Do you know what your organisation's apps are collecting? BlackFlag Advisory's passive app assessment surfaces trackers, cross-border transfers and Privacy Act gaps — no systems accessed.

Request an Assessment →

Mobile Apps & the Australian Privacy Principles:
What Your Apps Are Doing Without You

Every Australian organisation that uses mobile applications — whether customer-facing, staff-deployed, or both — is operating within a privacy compliance framework that most have never examined. The Australian Privacy Principles, established under the Privacy Act 1988 (Cth) and significantly strengthened by the Privacy and Other Legislation Amendment Act 2024, place direct obligations on organisations for the personal information their technology ecosystem collects. The apps in that ecosystem are not exempt.

The practical problem is that most organisations have no idea what their apps are actually doing. A field service app approved by an IT manager three years ago may be transmitting staff location data to servers in Singapore. A customer-facing booking app may embed advertising trackers that send behavioural data to third parties in the United States. A productivity app installed informally on a staff member's device under a BYOD policy may request microphone and contact access with no disclosed purpose. None of this is visible without looking. Most organisations have never looked.

What You Need to Understand

  • The Australian Privacy Principles apply to the apps your organisation uses, not just the data you consciously collect
  • APP 8 requires you to take reasonable steps before transferring personal information to overseas recipients — including via third-party apps
  • Maximum penalties for a serious interference with privacy are the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover (in force since December 2022); the 2024 amendments added a mid-tier civil penalty and infringement notices for breaches that fall short of "serious", so conduct that previously attracted no penalty now can
  • App Store privacy labels and developer privacy policies are frequently incomplete, inaccurate, or both
  • BYOD environments create specific exposure where personal devices carry organisational data through apps the organisation has never assessed

What the Australian Privacy Principles Actually Require

The 13 Australian Privacy Principles, which replaced the Information Privacy Principles and National Privacy Principles in March 2014, establish a comprehensive framework for how APP entities must handle personal information. APP entities include most private sector organisations with an annual turnover exceeding $3 million, most Australian Government agencies, and a number of other organisations regardless of turnover (health service providers and those that trade in personal information, among others). The 2024 amendments did not raise the bar for a serious breach; they set out the factors that make an interference with privacy serious and added lower-tier civil penalties and infringement notices for breaches that fall short of that bar, so the range of conduct that can be penalised is now substantially wider.

The principles most directly relevant to mobile app usage are APP 1 (open and transparent management of personal information), APP 3 (collection of solicited personal information), APP 5 (notification of collection), APP 6 (use and disclosure), APP 8 (cross-border disclosure), and APP 11 (security of personal information). Each of these creates specific obligations that mobile app usage can breach without the organisation ever having made a deliberate decision to breach them.

APP 1: Open and Transparent Management

APP 1 requires organisations to have a clearly expressed, up-to-date privacy policy that describes how they manage personal information. Critically, that policy must describe the kinds of personal information collected, the purposes for which it is collected, and whether it is likely to be disclosed to overseas recipients. An organisation whose apps collect data that is not described in its privacy policy is in breach of APP 1 — regardless of whether that collection was intentional. The app is collecting on your behalf. The obligation is yours.

In practice, most Australian organisations have privacy policies that describe their conscious data collection practices — form submissions, account registrations, payment processing. Almost none describe the data flows created by their app ecosystem. This is not a minor gap. It is a direct, observable breach that any privacy regulator can identify by reading the policy and comparing it to what the apps are actually doing.

APP 8: Cross-Border Disclosure

APP 8 is the principle most consistently engaged by mobile app usage. Before an APP entity discloses personal information to an overseas recipient, APP 8.1 requires it to take reasonable steps to ensure the recipient does not breach the APPs in relation to that information, unless one of the APP 8.2 exceptions applies (for example, the individual has consented after being expressly informed that APP 8.1 will not apply, or the entity reasonably believes the recipient is bound by a substantially similar law that the individual can enforce). Under section 16C the entity remains accountable for how the overseas recipient handles the information. The critical word is "disclosure". The OAIC's guidance treats information sent to a provider that merely stores or processes it under the entity's effective control as a "use" rather than a disclosure, but data that a third-party SDK sends to its own vendor for the vendor's purposes (analytics, advertising, profiling) is a disclosure, and it is the SDK vendor's server location, not the organisation's, that determines whether the recipient is overseas.

Most apps used by Australian organisations send data overseas. Analytics SDKs send behavioural data to US servers. Push notification services (APNs, FCM) are run by Apple and Google on infrastructure outside Australia, so device tokens and notification content leave the country. Cloud storage backends may be hosted in Singapore, Ireland or elsewhere. None of this is inherently prohibited. All of it creates obligations under APP 8 that most organisations have never identified, let alone addressed.

The 2024 Amendment Consequence

The Privacy and Other Legislation Amendment Act 2024 did not create the headline penalty: the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover for a serious interference with privacy has applied since the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 commenced in December 2022. What the 2024 Act did was recast section 13G so that a single "serious" interference, assessed against listed factors, is penalisable; add a mid-tier civil penalty for interferences with privacy that are not serious; and add infringement notices for specified administrative breaches. The OAIC's enforcement posture has shifted materially. Organisations that have never assessed their app ecosystem are carrying unquantified exposure under a significantly more aggressive regulatory framework than existed two years ago. Source: OAIC, Privacy Act Reform: Key Changes, 2024.

