Reflections on 2023 and a look ahead at 2024 with the Practical Law Australia team

The 2023 AGM season was characterised by some surprise departures from the themes of previous years.

Shareholder-requisitioned resolutions have for some time been used in Australia by shareholders of listed companies who are concerned about the environmental impact of their investments, to encourage companies to disclose climate change and human rights risks, and to combat climate change and human rights abuses.

Compared to 2022, however, shareholder-requisitioned resolutions relating to climate change and other ESG issues are significantly down. Sustainability-related issues do, however, remain a key driver of shareholder activism, despite fewer ESG-related shareholder-requisitioned resolutions.

Another area of focus for this AGM season has been the annual remuneration report, which is a key document that provides detailed information about the company's executive and director remuneration practices. In contrast with the 2022 AGM season, this year, a number of companies listed on the Australian Securities Exchange (ASX) have seen significant increases in votes against their companies. This peaked dramatically on 3 November 2023 with the highly publicised rejection by almost 83% of voting shareholders against the Qantas 2023 remuneration report, being a near record first strike.

Under the two-strikes rule, if 25% or more of the votes cast at an AGM over two consecutive years are against adopting the company's remuneration report, shareholders have the right to bring a spill resolution which, if successful, requires the sitting board (other than the managing director) to vacate their offices at a specially convened spill meeting.

Unsurprisingly, the two-strikes rule is a key tool used by shareholders, particularly shareholder activists, to express dissatisfaction with elements of the board's corporate governance. The threat of a second strike allows shareholders to move for a board spill without calling for a meeting and allows them to hold directors to account for issues that are not directly related to remuneration.

For further information, see Article, Preparing for the 2023 AGM season and Practice note, Shareholder activism: Shareholder-requisitioned resolutions and The two-strikes rule.

2023 has been dominated by the aftermath of some large-scale data breaches such as the 2022 Medibank and Optus data breaches, and, more recently, the Latitude Financial Services (Latitude) data breach that occurred in March this year. These breaches affected millions of people, with the Latitude breach alone involving the theft of 7.9 million drivers' licence numbers. There are currently three class actions against Medibank, one against Optus and Latitude is the subject of an investigation into a potential class action. Three of the class actions are consumer-based and one of the class actions against Medibank is a shareholder claim alleging a contravention of Medibank's continuous disclosure obligations.

Continuous disclosure obligations apply to listed entities under both the Corporations Act 2001 (Cth) (CA 2001) and ASX Listing Rule 3.1, and the basic continuous disclosure obligation for a listed company is to immediately disclose to the ASX any information concerning it that a reasonable person would expect to have a material effect on the price or value of the company's securities.

It follows that the occurrence of a cybersecurity breach or an information security breach potentially falls into this category of information. ASX Listing Rule 3.1A sets out five situations in respect of which an exception to the general disclosure obligation in ASX Listing Rule 3.1 will apply, subject to the information in question remaining confidential in the context of a cyber incident.

However, since confidentiality cannot be assured, it is unlikely that a company could rely on this exception in relation to the incident.

Companies that breach their continuous disclosure obligations risk significant penalties and reputational damage, as well as potential legal action from investors. Directors and officers of ASX-listed companies can be held personally liable for breaches of the continuous disclosure obligations, which means that they may be required to pay damages, legal fees and other costs associated with legal action.

In February 2023, in Australian Securities and Investments Commission v GetSwift Ltd [2023] FCA 100 (GetSwift), the Federal Court of Australia imposed the largest ever penalty on a company for breaching continuous disclosure laws and engaging in misleading and deceptive conduct, ordering GetSwift to pay a $15 million penalty.

The court also ordered former director, chief executive officer and executive chairman, Bain Hunter, to pay $2,000,000 and disqualified him from managing corporations for 15 years. Another former director was ordered to pay a penalty of $1,000,000 and was disqualified for 12 years. These are two of the highest penalties directors have received for corporate misconduct.

In 2021, the continuous disclosure obligations in the CA 2001 were amended so that companies and their officers will now only be liable in civil proceedings in respect of alleged breaches of continuous disclosure obligations where they acted with knowledge, recklessness or negligence (for more information, see Practice note, Responsibilities and obligations of directors of listed companies: Continuous disclosure obligations under the CA 2001).

However, the Australian Securities and Investments Commission (ASIC) still retains its ability to issue infringement notices for breaches of continuous disclosure obligations, regardless of whether the entity acted with knowledge, recklessness or negligence.

