ChatGPT for Australian Lawyers: What the Privacy Act Means for Your Practice

ChatGPT is not a tool built for legal practice. It has no knowledge of professional privilege, no understanding of confidentiality obligations, and no way of knowing that the document you just pasted contains client information. What it does have is broad capability for drafting, summarising, and analysing text, which is genuinely useful for lawyers when used appropriately.

This article describes what happens to data when you use ChatGPT, how Australian privacy law applies to that, and what safer configurations look like for legal practice. It does not provide legal or professional advice. Your relevant state Law Society and the Law Council of Australia are the authoritative sources for your professional obligations regarding AI use.

What Happens to Your Data in ChatGPT

ChatGPT is operated by OpenAI, a US company. Data you enter into ChatGPT is sent to and processed on OpenAI's US-based infrastructure. The key data handling differences by plan, according to OpenAI's published policies as at June 2026:

• ChatGPT Free: Conversations may be used to train OpenAI models by default. Users can opt out in Settings, but the default is training-on.
• ChatGPT Plus (~AUD $30/month): Same default as Free: conversations may be used for training unless you opt out. The opt-out is in Settings, not enabled by default. This means many users on the Plus plan are unknowingly contributing their conversations to model training.
• ChatGPT Team (~AUD $45/user/month): Training on your conversations is disabled by default. Your conversations are not used to train OpenAI models. Data is still processed on OpenAI's US infrastructure.
• ChatGPT Enterprise: No training on your conversations. Additional data processing agreements available. Contact pricing.

Verify current terms at openai.com/policies/privacy-policy before relying on this summary, as these terms can change.

The Privacy Act APP 8 Issue

When a lawyer using ChatGPT enters information about a client that includes personal information (the client's name, contact details, financial position, health information, or other information about an identifiable individual), that information is being disclosed to an overseas recipient: OpenAI, a US company.

The OAIC's guidance on APP 8 outlines the obligations that apply before disclosing personal information to overseas recipients. In summary, the disclosing entity must either take reasonable steps to ensure the overseas recipient does not breach the APPs, or the individual must consent to the disclosure after being informed of the consequences. The OAIC guidance is the authoritative source on this: OAIC: Sending personal information overseas.

For most law firms using ChatGPT for client work, this means understanding what personal information is entering the tool and whether the firm has a basis to make that disclosure.

Professional Privilege: A Separate and Open Question

Professional legal privilege is separate from the Privacy Act. Privilege protects confidential communications between a lawyer and client made for the purpose of giving or receiving legal advice. Disclosing privileged communications to a third party may affect privilege, depending on the circumstances and applicable professional conduct rules.

Whether using ChatGPT with client information affects professional privilege is a live and unsettled issue in Australian legal practice. The Law Council of Australia and relevant state Law Societies are the appropriate bodies to consult on this question. Their guidance takes precedence over anything on this site. Law Council guidance: lawcouncil.asn.au.

Safe Uses of ChatGPT in Legal Practice

The tasks that create the least data risk are those that do not involve entering client-specific information into ChatGPT at all:

• Drafting standard documents from scratch: Describe the type of document and the key terms you need. No client information needs to enter the prompt.
• Summarising publicly available material: Legislation, government consultation documents, publicly available court judgments.
• Preparing generic templates: Email templates, engagement letter frameworks, internal policy documents not tied to a specific client matter.
• Editing and improving your own draft text: If you have already written the substance and are refining language, keep client-identifying details out of what you paste into ChatGPT.
• Research starting points: Identifying relevant legal concepts, statutory frameworks, and general case law direction. Always verify through AustLII, Jade, Westlaw, or LexisNexis before relying on any output.

Uses That Carry Higher Risk

The following uses carry greater risk and warrant more careful consideration before proceeding:

• Uploading or pasting client files: Contracts, letters, statements, medical records, or any document that identifies a client and contains their personal information.
• Entering specific client matter details: Names of parties, financial figures tied to a specific transaction, facts of a particular dispute.
• Drafting advice on client-specific legal questions: Where the prompt necessarily identifies the client and their situation.
• Using ChatGPT Plus for any of the above: The Plus plan's default training setting means this information may be used to improve OpenAI's models unless the opt-out is enabled.

