Data protection in Australia

Allens

Allens advises clients on the full range of data and privacy work, including high-level compliance issues and data breach responses, alongside a growing offering in data governance work and advice on commercial data as a tool for business growth. Clients include major international technology companies, financial services institutions, public sector organisations and multinational businesses. The team is led by Gavin Smith, who handles life-cycle data issues and cyber work, alongside Valeska Bloch, who is an expert in data breach crisis management and transactional data work. Phil O’Sullivan has a notable niche in data compliance and risk management mandates within the defence, aerospace and healthcare sectors, while managing associate David Rountree works with a number of the firm’s top clients across a variety of sectors on data commercialisation and cybersecurity. All lawyers mentioned are in Sydney.

Practice head(s):

Gavin Smith; Valeska Bloch

Testimonials

‘The privacy practice at Allens has a great understanding of our business, and a deep knowledge of Australian privacy law. Allens was absolutely instrumental in negotiations with an Australian regulator, and they had practical solutions and negotiation strategies and were able to manage time in an excellent manner to make sure our submissions were made on time.’

‘The team at Allens are second to none – personable, professional and provide punchy advice. Their lawyers are highly skilled who I can trust implicitly in the provision of advice.’

‘Allens have a team of deep technical experts in the areas of privacy and data and provide strategic and commercially minded advice to major financial services firms. I can count on Allens to provide pragmatic advice that can be readily shared with business partners. The Allens team also outstrip their peers in terms of keeping my team immediately informed of key decisions/regulatory updates that are relevant to this practice area and offering training to the team on areas of interest. The team are approachable and a pleasure to work with as we navigate complex issues.’

‘Valeska Bloch is one of the most brilliant Partners I have ever worked with. She approached every interaction as a true partnership and leaves no stone unturned. No request is ever too obscure for the team to navigate, and we are so appreciative of her support.’

‘I value above all else that the Allens team listen to what I need as a client and always deliver. When you are navigating complex issues, being able to rely on Allens to quickly understand the issue (because they have a deep understanding of the company itself and the legal issues) and provide pragmatic advice is critical to the success of in-house legal teams and the services they deliver to the businesses they support.’

‘Valeska Bloch – Fantastic client engagement.’

‘Partner Gavin Smith is very responsive and demonstrates a deep knowledge of Australian privacy law.’

Key clients

Commonwealth Bank of Australia

Kentucky Fried Chicken

Bunnings

Wesfarmers

Healthmatch

Canva

National Australia Bank

Commonwealth Bank of Australia

ASX Limited

Medical Director

New South Wales Land Registry Services

Victorian Land Registry Services

Work highlights

  • Advised the NSW Government on its investigation of and response to a data breach which occurred in April 2020 affecting the mailboxes of 47 Service NSW staff.
  • Advised Westpac on complex and significant data and security activities across the bank, including on its digital banking-as-a-service business and its data sharing arrangements with its partners Afterpay and SocietyOne.
  • Advised KFC on the design and rollout of its whole-of-business data governance project.

Corrs Chambers Westgarth

Corrs Chambers Westgarth handles a wide range of contentious and non-contentious data privacy and governance matters, working across the financial services, technology, and retail sectors, as well as advising governments on Australian data provisions. The team is led by James North , who has a strong focus on technology, media and telecoms work, and advises major domestic and international businesses, including leading Big Tech clients. Eugenia Kolivos has a strong specialism in complex technology and data commercialisation, alongside privacy advice, while Brisbane’s Helen Clarke handles data breaches, commercialisation issues and global privacy reviews. Melbourne’s Arvind Dixit advises on a wide range of public and private IT projects, including data considerations. Lawyers are in Sydney unless otherwise indicated. Senior associate Jennifer Dean  has now joined Johnson Winter & Slattery.

Practice head(s):

James North

Testimonials

‘The people comprising the team work collegially and cohesively, so as a client we experience integrated and consistent approaches in advice even though it may be provided by a range of team members. Uniformly great cultural and service attributes: great listeners, considered and responsive.’

‘Arvind Dixit’s excellent and precise communication skills mean complex matters can be understood by all managers involved, at all levels of the organisation. Arvind also has a good practical appreciation of how data protection can impact operational and public reputational issues. Arvind can turn around advice rapidly, and we found he was incredibly accessible and responsive whenever we have placed a call at critical times (above and beyond).’

