The ADM Transparency Obligation: Get Your Privacy Policy Ready Before 10 December 2026
10 December 2026: the ADM transparency obligation lands for anyone using AI in credit decisions. What it requires, and how to be ready.
The ADM Transparency Obligation: Get Your Privacy Policy Ready Before 10 December 2026
Part of the series: How to use AI with client documents in Australian real estate finance
General information, not legal advice. Current as at June 2026.
Most AI compliance worries are about general principles - "be responsible," "manage the risk." This one is different. It is a specific obligation, with a specific commencement date, that lands directly on anyone using automation in decisions about individuals. Put it in the calendar now: 10 December 2026.
What the obligation is
The Privacy and Other Legislation Amendment Act 2024 introduces a new automated decision-making (ADM) transparency obligation that commences on 10 December 2026. It amends the privacy-policy requirement so that an APP entity must disclose where automated decision-making is used.
Two things it is not, because both are common misconceptions:
- It does not ban automated decisions.
- It does not require you to put a human in the loop.
It is a transparency and accountability measure. As Pinsent Masons summarised, the reforms are designed to improve transparency and public understanding of how automated systems affect individuals, not to prohibit enterprise use of ADM.
What you have to disclose
Where a computer program makes - or substantially and directly assists in making - a decision that could reasonably be expected to significantly affect an individual's rights or interests, and personal information is used in that program, your privacy policy must set out:
- the kinds of personal information used in those automated decisions;
- the kinds of decisions made solely by automation; and
- the kinds of decisions where automation substantially and directly assists a human decision-maker.
One detail catches a lot of people out: the obligation applies regardless of whether the ADM arrangement was set up before or after commencement. You do not get grandfathered just because your automated process predates the rule.
Why this matters for CRE finance
The legislation does not name "lending" or "credit" as examples - so be clear that the application to credit is a reasoned reading, not a stated carve-out. But it is a strong reading. The "rights or interests" threshold is illustrated by decisions affecting a person's rights under a contract, agreement or arrangement, and decisions affecting access to a significant service or support. A credit or lending decision about an individual - a guarantor, a director, a sole-trader borrower - is squarely the kind of thing that fits.
So if you use, or plan to use, AI to make or substantially assist credit decisions involving individuals, the practical task is twofold: know exactly where automation sits in your process, and say so in your privacy policy by 10 December 2026.
The runway is shorter than it looks
The date is December 2026, but the preparation window is tighter. The OAIC ran a consultation on the obligation that closed on 15 June 2026, with final guidance still to come. That leaves a short stretch between guidance landing and commencement - not long if you discover, late, that you do not actually have a clear map of where automation lives in your decisioning.
Why sovereign, logged AI makes this easy (and scattered AI makes it hard)
Here is the quiet advantage of having done the earlier work. The whole obligation turns on a simple capability: you can only disclose what you can see.
- If your AI use is sovereign and logged - running onshore, in a controlled system that records where automation was applied and what it produced - then meeting this obligation is largely a documentation exercise. You already have the map; you just write it into the privacy policy. (See sovereign AI for CRE finance.)
- If your AI use is scattered across a dozen public browser tabs, with different staff using different tools on different deals, then you cannot honestly describe your automated decision-making, because you do not know its full shape. That is not a drafting problem; it is a visibility problem, and December 2026 turns it into a compliance problem.
The same logging that makes this obligation a paperwork exercise is the logging your governance framework and your credit-paper workflow should already be producing. Build it once.
A short readiness checklist
- Map every point where automation makes or substantially assists a decision about an individual.
- For each, note the kinds of personal information involved.
- Classify each as "solely automated" or "substantially assisting a human."
- Draft the privacy-policy disclosure now, in plain language, and refine it when OAIC guidance lands.
- Keep the underlying log current, so the disclosure stays true as your process changes.
The bottom line
This is the most concrete AI obligation on the Australian horizon for lenders, and it rewards firms that kept their AI use disciplined. There is no need to fear it - it does not stop you automating - but there is a date, and you cannot disclose what you never tracked. Know where your automation sits, write it down, and 10 December 2026 is a non-event.
Want to see where you stand? Run through the checklist for using AI legally in Australia - Section 3 walks the ADM obligation step by step for CRE brokers and lenders.
This article is general information about regulatory developments and is not legal or compliance advice. The application of the ADM obligation to credit decisions is our reasoned reading, not an example stated in the legislation. Confirm your obligations with your own advisers.
Vanillah
We build simply satisfying software.
