OAIC releases new guidance on AI privacy compliance

The Office of the Australian Information Commissioner (OAIC) has published new guides for business to more clearly articulate how Australian privacy law applies to artificial intelligence (AI) and set out the regulator’s expectations.

The first guide will make it easier for businesses to comply with their privacy obligations when using commercially available AI products and help them to select an appropriate product. The second provides privacy guidance to developers using personal information to train generative AI models.

“How businesses should be approaching AI and what good AI governance looks like is one of the top issues of interest and challenge for industry right now,” said Privacy Commissioner Carly Kind. “Our new guides should remove any doubt about how Australia’s existing privacy law applies to AI, make compliance easier, and help businesses follow privacy best practice. AI products should not be used simply because they are available.

“Robust privacy governance and safeguards are essential for businesses to gain advantage from AI and build trust and confidence in the community.”

The new guides align with OAIC focus areas of promoting privacy in the context of emerging technologies and digital initiatives, and improving compliance through articulating what good looks like.

“Addressing privacy risks arising from AI, including the effects of powerful generative AI capabilities being increasingly accessible across the economy, is high among our priorities,” said Kind. “Australians are increasingly concerned about the use of their personal information by AI, particularly to train generative AI products.

“The community and the OAIC expect organisations seeking to use AI to take a cautious approach, assess risks and make sure privacy is a key consideration. The OAIC reserves the right to take action where it is not.”

While the guidance addresses the current situation — concerning the law, state of technology and practices — Commissioner Kind said an important focus remains how AI privacy protections could be strengthened for the benefit of society as a whole.

“With developments in technology continuing to evolve and challenge our right to control our personal information, the time for privacy reform is now,” she said. “In particular, the introduction of a positive obligation on businesses to ensure personal information handling is fair and reasonable would help to ensure uses of AI pass the pub test.”

The OAIC has published a blog post with further information about the privacy guidance for developers using personal information to train generative AI models.

Image credit: iStock.com/Sansert Sangsakawrat