In Short
AI service agreements set the legal rules for how your business can use AI tools, including what data you can input, how outputs can be used, and who carries liability. If you enter personal information into AI systems, Australian privacy law applies and you remain responsible for any AI-generated content you rely on or publish. Most providers use standard terms you cannot negotiate, so you must assess whether they suit your business before use.
Tips for Businesses
Review AI providers’ terms before adopting tools, especially data use, commercial rights, and liability clauses. Avoid entering personal or confidential information into public AI systems. Update privacy notices, customer agreements, and internal AI policies to reflect AI use. Maintain human review of outputs and assess cross-border data risks.
Summary
This article explains AI service agreement requirements for Australian businesses using AI tools. It is prepared by LegalVision’s business lawyers, a commercial law firm that specialises in advising clients on technology, privacy, and commercial contract compliance.
Most AI providers offer standard terms that you cannot negotiate. You must carefully assess whether they suit your business needs before committing to the service.
If you enter personal information into AI systems, it triggers privacy obligations. You may need to complete a privacy impact assessment and obtain consent. You also remain liable for AI outputs used in your business, with particular risks around false information (hallucination) and copyright infringement.
This article outlines key legal risks in AI service agreements and the steps your business should take to manage privacy and liability.
Practical Tips for Your Business
When using AI tools in your operations, it is important to take practical steps to manage privacy, contractual, and liability risks. The following measures can help reduce exposure and support responsible use:
- do not input your personal information into public AI tools – the Office of the Australian Information Commissioner (OAIC) strongly advises against this due to privacy risks;
- check service agreements before you sell AI-generated content. Some providers restrict commercial use; and
- create clear AI policies and maintain human oversight to manage accuracy and liability risks.
What are AI Service Agreements?
When you use providers like OpenAI, Google, or Microsoft, you enter a contract with them that governs how you use their tools. These agreements specify what data you can input, how you use their tools, who owns the output and who carries the liability. Most providers use non-negotiable standard terms in agreements,for free or public versions.
Continue reading this article below the formCall 1300 544 755 for urgent assistance.
Otherwise, complete this form, and we will contact you within one business day.
General vs Personal Information
When using AI, it is important to be aware of the information you put in, such as:
- general information; and
- personal information.
When you input personal information, privacy law applies and you must meet compliance requirements. However, when you input general information, there are risks but fewer regulatory obligations.
Privacy Law Requirements
When You Enter Personal Information
If you enter personal information into an AI system, you must follow the OAIC’s guidance . You should understand several key principles in terms of personal information:
- your privacy policies must clearly disclose your AI use. This includes AI tools such as chatbots, automated decision-making systems and AI-powered customer service platforms;
- you can only use personal information for the primary purpose of which you originally collected it. For example, collecting a customer’s email address to send order confirmations is the primary purpose.;
- you can also use personal information for secondary purposes if:
- the individual consents; or
- the individual would reasonably expect the secondary use and it relates to the primary purpose.
You must understand “reasonable expectation” for compliance and prior to using it for a secondary purpose you must consider:
- your relationship with the individual;
- how you collected the information;
- what you told them at the time;
- whether the AI use relates to the original purpose; and
- community expectations about AI use in your industry.
For example, if you collect customer purchase history to fulfil orders (primary purpose), you can use that data to train an AI recommendation system if it improves the customer’s shopping experience and relates to your service. However, if you use the same data to train a general AI model unrelated to your service, it would not be reasonably expected.
Required Documentation
If you use AI with personal information, you should implement:
- privacy impact assessments using the OAIC’s tool;
- an internal AI policy within your business;
- updated privacy policies reflecting AI use and data handling; and
- human oversight of AI outputs containing personal information.
Sensitive Information Considerations
You must take extra care when entering sensitive or health information into AI. The OAIC indicates it would be “difficult to establish” reasonable expectations for secondary AI use given AI’s unique characteristics and community concerns.
Healthcare practitioners handle health information and must comply with AHPRA requirements. The AHPRA requires practitioners to:
- obtain informed consent before using AI tools for processing patient health information;
- maintain professional responsibility for all AI-generated medical content; and
- document consent for AI use in patient medical records.
Reviewing contracts across your business? Download this free checklist to ensure clear terms, fair risk allocation and stronger commercial outcomes
Commercial Use and Output Ownership
AI service agreements vary significantly in commercial use permissions.
Free or public versions often:
- restrict commercial use; and
- limit data input; and
- use your outputs to train and improve their models
Paid enterprise versions offer:
- broader usage rights;
- better privacy protections;
- allows you to own the outputs; and include opt-outs from using your data for training purposes.
However, the ownership of AI-generated content remains legally complex in Australia. Even if service agreements grant you ownership of outputs, copyright law does not recognise protection for AI-generated content. You also risk copyright infringement if the AI reproduces protected material from its training data.
What are the Risks to Your Business
AI Hallucination and Accuracy
AI can generate false information that appears credible (hallucinations). The Australian Competition and Consumer Commission (ACCC) monitors businesses that publish false AI-generated information, so you must review content before publishing AI outputs.
Using Customer Data for AI Training
If you use customer information to train AI models, you must consider the following legal requirements. Your customer agreements may:
- contain provisions that restrict AI use or
- limit data use only to providing the agreed services.
If you use customer data for AI training, it may breach these agreements.
You should review your customer agreements and update them if necessary. If your agreement prohibits AI use, you must not use customer data to train AI.
Cross-Border Data Transfer
Most AI providers process data overseas through international data centres and cloud infrastructure. For example:
- OpenAI processes data through servers in the United States; and
- Google and Microsoft use global data centre networks across multiple countries.
When you use personal information in these AI tools, you must take reasonable steps to ensure overseas recipients protect personal information according to Australian Privacy Principles. You remain accountable for any privacy breaches that occur overseas.
Key Takeaways
AI service agreements create unique legal challenges requiring careful management. You usually cannot negotiate most agreements and carefully review them before implementation.
You must distinguish between general and personal information use, as personal information triggers significant privacy obligations.
Regulators such as OAIC and ACCC actively monitor AI-generated content. If you take proactive steps now, you avoid future compliance issues.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced AI lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.
Frequently Asked Questions
It may be better if you treat “de-identified” data as personal information. Even with de-identification efforts, there remains a risk that data could be linked back to individuals, particularly with evolving AI technology.
Yes, you remain responsible for the AI outputs your business provides to others, including liability for inaccurate information and copyright infringement. The ACCC monitors businesses publishing false AI-generated information; therefore, making human verification essential.
We appreciate your feedback – your submission has been successfully received.
