31/10/2024

In this edition of Gilbert + Tobin's Corporate Advisory Update, we focus on key legal developments over the last month which are particularly relevant to in-house counsel.

AICD publishes new guidance on directors’ oversight of company compliance obligations

On 8 October 2024, the Australian Institute of Company Directors (AICD) published new guidance which specifically focuses on the section 180 duty of care and diligence in overseeing a company’s regulatory compliance obligations, particularly in the current risk environment and ASIC’s focus on this area.

The new guidance includes:

  • A new landmark legal opinion by Michael Hodge KC and Sonia Tame (commissioned by the AICD) which clarifies what is required of directors in discharging this duty including: 
    • Individual director accountability versus the board as a collective.
    • The extent to which directors can rely on the advice of management and experts.
    • What role board minutes can play in demonstrating active director oversight.
  • An AICD Practice Statement which provides guidance and suggests steps for effective director monitoring and oversight of a company’s regulatory compliance in practice. 

The key takeaways from the new guidance are:

  • A company’s breach of its legal or regulatory compliance obligation does not necessarily mean a director has breached their duty of care and diligence.
  • Equally, it is not necessary for a company to actually breach its compliance obligation for a director to be found in breach of their duty of care and diligence.
  • Directors must take reasonable steps to place themselves in a position to guide and monitor the company, remain alert to, and act on, ‘red flags’, and challenge management appropriately.
  • There may be certain existential risks specific to the company that will require more intensive oversight by directors due to their significance.
  • While directors are entitled to rely upon the advice of management and advisers, directors must critically assess such advice and bring their own independent judgment to bear.

See also AICD media release.

Final merger reform Bill introduced

On 10 October 2024, the Treasury Laws Amendment (Mergers and Acquisitions Reform) Bill 2024 was introduced into Parliament, and has now been referred to the Senate Economic Legislation Committee for report by 13 November 2024.

In addition:

  • The government has published a response to consultation outlining its response to some of the stakeholder feedback from earlier consultation on exposure draft legislation and notification thresholds.
  • The ACCC has published a statement of goals for merger reform implementation outlining its approach to implementing the new regime and to reduce uncertainty during the transition.

The new merger system moves Australia to a mandatory and suspensory notification administrative regime representing a significant departure from the longstanding voluntary informal clearance process with a judicial enforcement model.

Prior to formal commencement, merger parties may elect to notify under the new system from 1 July 2025. Grandfathering provisions apply to mergers authorised or granted informal clearance by the ACCC between 1 July and the end of 2025, provided the acquisition is completed within 12 months of the date of authorisation or clearance.

A recent G+T Insight summarises the practical implications of the Bill (including changes from the exposure draft) and key insights on how the ACCC plans to implement the reforms. 

Largest greenwashing penalty so far of $12.9 million imposed on Vanguard

On 25 September 2024, the Federal Court ordered Vanguard Investments Australia Ltd to pay a $12.9 million penalty, after Vanguard admitted it had made false or misleading representations and engaged in conduct that was liable to mislead the public in relation to an ‘ethically conscious’ fund, in breach of the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act). You can also read about the liability judgment handed down in April here.

A recent G+T Insight analyses the decision including the Court’s rationale, the discount for co-operating with ASIC and how the penalty imposed compares to the recent Mercer case where a penalty of $11.3 million was ordered against Mercer Superannuation (Australia) Limited for similarly making false or misleading greenwashing representations in breach of the ASIC Act. You can read more about the Mercer decision here.

We are still awaiting the penalty in ASIC’s third and final greenwashing case against Active Super, with the Court finding in June 2024 that Active Super made false or misleading representations by claiming it would not invest in companies associated with gambling, tobacco, oil tar sands and coal mining. The matter is listed for hearing later in December, so we expect the penalty judgment to be handed down in 2025.

AASB issues inaugural Australian Sustainability Reporting Standards

Following the passing of the Treasury Laws Amendment (Financial Market Infrastructure and Other Measures) Act 2024 (Cth) and a vote by the Australian Accounting Standards Board (AASB) on 20 September 2024, the AASB has now issued its two inaugural Australian Sustainability Reporting Standards. These standards apply to sustainability reports to be prepared by reporting entities under the new sustainability-related financial disclosure framework in the Corporations Act 2001 (Cth) (Corporations Act).

