Why Australian Businesses Can't Use US Transcription APIs Without Triggering APP 8
AssemblyAI, Deepgram, and OpenAI Whisper are excellent transcription services. But if your business is subject to the Australian Privacy Act and you send audio to any of them, you've just triggered APP 8 obligations, whether you realised it or not.
What is APP 8?
The Australian Privacy Principles (APPs) are a set of obligations under the Privacy Act 1988 (Cth) that govern how organisations collect, use, store, and disclose personal information. There are 13 principles in total. APP 8 is the one that deals specifically with cross-border disclosure: the act of sending personal information to a recipient located outside Australia.
Under APP 8, before an Australian entity discloses personal information to an overseas recipient, it must take reasonable steps to ensure the overseas recipient won't breach the APPs. In practice, this means either conducting due diligence on the overseas provider's privacy practices, obtaining explicit consent from the individuals whose data is being sent, or relying on a specific exemption (which rarely applies in commercial settings).
Critically, APP 8 does not require the overseas recipient to actually mishandle the data for a breach to occur. The obligation is triggered at the point of disclosure. If you send personal information overseas without meeting the requirements first, you're already in breach, regardless of what the overseas provider does with it.
How Using a US Transcription API Triggers APP 8
Audio recordings very commonly contain personal information. Meeting recordings include names, opinions, financial discussions, and health details. Customer call recordings are almost always personal information by definition. Even a dictated internal memo may include personal information about third parties.
When you call the AssemblyAI API, your audio file is sent to and processed on servers in the United States. Same with Deepgram (US-based infrastructure) and OpenAI's Whisper API (US-based). The moment that file crosses the border, if it contains personal information about an Australian individual, APP 8 is triggered. The Privacy Act defines "disclosure" broadly, and sending a file to a third-party API clearly meets the threshold.
Many developers aren't aware of this because APP 8 isn't prominently discussed in technical circles. It's easy to think "we have a DPA with the vendor" and call it done. But a Data Processing Agreement doesn't satisfy APP 8 on its own. The requirement is that the overseas recipient won't breach the APPs, which is a higher bar than just having a contract in place.
The core issue in plain English
If you record Australians and send that audio to a US server for transcription, you need to satisfy APP 8 before you do it. Most businesses don't. That makes every transcription job a potential Privacy Act breach.
What Are the Consequences?
The Office of the Australian Information Commissioner (OAIC) has powers to investigate, make determinations, and impose civil penalties for serious or repeated Privacy Act breaches. The Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Act 2022 significantly increased the maximum penalties: serious or repeated breaches can now attract civil penalties of up to $50 million (or more, if calculated as a multiple of benefit obtained).
For most businesses the immediate risk is not a $50 million fine. The more likely consequences are regulatory investigation if a breach is reported, the requirement to notify affected individuals under the Notifiable Data Breaches scheme, and the reputational damage that follows. Enterprise customers in regulated sectors (healthcare, legal, financial services, government) increasingly require Privacy Act compliance as a procurement condition. A single incident in any of those verticals can end a vendor relationship and trigger contract-level liability.
There's also a less dramatic but more common risk: your customers find out you're sending their data overseas and they're not happy about it. Australians are increasingly aware of data sovereignty. It's become a meaningful point of trust, particularly in healthcare, legal, and government contexts.
How Australian Data Residency Eliminates the Obligation
The cleanest solution is the simplest one: don't send the data overseas. If transcription is performed entirely within Australia, on Australian infrastructure, there is no cross-border disclosure, and APP 8 is never triggered. You stay within the Privacy Act framework without needing special contractual arrangements or individual consent.
Australian Transcription processes all audio exclusively on AWS infrastructure in Sydney, Australia. Your files are never routed to servers outside the country. Audio and transcripts are permanently deleted immediately after processing, with no retention. Because the data never leaves Australia, APP 8 cross-border obligations are never triggered.
This isn't just a compliance checkbox. It's a genuine architectural choice that makes your privacy obligations simpler. You don't need to conduct due diligence on an overseas vendor's APP compliance, negotiate special terms, or explain cross-border disclosure to your customers. The data stays in Australia. That's the whole answer.
How the API compares
Australian Transcription is an async REST API, similar in pattern to AssemblyAI and Deepgram. If you're already using either of those, the migration is straightforward: POST your file, poll for completion, retrieve the transcript. The difference is your data never leaves the country.
A Note on Exemptions and Edge Cases
There are some circumstances where sending personal information overseas might not trigger APP 8, or where the obligation can be managed. If the individual has expressly consented to the overseas disclosure (with full knowledge of where the data is going), that satisfies APP 8. Some entities operate under specific legislative exemptions. And if you can credibly argue the information is not "personal information" under the Privacy Act definition, APP 8 doesn't apply at all.
In practice, these are edge cases. Most businesses transcribing audio for commercial purposes are handling personal information, and getting consent from every individual mentioned in every recording is not operationally feasible. The pragmatic answer is to process in Australia and not have to rely on exemptions at all.
If you're in a regulated sector, get specific legal advice from a privacy lawyer. This article is intended to explain the technical and practical dimensions, not to substitute for legal counsel.