Tougher penalties for privacy breaches

The Government has recently announced its intention to reform Australia’s privacy law regime and increase the penalties applicable to entities that breach their obligations under the Privacy Act.

The proposal involves bolstering the resources and powers of the Office of the Australian Information Commissioner (OAIC), and many commentators are expecting this may herald a more aggressive stance from the OAIC as it monitors compliance of entities subject to the Privacy Act.

The amendments that are proposed include:

• an increase to the maximum penalty for serious and repeated breaches to the highest of: $10 million; three times the value of any benefit obtained through the misuse of the personal information; or 10% of the entity’s annual domestic turnover;

• new power for the OAIC to issue infringement notices relating to minor breaches with fines of up to $63,000 for companies and $12,600 for individuals;

• new power for the OAIC to publicise specific breaches and notify individuals who are affected;

• an obligation for social media and online platform companies to cease using or disclosing the personal information of individuals upon their request; and

• certain additional rules to protect the personal information of children and other vulnerable groups.

The amendments are scheduled for consultation in the second half of this year. If passed, the tougher penalties together with OAIC’s new power to publicise specific breaches may significantly increase the financial and reputational risks of failing to comply with your privacy obligations.

The Government’s announcement serves as an important reminder for all entities subject to the Privacy Act to ensure appropriate information-handling measures, systems and processes are in place.

At Motus Legal, we have assisted many of our clients in complying with their privacy obligations. Get in touch with us if we can help you too.

ASIC provides further guidance on ICOs

ASIC have released further insight into their stance on, and treatment of, initial coin offerings (“ICOs”) and crypto-assets.

As we have previously mentioned in earlier posts, ASIC’s Information Sheet 225 provides guidance on what obligations may apply to an ICO under the Corporations Act, including when an ICO may be considered to be:

• an interest in a managed investment scheme;

• a share in a company;

• a derivative; and

• a non-cash payment facility.

Misleading and deceptive conduct

ASIC have recently updated this Information Sheet to stress the prohibition under Australian law relating to misleading and deceptive conduct, and to provide some clarity on how ASIC will apply these laws in the ICO/crypto-asset space.

ASIC notes that the application of certain prohibitions against misleading and deceptive conduct may depend on whether or not the ICO/crypto-asset is a ‘financial product’ under the Corporations Act.  However, it is important to be aware that even if the ICO/crypto-asset is not such a ‘financial product’ under the Corporations Act, the prohibitions against misleading and deceptive conduct under the Australian Consumer Law must still be complied with.

ASIC have provided some helpful examples to assist in understanding what kinds of conduct may be prohibited under these laws, such as:

• the use of social media to generate the appearance of a greater level of public interest in an ICO;

• undertaking or arranging for a group to engage in trading strategies to generate the appearance of a greater level of buying and selling activity for an ICO or a crypto-asset;

• failing to disclose adequate information about the ICO; or

• suggesting that the ICO is a regulated product or the regulator has approved the ICO if that is not the case.

Undertaking an ICO or other crypto-asset activities that fail to comply with these prohibitions may be a serious breach of Australian law, and ASIC have stressed that they intend to take action in coordination with the ACCC where they consider there is potential misleading and deceptive conduct.

Accordingly, it is crucial that you seek legal advice if you are considering an ICO, and then to work closely with your legal advisors throughout that process.

At Motus Legal, our close involvement with technology companies and our expertise in financial services and capital raisings have allowed us to provide valuable assistance on ICOs, and we are excited to be working with a number of our clients in relation to their ICO plans.

Get in touch with us so we can help you with your plans.

The team at Motus Legal

Equity crowdfunding rules live - September 2017

Legislation allowing public companies to raise equity-based funds from the crowd is set to commence on 29 September 2017.  Under these new rules, compliant public companies will be able to raise capital from a large number of investors, each making a relatively small investment in exchange for shares in the company.

To be eligible, the public company must:
•    Be an unlisted public company limited by shares;
•    Have consolidated gross assets of less than $25 million (including any of the company’s related parties);
•    Have consolidated annual revenue of less than $25 million (including any of the company’s related parties);
•    Have its principal place of business and majority of directors ordinarily residing in Australia;
•    Not have a substantial purpose of investing in security interests in other entities or in managed investment schemes.

Currently, only fully paid ordinary shares may be offered under the regime, and the maximum that may be raised in any rolling 12-month period is $5 million.  Investors will be limited to investing up to $10,000 annually per company.

