Increased penalties under proposed privacy legislation amendments

In response to the high-profile Medibank and Optus data breaches in recent weeks, the Albanese Government has sought to introduce legislation to significantly increase penalties for repeated or serious privacy breaches.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 passed the House of Representatives on 9 November 2022. It seeks to increase maximum penalties from the current $2.22 million to whichever is the greater of:

  • $50 million;
  • If a court can determine the value of a benefit, three times the value of any benefit obtained through the misuse of the information; or
  • If the court cannot determine the value of the benefit, 30% of a company’s adjusted turnover in the relevant period.

Greater powers for the OAIC

The Bill will also afford the Office of the Australian Information Commissioner (OAIC) greater powers to resolve and quickly share information about data breaches, to better protect consumers' personal information.

For instance, if the Bill becomes law, the OAIC will be able to:

  • conduct assessments of an entity’s compliance, or an entity’s ability to comply, with the notifiable data breach regime;
  • request information about an actual or suspected eligible data breach by an entity, or more holistically, the entity’s compliance with the eligible data breach regime under the Privacy Act;
  • share information and documents with enforcement bodies, complaints bodies and other privacy regulators, and share information with any third parties, or publish information, where doing so is in the public interest;
  • issue infringement notices for failure, without reasonable excuse, to respond or provide information to the OAIC where required under the law;
  • in relation to complaints, order an entity to engage an independent adviser to review the acts or practices that were the subject of the complaint and the remediation of that complaint, and additionally require an entity to prepare a statement about the conduct in scope and provide that statement to the complainant or publish it.

More to come in the future

The Commonwealth Attorney General’s Office reports that the significant privacy breaches in Australia in recent weeks have shown that existing safeguards are outdated and inadequate. It further states that the increase in penalties and the strengthening of the OAIC’s powers are part of a broader overhaul of the Privacy Act 1988, which will take place in 2023.

The above post is merely general commentary and is not legal advice.

‘True to Label’ remains a priority for ASIC

On 8 September 2022, the Australian Securities and Investments Commission (ASIC) reported on its surveillance of responsible entities and fund managers for false or misleading representations about investment performance.

Background

ASIC’s managed funds surveillance is the successor to ASIC’s ‘True to Label’ initiative, under which ASIC originally began monitoring the industry over concerns that fund names did not align with, or accurately correspond to, the underlying assets and characteristics of the fund.

From October 2021, ASIC commenced its current initiative, taking a broader look at performance and risk representations in the marketing material disseminated by funds across the Australian jurisdiction.

Recent surveillance

ASIC’s recent surveillance has reported that thirteen responsible entities or trustees of unregistered managed investment schemes have voluntarily amended, or arranged for their respective investment managers to amend, their marketing practices and materials as a result of ASIC’s inquiries. The funds in question, which house a broad range of underlying assets and investment strategies, together held approximately $1.4 billion in assets under management. The amendments made and ASIC’s report do not constitute an admission of guilt or a finding of a contravention of statutory provisions by a relevant Court or ASIC.

The regulator’s concerns mainly centred on inadequate warnings regarding past or future returns, comparisons between the risk levels of products, and understating the risks of investment when compared to the benefits of the funds.

ASIC’s expectations

ASIC’s expectations in this regard are that marketing material must:

  • give balanced messages about returns, benefits and risks;
  • give clear and prominent risk disclosures;
  • not overstate the reliability, security or safety of an investment;
  • compare products appropriately (e.g. term deposits shouldn’t be seen as comparable in terms of risk levels to leveraged derivatives);
  • disclose the risks of reliance on past performance as an indicator of future returns; and
  • take care with the use of imagery and graphs to ensure they do not confuse the end user.

ASIC Deputy Commissioner Karen Chester stated that ‘our primary concern is retail investors and potentially unsophisticated wholesale investors, especially retirees, making important investment decisions based on marketing that does not accurately represent fund performance.’

Key takeaways

As always, misleading and deceptive conduct within the financial services industry remains a priority enforcement action for ASIC. Responsible entities, trustees of unregistered schemes and investment managers, and all other financial services providers for that matter, must be vigilant in the review process prior to the dissemination of marketing material.

An array of statutory provisions exists in both the Corporations Act 2001 (Cth) and the ASIC Act 2001 (Cth) to outlaw such conduct. Some of these provisions are in fact ‘offence’ provisions of strict liability, which make a business liable to criminal prosecution even when it did not intend to mislead, deceive or make false representations. Under section 912D(4) of the Corporations Act, breaches of misleading and deceptive conduct laws by Australian Financial Services Licence or Australian Credit Licence holders will also trigger requirements to submit a ‘reportable situation’ to ASIC.

Further, it cannot be overstated that ASIC is as concerned with unsophisticated wholesale investors as it is with retail clients. As such, financial services businesses should pay careful attention to wholesale clients who solely meet the statutory income or wealth tests, as they may still lack sound knowledge of the risks of their investment.

The above post is merely general commentary and is not legal advice.

ASIC extends transitional arrangements for FFSP relief

On 2 August 2022, the Australian Securities and Investments Commission (ASIC) again announced an extension of the transitional arrangements to certain exemptions applying to foreign financial services providers (FFSPs) for a further 12 months. The arrangements now expire on 31 March 2024.

Transitional exemptions

Both in the past and currently, FFSPs have been able to avoid the need to hold a fully fledged Australian financial services licence (AFSL) or a foreign AFSL under certain relief exemptions, such as the ‘limited connection’ relief and ‘sufficient equivalence’ relief. These avenues for relief were due to expire on 31 March 2023 and be replaced by the foreign AFSL regime and further passporting exemptions.

However, in 2022, and because of the effects of COVID-19, the then Liberal Government introduced a new Bill in Parliament to provide new exemptions in place of those mentioned above. These would be called the ‘comparable regulator’ and ‘professional investor’ exemptions. These exemptions would not be subject to an expiry period, but would exist on an ongoing basis for FFSPs. The Treasury saw this approach as necessary to improving conditions for foreign direct investment into Australian financial services post COVID-19.

However, owing to the 2022 federal election, the Bill unfortunately lapsed and FFSPs faced an uncertain period after 31 March 2023.

Further extension

ASIC has now issued the ASIC Corporations (Amendment) Instrument 2022/623 to delay the expiry of the transitional arrangements by a further 12 months, to 31 March 2024. This allows FFSPs relying on the abovementioned relief to continue to do so with certainty for a further 12 months.

What’s to come?

It is expected that ASIC and the Treasury will consult further on the Bill in order to provide more settled regulatory relief for FFSPs relying on an exemption (or those that seek to) by 31 March 2024. ASIC has reported that this does not affect FFSPs currently operating under a foreign AFSL, and that otherwise, the regulator will continue to hear applications for individual relief from FFSPs on a case-by-case basis.

The above post is merely general commentary on developments and is not legal advice.