IPMojo

BOOK AN APPOINTMENT

Digital Law

by

AI-Generated Works & Australian Copyright — What IP Owners Need to Know

Artificial intelligence isn’t just a tool anymore — it’s a collaborator, a co-author, a designer, a composer, and sometimes, a headache. As generative AI models keep reshaping creative industries, the question for lawyers, founders, and creators is simple: Who owns what when AI helps create it?

The Australian Position: Still (Mostly) Human

Under Australian copyright law, protection only arises for an original work that has a human author. Section 32 of the Copyright Act 1968 (Cth) still assumes that authorship is a human act — one involving independent intellectual effort and sufficient human skill and judgment.

That means:

  • If an AI system generates a work entirely on its own, it’s not a “work” under the Act.

  • If a human uses AI as a creative aid, and the human’s contribution involves real creative choice — not just typing a prompt — the resulting work may be protected.

  • But if the human’s input is minimal or mechanical, protection is shaky at best.

There have been plenty of official hints that legislative reform is coming, but for now, the position is clear: no human, no copyright.

Human + AI: Collaboration or Confusion?

In practice, most creative or technical outputs sit in a grey zone between human authorship and full automation.

Take these examples:

  • A marketing team uses Midjourney to create a logo based on multiple prompts and manual refinements.

  • A software developer uses GitHub Copilot to generate snippets, then curates and rewrites them.

  • A songwriter uses Suno or Udio to generate backing tracks, then layers vocals and structure.

In each case, the key question is: how much creative control did the human exert? Ownership (and enforceability) often depends less on the tool, and more on the human story behind the output.

Overseas Comparisons: Diverging Paths

  • United States: The U.S. Copyright Office has refused registration for purely AI-generated works (Thaler v Perlmutter), but allows copyright in human-authored parts of mixed works.

  • United Kingdom: Section 9(3) of the Copyright, Designs and Patents Act 1988 nominally attributes authorship to “the person by whom the arrangements necessary for the creation of the work are undertaken” — a possible (though untested) foothold for AI users.

  • Europe: The EU’s AI Act (Artificial Intelligence Act (Regulation (EU) 2024/1689)) leans heavily toward transparency and data-source disclosure, rather than redefining authorship.

  • China and Japan: Both have started to recognise limited copyright protection for AI-assisted works where human creativity remains substantial.

Australia hasn’t chosen a path yet — but in my view, any eventual reform is likely to echo the UK or EU models rather than the U.S. approach.

What IP Owners Should Do Now

Until the law catches up, contractual clarity is your best protection.

  1. Define ownership up-front: Ensure contracts, employment agreements, and service terms specify who owns outputs “created with the assistance of AI tools.” Clauses that tie ownership to “human input” and “creative control” can avoid later disputes.

  2. Track human contribution: Keep records of prompts, edits, decisions, and drafts — proof of human creativity can become decisive evidence if ownership is challenged.

  3. Check your inputs: Many AI systems are trained on datasets containing copyrighted material. Using their outputs commercially could expose you to infringement risk if the output is too close to the training data.

  4. Disclose AI use where relevant: For regulators (and some clients), transparency is now part of “reasonable steps” under APP 11 of the Privacy Act 1988 (Cth) and emerging AI-governance frameworks.

  5. Consider alternative protection: Where copyright may fail, consider trade marks, registered designs, or even confidential-information regimes for valuable AI-assisted outputs.

The Next Frontier: Authorship by Prompt?

The next legal battleground may well be prompt authorship — whether the person crafting complex or structured prompts can claim copyright in the resulting output or in the prompt itself. Early commentary suggests yes, if the prompt reflects creative skill and judgment, but this remains untested in Australian courts.

Final Thoughts …

AI isn’t erasing copyright — it’s forcing it to evolve. For now, the safest position is that human-directed, human-shaped works remain protectable. Purely machine-generated ones don’t.

But the creative frontier is moving fast, and so is the legal one. If you’re commissioning, creating, or commercialising AI-generated content, assume that ownership must be earned through human input — and documented accordingly.

Australia’s copyright and privacy frameworks are both in flux. Expect further reform by mid-2026, when the government’s broader AI and IP Reform Roadmap is due.

