The Privacy and Other Legislation Amendment Act 2024 introduces a new APP 1 transparency obligation for substantially automated decisions that have a legal or similarly significant effect on individuals, commencing 10 December 2026. It sits alongside AUSTRAC's post-31-March-2026 documentation expectations on AML decision-making. Contestability and human oversight appear in the broader Privacy Act reform / AI-governance discussion rather than as enacted ADM obligations today. Working reference for compliance officers — not legal advice.
Working reference, not legal advice
Incoming Privacy Act reforms will require APP entities to update their privacy policies to explain certain uses of personal information in substantially automated decisions that have a legal or similarly significant effect. This is a transparency obligation commencing 10 December 2026. It should not be presented as a current statutory right to contest automated gaming-risk decisions, nor as a current statutory requirement for human oversight, although those may be prudent governance controls and may appear in broader AI/privacy reform discussions. For a definitive view, talk to a privacy lawyer or check the OAIC's published guidance.
The Privacy Act 1988 (Cth) is the Commonwealth privacy framework, with the Australian Privacy Principles (APPs) as its 13-principle operational core. The Privacy and Other Legislation Amendment Act 2024 introduced an APP 1 transparency obligation that, once in force, will require APP entities to explain in their privacy policies any use of personal information in substantially automated decisions that could reasonably be expected to significantly affect the rights or interests of an individual. Commencement is 10 December 2026.
For gaming venues, that threshold captures uses such as FRT-driven entry refusal, AML escalation that constrains a patron's access to designated services, and patron risk-scoring that triggers welfare interventions — to the extent each is substantially automated and produces an effect on the patron that is legal or similarly significant.
The transparency amendment sits alongside the existing Australian Privacy Principles — including APP 12 (access) and APP 13 (correction), which give individuals access and correction rights against the personal information held by APP entities. Contestability and human oversight appear in the broader Privacy Act reform / OAIC and AI-governance discussion; they are not currently enacted ADM obligations. Venues can usefully prepare privacy policies and operational documentation now ahead of the 10 December 2026 commencement.
The enacted ADM obligation has one element. Beyond it sit two broader reform themes that are not currently statutory obligations but appear consistently in the OAIC and AI-governance discussion, and which clubs may treat as prudent governance.
The transparency obligation sits alongside AUSTRAC's post-31-March-2026 documentation expectations on AML decision-making. The architectural shape both regimes point toward is the same: rule-based explainability, human-in-the-loop review where it's prudent, audit trails capturing both automated and human steps.
The three places gaming venues most commonly deploy automated decision-support — each of which may be affected by the incoming APP 1 transparency obligation and already engages existing APP-level obligations:
What unifies all three: an architectural posture where the automated system surfaces, the human decides, and the audit trail captures both layers. The incoming transparency obligation does not restrict automation; it asks APP entities to explain it. Contestability and human oversight are sensible governance controls and feature in the broader Privacy Act reform direction — clubs that adopt them now are aligning with that direction rather than discharging a current statutory ADM obligation.
The Privacy and Other Legislation Amendment Act 2024 introduces a new APP 1 transparency obligation: APP entities will have to explain in their privacy policies any use of personal information in substantially automated decisions that could reasonably be expected to significantly affect the rights or interests of an individual. Commencement is 10 December 2026. The obligation sits alongside the existing Australian Privacy Principles. Contestability and human oversight are part of the broader Privacy Act reform / AI-governance discussion rather than currently enacted ADM obligations. For gaming venues, the substantially automated decisions most likely to fall in scope of the new transparency obligation include FRT-driven self-exclusion identification, AML alert ranking and dispositioning, and patron risk-scoring.
Three uses of automation that gaming venues commonly deploy are the most likely to fall within the incoming APP 1 transparency obligation. (1) Facial recognition for self-exclusion enforcement — an automated system identifies a patron and the venue acts on the identification (refusing entry). (2) AML transaction monitoring with rule-based or ML-based alert generation — an automated system flags a transaction and the venue acts on the flag (CDD escalation, SMR consideration). (3) Patron risk-scoring used for harm-minimisation decisions — an automated system rates a patron and the venue acts on the rating (welfare check, intervention). Each may be a substantially automated decision producing an effect on the patron that could reasonably be expected to significantly affect their rights or interests — the threshold the APP 1 transparency obligation will use once it commences.
The enacted ADM obligation is a single transparency element commencing 10 December 2026: APP entities will need to update their privacy policies to explain substantially automated decisions that have a legal or similarly significant effect on individuals — what types of decisions, what information is processed, and the consequences. Generic 'we may use technology to support our operations' is unlikely to satisfy the standard once it commences; specifying that FRT is used at the entry to the gaming area for self-exclusion enforcement is the kind of disclosure the amendment points toward. Contestability and human oversight are part of the broader Privacy Act reform direction and the AI-governance discussion, but they are not currently enacted ADM obligations. A patron's existing statutory levers are APP 12 (access) and APP 13 (correction), together with the OAIC complaints pathway.
FRT-driven self-exclusion enforcement is the clearest case for the incoming transparency obligation. When an automated system identifies a self-excluded patron and the venue refuses entry, the patron will be entitled, once the APP 1 amendment commences on 10 December 2026, to a privacy-policy disclosure that explains the use of FRT and the substantially automated decision it informs. The patron's existing statutory levers — APP 12 (access) and APP 13 (correction), together with the OAIC complaints pathway — apply now to the personal information involved. As a matter of governance and direction-of-reform, many clubs already operate FRT with a human-in-the-loop pattern (a staff member confirms the match before refusal is acted on) and a clear path to request a manual review of a contested match; that is consistent with the OAIC's FRT determinations and guidance in retail contexts, even though it is not currently a statutory ADM mandate.
AML alert ranking sits in a slightly different shape because it doesn't directly act on the patron — it surfaces alerts to the AMLCO who then makes the decision. The incoming APP 1 transparency obligation may apply once it commences (10 December 2026) where the ranking system is a substantially automated input into a decision producing an effect on the patron that could reasonably be expected to significantly affect their rights or interests. Practical operational shape: (a) the AMLCO retains genuine review authority (the ranking system surfaces, the AMLCO decides); (b) the rationale behind the ranking is documentable on a customer-by-customer basis (the rule, the threshold, the data trace); and (c) patrons have existing APP 12 access rights to information about how their personal information has been handled, subject to the AML/CTF Act tipping-off provisions at s 123, which constrain what can be disclosed about specific SMRs.
Both rule-based and ML-based alert ranking fall within the ADM provisions; the obligations apply equally. The practical difference is that rule-based automation makes the explainability obligation structurally easier to satisfy — when a patron asks 'why was I flagged?', a rule-based system can produce a clean rule, threshold, and data trace. ML-based ranking can struggle here, particularly with deep models that don't decompose into human-readable explanations. The Privacy Act doesn't ban ML; it just makes pure ML deployments harder to bring into compliance. Most defensible architectures pair a rule-based Layer 1 (with transparent explanations) with ML-assisted Layer 2 ranking (where the ML augments but doesn't replace the rule trace).
Five practical categories — the first is tied to the incoming APP 1 amendment, the rest are existing-APP and governance practice. (1) The privacy policy explaining how personal information is used in substantially automated decisions, with version history (ready for the 10 December 2026 commencement). (2) Records of automated decisions — what system fired, what rule, what threshold, what data, what disposition — under the venue's existing record-keeping. (3) Records of access (APP 12) and correction (APP 13) requests received and how they were resolved, with timestamps. (4) Where the venue has chosen to run human review of automated decisions as a governance control, the operational evidence that the review happened. (5) A Privacy Impact Assessment (PIA) for material data-driven deployments, particularly FRT, is OAIC-recommended practice. The records should demonstrate that the privacy obligations are being met operationally, not just acknowledged in policy.
The two regimes point in a similar architectural direction. The post-31-March-2026 AML/CTF Act framework sharpens the documentation standard around AML decision-making — the AMLCO is expected to be able to show why the program flagged what it flagged. The incoming Privacy Act APP 1 transparency obligation (commencing 10 December 2026) will sharpen the privacy-policy disclosure standard around substantially automated decisions with significant effects on individuals. Together they push toward a single architectural shape: automated systems operating with rule-based explainability and human-in-the-loop review where prudent, with audit trails that capture both the automated and the human steps. Venues building toward one tend to align with the other.
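The "rule, threshold, data trace" explainability described for AML alert ranking, the rule-based Layer 1 pattern, and the audit trail that captures both the automated and the human step can be shown in one small piece of code. The following is an added example written for this page, not code from any venue, vendor or regulator: the rule names, thresholds, transactions and reviewer identities are constructed for illustration, and the hash-chained audit log is an added design choice for tamper evidence, not a statutory element.

```python
# Added example: rule-based Layer 1 alert engine whose every firing is
# explainable as (rule, threshold, data trace), plus an append-only audit
# trail recording both the automated step and the human (AMLCO) review.
# Rules, thresholds, transactions and names below are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json


@dataclass(frozen=True)
class Rule:
    rule_id: str
    field: str          # transaction attribute the rule inspects
    threshold: float    # fires when attribute >= threshold
    description: str


# Constructed rules; real thresholds come from the venue's AML/CTF program.
RULES = (
    Rule("R-CASH-10K", "cash_in", 10_000.0, "cash buy-in at or above threshold"),
    Rule("R-VELOCITY", "buy_ins_24h", 6, "repeated buy-ins inside 24 hours"),
)


def evaluate(txn: dict, rules=RULES) -> list[dict]:
    """Layer 1: return one explanation record per rule that fired. Each record
    is the rule, threshold and data trace a patron query can be answered from."""
    fired = []
    for r in rules:
        observed = txn.get(r.field)
        if observed is not None and observed >= r.threshold:
            fired.append({"rule_id": r.rule_id, "description": r.description,
                          "threshold": r.threshold, "observed": {r.field: observed},
                          "txn_id": txn["txn_id"]})
    return fired


class AuditTrail:
    """Append-only log; each entry carries the previous entry's hash (added
    design choice: makes silent edits or deletions detectable)."""

    def __init__(self):
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, step: str, actor: str, payload: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "step": step, "actor": actor,
                "at": datetime.now(timezone.utc).isoformat(),
                "payload": payload, "prev_hash": prev}
        entry = {**body, "entry_hash": self._digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def process_transaction(trail: AuditTrail, txn: dict) -> list[dict]:
    """Run Layer 1 and log the automated step, whether or not anything fired."""
    fired = evaluate(txn)
    trail.append("automated", "layer1-rules", {"txn_id": txn["txn_id"], "fired": fired})
    return fired


def record_human_review(trail: AuditTrail, txn_id: str, reviewer: str,
                        disposition: str, rationale: str) -> dict:
    """The engine surfaces, the AMLCO decides. A review without a written
    rationale is refused so the trail always shows why the human decided."""
    if disposition not in {"cleared", "escalate_cdd", "smr_consideration"}:
        raise ValueError(f"unknown disposition: {disposition}")
    if not rationale.strip():
        raise ValueError("human review requires a written rationale")
    return trail.append("human_review", reviewer,
                        {"txn_id": txn_id, "disposition": disposition, "rationale": rationale})


def explain(trail: AuditTrail, txn_id: str) -> dict:
    """Answer 'why was this flagged, and what did the human do?' from the
    trail alone, i.e. both layers for one transaction."""
    auto = [e["payload"]["fired"] for e in trail.entries
            if e["step"] == "automated" and e["payload"]["txn_id"] == txn_id]
    human = [e["payload"] for e in trail.entries
             if e["step"] == "human_review" and e["payload"]["txn_id"] == txn_id]
    return {"txn_id": txn_id, "rules_fired": auto[0] if auto else [], "human_review": human}


if __name__ == "__main__":
    trail = AuditTrail()   # constructed sample run
    process_transaction(trail, {"txn_id": "T-1", "patron_id": "P-42",
                                "cash_in": 12_500.0, "buy_ins_24h": 2})
    record_human_review(trail, "T-1", "amlco-jane", "escalate_cdd",
                        "cash buy-in above threshold, source of funds unclear")
    print(json.dumps(explain(trail, "T-1"), indent=2))
    print("trail intact:", trail.verify())
```

The point of the shape is that `explain()` reconstructs both layers for a single transaction from the log alone: the rule that fired, the threshold it used, the observed value, and the AMLCO's disposition with its rationale. An ML Layer 2 can re-order the alerts the rules produce without touching that trace, which is what keeps the explanation patron-readable.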
Rule-based explainability, human-in-the-loop review, documented audit trails. The incoming APP 1 transparency obligation (10 December 2026) and AUSTRAC's post-31-March-2026 documentation expectations point at the same architectural shape — and so does Venue Axis. First three months free, no card up front.