While the new laws commencing in September relate only to public companies, the rules do allow some leeway to private companies wishing to convert to a public company in order to access the equity crowdfunding regime.

Private companies are eligible to receive temporary reporting and corporate governance concessions for five years if the private company:
•    converts to a public company after 29 September 2017; and
•    completes an equity crowdfunding capital raise within 12 months.
If the concessions apply, then the converted company will be granted temporary relief from requirements relating to Annual General Meetings, appointing and auditing financial reports, and distributing annual reports to shareholders.

This said, and as we have discussed in previous posts, the Federal Government is currently considering extending the equity crowdfunding regime to private companies (subject to numerous compliance requirements).  Some commentators are suggesting that private companies wishing to obtain equity-based crowdfunding may be well advised to hold off on converting to a public company until these new laws are either enacted or taken off the table. Watch this space.

At Motus Legal, we have helped many of our clients successfully undertake capital raising to fund their enterprises.  Get in touch with us if you are considering making use of the new equity crowdfunding regime for your own business.

Keep moving.

The team at Motus Legal

Update on notifiable data breach scheme

As we have previously commented on in our blog post late last year, new laws are set to come into effect on 22 February 2018 which will require organisations covered by the Privacy Act 1988 (Privacy Act) to notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals if an unauthorised disclosure of personal information occurs.

The OAIC has published draft resources on their website to assist organisations in understanding their compliance obligations (accessible at:

The draft resources cover:

• Who must comply with the NDB Scheme – the NDB Scheme will apply to you if you are an organisation or Australian government agency that is already covered by the Privacy Act;

• Which data breaches are notifiable – a data breach is an ‘eligible data breach’ that requires notification if it is likely to result in serious harm to any of the individuals to whom the information relates (note that a data breach does not have to be ‘malicious’, such as a cyber-attack, for it to be an eligible data breach – accidental unauthorised disclosure may still require notification, for example);

• How to notify – if the NDB Scheme applies to your organisation, your organisation must provide a statement to the OAIC, and notify individuals at risk of serious harm of the contents of that statement, if an eligible data breach occurs;

• Australian Information Commissioner’s role in the NDB Scheme – the OAIC’s roles include receiving notifications of eligible data breaches, encouraging compliance with the scheme (including regulatory action in the event of non-compliance), and providing advice and guidance about the operation of the scheme.

It is important that you review your organisation’s policies, procedures and systems for securing personal information and preventing data breaches before they occur.  An effective data-breach response plan is also crucial to respond quickly if a data breach does occur, which may be the difference between averting serious harm and a breach requiring notification (which can be highly detrimental to an organisation’s reputation).

At Motus Legal, we have advised many of our clients on complying with their obligations under the Privacy Act.  Get in touch with us to prepare for the NDB Scheme before it comes into effect.

Equity crowdfunding - new rules introduced

The Federal Government's recently introduced draft legislation, the Corporations Amendment (Crowd-Sourced Funding For Proprietary Companies) Bill 2017 (Bill), may at last make equity crowdfunding available to private companies.
You may recall that the Government already passed equity crowdfunding legislation in March (which is to come into effect this September).  However, a major point of contention in that legislation was the inability of private companies (which make up the vast majority of corporations in Australia) to access the regime.
The compliance costs of trading as a public company mean that relatively few private companies will go public in order to raise capital from the crowd under the current regime.  The recently introduced Bill is intended to address this by allowing companies to remain private.
If the Bill is passed by the Government, crowd-sourced investors will not be counted towards the fifty-shareholder limit that applies to private companies (although it is not yet clear what happens when these investors transfer their shares).
Crowdfunded private companies will also be exempt from takeover provisions under Chapter 6 of the Corporations Act, provided that the company amends its constitution to require a person who acquires more than 40% of the voting shares in the company to offer to purchase all other securities in the company on the same terms within 31 days.  The amended constitution must be lodged with ASIC if a crowdfunded company intends to rely on this exemption.
While allowing private companies to access the crowdfunding regime has been broadly welcomed, some commentators are questioning whether the obligations in the new Bill nonetheless require crowdfunded private companies to act as public companies in disguise.
The additional obligations that crowdfunded private companies must comply with under the Bill include:
•    having at least two Australian-based directors;
•    lodging annual financial and directors’ reports, which must be audited if the offer is over $1 million;
•    complying with certain 'related party' provisions of the Corporations Act; and
•    maintaining a more comprehensive company register.
This said, the new Bill has been recognised as an important step towards making equity crowdfunding available to private companies and this is certainly an area to watch.
Get in touch with us at Motus Legal to talk more.