Until then: contract it, track it, and own it.

by

Privacy’s First Big Hit: Australian Clinical Labs Fined $5.8 Million for Data Breach Failures

When 86 gigabytes of patient data — including health, financial and identity information — hit the dark web after a ransomware attack, the fallout was always going to be brutal.

Now, in Australian Information Commissioner v Australian Clinical Labs Limited (No 2) [2025] FCA 1224, the Federal Court has handed down a $5.8 million penalty — marking the first civil penalty judgment under the Privacy Act.

And it’s a warning shot for every business holding personal information in Australia.

⚖️ The Case in a Nutshell

Australian Clinical Labs (ACL) — one of the country’s largest private pathology providers — bought Medlab Pathology in late 2021.

What it didn’t buy (or even check properly) were Medlab’s crumbling IT systems: unsupported Windows servers, weak authentication, no encryption, and logs that deleted themselves every hour.

In February 2022, the inevitable happened — a ransomware group calling itself “Quantum” infiltrated Medlab’s servers, exfiltrated 86GB of data, and dumped it online.

ACL’s response was painfully slow. Despite early signs of exfiltration, it:

  • Relied almost entirely on an external consultant’s limited review;

  • Concluded (wrongly) that no data had been stolen;

  • Ignored early warnings from the Australian Cyber Security Centre; and

  • Waited over three months before notifying the OAIC.

🧩 The Breaches

Justice Halley found ACL had seriously interfered with the privacy of 223,000 individuals through three major contraventions of the Privacy Act 1988 (Cth):

  1. Breach of APP 11.1 — Failure to take reasonable steps to protect personal information from unauthorised access or disclosure.

    • The Medlab systems were riddled with vulnerabilities.

    • ACL failed to identify or patch them after acquisition.

    • Overreliance on third-party providers compounded the problem.

  2. Breach of s 26WH(2) — Failure to carry out a reasonable and expeditious assessment of whether the incident was an eligible data breach.

    • ACL’s “assessment” was based on incomplete data and unsupported assumptions.

    • The Court called it unreasonable and inadequate.

  3. Breach of s 26WK(2) — Failure to notify the Commissioner as soon as practicable after forming the belief that an eligible data breach had occurred.

    • ACL delayed nearly a month after confirmation that personal and financial information was on the dark web.

Each breach amounted to a “serious interference with privacy” under s 13G, attracting civil penalties.

💰 The Penalty Breakdown

ACL agreed to pay a total of $5.8 million:

Contravention Section Penalty
Breach of APP 11.1 (223,000 contraventions, treated as one course of conduct) s 13G(a) $4.2 million
Failure to assess breach s 26WH(2) $800,000
Failure to notify OAIC s 26WK(2) $800,000
Total $5.8 million

ACL also agreed to pay $400,000 in costs.

While the theoretical maximum exceeded $495 billion, the Court accepted the agreed penalty as being within the permissible range — particularly given ACL’s cooperation, remorse, and post-breach reforms.

⚙️ “Reasonable Steps” — The New Legal Standard

This judgment finally gives judicial colour to APP 11.1’s “reasonable steps” requirement.
Justice Halley said reasonableness must be assessed objectively, considering:

  • the sensitivity of the information;

  • the potential harm from unauthorised disclosure;

  • the size and sophistication of the entity;

  • the cyber risk landscape; and

  • any prior threats or attacks.

Critically, “reasonable steps” cannot be outsourced — delegation to an IT vendor does not discharge responsibility.  ACL’s overreliance on StickmanCyber was no defence.

🚨 Why It Matters

This decision rewrites the playbook for privacy compliance in Australia:

  • Civil penalties are real — the OAIC now has judicial precedent for enforcement.

  • Each affected individual counts — the Court held that each person’s privacy breach is a separate contravention.

  • “Serious” breaches will be taken seriously — health and financial data, inadequate security, and systemic failures will all tip the scales.

  • M&A due diligence must cover cybersecurity — buying a business means inheriting its data liabilities.

  • Notification delays will cost you — the OAIC expects “as soon as practicable,” not weeks or months.

💡 IP Mojo Take

Privacy can’t be treated anymore like it is just a paperwork exercise — it’s a governance test you can fail in the Federal Court.

