Corporate information and the law 9780409333091, 0409333093


342 52 3MB

English Pages [448] Year 2013

Report DMCA / Copyright

DOWNLOAD PDF FILE

Table of contents :
Full Title
Copyright
Foreword
Preface
Table of Cases
Table of Statutes
Table of Contents
Part 1 Overview
Chapter 1 Introduction to Corporate Information and the Law
Overview
Exponential growth in information
Value of information
Information law as a discrete area of study
The domain — ‘corporate information’
The structure
Part 2 — Rights in corporate information
Part 3 — Limits on information sovereignty
Part 4 — Information security and management
Conclusion
Part 2 Rights in Corporate Information
Chapter 2 Copyright in Corporate Information
Copyright protection of corporate information
Theoretical underpinnings of copyright law
Criteria for copyright protection
Literary works
A ‘table’ as a literary work
A ‘compilation’ as a literary work
A ‘computer program’ as a literary work
Material form
Original works
Originality in the context of subsistence
Originality in the context of infringement
Connecting factors
Scope of copyright law protection for corporate information
Evidence of authorship
Reform
Amending the author requirement
A maker v author
Duration
Defences and remedies
Conclusion
Chapter 3 Alternative Approaches to Protecting Corporate Information
Introduction
The European Union’s Database Directive
The purpose of the Database Directive
The European Court of Justice’s interpretation of the database right
British Horseracing Board case
Interpreting the expression ‘obtaining’
Interpreting the expression ‘verification’
Interpreting the expression ‘presentation’
Interpreting the expressions ‘extraction’ and ‘re-utilization’
Summarising the impact of the ECJ approach to interpreting the Database Directive
Applying the ECJ’s ruling in BHB to the facts of recent Australian cases
Duration and remedies
Conclusion
Unjust enrichment
Conclusion
Chapter 4 Confidential Corporate Information
Introduction
The requirements
Identifying the information in suit
Standing
Elements of the action for breach of confidence
Element 1 — Necessary quality of confidence
Element 2 — Circumstances importing an obligation of confidence
Element 3 — Unauthorised use of that information to the detriment of the party communicating it
Controlling the use and disclosure of information by employees
Express confidentiality terms
Defences
Just cause or excuse
Disclosures by whistleblowers
Legal compulsion
Liability and remedies
Conclusion
Part 3 Limits on Information Sovereignty
Chapter 5 Disclosure and Investor Protection
Introduction
Periodic disclosure
The financial report
The directors’ report
The auditor’s report
Liability
Liability of directors and officers
Class action liability
Conclusions — periodic disclosure laws
Fundraising and disclosures
Specific information
General information — reasonable investor standard
Case law concerning the reasonable investor test
Defects in prospectuses
Defences
Due diligence defence for prospectuses
General defence for all disclosure documents
Conclusions — fundraising and disclosures
Takeovers and disclosures
Disclosure under a bidder’s statement
Disclosure under a target’s statement
Relationship between takeover disclosure laws and other information laws
Defects in takeover documents
Conclusion — takeover disclosures
Product disclosure documents and disclosures
Specific requirements
General requirements
Limitations on disclosure
Liability for defective disclosure in a PDS
Conclusion — product disclosure statements
Continuous disclosure
The Australian Securities Exchange (ASX) Listing Rules
Listing Rule 3.1
Element 1 — Becomes aware of any information concerning it
Element 2 — Reasonable person would expect to have a material effect on the price or value
Element 3 — Entity must immediately tell ASX that information
Exceptions under Listing Rule 3.1A
Listing Rule 3.1A.1 — the five situations
Listing Rule 3.1A.2 — The information is confidential and ASX has not formed the view that the information has ceased to be confidential
Listing Rule 3.1A.3 — A reasonable person would not expect the information to be disclosed
Listing Rule 3.1B — false markets
The statutory rules
Generally available information
A person involved in a contravention
Offences
Due diligence defence
Liability under other laws
Conclusions — continuous disclosure
Conclusion
Chapter 6 Disclosure and Consumer Protection
Introduction
Misleading or deceptive conduct
The statutory provisions
Peculiar elements regarding the scope of s 1041H — the meaning of ‘in relation to’
Peculiar elements regarding the scope of s 12DA
The ‘trade and commerce’ limit on the scope of s 12DA, ASIC Act and s 18, ACL
Misleading or deceptive conduct — interpretation and application
Meaning of ‘deceptive’ conduct
Meaning of ‘likely to’
Objective test for assessing misleading or deceptive conduct
Statements that are literally true
State of mind
Transitory effect and disclaimers
Careless conduct
Class of persons to whom conduct is directed
A failure to disclose
Opinions and forward-looking statements
Advertising
Social/digital media cases
Contravention
Conclusions regarding misleading conduct
Specific consumer disclosure laws — regulating form and content
Unfair contract terms
Telecommunications Code
Telecommunications Consumer Protections Code/ACMA
Credit regulation
Conclusion
Chapter 7 Disclosure in the Context of Enforcement and Litigation
Introduction
Disclosure to regulators
ASIC’s information-gathering powers
ACCC’s information-gathering powers
Disclosure in litigation
Power to refuse disclosure
The elements of the privilege
Conclusion
Chapter 8 Other Limits and Controls on the Use of Corporate Information
Introduction
Insider trading
What prohibitions are contained in the law?
Element 1 — Division 3 financial products
Element 2 — What is information?
Element 3 — What is ‘inside information’?
Element 4 — Territorial connection
Element 5 — Trading, procuring and tipping
Exceptions
Withdrawal from registered scheme — s 1043B
Underwriter exception — s 1043C
Legal requirement exception — s 1043D
Communication pursuant to a legal requirement — s 1043E
Chinese wall exception — s 1043F
Own intentions/activities exception — ss 1043H, 1043I and 1043J
Defences to criminal offences
Defences to civil liability
Penalties and other matters
Directors and relevant interests — s 205G
General law and statutory obligations concerning the use of corporate information
Fiduciary duties
Laws that prohibit the use of corporate information by directors, officers and employees
Liability
Market manipulation laws and other information offences
Offences under Part 9.4, Corporations Act
Market misconduct offences under Part 7.10, Corporations Act
Price signalling laws
Private disclosure prohibition
General prohibition
Penalties
Conclusion
Chapter 9 Collection, Use and Disclosure of Personal Information
Introduction
The collection, use and disclosure of personal information
Who does the Privacy Act apply to?
Australian Privacy Principles — APPs
What is ‘personal information’?
Information governance
Collection of personal information
Use and disclosure of personal information
Direct marketing
Cross-border disclosure
Government identifiers
Quality and security of personal information
Access to and correction of personal information
Privacy and credit information — the obligations of credit providers
Who is a credit provider?
Additional obligations
Information governance
Dealing with credit information
Dealing with credit eligibility information
Integrity of credit eligibility information
Use or disclosure of false or misleading information
Quality and security of information
Access to and correction of information
Enforcement
Civil penalties
Complaints and investigations
Other powers of the Commissioner
Conclusion
Part 4 Information Security and Management
Chapter 10 Digitising Corporate Records and the Law
Introduction
Converting paper documents to digital information — the main issues
The principal document retention obligations
Obligations under the Corporations Act
The first ground — applying the plain meaning of the word ‘writing’
The second ground — the facilitative provisions contained in s 1306 of the Corporations Act
The third ground — the facilitative provisions of the ETA
Obligations under tax legislation
Digitised documents and the laws of evidence
Corporations Act — ss 1305, 1306
Uniform Evidence Acts
What constitutes a document?
What are the authentication requirements in relation to secondary evidence?
Tendering/adducing documentary evidence
Exclusionary rules
Queensland, South Australian and Western Australian Evidence Acts
Queensland — Evidence Act 1977
South Australia — Evidence Act 1929
Western Australia — Evidence Act 1906
Production and inspection of documents by regulators
Redundant source documents
Concealment, destruction, mutilation or alteration of books
Conclusion
Chapter 11 Cyber Security and the Law
Introduction
The threat environment within which corporations operate
Cyber security and the law
Privacy law
The ‘reasonable steps’ test
Consequence of a breach
Directors’ duties
Consequence of a breach
Data breach laws
Contract law
Consumer protection laws
Evidence
Conclusion
Bibliography
Index
Recommend Papers

Corporate information and the law
 9780409333091, 0409333093

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

Corporate Information and the Law

Leif Gamertsfelder LLB (1st Class Hons), BA (GU), MInfoTech (UTS), MAppFin (KAPLAN) LexisNexis Butterworths Australia 2013

AUSTRALIA

ARGENTINA AUSTRIA BRAZIL CANADA CHILE CHINA CZECH REPUBLIC FRANCE GERMANY HONG KONG HUNGARY INDIA ITALY JAPAN KOREA MALAYSIA NEW ZEALAND POLAND SINGAPORE SOUTH AFRICA SWITZERLAND TAIWAN UNITED KINGDOM USA

LexisNexis LexisNexis Butterworths 475–495 Victoria Avenue, Chatswood NSW 2067 On the internet at: www.lexisnexis.com.au LexisNexis Argentina, BUENOS AIRES LexisNexis Verlag ARD Orac GmbH & Co KG, VIENNA LexisNexis Latin America, SAO PAULO LexisNexis Canada, Markham, ONTARIO LexisNexis Chile, SANTIAGO LexisNexis China, BEIJING, SHANGHAI Nakladatelství Orac sro, PRAGUE LexisNexis SA, PARIS LexisNexis Germany, FRANKFURT LexisNexis Hong Kong, HONG KONG HVG-Orac, BUDAPEST LexisNexis, NEW DELHI Dott A Giuffrè Editore SpA, MILAN LexisNexis Japan KK, TOKYO LexisNexis, SEOUL LexisNexis Malaysia Sdn Bhd, PETALING JAYA, SELANGOR LexisNexis, WELLINGTON Wydawnictwo Prawnicze LexisNexis, WARSAW LexisNexis, SINGAPORE LexisNexis Butterworths, DURBAN Staempfli Verlag AG, BERNE LexisNexis, TAIWAN LexisNexis UK, LONDON, EDINBURGH LexisNexis Group, New York, NEW YORK LexisNexis, Miamisburg, OHIO

National Library of Australia Cataloguing-in-Publication entry

National Library of Australia Cataloguing-in-Publication entry Author: Title: Edition: ISBN: Notes: Subjects: Dewey Number:

Gamertsfelder Leif. Corporate Information and the Law. 1st edition. 9780409333091 (pbk). 9780409333107 (ebk). Includes index. Confidential business information — Law and legislation. 658.472

© 2013 Reed International Books Australia Pty Limited trading as LexisNexis. This book is copyright. Except as permitted under the Copyright Act 1968 (Cth), no part of this publication may be reproduced by any process, electronic or otherwise, without the specific written permission of the copyright owner. Neither may information be stored electronically in any form whatsoever without such permission. Inquiries should be addressed to the publishers. Typeset in Futura and Sabon. Printed in China. Visit LexisNexis Butterworths at www.lexisnexis.com.au

Foreword A number of significant developments combine to make corporate information more important today than it was in the past. Rapid and ongoing changes have occurred in the technology of collecting, analysing, storing and using information. The explosion of digitised data has released huge amounts of information, some of it potentially valuable, for use by those who can gain access to it. This potentiality has resulted in inevitable demands to enhance the accessibility of corporate data to company officials, managers, employees, government regulators, consumers and ordinary citizens. Coinciding with this development has been the explosion of information in the public sector. Ministries, agencies, tribunals, political actors, and public corporations collect huge amounts of data about citizens, permanent residents and visitors. This data extends to information about corporations operating in, or with others in, the jurisdiction. The serious misuse of information in the hands of government, in the oppressive regimes that grew up in the 20th century, led to demands for greater accessibility to such data and the information they contained. In Australia, this led to Freedom of Information Acts, Ombudsman Acts and the new administrative law, enhancing widespread access to public information, subject only to tightly defined exceptions, justified by arguments of necessity, good government and the rights of others. In the courts, and other institutions that exist for the resolution of significant disputes in society, several common law traditions and rules fostering secrecy came to be doubted. Orality and jury trials, where florid arguments sometimes won the day, were replaced by trial by document and an intolerance of the old procedures, of trial by ambush. Judges, including myself, insisted that the decision-makers’ impressions of the honesty of witnesses should generally be replaced by more objective and reliable means of resolving conflicts. An ounce of contemporaneous documentation, as one judge put it, was worth many pounds of witness demeanour.1 Once this approach was adopted by decision-makers, inevitably it placed a high premium on the paper trail and thus easier and earlier access to objective and authentic information.

In political life, economic considerations came to dominate the ideological scene. The Asian economic crisis of the 1980s and the Global Financial Crisis 20 years later demonstrated the vital importance for individual and community wellbeing of a transparent, honest and efficient corporate sector. This realisation produced ever-increasing demands for more information on corporations because it was appreciated that there has been much truth in the old aphorism that ‘What’s good for General Motors is good for America’. Thus politics became dominated by economics. Economics became dominated by corporate information and its analysis. The officers and employees of corporations had to be held to account and this accountability demanded access to information about their stewardship. These and other developments, during the last 30 years or so have produced a sea change in the law as the old secretive ways of bureaucracy — public and private — began to give way to new and more laws and procedures. In the first Elizabethan era, Sir Francis Walsingham had made it his business to guard the secrets of the Crown. This approach to public information prevailed for nearly 400 years until it began to erode under the pressure of information access laws modelled on initiatives pioneered by those pesky Scandinavians and Americans. The objective of such laws was to ‘let the sunshine in’. Ministers and bureaucrats complained endlessly that this would result in the politicisation of decision-making, a loss of candour by officials, and reluctance to take hard decisions. However, the combination of technological and social developments made the push for greater access to public information irresistible. It continues today.2 Similar forces are now at work in respect of the information of private corporations. In their case, there is a difference. Whereas public officials and corporations owe duties to the public generally, private corporations, in the theory of the law, owe their principal duties to their shareholders. Still, in the modern age, the shareholders of many corporations can be extremely numerous. Many reside in several jurisdictions. Many share with other persons an interest in the integrity and good corporate citizenship of the companies in which they have a financial stake. Additionally, the corporation today is expected to operate in a way that is sensitive to the interests of its employees, to consumers and surrounding society. So it is that many of the demands, earlier made for access to government information have come today to be made equally of private corporations. Such demands are reflected in laws, increasingly enacted, requiring corporations to provide information to government and to the community. Even without such laws, demands may be made that are impossible to resist at

shareholders’ meetings; in the public media; and by civil society organisations increasingly accustomed to, and demanding of, a culture of openness and access to information. This is the context in which Leif Gamertsfelder has written this new and original book. His text fills a gap in legal writing. It selects the topic of corporate information law. It addresses that subject through the prism of corporate law, consumer protection law, civil procedure laws and rules, intellectual property law, information technology law and other rules and regulations. It brings together the threads from these disparate sources of law. So far as I am aware, it is the first text of its kind in Australia. It will be invaluable to corporate officers and senior employees. But it will also be of great value to corporate lawyers, teachers of corporate governance, economists, law students, media and shareholders. Because law is a discipline of taxonomies, it is easy to gain access to expertise in given specialties. But the law in practice does not always operate conveniently according to its taxonomies. We need conceptualists who stand outside the familiar classifications and look afresh at the entire landscape, impacted as it is by laws and practices, federal, state and territory, coming from many directions. This is what the author has set out to do in this book. I congratulate him on his objectives and for sharing his discoveries and analysis with fellow lawyers. The result is a text that examines the central question of whether the law, in particular cases, will oblige or facilitate access to corporate information or will protect it and prevent access for the suggested special benefit of officers, managers and employees, having regard to the circumstances of the case. The author suggests that the law will often provide guidance as to its requirements but will frequently prove unable to deliver the high degree of certainty about the applicable boundaries that corporate officers, managers and employees might wish. These uncertainties, where they exist and where access is demanded, will sometimes require determination by the courts. Those decision-makers will then be compelled to consider carefully relevant sources of law: constitutional, statutory or judicial laws. They will have to weigh them carefully before reaching a conclusion. Naturally, this uncertainty and imprecision will often be a source of frustration and irritation both for corporate officials and for those demanding access to the information. Decisions in particular cases will frequently depend upon the point reached during the particular life cycle of the information in question; whether the collection betokens input of special value or is largely mechanical or automated;

whether the information impinges on the interests of others including personal or confidential interests; and whether the information is question is misleading either generally or when viewed in a particular context. The answer to these questions will often turn on the legal characterisation of the information in question. That resolution will commonly be made in accordance with the perspective of the mythical ‘reasonable person’. Yet, as this book demonstrates, ostensibly reasonable people can sometimes come to opposite conclusions about the same facts and circumstances and the decision appropriate to the particular case. Nowhere is this more evident than in the area of information law. These considerations sometimes make the law puzzling and frustrating for those who must apply it for the corporation and applicant concerned. They make the law intriguing and rewarding for judges, scholars and practitioners as for the author. They have inspired the author to write this book. For readers, the book will have the merit of providing a comprehensive and coherent framework that examines each area of information law in detail, in order to map the boundaries of the categories of obligation, so as to suggest the answers to practical problems that are as clear as the governing law permits. When I was a young lawyer I was keen to enter practice in a particular field of the law. Amongst lawyers then it was something of a closed shop. It boasted a limited number of highly talented (and well remunerated) barristers who received all the leading briefs. Anxious to become one of these privileged few, I approached one of them, a leading Queen’s Counsel who had attended the same high school as I. He was known to have an excellent ‘card system’. In it he was reputed to have annotated all of the relevant statutes, regulations and case decisions, both of courts and tribunals. If I could only get my hands on his cards, I knew that my future would be made. The mysteries would evaporate. I would be on the high road to success. However, my learned friend refused to entertain my request. He clutched his precious cards to his bosom. They were, he declared, his own intellectual property. They gave him a valuable edge in the professional market. I had to battle on in practice, without them. As chance would have it, I eventually gained entry into the field. Later, when I moved elsewhere, remembering this refusal, I freely offered my own card system for publication. For a time it became quite popular, until new changes in the statutory and decisional law consigned it to history.3 Leif Gamertsfelder could have taken the same approach as my distinguished colleague had done so many years earlier. Instead, he has offered his research and analysis, in an increasingly important area of corporate law and practice, to fellow lawyers, corporate officers and the wider world. This act of sharing is

made in the high tradition of the law, by which those who have attained specialised knowledge sometimes elect to share it with others. For this act of professional generosity, I thank him and I praise him. The Hon Michael Kirby AC CMG 18 March 2013 _________________________ 1.

Fox v Percy (2002) 214 CLR 118; [2003] HCA 22. The reference to ounces of evidence and pounds of demeanour is to Atkin LJ in Société d’Avances Commerciales (Société Anonyme Egyptienne) v Merchants’ Marine Insurance Co (The ‘Palitana’) (1924) 20 LlLRep 140 at 152, cited in Fox v Percy at 129 [30].

2.

Shergold v Tanner (2002) 209 CLR 126; [2002] HCA 19; McKinnon v Secretary, Department of Treasury (2006) 228 CLR 423; [2006] HCA 45.

3.

M D Kirby, Industrial Index to Australian Labour Law, 1983, CCH Australia, Sydney (revised P Punch, 1986).

Preface The introduction to this book explains its scope and the reasons for writing it. It is not necessary to repeat those matters here. I hope that the work provides a meaningful contribution to the identification and management of legal risk associated with the creation, collection, use and disclosure of corporate information, but this assessment rests with the reader. I dedicate this book to Eva and Lyle Gamertsfelder. What has made it possible to write this book is the incredible support I have received from my family. Joan, my wife, changed my life for the better from the day we met and together we have three wonderful children — Anika, Riley and Isaac. My family has inspired me to do things I would never have done as a single man. They give me a real sense of purpose. Another person who has been a great inspiration during my career is the Honourable Michael Kirby AC CMG. He has been both a role model and a mentor to me since the 1990s. I am humbled by his support and guidance, and am eternally grateful to him. There are many others who have assisted me and influenced my career (consciously and subconsciously) over the years. Among these, I would like to pay a special tribute to Callum Ross, Prof Brian Fitzgerald, my former colleagues at Norton Rose (previously Deacons) and both my past and current colleagues in the Group Corporate Affairs team at Commonwealth Bank. More broadly, I want to acknowledge the vibrant and dynamic people in the Commonwealth Bank Group for their positive influence on my career. I would like to thank Michael Green of St James’ Hall Chambers, Alon Novy and Jakob Gamertsfelder for their help with aspects of this book. I would also like to express my gratitude to Matthew Poblocki, Liong Lim, Charles Marimuthu, the Kesumas and the Gamertsfelders who graciously endured too many conversations concerning my ideas for this book. Finally, I would like to thank LexisNexis Butterworths for commissioning and publishing this work, and Virginia Ginnane for her skill and patience in editing it.

Leif Gamertsfelder 28 March 2013

Table of Cases References are to paragraphs

A AAPT Ltd v Cable & Wireless Optus Ltd (1999) 32 ACSR 63; BC9902952 .… 5.30 Abbey National plc v The Office of Fair Trading [2009] EWCA Civ 116 .… 6.41 ABC v Lenah Game Meats Pty Ltd [2001] HCA 63; 208 CLR 199 .… 4.20 Aberfoyle Ltd v Western Metals Ltd (1998) 84 FCR 113 .… 5.43 ACCC v Allergy Pathway Pty Ltd (No 2) [2011] FCA 74 .… 6.28 — v Dell Computers Pty Ltd [2002] FCA 847 .… 6.17 — v Google Inc [2012] FCAFC 49 .… 1.13, 6.9 — v Harvey Norman Holdings Ltd [2011] FCA 1407 .… 6.26 — v Kaye [2004] FCA 1363 .… 6.9 — v Telstra Corp Ltd [2004] FCA 987 .… 6.25 — v TPG Internet Pty Ltd [2011] FCA 1254 .… 6.17 — v Trading Post Australia Pty Ltd [2011] FCA 1086 .… 6.9, 6.29 Accounting Systems 2000 (Developments) Pty Ltd v CCH Australia Ltd [1993] FCA 265 .… 11.24 Ackroyds (London) Ltd v Islington Plastics Ltd [1962] RPC 97 .… 4.23 Acohs Pty Ltd v Ucorp Pty Ltd [2010] FCA 577 .… 2.56, 2.60 — v — [2012] FCAFC 16 .… 1.13, 2.56, 2.60 Amber Size and Chemical Co Ltd v Menzel [1913] 2 Ch 239 .… 4.30 AMI v King [2002] NSWSC 1033 .… 8.41 Ansell Rubber Co Pty Ltd v Allied Rubber Industries Pty Ltd [1967] VR 37 .… 4.17, 7.21 ANZ Banking Group Ltd v Westpac Banking Corporation (1988) 164 CLR 662 . … 3.41, 3.42 Arktos Pty Ltd v Idyllic Nominees Pty Ltd (2004) ATPR 42-005 .… 5.9, 5.23, 5.98, 6.30

Asia Pacific Telecommunications Ltd v Optus Networks Pty Ltd [2007] NSWSC 350 .… 8.39 ASIC, in the matter of Chemeq Ltd (ACN 009 135 264) v Chemeq Ltd (ACN 009 135 264) [2006] FCA 936 .… 5.59, 5.95, 5.100, 9.16 ASIC v Australian Lending Centre Pty Ltd (No 3) [2012] FCA 43 .… 6.17 — v Citigroup Global Markets Australia Pty Ltd (ACN 113 114832) (No 4) [2007] FCA 963; (2007) 160 FCR 35 .… 5.64, 8.39, 8.51–8.53 — v Citrofresh International Ltd [2007] FCA 1873 .… 5.9, 5.23, 5.98, 6.30 — v Fortescue Metals Group Ltd [2011] FCAFC 19 .… 5.5, 5.86, 5.91, 5.97, 5.98, 6.4, 6.24 — v Goldy Motors Pty Ltd [2000] FCA 1885 .… 6.17 — v Healey [2011] FCA 717 .… 5.6, 5.10, 5.12–5.20, 5.22, 5.23, 11.14 — v — (No 2) [2011] FCA 1003 .… 5.13, 5.14, 5.23 — v Kaye [2004] FCA 1363 .… 6.17 — v Macdonald (No 11) [2009] NSWSC 287 .… 5.89 — v Narain [2008] FCAFC 120 .… 6.6, 6.7, 9.38 — v Petsas [2005] FCA 88 .… 8.4 — v Rich [2005] NSWSC 417 .… 10.27, 10.28, 10.35 Attorney-General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109 .… 4.11, 4.21 — (UK) v Heinemann Publishers Australia Pty Ltd (1987) 10 IPR 153 .… 4.26 Austen & Butta Ltd v Shell Australia Ltd (1992) 10 ACSR 556 .… 5.47 Australian Communications and Media Authority v Clarity1 Pty Ltd [2006] FCA 410 .… 9.51 Australian Competition and Consumer Commission see ACCC Australian Federal Police Commissioner v Propend Finance Pty Ltd (1997) 188 CLR 501 .… 7.14, 7.16 Australian Football League v Age Company Ltd [2006] VSC 308 .… 4.13 Australian Hospital Care (Pindara) Pty Ltd v Duggan [1999] VSC 131 .… 7.15 Australian Securities and Investments Commission see ASIC Australian Video Retailers Association v Warner Home Video Pty Ltd [2001] FCA 1719; (2001) 114 FCR 324 .… 2.22 Autodesk Inc v Dyason [1992] HCA 2 .… 2.12

