Trading intangibles across borders: legal and regulatory considerations for Australian resource companies

Intangible assets – once considered peripheral – are now mission-critical to Australia’s mining, oil, and gas industries. As resource companies increasingly depend on digital systems and data-driven services to operate and compete globally, intangible trade has become a key driver of efficiency, innovation and regulatory compliance. 

However, when intangible inputs cross borders – whether imported, exported or internally transferred across jurisdictions – they give rise to numerous legal, tax and regulatory risks. For resources and energy companies, managing these risks is essential to maintaining commercial resilience, meeting security obligations and sustaining global competitiveness.

From cloud-based enterprise systems and digital twins to emissions tracking platforms, AI-driven maintenance tools, and blockchain-enabled supply chain traceability, intangible assets are embedded across the value chain. Many of these services and systems are hosted or supported from offshore, meaning cross-border data flows are a routine part of business. 

At the same time, Australian resource companies are also increasingly exporting their intangible capabilities – such as mine design, offshore project modelling and AI-enhanced energy analytics – into foreign jurisdictions. As intangible trade becomes central to both operations and export strategies, it is also attracting heightened scrutiny, including under national security, cyber governance, tax, and data protection regimes.

Key legal and regulatory issues

Cybersecurity and critical infrastructure – The Security of Critical Infrastructure Act 2018 (SoCI Act) applies to many assets in the mining and oil and gas sectors. LNG plants, gas pipelines, major ports and mineral processing facilities are all likely to be classed as critical infrastructure, as are some mine sites and remote operations centres, particularly where they rely on automated systems integrated with logistics, water or energy networks.

When offshore systems are used as part of the critical infrastructure, the company may become subject to significant reporting and compliance obligations. These systems include SCADA (Supervisory Control and Data Acquisition) platforms (which allow companies to monitor and control industrial processes remotely), production modelling software and predictive maintenance AI tools. Companies may be subject to asset registration requirements, mandatory cyber incident reporting, a government-approved risk management program, supply chain visibility and personnel vetting obligations, and emergency intervention powers in the event of a cyber incident.

This means that even routine digital procurement may carry legal obligations if integrated into core operational systems of critical infrastructure. Examples include purchasing a US-hosted emissions reporting tool or outsourcing IoT analytics to a European vendor.

Privacy and offshore data risks – The Privacy Act 1988 (Cth) imposes specific obligations when personal information crosses borders. Many companies, including mining and energy operators, rely on offshore digital platforms and cloud-based systems to manage personnel, operational, and compliance data, and routinely process sensitive information (including employee and contractor records, health data, site access logs and travel movements) using global systems hosted outside Australia. 

Australian Privacy Principle 8 (APP 8) applies whenever personal information is disclosed to an overseas recipient. This includes hosting personnel data on cloud servers in the United States, European Union or Asia, using foreign vendors for compliance tracking, training or health monitoring tools, granting offshore technical support teams access to local systems and deploying digital surveillance tools such as driver fatigue monitoring and behavioural analytics. Digital surveillance tools may require clear employee notice and consent, particularly where data is processed offshore.

Australian companies remain legally accountable for any breach of the APPs by the overseas provider, and liability can be triggered regardless of the provider's own legal obligations or reputation. To comply, companies must conduct due diligence on foreign vendors' privacy and security standards, include contractual safeguards requiring compliance with the APPs or substantially equivalent protections, and assess jurisdictional risks, particularly where local laws allow broad government access to hosted data or impose data localisation constraints.

Australia's privacy regime is more principles-based and flexible than many global peers. It does not mandate data localisation or maintain a formal list of ‘adequate’ countries, unlike the EU's General Data Protection Regulation (GDPR). 

However, this flexibility places a greater onus on Australian companies to assess and mitigate the risks of offshore data flows. This is especially important in sensitive sectors like energy and mining, where operational data is increasingly intertwined with personal information. Resource companies operating internationally should not assume Australian compliance ensures conformity with global requirements (and that overseas compliance ensures Australian compliance) – inconsistent vendor protections, foreign law exposure and the lack of enforceable adequacy decisions make privacy governance a live legal and reputational risk.

Privacy Act reform is also underway in Australia, with proposed changes including significantly higher penalties for serious or repeated breaches, mandatory privacy impact assessments for high-risk data uses and potential restrictions on cross-border data transfers to high-risk jurisdictions. These reforms would bring Australia closer to EU-style regulation and would further raise the bar for companies relying on global platforms to manage their people and operations. 

Mining and energy companies should treat offshore data storage and processing as a legal and governance issue, not just an IT matter. Data handling decisions made today may become riskier and costlier under the next iteration of the law, particularly those involving global platforms.

Royalties, taxes and transfer pricing – The Australian Taxation Office (ATO) is increasing its scrutiny of cross-border intangible arrangements, in particular software licensing, embedded analytics platforms and digital service delivery. Common arrangements in the resources sector that attract risk include:

• intra-group licensing of digital twins, LNG optimisation software, or proprietary emissions tools;
   
• third-party access to operational platforms from offshore service centres; and
   
• remote engineering or project support integrated into capex planning.

