Authors: Kieran Doyle, Nicole Gabryk, Stephen Morrissey, Christy Mellifont, Lana Remedi, Leah Mooney, Joseph Fitzgerald, Matt O’Keefe, Sorawat Wongkaweepairot, Pippa Austin, Gavin Davies, James Stavridis, Katie Kyung, Jorge Nicholas, Amanda Tai, Nuttida Doungwirote, Josh Simonis, Rebekah Maxton, Olivija Radinovic, Anke Joubert, Stefanie Constance, Ilias Tsirogiannis, Phoebe Nikolaou, Miles McConway, Kayleigh Maxwell, Danyon Soligo, Emily McCullough, Olive Huang, Jonty Butler, Alyssa Martino, Maree Pasvanis, Kay Chan and Ariella Tracton

Issue 15 of our Cyber, Data and Technology APAC Bulletin is here, covering key developments and insights for our clients.

This issue highlights major developments in Australia, including critical lessons from the Medibank case on the limits of legal professional privilege, growing regulatory scrutiny on biometric data following decisions involving Bunnings and 2Apply, and increased enforcement activity from ACMA under spam and telecommunications laws. Cyber governance expectations continue to rise, with proposed amendments to the SOCI Act, updated AML/CTF privacy guidance, and evolving obligations for organisations handling sensitive data and critical infrastructure.

Cyber threat activity also remains elevated with continued ransomware evolution, including the expansion of affiliate models targeting critical networks, and increasing sophistication in supply chain attacks. Australia’s broader cyber threat landscape reflects heightened risks across both public and private sectors, alongside emerging concerns such as sanctions exposure in remote hiring practices and large-scale fraud risks in financial systems.

AI, data use and digital innovation remain key focus areas. This edition explores the privacy and security implications of virtual try-on tools, the role of AI within existing consumer protection frameworks, and new global guidance such as NIST’s AI cyber framework. Australia’s long-term direction is also addressed through national expectations for AI infrastructure investment and regulatory positioning on AI risk.

Across the region, regulatory momentum continues. New Zealand has released its National Cyber Security Strategy and increased focus on children’s privacy, while Singapore is advancing AI governance frameworks, mandating stronger cyber standards, and responding to state-linked cyber threats. Thailand is also elevating cybersecurity as a top business risk, alongside increased regional cooperation on cyber resilience and digital trade.

We hope you find this edition both practical and insightful as organisations navigate an increasingly complex cyber, data and technology landscape.

If you’d like to discuss any of the topics covered, please reach out to a member of our team or click here to find out more.