— v — (No 2) [1993] HCA 6; (1993) 176 CLR 300 .… 2.17, 2.26 AWB Ltd v Australian Securities and Investments Commission [2008] FCA 1877 .… 7.6 — v Honourable Terence Rhoderic Hudson Cole (No 5) [2006] FCA 1234 .… 7.16, 7.17, 7.22

B Baltic Shipping Co v Dillon (1993) 176 CLR 344 .… 3.42 Boughey v R (1986) 65 ALR 609 .… 8.18, 8.19 Breen v Williams (1999) 138 ALR 259 .… 1.15 British Horseracing Board Ltd v William Hill Organization Ltd [2001] EWHC 516 (Pat); [2001] IP & T 612 .… 3.7 — v — [2001] EWCA Civ 1268 .… 3.7, 3.22 — v — Case C-203/02, [2004] ECR I-10461 .… 1.13, 3.5, 3.6, 3.8–3.22, 3.26, 3.33, 3.37, 3.43, 3.44 — v — [2005] EWCA Civ 863 .… 3.7, 3.22 Brodel v Telstra Corporation [2004] FCA 505 .… 2.32

C Cadence Asset Management Pty Ltd v Concept Sports Ltd [2005] FCAFC 265 . … 5.33 Campbell v Backoffice Investments Pty Ltd [2009] HCA 25 .… 6.20 Campomar Sociedad Limitada v Nike International Ltd [2000] HCA 12; (2000) 202 CLR 45 .… 6.15, 6.20, 6.21 Candacal Pty Ltd v Industry Research & Development Board (2005) 223 ALR 284 .… 7.17 Cawthorn v Cawthorn [1998] FamCA 37 .… 9.56 Chew v R (1991) 5 ACSR 473 .… 8.52 Citrus Petroleum NL v OMV Australia Pty Ltd (1999) 32 ACSR 1 .… 5.42 Coco v AN Clark (Engineers) Ltd [1969] RPC 41 .… 4.4, 4.7, 4.10, 4.18, 4.22, 4.27 Coleman v Myers [1977] 2 NZLR 225 .… 5.46

Commissioner of Taxation v Pratt Holdings Pty Ltd (2005) 225 ALR 266 .… 7.17 Commonwealth v John Fairfax and Sons Ltd [1980] HCA 44; (1980) 147 CLR 39 .… 2.1, 4.1, 4.11, 4.28, 4.34 — v Vance (2005) 158 ACTR 47 .… 7.15 Commonwealth Director of Public Prosecutions v Fysh [2010] QSC 216 .… 8.22, 8.25 Computer Edge Pty Ltd v Apple Computer Inc [1986] HCA 19; (1986) 161 CLR 171 .… 2.3, 2.4, 2.9 Concrete Constructions (NSW) Pty Ltd v Nelson [1990] HCA 17; (1990) 169 CLR 594 .… 6.9 Coogi v Hysport (1998) 41 IPR 593 .… 2.17 Corporate Affairs Commission of NSW v Yuill (1991) 172 CLR 319 .… 7.5 Cotton v Frost [1936] NZLR 627 .… 2.32 Cultus Petroleum NL v OMV Australia Pty Ltd (1999) 32 ACSR 1 .… 5.43 Cummings v Claremont Petroleum NL (1992) 9 ACSR 583 .… 8.57

D D & J Constructions Pty Limited v Head & ors trading as Clayton Utz (1987) 9 NSWLR 118 .… 8.39 Dalleagles Pty Ltd v Australian Securities Commission (1991) 4 WAR 325 .… 7.16 Danae Investments Trust plc v Macintosh Nominees Pty Ltd (1993) 11 ACLC 273 .… 8.22 Daniels Corporation International Pty Ltd v ACCC [2002] HCA 49; (2002) 213 CLR 543 .… 5.81, 7.5, 7.6, 7.16 Data Access Corporation v Powerflex Services Pty Ltd [1999] HCA 49 .… 2.9, 2.12, 2.17, 2.24, 2.26 David Securities Pty Ltd v Commonwealth Bank of Australia (1992) 175 CLR 353 .… 3.41, 3.42, 3.46 Director General of Fair Trading v First National Bank plc [2002] 1 AC .… 6.42 Director of Public Prosecutions (Cth) v Fysh (2010) 240 FLR 247 .… 8.22, 8.25 — v J M [2012] VSCA 21 .… 8.64

DP Anderson & Co Ltd v Lieber Code Co (1917) 2 KB 469 .… 2.9 Duracell Australia Pty Ltd v Union Carbide Australia Ltd; Re [1988] FCA 380 . … 6.27 Dynamic Supplies Pty Ltd v Tonnex International Pty Ltd (2011) FCA 362 .… 1.13, 2.12 E E Worsley & Co Ltd v Cooper [1939] 1 All ER 290 .… 4.30 Esso Australia Resources v Commissioner of Taxation [1999] HCA 67; 201 CLR 49 .… 4.10, 7.14 Exicom v Futuris (1995) 13 ACLC 1758 .… 8.18, 8.28 Express Newspapers plc v Liverpool Daily Post & Echo plc [1985] FSR 306 .… 2.56 Exxon Corporation v Exxon Insurance Ltd [1982] Ch 119 .… 2.9, 2.32

F Faccenda Chicken Ltd v Fowler [1986] 1 All ER 617 .… 4.29, 4.30 Farah Constructions Pty Ltd v Say-Dee Pty Ltd [2007] HCA 22; (2007) 81 ALJR 1107 .… 3.41, 3.45, 3.46 Federal Commissioner of Taxation v United Aircraft Corporation (1943) 68 CLR 525 .… 1.15 Fixtures Marketing Ltd v Organismos prognostikon agonon podosfairou AE (OPAP) Case C-444/02 [2004] ECR I-10549 .… 3.15 — v Oy Veikkaus Ab Case C-46/02 [2004] ECR I-10365 .… 1.13, 3.4, 3.15 — v Svenska Spel AB Case C-338/02 [2004] ECR I-10497 .… 3.15 Flavel v Roget (1990) 1 ACSR 595 .… 5.72 Football League Ltd v Littlewoods Pools Ltd [1959] Ch 637 .… 2.29 Forkserve Pty Ltd v Pacchiarotta [2000] NSWSC 979 .… 8.56 Forrest v Australian Securities and Investments Commission [2012] HCA 39 .… 5.73, 5.84, 5.91 Fractionated Cane Technology Ltd v Ruiz-Avila (1987) 8 IPR 502 .… 4.21 Franchi v Franchi [1967] RPC 149 .… 4.10 Franklins v Giddins [1978] Qd R 72 .… 4.21 Fraser v Evans [1969] 1 QB 349 .… 4.33 — v NRMA Holdings Ltd (1995) 15 ACSR 590 .… 6.23

— v Thames Television [1983] 2 All ER 101 .… 4.10 Fryar v Systems Services Pty Ltd (1995) 130 ALR 168 .… 9.56

G G v Day [1982] 1 NSWLR 24 .… 4.13 Gartside v Outram (1856) 26 LJ Ch 113 .… 4.34 General Newspapers Pty Ltd v Telstra Corp (1993) 45 FCR 164 .… 6.26 Gilmore v Poole-Blunden [1999] SASC 186 .… 5.38 GIO Australia Holdings Ltd v AMP Insurance Investment Holdings Pty Ltd (1998) 29 ACSR 584 .… 5.29, 5.30 — v — (1998) 30 ACSR 102 .… 5.43 Glengallan Investments Pty Ltd v Arthur Andersen (2002) 1 Qd R 233 .… 7.15 Global Sportsman Pty Ltd v Mirror Newspapers Ltd [1984] FCA 180 .… 6.12, 6.24 Goldberg v Ng (1994) 33 NSWLR 639 .… 7.20 Google Inc v ACCC [2013] HCA 1 .… 6.28 Grant v Downs [1976] HCA 63; (1976) 135 CLR 674 .… 7.17 GSA Industries (Aust) Pty Ltd v Constable (2002) 2 Qd R 146 .… 7.15

H Hamersley Iron Pty Ltd v Lovell (1998) 19 WAR 316 .… 7.11 Hearne v Street [2008] HCA 36; 235 CLR 125 .… 7.11 Hellewell v Chief Constable of Derbyshire [1995] 4 All ER 473 .… 4.21 Henjo Investments Pty Ltd v Collins Marrickville Pty Ltd (No 1) (1988) 39 FCR 546 .… 6.19 HK Frost Holdings Pty Ltd (in liq) v Darvall McCutcheon (a firm) [1999] FCA 570 .… 4.10 Hollinrake v Truswell [1894] 3 Ch 420 .… 2.3, 2.8–2.12, 2.24, 2.32 Home Office v Harman [1983] 1 AC 280 .… 7.11 Hooker Corporation Ltd v Darling Harbour Authority (1987) 9 NSLR 538 .… 7.23 Hooker Investments Pty Ltd v Baring Bros Halkerston & Partners Ltd (1986) 10

ACLR 524 .… 8.18 Hospital Products Ltd v United States Surgical Corporation [1993] HCA 82 .… 8.53 Houghton v Arms [2006] HCA 59; (2006) 225 CLR 553 .… 5.9, 5.23, 5.98, 6.30

I ICAL Ltd v County Natwest Securities Aust Ltd (1988) 13 ACLR 129 .… 8.13 IceTV Pty Ltd v Nine Network Australia Pty Ltd [2009] HCA 14 .… 1.13 1.16, 1.24, 2.2, 2.13, 2.24–2.29, 2.31, 2.34, 2.37, 2.39–2.44, 2.47, 2.51, 2.52, 2.63, 3.2, 3.3, 3.24–3.32, 3.43, 3.44, 4.4 Initial Services Ltd v Putterill [1968] 1 QB 396 .… 4.34 INS v Associated Press 248 US 215 (1918) .… 3.40

J James Hardie Industries NV v ASIC (2010) 274 ALR 85; [2010] NSWCA 332; BC201009843 .… 5.59, 5.64 Johns v Australian Securities Commission [1993] HCA 56; (1993) 178 CLR 408 .… 4.10, 4.11 Jubilee Mines NL (ACN 009 219 809) v Riley (2009) 69 ACSR 659 .… 5.61, 5.66, 5.73, 5.80, 5.84, 8.4, 8.18

K Kennedy v Lyell (1883) 23 Ch D 387 .… 7.16 — v Wallace [2004] FCAFC 337; (2004) 142 FCR 185 .… 7.17 Killen v Brierley (1980) CLC 40-615 .… 8.13 King v Yurisich [2005] FCA 1277 .… 6.9 Kinnor (Pty) Ltd v Finkel 352 JOC WLD .… 2.32 Kinwat Holdings Pty Ltd v Platform Pty Ltd (1982) 1 ACLC 194 .… 8.13 Ku-Ring-Gai Co-Operative Building Society (No 12) Ltd; Re [1978] FCA 50; (1978) 36 FLR 134 .… 6.9 Kwok Fu Shing v Thang [1999] NSWSC 1034 .… 4.13

L Ladbroke (Football) Ltd v William Hill (Football) Ltd [1964] 1 WLR 273; [1964] 1 All ER 465 .… 2.24, 2.26 Leadenhall Australia Ltd v Peptech Ltd (1999) 33 ACSR 307 .… 8.14 Liddell v Lembke (t/as Cheryl’s Unisex Salon) (1994) 127 ALR 342 .… 9.56 Lockheed-Arabia v Owen [1993] 3 All ER 641 .… 10.13, 10.46 Lord Ashburton v Pape (1913) 2 Ch 469 .… 4.1 Lyell v Kennedy (1884) 27 Ch D 1 .… 7.16

M McGuren v Simpson [2004] NSWSC 35 .… 10.13, 10.46 McKinnon and Secretary, Department of Foreign Affairs and Trade; Re [2004] AATA 1365; (2004) 86 ALD 780 .… 7.15 Maggbury Pty Ltd v Hafele Aust Pty Ltd [2001] HCA 70; 210 CLR 181 .… 4.32, 4.33 Mallesons Stephen Jaques v KPMG Peat Marwick [1990] 4 WAR 357 .… 8.38 Mann v Carnell (1999) 201 CLR 1 .… 7.20 Mansfield v The Queen [2012] HCA 49 .… 8.4, 8.10 Marcel v Commissioner of Police of Metropolis [1992] Ch 225 .… 4.11 Mars UK Ltd v Teknowledge Ltd (1999) 46 IPR 248 .… 4.22 Measures v McFadyen [1910] HCA 74; (1910) 11 CLR 723 .… 5.75 Meteryard v Love (2005) 65 NSWLR 36 .… 7.14 Microsoft Corporation v Business Boost Pty Ltd [2000] FCA 1651 .… 2.22 Miller & Associates Insurance Broking Pty Ltd v BMW Australia Finance Ltd [2010] HCA 31 .… 6.13 Minister for Immigration and Citizenship v Kumar (2009) 238 CLR 448 .… 4.34 Moorgate Tobacco Co Ltd v Philip Morris Ltd [No 2] (1984) 156 CLR 414 .… 3.40, 4.10 Morley v Statewide Tobacco Services No 1 [1993] VicRp 32; (1993) 1 VR 423 . … 5.16

N

National Australia Bank Ltd v Idoport Pty Ltd [1999] NSWSC 964 .… 4.28 — v Rusu [1999] NSWSC 539 .… 10.38 National Crime Authority v S (1991) 29 FCR 203 .… 7.17 National Exchange Pty Ltd (ACN 006 079 974) v ASIC [2004] FCAFC 90 .… 6.14, 6.20 Nationwide News Pty Ltd v ACCC (1996) 71 FCR 215 .… 6.26 Newcastle Wallsend Coal Co Pty Ltd v Court of Coal Mines Regulation (1997) 42 NSWLR 351 .… 7.18 Newspaper Licensing Agency Ltd v Marks and Spencer plc [2001] Ch 257 .… 2.27 Nine Films & Television Pty Ltd v Ninox Television Ltd [2005] FCA 356 .… 7.22

O Office of Fair Trading (The) v Abbey National plc [2008] EWHC 875 (Comm) (UK) .… 6.40, 6.41 — v — [2009] UKSC 6 .… 6.41 Optus Networks Pty Ltd v Telstra Corp Ltd [2010] FCAFC 21; (2010) 265 ALR 281 .… 4.5, 4.28, 4.31 Orison Pty Ltd v Strategic Minerals Corporation Nl; Peter Gullan Cross; John Swire-Thompson; Asha Capital Corporation Ltd and Asha Energy Pty Ltd; Re [1987] FCA 263 .… 6.9

P Pancontinental Mining Industries Ltd v Goldfields Ltd (1995) 16 ACSR 463 .… 5.3, 5.29, 5.30, 5.43 Parkdale Custom Built Furniture Pty Ltd v Puxu Pty Ltd [1982] HCA 44; (1982) 149 CLR 191 .… 6.11, 6.13 Pavey & Matthews Pty Ltd v Paul (1987) 162 CLR 221 .… 3.41, 3.42, 3.46 Phosphate Co-Operative Co of Australia Pty Ltd v Shears [1989] VR 665 .… 5.71 Pihiga Pty Ltd v Roche [2011] FCA 240 .… 6.9 Poseidon Ltd v Adelaide Petroleum NI [1991] FCA 663 .… 6.23

Pratt Holdings Pty Ltd v Federal Commissioner of Taxation (2004) 207 ALR 217 .… 7.18 Primac Holding Ltd; Re (1996) 22 ASCR 212 .… 5.43 Printers and Finishers Ltd v Holloway [1964] 3 All ER 731 .… 4.30 Propend Finance Pty Ltd v Commissioner of Australian Federal Police (1995) 58 FCR 224 .… 7.16

R R v Berkshire 4 QBD 469 .… 5.75 — v Department of Health; Ex parte Source Informatics Ltd [2000] 2 WLR 940 .… 4.26 — v Evans [1999] VSC 488 .… 8.15, 8.25, 8.26 — v Firns [2001] NSWCCA 191; (2001) 51 NSWLR 548 .… 5.64, 5.88, 8.4, 8.14 — v Reid (1999) 2 VR 605 .… 8.62 — v Rivkin [2004] NSWCCA 7 .… 8.10, 8.19 — v Staines [1997] EWCA 1525 .… 8.10 — v Tomaiuolo [2007] SASC 34 .… 8.62 — v Wall [2002] NSWCCA 42 .… 8.62 Raffoul v Blood Transfusion Service of the Australia Red Cross Society (1997) 76 IR 383 .… 9.56 Rapid Metal Developments (Australia) Pty Ltd v Anderson Formrite Pty Ltd [2005] WASC 255 .… 4.28 Regal (Hastings) Ltd v Gulliver [1967] 2 AC 134 .… 8.57 Reid Sigrist Ltd v Moss Mechanism Ltd (1932) 49 RPC 461 .… 4.30 Richard Kirby v Centro Properties Ltd VID326/2008, FCA .… 5.22 Robb v Green [1895] 2 QB 215 .… 4.30 Robinson v Sands & McDougall Proprietary Ltd [1916] HCA 51; (1916) 22 CLR 124 .… 2.8 Rohde and Rohde (1984) FLC 91-592 .… 9.55 Rosetex Company Pty Ltd v Licata (1994) 12 ACSR 779 .… 8.56

S Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1963] 3 All ER 413; (1948) 65 RPC 203 .… 4.23 Sands & McDougall Pty Ltd v Robinson [1917] HCA 14; (1917) 23 CLR .… 2.24 Sanofi-Aventis Australia Pty Ltd v Apotex Pty Ltd (No 3) (2011) FCA 846 .… 1.13 Seager v Copydex Ltd (1967) RPC 349 .… 4.4 Securities and Exchange Commission v Matiera 745 F 2d 197 (1984) .… 1.1 Seven Network Ltd v News Ltd [2005] FCA 142 .… 7.17 — v — [2005] FCA 864 .… 7.21 — v — (No 12) [2006] FCA 348 .… 7.22 Smith v Queen [2008] WASCA 128 .… 10.50 Smith, Kline and French Laboratories (Australia) Ltd v The Secretary to the Department of Community Services and Health [1990] FCA 151 .… 4.27 — v —; Re (1991) 20 IPR 643 .… 4.25 Southern Equities Corporation Ltd (in liq) v Arthur Andersen & Co (No 6) [2001] SASC 398 .… 7.17 Southern Real Estate Pty Ltd v Dellow (2003) SASR 1; [2003] SASC 318 .… 8.55 Springfield Nominees Pty Ltd v Bridgelands Securities Ltd (1992) 38 FCR 217 . … 7.11 Stevens v Kabushiki Kaisha Sony Computer Entertainment [2005] HCA 58 .… 2.22 Stuart Alexander and Co (Interstate) Pty Ltd v Blenders Pty Ltd [1981] FCA 152 .… 6.27 Sullivan v FNH Investments Pty Ltd t/as Palm Bay Hideaway [2003] FCA 323 . … 1.13, 2.32 Sunlec International Pty Ltd v Electropar Ltd (2008) 79 IPR 411 .… 2.32

T Taco Co of Australia Inc v Taco Bell Pty Ltd (1982) 42 ALR 177 .… 6.21 Talbot v General Television Corp Pty ltd [1980] VR 224 .… 4.10

TCN Channel Nine Pty Ltd v Network Ten Pty Ltd (No 2) (2005) 145 FCR 35 . … 2.28 Telstra Corporation Ltd v Australis Media Holdings (1997) 41 NSWLR 147 .… 7.18 — v First Netcom Pty Ltd [1997] FCA 860 .… 4.24, 4.25 — v Minister for Communications, Information Technology and the Arts (No 2) [2007] FCA 1445 .… 7.15, 7.17 — v Phone Directories Company Pty Ltd [2010] FCA 44 .… 1.13, 2.25, 2.31, 2.37, 2.47, 2.48, 2.52–2.54, 2.56, 2.63, 3.2, 3.3, 3.33, 3.43, 3.44, 4.4 — v — [2010] FCAFC 149 .… 2.48–2.51, 2.54–2.56, 3.10, 3.33 Terrapin Ltd v Builders’ Supply Co (Hayes) Ltd [1967] RPC 375 .… 4.40 Tillmanns Butcheries Pty Ltd v Australasian Meat Industry Employees’ Union [1979] FCA 85 .… 6.12 Tobacco Institute of Australia Ltd v Australian Federation of Consumer Organisations Inc; Re [1992] FCA 630 .… 6.26 Trade Practices Commission v Sterling (1979) 36 FLR 244 .… 7.16, 7.18 Trevorrow v South Australia (No 4) (2006) 94 SASR 64 .… 4.21 Trkulja v Google Inc LLC (No 5) [2012] VSC 533 .… 2.52

U University of London Press v University Tutorial Press Ltd [1916] 2 Ch 601 .… 2.8, 2.24 Unsworth v Tristar Steering and Suspension Australia Ltd [2007] FCA 1081 .… 7.23

V Victoria Park Racing and Recreation Grounds Co Ltd v Taylor [1937] HCA 45; (1937) 58 CLR 479 .… 2.3, 2.24, 3.39, 3.40 Vokes Ltd v Heather (1945) 62 RPC 135 .… 4.29

W Waterford v Commonwealth [1987] HCA 25; (1987) 163 CLR 54 .… 7.15

Wessex Dairies Ltd v Smith [1935] 2 KB 80 .… 4.30 Westfi Ltd v Blend Investments Pty Ltd (1999) 31 ACSR 69 .… 5.30 Westgold Resources NL v St George Bank Ltd (1998) 29 ACSR 396 .… 8.18, 8.28 Wheeler v Le Marchant (1881) 17 Ch D 675 .… 7.18 William Hill (Football) Ltd v Ladbroke (Football) Ltd [1980] RPC 539 .… 2.13 Winterton Constructions Pty Ltd v Hambros Australia Ltd and Properties Pty Ltd; Re [1992] FCA 582 .… 6.22

