May 29, 2026

Who Else Is Hearing Your Meetings? AI Notetakers, Discovery and Data Sovereignty

The Unintended Cost of Convenience

An AI notetaker now sits in meetings that no one would once have thought to record. Management discussions, project reviews, client calls and case conferences are captured word for word and stored without a second thought. Each of those records is discoverable, and each one may be held by a third party, somewhere offshore. The convenience took a moment. The exposure can last for years.

Introduction

AI transcription has become a feature of ordinary working life. It is embedded in Microsoft Teams, Zoom and Webex and offered by a growing list of standalone assistants, and it runs in management meetings, project reviews, client calls and interviews, switched on by people who see a productivity tool rather than a governance decision. Board meetings are part of this, and they were among the first places the risk was named. In May 2025 the Australian Institute of Company Directors and the Governance Institute of Australia cautioned directors about it in their joint statement on minutes and AI.¹  The caution was written for boards. What it describes applies to any meeting that uses the technology.


The law already applies across all of it. The Privacy Act and the Australian Privacy Principles govern any use of AI that involves personal information, and in October 2024 the Office of the Australian Information Commissioner published guidance confirming as much, with the plain instruction that AI products should not be used simply because they are available.²  The risks sit in three layers. There is a legal risk, because the record is discoverable. There is a data risk, because of how the provider stores and uses it. And there is a sovereignty risk, because of where it lives.


These tools default to recording and retention. A verbatim account is easy to create and hard to find or destroy once it sits in a vendor's cloud. The question is no longer confined to any one room. It belongs to every meeting in the organisation, and most organisations have not yet noticed.

The Problem

The record that outlives the meeting

A recording or transcript that is retained is discoverable and admissible as evidence.³  Australian courts give weight to the contemporaneous record.⁴  That principle reaches well past formal minutes. Transcripts of management meetings, project reviews and client calls can be produced in litigation, in a regulatory review, in an employment dispute, or under freedom of information for public sector bodies. A remark made while thinking aloud, captured word for word, can be read back years later in a setting its author never imagined.


The competing record

Risk sharpens when two records of the same meeting exist and do not agree. The formal minute or file note is concise and considered. The transcript is long and literal. Where they diverge, an adverse party can rely on the fuller version and ask why the formal record left something out.⁵  Any team that keeps a proper record and also retains an AI transcript carries that exposure, whether it is a board, an executive committee or a project group.


Who holds the data, and how it is used

The recording rarely stays in-house. Commercially available AI tools store and process meeting content on the provider's systems, and some use customer content to improve or train their models unless that setting is turned off. The OAIC's guidance makes clear that organisations remain accountable under the Privacy Act when they deploy these products, and that privacy must be built in rather than assumed.⁶  The Voluntary AI Safety Standard asks for transparency, data governance and record-keeping across the AI supply chain.⁷  Consent is a live problem, because participants are often unaware a tool is even recording. That is the precise question at the centre of the Otter.ai class action in the United States.⁸


Where the data lives, and how it is secured

Many providers host data offshore. Under Australian Privacy Principle 8 and section 16C of the Privacy Act, an organisation that discloses personal information to an overseas recipient must take reasonable steps to ensure the recipient complies with the Privacy Principles, and remains accountable if it does not.⁹  Data held offshore may also fall within a foreign jurisdiction's access regime. A transcript store is a security target in its own right. If the provider is breached, the organisation may face obligations under the Notifiable Data Breaches scheme,¹⁰  and a regulated entity may face a cascade of further reporting under its prudential information security standard and the Cyber Security Act 2024.¹¹  Few organisations can say where their meeting data is held, who can reach it, or whether it has left the country.

The Case

Consider a company that has enabled an AI notetaker across its management and project meetings. The transcripts save time and accumulate quietly in the meeting platform. A project steering group discusses a safety concern, and a manager, testing the issue out loud, suggests the risk is overstated and the schedule should hold. The group resolves to seek further assurance, and the project record notes that decision and the reason for it. That is an accurate account of a careful process.


Two years later the risk materialises. A regulator and a claimant both seek documents, and the transcript is produced. The manager's aside, stripped of the discussion around it, now reads as an organisation that saw the danger and pressed on. The formal record and the literal transcript tell different stories, and the company must account for the gap. The transcript also shows the tool was a third-party service hosted offshore, which opens a second front on privacy and data security.


The supporting authority is settled. In the James Hardie proceedings the High Court treated the company's contemporaneous record as strong evidence of what had occurred, in preference to later recollection.¹²  A second, fuller record does not help the organisation that created it. Recordings made in a meeting can be admitted into evidence, including where participants knew of the recording and continued, as the Supreme Court of New South Wales accepted in Brown v Etna Developments.¹³  And the tools themselves are already in court over how they record and retain what they hear.¹⁴  The same risk attaches to any meeting captured this way.