Key compliance issues include:

• transfer pricing, where transactions must be priced at arm's length and supported by proper documentation;
   
• royalty withholding tax, where payments for software or embedded IP may be treated as royalties attracting a 30% tax unless reduced by treaty; and
   
• characterisation risks, where services that include digital delivery components may be reclassified as royalties or technical services for tax purposes. 

The ATO is also increasingly focused on applying Part IVA and Diverted Profits Tax (DPT) to scrutinise intangible arrangements. Part IVA is Australia’s general anti-avoidance provision which allows the ATO to cancel tax benefits derived from arrangements made with the primary purpose of avoiding tax, while DPT targets large multinational companies that shift profits artificially out of Australia to low-tax jurisdictions. 

The ATO’s draft taxation ruling 2024/D1 is targeted at ‘software arrangements’ and the finalisation of the draft ruling is imminent having regard to the High Court of Australia’s recent decision in Commissioner of Taxation v PepsiCo Inc [2025] HCA 30. While the ruling concerns ‘software arrangements’, the ATO is seeking to apply royalty withholding tax in a wide-ranging number of circumstances, including the intangible arrangements of Australian mining and energy companies.

Oil and gas companies face elevated scrutiny where intangibles are licensed across jurisdictions with large inter-company flows and long-term infrastructure contracts. Companies in the resources sector need to ensure that their arrangements are robust in both commercial substance and compliance to mitigate the risk of falling foul of these tax provisions, which could result in costly disputes and penalties with the ATO.

IP and contract management – Clear ownership, use rights and protection of IP is critical for mining and energy companies. This applies when sourcing offshore technologies or exporting technical services. Key considerations include: 

• ensuring imported software or models are licensed for Australian use;
   
• protecting proprietary mine planning or project optimisation tools when exported;
   
• managing open-source components within broader platforms; and
   
• ensuring derivative works and confidential methodologies are contractually ring-fenced.

Without robust IP terms in contractual arrangements, companies risk revenue leakage, loss of control over key capabilities or infringement exposure in foreign jurisdictions.

Export controls and sanctions – Technical exports may fall under Australian sanctions or export control laws. This includes digital emissions models, well optimisation tools and geospatial planning software, particularly when delivered to sanctioned countries or entities, used in offshore defence, dual-use or energy infrastructure, or contain encrypted components or sensitive analytics.

Resources and energy companies operating across Asia, Africa and the Middle East must be especially cautious in structuring cross-border digital service offerings. Even intangible exports such as cloud delivery or remote login can trigger export restrictions under the Autonomous Sanctions Act 2011 (Cth) and Defence Trade Controls Act 2012 (Cth).

How to manage intangible trade risk

To address the risks of trading intangible assets, resource companies should take proactive steps in three key areas. 

1. Procurement and contracting. Intangible risk often enters through procurement. Routine vendor contracts should be reviewed, including those for field operations, asset maintenance, and digital infrastructure. Common issues in mining and oil and gas contracts include:
   
   •    failing to include clear IP ownership or indemnity clauses;
   
   •    omitting cybersecurity obligations for offshore vendors;
   
   •    not specifying data hosting locations or jurisdictional constraints;
   
   •    allowing sub-processing without prior approval; and 
   
   •    excluding obligations to comply with APP 8 when personal data is handled offshore.
    
2. Legal and compliance. Legal and compliance teams should take the lead in identifying and managing intangible trade risk. Key actions for companies include mapping all cross-border intangible flows, including software, data, services and intra-group arrangements, and maintaining a register of material cross-border intangible arrangements, identifying key vendors, hosting jurisdictions, licensing structures and compliance obligations. This is similar to establishing modern slavery or ESG registers. Companies should also embed intangible trade risk in enterprise risk frameworks, particularly where operations rely on offshore platforms or data systems. Legal teams should consider reviewing and updating contracts with foreign vendors and affiliates to clarify IP ownership, data obligations, cyber responsibilities and dispute resolution provisions (which should ideally provide for arbitration as a neutral, procedurally flexible and confidential alternative to litigation before local courts). There should also be a focus on monitoring regulatory changes, especially in the areas of privacy, critical infrastructure, foreign investment, cybersecurity and sanctions, that may affect current or planned arrangements. Teams should also align governance across functions by involving legal, IT, cyber, tax, procurement and operations in decision-making on intangibles.
    
3. Governance. Boards and executive teams must ensure intangible trade risks are governed with the same rigour as physical or financial risks. This means developing a clear understating of the risk and including intangible trade risk in ERM systems and board risk registers, requiring executive-level visibility of foreign-hosted or externally managed platforms, reviewing cross-border digital flows and contracts across key functions, and ensuring sustained oversight of digital suppliers, particularly those supporting operational or critical infrastructure systems.

***

Intangible inputs are now integral to how resources and energy businesses operate, optimise and expand – there needs to be an appropriate balance between driving innovation while ensuring compliance with new layers of regulatory complexity. As these digital assets become more central to business models, they also represent a growing source of legal, tax, and compliance exposure across jurisdictions.

To stay ahead of this rapidly evolving risk landscape, companies should look to embed oversight of intangible trade into procurement processes, legal frameworks and board-level governance. By doing this, companies can proactively manage regulatory change, protect strategic assets and build resilience into their core operations.