Data protection in Australia

King & Wood Mallesons

King & Wood Mallesons advises an array of major global companies on data protection compliance, projects, and regulatory investigations, with standout work on behalf of Facebook, BHP, and Australian government institutions. Sydney-based partner Scott Farrell advised the Treasury on its proposed open banking regime, a complex project including potential legislation and an implementation framework, reflecting his expertise in the data protection space. Elsewhere, the team has notable expertise in blockchain, financial services, and e-commerce data protection matters, and has a successful record on compliance with Australian and international regulatory authorities. In Melbourne, Renae Lattey heads up the practice, while Cheng Lim works with major public and private sector clients on data security and privacy concerns, and Michael Swinson focuses on data economy and transactions. Sydney’s Patrick Gunning has particular experience in the gaming and health sectors, and focuses on the application of data privacy legislation to innovation technology, such as payment platforms, as well as government digital transformation projects.

Practice head(s):

Renae Lattey

Key clients

  • Facebook
  • Australian Government, The Treasury
  • BHP
  • Department of Health (Commonwealth of Australia)
  • GenesisCare

Work highlights

  • Advising the Australian Treasury  on the appropriate model for an “open banking” regime in Australia.
  • Advising Facebook on a number of highly sensitive regulatory matters, including in relation to the ACCC’s Digital Platforms Inquiry, and also in relation to the many follow-on items arising from the Government’s subsequent review and proposed policy changes.
  • Advising BHP’s global Data Protection and Privacy Office, providing global strategic compliance advice.


Allens has a broad dedicated data offering, advising high-profile corporate clients on a broad range of data issues, ranging from compliance and data governance to transactional data, commercialisation, and investigations. The team keeps track of and advises clients on emerging issues within the space, including strategic use of data, data as an asset, and data-driven automated decision-making in the consumer sector. Gavin Smith heads up the firm's TMT and data teams and has particular expertise in data surveillance and enforcement issues in the telecommunications sector, as well as working on life-cycle data governance issues. Valeska Bloch is a dedicated data and cybersecurity lawyer, advising on data commercialisation, the formulation of data compliant products, and data-driven M&A issues, as well as contributing extensively to thought leadership on the topic.

Practice head(s):

Gavin Smith

Other key lawyers:

Valeska Bloch


‘I have been repeatedly impressed by the way in which the team at Allens navigate the complexity of all areas of Australian privacy and data protection law. The expertise, quality, and pragmatism of advice provided by Allens, together with the efficiency and value of the services we receive, have consistently enabled sound assessments and decisions to be made by our business – and in-turn has cemented Allens as one of our trusted legal advisors.’

‘The team has been able to consistently demonstrate a huge depth of knowledge of Data Protection and Privacy law. They have also proven to us that that can get the right balance of compliance with the law and the commercial realities of a business, and in particular a fast-growing technology business.’

‘Available, commercial, and engaging. Open to discussing learning experience and knowledge, and investing in the relationship. Technically adept.’

The team at Allens is phenomenal in regards to data protection. I am incredibly impressed by not only how up to date they are in the field, but how they are significantly ahead of legislation in their advice on best practice in a very commercial manner. Their work is very collaborative, they understand the nuances of their clients’ businesses and how the implications of data legislation and regulation interact specifically with their clients’ objectives. The biggest differentiator I have seen apart from their superior knowledge in the area is their forward approach to providing tailored advice from understanding the specifics of their clients’ needs. In an ever-evolving data world, this is absolutely fundamental to success. Allens take this seriously and have done so better than any other firm I have engaged.’

‘Allens has helped on very complex matters with the potential of public scrutiny. Their professionalism and honesty no matter how bad a situation is is appreciated.’

Key clients

Commonwealth Bank of Australia

Kentucky Fried Chicken





National Australia Bank

Commonwealth Bank of Australia

ASX Limited

Data Republic

Work highlights

  • Advised on all aspects of Westpac’s white-labelled digital banking as a service business, advising on data governance and handling issues, including the application of GDPR and drafting a Data Handling Protocol to govern the project.
  • Advised MedicalDirector on the creation of a new data insights platform for the use of aggregated and de-identified data to create new data insights in health.
  • Advised Canva in relation to its 2019 data breach, which impacted approximately 139 million users and is one of the largest data breaches suffered by an Australian company.

Corrs Chambers Westgarth

Corrs Chambers Westgarth acts on major contentious and non-contentious data-related matters for a range of high-profile clients in the financial services, technology, and retail sectors, with work encompassing policy reviews, privacy compliance and complaints, data access and security issues, and litigation relating to data breaches. Alongside its corporate work, the team also advises national and foreign governments on Australian legal considerations and projects. Sydney-based partner James North heads up the team and supports major corporates on business-critical projects and compliance issues, as well as advising on data elements of transactions. Also in Sydney, the 'fantasticEugenia Kolivos specialises in privacy work and has won praise from a wide range of clients. Philip Catania in Melbourne advises on data-related transactions and privacy proceedings, while Perth-based Helen Clarke works on data breaches, commercialisation issues, and advises multinational businesses on global privacy considerations. Melbourne's Arvind Dixit is highly active in the e-commerce space.