Y Yorke v Lucas (1985) 158 CLR 661 .… 6.12

Table of Statutes References are to paragraphs

Commonwealth Acts Interpretation Act 1901 s 2C(1) .… 9.60 s 10 .… 10.17 s 10A .… 10.17 s 15AB .… 9.24 s 25 .… 10.54 s 25A .… 10.57–10.59 Australian Consumer Law see Competition and Consumer Act 2010 Sch 2 Australian Securities and Investments Commission Act 2001 .… 5.22, 10.53, 10.56 Pt 3 .… 7.6 Pt 3, Div 1 .… 7.4 s 1(1) .… 7.6 s 1(2) .… 7.6 s 1(3) .… 7.6 s 5 .… 6.4, 6.35 s 12BAB .… 6.8 s 12BB .… 6.24 ss 12BF–12BM .… 6.35 s 12DA .… 6.3, 6.4, 6.8, 6.9, 6.30, 11.24 s 12DA(1A) .… 6.4 s 12DB .… 6.3, 6.31 s 12GF .… 6.30 s 29 .… 10.53, 10.59 s 30 .… 4.38, 7.4, 10.53 s 30A .… 7.4 s 33 .… 7.4

s 35 .… 7.4 s 51 .… 7.4 s 68 .… 7.6 s 69 .… 7.6 s 127 .… 4.38, 7.12 Banking Act 1959 .… 8.66 Competition and Consumer Act 2010 Pt XID .… 7.9 s 44ZZT .… 8.66 s 44ZZU .… 8.68, 8.69 s 44ZZV(2) .… 8.68 s 44ZZV(3) .… 8.68 s 44ZZW .… 8.67 s 44ZZX .… 8.68, 8.69 s 44ZZY .… 8.68, 8.69 s 44ZZZ .… 8.68 s 76(1)(a) .… 8.71 s 76(1A) .… 8.70 s 76(1B) .… 8.71 s 76(5) .… 8.70 s 79B .… 8.71 s 82 .… 8.71 s 84 .… 8.68, 8.69 s 86E .… 8.71 s 87 .… 8.71 s 87CB .… 11.25 s 131 .… 6.4 s 131A .… 6.4 s 155 .… 4.38, 7.9 s 155(7) .… 7.9 s 155(7B) .… 7.9 s 155AAA .… 7.12 s 155AA .… 7.12 s 236 .… 11.24

s 237 .… 11.24 Sch 2 .… 6.35 Sch 2, s 4 .… 6.24 Sch 2, s 18 .… 6.3, 6.4, 6.9, 6.21, 6.30, 9.19, 11.24 Sch 2, s 23(1) .… 6.37 Sch 2, s 23(3) .… 6.36 Sch 2, s 24 .… 6.38, 6.39, 9.33 Sch 2, s 24(1) .… 6.38 Sch 2, s 24(1)(b) .… 6.38 Sch 2, s 24(2) .… 6.39 Sch 2, s 24(3) .… 6.39 Sch 2, s 24(4) .… 6.38 Sch 2, s 25 .… 6.38 Sch 2, s 26(1)(a) .… 6.36 Sch 2, s 26(1)(b) .… 6.36 Sch 2, s 26(1)(c) .… 6.36 Sch 2, s 26(2) .… 6.36 Sch 2, s 27(1) .… 6.37 Sch 2, s 27(2) .… 6.37 Sch 2, s 28 .… 6.36 Sch 2, s 29 .… 6.3, 6.31 Sch 2, s 151 .… 6.3, 6.31 Sch 2, s 207 .… 6.3 Sch 2, s 209 .… 6.28 Sch 2, s 236 .… 6.30 Sch 2, s 237 .… 6.30 Competition and Consumer Regulations 2010 reg 48 .… 8.66 reg 49 .… 8.66 Copyright Act 1968 .… 2.4 Pt III, Div 3 .… 2.64 s 9(2) .… 1.16 s 10 .… 2.7, 2.11, 2.12, 2.16 s 10(1) .… 2.3

s 14(1) .… 2.28 s 22(1) .… 2.19, 2.21 s 29 .… 2.62 s 31(1)(a) .… 2.28 s 32(1) .… 2.24, 2.35 s 32(2) .… 2.24, 2.35 s 32(2)(c) .… 2.50 s 32(4) .… 2.36 s 33(2) .… 2.62 s 33(3) .… 2.62 s 36(1) .… 2.28 ss 40–43C .… 2.63 s 47F .… 11.1 s 80 .… 2.62 s 115(2) .… 2.64 s 184 .… 2.36 Copyright Amendment Act 1984 .… 2.12, 2.16 Copyright Amendment (Digital Agenda) Act 2000 .… 2.16 Copyright (International Protection) Regulations 1969 reg 4 .… 2.36 Corporate Law Economic Reform Program Act 1999 .… 5.33 Corporations Act 1989 .… 10.16, 10.17 Corporations Act 2001 .… 5.22, 8.4, 10.5, 10.15–10.18, 10.53, 10.56 Ch 2M.2 .… 10.6, 10.7 Ch 5 .… 4.37 Ch 6CA .… 5.50, 5.61, 11.18 Ch 6D .… 5.50 Pt 2M.2 .… 5.11 Pt 2M.3 .… 5.11 Pt 6CA .… 4.9, 4.37 Pt 7 .… 6.4 Pt 7.1 .… 6.8 Pt 7.1 Div 3 .… 5.50, 6.4, 6.5, 8.7, 8.8, 8.17 Pt 7.1 Div 4 .… 6.4, 6.5

Pt 7.1 Div 5 .… 8.8 Pt 7.9 .… 5.56 Pt 7.10 .… 6.6, 8.64 Pt 7.10 Div 2A .… 6.30 Pt 9.4 .… 8.62 Pt 9.4AA .… 5.93 s 9 .… 5.9, 5.32, 5.66, 5.68, 5.74, 8.24, 10.6, 10.10, 10.12, 10.63 s 25 .… 10.10–10.12 s 52 .… 6.30 s 79 .… 5.90, 6.30, 8.59 s 79(c) .… 5.91 s 93AA .… 5.93 s 111AD .… 5.60 s 111AE .… 5.60 s 111AL .… 5.60 s 111AM .… 5.60 s 180 .… 5.12, 5.18, 5.98 s 180(1) .… 5.5, 5.9, 5.13, 5.14, 5.18, 5.98, 5.99, 11.13, 11.16 s 183 .… 1.21, 8.50, 8.52, 8.54–8.56, 8.59 s 183(2) .… 8.57, 8.58 s 184 .… 1.21, 8.50, 8.52 s 184(3) .… 8.60 s 189 .… 5.17 s 205G .… 8.47, 8.49 s 206C .… 5.9, 5.92, 11.16 s 247A .… 10.53 s 286 .… 10.6, 10.8, 10.12, 10.14, 10.15, 10.28 s 286(1) .… 10.9 s 286(2) .… 10.6 s 292 .… 5.5 s 295(2) .… 5.5 s 295(2)(b) .… 5.5 s 295(3) .… 5.5 s 295(4)(c) .… 5.5

s 295(4)(d) .… 5.5 s 296 .… 5.5, 5.12 s 297 .… 5.5, 5.12 s 298 .… 5.12 s 299 .… 5.12 s 299(1) .… 5.6 s 299(1)(d) .… 5.6, 5.12 s 299(3) .… 5.6 s 299A .… 5.6, 5.12 s 299A(3) .… 5.6 s 300(1) .… 5.7 s 300(10) .… 5.7 s 300(11) .… 5.7 s 300A .… 5.7 s 301 .… 5.8 s 302 .… 5.4 s 307A .… 5.8, 5.24 s 308(a) .… 5.8 s 308(b) .… 5.8 s 311 .… 7.8 s 319 .… 5.11 s 319(3) .… 5.11 s 344 .… 5.5, 5.9, 5.12, 5.13, 5.18, 5.20 s 344(2) .… 5.11 s 411(3)(b) .… 5.71 s 414(2) .… 8.35 s 422 .… 7.8 s 438D .… 7.8 s 601FD .… 5.13 s 636 .… 5.48 s 636(1) .… 5.41, 5.42 s 636(1)(a) .… 5.41 s 636(1)(b) .… 5.41 s 636(1)(f) .… 5.41

s 636(1)(g) .… 5.28, 5.30, 5.41 s 636(1)(m) .… 5.41, 5.42, 5.47, 5.53 s 638 .… 5.48 s 638(1) .… 5.45, 5.46 s 638(1A)(a) .… 5.45 s 638(1A)(b) .… 5.45 s 638(2) .… 5.45 s 638(3) .… 5.45 s 661B .… 5.40 s 662B .… 5.40 s 663B .… 5.40 s 664A(3) .… 8.35 s 664C .… 5.40 s 665B .… 5.40 s 670A .… 5.48, 6.4 s 670A(3) .… 5.48 s 670B .… 5.48 s 670D .… 5.48 s 674 .… 5.22, 5.23, 5.59, 5.98, 5.99 s 674(1) .… 5.60 s 674(2) .… 5.90, 5.92 s 674(2)(c) .… 5.91 s 674(2)(c)(ii) .… 5.2 s 674(2A) .… 5.90, 5.91, 5.96, 5.98 s 674(2B) .… 5.91, 5.96, 5.97 s 675(1)(b) .… 5.60 s 676 .… 5.88 s 676(2) .… 5.88 s 677 .… 5.52, 5.70, 5.71 s 707(3) .… 5.28 s 707(5) .… 5.28 s 708A .… 5.26 s 708AA .… 5.26 ss 710–713 .… 5.30, 5.41

s 710 .… 5.30, 5.32, 5.42, 5.45 s 710(1) .… 5.28 s 710(1)(a) .… 5.28 s 710(1)(b) .… 5.28, 5.53 s 710(2) .… 5.28 s 710(3) .… 5.28 s 711 .… 5.27, 5.32 s 712 .… 5.28, 5.32 s 713 .… 5.26, 5.32, 5.42 s 714 .… 5.26, 5.32 s 715 .… 5.26, 5.32 s 715A .… 5.26 s 728 .… 5.32, 5.33, 6.4 s 728(1) .… 5.32 s 728(1)(a) .… 5.32 s 728(1)(b) .… 5.32 s 728(2) .… 5.30, 5.32 s 728(3) .… 5.32, 5.35, 5.37, 5.38, 5.48 s 729 .… 5.32, 5.33, 5.35, 5.37, 5.38, 5.48 ss 731–733 .… 5.48 s 731 .… 5.35 s 733 .… 5.34, 5.37 s 733(1) .… 5.37 s 733(2) .… 5.34, 5.37 s 761A .… 8.8, 8.24 s 761E(1) .… 8.24 s 761G .… 5.50 s 761GA .… 5.50 s 769B(3) .… 8.20, 8.37 s 912D .… 7.8, 11.18 s 988A .… 10.6 s 990K .… 7.8 s 1010A(1) .… 5.50 s 1010A(2) .… 5.50

s 1013C .… 5.53 s 1013C(2) .… 5.53 s 1013C(3) .… 5.50 s 1013C(4) .… 5.50 s 1013C(6) .… 5.50 s 1013D .… 5.51, 5.53 s 1013D(1) .… 5.51 s 1013D(1)(a) .… 5.51 s 1013D(1)(b) .… 5.51 s 1013D(1)(c) .… 5.51 s 1013D(1)(d) .… 5.51 s 1013D(1)(f) .… 5.51 s 1013D(1)(g) .… 5.51 s 1013D(1)(h) .… 5.51 s 1013D(1)(i) .… 5.51 s 1013E .… 5.52, 5.53 s 1013F .… 5.53, 5.54 s 1013F(1) .… 5.54 s 1013F(2) .… 5.54 s 1013FA .… 5.53, 5.54 s 1013H .… 5.50 s 1013J .… 5.50 s 1013K .… 5.50 s 1021B(1) .… 5.56 s 1021D .… 5.56 s 1021E .… 5.56, 5.57 s 1021H .… 5.56 s 1022A .… 6.4 s 1022A(1) .… 5.55 s 1022B(3)(b)(i) .… 5.55 s 1022B(3)(b)(ii) .… 5.55 s 1022B(7) .… 5.57 s 1041A .… 8.64 s 1041B .… 8.64

s 1041B(1) .… 8.64 s 1041C .… 8.64 s 1041C(1) .… 8.64 s 1041D .… 8.64 s 1041E .… 5.92, 6.3, 6.31 s 1041E(1) .… 8.64 s 1041F(1) .… 8.64 s 1041G .… 8.64 s 1041G(1) .… 8.64 s 1041H .… 5.9, 5.23, 5.91, 5.92, 5.98, 5.99, 6.3–6.8, 6.30, 8.64, 11.24 s 1041H(3) .… 6.4 s 1041I .… 5.92, 6.30 s 1041K .… 6.4 s 1042A .… 8.9, 8.11 s 1042B .… 8.23 s 1042B(a) .… 8.21, 8.22 s 1042B(b) .… 8.21, 8.22 s 1042C .… 8.12, 8.15 s 1042C(1)(a) .… 8.15 s 1042C(1)(b)(i) .… 8.42 s 1042C(1)(b)(ii) .… 8.15 s 1042C(1)(c) .… 8.15 s 1042D .… 5.52, 8.17, 8.18 s 1042G .… 8.20 s 1042H .… 8.20 s 1043A .… 8.25 s 1043A(1) .… 8.5, 8.25, 8.27, 8.28, 8.32, 8.34, 8.37 s 1043A(1)(b) .… 8.19 s 1043A(1)(c) .… 8.24 s 1043A(1)(d) .… 8.24 s 1043A(2) .… 8.6, 8.24, 8.36 s 1043A(2)(d) .… 8.24 s 1043A(2)(e) .… 8.24 s 1043B .… 8.31

s 1043C .… 8.32 s 1043C(1)(a) .… 8.32 s 1043C(1)(c) .… 8.32 s 1043C(2)(b)(i) .… 8.33 s 1043D .… 8.34 s 1043E .… 8.36 s 1043F .… 8.37–8.39 s 1043G .… 8.37 s 1043G(2) .… 8.37 s 1043H .… 8.40 s 1043I .… 8.40 s 1043J .… 8.40 s 1043K .… 8.37 s 1043M .… 8.42, 8.43 s 1043M(2) .… 8.42 s 1043M(2)(a) .… 8.42 s 1043M(2)(b) .… 8.33, 8.43 s 1043M(3) .… 8.42 s 1043M(3)(a) .… 8.42 s 1043M(3)(b) .… 8.43 s 1043N .… 8.33, 8.43 s 1305 .… 10.25, 10.27 s 1305(2) .… 10.28 s 1306 .… 10.8, 10.14, 10.25, 10.26 s 1306(1) .… 10.14 s 1306(1)(b) .… 10.14 s 1306(2)(a) .… 10.14 s 1306(5) .… 10.27 s 1306(6) .… 10.27, 10.28, 10.56 s 1307 .… 10.63, 10.64 s 1307(1) .… 10.65 s 1307(3) .… 10.65 s 1308(1)(a) .… 8.62 s 1308(2) .… 8.62

s 1308(4) .… 8.62 s 1309 .… 8.62 s 1311 .… 5.11, 8.45 s 1311(1) .… 5.11, 5.94 s 1311(1A) .… 5.11 s 1311(3) .… 5.11 s 1311(4) .… 5.11 s 1311(5) .… 5.11 s 1312 .… 5.11, 9.97, 11.11 s 1317AA(1)(a) .… 4.36 s 1317AA(1)(b) .… 4.36 s 1317AA(1)(d) .… 4.36 s 1317AA(1)(e) .… 4.36 s 1317AB .… 4.36 s 1317DA .… 8.44 s 1317E .… 5.9, 5.92, 8.59, 11.16 s 1317E(1) .… 5.92 s 1317E(1)(jf)–(jg) .… 8.44 s 1317G .… 5.9, 8.60, 8.64, 11.16 s 1317G(1) .… 5.92 s 1317G(1)(b)(iii) .… 5.92 s 1317H .… 5.9, 5.92, 8.60, 11.16 s 1317HA .… 8.44 s 1317S .… 5.13, 5.14, 5.92, 8.43 s 1318 .… 5.13, 5.14, 5.92 s 1324 .… 5.9, 5.23, 5.92, 6.30, 11.16 Sch 3 .… 5.11, 8.45, 8.63 Corporations Regulations 2001 regs 7.1.11–7.1.28 .… 5.50 reg 7.6.02AB .… 5.50 reg 7.6.02AC .… 5.50 reg 7.6.02AD .… 5.50 reg 7.6.02AE .… 5.50 reg 7.6.02AF .… 5.50

reg 9.12.01 .… 8.30 Crimes Act 1914 s 4AA .… 5.11, 8.45, 8.49, 8.60, 8.64, 9.97, 9.101, 11.11 Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 .… 5.11, 8.45, 8.49, 8.60, 8.64, 9.97, 9.101, 11.11 Criminal Code 1995 s 5.2 .… 5.32 s 5.6(1) .… 5.32 s 6.1 .… 5.11 s 9.2 .… 5.11 s 11.2 .… 5.56 Do Not Call Register Act 2006 .… 9.59 Electronic Transactions Act 1999 .… 10.8, 10.15, 10.16 s 11 .… 10.60 s 12 .… 10.17, 10.18, 10.20, 10.22 Electronic Transactions Regulations 2000 Sch 1 item 28 .… 10.15 Sch 1 item 30 .… 10.15 Evidence Act 1995 .… 10.27, 10.30–10.39 s 47(1) .… 10.37 s 48 .… 10.37 s 48(1) .… 10.38 s 48(1)(b) .… 10.37 s 48(1)(d) .… 10.37 s 48(1)(e) .… 10.37 s 59 .… 10.39 s 69 .… 10.39 s 117 .… 4.10 s 118 .… 4.10, 7.14, 7.18 s 119 .… 7.14, 7.18 s 122(2) .… 7.19 s 122(3) .… 7.19 Extradition Act 1988 .… 11.2 Family Law Act 1975

s 79A .… 9.55 Fringe Benefits Tax Assessment Act 1986 .… 10.5, 10.22 Income Tax Assessment Act 1936 .… 10.5, 10.19 s 262A .… 10.19 s 264 .… 4.38 National Consumer Credit Protection Act 2009 .… 6.49, 6.50, 9.86, 9.90 s 117(1)(b) .… 9.97 s 120(1) .… 9.97 s 133AC .… 6.50 s 133AD .… 6.50 s 133AE(4) .… 6.50 s 133AF .… 6.50 s 133BC .… 6.50 s 178 .… 6.50 Sch 1 .… 6.49 Sch 1, Pt 2 .… 6.49 National Consumer Credit Protection Regulations 2010 .… 6.49 Sch 5 .… 6.50 National Credit Code see National Consumer Credit Protection Act 2009 Sch 1 Privacy Act 1988 (as amended, with effect from 12/03/2014) .… 1.24, 9.2, 11.1, 11.8 Pt IIIA .… 9.80, 9.83, 9.90, 9.101, 9.105 Pt IIIA, Div 3 .… 9.84, 9.94 Pt IIIA, Subdiv F .… 9.99 s 2A .… 9.57 s 5B .… 9.86 s 6 .… 9.7 s 6(1) .… 9.26, 9.27, 9.29, 9.50, 9.73, 9.83, 9.90 s 6C .… 9.4 s 6D(1) .… 9.4 s 6D(4) .… 9.4 ss 6G–6K .… 9.81 s 6G(1) .… 9.81

s 6G(2) .… 9.81 s 6M(1) .… 9.82 s 6N .… 9.82 s 13G .… 9.100, 9.101 s 13G(1)(a) .… 9.101 s 13G(2)(a) .… 9.101 s 15 .… 9.5 s 16C .… 9.62–9.64 s 20C(3)(a) .… 9.90 s 21A(2) .… 9.83 s 21B .… 9.84 s 21B(2) .… 9.84 s 21B(3) .… 9.84 s 21B(4) .… 9.84 s 21B(5) .… 9.84 s 21B(7) .… 9.84 s 21C .… 9.85 s 21C(1) .… 9.85 s 21C(3)(a) .… 9.85 s 21C(3)(b) .… 9.85 s 21C(3)(c) .… 9.85 s 21C(3)(d) .… 9.85 s 21D .… 9.86, 9.89, 9.90, 9.94, 9.95 s 21D(3) .… 9.86 s 21D(3)(c) .… 9.90 s 21D(6) .… 9.86 s 21D(7) .… 9.86 s 21E .… 9.87 s 21F .… 9.88 s 21F(3) .… 9.88 s 21G .… 9.86, 9.89–9.91 s 21G(2) .… 9.89, 9.90 s 21G(3) .… 9.89, 9.90 s 21G(3)(a) .… 9.90

s 21G(3)(b) .… 9.90 s 21G(3)(c) .… 9.90 s 21G(3)(d) .… 9.90 s 21G(3)(e) .… 9.90 s 21G(3)(f) .… 9.90 s 21G(3)(g) .… 9.90 s 21G(4) .… 9.90 s 21G(5) .… 9.90 s 21G(6) .… 9.91 s 21G(7) .… 9.91 s 21G(8) .… 9.91 ss 21K–21N .… 9.90 s 21P .… 9.92 s 21P(1) .… 9.92 s 21P(2) .… 9.92 s 21Q .… 9.93 s 21Q(1) .… 9.93 s 21Q(2) .… 9.93 s 21Q(3) .… 9.83, 9.93 s 21R .… 9.94, 9.95 s 21R(1) .… 9.94 s 21R(2) .… 9.94 s 21S .… 9.98, 11.8, 11.11 s 21S(1) .… 9.96 s 21S(2) .… 9.97 s 21S(2)(c) .… 9.97 s 21S(3) .… 11.8 s 21T .… 9.99 s 21T(8) .… 9.99 s 21U .… 9.99 s 21U(2) .… 9.99 s 21U(3) .… 9.99 s 21U(4) .… 9.99 s 21V(2) .… 9.99

s 21V(3) .… 9.99 s 21V(6) .… 9.99 s 21W .… 9.99 s 27(2) .… 9.105 s 28A(1)(a) .… 9.105 s 28A(1)(b) .… 9.105 s 33C(1)(a) .… 9.106 s 33C(1)(b) .… 9.106 s 33C(2) .… 9.106 s 33E .… 9.107 s 33F .… 9.107 s 36 .… 9.102 s 38 .… 9.102 s 40(1) .… 9.102 s 40(1A) .… 9.102 s 40(2) .… 9.102, 9.103 s 40A .… 9.102 s 43 .… 9.102 s 44 .… 9.102 s 45 .… 9.102 s 46 .… 9.102 s 47 .… 9.102 s 52(1) .… 9.103, 9.104 s 55 .… 9.103 s 55A(1) .… 9.104 s 55A(2) .… 9.104, 9.105 s 55A(5) .… 9.104 s 55B .… 9.104 s 55B(6) .… 9.104 Sch 1, APP 1 .… 9.59, 9.60, 9.102 Sch 1, APP 1.2 .… 9.16, 9.17, 9.19 Sch 1, APP 1.3 .… 9.18, 9.19, 9.84 Sch 1, APP 1.4 .… 9.20, 9.21, 9.84 Sch 1, APP 2 .… 9.33

Sch 1, APPs 3–5 .… 9.22 Sch 1, APP 3.2 .… 9.22–9.24, 9.27, 9.33, 9.36 Sch 1, APP 3.3 .… 9.25 Sch 1, APP 3.4 .… 9.26 Sch 1, APP 3.5 .… 9.28 Sch 1, APP 3.6 .… 9.28 Sch 1, APP 4 .… 9.29 Sch 1, APPs 5–13 .… 9.29 Sch 1, APP 5.2 .… 9.30 Sch 1, APP 5.2(f) .… 9.34 Sch 1, APP 5.2(i) .… 9.35 Sch 1, APP 5.2(j) .… 9.35 Sch 1, APP 6 .… 9.40, 9.41, 9.43, 9.86, 9.90, 9.91 Sch 1, APP 6.1 .… 9.36, 9.37 Sch 1, APP 6.2 .… 9.37, 9.39 Sch 1, APP 6.2(a) .… 9.38 Sch 1, APP 6.2(a)(ii) .… 9.38 Sch 1, APP 6.2(b) .… 9.39 Sch 1, APP 6.2(c) .… 9.39 Sch 1, APP 6.2(d) .… 9.39 Sch 1, APP 6.2(e) .… 9.39 Sch 1, APP 6.6 .… 9.40 Sch 1, APP 6.7 .… 9.40 Sch 1, APP 7 .… 9.40, 9.41, 9.43, 9.59, 9.91 Sch 1, APP 7.1 .… 9.41, 9.43, 9.45, 9.48 Sch 1, APP 7.2 .… 9.45, 9.47, 9.49 Sch 1, APP 7.2(a) .… 9.46 Sch 1, APP 7.2(b) .… 9.46, 9.47 Sch 1, APP 7.2(c) .… 9.47 Sch 1, APP 7.2(d) .… 9.47 Sch 1, APP 7.3 .… 9.48, 9.57 Sch 1, APP 7.3(a)(i) .… 9.49 Sch 1, APP 7.3(a)(ii) .… 9.49 Sch 1, APP 7.3(b) .… 9.49, 9.50

Sch 1, APP 7.3(c) .… 9.49, 9.58 Sch 1, APP 7.3(d) .… 9.58 Sch 1, APP 7.3(d)(i) .… 9.58 Sch 1, APP 7.3(d)(ii) .… 9.58 Sch 1, APP 7.4 .… 9.59 Sch 1, APP 7.6 .… 9.59 Sch 1, APP 7.8 .… 9.59 Sch 1, APP 8 .… 9.61, 9.86, 9.91 Sch 1, APP 8.1 .… 9.60–9.64, 9.67 Sch 1, APP 8.2 .… 9.61, 9.64 Sch 1, APP 8.2(a) .… 9.65, 9.66 Sch 1, APP 8.2(b) .… 9.67 Sch 1, APP 8.2(c) .… 9.67 Sch 1, APP 8.2(d) .… 9.67 Sch 1, APP 9 .… 9.40, 9.68 Sch 1, APP 9.1 .… 9.69 Sch 1, APP 9.2 .… 9.70, 9.91 Sch 1, APP 9.2(a) .… 9.70 Sch 1, APP 10 .… 9.83, 9.93 Sch 1, APP 10.1 .… 9.71 Sch 1, APP 10.2 .… 9.71 Sch 1, APP 11 .… 9.98 Sch 1, APP 11.1 .… 9.72, 11.8, 11.11 Sch 1, APP 11.2 .… 9.73 Sch 1, APP 12 .… 9.74 Sch 1, APP 12.1 .… 9.74 Sch 1, APP 12.3 .… 9.74 Sch 1, APP 12.3(b) .… 9.74 Sch 1, APP 12.3(c) .… 9.74 Sch 1, APP 12.3(d) .… 9.74 Sch 1, APP 12.3(e) .… 9.74 Sch 1, APP 12.3(h) .… 9.74 Sch 1, APP 12.3(j) .… 9.74 Sch 1, APP 12.3(i) .… 9.74