Choosing the Right Plan for Your Practice

For a sole practitioner or small firm using ChatGPT, the minimum appropriate configuration for any task involving client information is ChatGPT Team, which disables training on conversations by default. ChatGPT Enterprise provides additional data processing commitments for larger firms.

If staff are using ChatGPT Plus for work tasks, they may be on a plan that trains on their conversations by default. Confirm the current setting by checking the Data Controls section in ChatGPT Settings. Verify this at the account level, as the setting is per account, not per device.

An alternative worth considering is Claude for Teams (Anthropic), which also does not train on conversations by default and has a 200,000-token context window suited to long documents. Pricing is comparable to ChatGPT Team. The same APP 8 analysis applies to Claude: it is also US-based.

Australian Considerations

Summary of the Australian-specific points for law firms using ChatGPT:

• Privacy Act APP 8: Applies when personal information about clients or individuals enters ChatGPT (a US-hosted service). The OAIC's guidance on cross-border disclosures is the primary reference: oaic.gov.au.
• Professional obligations: The Law Council of Australia and your state Law Society are the authoritative sources for how professional conduct obligations interact with AI use. lawcouncil.asn.au.
• Court guidance: Some Australian courts are issuing practice notes on AI use in proceedings and submissions. Check practice directions for any court in which you appear.
• Privacy policy for your clients: If your firm's privacy policy does not currently disclose that personal information may be shared with AI tool vendors, consider whether an update is warranted.

Related reading: our can staff upload customer data to AI tools and our Claude AI review for Australian business.

Can Australian lawyers use ChatGPT for client work?

AI tools including ChatGPT can assist with drafting and research tasks, but the appropriateness depends on what data you are entering and which plan you are using. ChatGPT Plus trains on conversations by default. ChatGPT Team and Enterprise do not. Entering client personal information into any US-hosted AI tool triggers Privacy Act APP 8 considerations. Your state Law Society and the Law Council of Australia are the authoritative sources for your professional obligations regarding AI use.

Does ChatGPT Plus train on my conversations?

According to OpenAI's published policies as at June 2026, ChatGPT Plus conversations may be used to train OpenAI's models by default. Users can disable this in Settings under Data Controls. The opt-out is not enabled by default. ChatGPT Team and Enterprise plans do not use your conversations for training by default. Verify the current position at openai.com/policies/privacy-policy, as these terms can change.

What is APP 8 and why does it apply to ChatGPT use?

APP 8 is Australian Privacy Principle 8, which governs the cross-border disclosure of personal information under Australia's Privacy Act 1988. When personal information about an individual is disclosed to an overseas recipient, such as a US-based AI service, APP 8 imposes obligations on the disclosing entity. The OAIC has published guidance on what is required: oaic.gov.au. This guidance, not this article, is the authoritative source on what the obligation requires.

Is there a version of ChatGPT that is safer for legal use?

ChatGPT Team and Enterprise disable training on your conversations by default, which addresses one of the main concerns with the consumer Plus plan. Enterprise also provides additional data processing agreements. Neither version offers Australian data hosting. Both process data on US-based infrastructure, which means APP 8 still applies when personal information is involved. For some law firms, the safer configuration is to use AI only for tasks that do not require entering client personal information, regardless of which plan is used.

Should law firms update their privacy policies to mention AI tools?

This is a question for your firm's privacy adviser rather than a content site. The OAIC has noted that businesses should be transparent with individuals about how their personal information is handled, including when it is shared with third-party service providers. If your firm's current privacy policy does not disclose the use of AI tools that process personal information, consider whether an update is consistent with your obligations under APP 1 (which requires an up-to-date privacy policy). The OAIC's guidance on privacy policies is available at oaic.gov.au.