The Australian Government recently released its final report on the Review of AI and the Australian Consumer Law (Report). The Report follows the government’s October 2024 discussion paper and public submissions, which closed on 12 November 2024, and subsequent stakeholder roundtables.
The Report concludes that while the characteristics of some AI systems (such as adaptability and self-learning, autonomy and opacity) may increase risks for consumers, the economy-wide, principles-based and technology-agnostic framework remains broadly fit-for-purpose for AI-enabled goods and services and is well-placed and capable of adapting effectively to regulate consumer law risks and potential harms arising from AI now and in the future.
The scope of the existing protections and mechanisms of the Australian Consumer Law (ACL) for providing remedies were found to remain appropriate, and while no AI-specific overhaul is recommended, the government identifies some targeted technical amendments, coupled with expanded guidance, to enhance regulatory clarity in the context of software-enabled goods and services.
Most interestingly, the Report is potentially the start of a broader pivot away from EU AI Act style regulatory approaches. Treasury rejected proposals for AI-specific consumer provisions and declined to recommend immediate mandatory safety standards for AI.
Correctly, the Report notes that principles-based laws such as the ACL inherently have a level and period of uncertainty as to how they will be applied to new and emerging technologies. The alternative approach of prescriptive laws may be relatively clear for a time, but is inherently inflexible and may mean the law does not respond to market developments, leading to gaps.
The Report concludes that the ACL’s principles-based approach has, to date, largely avoided technology specific gaps emerging, reducing the need for regular amendment. As consumers, manufacturers and suppliers become familiar with new technology and as markets mature, uncertainty in the application of the ACL is expected to reduce, and the consideration by courts of matters involving AI-enabled goods and services will produce case law to guide interpretation and provide clarity.
So, by design, there is a trade-off between flexibility and uncertainty, with that uncertainty reducing over time. This warns against knee-jerk regulatory responses to new technologies like AI, and is a careful and thoughtful approach to legislative design.
We have summarised the Report’s six key findings below, including where the Report agreed and disagreed with submissions while providing some commentary as to how the ACL can already respond to AI-consumer risks and harms:
The principles-based protections provided under the ACL are generally well adapted to address the potential consumer law risks of AI-enabled goods and services
The Report notes that the ACL adopts a variety of mechanisms to address consumer imbalance and potential harm and offers a wide range of remedies to consumers where consumer harm does arise, including from AI-enabled goods and services. These protections include:
prohibitions on misleading or deceptive conduct (s. 18), unconscionable conduct (s. 20-22A) and false or misleading representations (s. 29-37)
consumer guarantees that ensure goods and services meet certain minimum standards and rights of remedy for consumers (Part 3-2)
unfair contract terms (Part 2-3)
product safety tools (such as recalls, mandatory safety standards and bans) (Part 3–3)
manufacturer strict liability for goods with a ‘safety defect’ (Part 3-5).
The Report finds these protections are adequate, did not reveal gaps in existing consumer law protections, and are sufficiently flexible to address risks and harms which may arise in an AI-context (including those stemming from the unique characteristics of AI), while retaining core protections, consistency and fairness across different industries and contexts.
Submissions expressed concern that the prohibition on misleading and deceptive conduct, which applies regardless of intention to mislead or deceive, may detrimentally impact small businesses to adopt new AI technologies. However, the Report reiterates that the onus is on all businesses to ensure the technologies they use are fit-for-purpose and must assess the risk that their systems or processes may mislead a consumer. However, the Report notes that in some cases the ACL may operate to protect small businesses (as a consumer) where misleading and deceptive conduct arises as a result of the integration of off-the-shelf AI systems, for example, the consumer guarantees under the ACL will apply, subject to certain exceptions, to a business transaction if the goods or services purchased cost less than $100,000.
The ACL is well placed to address potential consumer law risks and harms associated with AI-enabled goods and services.
Support among submissions for retaining a principles-based, economy-wide, technology-agnostic framework and not expanding the ACL to address harms regulated by other legislative frameworks.
No evidence to support the making of a mandatory safety standard to address emerging AI consumer harms at present, although consideration could be given in the future should the need arise.
Disagreed with submissions for bespoke AI consumer provisions, citing the absence of demonstrated gaps warranting structural changes.
Uncertainty regarding the distinction between goods and services, including AI-enabled goods and services, presents a barrier to applying the ACL to new and emerging technologies
The ACL includes different consumer guarantees and remedy pathways depending on whether a supply is a ‘good’ or a ‘service’. The definitions are mutually exclusive, requiring a transaction to be characterised as a whole as either the supply of goods or the supply of services.
