22 October 2025

Protecting Data Assets – The Legal Landscape And Practical Recommendations

Spruson & Ferguson

Contributor

Established in 1887, Spruson & Ferguson is a leading intellectual property (IP) service provider in the Asia-Pacific region, with offices in Australia, China, Indonesia, Malaysia, Philippines, Singapore, and Thailand. They offer high-quality services to clients and are part of the IPH Limited group, which includes various professional service firms operating under different brands in multiple jurisdictions. Spruson & Ferguson is an incorporated entity owned by IPH Limited, with a strong presence in the industry.

For technology leaders and in-house counsel, the question we hear most often is deceptively simple: "We know our data is valuable - but how do we safely commercialise it?"

In today's digital economy, data has emerged as a critical intangible asset shaping business strategy, fueling technological innovation, and contributing to economic and social benefits. Its value cannot be denied.

Yet, protecting and commercialising data assets is far from straightforward. This article explores the following key takeaways:

  1. No single property right in data | Australian law does not grant a definitive proprietary right in data. Instead, businesses must navigate a patchwork of overlapping legal protections, including copyright, contract, confidentiality, and sector-specific regulations.
  2. Copyright and IP rights offer limited protection | Copyright only applies to original expression, not raw or automatically generated data, and there is no European-style database right. Other traditional intellectual property rights are largely irrelevant to data assets.
  3. Contractual and confidentiality measures are essential | With limited statutory protection, robust contracts and confidentiality agreements are the primary mechanisms for controlling access to and use of data, supported by technical and organisational measures, such as data mapping, security protocols, and staff training.
  4. Compliance isn't enough | Privacy and industry regulations are important but do not grant ownership.

By understanding these core principles and implementing practical legal, technical, and organisational measures, Australian businesses can better protect their data assets, manage risk, and unlock new opportunities in the digital age.

Below we explore in further detail the protection, privacy obligations and use of data under Australian law, and provide several practical measures and tips for data owners to protect and manage data assets.

Australia's legal framework for data

The scale and significance of data sets are growing at a rapid pace, demonstrated by a large number of high-value data procurement deals worldwide, the use of vast data sets to train AI models and the increasing prevalence of leveraged corporate data to enable businesses to make better-informed decisions and optimise strategy, products and operations.

Unlike traditional assets, the value lies in the ability of the data to be used to generate insights, inform decisions, and unlock new revenue streams, particularly in the context of emerging AI technologies. As Bran Black, Chief Executive of the Business Council of Australia, remarked in 2025, "AI is our next big lever for economic growth ... If we get this right, AI can deliver a significant productivity boost." But while its value is undeniable, commercialising and protecting data is far from straightforward.

In terms of protection of data assets, data sits uncomfortably within Australia's existing legal framework: there is neither a single statute that grants proprietary title in data nor a discrete intellectual property regime akin to the "sui generis" database right adopted in the European Union.

Instead, businesses must assemble protection from a mosaic of overlapping laws - copyright, contract, confidentiality and sector-specific regulations, each of which confers only partial coverage.

Against that backdrop, any Australian business seeking to preserve the exclusivity, integrity and commercial value of its data assets must adopt a dual strategy. First, it must understand the nature of its data assets precisely and what legal rights and obligations do (and do not) exist.

Secondly, it must implement a suite of technical, organisational and contractual measures designed to compensate for the gaps that Australian law leaves exposed, to remain compliant with the law and to keep its data assets secure.

Copyright: thin protection for curated expression, not for raw facts

Copyright remains the most obvious starting point for protection of data, but its utility is often overstated. Protection subsists only where the underlying dataset incorporates the "original expression" of one or more human authors, typically through the creative selection or arrangement of material.

Historically, Australian courts followed a "sweat of the brow" approach, recognising originality based on the labour and expense involved in compiling factual material (Desktop Marketing Systems Pty Ltd v Telstra Corporation Ltd (2002) 119 FCR 491).

However, the Australian courts have re-focused the approach to protection, as seen in IceTV Pty Ltd v Nine Network Australia Pty Ltd (2009) 239 CLR 458 (High Court Case) and Telstra Corporation Limited v Phone Directories Company Pty Ltd (2010) 194 FCR 142. What is now required is originality in the arrangement of the relevant data, and the preparatory work in collecting such data is irrelevant for copyright purposes.