Sch 1, APP 12.4(a)(i) .… 9.75 Sch 1, APP 12.4(b) .… 9.75 Sch 1, APP 12.5 .… 9.75 Sch 1, APP 12.6 .… 9.75 Sch 1, APP 12.8 .… 9.75 Sch 1, APP 12.9 .… 9.75 Sch 1, APP 12.10 .… 9.75 Sch 1, APP 13 .… 9.76 Sch 1, APP 13.1 .… 9.76 Sch 1, APP 13.2 .… 9.76 Sch 1, APP 13.3 .… 9.76 Sch 1, APP 13.4 .… 9.76 Sch 1, APP 13.5 .… 9.76 Sch 3, NPP 2.1 .… 9.51 Sch 3, NPP 5.1 .… 9.18 Sch 3, NPP 5.2 .… 9.18 Sch 3, NPP 9(a) .… 9.62 Privacy Amendment (Enhancing Privacy Protection) Act 2012 .… 9.2, 9.3, 9.6, 11.8 Spam Act 2003 .… 9.59 Sch 2, cl 2 .… 9.50 Tax Administration Act 1953 .… 10.5, 10.22 Telecommunications Act 1997 .… 6.44 s 121 .… 6.48 s 570(3) .… 6.48 Telecommunications Consumer Protections Code .… 6.44, 6.45 4.1.1 .… 6.46 4.1.2 .… 6.46 4.1.2(g) .… 6.46 4.1.2(f) .… 6.46 4.2 .… 6.47 Trade Practices Act 1974 s 52 .… 6.11, 6.23, 6.24 s 85(3) .… 6.28

s 155 .… 7.6 Trade Practices Amendment (Australian Consumer Law) Act (No 2) 2010 . … 6.40 s 3 .… 6.36, 9.33 Sch 7 item 8 .… 6.36, 9.33

Australian Capital Territory Evidence Act 2011 .… 10.27, 10.30–10.39 s 47(1) .… 10.37 s 48 .… 10.37 s 48(1) .… 10.38 s 48(1)(b) .… 10.37 s 48(1)(d) .… 10.37 s 48(1)(e) .… 10.37 s 59 .… 10.39 s 69 .… 10.39 s 118 .… 7.14, 7.18 s 119 .… 7.14, 7.18 s 122(2) .… 7.19 s 122(3) .… 7.19

New South Wales Civil Liability Act 2002 s 3A(2) .… 11.22 Crimes Act 1900 Div 5 .… 3.38 s 308H .… 3.38 Evidence Act 1995 .… 10.27, 10.30–10.39 s 47(1) .… 10.37 s 48 .… 10.37 s 48(1) .… 10.38 s 48(1)(b) .… 10.37 s 48(1)(d) .… 10.37

s 48(1)(e) .… 10.37 s 59 .… 10.39 s 69 .… 10.39 s 118 .… 7.14, 7.18 s 119 .… 7.14, 7.18 s 122(2) .… 7.19 s 122(3) .… 7.19 Dictionary Pt 1 .… 10.32 Dictionary Pt 2 cl 8 .… 10.33 Fair Trading Act 1987 s 28 .… 6.35 Uniform Civil Procedure Rules 2005 r 21.2 .… 4.38 r 21.7 .… 7.11 r 21.10 .… 4.38

Northern Territory Evidence Act .… 10.27, 10.30–10.39 s 47(1) .… 10.37 s 48 .… 10.37 s 48(1) .… 10.38 s 48(1)(b) .… 10.37 s 48(1)(d) .… 10.37 s 48(1)(e) .… 10.37 s 59 .… 10.39 s 69 .… 10.39 s 118 .… 7.14, 7.18 s 119 .… 7.14, 7.18 s 122(2) .… 7.19 s 122(3) .… 7.19

Queensland Evidence Act 1977 .… 10.40–10.46

s 97 .… 10.41 s 106 .… 10.43, 10.45 Fair Trading Act 1988 s 16 .… 6.35

South Australia Evidence Act 1929 .… 10.47 s 45C .… 10.47, 10.48 s 45C(2) .… 10.47 s 45C(2)(a) .… 10.47 s 45C(2)(b) .… 10.47 s 45C(2)(c) .… 10.47 s 45C(2)(d) .… 10.47

Tasmania Evidence Act 2001 .… 10.27, 10.30–10.39 s 47(1) .… 10.37 s 48 .… 10.37 s 48(1) .… 10.38 s 48(1)(b) .… 10.37 s 48(1)(d) .… 10.37 s 48(1)(e) .… 10.37 s 59 .… 10.39 s 69 .… 10.39 s 118 .… 7.14, 7.18 s 119 .… 7.14, 7.18 s 122(2) .… 7.19 s 122(3) .… 7.19

Victoria Evidence Act 2008 .… 10.27, 10.30–10.39 s 47(1) .… 10.37

s 48 .… 10.37 s 48(1) .… 10.38 s 48(1)(b) .… 10.37 s 48(1)(d) .… 10.37 s 48(1)(e) .… 10.37 s 59 .… 10.39 s 69 .… 10.39 s 118 .… 7.14, 7.18 s 119 .… 7.14, 7.18 s 122(2) .… 7.19 s 122(3) .… 7.19 Fair Trading Act 1999 .… 5.22

Western Australia Evidence Act 1906 .… 10.48–10.52 s 73A .… 10.48, 10.50, 10.51 s 73A(1) .… 10.48 s 73A(3) .… 10.50 s 79C .… 10.51 s 79C(2a) .… 10.51 Fair Trading Act 2010 s 19 .… 6.35

India Information Technology (Amendment) Act 2008 s 43A .… 9.66

International EU Database Directive .… 2.61, 3.1–3.5, 3.38 art 1(1) .… 3.4 art 1(2) .… 3.4 art 7 .… 3.16

art 7(1) .… 3.4, 3.5, 3.8, 3.12–3.15, 3.22, 3.28 art 7(2)(a) .… 3.4 art 7(2)(b) .… 3.4 art 7(4) .… 3.5 art 7(5) .… 3.5 art 9 .… 3.36 art 10(1) .… 3.34 art 10(3) .… 3.34 World Trade Organization’s Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) .… 2.14 art 9.2 .… 2.3, 2.4 art 10.2 .… 2.3, 2.14

New Zealand Copyright Act 1994 s 5 .… 2.59

United Kingdom Copyright and Rights in Databases Regulations 1997 reg 20 .… 3.36 reg 23 .… 3.36 Copyright, Designs and Patents Act 1988 .… 3.35 s 9(3) .… 2.58 Data Protection Act 1998 .… 9.66 s 1 .… 9.66 s 42 .… 9.66 s 43 .… 9.66 Unfair Terms in Consumer Contracts Regulations 1999 reg 6(2) .… 6.40

United States of America Restatement of the Law of Torts (First)

art 757 .… 4.17

Contents Foreword Preface Table of Cases Table of Statutes Part 1 Overview Chapter 1

Introduction to Corporate Information and the Law

Overview Exponential growth in information Value of information Information law as a discrete area of study The domain — ‘corporate information’ The structure Part 2 — Rights in corporate information Part 3 — Limits on information sovereignty Part 4 — Information security and management Conclusion Part 2 Rights in Corporate Information Chapter 2

Copyright in Corporate Information

Copyright protection of corporate information Theoretical underpinnings of copyright law Criteria for copyright protection Literary works A ‘table’ as a literary work

A ‘compilation’ as a literary work A ‘computer program’ as a literary work Material form Original works Originality in the context of subsistence Originality in the context of infringement Connecting factors Scope of copyright law protection for corporate information Evidence of authorship Reform Amending the author requirement A maker v author Duration Defences and remedies Conclusion Chapter 3

Alternative Approaches to Protecting Corporate Information

Introduction The European Union’s Database Directive The purpose of the Database Directive The European Court of Justice’s interpretation of the database right British Horseracing Board case Interpreting the expression ‘obtaining’ Interpreting the expression ‘verification’ Interpreting the expression ‘presentation’ Interpreting the expressions ‘extraction’ and ‘re-utilization’ Summarising the impact of the ECJ approach to interpreting the Database Directive

Applying the ECJ’s ruling in BHB to the facts of recent Australian cases Duration and remedies Conclusion Unjust enrichment Conclusion Chapter 4

Confidential Corporate Information

Introduction The requirements Identifying the information in suit Standing Elements of the action for breach of confidence Element 1 — Necessary quality of confidence Element 2 — Circumstances importing an obligation of confidence Element 3 — Unauthorised use of that information to the detriment of the party communicating it Controlling the use and disclosure of information by employees Express confidentiality terms Defences Just cause or excuse Disclosures by whistleblowers Legal compulsion Liability and remedies Conclusion Part 3 Limits on Information Sovereignty Chapter 5 Introduction

Disclosure and Investor Protection

Periodic disclosure The financial report The directors’ report The auditor’s report Liability Liability of directors and officers Class action liability Conclusions — periodic disclosure laws Fundraising and disclosures Specific information General information — reasonable investor standard Case law concerning the reasonable investor test Defects in prospectuses Defences Due diligence defence for prospectuses General defence for all disclosure documents Conclusions — fundraising and disclosures Takeovers and disclosures Disclosure under a bidder’s statement Disclosure under a target’s statement Relationship between takeover disclosure laws and other information laws Defects in takeover documents Conclusion — takeover disclosures Product disclosure documents and disclosures Specific requirements General requirements Limitations on disclosure

Liability for defective disclosure in a PDS Conclusion — product disclosure statements Continuous disclosure The Australian Securities Exchange (ASX) Listing Rules Listing Rule 3.1 Element 1 — Becomes aware of any information concerning it Element 2 — Reasonable person would expect to have a material effect on the price or value Element 3 — Entity must immediately tell ASX that information Exceptions under Listing Rule 3.1A Listing Rule 3.1A.1 — the five situations Listing Rule 3.1A.2 — The information is confidential and ASX has not formed the view that the information has ceased to be confidential Listing Rule 3.1A.3 — A reasonable person would not expect the information to be disclosed Listing Rule 3.1B — false markets The statutory rules Generally available information A person involved in a contravention Offences Due diligence defence Liability under other laws Conclusions — continuous disclosure Conclusion Chapter 6

Disclosure and Consumer Protection

Introduction Misleading or deceptive conduct The statutory provisions

Peculiar elements regarding the scope of s 1041H — the meaning of ‘in relation to’ Peculiar elements regarding the scope of s 12DA The ‘trade and commerce’ limit on the scope of s 12DA, ASIC Act and s 18, ACL Misleading or deceptive conduct — interpretation and application Meaning of ‘deceptive’ conduct Meaning of ‘likely to’ Objective test for assessing misleading or deceptive conduct Statements that are literally true State of mind Transitory effect and disclaimers Careless conduct Class of persons to whom conduct is directed A failure to disclose Opinions and forward-looking statements Advertising Social/digital media cases Contravention Conclusions regarding misleading conduct Specific consumer disclosure laws — regulating form and content Unfair contract terms Telecommunications Code Telecommunications Consumer Protections Code/ACMA Credit regulation Conclusion Chapter 7

Disclosure in the Context of Enforcement and Litigation

Introduction Disclosure to regulators ASIC’s information-gathering powers ACCC’s information-gathering powers Disclosure in litigation Power to refuse disclosure The elements of the privilege Conclusion Chapter 8

Other Limits and Controls on the Use of Corporate Information

Introduction Insider trading What prohibitions are contained in the law? Element 1 — Division 3 financial products Element 2 — What is information? Element 3 — What is ‘inside information’? Element 4 — Territorial connection Element 5 — Trading, procuring and tipping Exceptions Withdrawal from registered scheme — s 1043B Underwriter exception — s 1043C Legal requirement exception — s 1043D Communication pursuant to a legal requirement — s 1043E Chinese wall exception — s 1043F Own intentions/activities exception — ss 1043H, 1043I and 1043J Defences to criminal offences Defences to civil liability

Penalties and other matters Directors and relevant interests — s 205G General law and statutory obligations concerning the use of corporate information Fiduciary duties Laws that prohibit the use of corporate information by directors, officers and employees Liability Market manipulation laws and other information offences Offences under Part 9.4, Corporations Act Market misconduct offences under Part 7.10, Corporations Act Price signalling laws Private disclosure prohibition General prohibition Penalties Conclusion Chapter 9

Collection, Use and Disclosure of Personal Information

Introduction The collection, use and disclosure of personal information Who does the Privacy Act apply to? Australian Privacy Principles — APPs What is ‘personal information’? Information governance Collection of personal information Use and disclosure of personal information Direct marketing Cross-border disclosure

Government identifiers Quality and security of personal information Access to and correction of personal information Privacy and credit information — the obligations of credit providers Who is a credit provider? Additional obligations Information governance Dealing with credit information Dealing with credit eligibility information Integrity of credit eligibility information Use or disclosure of false or misleading information Quality and security of information Access to and correction of information Enforcement Civil penalties Complaints and investigations Other powers of the Commissioner Conclusion Part 4 Information Security and Management Chapter 10 Digitising Corporate Records and the Law Introduction Converting paper documents to digital information — the main issues The principal document retention obligations Obligations under the Corporations Act The first ground — applying the plain meaning of the word ‘writing’ The second ground — the facilitative provisions contained in s 1306 of the Corporations Act

The third ground — the facilitative provisions of the ETA Obligations under tax legislation Digitised documents and the laws of evidence Corporations Act — ss 1305, 1306 Uniform Evidence Acts What constitutes a document? What are the authentication requirements in relation to secondary evidence? Tendering/adducing documentary evidence Exclusionary rules Queensland, South Australian and Western Australian Evidence Acts Queensland — Evidence Act 1977 South Australia — Evidence Act 1929 Western Australia — Evidence Act 1906 Production and inspection of documents by regulators Redundant source documents Concealment, destruction, mutilation or alteration of books Conclusion Chapter 11 Cyber Security and the Law Introduction The threat environment within which corporations operate Cyber security and the law Privacy law The ‘reasonable steps’ test Consequence of a breach Directors’ duties Consequence of a breach

Data breach laws Contract law Consumer protection laws Evidence Conclusion Bibliography Index

[page 1]

Part 1 Overview



[page 3]

Chapter 1 Introduction to Corporate Information and the Law

OVERVIEW Our era has been styled … as the “age of information”. Francis Bacon recognized nearly 400 years ago that “knowledge is power”, but only in the last generation has it risen to the equivalent of the coin of the realm: Securities and Exchange Commission v Matiera.1

1.1 Information is power. Information has value. Corporations seek to realise the value of information in a range of ways — by exploiting the competitive advantage it confers, through exchange, by improving the dialogue with consumers and by furthering corporate strategy. Corporate information also has value for parties external to the corporation, including consumers, competitors, regulators, investors and the market more generally. The success of corporations is directly influenced by how well they manage the legal rights and obligations associated with this information. Put simply, a corporation’s ability to synthesise value from, or protect value in, information is only as good as its information governance framework. An effective information governance framework also conditions the extent to which a corporation can prevent or minimise value destruction, including losses associated with penalties, compensation payments or reputation damage associated with a breach or alleged breach (civil or criminal) of information laws. [page 4] 1.2 The objective of this work is to assist corporations in this context in six principal ways: (1) Given the key role that corporate information plays in the information

economy, there is a logical need to bring together as a central reference, under a single framework, all of the key laws that create rights or impose obligations in respect of corporate information. (2) By considering relevant laws within a unified framework, the scope of each law and their inter-relationships become more apparent. Among other things, this approach assists in identifying the limits of corporate sovereignty over information (ie, through the interplay of laws that confer rights and the laws that impose obligations). It can also assist with the identification of any potential gaps in the legal framework and raise significant questions that must be considered and addressed. (3) On a related note, this approach accommodates the transmutable nature of corporate information when considered from an information law perspective. That is, in certain cases, corporate information can trigger legal issues across a wide spectrum of information laws. By examining these laws within one framework, we are better able to appreciate the issues that arise in this context. (4) This framework approach allows the consistencies and inconsistencies (explicable or otherwise) between the relevant information laws and differing jurisdictions to be more readily identified and discussed. For example, this enables us to compare and contrast the approach courts take to determining (eg, by reading up or down) the scope or application of information laws, including by invoking public policy. (5) A wide-ranging review of information laws illustrates the fundamental role that the concept of ‘reasonableness’ plays in determining the requirements of many information laws. (6) Finally, the combined effect of enhancing our understanding of the rights and obligations across the spectrum of information laws, is that we are better equipped to identify steps that corporations should take to develop, implement and continuously improve information governance policies, practices and procedures. This is especially important in an environment where the volume and value of corporate information is increasing exponentially.

EXPONENTIAL GROWTH IN INFORMATION 1.3

The world is producing more information than at any time in history.

According to research by the McKinsey Global Institute and McKinsey’s Business Technology Office ‘[t]he amount of data in our [page 5] world has been exploding’.2 It is estimated that the total amount of digital information in the world reached 2.7 zettabytes in 2012.3 To put that in perspective, in 2006 the world’s entire digital content was approximately 0.5 zettabytes. If 0.5 zettabytes of ‘digital content were printed and bound into books it would form a stack that would stretch from Earth to Pluto 10 times’.4 Earth is about 5.9 billion kilometres from Pluto. At a predicted 2.7 zettabytes, the world’s total digital content could form a stack that would stretch from Earth to Pluto over 50 times. In addition, ‘the world’s digital output is increasing at such a rate that those stacks of books are rising quicker than Nasa’s [sic] fastest space rocket’.5

VALUE OF INFORMATION 1.4 Granted, not all of this information will be corporate information. However, one could safely assume that the rapid rate of growth in digital information globally is a useful proxy for the rate of growth in corporate information. As Cumming and Crompton observe, corporate information is a key asset in the information economy: Historically, the assets of a company could easily be quantified by numbers on a balance sheet, or physical assets. In the information age, this is no longer the case. Information is arguably the most critical asset in any organisation. Keeping it safe and preserving its value is one of the most difficult challenges. Personal information makes the challenge more complex with rising community expectations and legal and regulatory factors impacting on an organisation’s activities.6

Corporations that best manage their information will create value for stakeholders and have a competitive advantage over their rivals. For example, the collection and analysis of the ever-increasing volume of data available to corporations, so-called ‘big data’, ‘will become a key basis of competition, underpinning new waves of productivity growth, [page 6]

innovation, and consumer surplus’.7 Forbes has reported that a survey of corporations found: … [a]n overwhelming majority of companies (73 percent) have already leveraged data to increase revenue. Of those companies that have already increased revenue, 57 percent used data to increase an existing revenue stream. Notably, the remaining 43 percent used data to create entirely new sources of revenue.8

Of course, in addition to the value that can be extracted from big data, corporations can exploit other information in order to create value. Trade secrets are highly valuable. Information assets can be monetised and create or derive value for a corporation directly or indirectly for the company (eg, advertising revenue associated with Google search results). 1.5 It must be noted, however, that stakeholders other than the corporation may have claims on corporate information in one form or another. The collection, use and disclosure of personal information will subject a corporation to a range of onerous information management obligations. Corporations that effectively manage personal information in accordance with these obligations will not only avoid legal or reputational sanction, but more importantly maintain the trust of consumers. Other stakeholders in the information governance sector are investors and potential investors. For instance, a corporation is required to disclose certain information to investors and potential investors under periodic and continuous disclosure regimes. This information has (at least theoretical) value to those stakeholders (ie, they presumably have better pricing information), and this same information may have either positive value or negative value to the disclosing entity (ie, its stock price and market capitalisation may go up or down upon disclosing the relevant information). There is yet other information that a corporation may voluntarily disclose to the market, for the purposes of, for example, promoting the sale of its goods or services through digital or traditional marketing. However, where information that is disclosed to the market, for whatever reason, is defective (ie, it is misleading or not accurate, complete or otherwise disclosed in a timely manner) it may distort value exchanges on markets. In these cases, a party may rely on this defective information to its detriment. They may then attempt to recover from the corporation any lost value. 1.6 Corporations can realise yet more value by digitising the manner in which they secure and maintain corporate information. Traditionally,

[page 7] corporations largely maintained information in paper form. The paper records were retained as a source of truth (ie, records of the business conducted by the corporation) in order to satisfy record retention obligations. More modern corporations have moved to a mix between paper (as the source of truth) and digital (for workflow purposes) formats. Wholly digital corporations will leverage the law to ensure that they reduce costs and increase efficiencies by adopting a fully digital approach to satisfying information retention obligations. As corporations adopt digital business models, they need to be aware of the risks of doing so and implement adequate controls to preserve the value in their digital assets. The value in these assets may be misappropriated by anyone who obtains access, authorised or otherwise, to confidential information stored on a corporation’s network (eg, hackers or employees who download customer lists to establish competing businesses or who trade on inside information). 1.7 As mentioned above, a corporation that both understands all the laws that confer rights in information and best manages its information in accordance with those laws will optimise its competitive advantage.

INFORMATION LAW AS A DISCRETE AREA OF STUDY 1.8 Information technology is the infrastructure that supports the information economy. Information technology itself has been the focus of many legal texts and scholarly articles over the last decade.9 These works have refined existing, or offered new, organising principles for analysing and managing the legal issues associated with the use of technology in the information age. They have been of great benefit to corporations and those who advise corporations when managing legal issues that arise in connection with maintaining large-scale information technology operations, including for the purposes of conducting electronic commerce. 1.9 But what is missing in Australian legal literature is a comprehensive text on corporate information and the law — a work that specifically focuses on the laws that apply to the way in which corporations create, use, disclose and secure information.

[page 8] Until now, texts have focused on the laws that more generally relate to the actual technology used to create, process, transmit and store information. Their emphasis appears to be principally on technology rather than information. This is somewhat surprising given that so much economic value resides in information. 1.10 There are certainly works that cover aspects of information law. Many of the legal texts that cover intellectual property law or information technology issues usually include sections that deal specifically with information law issues. For example, intellectual property law books will often contain chapters or sections that deal with rights in information.10 Further, books dealing with electronic commerce or cyber law will also generally cover some information law topics such as rights in databases,11 privacy in the online context12 and aspects of information security and digital evidence.13 Corporate law, finance law and other specialist texts will often deal to varying degrees with specific information law topics such as inside information,14 continuous disclosure,15 misuse of company information,16 conflicts of interest,17 marketing18 and other relevant topics.19 These texts, however, fail to give information law a coherent framework. There is a growing need to provide a central reference for those who are interested in studying this critical area or are otherwise subject to various [page 9] information laws. It is hoped that by bringing these laws together, it can help those impacted by the laws to better understand them, the express or implicit policies underpinning them and, where relevant, manage their compliance in a holistic or comprehensive manner. 1.11 By examining information law within a single framework, this book aims not only to identify and examine key laws that belong to a single taxonomy, but also to demonstrate how these laws interconnect. A simple example helps to demonstrate this point. Consider, for example, a corporation that collects information from customers in the course of its business. This process immediately raises privacy issues and confidentiality issues. The same business then collects information about the customers’ purchasing habits and stores that

information in a database. Presuming the corporation has addressed issues relating to ownership of this information and any related privacy issues, it may make extracts of that information available to analytics firms in return for a fee. Over time, the information it collects becomes a reliable indicator for the financial performance of the corporation. Once information attains this attribute, issues concerning periodic disclosure and continuous disclosure potentially arise for the corporation, on the one hand, and issues concerning insider trading potentially arise for both the corporation and the analysts to which it provides the information, on the other. If the corporation was the victim of a cyber attack and some of this information was stolen (including credit card details), questions may arise as to whether the corporation implemented adequate security controls as required under law — such as whether directors and other officers of the corporation applied the right level of care and diligence in ensuring management had developed and maintained an effective information governance framework in this context. If the consequences of the attack were sufficiently serious, more questions would arise as to whether further disclosures would need to be made to the market under continuous disclosure laws. Finally, any applicable regulators (including the Privacy Commissioner) and class action lawyers could seek information concerning the incident in order to help them determine whether action should or could be taken by them in response to the incident. Such action could in turn uncover a range of other issues related to the management of corporate information that may trigger further potential liability for the organisation. 1.12 It is hoped that by providing a more complete view of information law it will facilitate enhanced corporate information governance. Improved outcomes in this context should in turn maximise returns for [page 10] shareholders through value creation or avoiding or minimising costs associated with regulatory action, class actions or reputational damage. From an academic perspective, the analysis undertaken in this book will also serve to shed some light on the completeness, effectiveness and appropriateness of existing laws relating to corporate information. Effective and appropriate

information laws are an essential pre-condition to ensuring that corporate endeavour is facilitated in an information economy. This is not to say that developing a framework within which it is possible to order and characterise information law is a straightforward matter. It is not. However, the aim of this text is to take initial steps towards that objective so that the above goals may be achieved over time. Before concluding this introduction, it is necessary to define the term ‘corporate information’.

