Highlights of 2019 and areas to watch in 2020

 

Looking back on 2019

First major fines under the GDPR

If the introduction of the EU General Data Protection Regulation (GDPR) was the talking point of the privacy world in 2018, the first rounds of serious fines issued under the regulation were definitely the talk of 2019.

We saw a number of unprecedented fines being given in response to the biggest privacy breaches and data leaks of the year, including:

  • hotel giant Marriott was fined $197 million for an ongoing data breach that exposed 5 million unencrypted passwords, 8 million credit card records, and impacted 30 million EU residents.
  • British Airways faced a record fine of $328 million for a cyber-attack on its website, which resulted in about 500,000 customer records, including credit card details, names, addresses and email addresses, being extracted by the attackers.
  • Google was fined $80 million by France’s data regulator, CNIL, for failing to comply with its GDPR obligations due to a lack of transparency and consent in relation to Google’s advertising personalisation.

The nature and scale of the penalties enforced in 2019 indicate that the risk of non-compliance for international businesses with an EU presence, including Australian businesses, is only likely to increase in 2020.

Mandatory text for defect warranties

In June 2019, we saw changes to Australian Consumer Law (ACL) as amendments to the Competition and Consumer Regulations 2010 (Cth) introduced new mandatory wording to be used by suppliers providing warranties against defects for services (or goods and services together). This amendment expands the scope of defect warranties for consumers, as the ACL previously only prescribed mandatory text for warranties relating to goods.

The new mandatory wording can be found on the Australian Competition & Consumer Commission (ACCC) website, here.

Amendments to Whistleblower Legislation

More than two years after its introduction to Parliament, the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 (the Act) came into effect on 1 July 2019.

The Act made significant amendments to the Corporations Act 2001 (Cth) and Taxation Administration Act 1953 (Cth), increasing the protections afforded to whistleblowers and requiring greater accountability from companies to ensure compliance with whistleblowing obligations.

The key features of these amendments included:

  • widening the definitions of ‘eligible whistleblowers’ and ‘eligible recipients’,
  • expanding the range of misconduct,
  • permitting anonymous disclosures,
  • implementing a whistleblower complaint policy for certain entities, and
  • increasing both civil and criminal penalties.

AI in Public Sector

Some significant implications of public sector use of AI and automation technologies were highlighted during the year.

In the case of Pintarich v Deputy Commissioner of Taxation, the Federal Court of Australia found that Mr. Pintarich remained liable for interest charges on a tax liability, even though he received a computer-generated letter remitting his liability from the Deputy Commissioner of Taxation.

Because of the automated nature of the computer-generated letter, the court ruled that there was no mental process involved in reaching the conclusion, and accordingly, Pintarich could not rely upon the letter.

As automation technologies become more widespread in the public sector, and automated programs begin to replace human mental processes in complex decision making, it will be interesting to see the implications of this case on administrative decision-making in 2020 and beyond. Recent developments include an issue, identified in January this year, with inaccurate ATO general interest charge notices.

Areas to watch this year

Government action in response to the ACCC’s Digital Platform Inquiry

In July, the ACCC released its final report for the Digital Platforms Inquiry, providing a number of recommendations concerning the market dominance of large digital platforms – namely, Google and Facebook. These recommendations included wide ranging regulatory changes to multiple areas, including competition and consumer law, privacy, copyright, and media regulation.

In light of the report, the Federal Government has provided its response, supporting 6 of the 23 recommendations made by the ACCC. The response outlines the government’s commitment to:

  • Allocating $26.9 million over four years to establish a new special unit in the ACCC to monitor and report on the state of competition and consumer protection in digital platform markets.
  • Tasking the ACCC to facilitate the development of a voluntary code of conduct to address bargaining power concerns between digital platforms and media businesses.
  • Reforming media regulation to cover both online and offline delivery of media content to Australian consumers.
  • Further strengthening Privacy Act protections, subject to consultation and design of specific measures as well as conducting a review of the Privacy Act.