‘The Corrs team has excellent expertise in the area of privacy and data protection. Offering a deep understanding of our business and a practical, risk-based approach to advice, our company relies on Corrs as a trusted adviser in relation to data and privacy issues.’

‘Helen Clarke is a respected expert in this practice area, who listens, is friendly and responsive and has a calm and considered approach and you can rely on her.’

‘What we value is not only the Corrs Data Protection Team’s expertise, but the Corrs Team truly working together with the In-house Legal Team as ONE team to deliver great results for our organisation. The Corrs Team’s professionalism, commitment, friendly and easy going approach makes them a pleasure to work with, particularly in challenging circumstances. They live the value of being trusted expert advisers.’

‘Arvind is the kind of knowledgeable and calm adviser that you need in a crisis. He is very responsive when urgent advice is required.’

Key clients

Google

Mastercard International Inc.

Intuit Inc.

Flybuys

NBN Co Limited (National Broadband Network)

StockX

Splunk

Oxfam

Canva

Standards Australia

Woodside

Australia Post

Square

Adobe

Work highlights

  • Advised Mastercard on the Australian privacy and data protection aspects of Mastercard’s acquisition of Finicity Corporation.
  • Advised Splunk on the key privacy and regulatory frameworks applicable to the B2B Cloud market in Australia and compliance with APRA prudential standards.
  • Representing Google in the ‘location history’ proceedings commenced by the ACCC in the Federal Court, in which the regulator alleges that Google engaged in misleading and deceptive conduct in relation to the collection, retention and use of consumers’ location data on Android phones and tablets.

Gilbert + Tobin

Gilbert + Tobin fields a multi-disciplinary team capable of handling work across the data lifecycle, from generation through to compliance and commercialisation, including compliance and risk management advice, incident response, and litigation. The team works with a number of major domestic and international clients, including technology and life sciences companies, financial institutions and government departments. The team is led by Tim Gole , who also heads up the firm’s IT offering and focuses on regulatory compliance advice alongside working on transactional data issues, alongside IP lead Michael Williams , who advises on major data breach investigations, as well as data ownership and use rights, and cyber response strategies. Melissa Fai specialises in data and privacy work, and advises clients on privacy and data protection obligations as well as commercialisation and transactional matters.

Practice head(s):

Tim Gole; Michael Williams

Other key lawyers:

Melissa Fai

Testimonials

‘G+T’s Technology and Digital team led by Tim Gole have deep experience in all aspects of information technology (including data protection, systems integration, cloud and platforms and complex commercial contracts). The team’s advice is commercial and practical as they take the time to understand our business as if they were part of our team. The G+T team innovate by using tech tools to make them exceedingly productive compared to other firms.’

‘Tim Gole’s knowledge of Australian law and extensive practical experience make him an absolute stand out for those in the information technology sector. He turns complex legal issues into simple and plain English drafting which the business understands.’

Key clients

Westpac Banking Corporation

Velocity

HealthEngine

Telstra

NSW Government – Transport for New South Wales

Microsoft

Macquarie Bank

NSW Government – eHealth

Qudos Bank

BCI Media Group Pty Ltd

KKR

PayPal

WiseTech Global Limited

FitBit

Harrison.ai

Insurance and Care NSW (icare)

Work highlights

  • Advising Microsoft on an array of regulatory reforms concerning data protection, security and management, including the enhancement to Australia’s critical infrastructure framework, online safety framework, government surveillance and data privacy, as impacting Microsoft products and services and its Australian enterprise and consumer customers.
  • Advising BCI Media Group on a dispute with competitor CoreLogic Australia Pty Ltd and two subsidiaries.
  • Advising a Commonwealth Government agency on one of the largest class actions in respect of a privacy data breach under the OAIC investigation and enforcement regime.

King & Wood Mallesons

King & Wood Mallesons has strong capabilities in data and cyber security, advising on data policies and regulatory change as well as maintaining an active incident response team, assisting major domestic and multinational clients with major data breaches. Clients include major corporates and technology entities, as well as leading brands. Cheng Lim has a strong record in advising major businesses on data security regulations and data breach responses, including relationships with regulators and customers. Patrick Gunning excels in the financial services space, alongside innovative work on the application of privacy laws to new technologies and developments in data governance. Scott Farrell specialises in fintech and financial services work, working with both public and private sector clients, while Melbourne’s Michael Swinson specialises in commercial transactions involving technology, data assets and intellectual property. Lawyers are in Sydney unless otherwise stated. Renae Lattey leads the team.

