South Australia just made deepfakes a criminal offence. The federal fix still hasn't arrived.

On 3 November 2025, South Australia became the first Australian state with standalone criminal laws specifically targeting deepfake creation for non-consensual purposes. If you create or distribute AI-generated imagery of a real person without their consent, with intent to humiliate, degrade, or sexually exploit, you're now looking at criminal penalties in SA.

In Queensland, doing the exact same thing is not covered by any specific deepfake law.

Same country. Same technology. Different rules.

I've been watching Australia's AI governance picture piece together for about two years now, and the deepfake situation is one of the clearer examples of what "regulatory lag" actually looks like in practice. Not abstract. Genuinely patchwork, in a way that creates real problems for victims trying to seek redress, and real uncertainty for businesses trying to figure out what they're allowed to do.

This article is about where things actually stand, what the federal path looks like, and what businesses using AI-generated content need to start thinking about.

What South Australia's law actually does

SA's Criminal Law Consolidation (Intimate Image Abuse and Deepfakes) Amendment Act came into effect on 3 November 2025. The headline is criminal penalties: creating or distributing non-consensual deepfake imagery for the purpose of humiliating, degrading, or sexually exploiting a real person is now a criminal offence in South Australia.

The law doesn't stop at obvious sexual imagery. It also covers violent depictions designed to humiliate or intimidate. And it explicitly captures AI-generated content, not just manipulated photos or video. That matters because a lot of existing intimate-image-abuse legislation in other states was drafted before generative AI made it trivially easy to create convincing synthetic imagery from scratch.

A few things worth noting about the scope. The law is targeted at non-consensual creation for harmful purposes. It doesn't criminalise satire, political commentary, or artistic expression in a blanket way. (Whether the line between satire and harassment will be clear in practice is a different conversation, but the intent of the drafters was to avoid an overbroad law.) It also creates both criminal liability for creators and civil remedies for victims, which means there are two enforcement pathways.

The criminal pathway is what makes this different from what existed before. Previously, most Australian states handled deepfake-related harm through existing harassment or intimate image laws, which often required the content to have been distributed broadly, or required proof of specific intent that was hard to establish. SA's approach creates a cleaner basis for prosecution.

The eSafety picture

Before SA's law came into effect, the main federal enforcement mechanism for deepfake-related harm was the eSafety Commissioner, whose powers under the Online Safety Act extend to overseas operators serving Australian users.

In May 2026, the Commissioner took enforcement action against an Argentina-based AI nudify service that was drawing around 40,000 Australian visits per month. (A nudify service, for anyone who hasn't encountered this category of product: these are tools that generate fake sexualised images of real people using uploaded photos.) Penalties under the Online Safety Act can reach $49.5 million for platform operators who fail to comply with removal notices.

That enforcement action is important context for SA's new laws, because it shows that the regulatory machinery is moving. eSafety isn't waiting for perfect federal legislation before acting. But there's a practical limit to what the Commissioner can do. eSafety focuses on platforms and distribution. It's less suited to the situation where someone creates deepfake content and doesn't publish it on a platform, or where they create it on a platform based in a jurisdiction with limited cooperation agreements.

Criminal law fills that gap, at least at the state level, and at least in SA.

The federal patchwork problem

Here's where things get complicated for anyone who doesn't live in South Australia.

Victoria has some protections under existing image-based abuse legislation. NSW has some coverage too. But most of Australia doesn't have specific deepfake legislation. Queensland, Western Australia, Tasmania, the Northern Territory: no standalone deepfake criminal law.

The obvious problem with state-based regulation for internet crimes is the jurisdictional mismatch. Someone in Queensland can create a deepfake targeting a person in South Australia, and SA's criminal law has limited reach over conduct that occurs entirely in Queensland. Cross-border enforcement in Australian criminal law is complicated at the best of times, and digital content crosses state lines instantaneously.

Senator David Pocock has been trying to address this at the federal level. In November 2025, he introduced the "My Face, My Rights" bill in the Australian Senate. The bill proposes amendments to both the Online Safety Act and the Privacy Act that would give all Australians an explicit legal right over the use of their face and voice in AI-generated content. Not just criminal penalties, but a positive right: your face and your voice are yours, and using them without consent in AI-generated content creates a legal cause of action regardless of which state the content was created in.

The bill also proposes expanded takedown powers and stronger penalties for platforms that don't act quickly on removal requests. (Pocock's bill announcement, November 2025)

It's a well-structured piece of legislation. The framing of an explicit personal right over biometric identity is interesting from a legal architecture perspective, because it creates a property-like interest that doesn't depend on proving harm in the same way a tort claim would. Whether that framing survives committee is another matter. Private senators' bills face a difficult path, and this one is complex enough that it's attracted significant legal attention and a fair amount of debate about implementation detail.

As of June 2026, the bill is in committee. It hasn't passed.

Collective Shout and other victim advocacy groups have been supportive of the federal approach, framing the existing state laws as inadequate precisely because of the cross-border gap. (Collective Shout on the federal bill, December 2025) Their position is straightforward: if you're a victim in Queensland, SA's new law doesn't help you.

What this means if you're running a business

I want to be direct about this section, because I think there's a tendency in articles like this one to treat "what this means for businesses" as a kind of boilerplate obligation that gets filled with generic advice. This matters for specific reasons.

If you're using AI tools to create marketing content, you need to think about two things that probably aren't on your current checklist.

Consent documentation for AI-generated likenesses. If your marketing team is using AI to generate imagery that depicts real people (including AI-generated faces that are modelled on or resemble specific individuals), or if you're using AI voice tools to generate voiceovers using someone's actual voice, you need consent and you need to document it. This isn't new in principle, but the legal framework is shifting in a way that makes informal arrangements inadequate. Under SA's law, non-consensual creation for humiliating or degrading purposes is a criminal offence. That's a higher standard than "we didn't ask but we assumed it was fine."