The domain — ‘corporate information’ 1.13 Given that the key expression used in this book is ‘corporate information’, it is essential to define the meaning of that term at the outset. For the purposes of this book, ‘corporate information’ is used as a convenient label to describe information that a corporation collects, creates, uses, discloses or stores, and which has some degree of value to the corporation or an external stakeholder. In this sense, the expression is an umbrella term for a wide range of information types. For example, the term covers management reports and other financial or performance information relating to the corporation. It extends to informational assets of the corporation such as personal information of customers, know-how, trade secrets, research and development information and informational products that a corporation can monetise.20 It is also intended to cover the information that corporations use or otherwise convey to actual and potential customers in order to create value through the sale of goods and services. Such information will, of course, include information used during the [page 11] course of marketing and advertising activities,21 but it also includes the terms and conditions contained in consumer contracts.

THE STRUCTURE 1.14 The main body of this book is divided into four distinct parts. Part 1 contains this introduction to the topic. Part 2 will examine issues relating to

ownership of corporate information. Part 3 will explore issues concerning the boundaries that exist in terms of the sovereignty over corporate information. Part 4 will discuss issues that arise in connection with the integrity and security of corporate information.

Part 2 — Rights in corporate information 1.15 The second part of this book (Chapters 2–4) focuses on issues relating to sovereignty that corporations have over information. That is, it explores the rights that corporations can have in corporate information. The rights in this context are strong in some cases and rather ‘thin’ in others. For example, the High Court of Australia has repeatedly rejected the proposition that information per se is proprietary in nature.22 For example, in Breen v Williams (1999) 138 ALR 259 Dawson and Toohey JJ expressed the view that there ‘can be no proprietorship in information as information, because once imparted by one person to another, it belongs equally to them both’.23 Over 50 years earlier Latham CJ remarked in Federal Commissioner of Taxation v United Aircraft Corporation (1943) 68 CLR 525 that: I am unable to regard the communication of information as constituting a transfer of property. Upon such a communication the transferor still has everything that he had before and the transferee continues to hold what he has received.24

These comments make sense from a traditional property law perspective. A key feature of property is that it can be alienated.25 It is clear from the statements set out above that information is not capable [page 12] of being alienated as such. However, what is also clear is that the law will provide certain proprietary or monopoly rights to the creators or owners of corporate information in certain circumstances. Chapter 2 discusses the protection that is available for corporate information under copyright law and the shortcomings of that regime in this context. Chapter 3 considers laws that could address the potential shortcomings under the copyright regime, namely laws analogous to those set out in the European Union’s Database Directive and the law of unjust enrichment. Chapter 4 reviews the protection that the laws of confidentiality afford to corporate information. The law of contract will be

mentioned where relevant, although it will not be the subject of a dedicated section or chapter. 1.16 Ultimately, the level and degree of protection afforded to corporate information by law will vary depending on the type of corporate information and how it is, or intended to be, collected, used or disclosed by the corporation. For example, Google Inc would presumably have protection for its non-public search algorithms under, among other things, contract (eg, contracts with employees and suppliers that assist with the development of the algorithm), laws of confidential information and copyright as an original work.26 However, the search results actually served to web browsers as a result of the application of the algorithm would not attract copyright protection under Australian law, would not be confidential information and would, arguably, not attract any significant protection under the relevant contract with users.27 The lack of protection in the latter case may not matter to Google from a practical perspective. Although one cannot foresee how creatively a party may utilise the information in the future, there is no apparent value to a competitor or a free rider in the information provided in response to an individual query other than for the purpose of a user clicking on the relevant link.

Part 3 — Limits on information sovereignty 1.17 Chapters 5–9 will examine legal issues that compel disclosure of corporate information or impose other boundaries, limits or controls on the use of such information. [page 13] 1.18 Chapter 5 will study the laws that compel corporations to disclose certain information where the underlying purpose of such disclosure is investor protection. The principal laws that will be covered in this section include laws that mandate certain disclosures of corporate information to investors or the market. Such laws include periodic disclosure laws, and those relating to continuous disclosure, the issuing of securities and takeovers. 1.19 Chapter 6 will examine laws that are based on a strong consumer protection philosophy. That is, the Chapter will examine laws that require

corporations to ensure that information it communicates to the market or consumers generally complies with prescribed norms, namely that such information is not misleading, deceptive or false. Chapter 6 will also discuss the trend of imposing increasingly prescriptive requirements in terms of the content and form of disclosures to consumers. This trend will be illustrated by reference to recent developments in this area. 1.20 Chapter 7 will focus on laws that require corporations to disclose information under the information-gathering powers of two key regulators, the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission. It will also briefly discuss the requirements to disclose corporate information to private parties in connection with litigation. Chapter 7 will close with a discussion on the scope of the right of persons to refuse to provide information to regulators or parties in civil litigation by asserting legal professional privilege. 1.21 Chapter 8 will examine other limits or controls on the use of corporate information. For example, it will feature a discussion on insider trading, fiduciary duties and conflicts of interest. The Chapter will also include a discussion on the laws or methods that a corporation can use to limit the use of its corporate information or information concerning it by other parties. Examples of these include laws regulating comparative advertising, those regulating the misuse of corporate information (eg, under ss 183 and 184 of the Corporations Act) and steps that corporations can take to protect against the misuse of information that damages the reputation of the corporation or its officers and employees. 1.22 Chapter 9 will review the new privacy laws that will commence on 12 March 2014. The main focus will be outlining what these laws require in terms of the collection, use and disclosure of personal information and credit information. [page 14]

Part 4 — Information security and management 1.23 Part 4 contains two chapters. Chapter 10 will demonstrate how corporations are able to take advantage of the operational efficiencies that the law offers corporations seeking to digitise their information retention

infrastructure. Chapter 11 will outline the current security threats to corporations, the legal obligations on corporations in terms of information security and the controls that this may require corporations to impose in order to discharge their legal obligations.

CONCLUSION 1.24 The protection and regulation of corporate information are concepts that are at once fascinating and confounding. Information, at different times and from different perspectives, can be characterised as fungible, dynamic, polymorphic, ephemeral, permanent, objective or subjective. The same information can be with or without value, depending on when, how or where it is created, conveyed or used. Whether the law will protect or regulate corporate information will depend on how it is characterised by the court or lawyers at a given point in time. Much depends on the views of the mythical reasonable person. It is the process of characterisation or evaluation that is most interesting from the perspective of an information lawyer. For example, under copyright law a work must, among other things, be characterised as the product of a human author who has exercised ‘independent intellectual effort’28 or ‘sufficient effort of a literary nature’.29 There are no constant, objective criteria for determining whether these thresholds have been satisfied. The characterisation process becomes one based on ‘fact and degree’ and the circumstances of the given case. Whether confidential corporate information can be protected at law will depend on, among many other things, the extent to which it remains confidential. Some disclosures (even on social media sites) are not fatal to information losing its confidentiality at law, but again this is a matter for judgment based on fact and degree. The legal characterisation of the meaning of information is critical to determining whether it will trigger continuous disclosure obligations. Information must be evaluated in context. Information that may appear to be disclosable at first blush may not be disclosable at law because of the prevailing circumstances in which it arises. The prevailing circumstances may ‘cancel out’ the materiality of the information. Importantly, the [page 15]

continuous disclosure regime will not require the disclosure of misleading or false information. Conversely, the insider trading laws will regulate the use of any inside information whether such information is true or false. When the focus moves to takeovers, capital raisings and the issuing of financial products, the law uses the reasonable investor test to assess what may need to be disclosed. If a corporation acts reasonably in disclosing information in this context, it can avoid liability even if the information is found to be misleading and investors incurred loss in reliance on such information. Again, whether information is ‘personal information’ for the purposes of the Privacy Act 1988 (Cth) will in many cases depend on the context in which the information is collected and used. For example, an IP address, user ID or mobile phone number may not be ‘personal information’ for the purposes of the Privacy Act, depending on what other information is collected with, or related to, that information. As there are no objective tests, much will depend on whether a court would consider that a person could be identified by this information having regard to all the circumstances of the case. These are just some of the features of information law that make it such a compelling and important field of study. It is the variability associated with information law that makes it a challenging and rewarding field of study. The aim of this book is to add to the body of knowledge in this context by providing a central framework for the study of corporate information and the law so that this variability can be examined, and the underlying patterns and principles can be identified and evaluated. _________________________ 1.

Securities and Exchange Commission v Matiera 745 F 2d 197 (1984) at [1] per Kaufman J.

2.

McKinsey Global Institute and McKinsey’s Business Technology Office ‘Big Data: The Next Frontier for Innovation, Competition, and Productivity’, June 2011, .

3.

International Data Corporation (IDC) Press Release ‘IDC Predicts 2012 Will Be the Year of Mobile and Cloud Platform Wars as IT Vendors Vie for Leadership While the Industry Redefines Itself’, 1 Dec 2011, .

4.

R Wray ‘Internet Data Heads for 500bn Gigabytes’ The Guardian, 18 May 2009, .

5.

See fn 4, Wray.

6.

S Cumming and M Crompton, Independent Review of ACC’s Privacy and Security of Information, The Accident Compensation Corporation of New Zealand and Office of the Privacy Commissioner of New Zealand, 22 August 2012, 3.

7.

See fn 2, McKinsey.

8.

R Cohen ‘It’s Not the Size of Your Data, It’s How You Use It’, 5 June 2012, .

9.

See, for example, E E Clark, G Cho, A Hoyle and P Hynes, Cyber Law in Australia, Kluwer International, The Hague, Netherlands, 2010; A Fitzgerald, Going Digital 2000: Legal Issues for Ecommerce, Software, and the Internet, Prospect Media, St Leonards, 2000; Y F Lim Cyberspace Law: Commentaries and Materials, Oxford University Press, Melbourne, 2002; P Quirk and J Forder, Electronic Commerce and the Law, 2nd ed, John Wiley & Sons, Australia, 2003.

10. J McKeough, A Stewart and P Griffith, ‘The Concept of Rights in Information’, Intellectual Property in Australia, 3rd ed, LexisNexis Butterworths, Australia, 2004. 11. B Fitzgerald and A Fitzgerald ‘Copyright, Moral Rights and Rights in Databases’, Cyberlaw: Cases and Materials on the Internet, Digital Intellectual Property and Electronic Commerce, LexisNexis Butterworths, Australia, 2002; and see fn 9, Quirk et al, ‘Further Intellectual Property Issues’. 12. See fn 9, Lim, ‘Privacy and the Internet’. 13. A Gahtan, Electronic Evidence, Carswell, Toronto, 1999; L Gamertsfelder, R McMillan, A Handelsman, P Hourigan, E-Security, Lawbook Co, Sydney, 2002. 14. See, for example, R Baxt, A Black and P Hanrahan, ‘Insider Trading’, Securities and Financial Services Law, 7th ed, LexisNexis Butterworths, Australia, 2008; G Lyon and J J du Plessis, The Law of Insider Trading in Australia, The Federation Press, 2005. 15. For example, see fn 14, Baxt et al, ‘Continuous Disclosure’. 16. For example, see R Baxt, ‘Statutory Duty Not to Make Improper Use of Information’, Duties and Responsibilities of Directors and Officers, 19th ed, LexisNexis Butterworths, Australia, 2009, p 65. 17. J Farrar, ‘The Duty to Avoid Self-Dealing’, Corporate Governance: Theories, Principles and Practice, Oxford University Press, Melbourne, 2008. 18. This refers, for example, to marketing that is covered in traditional marketing law texts. See B Clarke, B Sweeney and M Bender, Marketing and the Law, 4th ed, LexisNexis Butterworths, Australia, 2010; A Bruce, Consumer Protection Law in Australia, LexisNexis Butterworths, Australia, 2011; C Lockhart, The Law of Misleading and Deceptive Conduct, 2nd ed, LexisNexis Butterworths, Australia, 2011. 19. In relation to defective disclosure issues, see, for example, fn 14, Baxt et al, ‘Liability for Defective Disclosure’. 20. For example, telephone directories (Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCA 44); television program guides (IceTV Pty Ltd v Nine Network Australia Pty Ltd [2009] HCA 14 (IceTV)); safety data sheets (Acohs Pty Ltd v Ucorp Pty Ltd [2012] FCAFC 16); horse racing data (British Horseracing Board Ltd v William Hill Organization Ltd of Case C-203/02, [2004] ECR I10461); and sporting fixtures data (Fixtures Marketing Ltd v Oy Veikkaus Ab Case C-46/02 [2004] ECR I-10365). It also includes information used to derive sales such as a compatibility chart (Dynamic Supplies Pty Ltd v Tonnex International Pty Ltd (2011) FCA 362) and information contained in a medicinal product guide (Sanofi-Aventis Australia Pty Ltd v Apotex Pty Ltd (No 3) (2011) FCA 846). 21. For example, advertising slogans (see Sullivan v FNH Investments Pty Ltd t/as Palm Bay Hideaway [2003] FCA 323) and Google Adwords (see Australian Competition and Consumer Commission v Google Inc [2012] FCAFC 49). 22. A Fitzgerald and B Fitzgerald, Intellectual Property: In Principle, Lawbook Co, Australia, 2004, 7.15. 23. Breen v Williams (1999) 138 ALR 259 at [15] per Dawson and Toohey JJ . 24. Federal Commissioner of Taxation v United Aircraft Corporation (1943) 68 CLR 525 at 534. 25. Professor Ziff has noted that the ownership of property is made up of a collection of rights or incidents

of property with alienation being one such right or incident: see B Ziff, Principles of Property Law, Carswell, Toronto, 1994. 26. The High Court of Australia has acknowledged the coexistence of copyright and confidentiality up until the point of publication: see fn 20, IceTV at [36]. See also s 9(2), Copyright Act 1968 (Cth). 27. ‘Google’s Terms of Service’, Google, . 28. See fn 20, IceTV at [33] and [48]. 29. At [99].

[page 17]

Part 2 Rights in Corporate Information



[page 19]

Chapter 2 Copyright in Corporate Information

COPYRIGHT PROTECTION OF CORPORATE INFORMATION 2.1 Many forms of corporate information can attract copyright protection. However, it must be stressed that its application to some forms of corporate information (especially databases) is particularly problematic. While copyright protection can apply to any work concurrently protected by the law of confidentiality, copyright protection will ordinarily be more important to a corporation where the relevant work is going to be supplied to third parties or made available to the public by the corporation. Where information is supplied to the market at large, that result will necessarily follow.1 This is not to say that copyright protection is only desirable or useful in circumstances where confidentiality does not apply;2 it is just that it assumes special significance where corporate information is being traded as an information asset or is otherwise made generally available.

THEORETICAL UNDERPINNINGS OF COPYRIGHT LAW 2.2 In relation to copyright’s theoretical underpinnings, in IceTV Pty Ltd v Nine Network Australia Pty Ltd [2009] HCA 14 (IceTV) French CJ, Crennan and Kiefel JJ noted that: … [c]opyright legislation strikes a balance of competing interests and competing policy considerations. … The ‘social contract’ envisaged by the Statute of Anne, and still underlying the present [Copyright] Act, was

[page 20]

that an author could obtain a monopoly, limited in time, in return for making work available to the reading public.3

This balancing theme is also referred to by Gummow, Hayne and Heydon JJ in their joint judgment in IceTV, where their Honours said that: … the purpose of a copyright law respecting original works is to balance the public interest in promoting the encouragement of “literary”, “dramatic”, “musical” and “artistic works”, as defined, by providing a just reward for the creator, with the public interest in maintaining a robust public domain in which further works are produced.4

2.3 A critical outcome of this balancing of competing policy considerations is that copyright does not protect information or facts per se.5 However, what copyright does protect is the ‘particular form of expression which an author convey[s] ideas or information to the world’6 and the selection and arrangement of that information.7 This principle reflects what is known as the idea/expression distinction. 2.4 The idea/expression distinction is a key principle underpinning the Copyright Act 1968 (Cth) (the Act).8 Copyright law protects the form of expression that an author reduces to a material form in an unpublished or published literary work; not the actual idea or information conveyed in the work. Accordingly, under copyright law, corporate information is not capable of being ‘owned’ as such. It is merely the form of the expression that is created which is protected. The Act protects a wide range of works, including literary, artistic and dramatic works, and other subject matter such as broadcasts and sound recordings. However, the focus of this chapter will be solely on the protection extended to corporate information comprising a literary work because, if corporate information is to be protected under copyright at all, it will invariably present itself in the form of literary works as opposed to other types of works. [page 21] 2.5 In determining whether a particular selection, arrangement or expression of information is protected by copyright, the courts will apply the various requirements set out in the Act. The following sections will discuss these requirements.

CRITERIA FOR COPYRIGHT PROTECTION 2.6

Copyright protection is available under the Act if four key requirements

are satisfied. Corporate information will attract copyright protection if it: (1) is a literary work; (2) is expressed in material form; (3) is original; and (4) has a relevant connection with Australia. These requirements are easily expressed, but they can be difficult to apply in practice. This is especially so in relation to some forms of corporate information. Each requirement and how it applies to corporate information is discussed below.

Literary works 2.7 Among other things, the Act affords protection to literary works. The term ‘literary work’ is defined in s 10 of the Act in a non-exhaustive manner as including: (a) a table, or compilation, expressed in words, figures or symbols; and (b) a computer program or compilation of computer programs.

2.8 In order to obtain effective guidance as to what can constitute a ‘literary work’, it is necessary to refer to the case law.9 A leading case in this context is Hollinrake v Truswell [1894] 3 Ch 420. In an often-cited statement of what the term ‘literary work’ covers, Lord Davey expressed the view that a ‘literary work’ is one that is ‘intended to afford either information and instruction, or pleasure, in the form of literary enjoyment’.10 The decision of Peterson J in University of London Press v University Tutorial Press Ltd [1916] 2 Ch 601 further clarified the meaning of the terms when his Honour said: In my view the words ‘literary work’ cover work which is expressed in print or writing, irrespective of the question whether the quality or style

[page 22] is high. The word ‘literary’ seems to be used in a sense somewhat similar to the use of the word ‘literature’ in political and electioneering literature and refers to written or printed matter.11

This statement was further elaborated on in Robinson v Sands & McDougall

Proprietary Ltd [1916] HCA 51; (1916) 22 CLR 124 where the High Court said that a ‘literary work need not have literary merit’.12 2.9 The statement in Hollinrake was approved by the court in Exxon Corporation v Exxon Insurance Ltd [1982] Ch 119 and also applied by the High Court in Computer Edge Pty Ltd.13 In the latter case Mason and Wilson JJ were of the view that the cases applying the definition were not ‘intended to establish a comprehensive or exhaustive definition of a literary work for copyright purposes’.14 In the same case Brennan J also observed that: If the print or writing in which the work is expressed conveys information or instruction, albeit to a limited group with special knowledge, it is immaterial that the information or instruction is not expressed in the form of words, phrases or sentences. Thus a telegraphic code has been held to be a literary work though the words of the code were meaningless in themselves: D P Anderson & Co Ltd v Lieber Code Co (1917) 2 KB 469.15

In Data Access Corporation v Powerflex Services Pty Ltd [1999] HCA 49 (Powerflex) the High Court stressed that it is acceptable for a literary work to ‘serve utilitarian rather than aesthetic ends’ and, in this regard, stated that a ‘map and a recipe book are obvious examples’.16 2.10 Accordingly, if a work satisfies the fairly low standards described above it will be a literary work. It would seem in many cases that corporate information would satisfy the Hollinrake requirement in that the very purpose of corporate information is invariably to convey information and instruction even if, for example, that is to a limited group with specialist knowledge or the information and instruction only serve utilitarian purposes. Much corporate information will only serve utilitarian purposes. [page 23]

A ‘table’ as a literary work 2.11 The general principle in Hollinrake regarding what constitutes a ‘literary work’ is supplemented by the definition in s 10 of the Act. That is, the term ‘literary work’ is defined in s 10 to include a ‘table’, ‘compilation’ and a ‘computer program’. The term ‘table’ which appears in s 10 is not defined in the Act. The Macquarie Dictionary defines the word ‘table’ to include relevantly: ‘an arrangement of words, numbers, or signs, or combinations of them, … to exhibit a set of facts or relations in a definite, compact, and comprehensive form; a synopsis or scheme.’ Further, the Explanatory Memorandum to the Copyright

Amendment Bill 1984 (which amended the definition of ‘table’ in the Act) stated that: … [b]y removing the requirement that tables or compilations be in a visible form it is made clear that a computerised data bank [ie, a database], for example, may be treated as a compilation being a literary work. It is also important because data is often stored in a computer as a table.17

2.12 If it is not already implicit in this definition of ‘table’ itself, a table would still need to satisfy the statement set out in Hollinrake in order to be capable of being a literary work. That is, any table containing corporate information would, at the very least, need to convey information and instruction. In light of the fact that the usual aim in developing a table incorporating corporate information is for the purpose of conveying information or instruction, it will inevitably follow that such a table would constitute a literary work for the purposes of s 10 of the Act. Examples of tables that have been held to be literary works are a table containing product compatibility information,18 a table containing authorisation codes19 and a table containing bit patterns used for compressing data used within a computer.20

A ‘compilation’ as a literary work 2.13 In relation to the ‘compilation’ element contained in the definition of ‘literary work’, the High Court in IceTV observed that the statutory texts in both the United Kingdom and Australia with respect to the protection of a ‘compilation’ are sparse.21 But the justices did refer to what Diplock LJ said in relation to compilations in William Hill [page 24] (Football) Ltd v Ladbroke (Football) Ltd [1980] RPC 539. In that case, Diplock LJ commented that: The derivation of ‘compile’ is from the Latin ‘compilatio’ or plunder, and, following the Shorter Oxford Dictionary, I should regard its natural meaning as being to gather together material from various sources, and a ‘compilation’ as a product of such an activity.22

Further, the Macquarie Dictionary defines ‘compilation’ as the ‘act of compiling’ with the word ‘compile’ defined as meaning, relevantly: ‘to put together (literary materials) in one book or work’ and ‘to make (a book, etc.) of materials from various sources.’

2.14 The above definitions are consistent with the relevant provision of the 1994 Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS agreement). The TRIPS agreement, which Australia is a signatory to, is one of a number of instruments that establish a minimum international standard for the protection of intellectual property. Article 10(2) of the TRIPS agreement provides guidance as to what constitutes a compilation: Compilations of data or other material, whether in machine readable or other form, which by reason of the selection or arrangement of their contents constitute intellectual creations shall be protected as such. Such protection, which shall not extend to the data or material itself, shall be without prejudice to any copyright subsisting in the data or material itself.

This passage expressly indicates that gathering, selecting and/or arranging existing materials from various sources are the quintessential elements in the act of compiling. 2.15 The combined effect of the above references leads to the conclusion that any corporate information that comprises a selection or arrangement of data or other information is capable of being a compilation (and therefore a ‘literary work’) for the purposes of the Act. The relevant data or other information elements would not need to be copyrightable on a stand-alone basis although that could theoretically be the case.