The Report recognises that AI and other software-enabled offerings frequently involve mixed supplies and intangible components which can make it difficult to categorise a supply as a ‘good’ or a ‘service’. While ‘goods’ is already defined to expressly include computer software (s. 2), the granular analysis required in certain supply situations may be beyond the capacity of many consumers, manufacturers and suppliers.
Disagreed with proposals to create a separate category of ‘digital products’ with its own regime (as has been done in the UK), noting that it would add complexity and regulatory burden to the ACL by introducing a third category and moving away from existing experience and case law, without any demonstrated deficit or proven benefit.
Update ACCC regulatory guidance and education materials to provide examples of software-enabled goods and services (including AI) and greater clarity for how the ACL applies to them and mixed supplies.
Targeted amendments to the legislated list of items included within the definition of ‘goods’ to more clearly capture digital products and software-enabled goods (including AI-enabled goods).
The existing remedy and liability provisions under the ACL are broad and remain appropriate in an AI context. Targeted amendments could provide additional clarity
The ACL contains a range of remedies available when a business provides a good or service that does not meet consumer guarantees, including a repair, replacement, refund or contract cancellation, and compensation where a consumer suffers loss or damage because of such failure (Part 5-2). The Report finds the existing remedies available under the ACL are flexible enough for AI contexts, with the appropriateness of a particular remedy dependent on the specific context.
The Report outlines that a common concern raised by stakeholders was that, due to information asymmetries and the opaque and autonomous nature of some AI systems, consumers may face practical evidentiary challenges in successfully accessing the remedies available to them under the ACL. However, the Report noted that the burden of evidence which a consumer may face is context-specific. For more minor matters where a consumer is seeking a remedy under a consumer guarantee, consumers do not need to diagnose the root cause, only that a malfunction has happened. By contrast, the Report finds that the higher evidentiary burden in establishing causation for consumers seeking compensation for damages through a court or tribunal is appropriate given the higher financial and other risks involved for all the parties.
Another concern raised in submissions was that AI supply chains can be global and multilayered with multiple actors contributing to development, deployment and integration of an AI-enabled product, whilst downstream training and fine-tuning of AI models may further complicate supply chains. The Report notes that while AI supply chains can be complex and complicate attribution of liability, this is not unique to AI. While new market participants may require time to understand how the ACL applies to them, the ACL’s architecture is designed to shield consumers from supply-chain complexity. This arises because the ACL takes a ‘market access / supply’ and broad approach as to who is the manufacturer of a good, with importers to, and distributors and retailers within, Australia of goods being considered a manufacturer if there is no Australian office of the maker (s. 7). Further, in the case of the consumer guarantees, consumers may pursue a remedy against the supplier of the failed good (s. 259), rather than ascertaining who the manufacturer is, and where this occurs manufacturers are liable for reimbursing suppliers for the costs of the supplier providing the consumer remedy (s. 259).
General support that the ACL suite of remedies is fit-for-purpose.
The emergence of new technologies over time, including agentic AI, may necessitate further consideration of the mechanisms available under the law, including in establishing liability under the ACL, to ensure the ACL is realising its policy intent.
Disagreed with calls to adopt EU-style presumptions of a causal link between the fault of the manufacturer or supplier and the failure of an AI system (as was contemplated in the now-shelved EU AI Liability Directive), finding insufficient justification to depart from the long-established causation principles under the ACL and the common law.
Targeted amendments to the definition of ‘manufacturer’ to expressly address manufacturers of digital products/software-enabled goods (including AI-enabled goods), would improve clarity regarding the existing obligations of businesses across the AI/software supply chains.
Existing manufacturer defences to defective goods actions available under the ACL remain broadly appropriate in an AI context. Technical amendments may be required to ensure existing defences operate as intended.
Under Part 3-5 of the ACL, a manufacturer of a good is strictly liable to compensate consumers for personal injury and property damage caused by a ‘safety defect’ in the good, being a defect such that the goods are not as safe as a person is entitled to expect that they are. The Report considers key defences available to manufacturers in defective goods actions, including that the safety defect:
did not exist at the time of supply (‘time of supply defence’)
could not have been discovered at the time the manufacturer supplied the goods because there was insufficient scientific or technical knowledge at the time (‘state-of-the-art defence’).
The Report confirms the suitability of existing defences for AI, but identified that the current drafting of the ‘time of supply defence’ which anchors the defence solely to the point of initial supply, may not achieve the policy intent where manufacturers exercise meaningful control over the safety of goods post-initial supply (such as for software-enabled goods where the manufacturer continues to provide updates post-initial supply). The Report notes that other existing provisions of the ACL incorporate the concept of control (see for example, sections 259 (Actions against suppliers of goods) and 271 (Action for goods)).