Based on the ISSB International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board, the AASB has adopted two separate standards: AASB S1 General Requirements for Disclosure of Sustainability-related Financial Information (AASB S1) and the AASB S2 Climate-related Disclosures (AASB S2). As the new sustainability reporting regime only requires disclosure with respect to climate-related financial risks, the AASB has only issued the AASB S2 as a mandatory standard (and the AASB S1 as a voluntary standard): 

  • AASB S1 – a voluntary standard with broadly the same scope and content as IFRS S1. An entity may elect to apply AASB S1 which requires it to disclose information about all sustainability-related risks and opportunities that could reasonably be expected to affect the entity's cash flows, its access to finance or cost of capital over the short, medium or long term.
  • AASB S2 – a separate mandatory standard for climate risks which is the standard reporting entities will be required to report against in preparing sustainability reports under the Corporations Act. AASB S2 incorporates all requirements of IFRS S2, subject to certain modifications. When applicable, AASB S2 requires an entity to disclose information specifically about climate-related risks and opportunities that could reasonably be expected to affect the entity's cash flows, its access to finance or cost of capital over the short, medium or long term.

Both AASB S1 and AASB S2 will inform sustainability reports prepared for annual reporting periods beginning on or after 1 January 2025 (that is the same reporting period for which the largest category of entities will be required to submit sustainability reports under the new sustainability-related financial disclosure framework in the Corporations Act), with the AASB S2 being the criteria the report must contain and the AASB S1 containing broader sustainability criteria that the reporting entity can also elect to report on.

The Auditing and Assurance Standards Board has also released an Exposure Draft: Proposed Australian Standard on Sustainability Assurance ASSA 5010 Timeline for Audits and Reviews of Information in Sustainability Reports under the Corporations Act 2001 which outlines a proposed timeline for when information in a sustainability report would be subject to audit and/or review. Consultation is open until 16 November 2024 (see consultation page), with a view to the standards being adopted in December 2024.

Australia’s cybersecurity legislation package introduced

On 9 October 2024, following extensive consultation in December 2023 and September 2024, a new cybersecurity legislation package was introduced into Parliament. The package was referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report and submissions closed on 25 October 2024.

The package, if passed, will implement seven initiatives under the 2023-2030 Australian Cyber Security Strategy (Strategy), addressing legislative gaps to bring Australia in line with international best practice and take the next step to ensure Australia is on track to become a global leader in cyber security. The package includes:

  • The Cyber Security Bill 2024 (Cth), which will address gaps in current legislation to establish Australia's first standalone Cyber Security Act, which comprises, at a high level:
    • A mandatory requirement for a ‘reporting business entity’ that pays a ransom to a cyber threat actor to notify the Department of Home Affairs and the Australian Signals Directorate (ASD) within 72 hours of making the payment.
    • ‘Limited use’ obligations that restrict how cyber security incident information provided to the National Cyber Security Coordinator during a cyber security incident can be shared with and used by other Australian Government entities, including regulators.
    • A requirement for manufacturers and suppliers of internet connected devices to comply with cyber security standards as determined by the Australian Government from time to time.
    • Establishment of a Cyber Incident Review Board to conduct post-incident reviews into significant cyber security incidents.

A recent G+T Insight considers the Bill in more detail.

  • The Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (Cth), which will progress and implement reforms under the Security of Critical Infrastructure Act 2018 (Cth) (SOCI Act) to:
    • Clarify existing obligations in relation to systems holding business critical data.
    • Enhance government assistance measures to better manage the impacts of all hazards incidents on critical infrastructure.
    • Simplify information sharing across industry and government.
    • Introduce a power for the government to direct entities to address serious deficiencies within their risk management programs.
    • Align regulation for the security of telecommunications into the SOCI Act.

A recent G+T Insight considers the proposed reforms to the SOCI Act in more detail.

  • The Intelligence Services and Other Legislation Amendment (Cyber Security) Bill 2024 (Cth), which:
    • Amends the Intelligence Services Act 2001 (Cth) to legislate a limited use obligation to protect the information voluntarily provided to, or acquired or prepared by, the ASD during an impacted entity's engagement in relation to a cyber security incident or a cyber security incident that may potentially occur.
    • Amends the Freedom of Information Act 1982 (Cth) to include an exemption from Freedom of Information requests for a document given to, or received by, the National Cyber Security Coordinator for the purposes set out under Part 4 of the Cyber Security Bill 2024 (Cth).

See also Department of Home Affairs media release.  

