Who Really Owns Our Data? What Business Leaders Need to Know
- JULIE REID
- 4 June 2026
Data is central to modern business operations, and AI increasingly relies on it. As customers become more privacy-aware and regulations tighten, a key question arises: who owns this data?
Recent debates in Europe and the US, particularly regarding the EU’s GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act), demonstrate that data ownership is less clear-cut than many leaders believe. This uncertainty is significant for Australian organisations planning for AI, personalisation, and data-driven growth (Osano Staff, 2024; Wolford, n.d.; Bloomberg Law, 2023).
EU vs US: Two models your business cannot ignore
European regulators have implemented comprehensive privacy laws. The GDPR grants individuals significant rights to access, correct, delete, and transfer their data, while imposing strict transparency and accountability requirements on organisations. Breaches can result in substantial fines, making privacy by design a board-level priority across Europe (Wolford, n.d.).
The US lacks a single national privacy law, relying instead on a patchwork of state-level laws, led by California’s CCPA/CPRA (California Privacy Rights Act), and sector-specific regulations. For global and digital-first businesses, this creates complex compliance requirements, as permissible data practices vary by state (DLA Piper, 2026; Bloomberg Law, 2023; Osano Staff, 2024).
Despite these regulations, neither model establishes customer data ownership in a property sense. Both frameworks allow organisations to use data under strict conditions, granting individuals control rights rather than outright ownership (Bloomberg Law, 2023; Osano Staff, 2024; Wolford, n.d.).
Where Australia fits – and why it is changing
Australia’s Privacy Act 1988 and the Australian Privacy Principles (APPs) take a middle-ground approach. They regulate how government agencies and most large businesses collect, use, and protect personal information, and provide individuals with rights to access and correct their data (Cookie Script, 2023; OAIC, n.d.; Falk, 2018).
Business leaders should note three key points:
- Australian law addresses the protection and handling of personal information, not customers’ ownership of it as property (OAIC, n.d.; Falk, 2018; Cookie Script, 2023).
- There are exemptions; for example, many small businesses are currently outside the Act, resulting in uneven expectations across the market (Abbott et al., 2026; OAIC, n.d.).
- Regulators indicate that the current framework is insufficient for large-scale data sharing, cloud platforms, and AI (McCullough Robertson Lawyers, 2023; Abbott et al., 2026).
The Federal Government has completed a major review of the Privacy Act and has agreed, or agreed in principle, to most recommended reforms. These include narrowing exemptions, strengthening enforcement, and introducing new obligations for high-risk activities such as AI-driven profiling and automated decision-making (Patto & Zhang, 2023; McCullough Robertson Lawyers, 2023; Abbott et al., 2026).
In practice, compliance requirements for Australian businesses are increasing.
What does this mean for business?
For Australian organisations, the question of data ownership leads to three practical considerations:
- What can we lawfully do with customer data and AI?
  Clearer definitions of purpose, stronger consent, and robust governance of data use in AI models, recommendation engines, and personalisation programmes are now essential. The previous approach of collecting all data without clear intent is increasingly risky (Cookie Script, 2023; McCullough Robertson Lawyers, 2023; Abbott et al., 2026).
- How do we maintain trust while innovating?
  Customers may not legally own their data, but they increasingly behave as if they do, often switching providers if they feel misled or exploited. Transparent communication, easy opt-outs, and respectful use of behavioural and inferred data are becoming central to the brand experience, not just legal compliance (Solove & Hartzog, 2025; Abbott et al., 2026).
- Are we ready for the next wave of regulation?
  With upcoming reforms and tightening global standards, reactive compliance projects will become more costly and disruptive. Businesses that invest early in strong data governance, privacy-by-design processes, and accountable AI will be better positioned as competitors adjust (McCullough Robertson Lawyers, 2023; Wolford, n.d.; Abbott et al., 2026).
A pragmatic Australian approach
Australia is unlikely to declare that individuals simply “own” all data about them. Instead, the focus is shifting toward whether data handling and use are fair, reasonable, and transparent, particularly when AI is involved (Abbott et al., 2026; Cookie Script, 2023; McCullough Robertson Lawyers, 2023).