Quick refresher on privacy and "small businesses"

The Australian Privacy Principles (APPs) contain many obligations and requirements as to how "APP Entities" collect, hold, use and disclose personal information.   An APP Entity is any organisation (whether a sole trader, company, partnership or trust) that is not a "Small Business Operator" - that is, any organisation with annual turnover of $3 million or more.
However, even if your organisation is a "Small Business Operator" with annual turnover of less than $3 million, do not assume the APPs don't apply to you.  There are a number of exceptions to the Small Business Operator rule, which may require your organisation to comply with the APPs.
For example, if your organisation has less than $3 million annual turnover but provides health services and holds "health information" about an individual (other than in an employee record), then your organisation must comply with the APPs.  "Health information" includes any personal information about:
•    the health or disability of an individual at any time (whether physical or mental);
•    a health service provided to or requested by an individual; or
•    other information collected to provide, or in providing, a health service.
"Health information" is interpreted broadly.  For example, the records of fitness clubs relating to individuals will fall within this exception, and therefore such fitness clubs must comply with the APPs regardless of whether they are Small Business Operators with less than $3 million annual turnover.
Another example where your organisation may be required to comply with the APPs (regardless of whether it has less than $3 million annual turnover) is where your organisation discloses personal information about individuals to receive a benefit or advantage, or to provide a service.  This also applies to organisations that provide a benefit, service or advantage to collect personal information about individuals from anyone else.  Organisations caught by this include those that sell lists of personal information to another entity so that the other entity can use it for direct marketing.
However, a Small Business Operator will not be required to comply with the APPs for trading in personal information if the Small Business Operator does so with the consent of the individuals concerned.  Whether satisfactory consent has been obtained from the relevant individuals for this to apply then becomes critical to get right.
As you can see, whether your business is bound by the APPs is not simply a matter of whether or not your organisation exceeds an annual turnover of $3 million.  At Motus Legal, we have advised many of our clients on privacy matters and compliance with the APPs, including specifically in the health sector.
Get in touch with us at Motus Legal to find out how the Australian Privacy Principles apply to your business.

Blockchain and Smart Contracts

Last year saw some major developments in blockchain technology. If these trends continue throughout 2017 and beyond, many commentators predict that blockchain technologies will revolutionise business in all sectors and industries.
So – what are these?  At a fundamental level, blockchain technologies provide a means of permanently recording transactions on a tamper-proof digital ledger that is available to the world.
Each “block”, which contains data about a transaction or transactions, must be verified by multiple “nodes” before the block is included on the blockchain ledger. This distributed verification process is intended to make blockchains highly resistant to unauthorised attempts to manipulate the blockchain ledger (such as by trying to process an artificial block with false transaction data). 
For this reason, blockchain technology is often touted by supporters as perhaps the most significant advancement for the Internet since the World Wide Web.   Big call, we know.
Advocates claim that blockchains provide a transparent and secure means for making transactions without requiring a central authority or trusted third party. This apparent ability of blockchains to provide the “trust” required in a transaction has led to predictions that the technology will completely overhaul the way information and assets are stored, tracked and traded across all industries.
Some businesses seem to have recognised this potentially new ground for experimentation and have begun to explore the opportunities. One exciting area is the emergence of “smart contracts” in commercial relationships.
In simple terms, unlike traditional contractual agreements, smart contracts are written in source code and recorded on a blockchain. When a given event occurs (e.g. X transfers money to Y), the smart contract automatically executes and processes the transaction on the blockchain ledger (e.g. title to Y’s shares and other given assets are transferred to X).
In this way, the smart contract is automatically enforced without either party having to trust that the other party will perform their obligations (or having to rely on a central authority or escrow).
That said, it is still not clear how these blockchains (at least for now) can completely replace traditional contractual agreements.  That is because commercial agreements are far broader in scope than the simple processing of transactions, and are carefully drafted to address many more aspects and uncertainties inherent in commercial dealings.
We have a lot of clients in the technology space, and we love talking to them about how technology will affect not only businesses in general, but the ‘business’ of law.

Watch this space and get in touch with us to talk more.

