AI Privacy and Legal Frameworks in Australia and New Zealand

Artificial Intelligence (AI) is revolutionising the way we work by automating tasks, optimising processes, and improving decision-making. However, the rapid adoption of AI brings with it significant privacy and legal considerations. The challenge is how can we keep privacy laws up to date with this evolving technology?

Key Privacy Laws

In Australia and New Zealand, several laws govern the use of data privacy, particularly those that involve personal data. While these laws do not directly regulate AI, their requirements significantly impact how an organisation's AI systems can be developed and deployed, particularly when dealing with personal data.

Australian Privacy Laws

Privacy Act 1988: This act regulates the handling of personal information, ensuring organisations adhere to strict privacy principles. For example, if a company collects data from wearable devices used by individuals, it must comply with the Privacy Act's requirements for data protection, use, and disclosure.

Australian Privacy Principles (APPs): These principles provide a framework for managing personal information, including its collection, storage, use, and disclosure. AI systems processing personal data must comply with these principles. For instance, an organisation using AI for smart city projects must ensure that residents' personal data is collected and used transparently and securely.

Notifiable Data Breaches (NDB) Scheme: Introduced in February 2018, this scheme mandates that organisations must notify individuals and the Office of the Australian Information Commissioner (OAIC) about data breaches likely to result in serious harm. For instance, if an AI system managing critical infrastructure experiences a data breach, the organisation must promptly notify affected individuals and the OAIC, providing recommendations on protective measures.

State and Territory Legislation: In addition to federal laws, state and territory legislation also governs the use of personal data. For example, the Health Records Act 2001 (Victoria) and the Health Records and Information Privacy Act 2002 (New South Wales) provide specific protections for health information.

New Zealand Privacy Laws

Privacy Act 2020: This act modernises the previous 1993 legislation and strengthens the protection of personal information. Organisations using AI must ensure they comply with the principles of data minimisation, purpose limitation, and security safeguards. Recently, the New Zealand government released guidance on the use of AI in compliance with the Privacy Act, titled "Artificial Intelligence and the Information Privacy Principles (September 2023)."

Health Information Privacy Code 2020: This code sets specific rules for health information, crucial for any AI applications in healthcare. It ensures that personal health information is collected, stored, and disclosed appropriately.

Challenges with Advancements in Technology

The rapid pace of technological advancement often outstrips the development of privacy laws, creating challenges for regulators and organisations.

Regulatory Lag: One of the primary challenges is regulatory lag, where existing laws struggle to keep pace with innovation. This creates gaps in legal protections, leaving individuals vulnerable to privacy risks associated with emerging technologies.

Global Discrepancies: Privacy laws vary widely between countries, creating a complex landscape for multinational organisations. A company operating internationally must navigate different legal requirements, such as the stringent General Data Protection Regulation (GDPR) in Europe. This also applies to the privacy laws between the two countries. These discrepancies can lead to compliance challenges and legal uncertainties, particularly when data flows across international borders.

Emerging Technologies: Besides AI, emerging technologies such as the Internet of Things (IoT) and blockchain introduce unfamiliar privacy challenges that existing laws may not adequately address. For example, sensors in smart devices gather detailed data, raising concerns about potential breaches of personal privacy and data security.

Looking Towards Adaptive Regulation

To effectively address the challenges posed by AI, regulators need to adopt adaptive and flexible approaches to regulation. This involves regularly updating privacy laws and guidelines to keep pace with the advancements in technology along with emerging threats. New provisions or standards specifically tailored to AI-driven technologies may be necessary.

The evolving landscape of AI technology requires a proactive approach to privacy and legal governance. By understanding and complying with relevant laws, and adopting adaptive regulation, organisations can harness the benefits of AI while safeguarding against potential security and privacy risks.

To explore or learn more about how our Security & Risk solutions can help you harness the benefits of AI while safeguarding against potential security and privacy risks, contact our team today.