There is no question that one of the most high-profile legal issues at the moment relates to privacy and data control.   

Recent privacy breaches have highlighted that Australia’s laws may not be as effective as we would like in requiring businesses to take appropriate precautions to prevent the inappropriate release of private information and personal data.

In part, this may be because Australia has a very low penalty regime with respect to privacy breaches. This, and other relevant matters, are currently being considered - and an update to the Privacy Act 1988 has now been drafted and introduced into Parliament.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 considers some of the core elements referred to in the 2021 Exposure Draft. In particular it increases penalties for data breach.  Currently, a corporate entity could be exposed to penalties of up to $2.22 million.

Moving forward, under the new regime, penalties will be the greater of:

• $50 million;

• 3 times the value of the benefit obtained by the company; or

• 30% of the adjusted turnover of the company during the period in which the privacy breach occurred.

Non-corporate entities and individuals will have their penalties raised from $444,000 to $2.5 million.

As highlighted in our November 2021 article New Requirement for Directors to Register for a Director Identification Number, company directors are required by law to apply for a director identification number.

A director ID is a unique identifier that directors apply for once and keep forever. ASIC suggests that the implementation of the director ID system will help prevent the use of false or fraudulent director identities.  All directors of companies, registered Australian bodies, registered foreign companies or Aboriginal and Torres Strait Islander corporations will need director ID’s.

Unfortunately, on 28 October 2022 ASIC published an Alert warning that scammers are pretending to be ASIC, and are approaching Registry customers via email.

Since 2020, the Australian Competition and Consumer Commission has introduced amendments to the Competition and Consumer Act 2010 which enable consumer data information to be shared, in order to facilitate the process known as open banking.

At present, Consumer Data Right legislation solely relates to information held by banks and energy companies.  It is anticipated that there will be a further and more significant roll out of legislation impacting the wider financial sector, as well as other sectors within the economy, in the next several years.

Holman Webb Lawyers is currently assisting broker groups, aggregators and software providers in relation to banking Consumer Data Right requests, and is similarly advising accredited data recipients with respect to their entrance into the financial services area, to enable applications for consumer credit.

The process surrounding the release of Consumer Data Right information is developing rapidly, as new technology emerges. There are privacy concerns relating to the management of this information, with detailed legislation and systems having been introduced to enable this information management to occur.

This article provides a brief analysis of the legislative process.  Readers should note that there will undoubtedly be further change, as the Consumer Data Right process gains traction.

Contained within the Privacy Act 1988 and the Privacy (Credit Reporting) Code 2014 is a regime concerning the collection, storage and use of data relating to an individual’s credit’s history and credit worthiness information.

The Office of the Australian Information Commissioner recently conducted a review of the Code and made several recommendations for change, providing a timely reminder of the nature of the Code and the obligations on all parties involved in requests for credit reporting information.

Franchise agreements often contain restraints of trade. The restraints typically apply for a period of time after the franchise ends, and may restrict franchisees from competing with the network or conducting a similar business within a particular geographical area.

Whilst these restraints can be legitimate and important protections for the franchise network, they can also be a major hinderance for franchisees looking to move onto their next venture.

Clause 23 of the Franchising Code of Conduct can be a way for franchisees to avoid the operation of these restraint clauses. However, it has quite a narrow application - and there numerous proactive steps that franchisees must take to obtain the benefit of the exception.

A common hurdle faced by many early-stage start-ups is trying to raise capital where the company has not yet attained sufficient financial information and/or market data in respect of the business, which makes it difficult to assign a justifiable and substantiated value to the company.

SAFE (simple agreement for future equity) notes are documents that start-ups may consider using to help raise seed capital where there is limited financial data, and or a consistent source of revenue over a tracked period of time.

A SAFE note is a legally binding promise that allows an investor to purchase a specified number of shares for an agreed-upon price at some point in the future.

With the increasing prevalence of malicious cyberattacks, new regulations have been introduced to ensure that the government has knowledge of cyber incidences affecting specific entities in the following industries:

• electricity
• communications
• data storage or processing
• financial services
• water
• healthcare and medical
• higher education and research
• food and grocery comment transport
• space technology

By implementing a mandatory reporting regime, the government seeks to strengthen the security and resilience of critical infrastructure, by empowering the relevant authorities to more immediately address critical cyber incidents - and to develop responses and protections to minimise the risk of future incidents occurring.

It has happened: a company that failed to implement proper cyber security measures in Australia has been taken to court by the regulators, with the company ordered to pay costs of $750,000.

In the matter of the Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Court found that a financial services provider had breached its licence obligations, and failed to act efficiently or fairly by not having in place adequate risk management systems to cater for risks arising in relation to cyber security.

The Federal Court of Australia’s recent judgment in the matter of Energy Resources of Australia Limited [2022] FCA 176 demonstrates the risks to resigning company directors when they, or the company, fail to notify ASIC of their resignation in a timely manner – as well as the consequent time, effort and costs needed to rectify these failures.

The decision is also a reminder that retiring directors wishing to avoid personal responsibility for a company’s conduct need to notify ASIC promptly and effectively.

Companies can now sign documents by electronic means and with directors using electronic signatures. 

On 10 February 2022, the Australian Senate passed the Corporations Amendment (Meetings and Documents) Bill 2021.  The passing of the Bill now clarifies the execution requirements of companies when signing documents (including deeds) - whether in physical or electronic form, or a hybrid of physical and electronic.