Interestingly, the Report found no changes or clarity of application was required to the ‘state-of-the-art defence’. Some have raised concerns that the ‘state-of-the-art defence’ could potentially be relied on by a manufacturer of an AI system where the AI outputs that caused the harm were not predictable or were otherwise due to the AI system self-learning. The Report notes that the defence requires establishing that the safety defect could not have been established by ‘anybody’, not merely by the manufacturer. Whilst we do not necessarily agree with the framing of this by reference to the knowledge of ‘anybody’, we do agree that the defence has a high bar and there is an expectation that manufacturers keep pace with evolving technical knowledge. On this reasoning, given it is known that AI systems can be self-learning, which can result in unpredicted and problematic behaviours, this may constitute a ‘safety defect’ in some circumstances, and a manufacturer would likely find it difficult to rely on the ‘state-of-the-art defence’ if there was an absence of review, auditing or other inbuilt oversight mechanisms in the creation and maintenance of the AI system to mitigate against unpredicted or self-learning behaviours that may cause damage. We think this is the right outcome.
Disagreed with concerns that the ‘state-of-the-art defence’ at present is too broad in the context of AI, but if it is found to be operating in an unintentionally broad manner in the future, consideration should then be given to adjustments.
Support for ensuring the ‘time of supply defence’ does not absolve liability of manufacturers when they continue to exercise meaningful control post supply that affects safety.
Technical amendments may be required to ensure the ‘time of supply defence’ operates as intended in the context of software-enabled goods (including AI-enabled goods), where the manufacturer continues to exercise a degree of control over the good post-supply (potentially by aligning the defence’s trigger to control in appropriate cases rather than the time of supply), with careful drafting required to preserve the defence’s core function.
The nature of AI-enabled goods and services does not necessitate specific changes to current powers available to the ACCC.
The Report finds the ACCC and State and Territory consumer protection agencies have a range of tools available to them to address AI-enabled harms, including injunctions, warning notices, undertakings and enforcement actions, seeking penalties through court action, and intervening in the market to require product recalls. Further, while noting that pursuing actions against entities in other jurisdictions is complex, this is not unique to AI, and the ACCC’s information-gathering powers explicitly specify that the ACCC can serve certain notices in or outside of Australia and leave of the court is no longer required to service originating applications on parties outside of Australia.
Disagreed with submissions to introduce new AI-specific takedown powers, noting the current framework, including to seek injunctions and issue public warning notices, is considered adequate at this time.
Agreed that regular reviews of the ACCC’s powers should continue to ensure their ongoing sufficiency as technologies evolve, including in the context of AI.
The protections available under the ACL provide Australian consumers of AI-enabled goods and services with similar, and in some cases enhanced, protections when compared to those available to consumers in the EU, UK and Singapore.
From a comparative perspective with the EU, UK and Singapore, the Report finds that the ACL performs well in protecting against consumer risks, including those arising from AI. For example:
The UK provides for certain statutory defences to traders against the equivalent of misleading and deceptive conduct provisions.
Australia’s consumer guarantees extend to all services (not just digital services / content as is the case in the EU, and we note there are no consumer guarantees for services in Singapore).
A consumer in Australia may have a longer period to seek a wide range of remedies for a defect based on the consumer guarantees, depending on what is reasonable. While there is a presumption of a defect if it occurs within the first 6 months (in the EU) after initial supply, the EU remedies are generally only available if the failure occurs within 2 years of supply, and in the UK different remedies apply depending on whether the defect occurred before or after the first 30 days of supply).
There is no right to compensation under the UK and Singaporean regimes.
Australia’s consumer protections also apply to some small business transactions (the EU consumer guarantees and unfair contract terms regimes do not apply to business-to-business transactions unless specified).
Conclusion
The findings of the Report reiterate how Australia’s mainly principles-based and technology-neutral laws (of which the ACL is one of many) can be leveraged and remain fit-for-purpose to address and respond to the potential harms and risks of AI through targeted amendments to address identified gaps without significant regulatory overhaul that risks being overly prescriptive and complex.
As with all technological change, consumers, suppliers and manufacturers of AI-enabled products and services must continue to educate themselves as to how these existing rights and obligations apply to them in an AI-context. Increased training and regulatory guidance can play a key role in clarifying the law’s application and assisting organisations in their understanding.
The Report complements a number of other reforms currently underway. This includes to the ACL in relation to unfair trading practices (including deceptive or manipulative online practices), and civil prohibitions and penalties to enhance the consumer guarantees and supplier indemnification arrangements, which are intended to further strengthen the operation of the ACL generally to both traditional goods and services and to AI. There is also the government’s broader reform agenda including in relation to cybersecurity, privacy, online safety, platform regulation and intellectual property, which may serve to supplement the way Australia regulates AI-related risks and harms.