Practice head(s):

Renae Lattey

Testimonials

‘Ability to consider privacy and data protection in the context of other regulatory requirements.’

‘The team at KWM has unparalleled depth and expertise in the data protection space. We rely heavily on them for their exceptionally clear, practical and context driven advice. The KWM team has demonstrated particular strength in understanding our business and risk profile. This sets them apart in the market.’

‘Michael Swinson is an exceptional partner with a very strong team behind him from SA to grad level. Michael demonstrates a thorough understanding of both our business, the existing law, and the coming trends in the Australian Data Protection space.’

‘Attention to detail.’

‘The team’s deep level of expertise is highly valued and sets them apart from the rest. They always deliver on time and sometimes to difficult and demanding timelines. The partners are approachable and provide advice mostly in a concise easy to read format. In comparison to other firms, mostly I prefer to use KWM because they simplify their advice and present in a way that is easy to quickly digest and forward to internal clients.’

‘All of the individuals I have worked with have the deepest SME knowledge, which means that when we are unable to resolve the issue in-house we know that we can seek the best SME support efficiently and effectively. Some of the partners also have a very pragmatic approach to risk and that approach helps with guidance on particularly grey areas of the law. Cheng Lim and Michael Swinson both have deep expertise but also have different approaches which helps with knowing we are getting different and well thought through perspectives.’

Key clients

Facebook

L’Oreal

HSBC

Energy Security Board

Google

BHP

Power and Water Corporation

Work highlights

  • Advising Facebook on all privacy and data-related matters affecting its business in Australia.
  • Advising on Australian issues for BHP’s global Data Protection and Privacy Office.
  • Advising HSBC on running multi-jurisdictional workshops covering Hong Kong, Singapore and Mainland China to assess and explore the legality and ethics behind proposed uses of customer data by a major global bank.

Baker McKenzie

Baker McKenzie handles the full range of data and privacy work, from regulatory compliance and risk management advice to incident response work for data breaches and cyber attacks. The team counts a number of major international technology companies as clients, advising on product launches and Australian data regulations, with practice co-head Anne-Marie Allgrove playing a key role in this work. Co-head Adrian Lawrence also works with multinationals on their entry into APAC markets, as well as advising on the data aspects of digital transformation transactions. Anne Petterd leads on the drafting, localisation and rollout of commercial data protection policies, while Melbourne’s Toby Patten has a strong focus on privacy regulations in the healthcare sector. Lawyers are in Sydney unless otherwise stated.

Other key lawyers:

Anne Petterd; Toby Patten

Testimonials

‘The team at Bakers has exceptional depth across APAC in the Data Protection space and is an invaluable legal partner for us. We have appreciated their willingness to develop a deep understanding of our business, risk profile and to apply that understanding to providing us high quality and practical legal support.’

‘Anne Petterd is an exceptional partner with a deep understanding of our business, the law and market trends.’

Key clients

Plaid

ByteDance Inc (TikTok)

Luxottica

Medtronic

Marmalade

Aldi

HMS

Orbyt

Philips

IQVIA

Work highlights

  • Advised Plaid on the scope and operation of a novel consumer data right regime in Australia as well as an Integration Agreement with an Australian data aggregator company Basiq.
  • Advising ByteDance on setting up Australian operations.
  • Advised Luxottica on Australian operations, including on various privacy issues.

Bird & Bird

Bird & Bird works prolifically on cross-border data protection and security matters, operating as part of the firm’s global data practice. The team works with major domestic and multinational clients and offers significant expertise across Australian and international data regulations, advising on day-to-day compliance and broader strategic issues including impact assessments and data breach responses. Key names in the Sydney-based team include Sophie Dawson, who advises on incident response and privacy assessments for high-profile corporates and technology companies, and Hamish Fraser, who works with global platforms and cloud providers on data breaches, transfers and policies relating to personal information.

