Personal information carries specific legal obligations at every stage of its lifecycle. How it is collected, held, used, transferred and commercialised, and deidentified or deleted when its collection purposes have ended determines regulatory exposure, enterprise value and reputational standing. The obligations apply across the public, private and NFP sectors and to any organisation that handles personal information and the Australian enforcement environment is intensifying.
We advise major corporations, government agencies, regulated entities, multinationals and boards on the full spectrum of privacy and data law, from compliance frameworks and governance through to regulatory response, cross-border transactions, mergers and acquisitions and contested assignments.
Areas of expertise
The Australian Privacy Principles (APPs) impose specific obligations on collection, use, disclosure, storage and access that apply across every interaction with personal information. The Office of the Australian Information Commissioner's (OAIC) enforcement posture has sharpened, and the Privacy Act reform agenda, already partly in force, continues to expand obligations across industry and government stakeholders.
We advise on APP compliance frameworks, privacy policy design and mandatory breach notification under the federal or state Notifiable Data Breaches schemes. We manage engagement with privacy regulators across investigations, complaints and enforcement proceedings. We also advise on sector-specific privacy regimes in financial services, health, government and telecommunications, where obligations layer on top of the Privacy Act and carry independent enforcement consequences.
Australian privacy obligations interact with the EU's and UK's GDPR, US HIPAA and state-level frameworks, and a growing number of Asia-Pacific privacy regimes. Getting cross-border data transfer arrangements wrong carries regulatory exposure across multiple jurisdictions simultaneously.
We structure compliant international data transfer frameworks including standard contractual clauses, binding corporate rules and intra-group data sharing agreements. We advise on adequacy assessments, data localisation requirements and the privacy implications of cross-border cloud and SaaS arrangements. Our work covers health data transfers into the US market (including HIPAA and HITECH compliance), EU medical dataset acquisitions under GDPR, and multi-jurisdictional AI regulatory mapping across Australia, Asia-Pacific, the US, UK, Europe and the Middle East.
Boards and senior executives carry exposure for systemic privacy failures. Privacy Act reforms have sharpened this with an expanded penalty regime and clarification of APP11 including technical and organisational measures increasing the consequence of governance failures at the most senior level.
We advise on board-level privacy governance including oversight frameworks, risk reporting structures, privacy officer mandates and the intersection of privacy obligations with director duties. We act across listed companies, regulated financial institutions, government entities and major employers. Where governance failures are alleged, we advise on investigation management, privilege protection and regulatory response.
Health information carries the most stringent protections under Australian law. The obligations apply to hospitals, health insurers, life sciences companies, medical technology providers and AI-driven diagnostics platforms.
Beyond health, other high-value data such as biometric data, financial data, government identifiers, children's data, and information about religious or political affiliation each attract specific responsibilities and carry elevated risk on mishandling or a data breach.
We advise on privacy impact assessments, privacy management frameworks, and data handling for health and aged care providers, AI-driven medical platforms, biometric technology deployments and organisations handling sensitive personal information, whether across regulated sectors including financial services, government and media, or unregulated sectors such as retail, workplaces and transportation.
Mandatory notification under the Privacy Act's Notifiable Data Breaches scheme requires a legal assessment of whether a threshold has been met, a determination of who must be notified and when, and the preparation of communications that satisfy the Act without creating additional liability. The window for these decisions is compressed. Getting them wrong carries regulatory and reputational consequences that are compounded by delay.
We advise on the full notification process: assessing whether an eligible data breach has occurred, advising on timing and content of notices to the Office of the Australian Information Commissioner and affected individuals, and structuring stakeholder communications to manage regulatory and reputational risk in parallel. Notification advice is conducted under privilege and integrated with the incident response legal workstream. We also advise on post-notification engagement with the OAIC and on the interaction between notification obligations under Australian law and equivalent obligations in other jurisdictions where cross-border incidents require coordinated responses.
Monetising data requires legal architecture that keeps the value intact and the risk contained. Licensing arrangements, access agreements and commercialisation structures must address ownership and user rights, consent, anonymisation, regulatory compliance and risk allocation when data is used or shared downstream.
We structure data licensing and access arrangements, advise on data monetisation strategies and design the governance frameworks that make commercial data use defensible. In financial services and energy, we support clients through Consumer Data Right accreditation, data sharing obligation design, consumer consent frameworks and engagement with the ACCC and OAIC. As the CDR expands to further sectors, the compliance architecture required grows in complexity and consequence.
Employers collect substantial personal information about their workforce. Monitoring systems, CCTV, biometric identifiers, performance analytics and remote work technologies engage privacy obligations that most employers have not fully mapped.
We advise on workplace surveillance compliance across state and territory legislation, monitoring and tracking arrangements, biometric collection for access and security purposes, and employee data governance framework design. Work is often conducted alongside our Employment and Safety practice where the issues intersect.
Privacy Impact Assessments (PIA) are required before many technology deployments, system changes and data-sharing arrangements, and are increasingly expected by regulators as evidence of genuine compliance effort. A well-conducted PIA identifies risk before it becomes liability and structures mitigation in a form that withstands regulatory scrutiny.
We conduct privacy impact assessments for technology deployments, digital transformation programs, biometric systems, AI-driven tools and government data initiatives. We design internal privacy governance frameworks including policies, accountability structures, training programs and data registers. This work is integrated with our broader compliance and regulatory engagement practice, ensuring frameworks reflect the current state of the law and are defensible under examination.
