Australian Data Sovereignty & Privacy
You stay accountable for your customers' data even after it leaves your laptop. Asking four questions before you enable any connector keeps your AI team's handling of that data safe and defensible.
What data sovereignty really means
For an Australian SME it's not just where data sits — it's which laws apply, what the tool stores, and whether information moves to third parties through connectors.
Anthropic handling
Commercial (Team/Enterprise) content isn't used for training by default; consumer plans have a training toggle. By default, Anthropic may process traffic in several countries and store it in the US.
In-region deployment
Mainly via partner platforms — AWS Bedrock (incl. Sydney), Google Vertex AI, Microsoft Foundry. First-party regional controls are limited; don't assume an Australia-only region.
Zero Data Retention
Applies only to eligible API features — not generally to Claude Free, Pro, Max, or most Team/Enterprise product interfaces.
Directional as at June 2026 — re-verify against Anthropic's current data-residency docs and OAIC guidance before relying on it.
The Four-Question Check
Think of one connector you plan to use, answer the four questions, and get a go / caution / hold verdict.
The Australian rules to know
Privacy Act reforms
Higher penalties, a statutory tort for serious invasions of privacy (in force 10 June 2025), stronger APP 11 security, and automated-decision-making disclosure (from late 2026). The APPs apply above the A$3M turnover threshold.
APP 8 — cross-border
Before disclosing personal info overseas you must take reasonable steps to ensure the recipient doesn't breach the APPs — and you stay accountable. Processing through an overseas-hosted AI tool can be a "disclosure".
Practise in a sandbox. Don't paste real bank or customer details where you don't need to. Use least-privilege access, disclose overseas handling where required, and prefer in-region deployment for sensitive data. Educational only — confirm specifics with the OAIC and the legislation.