
What Are the Risks of Using AI as an APP Entity?

Artificial intelligence (AI) has revolutionised how businesses use technology, opening up new possibilities for automation and efficiency. However, it is essential to understand what obligations your business may have under the Australian Privacy Principles (APPs) that may affect how you can utilise AI in providing your goods or services. This article explains the key risks of using AI where your business is considered an “APP entity”.

What Are the Australian Privacy Principles (APPs)?

Where your business is an APP entity, you must comply with the 13 principles set out in the Privacy Act, which govern how your business may: 

  • collect; 
  • use;
  • disclose; and 
  • store personal information. 

The APPs also state how individuals can access and correct their personal information, and they require APP entities to have a privacy policy that contains specific details.

What is Personal Information?

Personal information refers to any information or opinion which identifies a person or makes them reasonably identifiable.

For example, personal information may include a person’s:

  • name;
  • address;
  • email;
  • telephone number; 
  • photograph; and
  • profession.

What is an APP Entity?

An APP entity is a business legally required to comply with Australian Privacy Principles.

You will be considered an APP entity if your business generates more than $3 million in annual turnover. You will also be an APP entity if you generate $3 million or less in annual turnover, but you:

  • provide a health service and hold health information other than in an employee record;
  • buy or sell personal information; or 
  • are contracted to provide services under a Commonwealth contract. 

Note that if you are a Commonwealth contract service provider, your compliance obligations will only apply to the activities for the Commonwealth contract. 

Key Risks of Using AI as an APP Entity

Every business should take compliance with Australian privacy laws seriously, particularly APP entities. With the rise of AI, the need for privacy protection has never been more important. The following are the key APPs that every APP entity should know before using AI in conducting their business.

Australian Privacy Principle 6: Use and Disclosure

APP 6 outlines when an APP entity can use or disclose personal information. Under this principle, APP entities are only permitted to use or disclose personal information for the reason it was collected, also known as the “primary purpose”.

There are only specific situations where an APP entity may be permitted to use or disclose personal information for a “secondary purpose”. Those exceptions include:

  • where the individual would reasonably expect the APP entity to use or disclose their personal information for a secondary purpose, and that purpose is related to the primary purpose of collection, or in the case of sensitive information, directly related to the primary purpose;
  • where the individual has given consent to a secondary use or disclosure; and
  • where the secondary use or disclosure is required by law or court order. 

Generally, the primary purpose of collection will be to provide services to a customer, and using technologies to assist in that purpose would be permissible. However, you still have obligations to ensure any third parties you engage treat personal information securely.

For example, a retail store may collect a customer’s name, contact details, order history and payment information to handle their complaint and provide them with a refund. However, if the retailer then used this information for market analysis, they would have used it for reasons other than the primary purpose. 

Similarly, using personal information to train an AI model is likely a secondary purpose, for which one of the exceptions must exist.

As an APP entity, it is essential that if you intend on using or disclosing personal information to AI, you clearly set this out in your privacy policy or privacy collection notice.

Australian Privacy Principle 8: Overseas Disclosure

APP 8 outlines the steps an APP entity must take to protect personal information before it is disclosed overseas. It creates an obligation on businesses to take reasonable steps to ensure that any overseas recipient of personal information does not breach the APPs concerning the information.

When using AI as an APP entity, it is essential to note that most AI models store their data overseas. Therefore, when inputting information into AI, you have obligations under this APP and will be accountable for any acts or practices of the AI model concerning the information that would breach the APPs.

There are some exceptions to the requirements in this APP which include:

  • reasonable belief that the overseas recipient is subject to laws substantially similar to the APPs;
  • consent from the individual; and 
  • if required by law. 

However, these exceptions will not apply to notifiable data breaches.

Australian Privacy Principle 11: Security

Under APP 11, an APP entity must take reasonable steps to protect the personal information it holds from: 

  • misuse;
  • interference; 
  • loss; 
  • unauthorised access; 
  • modification; and 
  • disclosure. 

There is also an obligation on the APP entity to destroy or de-identify personal information in certain circumstances.

Using personal information to train third-party generative AI or providing such information to a generative AI that does not adequately protect that information may cause your business to breach this APP. Therefore, you should avoid disclosing personal information to AI or, at the very least, de-identify any information inputted.

Key Takeaways 

Any APP entity looking to incorporate AI into their business offering must understand their obligations under Australian privacy law when using and disclosing their customers’ personal information. While exceptions will apply in some instances, generally, APP entities must ensure they are only using and disclosing personal information for the primary purpose it is collected. They must clearly state they use AI in their privacy policy and must have measures to protect the information inputted into the AI. 

If you need help with your obligations under Australian privacy laws, our experienced artificial intelligence lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What is personal information?

Personal information is any information or opinion which identifies a person or makes them reasonably identifiable.

How many Australian Privacy Principles are there?

The Privacy Act sets out 13 principles for APP entities to comply with.

Paris Roditis