This case cements privacy law as a compliance discipline with teeth.

The OAIC now has a roadmap for future actions — and the Court has made clear that “reasonable steps” means measurable, auditable, and proactive security governance.

For corporate Australia, this is ASIC v RI Advice for the health sector — but under the Privacy Act instead of the Corporations Act.

Expect to see:

  • Increased OAIC enforcement in healthcare, finance, and tech sectors;

  • Board-level scrutiny of data protection measures; and

  • Class actions waiting in the wings, armed with a judicial finding of “serious interference with privacy.”

The privacy bar has just been raised — permanently.

by

First Use vs First File: Vmaisi Trade Mark Squatter Knocked Out

The name Vmaisi might not ring a bell — but in this opposition it was the difference between owning a brand and losing it.

Chengbo Wang, founder of Ningbo Vmaisi Import & Export Co Ltd, knocked out Xiang Chen’s attempt to register Vmaisi in class 20 (non-metal hardware, locks, baby seats).

👉 The battleground? Section 58 of the Trade Marks Act 1995 — ownership.

Wang came armed with real-world evidence: Shopify orders, Amazon listings, and Australian customers clicking “buy now.”

Chen, meanwhile, turned up empty-handed — and with a history of filing other people’s brands without doing much else.  The Delegate wasn’t impressed, calling it the classic playbook of a bad-faith filer.

🔑 Why it matters

  • First use beats first file — ownership flows from actual use, not just getting in line at the filing counter.

  • Global clicks count — Amazon, Shopify and website screenshots can prove Australian use.

  • Conduct matters — a pattern of opportunistic filings can tip the scales against you.

💡 IP Mojo Take

Trade mark squatting isn’t just an “overseas problem” — it’s alive and well here too.

And remember: Australia’s trade mark register is a register of ownership, not ownership by registration. Only the true owner can register a mark. Filing doesn’t magically make you one.

For brand owners:

  • Keep an eye on the register — if you snooze, you lose.

  • Move fast if someone else files your brand.

  • For e-commerce businesses: your digital receipts, analytics, and customer data are gold when proving ownership.

In today’s digital marketplace, your best defence may just be sitting in your Shopify dashboard.

by

Deepfakes on Trial: First Civil Penalties Under the Online Safety Act

The Federal Court has handed down its first civil penalty judgment under the Online Safety Act 2021 (Cth), in eSafety Commissioner v Rotondo (No 4) [2025] FCA 1191.

Justice Longbottom ordered Anthony (aka Antonio) Rotondo to pay $343,500 in penalties for posting a series of non-consensual deepfake intimate images of six individuals, and for failing to comply with removal notices and remedial directions issued by the eSafety Commissioner.

Key Points

1. First penalties under the Online Safety Act

This is the first time civil penalties have been imposed under the Act, making it a landmark enforcement case.

The Commissioner sought both declarations and penalties, with the Court emphasising deterrence as its guiding principle.

2. Deepfakes squarely captured

The Court confirmed that non-consensual deepfake intimate images fall within the Act’s prohibition on posting “intimate images” without consent.

Importantly, it rejected Rotondo’s submission that only defamatory or “social media” posts should be captured.

3. Regulatory teeth and enforcement

Rotondo received notices under the Act but responded defiantly (“Get an arrest warrant if you think you are right”) before later being arrested by Queensland Police on related matters.

His lack of remorse and framing of deepfakes as “fun” aggravated the penalty.

4. Platform anonymity

Although the Commissioner did not object, the Court chose to anonymise the name of the website hosting the deepfakes — reflecting a policy judgment not to amplify harmful platforms.

That said, the various newspapers reporting on this story all revealed the website’s address, but noted it has now been taken down.

IP Mojo is choosing not to reveal that website.

5. Civil vs criminal overlap

Alongside the civil penalties, the Court noted criminal charges under Queensland’s Criminal Code.

This illustrates how civil, regulatory and criminal enforcement can run in parallel.

Why It Matters

  • For regulators: This case confirms the Act has teeth. Regulators can secure significant financial penalties even where offenders are self-represented.

  • For platforms: The Court’s approach signals that services hosting deepfakes are firmly in scope, even if located offshore.

