Australian Privacy Commissioner 'Not Waiting' to Regulate AI

She pointed to "chatter" about the country's recently published national AI plan, saying she was pleased to see its emphasis on privacy and data governance, along with a renewed commitment to update the country's data protection laws.

However, she noted, the DPA issued guidance last year on how privacy laws and AI intersect, and it's monitoring compliance and carrying out enforcement in the context of AI technologies.

In a blog post Thursday, the DPA described a fictional example based on a notification under its data breach notification scheme, which showed "what can go wrong when using publicly available [generative] AI tools like ChatGPT in the workplace."

The watchdog urged businesses to conduct privacy impact assessments to understand the effect of using such tools and help ensure risks can be managed or eliminated, among other steps. It also recommended prohibiting the upload or use of personal information on generative AI products.

In addition, organizations should set out policies and procedures governing their use of such tools, ensure that privacy policies reflect the use of generative AI, and educate staff on how to use those tools responsibly, the DPA said.

The case study is a valuable resource for the regulated community because it gives a concrete example of how existing privacy laws can shape and restrain potentially harmful AI uses, Kind noted.

It also shows that her office's approach to dealing with novel uses of the technology recognizes the need to be flexible and to engage with organizations to help them build compliance throughout their businesses, she added.