APP 1.7 is a provision of the Privacy Act 1988 (Cth) that came into force on 10 June 2025. The obligation already exists. 10 December 2026 is not when the obligation starts — it is when the OAIC begins active enforcement. From that date, non-compliant organisations face regulatory investigation and civil penalties up to $50 million.

Copilot is in your Microsoft 365. Gemini is in Gmail. Zoom is transcribing your meetings. Xero, MYOB, LEAP, Karbon, and Practice Ignition are processing client data. None of this was formally adopted — and none of it is disclosed in your privacy policy. APP 1.7 requires every one of these systems to be individually named, documented, and in some cases covered by a separate Governance Declaration. The OAIC reviewed 23 organisations in January 2026. Not one was compliant.