A ‘computer program’ as a literary work 2.16 The term ‘computer program’ is defined in s 10 of the Act to mean: ‘… a set of statements or instructions to be used directly or indirectly in a computer in order to bring about a certain result.’ The interesting aspect of this definition is that there is no mention of the data that may ordinarily reside in or interact with a computer program. The term [page 25] ‘computer program’ was inserted into the Act by amendments made in 1984. The original definition of the term (which was in force until the current version was introduced by the Copyright Amendment (Digital Agenda) Act 2000 (Cth)) provided that a ‘computer program’ was ‘a set of instructions (whether with or without any related information)’. The Explanatory Memorandum to the 1984 amending legislation stated that:

The phrase ‘whether with or without related information’ is intended to make clear that the protected program may include material other than instructions for the computer (such as information for programmers or users of the program, or data to be used in connection with the execution of the program).23

2.17 The 1984 definition of the expression ‘computer program’ provided express grounds for arguing a corporate database system was a computer program. For example, one could have plausibly argued under that definition that data in a database was designed to be used in connection with the execution of related set of Structured Query Language (SQL) statements.24 For example, in the Powerflex case, Gleeson CJ, McHugh, Gummow and Hayne JJ noted that: Moreover, the definition is concerned with instructions which ‘cause a device having digital information processing capabilities to perform a particular function’ and in many cases it will be necessary for instructions to be accompanied by related information if those devices are to perform quite ordinary computer functions.25

The scope to run this argument under the current definition does not present itself. It is likely that the courts would distinguish between a set of statements (ie, SQL statements) on the one hand (ie, what Gleeson CJ, McHugh, Gummow and Hayne JJ referred to in the Powerflex case as ‘the structure, choice of commands and combination and sequencing of commands’)26 and, on the other hand, the data that is read or written to the table in a database. 2.18 In most cases corporate information will not constitute a computer program for the purposes of the Act. A computer program (such as a Database Management System like Microsoft’s SQLServer, IBM’s DB2 or Oracle’s RDBMS) may in fact be used in the development of a database, [page 26] and a set of statement or instructions (such as SQL statements) may be used to gather, select or arrange relevant information in a database. But that will not mean that the information is part of the computer program and it is likely that courts would draw a sharp distinction between the two under current law.

Material form 2.19 The Act does not provide any protection for works (including literary works) until such time as the applicable work is first expressed in a material form. Section 22(1) of the Act provides that:

A reference in this Act to the time when, or the period during which, a literary, dramatic, musical or artistic work was made shall be read as a reference to the time when, or the period during which, as the case may be, the work was first reduced to writing or to some other material form. [Emphasis added.]

2.20 This requirement reflects the core principle underlying copyright law that it is the expression of information and not the information itself that is afforded protection under the law. The key elements of the requirement are ‘writing’ and ‘material form’. These terms are defined in the Act as follows: material form, in relation to a work or an adaptation of a work, includes any form (whether visible or not) of storage of the work or adaptation, or a substantial part of the work or adaptation, (whether or not the work or adaptation, or a substantial part of the work or adaptation, can be reproduced). writing means a mode of representing or reproducing words, figures or symbols in a visible form, and written has a corresponding meaning.

2.21 Corporate information expressed on paper self-evidently satisfies the requirement of ‘writing’ contained in s 22(1) of the Act. However, the concept of ‘material form’ clarifies that the types of media that copyrightable expressions can be embodied in extend well beyond paper. For example, corporate information expressed in Word, Excel or PowerPoint documents attached to an email or stored in a file directory would satisfy the material form requirement. Other forms of digital storage would also satisfy the relevant requirements, including information stored in secondary memory such as hard disks, CDs, DVDs, memory sticks or memory chips. Even corporate information stored in primary computer memory such as Random Access Memory (RAM) or Read Write Memory (RWM) could constitute information stored in a ‘material form’. Ultimately, whether or not corporate information embodied in RAM/RWM will satisfy the ‘material form’ requirement, will depend on the facts of the relevant case. [page 27] 2.22 The case of Stevens v Kabushiki Kaisha Sony Computer Entertainment [2005] HCA 58 (Stevens) found that information stored in RAM is not information in a material form.27 That proposition is correct in respect to the law that applied at the relevant time. In Stevens, Gleeson CJ, Gummow, Hayne and Heydon JJ relied on Emmett J’s judgment in Australian Video Retailers Association v Warner Home Video Pty Ltd [2001] FCA 1719; (2001) 114 FCR 324 (Warner). In that case, among other things, Warner Home Video had to show that the reproduction of part of a video stored in RAM within a DVD player or in

a personal computer was in a material form. Its definition at the relevant time required that any allegedly infringing reproduction had itself to be capable of further reproduction. That is, one had to be able to access and copy any infringing material in RAM for the infringing matter to be in a ‘material form’ for the purposes of the Act.28 This ‘further reproduction’ requirement has since been omitted from the definition of material form. If Warner was decided under current law, the result would have been different. Nevertheless, Emmett J’s statement in Warner that the definition of material form includes forms of storage that are not visible, such as ROM and RAM, remains good law.29 Emmett J also noted that: It is clear enough that the definition [of material form] was intended to be far reaching and to cover not only ROM and RAM but also other types of storage to be developed in the future — see Microsoft Corporation v Business Boost Pty Ltd [2000] FCA 1651 at para [14].30

2.23 Of course, the actual circumstances may weigh against such a finding in a given case (eg, if the storage in RAM is fleeting or ephemeral), but the general principle stated by Emmett J is a sound one.

Original works 2.24 In addition to showing that a work satisfies the test in Hollinrake and is stored in a material form, a literary work must be original.31 [page 28] The concept of originality and authorship are correlative.32 The Act does not ‘impose double conditions’.33 That is, a human must author a work and in that sense the work originates from the author: the concepts are two sides of the same coin. In other words, the ‘originality which is required relates to the expression of the thought. But the Act does not require that the expression must be in an original or novel form, but that the work must not be copied from another work — that it should originate from the author’.34 In IceTV, French CJ, Crennan and Kiefel JJ expressed the view that the originality requirement should be applied in two contexts: first, when determining originality in the context of the subsistence of copyright and, second, when determining originality in the context of alleged infringement.

The two-step approach espoused by French CJ, Crennan and Kiefel JJ is entirely consistent with that of earlier cases. In Ladbroke (Football) Ltd v William Hill (Football) Ltd [1964] 1 All ER 465 (Ladbroke), the court held that the correct approach was to ‘first determine whether the plaintiff’s work as a whole is ‘original’ and protected by copyright [the first step], and then to inquire whether the part taken by the defendant was substantial [the second step]’.35 The key distinction between the two steps is the focus on the ‘whole of the work’ in the first step and the focus on the ‘reproduced part’ in the context of the whole work in the second step.36 The application of these steps follows.

Originality in the context of subsistence 2.25 In the context of subsistence, what must be shown to establish originality is that a human author created the applicable work and that it was not copied. It must also be shown that in creating the work an author must exercise ‘independent intellectual effort’37 or ‘sufficient effort of a literary nature’.38 Whether an author has exercised sufficient [page 29] ‘independent intellectual effort’ or ‘sufficient effort of a literary nature’ in creating a form of expression is a matter of fact and degree.39 As noted in 2.24, the test is applied to the relevant work ‘as a whole’.

Originality in the context of infringement40 2.26 Inherent originality In the context of infringement, it must be determined whether the part of a work that is reproduced is an original. If the work as a whole originated from a human author, it will be original. In addition to the part reproduced originating from an author; it must also have a level of ‘inherent originality’.41 In other words, the part reproduced must be original when assessed in isolation; its collocation within a broader original work will not in itself imbue the reproduced part with originality. In Ladbroke, Lord Pearce said that: The reproduction of a part which by itself has no originality will not normally be a substantial part of the copyright and therefore will not be protected. For that which would not attract copyright except

by reason of its collocation will, when robbed of that collocation, not be a substantial part of the copyright and therefore the courts will not hold its reproduction to be an infringement.42

2.27 This statement illustrates that a literary work as a whole may attract copyright when assessed for the purposes of originality in the context of subsistence, but when a part of that work is scrutinised closely in the context of infringement, it may be found to lack the required level of originality. Put another way, when robbed of its collocation with the rest of the work, the reproduced part of the work may lack any or sufficient originality (ie, either because it did not originate from a human author or a human author did not exercise independent intellectual effort or sufficient effort of a literary nature in expressing the work) and therefore not be able to constitute a reproduction of a [page 30] substantial part of the original work. Stewart et al echo this view in stating that ‘… infringement will not occur if an unoriginal part of the work is taken, even if substantial in terms of quantity’.43 This point was stressed by Peter Gibson LJ in Newspaper Licensing Agency Ltd v Marks and Spencer plc [2001] Ch 257 when he said: ‘I do not understand how in logic what is an insubstantial part of a work can when aggregated to another insubstantial part of another work become a substantial part of the combined work’.44 This statement was cited with approval by French CJ, Crennan and Kiefel JJ in IceTV in the following passage: Assuming copyright subsists in the Weekly Schedule (as admitted by IceTV and IceTV Holdings) and in the Nine Database, each Weekly Schedule (and each week’s version of the Nine Database) is accepted by Nine in this Court to be a separate copyright work. If there were no reproduction of a substantial part from any of the individual works, the conclusion must be that there was no infringement of copyright in any of the works. The fact that there was “systematic copying” of time and title information over a period of time, from many of the individual works, does not alter that conclusion. To the extent that there are nineteenth century cases to the contrary, they should not be followed. It is sufficient for the purposes of discussing infringement in this appeal to focus on a single Weekly Schedule (or a single week’s version of the Nine Database), as what is said will apply to all of them.45

2.28 Substantiality — a focus on quality Copyright in a work will only be infringed if a substantial part of that work is copied.46 It has been said that this is a key requirement of copyright law and one of the most difficult to apply.47 If the reproduced part is original, then a court will assess whether the part taken was substantial in both quantitative and qualitative perspectives, with the latter being the critical factor.48 In IceTV, French CJ, Crennan and Kiefel JJ stated that: … in order to assess whether material copied is a substantial part of an original literary work, it is

necessary to consider not only the extent of what is copied: the quality of what is copied is critical. This principle has a long provenance and it is particularly apposite when considering a compilation. Some compilations are no more than a selection

[page 31] or arrangement of facts or information already in the public domain. When the particular form of expression contains facts and information, it is not helpful to refer to “the rough practical test that what is worth copying is prima facie worth protecting”. To take an example, facts are obviously worth copying for purposes such as a narrative work of history which depends on secondary sources. It is equally unhelpful to refer to the “commercial value” of the information, because that directs attention to the information itself rather than to the particular form of expression. [Citations omitted.]49

2.29 In this respect, one can see the paramount influence that quality has in this regard. The higher the quality of the part reproduced, the less important the amount taken becomes. Conversely, it would seem to follow that the less original corporate information is in this context, the more information that will need to be taken in order to constitute a substantial reproduction. That is, one needs to determine whether enough of the applicable material has been reproduced to constitute a substantial reproduction of the original work.50 It is also possible for a substantial part of a work to be reproduced where there is systematic or repeated copying from the one work.51 This principle could have a very important application in the context of corporate databases, however, care needs to be used in this context as copyright will not protect the underlying ideas or information in a compilation; it will only protect the form of the expression. As Gummow, Hayne and Heydon JJ observed in IceTV: … baldly stated matters of fact … are inseparable from and co-extensive with their expression … If the facts be divorced from the other elements constituting the compilation in suit … then it is difficult to treat [them] as the reproduction of a substantial part … in the qualitative sense required by the case law.52

On a related point, Upjohn J expressed the view in Football League Ltd v Littlewoods Pools Ltd [1959] 1 Ch 637 that in the context of a compilation of facts and information: If the defendants like to use the information contained in the chronological list and prepare their own lists by “scrambing” the order of matches so

[page 32]

that the divisions were all mixed up and so that there was no alphabetical order, it is possible that it could be successfully argued that they were using only the information and were not reproducing the compilation.53

2.30 In summary, the originality requirement is to be applied at two points in the forensic process. First, one must assess the originality of a literary work as a whole in the context of subsistence. And, second, in the context of infringement, one must assess whether the relevant part that has been reproduced is in fact itself original when assessed without the benefit of collocation. If it is determined that in fact an original part of a work has been reproduced, then it must be determined whether that part is a ‘substantial part’ of the original work. 2.31 Corporate information — originality in the context of subsistence The application of the originality requirement in the context of subsistence should generally result in a positive outcome in relation to many forms of traditional corporate information. For example, management reports, board papers, strategy papers, business proposals or reports and the like will usually be created by a named author who will reduce some form of information or instruction to written form. In most cases it would also be a fairly straightforward exercise to demonstrate that the relevant author had exercised ‘independent intellectual effort’54 or ‘sufficient effort of a literary nature’ such that the material is original when considered as a whole. However, the originality requirement in this context can result in no copyright protection being afforded to more recent and burgeoning forms of corporation information (eg, databases containing ‘Big Data’) created as a result of significant investment in technology. Indeed, the more technology that a corporation employs in developing or creating corporate information, the more likely that copyright protection will not apply as a result of the originality requirement. This was the case in the Phone Directories decisions (discussed in detail at 2.48) where originality could not be demonstrated because the evidence showed that the work was computer-generated and did not originate from a human author. 2.32 In addition to the issues associated with databases, two other types of corporate information that struggle to attract copyright are individual words and slogans. Trade marks or quasi trade marks such [page 33]

as ‘Exxon’,55 ‘SmartFax’56 and ‘LePacer’57 do not attract copyright protection because they do not satisfy the test in Hollinrake in that they do not convey information and instruction, or afford pleasure in the form of literary enjoyment. Corporate or marketing slogans are also generally denied copyright protection as plaintiffs have not satisfied the court that slogans demonstrate the appropriate level of ‘judgment, effort or skill’ to render them literary works. For example, in Sullivan v FNH Investments Pty Ltd t/as Palm Bay Hideaway [2003] FCA 323 the judge found that the slogans ‘Somewhere in the Whitsundays’ and ‘the Resort that Offers Precious Little’ were not protected by copyright as the plaintiff could not ‘point to anything which showed the requisite degree of judgment, effort and skill to make it an original literary work in which copyright may subsist’.58 Interestingly, commentators in the United Kingdom have expressed the view that in relation to advertising copy, ‘it may be said that the courts would be more ready to protect even short passages nowadays, since such material is now recognized generally to require creative talent of a high order for its composition’.59 2.33 Corporate information — originality in the context of infringement In many situations, it is not hard to envisage the originality requirement in the context of infringement being satisfied, especially where the reproduced part comprised a traditional form of corporate information (such as management reports, board papers, strategy papers, business proposals or reports and the like). In many cases such a reproduced part would have originated from an author (who is probably specifically named in the relevant document or named in any meta data associated with the document if it is in digital form). Given the purposes of such documents, it would not be unusual for a reproduced part to have inherent originality. However, there could [page 34] clearly be situations where such information contains material created by another party (like a chart from a ratings agency or a government department or material that is provided by a consultant) and therefore would not be original in the sense that it did not originate from a human associated with the plaintiff. Where

originality did exist, whether the reproduced part was a substantial part would be a matter for evidence. 2.34 In relation to corporate information in compilations or databases, where the information is inseparable from the form of its expression, it may not have the relevant inherent originality in this context. This was the case in IceTV in respect of the information copied by IceTV Pty Ltd from Nine’s program schedule. No amount of copying of this type of information will render such a reproduction a ‘substantial part’ of the original work for copyright purposes. Alternatively, in a case where corporate information is reproduced from a compilation or database and it has some inherent originality, but it may be of such low level that an insufficient quantity of the original work (ie, corporate information) was reproduced to constitute a ‘substantial part’ and therefore no infringement will have occurred. Issues relating to the application of the originality requirement to databases will be discussed in more detail at 2.37ff.

Connecting factors 2.35 The final requirement in order to attract copyright protection is for the work to have a connecting factor. The so-called connecting factors effectively create a personal or territorial link between the relevant work and Australia. What is required here depends on whether the literary work is published or unpublished. In the case of unpublished works, s 32(1) of the Act provides that copyright will exist in an unpublished literary work if the author: (a) was a qualified person at the time when the work was made; or (b) if the making of the work extended over a period — was a qualified person for a substantial part of that period.

Section s 32(2) of the Act provides that copyright will exist in a published literary work where, relevantly: … (c) the first publication of the work took place in Australia; (d) the author of the work was a qualified person at the time when the work was first published

2.36 Finally, s 32(4) of the Act defines the expression ‘qualified person’ to mean an Australian citizen or a person resident in Australia. It will be a matter for evidence if corporate information has the relevant link. An issue [page 35]

in this context is that if corporate information is created, say in the form of database, by non-citizens or non-residents in an offshoring context, a corporation will need to rely on the operation of international copyright recognition provisions to establish the relevant connecting factor.60

SCOPE OF COPYRIGHT LAW PROTECTION FOR CORPORATE INFORMATION 2.37 As discussed above, as a general rule copyright does provide a level of protection for corporate information. This is particularly the case in relation to the more traditional forms of corporate information (such as management reports, board papers, strategy papers, business proposals or reports and the like). However, copyright is poorly suited to providing protection for corporate information contained in corporate databases. This is not surprising given copyright’s origins as a law that was designed to protect the copying of books.61 Its scope and sophistication have developed since those times, but despite that development it is not able to afford protection to databases in a consistent manner or at all. The legal and economic consequences of the copyright not extending protection to corporate databases in some circumstances will depend on whether a corporation commercially exploits the information assets contained in the database. If it does, then the law of confidentiality will not be of any assistance. The law of contract may be of some assistance, but if the copying occurs outside a contractual arrangement (as it did in IceTV and the Phone Directories cases — discussed below), then the lack of copyright protection will have significant legal and, potentially, economic implications for the corporation. 2.38 There are two key factors that make copyright an unsuitable vehicle for protecting corporate information in databases. These factors both derive from the ‘originality’ requirement and the need to show: (a) A human author created the database or compilation. (b) In the event that there is more than one human author, the need to show that all authors worked collaboratively in creating the database or compilation.

These factors are explored below. [page 36]

Evidence of authorship 2.39 As noted in 2.38, for corporate information contained in a database to be protected by copyright law, it needs to be the work of a human author. In IceTV Gummow, Hayne and Heydon JJ observed in relation to Nine’s compilation that the evidence did not disclose the existence of a human author.62 Among other things, whether or not evidence in this case would have made any difference to the result is worth exploring. 2.40 The first factor that raises evidential difficulties in this context is the dynamic nature of databases. As the High Court said in IceTV, an essential aspect of copyright law is identifying the work that is the subject of a copyright claim. This can be a problematic task. A database is by its very nature dynamic; it is designed to change. If a database is always changing, it is very difficult to identify its boundaries (ie, what it contained) and who was involved in ‘authoring’ it at that point in time (or up until that point in time). Obviously, this factor will influence how a case is run and what evidence is led (or indeed can be led). 2.41 A related and more specific issue relates to the technical nature of databases. Relational databases contain tables made up of columns and rows. Corporate relational databases have many tables that are related to each other. Groups of tables may also have relationships with other groups of tables. In any given case it is necessary to consider whether each table is a work for copyright purposes or whether a group of tables constitutes the work. The identification of the boundaries of the work (ie, database) is critical as it will impact the evidence that will be required to be led in order to establish copyright, including who the authors of the relevant work are and whether it is original in the requisite sense. This is always likely to be a difficult task. The difficulty in identifying the applicable work in this context was remarked upon in IceTV.63 2.42 Assuming that the work in suit can be identified with sufficient particularity, then the next evidential issue that needs to be addressed in these cases is providing evidence that sufficiently identifies the human authors of the relevant work. This was an issue that was commented on by the court in IceTV,64 but was not necessary to decide in that case because of the concession by IceTV Pty Ltd regarding the fact that copyright subsisted in the work in suit. It appears the court would have [page 37]

been keen to receive evidence on this point if it had been the court of first instance. While the decision did not turn on this point, Gummow, Hayne and Heydon JJ in IceTV observed that there was little evidence of the type discussed above. Gummow, Hayne and Heydon JJ commented that: Further, while the evidence described the giving of access to information in the Nine Database (“dumping”) as enabling persons with this access to view or in some cases modify the proposed programme schedule …, there was no evidence about how the information in the Nine Database came to be assembled in the way it was when those persons viewed it or sought to modify it. Nor was there evidence about who it was who decided that information should be assembled in this way.65

2.43 In the same part of their joint judgment the justices then cited passages from a text66 by Professor Davison that is relevant in this context. The first passage from Professor Davison’s text cited in the judgment of Gummow, Hayne and Heydon JJ outlines the possible difficulties in demonstrating authorship of databases:67 There is some argument that some databases do not have authors in the copyright sense. This argument is based on the proposition that electronic databases are arranged automatically by the computer program … The operator may simply key in the data in an undiscriminating manner or insert data that are already in digital form, and the data may be organised by the computer program. There may be no originality associated with the selection of the data included in the database, particularly if the selection consists of all the available material relating to a particular topic. It could be further argued that, as the arrangement has occurred automatically as a consequence of the operation of the computer program that manipulates the data, the supposed author of the database has not in fact authored it.68

2.44 The second passage from Professor Davison’s text that the justices cite outlines possible approaches to addressing the evidential issues identified in the preceding passage. In the relevant passage Professor Davison expresses the view that these approaches:69 … require some understanding of the process of creating and updating an electronic database. First, the actual creation and updating of a database is rarely as simple as indiscriminately keying new data into some form of digital storage … A decision has to be made about defining the records

[page 38] and fields (or the rows and columns) that are to be contained within the database … Even though the final result is produced by the ‘work’ of a computer in arranging the material in this way, human thought went into the scheme of the database and the conception of how the material would look to the external user … The second response … is based on the proposition that the authors of databases can claim authorship by virtue of having considered the possible outcomes of their input into the database. They have chosen the software used in the database and therefore chosen the operations that it can carry out on the data included. [Original emphasis.]70

2.45 The passages from Professor Davison’s work cited by Gummow, Hayne and Heydon JJ do provide a possible approach to establishing human authorship in databases. The approach seeks to highlight the independent intellectual effort that humans exercise in designing and developing databases. That effort is not insignificant. Human effort is required at many steps during the design, operation and maintenance of any large corporate database. Expanding on the steps identified by Professor Davison with respect to relational databases in 2.43 and 2.44, the ‘authorial’ activity in this context can be grouped into a number of broad steps. First, a database is the result of structures created by human authors. The type of corporate database that is being developed will determine the level of skill, labour and judgment that human ‘authors’ will need to apply in order to develop the database. The development of a large relational database will invariably require the development of a complex data model or schema within the database itself. Popular relational databases include IBM’s DB2, Microsoft SQL Server and the open source MySQL. Common uses include use as operational databases (such as Customer Relationship Management databases and personnel databases) and data warehouses used to support the retrieval, quantitative analysis and data mining. On the other hand, a non-relational database such as a NoSQL database will require less design work within the database itself, but this design work needs to be done within applications that read and write to the applicable database. Examples of popular non-relational databases include CouchDB and DynamoDB. In many cases the data model or schema for these databases will just comprise a key-value store, where a key is mapped to an object whose structure is determined by the human authors that develop the applications that read or write to the database. [page 39] Second, the relevant ‘authors’ will need to specify the actual operations (eg, read, write or delete operations) that will be able to be performed on the data or structures that will be used within a database. Third, humans will need to implement validation rules to ensure that the actions of users conform to the structures specified for the database and so as to maintain the integrity of the database. Fourth, human ‘authors’ will need to determine what indexes to maintain on the database to enable effective searching. Fifth, a human author

will usually, but not always, be involved in exercising significant skill, labour and judgment in migrating existing data into a newly created database. The combined effect of these steps is that a human author is intimately involved in creating the form in which data is expressed within a database. Indeed, the form of expression is generally dictated by the relevant human author, although this will depend again on the circumstances. For example, a telephone directory and a customer relationship database will contain information where the form of the expression is largely determined by the person who designs the database and applications that interact with it; much like an architect determines the form a house will take. The analogy does not apply with as much force in terms of unstructured data. A social media post by a customer or potential customer who follows or is otherwise linked to a company is an example of unstructured data. That is, the actual post may be free form text, but even in this type of context the form is regulated by the humans that designed the technology used to create the post. The database within which the post will be stored will typically contain much metadata that will be produced and stored alongside the post. Such metadata will be produced as a direct result of how the design decisions of human authors were implemented within the applicable database and related applications. 2.46 It needs to be remembered in this context that a database is by definition a compilation of materials. Some data may well be created by the database itself based on a design decision (eg, automatically created fields within the database), but usually it will be a compilation of materials that have originated, or will originate, from various sources. The sources of these inputs may be human operators who enter data that will be collected, validated, stored and indexed in the manner determined by the developer or developers of the database. Another source could be generated autonomously by computers (eg, the number of unique visitors to a website, transactions conducted at a point of sale terminal or readings from sensors that track GPS signals from mobile phones). However, the compilation of the data or the arrangement of the data that is entered into a database is ultimately predetermined by a human or humans exercising individual intellectual effort. [page 40] 2.47