Large-scale digital transformation, cloud migration, system integration and data platform programs generate privacy and data governance obligations that must be addressed during design and delivery, not resolved after go-live. The contracts that govern these programs, the data architectures they establish and the consent and retention frameworks they embed determine legal exposure for the life of the arrangement.
We advise on the privacy and data dimensions of technology procurement, cloud and SaaS contracts, outsourcing arrangements and major digital transformation programs. Work includes assessing privacy exposure in M&A due diligence, managing data obligations arising on restructuring, and maintaining privilege over data breach assessments and regulatory investigation materials. Where data disputes escalate, we work with our Arbitration, Litigation and Dispute Resolution and Class Actions practices on the full range of contested assignments.
We assist buyers and targets to assess compliance with privacy laws, data handling and information security policies and practices, management and reporting of historical or current privacy breaches or complaints, the scope and effectiveness of data breach response plans, compliance with cross-border disclosure requirements, potential regulatory, litigation, or enforcement action relating to privacy or data security, and to identify and mitigate risks that legacy data or systems may pose in compliance or integration, post-acquisition. We advise on notification obligations, integration planning, and ongoing privacy compliance to assist with reducing regulatory and reputational risks through the transaction and post-completion.
Thomsons advises the world’s leading technology, payments and digital asset companies on data privacy architecture for blockchain and tokenised products. We design frameworks that align distributed ledger systems with Australian and global privacy laws, compliance settings and regulator expectations. Our work covers permissioning, data flow mapping, cross-border personal data transfers, and privacy by design principles for decentralised networks, smart contracts, exchanges and custody. We integrate privacy controls and breach notification pathways with token, product and platform governance, anticipating regulatory change and supporting scalable, compliant market entry.
Our experience
Artrya – Cross-border health data, US market entry and EU medical dataset acquisition
Advised Australian AI-driven cardiovascular diagnostics company Artrya on two significant cross-border data assignments. First, its software services agreement and HIPAA/HITECH data security addendum with Tanner Medical Center (US), advising on the intersection of Australian, US federal, Delaware and Georgia state law, with a focus on HIPAA compliance, indemnity regimes, IP protections and data residency requirements. Second, a cross-border data acquisition involving EU medical datasets to underpin Artrya's AI research and regulatory pipeline, requiring GDPR compliance, cross-jurisdictional IP structuring and commercial negotiation for digital health data.
icetana – Multi-jurisdictional AI privacy and data compliance
Advised Australian AI surveillance and analytics company icetana on the legal and regulatory treatment of AI-based technologies and data privacy obligations across seven jurisdictions: Australia, Asia-Pacific, the United States, the United Kingdom, Europe and selected Middle Eastern markets. Work addressed biometric technologies, automated decision-making compliance and AI privacy obligations. Produced a multi-jurisdictional regulatory map and a standardised library of privacy and cybersecurity responses for use across channel partners and enterprise clients in public safety, hospitality, education and event venue sectors.
Brisbane Airport Corporation – Biometric technology and privacy compliance
Advised on a multi-phase privacy compliance and biometric technology program supporting the adoption of facial recognition technology and body-worn cameras across airport security operations. Work covered privacy impact assessments, compliance frameworks under the Privacy Act, regulatory risk management and the governance arrangements required to deploy novel biometric security solutions in aviation and public infrastructure.
Stryker Australia – IP, R&D and cross-border patient data
Advised one of the world's leading medical technology companies on collaborative research arrangements, IP protection and commercialisation, and cross-border patient data privacy compliance across Australian and international frameworks. Our work with Stryker included an extended in-house secondment supporting Stryker's R&D function.
National service provider – Major data breach
Advised a large national service provider on its response to a widespread customer data breach. Led the incident response legal workstream, managed notification obligations under the Notifiable Data Breaches scheme, coordinated engagement with the OAIC and guided communications strategy to manage regulatory and reputational exposure across multiple stakeholder groups simultaneously.
Financial services entity – CDR implementation
Advised a financial services entity in obtaining Consumer Data Right accreditation and building the required data sharing architecture. Provided ongoing compliance engagement with the ACCC and OAIC and assisted with consumer consent framework design and data sharing obligation management.
Multinational services group – Cross-border data transfers
Advised a multinational services group on establishing compliant international data transfer frameworks, implementing standard contractual clauses and intra-group data sharing agreements to govern the transfer of Australian personal data to jurisdictions without equivalent privacy protections.
National not-for-profit – Privacy breach response
Advised a national not-for-profit on mandatory breach notification obligations under the Notifiable Data Breaches scheme, regulator engagement with the OAIC and stakeholder communications strategy following a data incident involving member information.
Global retail and luxury goods groups – Workplace privacy and surveillance
Advised a global luxury goods group and a major international fashion retailer on compliance with Australian privacy and workplace surveillance laws across retail operations. Work covered surveillance policy design, CCTV compliance, employee and customer consent frameworks and alignment with global data standards.
Prominent Australian sports club – Privacy complaint
Advised a prominent Australian sports club in responding to a privacy complaint filed with a national regulator. Work involved analysis of the club's data practices, regulator engagement to address the complaint and design of a resolution strategy.