The Solution

Decide where AI notetakers may operate, and where they must not

Set a clear rule on which meetings may be transcribed, in any part of the organisation. Default the tools off for legal advice, investigations, sensitive personnel matters and any privileged discussion.¹⁵


Keep one authoritative record

The minute, file note or report is the record. Recordings, transcripts and AI drafts are working materials, governed by a retention and destruction policy and destroyed once the record is settled, unless a legal hold requires otherwise.¹⁶


Do due diligence on the provider before adoption

Establish where the data is stored, who can access it, whether it is used to train the provider's models, what security certifications apply, and what the contract permits. Turn off training on customer content. Treat overseas hosting as a cross-border disclosure that engages Privacy Principle 8 and its accountability rule.¹⁷


Build privacy and consent in

Conduct a privacy impact assessment, update privacy notices, and tell participants when a meeting is being recorded. The regulator expects privacy by design, not adoption by default.¹⁸

Secure the data and prepare for incidents

Apply the organisation's information security controls to transcript stores, and map the reporting that a provider breach would trigger, including the Notifiable Data Breaches scheme and, for regulated entities, prudential and Cyber Security Act obligations.¹⁹


Govern it at enterprise level, with board oversight

This is an information governance policy owned across the organisation, not a fix for any single forum, with the board assured that it exists and works. A director's duty of care extends to oversight of material risks of this kind.²⁰

Questions Boards Should Be Asking

Before the organisation relies on AI notetakers in any of its meetings, directors should be able to answer the following:


  1. Across the organisation, which meetings are being recorded or transcribed by AI tools, and on whose authority?
  2. Where is that data stored, who can access it, and is any of it held or processed outside Australia?
  3. Can the provider use meeting content to train its models, and has that been disabled?
  4. What does the retention policy require for recordings, transcripts and AI drafts, and when are they destroyed?
  5. Is recording disabled for legal advice, investigations and other sensitive matters, so that privilege and confidentiality are preserved?
  6. If a transcript were produced in litigation, a regulatory review or a data breach tomorrow, what would it expose?

Conclusion

Any meeting that uses this technology creates a record that is discoverable, held by someone else, and possibly offshore, and the organisation that made it often cannot say where it sits or who can read it. Board meetings drew the first attention, but the exposure runs through management meetings, project reviews and client calls alike. The convenience is real, but it is not free. Directors and executives should be able to show they decided, deliberately, what is recorded across the organisation, where it is kept, how it is secured, and when it is destroyed. The organisations that govern this now will not be explaining it later.

Governance in Practice

Khanterin Partners advises organisations on the governance of AI-assisted meeting records, including recording policy, retention, vendor due diligence and data sovereignty. Engagements are led by the firm's principal advisor, supported where needed by specialist content partners with law enforcement and intelligence backgrounds. The firm helps organisations settle these controls before a record is created that they would later wish they did not hold.

Bibliography

  1. Australian Institute of Company Directors and Governance Institute of Australia, Effective Board Minutes and the Use of AI: A Joint Statement (May 2025).
  2. Office of the Australian Information Commissioner, Guidance on Privacy and the Use of Commercially Available AI Products (21 October 2024).
  3. Australian Institute of Company Directors and Governance Institute of Australia, above n 1.
  4. Australian Securities and Investments Commission v Hellicar (2012) 247 CLR 345.
  5. Australian Institute of Company Directors and Governance Institute of Australia, above n 1.
  6. Office of the Australian Information Commissioner, above n 2.
  7. Department of Industry, Science and Resources, Voluntary AI Safety Standard (September 2024).
  8. In re Otter.ai Inc Privacy Litigation (US District Court, Northern District of California, commenced 2025).
  9. Privacy Act 1988 (Cth) Australian Privacy Principle 8 and s 16C.
  10. Privacy Act 1988 (Cth) pt IIIC.
  11. Australian Prudential Regulation Authority, Prudential Standard CPS 234 Information Security (2019); Cyber Security Act 2024 (Cth).
  12. Australian Securities and Investments Commission v Hellicar, above n 4.
  13. Brown v Etna Developments Pty Ltd (Surveillance Devices) [2025] NSWSC 218.
  14. In re Otter.ai Inc Privacy Litigation, above n 8.
  15. Australian Institute of Company Directors and Governance Institute of Australia, above n 1; Office of the Australian Information Commissioner, above n 2.
  16. Australian Institute of Company Directors and Governance Institute of Australia, above n 1.
  17. Office of the Australian Information Commissioner, above n 2; Privacy Act 1988 (Cth) Australian Privacy Principle 8 and s 16C, above n 9.
  18. Office of the Australian Information Commissioner, above n 2; Department of Industry, Science and Resources, above n 7.
  19. Privacy Act 1988 (Cth) pt IIIC, above n 10; Australian Prudential Regulation Authority and Cyber Security Act 2024 (Cth), above n 11.
  20. Corporations Act 2001 (Cth) s 180.