Business leaders should view privacy and AI governance as enablers of growth, not obstacles:
- Build cross‑functional data governance that involves legal, IT, marketing, product and risk.
- Only collect data you can explain, and that is required for business outcomes.
- Treat derived data and AI‑generated insights with the same care as raw personal information.
- Ensure customers can easily understand your data practices and decline uses they are not comfortable with.
When executed effectively, this approach is not only about avoiding fines or negative publicity. It is about earning and maintaining the key asset that will differentiate Australian businesses in an AI-driven market: customer trust (Solove & Hartzog, 2025; McCullough Robertson Lawyers, 2023; Abbott et al., 2026).
What this means for you: Australian senior executives and boards
For Australian directors and senior executives, data and AI are no longer solely IT concerns; they are now central governance, risk, and strategy issues at the board level. Regulators, investors, and customers increasingly expect boards to demonstrate active oversight of data collection, use, security, and governance, especially in the context of AI and advanced analytics (OAIC, 2015; Hughes, 2025; APRA, 2019; Petschler, 2023).
Here is what that means in practical terms:
You will be held accountable for data and AI governance.
The direction of travel is clear: the Privacy Act reforms, the OAIC’s enforcement posture, and prudential standards such as APRA CPS 234 all emphasise that boards are ultimately responsible for information security, privacy governance, and resilience against data‑related incidents. Delegation is no defence; you must be able to show you have asked the right questions, set expectations, and monitored performance (Hughes, 2025; APRA, 2019; Petschler, 2023; Cliffside, n.d.; OAIC, 2015).
Privacy and AI governance are board-level responsibilities.
Just as financial reporting and cyber risk are recurring agenda items, privacy and the use of AI-related data require regular, structured oversight. That includes visibility over how customer data feeds into AI models, where sensitive inferences are being generated, and whether practices would pass an emerging “fair and reasonable” test in the eyes of regulators and the community (APRA, 2019; Petschler, 2023; OAIC, 2026; Attorney-General, 2023; OAIC, 2015; Hughes, 2025).
Boards must balance risk and opportunity.
Data‑driven personalisation, automation and AI can unlock efficiency and growth. However, they also create concentrated risks: large‑scale breaches, opaque decision‑making, discriminatory outcomes, and reputational damage when customers feel surveilled. As stewards of long‑term value, boards need to ensure that data and AI initiatives include early privacy impact assessments, robust controls, and clear accountability for failures – not just a glossy business case (Petschler, 2023; Vollebregt, 2023; Solove & Hartzog, 2025; McCullough Robertson Lawyers, 2023; OAIC, 2015; Hughes, 2025).
Boards require evidence, not just assurances.
Oversight now requires more than management saying, “we are compliant”. Boards should be seeing meaningful reporting on privacy incidents, data breaches, AI use cases, vendor risks and remediation progress, in a format that supports informed challenge and decision‑making. Independent assurance – internal audit, external reviews, or benchmarking against OAIC guidance and relevant standards – is increasingly a necessity rather than a nice‑to‑have (OAIC, 2026; Cliffside, n.d.; OAIC, 2015; Hughes, 2025; APRA, 2019; Petschler, 2023).
Organisational culture is the true differentiator.
The organisations that thrive in this environment will treat responsible data use as part of their culture and brand, not just their compliance programme. Boards set the tone: by linking data and AI governance to organisational values, risk appetite and executive incentives, you can ensure that “can we do this with data?” is always balanced with “should we – and would our customers accept it?” (OAIC, 2015; Hughes, 2025; Petschler, 2023; OAIC, 2026).
In summary, for Australian senior leaders, the focus is shifting from “do we own this data?” to “are we exercising the care, transparency, and accountability that regulators and customers now expect?” Those who meet these expectations will not only avoid compliance issues but also build a competitive advantage based on trust that AI alone cannot replicate (Solove & Hartzog, 2025; Patto & Zhang, 2023; Hughes, 2025; Petschler, 2023; OAIC, 2026; OAIC, 2015).
