Key regulatory and enforcement developments in Australia in 2024
In September 2024, the Department of Industry, Science and Resources (DISR):
- Introduced a Voluntary AI Safety Standard (Voluntary Standard),1 which includes 10 voluntary guardrails for how Australian organisations should safely and responsibly use and innovate with AI.
- Published a proposals paper for introducing 'mandatory guardrails' for the use of AI in high-risk settings (Mandatory Guardrails Proposals Paper)2.
For more information on this and related Government initiatives, see our Insight.
The Voluntary Standard is significant because:
- It expressly foreshadows the principles likely to be adopted in mandatory legislation if introduced, at the very least in respect of 'high-risk' use cases.
- We expect regulators (including the OAIC, APRA, ASIC, the ACCC and eSafety Commissioner) will look to the standard when enforcing existing principles-and-risk-based regulatory regimes in connection with AI harms.
We have also seen reform to existing regulatory regimes emerge with a focus on AI.
Privacy
On 10 December 2024, the first tranche of reforms to the Privacy Act 1998 (Cth) (Privacy Act) received assent. Among other things, the reforms will require organisations using automated decision-making (ADM) to disclose this in their privacy policy by 10 December 2026 if ADM uses personal information to make decisions that could 'reasonably be expected to significantly affect the rights or interests' of an individual, and include additional transparency requirements.
See our Insight for more information.
Online safety
- The Basic Online Safety Expectations regime was amended in July 2024 to include an expectation that providers of applicable services that use or enable the use of generative AI take reasonable steps to consider end-user safety and proactively minimise the use of AI for unlawful or harmful activities3.
- Two new industry standards came into force on 22 December 20244 that are intended to improve online safety by ensuring that providers of relevant services effectively manage risks in respect of particular classes of restricted or illegal online material, and expressly require relevant providers to consider the risks in relation to AI-generated material.
- The Government brought forward the review of the Online Safety Act 2021 (Cth) 'to keep pace with emerging technologies and their associated harms'.5 We expect that the Government's response may include further regulation in respect of AI within the context of online safety.
Intellectual property
The Government held a number of roundtables with industry leaders in 2023 and released a discussion paper raising copyright considerations with respect to AI. In December 2023, the Government also announced it would establish a copyright and AI reference group as a standing mechanism for ongoing engagement with stakeholders. However, the Government has not yet proposed any specific laws that govern the interaction between generative AI and intellectual property, and it is unlikely that any legislative reforms will be introduced in 2025.
Other
We have also seen regulatory enforcement in connection with AI harms: by the OAIC in relation to facial recognition technology (FRT), involving a number of retail organisations,6 and by ASIC in relation to pricing algorithms,7 following a similar action by the ACCC in 2022.8
What are the likely regulatory and enforcement developments in Australia in 2025?
Although the legislative framework to be adopted for the introduction of the mandatory guardrails and the timing of its introduction are not yet clear, submissions by the key regulators on the Mandatory Guardrails Proposals Paper have indicated broad support for new framework legislation and associated amendments to existing legislation.9
We expect regulators will, in the interim, look to the Voluntary Standard when enforcing existing regulatory regimes in connection with AI harms. Public statements by regulators also indicate a focus on:10
- Consumer protection (including fake reviews and scams, product safety, misleading and deceptive conduct, unfair trading practices, credit scoring, price optimisation and discrimination. The Australian Treasury has indicated that new and targeted consumer protections to prohibit false and misleading representations to consumers in relation to AI may be introduced11);
- Market risks (machine-learning based trading algorithms, and collusive autonomous pricing models);
- Competition (use of AI in digital platform services and algorithmic collusion);
- Privacy (the first tranche of reforms to the Privacy Act last year, along with comments by the OAIC, highlight that Australian companies should expect greater scrutiny from the OAIC on AI transparency, data governance processes and controls in connection with AI12);
- Online safety (deepfake and exploitation material); and
- Operational resilience (which we expect will be a headline issue in 2025 for APRA-regulated entities developing or deploying generative AI tools, noting the commencement from 1 July 2025 of CPS 230 (Operational Risk Management)).