I'll put this plainly: we've had clients at Webcoda who've asked about using AI tools to generate marketing imagery "based on" real public figures or brand ambassadors. The answer has always been to get explicit written consent and to document what was agreed. That's now more important than ever, and I'd suggest extending that practice to any AI-generated human likeness, not just cases where you're clearly working with a recognisable person.

Third-party AI tool liability and the Privacy Act. This is the one that catches businesses by surprise. If you're using a third-party AI tool that processes images of real people, including images you've uploaded or that your users have uploaded, you may have obligations under the Australian Privacy Act regardless of whether you think of yourself as being in the deepfake space.

The Privacy Act applies to organisations with annual turnover above $3 million. Under APP 8.1, if your vendor is processing Australian personal data and has inadequate safeguards, and a breach occurs, you may have Notifiable Data Breach obligations. This isn't specific to deepfakes, but the nudify enforcement action in May 2026 is a reminder that the eSafety Commissioner and the OAIC are both looking at this space, and they're looking at the Australian businesses that are directing traffic to problematic platforms, not just the platforms themselves.

Check your AI tool vendor agreements. Specifically: what data retention policies do they have for uploaded images? What happens if their system is used to generate non-consensual content by other users? What are their commitments around the training data they're using? If those answers aren't in your vendor contract, ask for them in writing before the next contract renewal.

The defamation angle. This one often gets overlooked. Non-sexual deepfakes that depict real people in false and damaging scenarios can also ground defamation claims under existing Australian law, independently of any specific deepfake legislation. If a business created or commissioned AI-generated content that depicted a competitor's executive in a false and damaging scenario, that's not just a potential regulatory issue. It's a potential defamation action. The SA criminal law is new; the defamation exposure is not.

The compliance question for national businesses

Here's the practical problem that SA's law creates for any business operating nationally: you need to comply with the strictest standard in any jurisdiction where your content is distributed or where affected people are located. That's always been true of Australian state law in principle, but the deepfake criminal law makes it concrete in a way that IP-based content rules often didn't.

A business based in Queensland that creates AI imagery for a national campaign, where some audience members are in South Australia, is in the SA law's scope if that imagery depicts real people without consent and meets the harmful-purpose threshold. Whether SA prosecutors would pursue that scenario is a different question. But the legal exposure exists.

The sensible approach is to apply SA's standard nationally, because it's the tightest standard currently in force. Don't create or commission AI-generated imagery of real people without documented consent. Don't use AI voice tools to replicate someone's actual voice without consent. Review your third-party AI vendor arrangements.

That's not a burdensome standard. It's what good practice looked like before SA's law, and it's what the law now requires in the most regulated Australian jurisdiction.

Where this is going

My read of the federal picture is this: Pocock's bill is important as a policy document even if it doesn't pass in the current form, because it's establishing the architecture that federal legislation will eventually follow. The combination of an explicit personal right over biometric identity plus expanded eSafety takedown powers is a sensible framework, and I'd expect to see it or something close to it in eventual federal legislation.

But "eventually" is doing a lot of work in that sentence.

The state-by-state pattern we're seeing with deepfakes has happened before in Australian law. Privacy protections, image-based abuse laws, defamation reform: these things tend to happen at the state level first, then inconsistently, then eventually at the federal level after the patchwork becomes obviously unworkable. We're in the patchwork phase.

My read of it, plainly: federal deepfake legislation won't pass in the current parliamentary term, and Pocock's bill won't make it out of committee in its current form. Not because there's no political will for the outcome, but because the implementation complexity of a biometric personal right is significant, and the federal government has other legislative priorities. The state laws will do the work in the interim, and they'll do it imperfectly.

I'd genuinely like to be wrong about that. The federal framework Pocock is proposing is better than the state-by-state approach for all the reasons I've outlined. But I'm not going to pretend the legislative timeline looks encouraging.

In the meantime: if you're a business creating AI-generated content of real people, assume SA's standard applies to you regardless of where you're based. Get consent in writing. Check your vendor contracts. If you're a victim in a state without specific deepfake legislation, defamation law and the eSafety Commissioner's enforcement powers are your current pathways.

South Australia moved first. They won't be the last. The question for every other state and the federal government is how long they're comfortable leaving that gap open.

Key takeaways

For businesses using AI-generated content:

• Get written consent for any AI imagery or voice work involving real people, and document it
• Review third-party AI tool vendor contracts for data retention and safeguards obligations
• Apply SA's standard nationally, not just in SA, for any content that depicts real identifiable people
• Check your Privacy Act obligations if your AI vendors handle uploaded images of people

On the regulatory picture:

• SA's criminal law (effective 3 November 2025) is the tightest Australian standard currently in force
• Victoria and NSW have some protections; most other states don't have specific deepfake legislation
• Senator Pocock's "My Face, My Rights" federal bill is in committee but hasn't passed
• eSafety Commissioner enforcement under the Online Safety Act applies to overseas platforms serving Australian users, with penalties up to $49.5 million
• Defamation law is a parallel remedy, independent of specific deepfake legislation

On the federal path:

• The patchwork will likely persist through the current parliamentary term
• Federal legislation, when it comes, will probably follow the architecture Pocock's bill establishes
• Until then, compliance with the strictest state standard is the safest approach

Related Article37 min read

Privacy Act 2025: How AI Website Analytics Affect Australian Business Compliance

The Privacy Act 2025 overhaul slashes penalties, adds statutory torts, and forces new APP disclosures on AI analytics stacks before the OAIC demands...

Read full article

---