REFERENCES
Abbott, C., Pulham, R., Mayhew, S., & Gates, K. (2026, June 3). Australia’s Privacy Framework Set to be Revamped Following the Government’s Response to the Privacy Act Review Report [Law]. The National Law Review. https://natlawreview.com/article/australias-privacy-framework-set-be-revamped-following-governments-response-privacy
APRA. (2019, July 1). CPS 234 Information Security [Government]. Australian Government. APRA. https://handbook.apra.gov.au/standard/cps-234
Attorney-General. (2023, September 28). Government response to the Privacy Act Review Report, Feedback updated. Australian Government. https://consultations.ag.gov.au/integrity/privacy-act-review-report/
Bloomberg Law. (2023, July 11). Comparing U.S. State Data Privacy Laws vs. The EU’s GDPR [Media]. Bloomberg Law. https://pro.bloomberglaw.com/insights/privacy/privacy-laws-us-vs-eu-gdpr/
Cliffside. (n.d.). A legally binding standard for every APRA-regulated entity, not a best-practice guide. Cliffside. Business. https://www.cliffside.com.au/insights/apra-cps-234-compliance-guide/
Cookie Script. (2023, July 10). Australia Privacy Act of 1988 [Technology]. Cookie Script. https://cookie-script.com/privacy-laws/australia-privacy-act-of-1988
DLA Piper. (2026, March 31). Data protection laws in the United States [Law]. DLA Piper. https://intelligence.dlapiper.com/
Falk, A. (2018, April 30). OHCHR report on the right to privacy in the digital age [Letter]. Office of the Australian Information Commissioner. https://www.ohchr.org/sites/default/files/Documents/Issues/DigitalAge/ReportPrivacyinDigitalAge/OfficeAustralianInformationCommissioner.pdf
Hughes, A. (2025, August 27). OAIC guidance is law: Privacy compliance, enforcement and the new governance era [Business]. Louder. https://louder.com.au/2025/08/27/oaic-guidance-is-law-privacy-compliance-enforcement-and-the-new-governance/
McCullough Robertson Lawyers. (2023, December 20). Australia: Government response to the Privacy Act Review Report [Law]. McCullough Robertson Lawyers. https://mccullough.com.au/2023/12/20/australia-government-response-to-the-privacy-act-review-report/
Office of the Australian Information Commissioner (OAIC). (2026, May 13). Australian Privacy Principles guidelines [Government]. Australian Government. https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines
Office of the Australian Information Commissioner (OAIC). (2015, May 4). Privacy management framework: Enabling compliance and encouraging good practice [Australian Government]. Australian Government. https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/more-guidance/privacy-management-framework-enabling-compliance-and-encouraging-good-practice
Office of the Australian Information Commissioner (OAIC). (n.d.). Privacy law – an overview. Australian Government. https://ovic.vic.gov.au/privacy/resources-for-organisations/privacy-officer-toolkit/privacy-law-an-overview/
Osano Staff. (2024, August 12). Data Privacy Laws: What You Need to Know in 2025 [Compliance]. Osano. https://www.osano.com/articles/data-privacy-laws
Patto, J., & Zhang, A. (2023, October 3). 2023 Government Response to the Privacy Act Review Report [Business]. PWC. https://www.pwc.com.au/legal/publications/2023-government-response-to-the-privacy-act-review-report.html
Petschler, L. (2023, November 1). Major changes to Australian privacy laws [Business]. Australian Institute of Company Directors. https://www.aicd.com.au/good-governance/data/privacy/major-changes-to-australias-privacy-laws.html
Solove, D. J., & Hartzog, W. (2025). The Great Scrape: The Clash Between Scraping and Privacy. California Law Review, 113. https://www.californialawreview.org/print/great-scrape
Vollebregt, E. (2023, August). Privacy Act Review—Preparing for the reforms [Law]. Law Society of South Australia. https://bulletin.lawsocietysa.asn.au/Bulletin/Bulletin/Content/Articles/2023/August/privacy_act_review.aspx
Wolford, B. (n.d.). What is GDPR, the EU’s new data protection law? [European Union]. GDPR. https://gdpr.eu/what-is-gdpr/
JULIE REID is an experienced Senior Marketer, Strategist, Researcher and Educator, and the founder of Genis Marketing & Digital.
Qualifications include an MBA (Executive), graduating with distinction. Dip. Bus Marketing, BA App. SC.