Overview

Personal information carries specific legal obligations at every stage of its lifecycle. How it is collected, held, used, transferred and commercialised, and deidentified or deleted when its collection purposes have ended determines regulatory exposure, enterprise value and reputational standing. The obligations apply across the public, private and NFP sectors and to any organisation that handles personal information and the Australian enforcement environment is intensifying.

We advise major corporations, government agencies, regulated entities, multinationals and boards on the full spectrum of privacy and data law, from compliance frameworks and governance through to regulatory response, cross-border transactions, mergers and acquisitions and contested assignments.

Areas of expertise

Our experience

Artrya – Cross-border health data, US market entry and EU medical dataset acquisition

Advised Australian AI-driven cardiovascular diagnostics company Artrya on two significant cross-border data assignments. First, its software services agreement and HIPAA/HITECH data security addendum with Tanner Medical Center (US), advising on the intersection of Australian, US federal, Delaware and Georgia state law, with a focus on HIPAA compliance, indemnity regimes, IP protections and data residency requirements. Second, a cross-border data acquisition involving EU medical datasets to underpin Artrya's AI research and regulatory pipeline, requiring GDPR compliance, cross-jurisdictional IP structuring and commercial negotiation for digital health data.

icetana – Multi-jurisdictional AI privacy and data compliance

Advised Australian AI surveillance and analytics company icetana on the legal and regulatory treatment of AI-based technologies and data privacy obligations across seven jurisdictions: Australia, Asia-Pacific, the United States, the United Kingdom, Europe and selected Middle Eastern markets. Work addressed biometric technologies, automated decision-making compliance and AI privacy obligations. Produced a multi-jurisdictional regulatory map and a standardised library of privacy and cybersecurity responses for use across channel partners and enterprise clients in public safety, hospitality, education and event venue sectors.

Brisbane Airport Corporation – Biometric technology and privacy compliance

Advised on a multi-phase privacy compliance and biometric technology program supporting the adoption of facial recognition technology and body-worn cameras across airport security operations. Work covered privacy impact assessments, compliance frameworks under the Privacy Act, regulatory risk management and the governance arrangements required to deploy novel biometric security solutions in aviation and public infrastructure.

Stryker Australia – IP, R&D and cross-border patient data

Advised one of the world's leading medical technology companies on collaborative research arrangements, IP protection and commercialisation, and cross-border patient data privacy compliance across Australian and international frameworks. Our work with Stryker included an extended in-house secondment supporting Stryker's R&D function.

National service provider – Major data breach

Advised a large national service provider on its response to a widespread customer data breach. Led the incident response legal workstream, managed notification obligations under the Notifiable Data Breaches scheme, coordinated engagement with the OAIC and guided communications strategy to manage regulatory and reputational exposure across multiple stakeholder groups simultaneously.

Financial services entity – CDR implementation

Advised a financial services entity in obtaining Consumer Data Right accreditation and building the required data sharing architecture. Provided ongoing compliance engagement with the ACCC and OAIC and assisted with consumer consent framework design and data sharing obligation management.

Multinational services group – Cross-border data transfers

Advised a multinational services group on establishing compliant international data transfer frameworks, implementing standard contractual clauses and intra-group data sharing agreements to govern the transfer of Australian personal data to jurisdictions without equivalent privacy protections.

National not-for-profit – Privacy breach response

Advised a national not-for-profit on mandatory breach notification obligations under the Notifiable Data Breaches scheme, regulator engagement with the OAIC and stakeholder communications strategy following a data incident involving member information.

Global retail and luxury goods groups – Workplace privacy and surveillance

Advised a global luxury goods group and a major international fashion retailer on compliance with Australian privacy and workplace surveillance laws across retail operations. Work covered surveillance policy design, CCTV compliance, employee and customer consent frameworks and alignment with global data standards.

Prominent Australian sports club – Privacy complaint

Advised a prominent Australian sports club in responding to a privacy complaint filed with a national regulator. Work involved analysis of the club's data practices, regulator engagement to address the complaint and design of a resolution strategy.