The team at Motus Legal

Sandbox for Fintechs

As previously mentioned, fintechs in Australia have recently received a gift from ASIC in the form of an exciting and world-first "regulatory sandbox" initiative. These regulatory exemptions give Australian fintechs the opportunity to enter the market and test their products where they were previously held back by restrictive red-tape.
Under ASIC's recently released regulatory exemptions, eligible fintechs will be able to test certain products on the market for up to 12 months without requiring an Australian Financial Services Licence (AFSL) or an Australian Credit Licence (ACL).

This is exciting news for many fintechs that have found it difficult to really develop their businesses due to the high costs of obtaining these financial licences.
To be eligible for this licensing relief, your fintech must:
•    have no more than 100 retail clients;
•    plan to test for no more than 12 months;
•    have total customer exposure of no more than AU$5 million;
•    have adequate compensation arrangements (such as professional indemnity insurance);
•    have dispute resolution processes in place;
•    meet disclosure and conduct requirements; and
•    comply with the relevant responsible lending obligations.
If your fintech meets the applicable criteria (including product eligibility requirements), then you are entitled to rely on ASIC's licensing exemptions for a 12-month period, giving you the opportunity to test out your fintech in the marketplace.
We already work with a few fintechs and have many years' experience advising in the financial services sector in Australia, so get in touch with us and let us partner with your fintech.

Keep moving.

The team at Motus Legal

Mandatory privacy breach reporting

New laws, if passed, will require businesses that experience a data breach to notify the Australian Information Commissioner and any affected individuals that an unauthorised disclosure of personal information has occurred.
Cyber attacks and data breaches are becoming increasingly common in commercial life and will be experienced by most organisations at some stage. Now, under the proposed amendments to the Privacy Act 1988, certain businesses that fail to notify the Commissioner and affected individuals as soon as practicable may be exposed to hefty penalties.
Businesses and organisations that are considered "APP Entities" under the Privacy Act 1988 will be subject to the mandatory notification obligations if:
•    there is unauthorised access to or unauthorised disclosure of personal information; and
•    such access, disclosure or loss of personal information is likely to result in serious harm to any of the individuals to whom the information relates.
Providing notification of a data breach will likely result in significant negative publicity and scrutiny from the Commissioner. At Motus Legal, we have advised clients on policies and procedures that can be implemented to minimise the risk of a data breach occurring, as well as responding to claims of breaches of privacy.  However, businesses cannot entirely eliminate the risk that human error, a technology glitch or a malicious hack will cause a data breach.
It is therefore crucial that you act quickly if you become aware that a data breach has occurred or is likely to occur. Under the proposed amendments to the Privacy Act 1988, APP Entities that take effective remedial action before any serious harm occurs may be exempt from the costly mandatory notification obligations.
Get in touch with us at Motus Legal to find out how these new laws will affect your business and how we can help you manage data breaches before they occur.

The team at Motus Legal

Top 4 tips to become cyber resilient

Cyber security is an issue of increasing importance for organisations throughout Australia and the world. As businesses chase the undeniable benefits of going ever-more digital, the related cyber risks cannot be ignored.

It is now generally accepted in the business community that virtually all organisations will experience a cyber-related incident at some stage. Data breaches can lead not only to large civil penalties imposed on companies and personal liability for directors, but can also have a devastating effect on an organisation’s reputation. 

You should therefore view cyber security as not just a technical problem requiring technical solutions. As a key stakeholder in your business, you need to be proactive in implementing an effective management strategy to address cyber risk at all levels of your organisation. 

To enhance cyber resilience and succeed in the digital economy, you should at the very least adopt a strategy to: 
•    determine your business’ exposure to cyber risk, including with respect to its assets, supply chain, personnel, and response resources;
•    promote cyber security governance and raise awareness of cyber risks across your whole business;
•    assess and update your business’ policies and procedures, implement a data breach detection and response plan, and ensure your employees and contractors have the necessary training; and
•    review your business’ insurance policies and coverage.

Do not assume your business has satisfactory procedures in place to deal with cyber threats. Unfortunately, it is often only after a business has experienced a data breach and become exposed to the wide range of liabilities that it recognises the necessity of an effective cyber-resilience strategy.  Don’t let that be you. Get ahead of cyber risk by reviewing the above for yourself, or ask the experts to help.

At Motus Legal, we have helped many of our clients beef up their privacy policies and security procedures, and have provided much needed advice on data, privacy and security-related matters.  Get in touch with us so we can help your business become cyber resilient.

The team at Motus Legal