Introduction of the Consumer Data Right

In August 2019, the Federal Government passed the Treasury Laws Amendment (Consumer Data Right) Bill 2019 (CDR), amending the Competition and Consumer Act 2010 (Cth), Australian Information Commissioner Act 2010 (Cth) and Privacy Act 1988 (Cth).

The CDR will give consumers the right to safely access certain data about them held by businesses, allowing them to better access information on the products available to them, as well as being able to direct that this information be transferred to accredited, trusted third parties of their choice.

In December, the ACCC announced an updated timeline for the launch of the CDR. The launch has now been pushed back from February to July 2020 for the banking sector.  

The ACCC also announced that it would amend the CDR rules to reflect the revised timetables and consult on other phases of the CDR, including its introduction into the energy and telecommunication sectors.

Reforming Australia’s designs system

Australia’s current design system has not been reviewed since the introduction of the Designs Act 2003 (Cth) in 2004. In response to recent concerns regarding its effectiveness and suitability, IP Australia has now commenced a two-phase approach to provide reforms to the system.

The first phase involves progressing and implementing the accepted recommendations from the former Advisory Council on Intellectual Property’s (ACIP) review of the Designs Act. IP Australia is aiming to introduce changes based on these recommendations in 2020.

The proposed changes fall into three topics:

  • examining the scope of design protection,
  • providing early flexibility for designers, and
  • simplifying and clarifying the designs system.

IP Australia aims to introduce changes based on these recommendations this year. 

In the second phase, as part of its ‘Designs Review Project’, IP Australia has also begun a more holistic review considering broad and longer-term reforms to Australia’s designs system. IP Australia will continue its research and consultation with stakeholders throughout 2020, with the aim to further understand and improve design innovation, commercialisation, and the overall designs economy in Australia.

Author: Blake Motbey, Associate

 

Ready for whistleblower protection?

More than 2 years after the Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 was introduced, it’s finally set to come into effect on Monday 1 July 2019.

The Act will apply to disclosures made on or after the commencement date, but can also apply to conduct which occurred before commencement.

The Act has made significant amendments to the Corporations Act 2001 (Cth) and Taxation Administration Act 1953 (Cth). It increases the protections afforded to whistleblowers and requires companies to have greater accountability for whistleblowing obligations.

Are you ready for your new whistleblowing obligations?

Why are whistleblowers important?

Whistleblowers perform an integral role by disclosing misconduct such as mismanagement, fraud, corruption, or other wrongdoings, ensuring that companies and organisations are held accountable for their actions under the law, and that employees, customers, and shareholders are protected.

So, it is vital to guarantee strong protections for whistleblowers, especially confidentiality of identity and safety from retaliation.

What are the key changes under the legislation?

The key features of the new legislation include:

  • Widening the definition of ‘eligible whistleblowers’: The range of people who may now make disclosures and be eligible for protection has been extended to include officers, current and former employees, contractors and their relatives.
  • Widening the definition of ‘eligible recipients’ of disclosures: The range of people who may be recipients of disclosures now includes senior managers, directors, and auditors.
  • Expanding the range of misconduct: The Act has expanded the types of disclosures that will be protected as ‘misconduct’ or ‘an improper state of affairs or circumstances’ (however, there is an exclusion for most disclosures of personal work-related grievances).
  • Allowing anonymous disclosures.
  • Increasing whistleblower protection: The Act provides stronger protection for whistleblowers by expanding the prohibition against victimisation or detriment, and eliminating the requirement for whistleblowers to act in good faith to be protected (however, reasonable grounds to suspect misconduct are required).
  • Increasing penalties: There are significant civil and criminal penalties for individuals and companies for non-compliance and breach of the new legislation.
  • Implementing whistleblower policy requirement: The Act now requires some entities to implement a compliant whistleblower policy.

What is the whistleblower policy requirement?

Public companies, large proprietary companies, and registrable superannuation entities must now implement and maintain a compliant whistleblower policy.

The whistleblower policy must contain the following information:

  • the protections available to whistleblowers;
  • to whom disclosures are to be made, and how they can be made;
  • how the company will support and protect whistleblowers;
  • the process of investigation into disclosures by the company;
  • how the company will ensure fair treatment of employees of the company who are mentioned in disclosures; and
  • how the policy is to be made available.

