for Automated Decision Making (ADM).