Although the causes of action are different, there are some common themes with the current data breach class action claims.

The most interesting is the allegation that the very fact that a major data breach has occurred gives rise to an inference that the defendant’s systems and controls were inadequate, and they had failed to meet relevant data protection regulatory requirements.

These claims are variously based on breach of contractual promises, breach of confidence, negligence, misleading representations and breach of continuous disclosure requirements.

This has led to increased vigilance by legal advisers assessing what their organisations are saying about their privacy and data protection practices (for example, in their data management and privacy policies, their contracts and their marketing materials). In addition to these class action claims, we have also seen a response from the regulators.

The Office of the Australian Information Commissioner (OAIC) has opened investigations into Optus, Medibank and Latitude, which could in turn lead to ASIC taking legal action.

We have also seen other regulatory action with the Australian Prudential and Regulation Authority (APRA) imposing an increase in Medibank’s capital adequacy requirement of $250 million following its data breach incident.

So, these developments in 2023 have resulted in legal counsel, senior management and boards taking a close look to ensure their organisations can demonstrate they are complying with regulations regarding data handling and cybersecurity, such as Australian Privacy Principle 11 (APP 11). The Australian Cyber Security Centre has also emphasised the need for all organisations to develop and implement, as a minimum, a tested incident response plan, a business continuity plan and a disaster recovery plan.

For a guide to Practical Law’s resources relating to the legal, practical and commercial issues arising when a data breach occurs, see Toolkit, Data breach incidents.

Reforms to the unfair contract terms regime under the Treasury Laws Amendment (More Competition, Better Prices) Act 2022 (Cth) commenced on 9 November 2023, imposing significant penalties on companies that include unfair terms in their standard form contracts.

Prior to 9 November 2023, under the Australian Consumer Law's unfair contract terms regime, a court could determine that a term of a contract was unfair and therefore void and unenforceable.

From 9 November 2023, the use of unfair contract terms is prohibited, and a court may order significant penalties for violations of this prohibition, including fines of $2.5 million for individuals and $50 million, or more in certain circumstances, for corporations. The new penalties drastically change the risk profile for companies of including unfair terms in their contracts, and compliance with the new regime has involved a significant amount of contract management work for companies, including giving careful consideration to existing contract terms, amending or removing terms that might be considered unfair in any preferred standard form agreement templates, and setting up a clear process for the rollout of new contracts or contract amendments to ensure compliance with the unfair contracts term regime.

For a checklist to assist businesses to determine whether a contract is subject to the unfair contract terms regime, see Checklist, Application of the unfair contract terms regime and assessing whether a term is unfair and for a toolkit that brings this checklist together with Practical Law's other unfair contract terms resources, see Toolkit, Unfair contract terms.

2023 continued the theme of extensive employment law reform, which has been a theme of the Albanese Government, with the:

While specialist employment lawyers have spent the year grappling with comprehensive change across their entire area of practice, two key areas of concern emerged for in-house counsel and their boards.

The first of these is the connection between sexual harassment, sex-based discrimination and bullying on the one hand, and the risk of psychosocial injury under work health and safety laws on the other. The commencement of amendments under the Respect at Work Act 2022 on 13 December 2022 introduced, among other things, a prohibition on hostile work environments and a positive duty for companies to eliminate specific discriminatory conduct (see Toolkit, Sexual harassment and bullying at work). On 12 December 2023, further amendments will commence, under which the Australian Human Rights Commission will have compliance powers in respect of the positive duty to eliminate specific discriminatory conduct (see Practice note, AHRC: Overview of functions and enforcement powers: Functions in respect of the positive duty). In parallel with the amendments under the Respect at Work Act 2022, work health and safety laws have also evolved, with new federal regulations addressing the management of psychosocial risk for the purposes of the model health and safety laws commencing on 1 April 2023. The combined effect of these reforms is to significantly increase the risk of liability for companies and their directors if they fail to take steps to prevent the workplaces they preside over being hostile or allowing the sorts of workplace interactions or behaviours that create psychosocial risk.

The second issue of concern for in-house counsel and their boards is the proposed regime for the criminalisation of underpayment of wages where there is intentional conduct, together with measures that will strengthen compliance and enforcement activity in respect of the underpayment of wages, including by:

While the Closing Loopholes Bill will not be passed this year, it is clear that companies will face increased compliance costs to manage the increased risks associated with underpayments. For a summary of the Closing Loopholes Bill, see Legal update, Closing Loopholes Bill 2023 introduced into Parliament.