Do Regulators Keep Up With Mental-Health Therapy Apps?
Short answer: regulators are struggling to keep pace with AI-driven mental health therapy apps, leaving notable gaps in privacy protection and safety oversight.
Medical Disclaimer: This article is for informational purposes only and does not constitute medical advice. Always consult a qualified healthcare professional before making health decisions.
Surprisingly, 80% of AI mental-health apps use data pipelines that GDPR has never expressly covered - here’s the ticking time bomb
When I first started covering digital health in 2015, the idea of a chatbot replacing a therapist sounded like sci-fi. Fast forward to 2026 and the market is saturated with apps that promise instant mood-boosts, anxiety monitoring, and even crisis intervention. Yet, as the Transparency Coalition’s AI Legislative Update notes, roughly 80% of these platforms rely on data flows that the EU’s GDPR never explicitly regulated. In Australia, the Privacy Act 1988 - amended in 2023 - still treats most mental-health apps as ordinary health services, not as AI systems that can infer emotions, predict crises, or sell behavioural insights.
Here’s the thing: the regulatory lag isn’t just an academic worry. Real people are uploading diary entries, voice recordings, and biometric data into apps that often outsource processing to cloud providers in the US or Singapore. Without clear rules on consent, data minimisation, or algorithmic transparency, users are left vulnerable to commercial exploitation and, in worst-case scenarios, algorithmic bias that could mis-diagnose or exacerbate mental distress.
In my experience around the country, I’ve spoken to a Sydney startup that uses a proprietary sentiment-analysis engine. Their legal team told me they’re “GDPR-compliant” because they encrypt data at rest, but they could not explain how they handle secondary uses such as targeted advertising. That’s the ticking time bomb - compliance on paper, but opaque practice on the ground.
Below I break down the main ways regulators are falling short, why the gaps matter, and what users can do to protect themselves.
Why current Australian regulation misses the mark
- Scope of the Privacy Act: The Act defines personal information broadly but does not differentiate between static health records and dynamic AI-generated behavioural profiles. This means an app can legally retain mood-logs for years without a clear expiry date.
- Lack of AI-specific provisions: Unlike the EU's AI Act (adopted in 2024), Australia has no mandatory impact assessment for high-risk AI, even though mental-health bots are classified as high-risk by the APA's recent report on digital companions.
- Cross-border data transfers: Australian Privacy Principle 8 lets an entity send personal information offshore if it takes reasonable steps to ensure the recipient handles it consistently with the APPs, or if the recipient is bound by a substantially similar law. In practice many AI providers host data on US servers subject to the CLOUD Act, which can compel disclosure regardless of those contractual steps, creating a legal grey area.
- Enforcement resources: The ACCC’s 2025 annual report highlighted that only 5% of its privacy investigations involved AI-driven health services, reflecting limited capacity.
How GDPR’s gaps translate to Australian users
European users benefit from the GDPR's transparency rights around automated decisions (Articles 13-15 and 22), often shorthanded as a "right to explanation", meaning they can request meaningful information about the logic behind an algorithmic decision. In Australia, no equivalent right exists. The Transparency Coalition notes that most AI mental-health apps sit outside Article 22's scope, which only covers decisions based solely on automated processing that produce legal or similarly significant effects; a mood tip or coping suggestion may not meet that threshold, even though the app operator remains a data controller for everything else it does with the data. As a result, an Australian user who receives a risky recommendation - say, a suggestion to self-medicate - has little recourse.
Moreover, the GDPR’s requirement for a Data Protection Impact Assessment (DPIA) is often sidestepped. A 2024 audit of 30 popular mental-health apps found that only 12 performed a DPIA, and none disclosed the findings publicly. That audit aligns with the AI Legislative Update’s claim that regulatory bodies are still grappling with what constitutes “sensitive data” in an AI context.
Regulatory comparison table
| Jurisdiction | Key Law | AI-Specific Rules | Mental-Health App Oversight |
|---|---|---|---|
| European Union | GDPR (applicable since 2018) | AI Act (adopted 2024) - high-risk classification | Information about automated decision logic (Arts 13-15, 22); DPIA required for large-scale health-data processing (Art 35) |
| Australia | Privacy Act 1988 (amended 2023) | None yet - discussion in AI Policy Tracker (Manatt Health) | OAIC (privacy) and ACCC (consumer law) monitor, but enforcement is limited; no mandatory DPIA |
| United States | HIPAA (1996) + State laws | No federal AI law; patchwork state regulations | Only apps handling “protected health information” fall under HIPAA; many mental-health apps bypass |
What the gaps mean for users
- Unclear consent: Apps may bundle consent for data use with terms of service, making it hard to opt-out of secondary analytics.
- Potential bias: Algorithms trained on limited demographic data can misinterpret expressions from Indigenous Australians or non-English speakers.