Practice head(s):

James North


‘Corrs always provide practical advice on all matters relating to privacy, data protection, and IP. They understand the real-world constraints we work under and the evolving nature of the risks we face.’

‘Eugenia Kolivos is fantastic. She is very responsive – including after hours.’

‘Eugenia always understands the commercial imperatives, and always works to provide practical and workable business solutions. She is never a “handbrake” and always works with us to ensure we achieve our business outcomes in a compliant and practical manner.’

‘Eugenia is absolutely lovely to work with. She is always available, very responsive, and most importantly a fantastic lawyer who we really value as one of our external advisors.’

Key clients



Queensland Government




Water Corporation

Victorian Government



Super Retail Group

Collins Foods


Work highlights

  • Advising on all aspects of ING’s implementation of the new consumer data right regime which implements open banking in Australia.
  • Undertaking a full privacy and data audit of Flybuys’ programmatic business including in relation to arrangements with third party data suppliers, DSPs, DMPs, and other ad tech participants, and advising on structuring of arrangements in relation to digital identity management.
  • Advised the Victorian State Government on the creation of a consolidated API gateway (the first of its kind for the Victorian government) for government departments and agencies to share datasets across government and to developers.

Gilbert + Tobin

Gilbert + Tobin advises several household name clients in the financial services and technology sectors on data and privacy considerations, with a focus on regulatory investigations, contentious proceedings, and risk management. The practice leans on multidisciplinary experience and collaborates closely with the firm's disputes, technology, and regulatory practices. A broad team is led from Sydney by Tim Gole, a technology specialist who regularly advises corporates on data protection and compliance matters, alongside transactional support, and Michael Williams, who utilises his intellectual property and cyber expertise to advise clients on risk management issues, including data breaches and self-notification to authorities.

Practice head(s):

Tim Gole; Michael Williams

Key clients

Westpac Banking Corporation




NSW Government – Transport for New South Wales


Macquarie Bank

NSW Government – eHealth

Toys ‘R Us

Qudos Bank

BCI Media Group

Work highlights

  • Advised HealthEngine in response to a regulatory investigation, including settlement proceedings, relating to its presentation of patient reviews and sharing of patient information with third parties.
  • Advised Velocity on the ACCC’s review and investigation into customer loyalty schemes. A major component of the ACCC’s investigation involved reviewing the collection, use and disclosure of consumer data by loyalty.
  • Acting for Qudos Bank in relation to protection of its IP rights, data and confidential information in a dispute with its technology provider Infosys in relation to misuse of Qudos’ IP, data and confidential information.

Bird & Bird

Bird & Bird supports clients with a variety of data protection matters in Australia and globally, including day-to-day privacy compliance, guidance to corporates on serious data breaches, and privacy considerations of M&A transactions. The team has considerable expertise in privacy law, with experience of recent and historic legal reforms. Sophie Dawson is a key name within the team and advises on both day-to-day compliance and strategic issues, including impact assessments and complex cybersecurity matters. Hamish Fraser has a broad practice encompassing data security and transfers, public policy, and advice to global platforms and cloud providers. All lawyers named are in Sydney.


The materials distributed by Bird & Bird during Covid 19 in Privacy and Data Protection law and Employment law have been an invaluable practical resource, particularly in the In house space.

Lisa Vanderwal, Special Counsel is an excellent lawyer, particularly in her currency of evolving Privacy and Data Protection law. She has a wonderful skill of tangible explanations of complex technical issues and is solutions focused.

Great access to the international network of Bird & Bird for latest thinking and practice in other jurisdictions. The team in Australia are also very knowledgeable about local privacy laws and practices.

Sophie Dawson is great – very experienced in this area, and focussed on great client service. Very responsive and taps into the international network readily.

Key clients

Wirecard AG

National Roads and Motorists Association

Work highlights

  • Acted for a global computer game company by notifying the OAIC and Federal law enforcement agencies of a data breach, and advising on the form of notices to individuals.
  • Advising a major company on privacy aspects of Digital Platforms Inquiry, including in relation to submission.
  • Advising a major global financial services company on complex international data flow arrangements, including data transfer agreements between companies in the international group.