Time for a whistleblower policy and procedure health check?

Some recent developments have shown that companies, now more than ever, need to review and improve their whistleblower management processes and systems.

  • The Senate Economics References Committee has recently conducted a thorough review of ASIC's capacity to investigate and enforce misconduct, with findings raising concerns about its effectiveness in protecting investors and maintaining market integrity (see Report). The Committee has made a series of recommendations to address these issues which, if implemented, could have a profound impact on the corporate landscape in Australia by encouraging more whistleblowers to come forward, deterring misconduct, and improving the overall quality of corporate governance. A recent G+T Insight explores the key recommendations concerning whistleblower disclosures from the Report and discusses their potential implications for Australia's whistleblower regime and ASIC's enforcement approach.
  • Since the Report was published, the Guardian reported on public interest disclosures made to it by a whistleblower alleging misconduct in the data collection practices of market research agency McNair yellowSquares on Australian Electoral Commission and Department of Defence projects. This situation highlights the risks involved in handling whistleblower disclosures, given that dissatisfied whistleblowers can approach the media with no notification to the company, and raises important questions about transparency and accountability in corporate governance. Another recent G+T Insight provides a deeper dive into the details and implications.

Privacy amendment Bill: a new risk landscape

The Privacy and Other Legislation Amendment Bill 2024 (Bill) was tabled in the House of Representatives on 12 September 2024 and is currently before the Senate.

The Bill focuses on the enforcement regime, protection of children, and dealing with the ills of the online world through the creation of new offences against doxxing and a new tort for serious invasions of privacy. However, it does not implement some of the more substantive proposals from an individual rights perspective – for example, the proposed changes to the definition of ‘personal information’, the ‘fair and reasonable’ requirement for collecting, using and disclosing personal information, and the direct right of action for individuals.

However, the Bill makes material changes to the Privacy Act penalties regime and the breadth of orders that can be made by the Federal Court under the Privacy Act. It also introduces a whole new statutory tort which changes the application of the Privacy Act. These changes have the potential to rewrite the risk profile of Privacy Act compliance in Australia.

A recent G+T Insight considers the key changes proposed by the Bill.

Bill expanding anti-money laundering and counter-terrorism financing regime introduced 

On 11 September 2024, the Attorney-General of Australia, the Hon Mark Dreyfus KC MP, introduced the Anti-Money Laundering and Counter-Terrorism Financing Amendment Bill 2024, which has now passed through the House of Representatives and is currently before the Senate.

The Bill will close a regulatory gap in Australia by expanding the regime to address vulnerabilities within ‘tranche-two’ entities, including lawyers, accountants, real estate professionals and dealers in precious stones and metals. AUSTRAC’s recent Money Laundering National Risk Assessment noted criminals are increasingly exploiting these sectors to conceal illicit wealth and launder money.

The Bill will also help bring Australia into line with international standards set by the Financial Action Task Force (FATF). Australia is now one of only five jurisdictions out of more than 200 that do not regulate these tranche-two entities or ‘gatekeeper’ professions. It means Australia is at serious risk of being ‘grey-listed’ by the FATF, which would not only be damaging to Australia’s international reputation but could result in significant economic harm to Australians and businesses.

The government is taking the opportunity to simplify, clarify and streamline the AML/CTF regime. This will reduce the regulatory burden on businesses and make it easier to understand and implement effective measures to combat financial crime. The reforms will allow businesses to take a risk-based approach, allowing industry to prioritise their resources. The reforms will also lead to better quality financial data and make it easier for businesses to protect themselves from misuse by criminals.

See Attorney-General’s media release and AUSTRAC media release.

Thanks to Silvana Wood’s team for this insight.

Proposed scams framework: a whole of ecosystem approach to protecting Australians from scams

On 13 September 2024, the government released exposure draft legislation on Australia’s proposed new scams prevention framework (Scams Framework). Consultation closed on 4 October 2024.

The exposure draft legislation, if passed, will establish a new whole-of-ecosystem approach containing specific ‘principles-based’ legal requirements (that is to prevent, detect, report, disrupt and respond to scams, and to establish governance systems accordingly) for addressing scams and liability for breaching these principles.

A recent G+T Insight looks at the proposed requirements of the Scams Framework in the exposure draft legislation and also discusses the implications for banks, telecommunications companies and digital platform service providers (who it is proposed will initially be subject to the Scams Framework).