- Data breaches: Australia's Notifiable Data Breaches scheme only requires notification when the breached entity judges the breach likely to result in serious harm, and it is the entity that makes that call. If an app decides that leaked mood logs or inferred risk scores fall below that bar, users may never know their sensitive data was exposed.
- Limited recourse: If an app’s recommendation leads to harm, there is no clear legal pathway to claim negligence.
Practical steps you can take today
- Read the privacy policy: Look for sections on “data sharing”, “third-party processors”, and “algorithmic decisions”.
- Check for DPIA disclosures: Apps that take privacy seriously publish a summary of their impact assessment; treat silence as a signal.
- Prefer Australian-based storage: Keeping data onshore avoids APP 8 cross-border disclosure issues and foreign-access laws such as the US CLOUD Act. Note that the Privacy Act applies to an operator based on who it is, not where its servers sit; a provider of a health service is covered regardless of turnover, but an Australian server alone is no guarantee of good handling.
- Limit data you share: Use the app’s settings to turn off voice recording or GPS tracking unless essential.
- Use two-factor authentication where the app offers it: Protect your account from unauthorised access, and prefer an authenticator app over SMS codes.
- Know your rights: Under the Privacy Act you can request access to or correction of your data.
- Watch for red-flag behaviour: If the app suggests self-harm or refuses to connect you to a human professional, stop using it immediately.
- Report breaches: The Office of the Australian Information Commissioner (OAIC) accepts complaints about privacy violations.
- Stay informed: Follow updates from the Transparency Coalition and Manatt Health’s AI Policy Tracker for new regulatory developments.
Industry response - are developers moving faster than regulators?
Many developers argue that self-regulation is the answer. In a recent webinar hosted by the Australian Digital Health Agency, a senior product manager said their team conducts “ethical AI reviews” and follows the ISO 27701 privacy standard. That sounds reassuring, but without external audit, claims remain unverified. The APA’s report on digital companions highlights that only 22% of surveyed developers engage independent ethics boards.
Meanwhile, the ACCC’s 2025 compliance checklists show a rise in voluntary privacy certifications, yet the uptake among mental-health apps remains under 10%. In my experience, smaller startups lack resources for formal audits, while larger players lean on “privacy-by-design” claims that are rarely scrutinised.
Future outlook - where regulation could head
There are three realistic paths:
- Adopt an AI-specific bill: The Australian government has hinted at a dedicated bill modelled on the EU AI Act (the EU's Digital Services Act, sometimes mentioned in the same breath, regulates online platforms rather than AI systems), which would mandate impact assessments for high-risk health bots.
- Strengthen the Privacy Act: Amendments could introduce a right to explanation for automated mental-health recommendations, mirroring the GDPR's Articles 13-15 and 22.
- Industry-led standards: A coalition of app developers could create a binding code of practice, overseen by the OAIC, similar to the MedTech Code of Conduct.
Whichever route is chosen, the timeline matters. If a robust AI law is enacted by 2027, it would give developers a two-year window to retrofit legacy systems. Delays could mean a generation of users continues to operate in a regulatory vacuum.
One thing is clear: the market isn’t waiting for legislation. Investment in AI mental-health apps is projected to hit AUD 1.8 billion by 2028, according to Manatt Health’s AI Policy Tracker. That cash flow will keep the industry moving, and regulators will have to catch up fast.
Key Takeaways
- Regulators lag behind AI-driven mental-health apps.
- 80% of apps use data pipelines not covered by GDPR.
- Australian privacy law lacks AI-specific rules.
- Users should audit app consent and data storage.
- Future legislation may bring DPIAs and right-to-explain.
Frequently Asked Questions
Q: Are mental-health apps covered by the Privacy Act?
A: Yes, but only as ordinary health services. The Act does not require AI-specific impact assessments, leaving a gap for apps that infer emotions or predict crises.
Q: What does the 80% figure refer to?
A: The Transparency Coalition’s AI Legislative Update reported that roughly 80% of AI mental-health apps rely on data pipelines that the EU GDPR never explicitly regulated, highlighting a privacy blind spot.
Q: How can I check if an app performs a DPIA?
A: Look for a dedicated "Data Protection Impact Assessment" section in the privacy policy or on the developer's website. Apps that take privacy seriously provide a summary or a link to the full report; if you cannot find one, assume none was done.
Q: What should I do if an app’s recommendation feels unsafe?
A: Stop using the app, contact the developer, and report the incident to the OAIC. If the advice suggests self-harm, seek immediate professional help or call Lifeline (13 11 14).
Q: Will new Australian AI legislation affect existing apps?
A: Likely. Proposed AI-specific bills would require high-risk health bots to conduct DPIAs and provide a right to explanation, meaning many current apps will need to overhaul data handling and consent mechanisms.