Does the Privacy Act apply when your business uses ChatGPT or Copilot?
Yes, if you hold personal information about customers, staff or patients and your turnover is $3 million or more, the Privacy Act 1988 and its 13 Australian Privacy Principles apply the moment that information goes into an AI tool. Businesses under $3 million turnover are likely exempt today, but the exemption is under review and client contracts often require compliance anyway.
The Australian Privacy Principles that matter most for AI
APP 6 governs how you use and disclose personal information, including feeding it to a third-party AI tool. APP 8 covers cross-border disclosure: if the tool processes data offshore, that is a disclosure you need to be able to name in your privacy policy. APP 10 expects reasonable steps to keep personal information accurate, which matters because generative AI can be confidently wrong. APP 11 requires reasonable security safeguards, and that obligation extends to how AI vendors handle your data.
Consumer tiers versus business tiers
The single biggest practical risk is staff using a free or consumer AI account instead of an approved business one. Consumer and free tiers commonly reserve the right to train models on user inputs; business and enterprise tiers usually contractually exclude this. It is one line in the terms of service and a large difference in risk, worth confirming before rollout rather than after.
What changes on 10 December 2026
New APP 1 amendments commence, requiring your privacy policy to disclose the kinds of personal information used in, and the types of decisions made by, computer programs where the decision could reasonably be expected to significantly affect a person's rights or interests. If AI output ever feeds a decision about a customer, employee or applicant, for example screening job applicants or approving a customer request, this is worth planning for now rather than in December.
How Blue Arc helps
We help clients choose the right AI tier for their business, confirm data-handling terms before rollout, and put a simple review step in place for AI output that affects people. See our overview of using AI safely in your Australian business, our managed services, or get in touch.
For the authoritative detail, see the OAIC's guidance on privacy and the use of commercially available AI products and its automated decision-making transparency guidance.
Frequently asked questions
Does the small-business exemption mean the Privacy Act does not apply to us?
If your turnover is under $3 million you are likely exempt today, but the exemption is under review and may be narrowed, and many client contracts require APP-level compliance regardless. Treat the APPs as good practice now rather than waiting for the exemption to be removed.
Can we use the free or consumer version of an AI tool?
Consumer and free tiers often reserve the right to train models on your inputs. Business and enterprise tiers usually contractually exclude this. Confirm which applies before staff put any customer or personal information into a tool.
What changes on 10 December 2026?
New APP 1 transparency rules commence, requiring your privacy policy to disclose automated decisions that could reasonably be expected to significantly affect a person's rights or interests. This applies whether or not the small-business exemption covers you.
Last reviewed: 1 July 2026. Privacy Act reform is ongoing; check the OAIC links above for the latest.