"The dicta in IceTV shift the focus of inquiry away from a concern with the protection of the interests of a party who has contributed labour and expense to the production of a work, to the 'particular form of expression' which is said to constitute an original literary work, and to the requirement of the Act 'that the work originates with an author or joint authors from some independent intellectual effort'," Keane CJ noted in Telstra at [82].

This requirement creates practical issues for data sets generated automatically. Acohs Pty Ltd v Ucorp Pty Ltd (2010) 86 IPR 492 illustrates the reluctance of Australian courts to recognise human authorship in cases where the connection is weak (such as when compilation is primarily done using computer software).

This position means that copyright is no longer particularly relevant in Australia for corporate data assets. Modern data is often generated or aggregated automatically by software, often in unstructured or semi-structured form, with minimal human input. Without identifiable human authorship and original expression, both raw and processed data sets generally fall outside copyright protection in Australia.

Australia does not have an equivalent to the European-style "database right", leaving any originality threshold unmet by data assets to languish unprotected by copyright.

Consequently, while businesses should continue to record and assert copyright where curated expression is evident, for example, in highly structured, annotated or labelled training sets, they must regard copyright as supplementary rather than foundational.

Further, other traditional intellectual property rights, including patents, trade marks, designs, and plant breeder rights, while largely technology neutral, are largely irrelevant to data protection.

Contract and confidentiality: the primary mechanisms

With traditional IP rights having limited scope, contractual rights and equitable duties of confidence assume paramount importance for data owners seeking to properly protect and deal with their data.

While data is not recognised as an intellectual property asset in its own right, the party who can lawfully control access to and use of it often enjoys the practical benefit of ownership. This is typically achieved through confidentiality and contract.

Confidentiality

Australian courts have confirmed that confidentiality obligations will apply if the information has the necessary quality of confidence, and the circumstances in which the information is imparted are such that there is an understanding that it is to be treated as confidential, or the recipient ought to have realised that the information was to be treated in such a way (Smith Kline & French Laboratories (Aust) Ltd v Secretary, Department of Community Services and Health (1990) 22 FCR 73).

Those requirements are typically satisfied through well-drafted non-disclosure agreements, confidentiality clauses embedded in broader commercial contracts, and robust information-security policies binding employees, contractors and downstream recipients.

Clauses should describe the data with precision, stipulate permissible uses, mandate security measures, impose a clear term (often framed as "until the information enters the public domain") and specify remedies for breach. Data protection clauses could be considered the modern equivalent of property deeds in the context of data ownership.

Equitable obligations can also apply where data is supplied in circumstances importing a duty of confidence, even where there is no written contract. In addition, certain individuals, due to their position or the nature of their relationship, may be subject to obligations of confidence under the Corporations Act 2001 (Cth) or by reason of their fiduciary duties. A person may pursue multiple causes of action (contractual, equitable and statutory) concurrently for a breach of confidentiality obligations.

Confidentiality protection is most robust where the information is not in the public domain or when the particular method of compiling the data, or the insights drawn from it, remains confidential. Published facts alone lack the necessary quality of confidence without some further and confidential synergistic effect or confidentiality arising from the mere fact of its inclusion in the database.

In general, a non-selective list of information that anyone can access will not be treated as confidential, even if assembling it required time and effort.

However, once information loses its confidential nature, whether through publication, hacking or inadvertent disclosure, confidentiality usually falls away. Continuous access controls, encryption, audit logging and need-to-know restrictions are therefore indispensable corollaries to contractual drafting.

Efforts to establish contractual restraints of confidential information even after the information has been made public may be limited, as seen in Maggbury Pty Ltd v Hafele Australia Pty Ltd (High Court of Australia) and discussed in Little protection for big data? (2020) 23(5) INTLB 91.

Contracts

Website terms of use illustrate both the potential and limitations of contractual control. Website terms of use can create contractual rights against users who agree to them, but these are enforceable only against those parties and not against the public at large. There are still challenges concerning the enforceability of online agreements like "clickwrap", and particularly "browse wrap agreements," in the context of website scraping.