DLA Piper

DLA Piper advises a variety of corporate clients on data privacy and privacy considerations, including day-to-day compliance advice alongside contentious issues such as regulatory investigations, data breaches, and international risk management. The practice also advises governmental bodies on procurement and legal obligations relating to data. The practice is led by Melbourne-based Tim Lyons, who works with corporate and government clients across the firm's offering, including advice on data breaches, internal private audits, and compliance. Sydney-based Nicholas Boyle advises on front-end data protection and privacy matters, including compliance and business strategy, while Jonathon Ellis handles back-end incident response issues, disclosures, cybersecurity issues.

Practice head(s):

Tim Lyons

Other key lawyers:

Nicholas Boyle; Jonathon Ellis


If you find yourself in the middle of a data breach the DLA team is who you need to manage the minefield of issues that you will face. They will guide you based on their expertise and extensive experience.’

Tim Lyons is the consummate professional who is always commercial and highly responsive when you need him.

Key clients

Omni Bridgeway Limited

Hannover Life Re of Australasia

Guzman y Gomez

Suncorp Group

Ai Media

Employers Mutual

Thales Australia

Work highlights

  • Advising Suncorp on additions to its template contractual arrangements to meet the requirements of APRA’s CPS234 information security standard.
  • Advising Guzman y Gomez Pty Ltd on its Australian privacy practices, including template privacy clauses, template data breach response plan, internal policies and procedures, external facing privacy policy and external facing collection statement.
  • Advising Omni Bridgeway on a privacy compliance project across a number of jurisdictions including updating internal and external privacy policies for compliance with both the GDPR and Australian privacy laws and preparing an Intragroup Data Transfer Agreement.

Herbert Smith Freehills

Herbert Smith Freehills offers a broad range of expertise in data protection issues, with partners experienced in TMT, employment, intellectual property, corporate, and litigation-related issues. The team acts for major corporate and financial services clients on life-cycle security and privacy issues, data elements of internal projects, consumer data requests and issues, and day-to-day privacy compliance, with many matters containing multinational or global elements. The team is led from Melbourne by Julian Lincoln, who is highly experienced in technology and intellectual property issues, advising clients on cybersecurity and transactional matters, alongside special counsel Kaman Tsoi, who heads up the data protection and privacy practice, specialising in information privacy.

Practice head(s):

Julian Lincoln; Kaman Tsoi

Other key lawyers:

Rebekah Gay


We have always been able to rely on HSF to have a host of experts at their fingertips who they bring in to support the challenge at hand (technical data breach/protection experts to complement their legal expertise in the area). This creates a well rounded and well practised team which is reassuring and also ensures swift action. We have always found the team responsive and they inspire confidence during challenging situations.

‘The team member’s genuine care about our organisation and data – making me as a client feel that we are the most important and that nothing is too hard and no concern too great. Rebekah Gay has led a few important issues in the past 12 months and I have been grateful for her calm and considered approach and her significant experience in this area – she inspires confidence during times that are often very challenging with great risk involved. She brings in the right people (legal and otherwise) to join her in providing guidance and advice which is very reassuring.

Key clients

National Australia Bank


Bytedance/Tik Tok







Victorian Funds Management Corporation

Royal Commission into Victoria’s Mental Health System

Work highlights

  • Continuous advice to NAB on technology, data, privacy and interrelated IP aspects of the demerger of a core and large business unit of the bank.
  • Advised Transurban on the transformational upgrade of its enterprise tolling system including in relation to a multi-vendor sourcing model, data protection and management, information security, transition risk management and sourcing strategy.
  • Continuously advising Bytedance on the expansion of various verticals of their business (including TikTok) in Australia.


The team at Maddocks works on high-profile and complex data and privacy matters for major public and private clients such as Sydney Airport, Sony, and several Australian government departments. Matters include privacy considerations relating to Covid-19 tracing, facial recognition software, and responses to critical data breaches. The team is geographically diverse, with a range of specialisms. Sydney's Brendan Tomlinson offers broad expertise across data analytics, transactional work, cybersecurity, and data commercialisation. In Canberra, Katherine Armytage specialises in advising Commonwealth government departments on data-related projects, including privacy risks, data governance, and Privacy Act issues. Melbourne-based Robert Gregory advises a diverse portfolio of corporate clients on data-related governance, sustainability, and IT issues.


Ability to take the matter forward with minimal guidance. Knowledge of the area of law and ability to close matters out.’

Brendan Tomlinson is very approachable and very efficient and provides value for money. Brendan is calm and pragmatic and easily suggests practical solutions for our business.’

Maddock’s have always taken a trusted partner approach with us. Their ability to understand the complexity and nuances of our lines of business, industry, and risk profiles is a particular standout. The trust in the Maddocks Team for our technology needs is well based and continues to be their strength.’