The approach advocated by Professor Davison and the observations

outlined above comprise a plausible approach to persuading courts that humans other than the mere operators of computers could be considered authors of the output of a database or a work that is produced from that database. But the cases post-IceTV have either not adopted the wider abstract approach set out by Professor Davison or continue to focus on the last step in the creative process and then look for an immediate, direct link to a computer or human in order to determine authorship. The first major database case following IceTV was Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCA 44 (Phone Directories). The issue of authorship was raised in that case and the resolution of that issue had a critical bearing on the outcome of the case. 2.48 Telstra v Phone Directories In the Phone Directories cases, Telstra claimed copyright in compilations (ie, White Pages and Yellow Pages directories) that were developed at substantial cost. The processes leading up to the print run involved much human activity, but the key steps that actually led to the final versions of the directories being rendered were all performed by a computer. At first instance, it was held that the directories produced were not original literary works for the purposes of the Act because the evidence established that they were actually ‘computer-generated’ works.71 On appeal, the Full Federal Court upheld Gordon J’s decision.72 Perram J’s judgment in particular illustrates the approach courts are bound to take where the evidence indicates that a computer performs the key transformative step in creating a work: Who were the people who reduced these directories to their material form? Material form matters because a work is made when it is first reduced to writing or “some other material form” … Further, “material form” by s 10 includes “any form (whether visible or not) of storage of the work …” which, plainly enough, will cover the situation where a work is first assembled as a computer file. In this case, there is no doubt that the directories first took on a material form when a computer file known as the “galley file” was generated which contained the full listing as it would appear for each directory (without the art work). … I have no doubt if the galley file (or some physical analogue of it) had been generated by humans this would have meant that the directories were original works. Since the Act stipulates that compilations are literary works it follows generally that those who reduce a compilation to material form are likely to be its authors provided there is sufficient intellectual or literary effort involved in

[page 41] the process of reduction. In this case, the putting together of each directory required the application of a large number of internal house rules, the extraction of relevant customer entries from a much larger database of all customers and the sorting into relevant formats. The work involved might not be regarded as highly creative but that is not the test, particularly where the literary effort required

must be that which attends the creation of a compilation rather than, for example, a novel or a history. Had the tasks been attended to manually an original work would have ensued.73

2.49 Yates J echoed these statements. His Honour was of the view that the steps taken by the computer used to generate the directories were transformative. Therefore, any nexus between human authorship and the work that existed prior to transformation was cut at that point. Yates J expressed his key findings on this point as follows: Contrary to [Telstra’s] submission, the Genesis Computer System was not a mere tool utilised by [Sensis] employees for this purpose. To describe the functioning of the system in this way obscures the fact that the activities carried out by the Genesis Computer System in the “Book Extract” process were transformative steps that were obviously fundamental to the making of the compilation in each case. It was those activities that resulted in each compilation taking the form that it did. Those activities replaced what would otherwise have been, no doubt, the extensive work of individuals deploying their respective intellectual resources and capacities to select, order and arrange the listings as they appeared in each [White Pages Directory] or [Yellow Pages Directory], albeit in accordance with specifically mandated rules and procedures. When carried out by individuals, activities of this kind undoubtedly would have been of an authorial nature and would have been counted as an essential contribution to the making of the compilation in each case. However, in the present case, these activities, essentially, were not those of an author for copyright purposes. [Telstra and Sensis], no doubt for good commercial reasons, effectively supplanted the involvement of authors in carrying out those transformative steps. In this connection it is not to the point that [Sensis] employees were also involved (as [Telstra] submitted) in selecting, customising, maintaining and operating the computer systems that were deployed in the production of the directories, including particularly in relation to the “Book Extract” process. Those activities are akin to educating, training or instructing individuals, and maintaining a sufficient number of them, to carry out the discrete activities of selecting, ordering and arranging material to create the individual compilations. However, the two bodies of activity should not be confused for one another.74

[page 42] 2.50 Chief Justice Keane came to the same conclusion on the point of authorship as Perram and Yates JJ.75 The court did not believe it was a requirement to identify all human authors; just that it had to be shown that human authors existed. Chief Justice Keane observed that: … One may accept that identification by name of each and every author is not necessary in order to make out a claim that copyright subsists under s 32(2)(c): what is necessary, however, is that it be shown that the work in question originates from an individual author or authors.76

2.51

Perram J described the requirement as follows:

The appellants submitted that the learned primary judge had erred by holding that they failed because they had not identified each individual author. I do not believe her Honour made such a finding. To the contrary, her Honour said “[i]f an author or authors … cannot be identified at all, in

contradistinction to a situation where the author’s or authors’ exact identity cannot be identified, copyright cannot subsist” … I do not read her Honour, therefore, as having required that the appellants literally name the authors but only that they demonstrate that the authors existed. If I am wrong in my reading of the primary judge’s reasons, however, I would not accept that it is necessary to identify each author. All the Act requires … is that there be an original work first published in Australia. The necessity for there to be an original work carries with it the necessity for there to be an author or authors but all that needs to be demonstrated is that such persons exist. Their identification is not legally required by the concept of an original work. The statement by Gummow, Hayne and Heydon JJ in IceTV that “[t]o proceed without identifying the work in suit and without informing the inquiry by identifying the author and the relevant time of making or first publication, may cause the formulation of the issues presented to the court to go awry” … is, I think, a counsel of wisdom rather than a legal stipulation.77

Accordingly, it is submitted that the plaintiff need just show that authors exist as opposed to having identify them all may not greatly alter the evidential burden. A corporation will still need to identify a development process and show that human authors took certain steps in creating a work. To do this successfully, a corporation would need to ensure it maintains accurate records of the development process that identify with some specificity the roles humans played in the development process and, where any external authors create works, that such work is assigned to the corporation. Whether such authors are specifically identified would not be strictly necessary, but potentially desirable in some cases. [page 43] 2.52 The Phone Directories case is a clear signal that that courts will be looking for evidence of humans performing authorial roles. The fact that the High Court denied Telstra’s special leave application in respect of this decision demonstrates that it did not consider any mistake of law had been made.78 As an aside, it is interesting in cases concerning defamation that courts are much more willing to ‘look through’ technology to designers of applicable systems in order to find that human actors created the result complained of in a suit. For example, in a defamation context the court in Trkulja v Google Inc LLC (No 5) [2012] VSC 533 said that: [t]he plaintiff accepted (correctly in my view) that he had to establish that Google Inc intended to publish the material complained of. While much was made by counsel for Google Inc of the fact that there was no human intervention between the request made to the search engine and the publication of search results, and of the fact that the system was “fully automated”, the plaintiff’s point was that Google Inc intended to publish everything Google’s automated systems (which systems its employees created and allowed to operate) produced. Specifically, the plaintiff contended that Google Inc intended to publish the material complained of because while the systems were automated, those systems were the consequence of computer programs, written by human beings, which programs

were doing exactly what Google Inc and its employees intended and required. On this basis, it was contended that each time the material complained of was downloaded and comprehended, there was a publication by Google Inc (the operator and owner of the relevant search engines), as intended by it.79 … The jury were entitled to conclude that Google Inc intended to publish the material that its automated systems produced, because that was what they were designed to do upon a search request being typed into one of Google Inc’s search products.80

2.53 The Full Federal Court’s decision in Phone Directories indicates that in a copyright context the courts will not ‘look through’ technology to the human actors that designed systems that produce works, especially in the absence of any evidence that compels them to do so. Accordingly, without legislative reform the law of copyright will not be able to afford protection for large-scale corporate databases in Australia for two reasons. First, Phone Directories demonstrates that it will be incredibly difficult to provide the required evidence of human authorship when technology performs the final ‘transformative step’ in the production of a [page 44] work. Second, even if evidence of some human authorship was produced and accepted, it would be difficult to demonstrate that such authors collaborated so as to satisfy the joint authorship requirement in the Act. The collaboration issue is discussed below at 2.60.

Reform 2.54 The judgments in Phone Directories apply the Act well. However, they describe an archaic legal framework that fails both to protect certain areas of commercial endeavour and promote the investment in informational products that provide valuable information and instruction to the community. That is, Telstra’s informational product was produced at great expense. Phone Directories was a free rider as it contributed nothing towards the production of the Telstra databases and derived its own revenue, in part, as a result of its freeriding. This outcome hardly seems appropriate from a commercial perspective, especially against the backdrop of information economy. As much was indicated

by the trial judge and the Full Federal Court. Gordon J commented in her first instance decision that: [i]t is not open to me to ignore the express words of the Copyright Act to expand protection consistent with that set out in the [European Directive on the legal protection of databases] as summarised by the High Court. That is a matter for Parliament and, in my view, a matter which they should address without delay.81

2.55 Chief Justice Keane also found in the Full Federal Court that the directories were not compiled by human authors and that this may give rise to a perception of injustice.82 His Honour then went on to say: Whether or not that means that legislative reform of the kind adopted in the European Union by the Directive of the European Parliament and of the Council on the Legal Protection of Databases is warranted is a matter for the legislature. This Court can give effect to the statutory monopoly conferred by the Act only in conformity with the terms of the Act.83

2.56 These decisions echo concerns first raised over a decade earlier by a group of copyright experts. In 1999 the Copyright Law Review Committee (CLRC) in its review of copyright protection for computer-generated material84 identified evidence that courts had adopted an [page 45] approach of ‘analogising computers with the historical tools of authors’ in order to satisfy the ‘authorship’ requirement under the Act.85 However, the CLRC was also concerned that: If the analogy were to break down, computer-created material will not receive the higher level of protection even though that material reflects significant intellectual effort by the person who undertakes its creation. That is an outcome that differentiates between creators on the basis of the tools used by them, and discriminates against those using the most advanced (i.e. computer-based) tools.86

The CLRC’s fears were crystallised in both the first instance and Full Federal Court Phone Directories decisions.87 The inability of the analogy to extend to computer-generated work was summarised by Perram J as follows: Whilst humans were ultimately in control of the software which did reduce the information to a material form, their control was over a process of automation and they did not shape or direct the material form themselves (that process being performed by the software). The directories did not, therefore, have an author and copyright cannot subsist in them.88

Given the case law in this area, it is appropriate to consider how the issues raised above may be addressed by way of reform.

Amending the author requirement 2.57 The CLRC recommended that in order to modernise the law in this context the Act would need to be amended. In making the recommendation the CLRC acknowledged the centrality of the human author concept, but it envisaged that it was desirable to tie that concept to a ‘creation or production’ test rather than the requirement to ‘author’ a work. The CLRC explained this proposal as follows: The majority of the Committee recognises, however, that it will continue to be necessary to be able to connect copyright subject matter with a human, not the least for the purpose of determining which, if any, innovation threshold is satisfied. The approach that the majority of the Committee recommends is to conceptualise the connection not as one of

[page 46] ‘authoring’ the work, but instead as one of ‘undertaking the creation or production of’ the copyright material. In so doing, the majority of the Committee intends that the focus be moved from the issue of whether the computer utilisation can be analogised with traditional tool utilisation, to the more germane issue of which human should be the one identified as sufficiently associated with the creation or production of the material for the purpose of the innovation threshold.

2.58 There is some merit to this proposal. Indeed, the same approach has actually been adopted in New Zealand and in the United Kingdom. The approach is reflected in s 9(3) of the Copyright, Designs and Patents Act 1988 (UK) which provides as follows: In the case of a literary, dramatic, musical or artistic work which is computer-generated, the author shall be taken to be the person by whom the arrangements necessary for the creation of the work are undertaken.

2.59 Consequently, the introduction of this provision into United Kingdom copyright law shifted the focus from ‘authoring’ of a work to identifying the ‘human who is sufficiently associated with the creation or production of the material’. The New Zealand approach in this context is also instructive. Section 5 of the Copyright Act 1994 (NZ) provides, relevantly, as follows: Meaning of author (1) For the purposes of this Act, the author of a work is the person who creates it. (2) For the purposes of subsection (1), the person who creates a work shall be taken to be, — (a) in the case of a literary, dramatic, musical, or artistic work that is computer-generated, the person by whom the arrangements necessary for the creation of the work are undertaken: … (3) The author of a work of any of the descriptions referred to in subsection (2) may be a natural

person or a body corporate. [Emphasis added.]

2.60 It is evident from the extract above that the legislatures in both New Zealand and the United Kingdom have sought to address the issue of who is an author of a computer-generated work in substantially the same manner. However, it is not clear if Australian copyright law was amended in a similar way whether the amendments would provide a full or partial response to the problems discussed above in this context. This is due to the fact that where two or more authors have been involved in authoring a literary work the Act requires that they have collaborated in [page 47] producing that work.89 This will continue to be the case irrespective of whether one is dealing with ‘authors’ or ‘arrangers’. Much will turn on what level of abstraction courts applied the deeming provisions. If they were applied at a high level of abstraction (ie, at the body corporate level), a single entity would be deemed to be the author of multiple components of a work. This would overcome issues with the collaboration requirement as a body corporate by definition cannot collaborate with itself. If the test was applied at a lower level of abstraction (eg, at the level of human authorship), then there would still be the need to demonstrate collaboration. There may be scant evidence of this collaboration; especially where a legal contest arises regarding copyright many years after the database was first created. Evidence would need to be adduced that demonstrated that the relevant human authors (including, for example, database designers, the database developers, persons who modify the database design or structure over time, persons who input data and so forth) have all worked collaboratively in creating the one indivisible original work.

A maker v author 2.61 Another option for avoiding the difficulties that the application of traditional copyright requirements imposes in the context of the protection of databases is to avoid attempting to shoehorn databases into copyright law. This would involve adopting a sui generis regime to protect databases modelled on the European Union’s Database Directive. Such an approach would avoid further

fragmentation of the Act and ensure that the rights afforded to works recognised under the Act (like the duration of copyright) were not inappropriately extended to databases. That directive and the scope of the rights it provides under EU law and the scope of the rights that it may be able to afford if analogous laws were introduced in this jurisdiction are discussed in Chapter 3.

DURATION 2.62 The duration of copyright is dependent on whether the relevant work is published or unpublished. Indeed, Stewart et al note that ‘[t]he distinction between published and unpublished works is now no longer [page 48] relevant except with respect to the period of copyright protection.’90 The duration of copyright in published literary works lasts for 70 years from the end of the calendar year in which the author died.91 If the relevant work has joint authors, then the period starts to run from the end of the calendar year in which the last author dies.92 In the case of unpublished literary works, copyright subsists for a period of 70 years from the end of the calendar year in which publication first occurs.93 Under the Act, s 29 provides that a literary work will be deemed to be published ‘… if, but only if, reproductions of the work … have been supplied (whether by sale or otherwise) to the public’. The expression ‘supplied … to the public’ appears to mean when the work is first offered to the public whether or not a sale actually occurs.94 In any event, in terms of corporate information that is protected by copyright, the duration of the protection is significant.

DEFENCES AND REMEDIES 2.63 Where corporate information is afforded copyright protection as a literary work and copyright in that work has been infringed, there are very limited circumstances where a defence will apply. The main defences are the fair dealing defences set out in ss 40 to 43C of the Act. These defences cover fair dealings in the work for purposes such as research or study, criticism or review, parody or satire and use in judicial proceedings. These defences will not apply in cases

where valuable corporation information has been copied by another corporation for business purposes — eg, in cases such as IceTV and Phone Directories assuming copyright subsisted. 2.64 The remedies that are available for a breach of copyright include ‘an injunction (subject to such terms, if any, as the court thinks fit) and either damages or an account of profits’.95

CONCLUSION 2.65 In the absence of change in this context, copyright will continue to discriminate against those corporations that embrace technological [page 49] developments. In Phone Directories both Perram and Yates JJ acknowledged that if humans performed the task that the computer did in that case, copyright would have subsisted. The only feasible manner in which a corporation such as Telstra can create and maintain a record of tens of millions of data fields is to employ technology. In this light, it can be seen that the author/originality correlative stands in the way of progress and innovation in an information economy. Indeed, the more technology that a corporation employs in a producing works, the greater the challenge it faces when attempting to establish copyright in compilations and other works. It should be noted that the issues relating to the originality issue are not limited to the creation of databases by corporations; the same issues could deprive corporations of other technologically-based developments such as large-scale computer programs. The greater the scale of development, the greater the risk that copyright will not be available. It is remarkable that copyright law has protected ‘lottery tickets, money boxes, belt buckles, routine business correspondence, forms and office memoranda’,96 but cannot protect the investment of millions of dollars in valuable compilations that are generated by computers designed and implemented by humans. _________________________ 1.

A situation where information lost its confidentiality was referred to in IceTV Pty Ltd v Nine Network

Australia Pty Ltd [2009] HCA 14 (IceTV) at [36] per French CJ, Crennan and Kiefel JJ, and at [163] per Gummow, Hayne and Heydon JJ. 2.

See, for example, Commonwealth of Australia v John Fairfax and Sons Ltd [1980] HCA 44; (1980) 147 CLR 39, a case where confidentiality in information was lost, but an injunction based on copyright law was granted.

3.

See fn 1, IceTV at [24].

4.

See fn 1, IceTV at [71].

5.

See, for example, Victoria Park Racing and Recreation Grounds Co Ltd v Taylor [1937] HCA 45; (1937) 58 CLR 479 at 497 per Latham CJ and at 511 per Dixon J; Computer Edge Pty Ltd v Apple Computer Inc [1986] HCA 19; (1986) 161 CLR 171 at 181 per Gibbs CJ. In international law, the concept that ideas and information should not be protected as such is reflected in articles 9.2 and 10.2 of the World Trade Organization’s Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).

6.

Hollinrake v Truswell [1894] 3 Ch 420 at 424 per Lord Hershell LC.

7.

See fn 5, Computer Edge Pty Ltd v Apple Computer Inc at 181 per Gibbs CJ. See also the definitions of ‘literary work’ and ‘writing’ in s 10(1) of the Act.

8.

In international law, the idea/expression dichotomy is contained in art 9.2 of TRIPS.

9.

A Stewart, P Griffith and J Bannister, Intellectual Property in Australia, 4th ed, LexisNexis Butterworths, Australia, 2010, 6.14.

10. Hollinrake v Truswell [1894] 3 Ch 420 at 428. 11. University of London Press v University Tutorial Press Ltd [1916] 2 Ch 601 at 608. 12. Robinson v Sands & McDougall Proprietary Ltd [1916] HCA 51; (1916) 22 CLR 124 at 133. 13. See fn 5, Computer Edge Pty Ltd v Apple Computer Inc at [10] per Brennan J. See also [10] per Gibbs CJ. 14. At [10] per Mason and Wilson JJ. 15. At [10] per Brennan J. 16. Data Access Corporation v Powerflex Services Pty Ltd [1999] HCA 49 (Powerflex) at [23] per Gleeson CJ, McHugh, Gummow and Hayne JJ. 17. Explanatory Memorandum, Copyright Amendment Bill 1984 (EM) at [26]. 18. Dynamic Supplies Pty Ltd v Tonnex International Pty Ltd [2011] FCA 362. 19. Autodesk Inc v Dyason [1992] HCA 2 at [29] per Dawson J. 20. See fn 16, Powerflex. 21. See fn 1, IceTV at [72] per Gummow, Hayne and Heydon JJ. 22. William Hill (Football) Ltd v Ladbroke (Football) Ltd [1980] RPC 539 at 550. 23. See fn 17, EM at [18]. 24. See R Evenden, Copyright Protection of Computer Programs in Australia, (NSW Society for Computers and the Law, March 2001): . See also Autodesk v Dyason (No 2) [1993] HCA 6; (1993) 176 CLR 300 at [21] and [24] per Gaudron J; Coogi v Hysport (1998) 41 IPR 593 at 618 per Drummond J. 25. See fn 16, Powerflex at [32]. 26. See fn 16, Powerflex at [86].

27. See Stevens v Kabushiki Kaisha Sony Computer Entertainment [2005] HCA 58 (Stevens) at [75] per Gleeson CJ, Gummow, Hayne and Heydon JJ. 28. Australian Video Retailers Association v Warner Home Video Pty Ltd [2001] FCA 1719; (2001) 114 FCR 324 (Warner) at [100]. 29. See fn 28, Warner at [103]. The High Court thought it unnecessary to decide this point in Stevens (see fn 27), but was seemingly inclined to the same view: at [75] per Gleeson CJ, Gummow, Hayne and Heydon JJ. 30. See fn 28, Warner at [101]. 31. See ss 32(1) and 32(2), the Act. 32. Sands & McDougall Pty Ltd v Robinson [1917] HCA 14; (1917) 23 CLR 49 at 55 per Isaacs J. 33. See fn 1, IceTV at [34]. 34. University of London Press Ltd v University Tutorial Press Ltd [1916] 2 Ch 601 at 608–9. See also fn 1, IceTV at [33]; fn 16, Powerflex at [22]; fn 32, Sands & McDougall Proprietary Ltd v Robinson; and fn 5, Victoria Park Racing and Recreation Ground Co Ltd v Taylor at 511. Originality is a matter of degree, depending on the amount of skill, judgment or labour that has been involved in making the work: see Ladbroke (Football) Ltd v William Hill (Football) Ltd [1964] 1 All ER 465 at 469, 473 and 475. 35. See fn 34, Ladbroke at 469. 36. See fn 1, IceTV at [38]–[41]. 37. See fn 1, IceTV at [33] and [48]. 38. See fn 1, IceTV at [99]. 39. See fn 1, IceTV at [99]. See also Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCA 44 at [25] and [26] per Gordon J. 40. Other requirements such as the need to demonstrate objective similarity between a work and a copy of the work and a causal link between the plaintiff’s work and the defendant’s reproduction will not be discussed in this book. For further details of other elements that must be proven in order establish infringement, see fn 9, Stewart et al, Ch 8. 41. See fn 16, Data Access Corporation v Powerflex Services Pty Ltd at [87]. 42. See fn 34, Ladbroke at 481. The High Court noted at [46] of the IceTV case (see fn 1), that the statements of Lord Pearce were approved in earlier cases that came before the High Court, namely: Autodesk v Dyason (No 2) (see fn 24) at 305 per Mason CJ (in dissent); Powerflex (see fn 16) at [83]– [84] per Gleeson CJ, McHugh, Gummow and Hayne JJ. 43. S Ricketson and C Creswell, The Law of Intellectual Property: Copyright, Designs & Confidential Information (looseleaf service), 2nd ed (rev), Lawbook Co, Sydney, 2002 at [9.30] quoted in Stewart et al (see fn 9), [8.4]. 44. Newspaper Licensing Agency Ltd v Marks and Spencer plc [2001] Ch 257 at 269. 45. See fn 1, IceTV at [21]. 46. See the combined effect of ss 14(1), 31(1)(a) and 36(1) of the Act. 47. TCN Channel Nine Pty Ltd v Network Ten Pty Ltd (No 2) (2005) 145 FCR 35 at [9] per Finkelstein J. 48. See fn 1, IceTV at [30]. 49. See fn 1, IceTV at [30]–[31]. 50. See fn 1, IceTV at [157].

51. The copying of weekly fixtures from a complete list of a season’s fixtures: Football League Ltd v Littlewoods Pools Ltd [1959] Ch 637. This principle is also reflected in the Database Directive in relation to the taking of small parts of the same work: see Chapter 3, 1.6. Cf the position discussed at 2.27 where systematic copying of unoriginal parts of a work was discussed. 52. See fn 1, IceTV at [170]. 53. See fn 51, Football League Ltd v Littlewoods Pools Ltd at 657. 54. See fn 1, IceTV at [33]–[48]. 55. See Exxon Corporation v Exxon Insurance Ltd [1982] Ch 119. 56. See Brodel v Telstra Corporation [2004] FCA 505. 57. See Kinnor (Pty) Ltd v Finkel 352 JOC WLD. 58. Sullivan v FNH Investments Pty Ltd t/as Palm Bay Hideaway [2003] FCA 323 at [112]–[113]. Cf the New Zealand cases of Sunlec International Pty Ltd v Electropar Ltd (2008) 79 IPR 411 where the slogan ‘Field Friendly — the Best Choice for Field Work’ was held to be a copyright work’ and Cotton v Frost [1936] NZLR 627, which found copyright subsisted in the slogan ‘You Get All Four in One Dental Plate’. However, these decisions seem to be based on a sweat of the brow or industriousness approach to originality: see J Barrett, ‘Copyright and Commercial Slogans’, 3 Web JCLI (2009), . 59. Hon Mr Justice Laddie, P Prescott, M Vitoria, A Speck and L Lane, The Modern Law of Copyright and Design, 3rd ed, LexisNexis Butterworths, London, 2000, p 88, cited in Barrett, see fn 58. 60. See s 184 of the Act and Copyright (International Protection) Regulations 1969 (Cth), Reg 4. See also A Fitzgerald and D Eliades, Intellectual Property, 3rd ed, Thomson Reuters, Australia, 2008. 61. See fn 9, A Stewart et al, 5.2. For further commentary on copyright issues and databases see B Fitzgerald, A Fitzgerald, E Clark, G Middleton and Y F Lim, Internet and E-commerce Law, Business and Policy, Lawbook Co, Sydney, 2011, [4.340]–[4.360]. 62. See fn 1, IceTV at [151]. 63. See fn 1, IceTV at [141]–[145] per Gummow, Hayne and Heydon JJ. 64. See, for example, fn 1, IceTV at [150] per Gummow, Hayne and Heydon JJ. 65. See fn 1, IceTV at [150] per Gummow, Hayne and Heydon JJ. 66. M Davison, The Legal Protection of Databases, Cambridge University Press, Australia, 2003. 67. See fn 1, IceTV at [151] per Gummow, Hayne and Heydon JJ. 68. See fn 66, Davison, p 21. 69. See fn 1, IceTV at [151] per Gummow, Hayne and Heydon JJ. 70. See fn 66, Davison, pp 22–3. 71. See Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCA 44 at [338] and [340] per Gordon J. 72. See Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCAFC 149 at [89] and [90] per Keane CJ; at [112] per Perram J; and at [167] and [168] per Yates J. 73. At [113]. 74. At [167]–[168]. 75. At [89]–[90]. 76. At [57].