This issue has become prominent with the rise of web scraping to build AI training data sets. Australian courts have not considered the enforceability of website terms against web scraping, and there are no laws explicitly prohibiting web scraping.

Because contractual rights bind only the agreeing party, businesses that publish large volumes of data publicly may have difficulty relying on terms alone to deter web scraping, unless the data sit behind an effective technical gate such as a paywall or login.

However, certain website content may be protected under the Copyright Act 1968 (Cth).

Unlike the United States, Australia does not have a broad fair use doctrine; instead, it provides only limited fair dealing exceptions. Clearview AI Inc and Australian Information Commissioner [2023] AATA 1069 (8 May 2023) has confirmed there are privacy law issues with scraping biometric information from the internet without consent and disclosing it through use of facial recognition tools.

Similarly, the "Grubisa" cases (Commissioner Initiated Investigation into Master Wealth Control Pty Ltd t/a DG Institute (Privacy) [2024] AICmr 243 (18 November 2024) and Commissioner Initiated Investigation into Property Lovers Pty Ltd (Privacy) [2024] AICmr 249 (22 November 2024)) confirmed that scraping and distributing distress-sale property data was in breach of website terms and privacy obligations.

Regulatory compliance

Privacy obligations

Where data sets contain personal information, the Privacy Act 1988 (Cth) (Privacy Act) imposes statutory duties on organisations regarding how that information is collected, used, stored, and disclosed.

There are regulatory penalties of AUD50 million or 30% of adjusted turnover for serious interferences with privacy, and a new statutory tort for serious invasions of privacy. Critically, however, these provisions are regulatory; they exist to safeguard individuals' privacy rights.

They do not grant businesses ownership or exclusive control over data, nor do they protect corporate data assets from competitors. In other words, compliance with privacy law is necessary but it is not, by itself, a strategy for securing or commercialising proprietary data interests.

At present de-identified or aggregated information falls outside the scope of the Privacy Act. Businesses handling such data are not typically subject to the same regulatory obligations, although they should ensure that robust anonymisation techniques are applied.

Proposed reforms are likely to extend certain obligations to de-identified data sets to prevent re-identification, so businesses should monitor legislative developments closely and ensure robust anonymisation techniques consistent with industry best practice.

Industry-specific data obligations

Industry-specific statutes impose additional obligations without addressing proprietary interests:

  • Consumer data right: Competition and Consumer (Consumer Data Right) Rules 2020 (Cth)
  • Health data: state and territory health records laws
  • Financial/credit data: Corporations Act 2001 (Cth), Anti-Money Laundering and Counter-Terrorism Financing Act (Cth)
  • Telecommunications metadata: Telecommunications (Interception and Access) Act 1979 (Cth)
  • Marketing data: Spam Act 2003 (Cth), Do Not Call Register Act 2006 (Cth)
  • Critical infrastructure sector: Security of Critical Infrastructure Amendment Act 2022 (Cth)

Artificial intelligence (AI)

In the context of AI, the Australian Government has already introduced Voluntary AI Safety Guidelines and has proposed introducing mandatory safeguards for high-risk AI applications, which may impose new provenance, quality and security duties on data, such as traceability and quality-management obligations for training data.

The legal status of synthetic data and AI model weights, specifically whether they inherit licence, copyright or privacy obligations from their source data, remains untested in Australian courts. Maintaining records that track data provenance, licensing, and compliance for all data assets and derived outputs could assist with managing liability.

Responsible data stewardship

Beyond legal requirements, customers, investors and counterparties, including government and financial institutions, increasingly demand evidence of responsible data stewardship.

This evidence includes demonstrating ethical sourcing, transparent data management, and compliance with social and environmental standards. Maintaining clear records and policies is essential for meeting these expectations. Yet, like statutory compliance, these measures do not, by themselves, create enforceable proprietary rights.

Again, these various obligations must be observed where relevant, but their objective is to protect individuals and the public interest, not to provide businesses with ownership of data.

Businesses wishing to secure competitive advantage in their data assets must therefore look beyond compliance, deploying contractual controls, technical safeguards and organisational measures tailored to their specific commercial objectives.