Key clients




Sydney Airport

Deutsche Bank


Aristocrat Technologies

Bauer Media



Taronga Zoo


Fitness Lifestyle Group

Melbourne City Mission

South East Water

City of Monash

Department of Health

Digital Transformation Agency

Department of Defence

Swinburne University of Technology

Work highlights

  • Trusted advisors to Commonwealth Government Departments, including the Department of Defence, the Department of Health, the Digital Transformation Agency and the Department of Home Affairs.
  • Advising Sydney Airport on complex privacy issues relating to their ground breaking facial recognition technology project involving the innovative use of biometric data.
  • Advised Swinburne University of Technology in relation to a security incident which involved the unauthorised access of personal information of certain Swinburne staff via Swinburne’s payroll online system.

McCullough Robertson

McCullough Robertson advises companies in the technology, life sciences, telecommunications, and media sectors, as well as government departments, on data protection and privacy, transactional data considerations, risk planning, and response issues. Clients include both domestic and multinational companies, with several matters involving cross-border and multijurisdictional elements. Alex Hutchens leads the team, and also heads up the firm's TMT platform, with a range of experience in data elements of transactions, cloud services, and data privacy issues. Matthew McMillan advises corporate clients on data security and commercialisation matters, alongside risk management of data breaches.

Practice head(s):

Alex Hutchens

Other key lawyers:

Matthew McMillan


Great team, I am regularly working with Alex Hutchens. The team is extremely responsive and delivers excellent, very concise support.

Alex Hutchens should receive high praise, his coordinates his team well and the support always meets if not exceeds our expectations.

Key clients

The Prince Charles Hospital Foundation

Police Bank

Alcorn Group

EM Solutions

Insight Network Australia

Macquarie Group

Telstra Corporation

Financial Services Council

Work highlights

  • Advising a multinational leisure tourism provider on Australian jurisdictional issues in relation to a global data breach response.
  • Advised a global independent firm in the design and building industry in relation to its data handling practices in respect of its operations in the Asia Pacific region.
  • Advising the Financial Services Council on the development of a data breach response plan and cyber incident toolkit, and delivering a bespoke privacy any cyber risk training program.

Hall & Wilcox

Hall & Wilcox advises public and private companies in Australia and abroad on a range of matters, including day-to-day privacy compliance, risk management, and data breaches, regulatory investigations and reporting, and internal data policies. The team also acts for local governments and non-profit organisations, as well as supporting start-ups through the firm's Frank offering. Melbourne-based partner Alison Baker heads up the practice, and regularly advises clients on internal privacy audits and matters relating to data breaches. Alison Choy Flannigan is based in Sydney and has a particular focus on the healthcare sector.

Practice head(s):

Alison Baker

Other key lawyers:

Alison Choy Flannigan; Mark Inston


Collegial and responsive always! Expertise is a given. The expertise and professionalism is across the team from partners to juniors.

Mark Inston is my main contact and Alison Baker is another partner I deal with regularly. Both are very professional, personal, approachable, and responsive and accommodating to our urgent requests. They know my expectations very well and I can be very frank with them.

Key clients

Healthdirect Australia

Work highlights

  • Acting for a residential aged care provider with regard to a claim for breach of privacy, including appeals to the Australian Information Commissioner, Australian Human Rights Commission, and NSW Privacy Commissioner.
  • Cross-border assistance to a consulting company following the hacking of their email system.
  • Advised a construction company on the privacy law implications of introducing electronic surveillance on its IT systems and Bluetooth asset tracking.

Mills Oakley Lawyers

Mills Oakley Lawyers formed its national data protection team in 2019, hiring 'passionate' practice head Alec Christie from Hall & Wilcox in Sydney. Christie has a strong record in acting for corporate and public sector clients on privacy policies, strategic data considerations, and cybersecurity, regularly advising multinationals on Australian and global privacy law considerations. Brisbane-based Malcolm McBratney specialises in the healthcare and technology sectors, working with clients on life-cycle IP and data issues. In Melbourne, Joni Pirovich has a particular focus on blockchain and cryptocurrency, with experience in tax law.

Practice head(s):

Alec Christie

Other key lawyers:

Malcolm McBratney; Joni Pirovich


Led by Alec Christie, this team has very good expertise in data protection and privacy issues.

Alec Christie is passionate in this line of work, and in the protection of privacy-related rights. His expertise in this area is highly regarded, very good industry exposure and knowledge, and is very commercially practical.

Key clients



Alcami Interactive

Assist 365

Australian Bureau of Statistics

Australian Securities and Investments Commission

Australian Taxation Office

Cinglevue International

Credit Union Australia

Department of Human Services

ELMO Learning

I-MED Radiology Network

Microsoft Corporation

Thomson Reuters

Toyota Insurance


Western Health

World Vision Australia

Work highlights

  • Supported Microsoft and its global user base in streamlining multi-jurisdictional privacy compliance.
  • Conducted a preparatory privacy review in the lead up to the 2021 Australian Census on behalf of the Australian Bureau of Statistics.
  • Delivered a firm-wide privacy management framework for Credit Union Australia