What a Passive App Assessment Finds

A structured passive assessment of an organisation's mobile app portfolio uses publicly available data sources, including Apple App Privacy labels and Google Play Data safety declarations, Exodus Privacy tracker databases, AppCensus analysis, and developer corporate intelligence, to surface what an app is actually doing without accessing any organisational systems or the app itself. Because the assessment relies on what the developer declares and what public analysis has observed, it establishes a floor, not a ceiling, for an app's data collection. The findings consistently identify issues that the organisations involved were entirely unaware of.

01 Embedded Trackers: Third-party advertising, analytics and behavioural tracking SDKs embedded in apps that have no disclosed commercial justification for their presence in an enterprise context.
02 Excessive Permissions: Requests for microphone, location, contacts or camera access that exceed what the app's stated function requires, and that are not disclosed in the privacy policy or store listing.
03 Undisclosed Cross-Border Transfers: Data transmission to servers in the United States, Singapore, Ireland or other jurisdictions, with no reference to the transfer, its destination or the resulting APP 8 obligations in the developer's privacy policy.
04 Unverifiable Developer Identity: Developer entities that cannot be traced to a registered legal entity in ASIC or an equivalent foreign registry, leaving no counterparty against which to enforce contractual privacy obligations or pursue remedies after a breach.
05 CVE-Flagged Components: Known vulnerabilities in identified app dependencies cross-referenced against the CISA Known Exploited Vulnerabilities (KEV) catalog. A KEV match means the vulnerability is being exploited in the wild, not merely that it exists; absence from KEV is not evidence that a vulnerable component is safe.
06 Policy Non-Compliance: Developer privacy policies assessed against all 13 APPs, identifying where the policy fails to meet minimum disclosure requirements or contradicts the app's actual data practices.

The BYOD Problem

Bring Your Own Device policies create a specific and frequently unexamined privacy exposure. When staff use personal devices for work purposes, the apps on those devices — installed for personal reasons, not organisational ones — may have access to organisational data. A personal productivity app that syncs contacts may ingest client contact details. A navigation app that accesses location history may create records of where staff have been with clients. A personal cloud storage app that offers to back up documents may capture organisational files.

The Privacy Act does not provide a BYOD exemption. If organisational data, including personal information about clients, customers, or employees, flows through personal devices and the apps on them, the organisation's privacy obligations apply to that data regardless of the device it travels on. The one exemption sometimes raised, the employee records exemption in section 7B(3), is narrow: it covers only a private sector employer's records about its own current and former employees, it does not extend to client or customer information, and it does not apply to agencies. Most BYOD policies in Australian organisations have never addressed this. Most have never assessed the apps on the personal devices used for work. The exposure is real and largely unexamined.

What Genuine App Governance Looks Like

Organisations that have genuinely addressed their app privacy obligations have three things in common. First, they have an accurate inventory of every app used for organisational purposes — including staff-installed apps on personal devices used for work. Second, each app in that inventory has been assessed against the APPs, with documented findings and a risk rating. Third, the organisation's privacy policy accurately reflects the data flows created by the app ecosystem, including overseas disclosures and the identities of third-party recipients.

Very few Australian organisations can demonstrate all three. The gap between this standard and common practice is wide, and it is a gap that the OAIC is increasingly equipped and motivated to identify.

BlackFlag Advisory Mobile App Assessment

BlackFlag Advisory's passive mobile app assessment surfaces exactly what is publicly visible about any app your organisation uses — permissions, embedded trackers, cross-border data flows, developer identity, and APP compliance gaps. No systems are accessed. Findings are consolidated into a structured risk register mapped to all 13 Australian Privacy Principles, with a Board-ready executive summary and a prioritised remediation roadmap. For organisations with multiple apps, a portfolio assessment provides a consolidated risk-ranked scorecard across the entire app catalogue. See blackflagadvisory.com.au/pricing for fixed-price options.

The Practical Starting Point

For most organisations, the practical starting point is an honest inventory. List every app used in the organisation — approved enterprise deployments, apps installed informally by staff, and apps used on personal devices for work purposes. For each, identify what personal information it has access to, where that information is sent, and whether your privacy policy discloses that data flow. The gap between what that exercise reveals and what your privacy policy says is your current APP exposure.

The next step is assessment. Not every app requires the same level of scrutiny — an app that handles client personal information, processes payments, or accesses sensitive organisational data warrants a more thorough assessment than a utility app with no data access. A risk-ranked approach that prioritises high-exposure apps is both practical and defensible as evidence of due diligence. What is not defensible is having done nothing — and discovering the gap when a regulator or a breach forces the question.

Do You Know What Your Apps
Are Actually Doing?

A BlackFlag Advisory mobile app assessment gives your Board a clear, evidenced picture of your app privacy exposure — before the OAIC, a journalist, or a breach forces the question.

Request an Assessment →

What the Assessment Covers

Every BlackFlag Advisory app assessment maps findings to all 13 Australian Privacy Principles, identifies cross-border disclosure obligations under APP 8, surfaces embedded trackers and excessive permissions, and delivers a Board-ready executive summary with a prioritised remediation roadmap. Fixed price. Delivered within five business days. No systems accessed.