The Act has a 6-month transitional period for entities to implement the policy. Accordingly, the last date to ensure your policy is in place is 1 January 2020.

Penalties

There are substantial penalties (both civil and criminal) for the contravention of the new whistleblower protection laws under the Act.

Failure to implement a compliant whistleblower policy may attract a penalty of 60 penalty units (currently $12,600).

However, the most significant penalties arise from breach of confidentiality of the identity of a whistleblower, or victimising (or threatening to victimise) a whistleblower.

The civil penalties for these breaches are:

For an individual, the greater of:

  • 5,000 penalty units ($1.05 million); or
  • 3 times the benefit derived or detriment avoided.

For companies, the greater of:

  • 50,000 penalty units ($10.5m);
  • 3 times the benefit derived or detriment avoided; or
  • 10% of the body corporate’s annual turnover, up to 2.5 million penalty units (currently $210m).

The breaches may also attract criminal penalties for individuals, being:

Breach of confidentiality of identity of a whistleblower:

  • Under the Corporations Act: 6 months imprisonment or 30 penalty units ($6,300) or both;
  • Under the Taxation Administration Act: 6 months imprisonment or 60 penalty units ($12,600) or both.

Victimisation (or threatened victimisation) of a whistleblower:

  • Under the Corporations Act: 2 years imprisonment or 120 penalty units ($25,200) or both;
  • Under the Taxation Administration Act: 2 years imprisonment or 240 penalty units ($50,400) or both.

What now?

If your entity is covered, the first thing to do is to implement a compliant whistleblower policy.

As part of the policy, given the increased protections and widening of definitions under the new laws, we recommend that you incorporate training to ensure your personnel understand the new obligations under the Act. This is especially important for those people who will be ‘eligible recipients’ of disclosure under the expanded definition.

If you need any assistance in preparing a compliant whistleblower policy, or would like some further information and guidance on how these new whistleblower protection laws may affect your entity, please contact us.

Author: Blake Motbey, Paralegal.

Anti-bribery and corruption requirements for Australian businesses

Many Australian businesses who deal with customers based in the US and UK will be faced with contract clauses requiring compliance with the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act.

There is a lot of doubt and disagreement about the way that these laws apply to conduct outside the home jurisdiction and whether Australian businesses should accept these contract clauses.

Here are some key points to know if you are confronted with a clause like this.

Coverage

Anti-bribery and corruption (ABAC) laws focus on 2 key areas:

  • corruption of public officials; and
  • bribery in the private sector.

Australia

Australia has its own anti-bribery and corruption (ABAC) requirements. Specific requirements include:

  • State and Territory legislation applying to bribery of public officials and private individuals;
  • Criminal Code (Commonwealth) offences for bribery of Commonwealth officials;
  • Criminal Code offences for bribery of foreign officials (with some application to overseas conduct); and
  • false accounting offences where a business falsely records bribes as legitimate expenses.

Australian laws also catch “grease” payments, also known as facilitation payments. These are payments to public officials to speed up or smooth out an approval which would have happened anyway, and are distinguished from payments to change an outcome. Grease payments are only permitted if they meet certain criteria, including prompt, accurate records.

We are expecting further tightening of Australian ABAC requirements when the Crimes Legislation Amendment (Combatting Corporate Crime) Bill is implemented, most likely later this year.

US

The FCPA catches all US entities including their overseas subsidiaries; US subsidiaries of overseas entities; overseas entities which issue securities in the US; and overseas entities which take steps towards the corrupt conduct in the US.

It covers corrupt gifts and payments to foreign public officials – defined very broadly – for the purpose of obtaining or retaining business.

Foreign public officials would include, for example, a doctor in a state hospital, or a government official who also acts in a private capacity where the corrupt conduct occurs.

There is no materiality threshold so small gifts are caught – the test is the purpose of the payment or gift.

Controversially, the FCPA does not apply to grease payments, on the basis that they do not change the outcome. These may still be prohibited under the local laws where the conduct takes place.