Other key lawyers:

Sophie Dawson; Hamish Fraser

Testimonials

‘Access to international resources, highly responsive lead partner in Australia in Sophie Dawson. In a rapidly changing field, this depth of expertise is highly valuable’

‘Sophie Dawson is excellent – highly responsive, very knowledgeable on data protection issues, constantly considering how the field is changing and what that may mean for us.’

‘Fantastic customer service and great communication style. They do not over service like many firms but rather understand what is needed and provide practical and to the point advice.’

‘Sophie Dawson has a wealth of knowledge on data privacy and communicates issues concisely. She proposes practical solutions to problems and seeks to avoid protracted legal disputes.’

Key clients

National Roads and Motorists Association Limited

Work highlights

  • Advised three major Australian media companies in relation to privacy matters.
  • Advised an online advertising company on advertising regulations.
  • Advised various clients on the privacy reforms proposed in the ACCC Digital Platforms Inquiry Report.

Clyde & Co LLP

Clyde & Co LLP  strengthened its data and cybersecurity offering with the arrival of Alec Christie  and his team from Minter Ellison, combining his strong readiness and data strategy practice with the firm’s existing incident response team, led by practice head John Moran, creating an all-in-one service for data and security-related issues. The firm advises a wide range of domestic and international clients in the technology, education and financial services sectors on data breaches and responses, both internally and reporting to regulators, alongside advising boards on data regulations and strategies, as well as readiness and reputational considerations relating to data. Richard Berkahn and Reece Corbett-Wilkins were promoted to partner in early 2021 as part of further expansion of the practice. The team is based in Sydney.

Practice head(s):

John Moran

Testimonials

‘Prompt and thoughtful advice; very practical.’

‘Alec Christie is smart, knowledgeable and has a strong ability to provide practical and actionable advice.’

‘Leading insurance firm in the data protection practice in Australia. Clyde & Co also understand what insurers require and so can provide a seamless incident response to caters to all stakeholders involved. Clyde & Co also publish extensive thought leadership material that is vital for information sharing.’

‘The Clyde & Co team are one of the best Data Protection/Incident Response teams I have had the pleasure to collaborate with in the last few years. The quality of partners and staff is exceptional they are always supportive of myself and our clients. The client feedback is always strong and they really appreciate the input and support provided to them by Clyde & Co.’

‘Everyone that I have worked with at Clyde & Co have been very knowledgeable and always professional they are strong communicating with clients and I never have any reservations introducing anyone from Clyde & Co to my clients. The stand out Partners for me are John Moran, Reece Corbett-Wilkins and Richard Berkahn, I have worked with each of them on different clients/services and I am always impressed with them.’

DLA Piper

DLA Piper bolstered its data and privacy offering with the arrival of Anthony Lloyd from Minter Ellison in early 2021, bringing in significant experience in international standards, privacy frameworks and cybersecurity infrastructure. Elsewhere, the team is led by Melbourne’s Tim Lyons , who advises major international clients including technology, financial services and healthcare entities on data privacy compliance and reporting obligations, while in Sydney Nicholas Boyle also regularly advises on risk management and compliance at the front end, as well as handling ‘back end’ data breach responses alongside investigations and disputes specialist Jonathon Ellis . Sarah Birkett focuses on the application of privacy regulations and notifications, and is particularly strong in the healthcare sector.

Practice head(s):

Tim Lyons

Other key lawyers:

Nicholas Boyle; Jonathon Ellis ; Anthony Lloyd; Sarah Birkett

Testimonials

‘DLA Piper’s legal services are excellent value for money compared to other similar firms. They provide good quality, efficient legal assistance for a very competitive price. Being an international firm they offer great access to resources and legal updates regarding relevant legal developments across the globe, which is very useful.’

‘Nick Boyle and his team provide excellent legal services. They are very responsive and efficient and have a good knowledge of our business and how we operate. Nick is very professional and personable and has excellent market knowledge and experience.’