Work health and safety – key developments in court procedures and case law 

A recent G+T Insight examines two recent developments in work health and safety which will impact safety prosecutions in NSW:

  • The resumption of the Industrial Court of New South Wales operating as a superior court of record for work health and safety prosecutions from 1 July 2024 and its signals regarding the manner in which it intends to manage proceedings.
  • The recent decision by the Court of Criminal Appeal in Prime Marble & Granite Pty Ltd v SafeWork NSW [2024] NSWCCA 105 that the clock for the two year limitation period under section 232(1)(a) of the Work Health and Safety Act 2011 (NSW) starts ticking when the regulator is aware of a risk that could give rise to an injury or illness and not when the risk materialises. This decision is likely to result in the regulator seriously considering whether to commence proceedings where it identifies a risk, and not merely after an incident occurs, which has generally been the practice to date.

Payday super and employee onboarding reforms

In May 2023, the government announced it was intending to pass legislation that would require employers to pay superannuation at the same time as paying staff salary and wages, starting from 1 July 2026. This reform has come to be known as ‘payday super’.

On 18 September 2024, Treasury released a fact sheet on the payday super reforms confirming the government is still intending to proceed with those reforms. The reforms are still expected to take effect from 1 July 2026. Consultation and drafting will take place during the remainder of 2024.

A recent G+T Insight examines what the government has said in the factsheet in relation to both payday super (and proposed penalties) and proposed new restrictions on advertising superannuation funds to new starters.

A practical update on ancillary liability under the Competition and Consumer Act 2010: Productivity Partners Pty Ltd v ACCC; Wills v ACCC [2024] HCA

Businesses and in-house corporate counsel are frequently plagued by the question of whether the business could be found liable for another’s breach. The question often arises when the business itself is not directly involved in, nor does it have actual knowledge of, the contravention. 

This issue is particularly relevant when the nature of the business is such that it inherently has to rely on another party to do the right thing. For example, businesses that operate platforms (marketplaces) or display third-party claims. It is also relevant to individuals and parent companies involved in making and approving decisions made by companies within a group.

A recent G+T Insight provides a practical summary of the scope of when a party may be knowingly concerned in another’s contravention of the Competition and Consumer Act 2010 (Cth), including an update on a recent High Court judgment that develops this concept and what it means for businesses.

Incorporation of terms by signature and reference: Michael Hill Jeweller (Australia) Pty Ltd v Gispac Pty Ltd [2024] NSWCA 211

In Michael Hill Jeweller (Australia) Pty Ltd v Gispac Pty Ltd [2024] NSWCA 211, the NSW Court of Appeal has allowed Michael Hill’s appeal against the Supreme Court decision earlier this year, in part, and reduced Michael Hill’s liability from approximately $2.3 million to approximately $360,000 plus interest. However, the findings in relation to incorporation of terms, the focus of this summary, have essentially been upheld.

The case reinforces the rule that if you sign a contract you are bound by the terms of that contract. The terms may include terms that are incorporated by reference even if those terms are not supplied.

By way of reminder of the facts, Gispac provided paper carry bags to Michael Hill. In 2014 and 2015, a Michael Hill employee signed contracts for the future supply of bags and placed a tick in a check box that expressly stated that Michael Hill was agreeing to certain terms and conditions that could be found in a web link provided (Terms). No attempt was made by the employee to open that link and read the Terms. However, it was also not proven that the link worked.

The Supreme Court found that by ticking the box and signing the sales contracts, the Terms were incorporated by reference, and Michael Hill was bound by them. The principle the judge applied was that the act of signing would lead a reasonable person in the position of the other party to believe you were agreeing to the Terms. 

On appeal, the Court (Bell CJ and Payne JA) agreed with the primary judge’s finding that by signing and ticking the box, the Terms were incorporated into the sales contracts, and it did not matter whether the link was operable at the time of execution or not – Bell CJ stated (at [14]): 

“that part of the clause which stated that the Terms could be found at the particular URL link was not an essential part of the parties’ agreement, objectively ascertained; rather, it was merely pointing out where (or how) Gispac’s Terms could be located, if Michael Hill wanted or needed to consult them”.

Basten AJA agreed that by signing and ticking the box Michael Hill was bound by any identified terms but that there was an evidential void as to the content of the alleged terms.

See our previous G+T Insight on the Supreme Court decision and the implications for incorporation of terms.

Thanks to Professor Gregory Tolhurst, consultant, for his contribution to this insight.