  • For the public: The judgment highlights the law’s adaptability to AI-driven harms — and sends a clear deterrence message.

  • For practitioners: Expect more proceedings of this kind, particularly as the prevalence of AI-generated abuse grows.

by

The Art of Disclaimers: Jacksons v Jackson’s Art Supplies (No 2)

When two businesses with nearly identical names lock horns, things usually come down to trade marks, passing off, and reputation.  But in Jacksons Drawing Supplies Pty Ltd v Jackson’s Art Supplies Ltd (No 2) [2025] FCA 1127, the real fight was over disclaimers, pop-ups, sticky banners, and user attention spans.

Yes, really. Welcome to the future of injunctive relief.

The Backdrop: Two Jacksons, One Internet

  • Jacksons Drawing Supplies (JDS) is the long-standing Australian art supply brand.

  • Jackson’s Art Supplies (JAS) is a UK giant with a strong online presence.

When JAS launched its Australia-specific subdomain (jacksonsart.com/en-au), it didn’t just sell paints and brushes — it displayed Australian flags, quoted in AUD, listed an Adelaide warehouse, and even had an Aussie phone number. To many customers, it looked like the local Jacksons.

The Court (in an earlier decision) held that this conduct contravened s 18 and s 29 of the ACL and amounted to passing off.

Round Two: The Relief Hearing

The question was: what form should the non-pecuniary relief take?

JDS wanted a sticky header disclaimer on every page (always visible). JAS wanted a one-off pop-up disclaimer (dismiss it once and never see it again).

The Federal Court, armed with expert evidence on digital attention, split the difference.

Attention Science Hits the Federal Court

This case is remarkable for its reliance on attention science experts:

  • Michael Simonetti (website developer & SEO expert)
    Warned about “banner blindness”: users ignore sticky headers and disclaimers that look like ads.

  • Dr Karen Nelson-Field (global expert on omnichannel attention science)
    Explained that pop-ups trigger active attention because they interrupt the browsing experience. Sticky headers, by contrast, fade into the background.

  • Professor Mingming Cheng (digital marketing & SEO)
    Highlighted that hyperlinking to JDS’s site could affect search engine algorithms and reinforce associations between the two brands.

The Court accepted that no disclaimer format guarantees it will be read, but opted for the solution most likely to cut through.

The Court’s Orders

Justice Jackson ordered that JAS can’t operate its Australia-specific site (or any site with Australian characteristics) unless it shows a disclaimer:

“Please note: this website is not affiliated with the Australian company Jacksons Drawing Supplies Pty Ltd or its website jacksons.com.au.”

The disclaimer must:

  • Pop up every time a user starts a new browser session, blocking the site until acknowledged.

  • Also appear at the bottom of each page (non-sticky, same size as body text).

  • Be clear, prominent, and legible.

  • Not include any hyperlink to JDS’s site (too much risk of SEO crossover and confusion).

No requirement for phone sales, social media, or ads — because the misrepresentation arose via the website itself.

No Sticky Business

JDS’s sticky header idea was rejected as:

  • Too intrusive, especially on mobile devices.

  • Likely to be ignored due to banner blindness.

  • Damaging to user experience with little benefit.

Pop-ups, despite being annoying, were judged the least-worst option.

Costs: Calderbank Offers Bite Back

The Court also tackled costs.

  • JDS was successful overall, but lost against the third and fourth respondents.

  • JAS had made Calderbank offers (including restricting sales into JDS’s “core markets” and paying a small sum).

  • The Court held JDS was not unreasonable to reject them — the offers didn’t resolve the cross-claim, lacked mutuality, and wouldn’t necessarily prevent consumer confusion.

The result?

  • JDS gets costs against the first and second respondents (with a 15% discount).

  • The third and fourth respondents get indemnity costs from a certain date.

Why This Case Matters

This decision is a practical playbook for how courts may deal with online misrepresentation and passing off in 2025 and beyond:

  1. Disclaimers must do more than exist — they must grab attention. Passive banners won’t cut it.

  2. User experience is relevant — remedies must be proportionate and fair, not ruin the site.

  3. Hyperlinks aren’t a free fix — they can create new risks of association in both consumers’ minds and search engine algorithms.