Key clients

Westpac Banking Corporation

Suncorp

10x Future Technologies

Insurance Australia Group

Super Retail Group

Worldline

Court Services Victoria

Victorian Department of Transport

Victoria Police

Capstone Logistics, LLC

HCL Australia Services Pty Ltd

Speedcast Group

CenITex

Corum Group Limited

Royal Woman’s Hospital (Victoria)

Hannover Life Re of Australasia Ltd

Work highlights

  • Advised Westpac on a range of contracting matters relating to technology contracts involving complex data protection arrangements.
  • Completed a Privacy Impact Assessment for the County Court of Victoria in respect of an urgent project to implement an Electronic Evidence Management and Electronic Court Books Management solution for the County Court of Victoria in response to the Covid-19 lockdowns in Melbourne.
  • Advised Netball Australia on the privacy implications of its use of a player management system in respect of the nationwide “NetSetGo” program and its arrangements with the State Australian Netball Organisations regarding the use of alternatives player management systems.

Maddocks

Maddocks has a specialist data and privacy offering, with dedicated expertise in GDPR, data breach responses and Australian data regulations. The team advises government departments, businesses and major technology players, with a particular focus on the data aspects of IT and technology agreements. Key members of the team include Sydney’s Brendan Tomlinson, who advises on outsourcing and integration projects, cloud-based offerings and data analytics, as well as handling privacy and data commercialisation issues, alongside Canberra-based Katherine Armytage, who is active on behalf of Commonwealth agencies on an array of data sharing and privacy considerations, with standout involvement in Covid-related data privacy issues. Melbourne’s Robert Gregory  is strongly focused on the education space alongside other regulated sectors, while Sydney-based Jeff Goodall  combines compliance advice with work on data breach prevention and response. Sonia Sharma in Sydney has a successful track record in managing large-scale, sensitive data breaches for listed companies and government entities.

Other key lawyers:

Jeff Goodall ; Ooma Khurana

Testimonials

‘Maddocks’ Data Protection team are extremely knowledgeable in the area of data protection and most importantly, responsive. We find that the value for money is exceptional, which is an important factor for our company when selecting external legal advisers.’

‘The team at Maddocks have gone to great lengths to understand the nature of our business and structure, which helps them to provide accurate and concise legal advice. In particular, Jeff Goodall and Ooma Khurana stand out for their advice and commerciality.’

‘Ooma Khurana’s exceptional legal expertise in the area of data protection are complimented by her pragmatic and solutions based approach to potential legal issues and risks. Ooma has been an invaluable external adviser to our Australian company following a friendly takeover by a multinational organisation, helping us to navigate global data protection policies and regulations and how these interact with Australian legislation.’

Key clients

Sony

Diageo

Philips

Sydney Airport

Deutsche Bank

Deloitte

Aristocrat Technologies

Bauer Media

Lendlease

Mirvac

Taronga Zoo

Greencross (Petbarn)

Fitness Lifestyle Group (owner of Fitness First, Goodlife Healthcare and other fitness brands)

Melbourne City Mission

South East Water

City of Monash

Department of Health

Digital Transformation Agency

Department of Defence

Swinburne University of Technology

HMD Global (Nokia)

Equifax

Taking Shape Fashion

Leap Software

Work highlights

  • Advising the Commonwealth, as represented by Health, on the privacy aspects of the COVIDSafe App, including by undertaking an urgent privacy impact assessment (PIA) and preparing the resulting PIA report.
  • Advised Greencross on privacy and data provisions relating to its partnership agreement with Uber.
  • Advising Deutsche Bank’s Australian branch on data protection and privacy compliance.

Hall & Wilcox

Hall & Wilcox supports its clients on a range of privacy issues, including compliance obligations, complaints for breaches of privacy, data security breaches, and GDPR compliance. The team works with public and private sector bodies, advising on privacy policies and submissions to the Australian Information Commissioner alongside representing clients in investigations and conciliation conferences. The team is led by Alison Baker  in Melbourne, who has a broad practice encompassing providing compliance and strategy advice to clients in a broad range of sectors, and data breach response support. Sydney’s Alison Choy Flannigan specialises in the healthcare sector, working with providers in a variety of settings, and has been particularly active in Covid-related data issues.

Practice head(s):

Alison Baker

Other key lawyers:

Alison Choy Flannigan

Testimonials

The team involved have high profiles in the digital/technology space and I often come across their articles/commentaries in this area. I consider them as leading experts.

I have a lot of time and respect for the partners I have dealt with: accommodating, maintain good relationship, responsive, available when required, transparent, understand my company’s business and my particular service requirements. Highly recommend the team to others!

Key clients

NSW Department of Customer Service

Australian New Zealand Gynaecological and Oncology Group

Work highlights

  • Advising the NSW Department of Customer Service in relation to the End of Life project, a component of the Life Journeys program, on privacy related documentation to cover the handling of data between NSW Government departments.
  • Advising ANZGOG on the legal and regulatory requirements, including privacy and data, concerning the creation of the largest Biobank in Australia for gynaecological and oncology research referred to as the TR-ANZGOG project.

Piper Alderman

Piper Alderman has a strong focus on the IT and financial services sectors, advising on privacy and commercial data considerations, alongside maintaining an incident response offering. The team is led by Melbourne’s Tim Clark , who advises IT clients on data protection and privacy policies, data breach notifications and data collection practices, as well as data considerations for IT contracts, alongside Sydney’s Andrea Beatty, who specialises in the financial services sector and has a focus on incident responses, particularly relating to ransomware attacks.

Practice head(s):

Tim Clark ; Andrea Beatty

Testimonials

‘The firm has strengths in a number of key areas that our business utilises from time to time. I like that my main contact organises other expert advice from within the firm as required after consulting with me on estimated time and cost to do so.’

‘Piper Alderman has been instrumental in the legal aspects of our offering to clients. Flexibility and awareness allow us to add real value to our client’s needs and there is always the willingness to accommodate most situations.’

‘We have found Piper Alderman to work well together to support our legal needs. It is evident that there are different specialties within the Piper Alderman team but our legal needs are managed seamlessly.’

‘Andrea Beatty was fantastic support to the business when we were dealing with a cyber security breach. She was always available and provided expert guidance on the Privacy Act implications and communication strategies.’

‘Our partner Tim Clark has taken the time and interest to intimately understand our business and our highly specialised industry, and this makes for rapid consideration and response to our legal matters.’

Key clients

Allcom Networks

BioGrid Australia Limited

Best Practice Software Pty Ltd

The Entrance Red Bus Services Pty Ltd

Work highlights

  • Advised Biogrid on the terms and conditions and privacy policy for the Australian Rare Cancer Portal.
  • Advised Best Practice Software on its privacy policies in Australia and liaised with counsel in New Zealand in relation to the client’s privacy policies in New Zealand.
  • Advising Allcom Networks on providing Notifiable Data Breach training to Local Councils and schools.

Dentons

Dentons advises a combination of domestic and international clients on data commercialisation mandates alongside a notable offering relating to contentious white-collar crime and money laundering investigations involving data. This service includes data breach responses, fraud and misconduct issues, and disclosures. The team is led by Ben Allen in Sydney.

Practice head(s):

Ben Allen

Key clients

Watches of Switzerland

Avis Budget Group

Work highlights

  • Advising Avis Budget Group on its global privacy and related cybersecurity matters.
  • Advised Watches of Switzerland on anti-money laundering laws and implications for privacy/cybersecurity arising from customer relationship management and database management strategies.

KPMG Law in Australia

Working with both public and private sector clients, the team at KPMG Law in Australia handles a wide range of data and privacy matters, including cybersecurity issues, data protection compliance, commercialisation work and strategies, with particular strength in the public sector and healthcare industry. The team is led from Melbourne by Kate Marshall and Veronica Scott.

Practice head(s):

Kate Marshall; Veronica Scott

Testimonials

‘The KPMG team is unique because it has deep expertise in the application of the GDPR to Australian organisations engaged in international activities, particularly research. They also have an in-depth understanding of the data and privacy issues that arise in clinical research and clinical registries.’

‘Specialist expertise. Also their knowledge of our industry sector. Stand out advisers are Kate Marshall and Veronica Scott.’

Key clients

Commonwealth Department of Health

x15 Ventures (CBA New Digital Businesses Pty Ltd)

Commonwealth Department of Treasury

Monash University

Bega Cheese Limited

AustRoads Incorporated

Youi

nib

Office of the Australian Information Commissioner (OAIC)

Royal Children’s’ Hospital

Lifeline Australia Limited

Medibank Private Group

Adventist Healthcare Limited (AHCL)

Atlassian

Work highlights

  • Advised the Commonwealth Department of Health on a detailed review of its privacy policies, data breach response and data access procedures for the National Cancer Screening Register.
  • Advising Medibank on key strategic privacy projects for the group.
  • Advising Monash University on privacy and data protection considerations.