Practical measures to reinforce the legal position

Given the patchwork nature of legal protection, astute businesses complement legal rights with operational and technical safeguards to protect and manage data assets:

  1. Data mapping and classification | Catalogue data assets, identify those containing personal, confidential or commercially sensitive information, and assign appropriate protection levels based on criticality and sensitivity.
  2. Access governance | Enforce least-privilege access, multi-factor authentication and role-based permissions across all systems. Regularly review and promptly update user access, especially after role changes or departures. Use scoped tokens (digital credentials with limited permissions) for machine access. Segment data environments (divide networks and systems into isolated zones to limit access).
  3. Encryption and pseudonymisation | Encrypt data at rest and in transit using industry-standard protocols; remove direct identifiers where possible, especially on mobile devices and backups. For data assets expected to be retained for a decade or more, organisations should begin adopting quantum-safe encryption standards. This future-proofs data security against emerging quantum computing threats.
  4. Confidentiality chain-of-custody | Use non-disclosure agreements for employees and contractors; ensure confidentiality and data protection obligations are mirrored in vendor agreements, including audit rights and back-to-back IP indemnities for data reselling. Maintain a confidentiality register.
  5. Licence hygiene | Maintain a 'licence matrix' (a summary table of all inbound and outbound data licence terms); automate the generation of attribution strings for open-source data sets to ensure compliance with licence requirements.
  6. Data asset labelling | Label each data set with clear, structured information describing its contents and assign a unique, persistent identifier. This ensures data can be easily found, tracked, and used correctly throughout its lifecycle.
  7. Privacy engineering | For sensitive data, protect privacy by adding statistical noise or by using synthetic data that mimics real information without exposing individuals. Keep detailed logs of any tests done to check if individuals could be re-identified.
  8. Audit and monitoring | Deploy comprehensive logging, monitoring, and intrusion-detection tools to record access, detect anomalies, facilitate forensic analysis, and evidence contractual or regulatory breaches.
  9. Vendor and cloud diligence | Flow-down confidentiality, security, and privacy compliance clauses to third-party processors and supply chain partners; obtain assurance of their security controls and require prompt notification of security or cyber incidents.
  10. Incident response planning | Maintain and regularly test a data-breach response plan, ensuring alignment with statutory notification timeframes and clear roles for internal and external coordination. Regularly test 'last-known-good' immutable backups (backups that cannot be altered or deleted) to ensure data recovery in the event of a cyber incident.

Bonus tips

  • Cross-border compliance | Record where each data set is stored, both physically and legally. For international data transfers, use approved processes like 'trusted user' approvals or legal agreements to ensure compliance with data transfer laws and protect data across borders.
  • Lifecycle management | Define and enforce data retention schedules, automate secure deletion or anonymisation, and document justification for ongoing storage. Ensure secure disposal of physical and electronic media.
  • Education and culture | Provide ongoing, role-specific training on confidentiality, privacy compliance, and cyber-security practices. Reinforce that data stewardship is an organisation-wide responsibility, with clear reporting channels for incidents.
  • Departure management | On exit of employees, revoke all access, recover company assets, ensure company data is returned or deleted, and remind employees of ongoing confidentiality obligations.
  • Exit & M&A readiness | Automate data-room scripts to export audit trails, licences, and data protection impact assessments, making due diligence faster and supporting higher business valuation by ensuring key compliance documents are readily available.

Putting it all together

Australian law offers no single, definitive property right in data. Instead, protection arises from a constellation of rights and obligations, each illuminating only part of the landscape.

Savvy businesses navigate this terrain by: extracting maximum value from copyright where originality genuinely subsists; maintaining robust confidentiality protection measures and using carefully drafted contracts as their principal shield; scrupulously adhering to privacy and sector-specific legislation and compliance obligations; and embedding technical and organisational controls that support, and in some cases surpass, the minimum legal baseline.

Through that integrated approach (legal, contractual, technological and cultural) Australian businesses can transform the apparent fragility of data protection into a resilient framework that sustains innovation, builds stakeholder trust and unlocks the economic promise of the digital age.

How we can help

If you would like assistance to navigate and implement legal rights, and operational and technical safeguards, to protect and manage data assets, reach out to the authors or one of our experts in the Commercialisation team in Australia.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
