Our legal experts will keep you up to date on all relevant and current developments.

Does your business need a privacy policy?

The Privacy Act 1988 (Cth) requires all businesses to have a privacy policy in place, if that business is an Australian Privacy Principles entity (‘APP entity’).

A privacy policy is a document that sets out how a business collects, holds, uses, and discloses personal information.

Personal information is information that identifies a person, irrespective of whether the information is true or not. This information can include a person’s name, physical or email address, photograph, telephone number, or their payment details.


Changes to the Australian Consumer Law: Businesses Risk $50M Fines For Each Unfair Contract Term Within Their Standard Form Agreements

The Australian Consumer Law has now changed, meaning that businesses with standard contracts will soon be at risk of incurring penalties in excess of $50 million for each unfair contract term within their standard form agreements. 

The definition of small business contracts in section 23(4) will be amended to apply to a business that has either:

  1. fewer than 100 employees; or
  2. an annual turnover of less than $10 million (calculated on the business’ last income year).

Casual employees are not counted unless employed on a regular and systemic basis, and part-time employees are counted as a fraction of a full-time employee.

The change to this definition potentially expands the scope of businesses that would be captured under this section, as it would no longer be confined to businesses with fewer than 20 employees.


Reforms to the Privacy Act 1988 Brings Significant Penalties for Serious or Repeated Privacy Breaches

There is no question that one of the most high-profile legal issues at the moment relates to privacy and data control.   

Recent privacy breaches have highlighted that Australia’s laws may not be as effective as we would like in requiring businesses to take appropriate precautions to prevent the inappropriate release of private information and personal data.

In part, this may be because Australia has a very low penalty regime with respect to privacy breaches. This, and other relevant matters, are currently being considered - and an update to the Privacy Act 1988 has now been drafted and introduced into Parliament.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 considers some of the core elements referred to in the 2021 Exposure Draft. In particular it increases penalties for data breach.  Currently, a corporate entity could be exposed to penalties of up to $2.22 million.

Moving forward, under the new regime, penalties will be the greater of:

  • $50 million;

  • 3 times the value of the benefit obtained by the company; or

  • 30% of the adjusted turnover of the company during the period in which the privacy breach occurred.

Non-corporate entities and individuals will have their penalties raised from $444,000 to $2.5 million.


Do You Have Your ASIC Director Identification Number?  A Reminder and a Caution.

As highlighted in our November 2021 article New Requirement for Directors to Register for a Director Identification Number, company directors are required by law to apply for a director identification number.

A director ID is a unique identifier that directors apply for once and keep forever. ASIC suggests that the implementation of the director ID system will help prevent the use of false or fraudulent director identities. All directors of companies, registered Australian bodies, registered foreign companies or Aboriginal and Torres Strait Islander corporations will need director IDs.

Unfortunately, on 28 October 2022 ASIC published an Alert warning that scammers are pretending to be ASIC, and are approaching Registry customers via email.


Financial Services Privacy Update (Part Two): Consumer Data Right Requests and Process

Since 2020, the Australian Competition and Consumer Commission has introduced amendments to the Competition and Consumer Act 2010 which enable consumer data information to be shared, in order to facilitate the process known as open banking.

At present, Consumer Data Right legislation solely relates to information held by banks and energy companies.  It is anticipated that there will be a further and more significant roll out of legislation impacting the wider financial sector, as well as other sectors within the economy, in the next several years.

Holman Webb Lawyers is currently assisting broker groups, aggregators and software providers in relation to banking Consumer Data Right requests, and is similarly advising accredited data recipients with respect to their entrance into the financial services area, to enable applications for consumer credit.

The process surrounding the release of Consumer Data Right information is developing rapidly, as new technology emerges. There are privacy concerns relating to the management of this information, with detailed legislation and systems having been introduced to enable this information management to occur.

This article provides a brief analysis of the legislative process.  Readers should note that there will undoubtedly be further change, as the Consumer Data Right process gains traction.


Financial Services Privacy Update (Part One): Credit Reporting Information

Contained within the Privacy Act 1988 and the Privacy (Credit Reporting) Code 2014 is a regime concerning the collection, storage and use of data relating to an individual’s credit history and creditworthiness information.

The Office of the Australian Information Commissioner recently conducted a review of the Code and made several recommendations for change, providing a timely reminder of the nature of the Code and the obligations on all parties involved in requests for credit reporting information.


Restraints of Trade Within Franchise Agreements – Clause 23 of the Franchising Code of Conduct

Franchise agreements often contain restraints of trade. The restraints typically apply for a period of time after the franchise ends, and may restrict franchisees from competing with the network or conducting a similar business within a particular geographical area.

Whilst these restraints can be legitimate and important protections for the franchise network, they can also be a major hindrance for franchisees looking to move on to their next venture.

Clause 23 of the Franchising Code of Conduct can be a way for franchisees to avoid the operation of these restraint clauses. However, it has quite a narrow application - and there are numerous proactive steps that franchisees must take to obtain the benefit of the exception.


SAFE Notes: Capital raising for early-stage start-up companies

A common hurdle faced by many early-stage start-ups is trying to raise capital where the company has not yet attained sufficient financial information and/or market data in respect of the business, which makes it difficult to assign a justifiable and substantiated value to the company.

SAFE (simple agreement for future equity) notes are documents that start-ups may consider using to help raise seed capital where there is limited financial data, and/or a consistent source of revenue over a tracked period of time.

A SAFE note is a legally binding promise that allows an investor to purchase a specified number of shares for an agreed-upon price at some point in the future.


New obligations to report cyber incidents - critical infrastructure

With the increasing prevalence of malicious cyberattacks, new regulations have been introduced to ensure that the government has knowledge of cyber incidents affecting specific entities in the following industries:

  • electricity
  • communications
  • data storage or processing
  • financial services
  • water
  • healthcare and medical
  • higher education and research
  • food and grocery
  • transport
  • space technology

By implementing a mandatory reporting regime, the government seeks to strengthen the security and resilience of critical infrastructure, by empowering the relevant authorities to more immediately address critical cyber incidents - and to develop responses and protections to minimise the risk of future incidents occurring.


Ignore Cyber Protection – Pay the Price: Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496

It has happened: a company that failed to implement proper cyber security measures in Australia has been taken to court by the regulators, with the company ordered to pay costs of $750,000.

In the matter of the Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496, the Court found that a financial services provider had breached its licence obligations, and failed to act efficiently or fairly by not having in place adequate risk management systems to cater for risks arising in relation to cyber security.