In addition to the Australian enforcement activity identified above, recent enforcement activity in other jurisdictions provides some guidance as to the potential areas of focus for Australian regulators, including:
- 'AI washing'—or misleading or exaggerated statements about the use of AI in a company's products or services. Both the US Securities and Exchange Commission (SEC)13 and the Federal Trade Commission (FTC)14 have been focused on this conduct, and ASIC's Chair, Joe Longo, referred to these cases in a recent speech, noting '[t]his is a serious emerging issue and all Australian companies should be on notice that ASIC is on the lookout for this conduct here'.15
- Misuse of personal and sensitive data—the UK Information Commissioner's Office has been focused on data misuse, including in relation to generative AI chatbots16 and FRT,17 and has issued enforcement notices and fines, and required companies to carry out revised data protection impact assessments. The FTC has also been focused on the extraction and mishandling of sensitive personal data,18 and its actions also continue a trend in its enforcement activity of relying on 'algorithmic disgorgement' as a remedy—the deletion of data that was processed unfairly, and any AI models or algorithms associated with that data.19
- Deceptive and unfair practices—as part of its 'Operation AI Comply', the FTC has announced five separate enforcement actions against entities that are alleged to have used AI technology in deceptive or unfair ways, including promoting fake reviews, selling 'AI Lawyer' services and claiming they could help consumers make money through online storefronts.20 Regulators in the UK21 and US22 have also made public statements indicating their focus on the use of pricing algorithms.
- Compliance guidance—the US Department of Justice recently updated its Evaluation of Corporate Compliance Programs (ECCP) to address risks related to AI.23 The ECCP is used by prosecutors to assess corporate compliance programs, and prosecutors will now closely consider the nature of the risk assessments, risk management strategies, controls and ongoing monitoring processes implemented by companies with respect to AI.
Who are the key regulators in relation to this area?
ASIC, the ACCC, the OAIC, eSafety Commissioner, ACMA and APRA.
What are the key sectors of focus?
- Given the widespread use of AI technologies across the economy, regulation in relation to the deployment of AI is sector agnostic.
- The Government is proposing to issue more detailed guidance for developers (as opposed to deployers) of AI technologies in the next version of the Voluntary Standard, which would have a tech-sector focus.
Footnotes
- Voluntary AI Safety Standard | Department of Industry Science and Resources
- Introducing mandatory guardrails for AI in high-risk settings: proposals paper - Consult hub
- s8A Online Safety (Basic Online Safety Expectations) Determination 2022. See also Part 4, Online Safety Act 2021 (Cth).
- Online Safety (Designated Internet Services—Class 1A and Class 1B Material) Industry Standard 2024; Online Safety (Relevant Electronic Services—Class 1A and Class 1B Material) Industry Standard 2024
- Government welcomes report into Australia’s online safety laws
- OAIC opens investigations into Bunnings and Kmart | OAIC; OAIC finds against 7-Eleven over facial recognition | OAIC; Statement on Clearview AI | OAIC
- 24-234MR ASIC alleges QBE misled customers over pricing discounts | ASIC; 23-228MR ASIC alleges IAG misled home insurance customers on pricing discounts | ASIC; 23-179MR IAL penalised $40 million over pricing discount failures | ASIC
- Trivago to pay $44.7 million in penalties for misleading consumers over hotel room rates | ACCC
- ASIC – Make a submission - Introducing mandatory guardrails for AI in high-risk settings: proposals paper - Consult hub; ACCC – Make a submission - Introducing mandatory guardrails for AI in high-risk settings: proposals paper - Consult hub; OAIC - Make a submission - Introducing mandatory guardrails for AI in high-risk settings: proposals paper - Consult hub; eSafety Commission - Make a submission - Introducing mandatory guardrails for AI in high-risk settings: proposals paper - Consult hub; ACMA - Make a submission - Introducing mandatory guardrails for AI in high-risk settings: proposals paper - Consult hub
- See, for example, ASIC's submission to the 'Inquiry into the uptake of AI technologies in Australia', published in May 2024 - 202405-submission-no-67-uptake-of-ai-technologies-in-australia.pdf; see also the Digital Platform Regulators Forum's submission to DISR's AI discussion paper, published in July 2023
- Treasury - Review of AI and Australian Consumer Law: discussion paper
- Privacy and Other Legislation Amendment Bill 2024; OAIC – Submission to the DISR's proposals paper for introducing mandatory guardrails for AI in high-risk settings
- See, for example, decisions and orders in relation to Rite-Aid, Kurbo and Everalbum.
- FTC Announces Crackdown on Deceptive AI Claims and Schemes | Federal Trade Commission
- Algorithms: how they can reduce competition and harm consumers
- https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl