Reflections on 2023 and a look ahead at 2024 with the Practical Law Australia team

Practical Law ANZ Article w-041-5216 (Approx. 15 pages)

by Practical Law In-house
This article covers a summary of the key themes and substantive legal developments in 2023, and includes a horizon scan from the Practical Law Australia team looking ahead to 2024.
2023 saw a number of significant developments and emerging trends across the legal landscape including in relation to:
  • Artificial intelligence (AI). One of the defining occurrences in our world today is the rise of AI, particularly its emerging significance in the legal market. This has not only changed the way traditional legal work is performed but has also introduced new areas to consider in legal ethics and regulation.
  • Environmental, social and corporate governance (ESG). Within the substantive legal space, ESG issues continue to be a key theme as there is a growing understanding of the role companies play in contributing to ESG solutions.
  • The annual general meeting (AGM) season. During this year's AGM season, there was an increased importance given to the annual remuneration report and the initiation of the two-strikes rule, emphasising corporate transparency and accountability.
  • Data breaches and cybersecurity. The realm of corporate cybersecurity has been on the radar owing to recent data breaches. This brings attention to the significance of stringent cybersecurity measures, and the importance of continuous disclosure obligations and mandatory data breach notification obligations.
  • Unfair contract terms. Changes have been initiated to the unfair contract terms regime, with new penalties aimed at offering stronger protection to vulnerable and disadvantaged parties in contract negotiations.
  • Employment law reforms. Reforms continued in this area, most recently with the Fair Work Legislation Amendment (Closing Loopholes) Bill 2023 (Cth) (Closing Loopholes Bill) being introduced into Parliament in September 2023. Among the key reforms proposed in the Closing Loopholes Bill is the criminalisation of the underpayment of wages, or "wage theft". Lawyers have also needed to consider the link between sexual and sex-based harassment and bullying in the workplace, and psychosocial risk in the context of Work Health and Safety laws, necessitating consideration of prevention policies and response measures to manage this risk.

Looking back at 2023

A picture of in-house teams in 2023

Thomson Reuters' State of the Corporate Legal Market was released in March 2023, and revealed an emerging theme of in-house counsel as guardians of the enterprise (for further insights, see Legal update, Thomson Reuters Institute releases 2023 State of the Corporate Law Department Report).
The guardian theme continued throughout the year and was evident in work trends (such as an increase in the volume of counter-cyclical law firm practices such as insurance) resulting from geopolitical influences, growing inflation and increasing interest rate pressures (see Legal update, Thomson Reuters Institute releases 2023 Australia: State of the Legal Market Report).
As an industry, in-house teams shifted their priorities from improved efficiency and a process-driven mindset that has characterised prior years, to protecting and insulating the business from risk. This is demonstrated by the refocus on increased regulatory burdens, heightened compliance risks and proactively trying to reduce litigation. For further related trends, see Legal update, Thomson Reuters releases Tech and the Law 2023 Report.

AI: the theme of 2023

ESG was undoubtedly the theme of 2022, and AI has emerged as the theme of 2023. Most in-house counsel, and lawyers generally for that matter, are still trying to grapple with what AI means: what can be achieved with the technology and how it will ultimately reshape the process that lawyers undertake when advising clients. See for example Article, Thomson Reuters Institute survey report: corporate legal departments see use cases for generative AI & ChatGPT. More recent trends in AI adoption for Australian in-house counsel are included in Legal update, Thomson Reuters releases Tech and the Law 2023 Report.
As new technologies emerge, it is vital that lawyers stay on top of how colleagues are using the technology, and experiment with what works best for them and their enterprise. For further information, see Practice note, Using artificial intelligence (AI) technology in legal departments.
AI technology will continue to develop rapidly. We have seen organisations racing to benefit from the efficiencies and opportunities arising from AI, while at the same time implementing AI governance frameworks to combat legal risks that have been identified, including in relation to copyright infringement, privacy, data protection and the risk of AI bias, especially as it is deployed in the human resources setting.
Organisations have also been considering the significant cost associated with AI adoption, including compliance costs and the expense involved in contracting to make use of AI across an enterprise. While large language model outputs are generally simple, that simplicity is derived from complex algorithms and running those algorithms is highly energy consumptive. While energy costs will be absorbed in the cost base of each AI provider, it is likely to be increasingly important to companies to consider the ESG impact of large-scale adoption of AI, and to factor into their procurement processes questions about the location of servers and the sources of energy used by those servers.
This year we have seen a major federal government consultation on the adoption of safe and responsible AI in Australia and further consultations have been commenced in New South Wales and South Australia (for a tracker that monitors the progress of regulatory developments in relation to AI in Australia, including the recent federal government consultation, see Legislation Tracker, Artificial intelligence regulatory developments: Safe and responsible AI in Australia discussion paper). In 2024, we expect to see some response from the federal government in relation to imposing guardrails for the adoption of AI in Australia although what that regulatory response might be is not clear at this stage.

Substantive legal trends in 2023

AGMs: shareholder-requisitioned resolutions, sustainability and the "two-strikes" rule

The 2023 AGM season was characterised by some surprise departures from the themes of previous years.
Shareholder-requisitioned resolutions have for some time been used in Australia by shareholders of listed companies who are concerned about the environmental impact of their investments, to encourage companies to disclose climate change and human rights risks, and to combat climate change and human rights abuses.
Compared to 2022, however, shareholder-requisitioned resolutions relating to climate change and other ESG issues are significantly down. Sustainability-related issues do, however, remain a key driver of shareholder activism, despite fewer ESG-related shareholder-requisitioned resolutions.
Another area of focus for this AGM season has been the annual remuneration report, which is a key document that provides detailed information about the company's executive and director remuneration practices. In contrast with the 2022 AGM season, this year, a number of companies listed on the Australian Securities Exchange (ASX) have seen significant increases in votes against their companies. This peaked dramatically on 3 November 2023 with the highly publicised rejection of the Qantas 2023 remuneration report by almost 83% of voting shareholders, being a near record first strike.
Under the two-strikes rule, if 25% or more of the votes cast at an AGM over two consecutive years are against adopting the company's remuneration report, shareholders have the right to bring a spill resolution which, if successful, requires the sitting board (other than the managing director) to vacate their offices at a specially convened spill meeting.
Unsurprisingly, the two-strikes rule is a key tool used by shareholders, particularly shareholder activists, to express dissatisfaction with elements of the board's corporate governance. The threat of a second strike allows shareholders to move for a board spill without calling for a meeting and allows them to hold directors to account for issues that are not directly related to remuneration.

Privacy and cybersecurity: data breach class actions

2023 has been dominated by the aftermath of some large-scale data breaches such as the 2022 Medibank and Optus data breaches, and, more recently, the Latitude Financial Services (Latitude) data breach that occurred in March this year. These breaches affected millions of people, with the Latitude breach alone involving the theft of 7.9 million drivers' licence numbers. There are currently three class actions against Medibank and one against Optus, and Latitude is the subject of an investigation into a potential class action. Three of the class actions are consumer-based and one of the class actions against Medibank is a shareholder claim alleging a contravention of Medibank's continuous disclosure obligations.
Allegations relating to continuous disclosure obligations
Continuous disclosure obligations apply to listed entities under both the Corporations Act 2001 (Cth) (CA 2001) and ASX Listing Rule 3.1, and the basic continuous disclosure obligation for a listed company is to immediately disclose to the ASX any information concerning it that a reasonable person would expect to have a material effect on the price or value of the company's securities.
It follows that the occurrence of a cybersecurity breach or an information security breach potentially falls into this category of information. ASX Listing Rule 3.1A sets out five situations in respect of which an exception to the general disclosure obligation in ASX Listing Rule 3.1 will apply, subject to the information in question remaining confidential in the context of a cyber incident.
However, since confidentiality cannot be assured, it is unlikely that a company could rely on this exception in relation to the incident.
Companies that breach their continuous disclosure obligations risk significant penalties and reputational damage, as well as potential legal action from investors. Directors and officers of ASX-listed companies can be held personally liable for breaches of the continuous disclosure obligations, which means that they may be required to pay damages, legal fees and other costs associated with legal action.
In February 2023, in Australian Securities and Investments Commission v GetSwift Ltd [2023] FCA 100 (GetSwift), the Federal Court of Australia imposed the largest ever penalty on a company for breaching continuous disclosure laws and engaging in misleading and deceptive conduct, ordering GetSwift to pay a $15 million penalty.
The court also ordered former director, chief executive officer and executive chairman, Bain Hunter, to pay $2,000,000 and disqualified him from managing corporations for 15 years. Another former director was ordered to pay a penalty of $1,000,000 and was disqualified for 12 years. These are two of the highest penalties directors have received for corporate misconduct.
In 2021, the continuous disclosure obligations in the CA 2001 were amended so that companies and their officers will now only be liable in civil proceedings in respect of alleged breaches of continuous disclosure obligations where they acted with knowledge, recklessness or negligence (for more information, see Practice note, Responsibilities and obligations of directors of listed companies: Continuous disclosure obligations under the CA 2001).
However, the Australian Securities and Investments Commission (ASIC) still retains its ability to issue infringement notices for breaches of continuous disclosure obligations, regardless of whether the entity acted with knowledge, recklessness or negligence.
Common themes in the class actions
Although the causes of action are different, there are some common themes with the current data breach class action claims.
The most interesting is the allegation that the very fact that a major data breach has occurred gives rise to an inference that the defendant’s systems and controls were inadequate, and they had failed to meet relevant data protection regulatory requirements.
These claims are variously based on breach of contractual promises, breach of confidence, negligence, misleading representations and breach of continuous disclosure requirements.
This has led to increased vigilance by legal advisers assessing what their organisations are saying about their privacy and data protection practices (for example, in their data management and privacy policies, their contracts and their marketing materials). In addition to these class action claims, we have also seen a response from the regulators.
The Office of the Australian Information Commissioner (OAIC) has opened investigations into Optus, Medibank and Latitude, which could in turn lead to ASIC taking legal action.
We have also seen other regulatory action with the Australian Prudential Regulation Authority (APRA) imposing an increase in Medibank’s capital adequacy requirement of $250 million following its data breach incident.
So, these developments in 2023 have resulted in legal counsel, senior management and boards taking a close look to ensure their organisations can demonstrate they are complying with regulations regarding data handling and cybersecurity, such as Australian Privacy Principle 11 (APP 11). The Australian Cyber Security Centre has also emphasised the need for all organisations to develop and implement, as a minimum, a tested incident response plan, a business continuity plan and a disaster recovery plan.
For a guide to Practical Law’s resources relating to the legal, practical and commercial issues arising when a data breach occurs, see Toolkit, Data breach incidents.

Unfair contract terms regime

Reforms to the unfair contract terms regime under the Treasury Laws Amendment (More Competition, Better Prices) Act 2022 (Cth) commenced on 9 November 2023, imposing significant penalties on companies that include unfair terms in their standard form contracts.
Prior to 9 November 2023, under the Australian Consumer Law's unfair contract terms regime, a court could determine that a term of a contract was unfair and therefore void and unenforceable.
From 9 November 2023, the use of unfair contract terms is prohibited, and a court may order significant penalties for violations of this prohibition, including fines of $2.5 million for individuals and $50 million, or more in certain circumstances, for corporations. The new penalties drastically change the risk profile for companies of including unfair terms in their contracts, and compliance with the new regime has involved a significant amount of contract management work for companies, including giving careful consideration to existing contract terms, amending or removing terms that might be considered unfair in any preferred standard form agreement templates, and setting up a clear process for the rollout of new contracts or contract amendments to ensure compliance with the unfair contracts term regime.
For a checklist to assist businesses to determine whether a contract is subject to the unfair contract terms regime, see Checklist, Application of the unfair contract terms regime and assessing whether a term is unfair and for a toolkit that brings this checklist together with Practical Law's other unfair contract terms resources, see Toolkit, Unfair contract terms.

Employment law reforms

2023 continued the theme of extensive employment law reform, which has been a theme of the Albanese Government, with:
  • The 2023 commencement of reforms enacted in 2022 under the:
    • Anti-Discrimination and Human Rights Legislation Amendment (Respect at Work) Act 2022 (Cth) (Respect at Work Act 2022);
    • Fair Work Amendment (Paid Family and Domestic Violence Leave) Act 2022 (Cth); and
    • Fair Work Legislation Amendment (Secure Jobs, Better Pay) Act 2022 (Cth) (SJBP Act 2022).
  • The passing of further amendments relating to paid parental leave and Work Health and Safety laws.
  • The introduction into Parliament of the Closing Loopholes Bill.
While specialist employment lawyers have spent the year grappling with comprehensive change across their entire area of practice, two key areas of concern emerged for in-house counsel and their boards.
The first of these is the connection between sexual harassment, sex-based discrimination and bullying on the one hand, and the risk of psychosocial injury under work health and safety laws on the other. The commencement of amendments under the Respect at Work Act 2022 on 13 December 2022 introduced, among other things, a prohibition on hostile work environments and a positive duty for companies to eliminate specific discriminatory conduct (see Toolkit, Sexual harassment and bullying at work). On 12 December 2023, further amendments will commence, under which the Australian Human Rights Commission will have compliance powers in respect of the positive duty to eliminate specific discriminatory conduct (see Practice note, AHRC: Overview of functions and enforcement powers: Functions in respect of the positive duty). In parallel with the amendments under the Respect at Work Act 2022, work health and safety laws have also evolved, with new federal regulations addressing the management of psychosocial risk for the purposes of the model health and safety laws commencing on 1 April 2023. The combined effect of these reforms is to significantly increase the risk of liability for companies and their directors if they fail to take steps to prevent the workplaces they preside over being hostile or allowing the sorts of workplace interactions or behaviours that create psychosocial risk.
The second issue of concern for in-house counsel and their boards is the proposed regime for the criminalisation of underpayment of wages where there is intentional conduct, together with measures that will strengthen compliance and enforcement activity in respect of the underpayment of wages, including by:
While the Closing Loopholes Bill will not be passed this year, it is clear that companies will face increased compliance costs to manage the increased risks associated with underpayments. For a summary of the Closing Loopholes Bill, see Legal update, Closing Loopholes Bill 2023 introduced into Parliament.

A look ahead at 2024

Mergers and acquisitions (M&A)

M&A activity is likely to increase in 2024, after 2023 presented macroeconomic conditions, including inflationary pressures, geopolitical uncertainty and interest rate volatility, that had a cooling effect on deal activity. However, institutional investors have undeployed capital reserves that need to be invested and this is likely to drive activity in 2024.
As economic conditions remain uncertain, one trend from 2023 that is likely to continue into 2024 is the increase in bilateral negotiations in public M&A, including in response to unsolicited offers, in preference to auction processes, as targets prefer deal certainty to the chance to optimise price with fewer deal protections.
Consequently in 2024, listed companies will need to expect and be ready to respond to unsolicited offers. If a listed company does not have a bid response manual, it should consider preparing one, and if it has one, it should review it closely and update it where necessary to ensure the company is fully prepared for an approach. See Practice note, Takeovers: preparing for an unsolicited takeover bid for more information.
Another continuing trend in M&A activity is the ever-increasing importance of ESG in the context of acquisition due diligence. As ESG as a source of risk continues to expand, buyers are expanding the scope of their diligence requests and, for example, focusing their environmental risk queries not only on climate risk, but also on nature-related and sustainability risk generally. Buyers are looking for proper and pro-active disclosure of ESG risk and they want to see that target companies understand the risks they face and are managing those risks.

ESG

The evolving ESG landscape will continue in 2024. In October 2023, the Australian Government released its sustainable finance strategy for consultation (which closes on 1 December 2023). The sustainable finance strategy aims to:
  • Improve transparency on climate and sustainability.
  • Provide more credible and comprehensive information about sustainability opportunities, risks and impacts.
  • Increase the financial system's capabilities and strengthen government leadership and engagement on sustainable finance.
In 2023, the Australian Government confirmed its intention to phase in a new, internationally aligned mandatory climate disclosure reporting regime for large Australian corporations (both listed and large, unlisted corporations) and financial institutions, with coverage expanding over time, and Treasury has just completed its second round of consultation seeking feedback on the key considerations for that regime's design and implementation.
Key proposals include implementing the regime over three years, starting for financial years ending 30 June 2025, and limiting actions for misleading and deceptive conduct for certain forward-looking disclosures to regulator-only action for three years. The detail of these new requirements will be set out in the new Australian Sustainability Reporting Standards, Exposure Drafts of which were released for consultation in October, with submissions due by 1 March 2024.
ASIC is encouraging organisations to start putting into place the systems, processes and governance practices that will be required to meet any new reporting requirements and recommends continuing to report voluntarily in line with the recommendations of the Task Force on Climate-related Financial Disclosure (TCFD) (for more information on the TCFD, see Practice note, Task Force on Climate-related Financial Disclosures (TCFD): recommendations for disclosing climate-related financial information).
We are also seeing momentum growing in relation to sustainability-related topics beyond climate. In September, the Taskforce on Nature-related Financial Disclosure (TNFD) published its final recommendations. The TNFD framework, which incorporates all 11 of the TCFD recommendations to encourage integrated climate and nature reporting, paves the way for entities to incorporate nature-related risks and opportunities into their strategic planning, risk management and financial disclosures (for more information, see Legal update, Taskforce on Nature-related Financial Disclosures publishes final TNFD Recommendations).
Although voluntary at this stage, it is predicted that the TNFD, like the TCFD, will ultimately be adopted into regulatory requirements around the world.
Significantly for company boards, a legal opinion given in October this year has warned that Australian directors could breach their duty of care and diligence if they fail to at least identify their company’s nature-related dependencies and impacts and consider the potential risks those dependencies and impacts may pose to their company.
That opinion recommended certain steps directors can take now to begin discharging their duty of care and diligence in respect of nature-related risks (see Legal update, New legal opinion on nature-related risks and directors' duties: What does it mean for directors?), and there is guidance on how to implement these steps in the TNFD framework.
For key materials on ESG and sustainability considerations, legislation and practice in Australia, see ESG and sustainability toolkit (Australia).

Cybersecurity and data protection

Cybersecurity will continue to be at the forefront of every organisation's list of legal risks. Tougher regulation of organisational cybersecurity and data protection in Australia, prioritisation of compliance enforcement by regulators and an increased risk of consumer class actions following data breach incidents means cybersecurity legal risks will not be going away in 2024.
Changes to the Privacy Act 1988 (Cth) (Privacy Act)
Changes slated for the Privacy Act, following the federal government's review, mean that the risk of data breach class actions is likely to increase in the near future. The federal government has recently agreed in principle to introduce a direct right of action for individuals under the Privacy Act (see Legal update, Australian Government releases response to the Privacy Act Review Report). The introduction of this right of action will really clear the way for future actions by individuals whose personal information has been stolen through cyber incidents. For a tracker that monitors the progress of key developments in privacy law reform, including the review of the Privacy Act, see Legislation Tracker, Australian privacy law reform: Review of the Privacy Act.
Introduction of new Prudential Standard CPS 230 Operational Risk Management (CPS 230)
In other regulatory developments affecting cybersecurity obligations, legal counsel will be preparing for the commencement of CPS 230 over the next year (see Legal update, APRA releases final version of Prudential Standard CPS 230 Operational Risk Management). Although CPS 230 will not be commencing until 1 July 2025, affected organisations will be formulating a roadmap to compliance throughout 2024.
Under CPS 230, the board of an APRA-regulated entity will be ultimately accountable for the oversight of its operational risk management. It will need to approve:
  • Tolerance levels for disruptions to critical operations.
  • The organisation's business continuity plan.
  • The organisation’s service provider management policy.
This approach is consistent with the messaging from ASIC around cybersecurity generally. That is, that cybersecurity is squarely a board-level issue. Boards need to consider how cyber risk is included in organisational risk management, the organisation’s incident response plan and, very importantly, how an organisation would communicate with customers, regulators and the market if a cyber incident were to occur.
Directors’ duties and cybersecurity
A failure to appropriately monitor and manage cyber risks, including known or anticipated business risks, could cause a director to breach their statutory duties to exercise their powers with due care and diligence, and in good faith in the best interests of the organisation. If boards do not give cybersecurity and cyber resilience sufficient priority, this creates a foreseeable risk of harm and exposes directors to enforcement action for not acting with reasonable care and diligence.
Cybersecurity really requires a top-down approach, starting with effective and active oversight from the board of directors.
This does not mean directors have to become information technology (IT) experts, but they do need to understand:
  • The types of cyber attacks that are potential threats to their organisation.
  • Which systems and information are particularly vulnerable to attacks.
  • What the potential outcome of a particular cyber attack may be.
  • What can be done to combat potential threats; for example, incident response strategies and procedures.
As with a breach of continuous disclosure obligations, the penalties are severe: in addition to financial penalties and being disqualified from acting as a director or officer of a corporation for a period, directors may be exposed to personal liability for breach of their duties if their company suffers a cyber incident and they were not able to demonstrate that they took appropriate action to prevent or minimise that risk.
Commonwealth Government Cybersecurity Strategy 2023-2030
In November 2023, the Commonwealth Government released its highly anticipated 2023-2030 Australian Cyber Security Strategy and accompanying action plan. The strategy includes a proposal for legislation to introduce a no-fault, no-liability ransomware reporting obligation for businesses that is to be co-designed with industry.
For a guide to Practical Law's resources relevant to the legal, practical and commercial issues relating to cybersecurity, see Toolkit, Cybersecurity.
Resource ID w-041-5216
© 2024 Thomson Reuters. All rights reserved.
Published on 28-Nov-2023