  4. Attention science is evidence — expert testimony on human behaviour online now shapes equitable relief.

  5. Calderbank strategy remains vital — but offers must be clear, mutual, and genuinely address the issues at stake.

Takeaways for Brand Owners

  • Global websites need local strategy. If you’re running an AU subdomain, check your disclaimers and branding.

  • Disclaimers aren’t window dressing. Courts will look at how they’re delivered, not just what they say.

  • Attention matters. Evidence from digital marketing and psychology can sway the outcome.

  • Settlement strategy is as important as trial strategy. Get your Calderbank offers right.

Bottom line: The Federal Court has signalled that in the age of pop-ups, banner blindness, and Google algorithms, effective remedies must be technologically and behaviourally savvy. For IP lawyers and brand managers, Jacksons v Jackson’s is a reminder that protecting reputation online requires more than just words — it requires understanding how consumers really pay attention.

by

Australia’s courts are no longer sitting on the sidelines of the AI debate. Within just a few months of each other, the Supreme Courts of New South Wales, Victoria, and Queensland have each published their own rules or guidance on how litigants may (and may not) use generative AI.

The result? A patchwork of approaches — from strict prohibition to principles-based guidance to pragmatic policy.

NSW: Rules with Teeth

The NSW Supreme Court’s Practice Note SC Gen 23 is the most prescriptive of the three.

  • Affidavits & evidence: AI must not be used to generate affidavits, witness statements, or character references. Each must disclose that no AI was used.

  • Written submissions: AI assistance is permitted, but every citation and authority must be personally verified.

  • Confidential material: Suppression-protected or subpoenaed docs must not go near an AI tool unless strict safeguards exist.

  • Experts: AI use in expert reports requires prior leave of the Court, with detailed disclosure obligations.

This is a black-letter approach: firm rules, mandatory disclosures, and penalties if ignored.

Victoria: Trust and Principles

The Victorian Supreme Court Guidelines (2025) are principles-based.

  • Disclosure of AI-use is encouraged: Especially for self-represented parties, transparency helps judges understand context.

  • Cautions are flagged: Generative AI can be inaccurate, out-of-date, incomplete, jurisdictionally inapplicable, or biased.

  • Responsibility is clear: Lawyers remain fully accountable for accuracy and proper basis. “The AI made me do it” is no defence.

  • Judicial use: Courts confirm AI is not to be used to prepare judgments or reasons.

It’s a trust-but-verify model, leaning on professional responsibility rather than outright bans.

Queensland: Pragmatic First Step

The Queensland Supreme Court AI Guidelines (2025) (which we covered in yesterday’s IP Mojo post) sit somewhere in the middle.

  • The tone is more pragmatic, focused on practicalities like accuracy, confidentiality, and proper verification.

  • The scope is less prescriptive than NSW, but more directive than Victoria.

  • The positioning signals that AI is already here, but stresses that obligations of candour and accuracy remain unchanged.

Qld’s approach reads more like a policy statement than binding rules — but it makes clear that AI use is under judicial scrutiny.

A Timeline of Moves

  • NSW: First issued SC Gen 23 in Nov 2024 (updated Jan 2025, effective Feb).

  • Victoria: Released guidelines in early 2025.

  • Queensland: Followed in Feb 2025 with its policy framework.

So while NSW and Victoria were the early movers, all three now have frameworks in play.

Three States, Three Philosophies

State Approach Key Features
NSW Prescriptive “hard law” Strict bans on affidavits/witnesses, leave required for experts, mandatory disclosure
Victoria Principles-based “soft law” Encourages disclosure, flags risks, trusts practitioner responsibility
Queensland    Pragmatic policy Practical guidance, verification and accuracy focus, less formal but watchful

Why This Matters

For practitioners, this divergence isn’t academic:

  • Forum-specific compliance is now a reality — what’s permissible in Brisbane may be prohibited in Sydney.

  • Harmonisation vs patchwork: Will the states converge over time, or continue down separate paths?

  • Strategic implications: Could litigants engage in forum shopping if one jurisdiction feels more AI-friendly?

One thing is clear: Australian courts are acting fast, and the rules of the litigation game are being rewritten — jurisdiction by jurisdiction.