UK

The Bribery Act covers the bribery of any person to obtain or retain business or a business advantage. Unlike the FCPA it applies to private sector as well as public sector conduct.

The Bribery Act covers both making and taking bribes, and a foreign public official is defined more narrowly than in the FCPA.

It applies to overseas conduct of UK firms and their subsidiaries and emphasises a compliance culture with strict liability corporate offences (that is, there is no requirement to prove the company meant to commit the offence).

There is no exception for grease payments, but the Ministry of Justice has released guidance suggesting that prosecutors will exercise discretion where the company:

  • has a clear policy;
  • has issued guidance to staff;
  • is monitoring compliance;
  • is recording gifts;
  • is taking proper action to inform local governments; and
  • is taking practical steps to curtail grease payments.

Where does this leave Australian suppliers?

Both US and UK companies (and their Australian subsidiaries) are obliged to do supplier due diligence to avoid liability for ABAC issues. For the FCPA, for example, this is understood to include doing business with reputable third parties who are acting in compliance with the FCPA, and this leads to contractual requirements for compliance in Australian supply contracts.

Many Australian companies are naturally reluctant to agree, in a contract, to be caught by overseas legislation that would not otherwise apply to them. It is important to recognise, though, that the customer may have very limited discretion on these issues, meaning that these clauses can be a negotiation roadblock.

Possible compromises to offer include:

  • compliance with your own ABAC policies;
  • compliance with the Criminal Code and applicable State and Territory legislation;
  • compliance with detailed obligations stated in the contract which equate to, but don’t refer to, the overseas legislation; or
  • an obligation to assist the customer with its own compliance.

If, as will often be the case, the customer insists on an express reference to the overseas legislation, then you’ll need to review the detail against your existing legal obligations and your own ethics policies.

If you would like advice on a specific ABAC clause, contact us.

Taking a long-term view of compliance

At Executive Coach Exchange last week, we were discussing how short-termism affects performance.

This discussion was prompted by the recent McKinsey Global Institute and FCLT Global report showing that surveyed US companies with a long-term view consistently outperformed their short-term peers across most financial measures from 2001 to 2014.

The long-term companies had the following results by 2014:

  • average revenue growth – 47% higher;
  • average earnings growth – 36% higher; and
  • average market capitalisation – 58% higher.

The research focussed on companies that were large enough to be under short-term pressure from investors, boards and others, with market capitalisation of over US$5 billion in at least one year during the survey period. They were evaluated against industry peers in an attempt to remove other factors that would affect performance.

The survey was based on five key assumptions about the behaviour of companies with a long-term view. These assumptions included that long-termists would:

  • make more, and more consistent, investments in their business;
  • prioritise cash flow, absolute earnings and sustainable margin growth; and
  • be less likely to make an all-out effort to hit quarterly earnings targets by small amounts, where doing so would divert resources from more important priorities.

Indicators of short-termism included:

  • cutting discretionary spending, and delaying new value-adding projects, to avoid earnings misses;
  • higher levels of stock buybacks; and
  • lower capital investment.

This ties in with our earlier discussion about how good compliance can mean good business.

An organisation with a short-term view is likely to treat compliance as a cost centre, and implement a narrow, regulatory-based compliance system.

These organisations will treat compliance as a silo, which distracts from the organisation’s key mission.

There can also be too much attention paid to the possible financial penalties, including personal penalties – the short-term negative consequences of non-compliance – rather than what non-compliance says about the management of the organisation as a whole.

Seen from a long-term perspective, meeting regulatory requirements can be more than a cost centre. Compliance programs can align with and support the achievement of business goals.

Governance, risk and compliance programs, like solid accounting practices, can promote:

  • effective oversight through clearer governance structures
  • alignment of organisational strategy across business units or departments
  • reduced costs through reduced risk exposure
  • higher quality information flow to management
  • integrated management of brand strategy and organisational reputation.

In this way, a solid governance, risk and compliance system can promote your business’ goals and brand value, and help to position you in that long-term group.

If you’d like to discuss compliance programs for your business, contact us.