77. At [127]. 78. See High Court of Australia, . Note that Gummow J, who also wrote one of the joint judgments in IceTV, heard the special leave application together with Bell J. 79. Trkulja v Google Inc LLC (No 5) [2012] VSC 533 at [16] per Beach J. 80. At [18]. 81. Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCA 44 at [30]. 82. Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCAFC 149 at [96]. 83. At [97]. 84. Copyright Law Review Committee, Simplification of the Copyright Act 1968: Part 2 — Categorisation of Subject Matter and Exclusive Rights, and Other Issues, Commonwealth of Australia, 1999. 85. The CLRC referred, by way of an example, to Express Newspapers plc v Liverpool Daily Post & Echo plc [1985] FSR 306. In that case the court found that ‘a series of grids and letter sequences generated by computer was a literary work authored by the person who had written the relevant computer program’ [emphasis added]: CLRC, Simplification of the Copyright Act 1968, see fn 84, 5.44. 86. See fn 84, CLRC, 5.44. 87. See also Acohs Pty Ltd v Ucorp Pty Ltd [2010] FCA 577; Acohs Pty Ltd v Ucorp Pty Ltd [2012] FCAFC 16. 88. Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCAFC at [118]–[119] per Perram J. 89. A ‘work of joint authorship’, as recognised under the Act, requires that the literary work in question ‘has been produced by the collaboration of two or more authors and in which the contribution of each author is not separate from the contribution of the other author or the contributions of the other authors’: See fn 1, IceTV at [23] per French CJ, Crennan and Kiefel JJ. See also fn 87, Acohs Pty Ltd v Ucorp Pty Ltd [2010]; Acohs Pty Ltd v Ucorp Pty Ltd [2012]. 90. See fn 9, Stewart et al, 5.4. 91. s 33(2) of the Act. 92. s 80. 93. s 33(3). 94. See fn 9, Stewart et al, 6.47. 95. s 115(2), of the Act. Note that there are a number of acts that will not constitute copyright infringement: see Div 3, Pt III of the Act. 96. D Vaver, ‘Rejuvenating Copyright’ (1996) 75 Can Bar Review 69 at 74, quoted in Stewart et al, see fn 9, 6.14.

[page 50]

Chapter 3 Alternative Approaches to Protecting Corporate Information

INTRODUCTION 3.1 The development of a large-scale corporate database requires significant investment, including human, technical or financial investment. As we saw in Chapter 2, copyright provides protection for the form in which the contents of a database are expressed, but it does not provide protection for the mere investment in gathering or obtaining those contents. The failure of copyright law to extend protection to the investment in databases begs the question: what other forms of protection are available? Other areas of law that may provide protection include contract law, laws concerning breach of confidence, laws analogous to the European Database Directive and the law of unjust enrichment. Contract law is capable of providing protection for databases, but most of the cases in this area involve the appropriation of facts and information from databases that have been made available to the public in circumstances where the entity appropriating the information has no contractual relationship with the developer or owner of the database. In these situations the law of contract is obviously incapable of providing protection. The laws concerning breach of confidence are capable of protecting databases that are confidential, but will clearly not provide any protection for databases which are made publicly available. Many of the cases in this area relate to databases that were made generally available to the public either in whole or in part. Consequently, this chapter will discuss whether: [page 51]

the implementation of laws analogous to the European Database Directive; and the law of unjust enrichment; are capable of providing protection to databases in this context.

THE EUROPEAN UNION’S DATABASE DIRECTIVE 3.2 In IceTV Pty Ltd v Nine Network Australia Pty Ltd [2009] HCA 14 (IceTV), Gummow, Hayne and Heydon JJ observed that: In the absence of implementation of laws analogous to the kind described in the [European Database] Directive, the matters now in issue cannot be resolved by concluding, as did the Full Court, that Ice appropriated “the fruits of Nine’s skill and labour”.1

That observation raises some fundamental questions. For example, what form of protection would the implementation of laws analogous to those set out in Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (Database Directive) afford to largescale corporate databases? What lessons are to be learnt from the manner in which courts in the European Union have interpreted and applied the Database Directive? Would laws of this type have resulted in different outcomes in cases such as IceTV and Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCA 44 (Phone Directories). These are key questions for a jurisdiction such as Australia, which may ultimately decide that it is necessary to implement laws analogous to the Database Directive in order to address the inability of copyright and other laws to protect databases. 3.3 This section will commence with an outline of the key provisions of the Database Directive followed by an analysis of how the Database Directive has been interpreted and applied by courts in the European Union. The section will then conclude with a discussion on how laws analogous to the Database Directive may have affected the outcomes of cases such as IceTV and Phone Directories (assuming the Australian courts took the same approach as the European Union to the interpretation of such laws) if they had been in force at the relevant times. [page 52]

The purpose of the Database Directive 3.4

The purpose of the European Union’s Database Directive is to:

… promote and protect investment in data storage and processing systems which contribute to the development of an information market against a background of exponential growth in the amount of information generated and processed annually in all sectors of activity.2

This purpose is given effect to by the various provisions of the Database Directive. Article 1(1) of the Database Directive speaks of protecting databases in any form. Article 1(2) defines a database to be ‘a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means’. The sui generis database right is actually set out in Art 7(1) of the Database Directive in the following terms: Member States shall provide for a right for the maker of a database which shows that there has been qualitatively and/or quantitatively a substantial investment in either [sic] the obtaining, verification or presentation of the contents to prevent extraction and/or re-utilisation of the whole or of a substantial part, evaluated qualitatively and/or quantitatively, of the contents of that database.

For the purposes of this provision, ‘extraction’ means ‘the permanent or temporary transfer of all or a substantial part of the contents of a database to another medium by any means or in any form’3 and ‘re-utilisation’ means ‘any form of making available to the public all or a substantial part of the contents of a database by the distribution of copies, by renting, by on-line or other forms of transmission’.4 3.5 The scope of the protection is extended by Art 7(5) of the Database Directive which prohibits: ‘repeated and systematic extraction and/or reutilisation of insubstantial parts of the contents of the database implying acts which conflict with a normal exploitation of that database or which unreasonably prejudice the legitimate interests of the maker of the database.’ Art 7(4) provides also that the database right set out in Art 7(1) is to ‘apply irrespective of the eligibility of that database for protection by copyright or by other rights. Moreover, it shall apply irrespective of eligibility of the contents of that database for protection by copyright [page 53] or by other rights’.5 Equally, the sui generis right is without prejudice to rights

existing in respect of their content.6 Overall, the provisions of the Database Directive that specify the nature and scope of the database right are expressed in relatively clear terms. At first blush they seem to create a right that is potentially quite broad. Indeed, writing prior to British Horseracing Board and others Ltd v William Hill Organization Ltd of Case C-203/02, [2004] ECR I-10461 (BHB) being decided by the European Court of Justice (ECJ), Professor Davison expressed the view that the relevant provisions confer ‘an extraordinary degree of sui generis protection’.7 The next section will examine how the relevant provisions have been interpreted and applied by the ECJ and whether that has narrowed the scope of protection provided by the database right.

The European Court of Justice’s interpretation of the database right British Horseracing Board case 3.6 A leading case concerning the scope of the protection set out in the Database Directive is the ECJ’s judgment in the BHB case. The BHB case originated in the United Kingdom. An appeal from that decision was then heard by the Court of Appeal, which referred the matter to the ECJ. In turn, the ECJ’s ruling was then considered and applied by the Court of Appeal. These decisions are discussed below. 3.7 In the UK case at first instance, British Horseracing Board Ltd v William Hill Organization Ltd [2001] EWHC 516 (Pat.); [2001] IP & T 612, Laddie J held that the British Horseracing Board’s (BHB) database was protected by a number of database rights and that William Hill breached those rights.8 Laddie J described the steps that BHB took to develop its databases as follows: … BHB maintains a computerised collection of information (which the parties called the ‘BHB Database’) which is constantly being updated

[page 54] with the latest information. Computerisation began in 1964 when the Jockey Club had the functions now controlled by BHB. The scale and complexity of the data kept by BHB has grown with time. According to the particulars of claim:

The establishment of the BHB Database has involved, and its maintenance and development continues to involve, extensive work, including the collection of raw data, the design of the database, the selection and verification of data for inclusion in the database and the insertion and arrangement of selected data in the database. The cost of establishing the BHB Database was considerable. The cost of continuing to obtain, verify and present its contents is approximately £4 million per annum and involves approximately 80 employees and extensive computer software and hardware. … There are a huge number of records contained within the BHB Database including many which must be accurately stored and processed each day. It covers not only all of the information set out above but much more. It includes a collection of data accumulated over many years by way of the registration of information supplied by owners, trainers and others concerned in the racing industry. It contains the names and other details of over one million horses, tracing back through many generations. It contains details of registered owners, racing colours, registered trainers and registered jockeys. It also contains pre-race information, that is to say information relating to races to be run in Great Britain and made available in advance of the race. This covers the place and date on which a race-meeting is to be held, the distance over which the race is to be run, the criteria for eligibility to enter the race, the date by which entries must be made, the entry fee payable, the amount of money the racecourse is to contribute to the prize money for the race, the initial name of the race and the like. Close to the day of a particular race, the pre-race information is expanded to include the time at which the race is provisionally scheduled to start, the final name of the race including, where applicable, sponsor’s name, the list of horses entered in the race, their owners and trainers and the relative weights these horses will carry. The final stage of pre-race information includes the list of intended or ‘declared’ runners, their riders, the absolute weight each will carry, its saddle-cloth number, the stall from which it will start and its owner’s racing colours. The BHB computerised records contain all of this information. After each race, details of the outcome are recorded. An estimated total of 800,000 new records or changes to existing records are made each year. Maintaining the BHB Database does not consist only of receiving and entering data in BHB’s computer. It involves extensive checking of data obtained from a number of sources. … No purpose would be served by setting out in this judgment the detail of this collection and verification process, but some flavour of it can be gathered by reference to part of the process undertaken for or on behalf of BHB in relation to declarations made by trainers. Such declarations have to be made by a fixed deadline

[page 55] shortly before the race is due to be run. They are normally made by telephone. As Dr Khan explained: The pre-race information compiled for each race is the product of a painstaking process of verification which is aimed to ensure that the information is wholly accurate and reliable. Without there being virtually 100% accuracy in the information presented for each race, the confidence of those involved in racing, including bookmakers and their customers, could not be assured.9

William Hill, a leading provider of off-track bookmaking services in the United Kingdom and elsewhere, had an informal contractual arrangement to receive a raw data feed from BHB so that it could use data derived from the BHB database for its own internal purposes. The informal contract did not limit

the uses to which the raw data deed could be put to by William Hill.10 William Hill displayed information derived from BHB’s database on its online website. The relevant information comprised the names of declared starters for a race; the date, time and/or name of the race; and the name of the applicable racecourse. Laddie J held that such use was an infringement of BHB’s database rights.11 In an appeal by William Hill, the UK Court of Appeal was inclined to support the judgment of Laddie J in the lower court,12 but as it determined that ‘questions of interpretation of European law were involved’, it referred those questions to the ECJ for a preliminary ruling.13 The ECJ’s ruling in the BHB case is discussed below.

Interpreting the expression ‘obtaining’ 3.8 Recall that Art 7(1) of the Database Directive affords protection to a maker of a database where there has been qualitatively and/or quantitatively a substantial investment in the obtaining, verification or presentation of the contents of the database. The ECJ dealt with the ‘obtaining’ and ‘verification’ requirements in the BHB ruling and the ‘presentation’ requirement in other rulings that it handed down on the same day as the BHB ruling. Those other rulings also concerned the interpretation of the Database Directive.14 In the BHB case, the ECJ said that for the purposes of the Database Directive: [page 56] The expression ‘investment in … the obtaining … of the contents’ of a database … must be understood to refer to the resources used to seek out existing independent materials and collect them in the database. It does not cover the resources used for the creation of materials which make up the contents of a database.

In relation to the applicable information in the BHB database, the ECJ was of the view that it was created by BHB rather than obtained by it. Accordingly, the database right did not extend to such information. As a consequence, the ECJ was of the view that William Hill did not infringe any database rights by reutilising the BHB information on its betting website. The ECJ’s distinction between ‘creation’ on the one hand and ‘obtaining’ on the other is arguably one that is consistent with the wording of Art 7(1). The word ‘obtaining’ does suggest that one needs to ‘get’, ‘gather’ or ‘procure’ data from a source. However, why does that need to be a source external to a

corporate entity? The application of the ‘creation doctrine’ is liable to generate curious outcomes, which will be outlined below. Finally, even if the ‘creation doctrine’ is a valid one, it is argued that the manner in which the ECJ applied the distinction in the BHB case was not supported by the facts of the case. 3.9 An incorrect application of the creation doctrine to the facts? It would seem that BHB actually obtained content for its database from numerous third parties. Regardless of what data it may have also created (eg, the name of a horse race), BHB was entirely dependent on obtaining information from third parties concerning horse owners, trainers, jockeys and horses. This information would have had to originate from persons other than the BHB, especially critical information about horses that would run in a race fixture and the jockeys that would ride them. Put another way, BHB could not create the relevant information if they hadn’t obtained it from other persons. What one does not have, one cannot include in a database. There is also a material distinction between the database structure that a corporation creates (eg, a database table containing a data field called ‘horse owner’, ‘horse name’ or ‘jockey name’) and obtaining data to insert into that field. The latter data entry activity cannot be construed as ‘creation’ in any meaningful sense. It is merely a recording task. If one does not create the underlying information, one is not a creator in this context. 3.10 It is doubtful that Australian courts (interpreting laws analogous to the Database Directive) would arrive at the same result on the facts [page 57] of the BHB case. For example, in Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCAFC 149, Telstra had compiled a large corporate database containing the names and other details of telephone subscribers. Telstra collected these details from subscribers. Keane CJ observed that in these circumstances: … there can be no doubt that a person who is “a mere scribe” is not an author for the purposes of the Act … The name and address of a particular subscriber does not relevantly “originate” with an employee who takes a note of these details from the subscriber. This information is factual in its nature: it is not “created” by the person who merely records it … Nor does the form of the compilation originate with the individual who engages the mechanical processes to produce the compilation.

3.11

Broader implications The BHB ruling also has broader implications.

First, consider location data collected from mobile phones which is used by a research company to estimate how many people visit major retail shopping precincts during different trading periods (eg, Easter, Christmas, weekend, weekdays, etc). This information would be a highly valuable form of ‘big data’.15 It could provide more insights to retailers about how their marketing campaigns affect consumers. It could provide analysts with another data point for their review of retail stock performance.16 However, it is not clear under the ruling of the ECJ in BHB whether the data (ie, unique mobile signal data) existed independently prior to collection or was created by the research company. On one view, the data had no independent existence in material form prior to the relevant phone signals being received and stored in a database by the researchers. This act of storing may amount to creation on the reasoning of the ECJ. If that were the case, the research company would not enjoy a database right under the ‘creation doctrine’ and would not be able to rely on that particular right to exploit commercially the database it developed. This may compel corporations like the research company mentioned above to develop somewhat artificial operating models to ensure that their databases fall within the scope of the Database Directive. For example, the research company mentioned above could incorporate a company to collect or create data and then sell that data to another group company in order to avoid the creation doctrine applying. [page 58] 3.12 Second, the approach taken by the ECJ in BHB is not technologically neutral. Take for example the facts of that case. The ECJ was of the view that the receipt by a call centre operator of information from horse owners amounted to the ‘creation’ of information by BHB when the call centre operator entered the relevant information into the applicable system. On this reasoning, if the relevant trainer or horse owner were to submit the same information electronically via a web form, it would seem that the relevant information would be pre-existing (in the sense it was created by the relevant trainer or horse owner) and therefore collected by BHB. The next section examines the ECJ’s interpretation of the expression ‘verification’ as used in Art 7(1) of the Database Directive.

Interpreting the expression ‘verification’ 3.13 In relation to the ‘verification’ element contained in Art 7(1) of the Database Directive, the ECJ in BHB ruled as follows: The expression ‘investment in … the … verification … of the contents’ of a database must be understood to refer to the resources used, with a view to ensuring the reliability of the information contained in that database, to monitor the accuracy of the materials collected when the database was created and during its operation. The resources used for verification during the stage of creation of materials which are subsequently collected in a database do not fall within that definition.

3.14 Again, the last sentence in this statement by the court is curious. The elements of ‘obtaining’, ‘verification’ and ‘presentation’ in Art 7(1) are expressed disjunctively. The court seemingly ignores this and proceeds to limit the potential scope of the verification element by effectively stating that any investment concerning materials that have been created by the entity is to be disregarded. This deprives the verification element of its natural scope. It would seem that granting a database right on the basis of a substantial investment in the verification of contents of a database alone would be consistent with the aims of the Database Directive. It is hard to accept that the ECJ’s approach to the interpretation of the ‘obtaining’ and ‘verification’ elements could promote exponential growth in the amount of information generated and processed annually in all sectors of activity within the European Union. Further, in relation to the particular facts of the BHB case, if one accepts the arguments set out in 3.9–3.12 that the facts that BHB was held to have ‘created’ were in fact ‘obtained’, then the ECJ made an error on the facts of the BHB case. It erred to the extent that it excluded the investment in verification activities from being considered where that verification activity related to data that was deemed to have been ‘created’. [page 59] If applicable data that formed part of the database was not in fact created by BHB but in fact ‘obtained’ in the relevant sense, then the verification activities of BHB should not have been ruled to be incapable of satisfying the ‘verification’ requirement under the Database Directive.

Interpreting the expression ‘presentation’

3.15 The ECJ did not make a ruling on the ‘presentation’ requirement in the BHB case, but it did so in other cases it handed down on the same day. One of those rulings was Fixtures Marketing Ltd v Oy Veikkaus Ab Case C-46/02 [2004] ECR I-10365,17 in which the ECJ held that: The expression ‘investment in … the … presentation of the contents’ of the database concerns, for its part, the resources used for the purpose of giving the database its function of processing information, that is to say those used for the systematic or methodical arrangement of the materials contained in that database and the organisation of their individual accessibility.18

Again, this requirement is expressed disjunctively. The ‘presentation’ element is independent of the other elements set out in Art 7(1). The requirement, as explained by the court, reflects investment in the design and structuring of the database, the development of its processing capabilities or operations and also its protocols for allowing access to the data contained in the database. These steps ordinarily require a substantial investment of resources, yet the court in the Fixtures Marketing case again focused on linking the ‘presentation’ of data back to the ‘creation’ of it by Fixtures Marketing Ltd. Once that association was made, then it proved fatal to Fixtures Marketing Ltd’s attempt to prevail on the ‘presentation’ point.

Interpreting the expressions ‘extraction’ and ‘re-utilization’ 3.16 Direct or indirect copying caught The ECJ’s rulings were logical and compelling in respect of the approach taken to the application of the infringement elements set out in Art 7 of the Database Directive. In relation to the terms ‘extraction’ and ‘re-utilization’ the court ruled that those terms refer to any unauthorised acts of appropriation and distribution and do not imply direct access to a database is required. That is, the terms extraction or re-utilisation refer to any unauthorised act and the fact that the maker of the database has made it available to [page 60] the public does not affect the rights of the maker in this context.19 Each case will turn on its facts and how well the technology-related issues are articulated by counsel for the relevant parties. 3.17 Substantial part A breach of the Database Directive occurs if a party extracts or re-utilises a substantial part of the database evaluated quantitatively

and/or qualitatively. In cases such as this, fixing or identifying the ‘four corners’ of the relevant database is a crucial first step albeit one that is often fraught. It is often a difficult task to define where a database starts and ends. The scope of the database ultimately defined will have a significant bearing on whether one can prove that a substantial part has been taken. In comparative terms, the greater the size of a database, the smaller the part that is taken becomes. As stated above, a database is defined in the Database Directive as ‘a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means’. But this could be all-embracing. At one end of the spectrum, a customer contact list or a collection of data arranged in alphabetical order on a simple website would fall within the scope of the definition. At the other end of the spectrum, it is potentially arguable that the entire database infrastructure supporting Google searches, distributed over 13 data centres across the globe,20 is a ‘database’. 3.18 Quantitative evaluation of substantial part The ECJ in the BHB case ruled that the expression substantial part evaluated quantitatively of the contents of a database: ‘refers to the volume of data extracted from the database and/or re-utilized, and must be assessed in relation to the volume of the contents of the whole of that database.’21 In practice, defining a database more broadly may assist in demonstrating that a substantial investment was made in order to develop it, although in these cases it might then be harder to show that a substantial part was taken of that database (at least on a quantitative basis). 3.19 Qualitative evaluation of substantial part In relation to the expression ‘substantial part evaluated qualitatively of the contents of a database’, the ECJ in the BHB case was of the view that it: … refers to the scale of the investment in the obtaining, verification or presentation of the contents of the subject of the act of extraction

[page 61] and/or re-utilisation, regardless of whether that subject represents a quantitatively substantial part of the general contents of the protected database. A quantitatively negligible part of the contents of a database may in fact represent, in terms of obtaining, verification or presentation, significant human, technical or financial investment.22

3.20 The ECJ stressed that the ‘intrinsic value of materials affected by the act of extraction and/or re-utilisation does not constitute a relevant criterion for the assessment of whether the part at issue is substantial’.23 This is because the

focus in applying this test is determining the qualitative aspects of the investment in developing the database as opposed to whatever intrinsic value information may have. In some cases, information may be intrinsically valuable, but not require much effort to obtain, verify or present. 3.21 Applying the quantitative and qualitative tests to the facts in BHB, the ECJ found that the material extracted from the BHB database and re-utilised by William Hill on its websites represented only a ‘very small proportion’ of the whole of BHB’s database.24 Accordingly, the part in issue was not substantial from a quantitative perspective.25 In relation to the qualitative test, the ECJ noted in the BHB case that the information published by William Hill concerned only limited aspects of the BHB database, namely the names of all the horses running in a specific race, the date, the time and/or the name of the race and the name of the applicable racecourse. Importantly, in this context, the investment in ‘creating’ data could not be taken into consideration. The court then went on to state that: In order to assess whether those materials represent a substantial part, evaluated qualitatively, of the contents of the BHB database, it must be considered whether the human, technical and financial efforts put in by the maker of the database in obtaining, verifying and presenting those data constitute a substantial investment. BHB and Others submit, in that connection, that the data extracted and re-utilised by William Hill are of crucial importance because, without lists of runners, the horse races could not take place. They add that those data represent a significant investment, as demonstrated by the role played by a call centre employing more than 30 operators. However, it must be observed, first, that the intrinsic value of the data affected by the act of extraction and/or re-utilisation does not constitute a relevant criterion for assessing whether the part in question is substantial, evaluated qualitatively. The fact that the data extracted and re-utilised

[page 62] by William Hill are vital to the organisation of the horse races which BHB and Others are responsible for organising is thus irrelevant to the assessment whether the acts of William Hill concern a substantial part of the contents of the BHB database. Next, it must be observed that the resources used for the creation as such of the materials included in a database cannot be taken into account in assessing whether the investment in the creation of that database was substantial … The resources deployed by BHB to establish, for the purposes of organising horse races, the date, the time, the place and/or name of the race, and the horses running in it, represent an investment in the creation of materials contained in the BHB database. Consequently, and if, as the order for reference appears to indicate, the materials extracted and re-utilised by William Hill did not require BHB and Others to put in investment independent of the resources required for their creation, it must be held that those materials do not represent a substantial part, in qualitative terms, of the BHB database.26

Summarising the impact of the ECJ approach to interpreting the Database Directive 3.22 In summary, the ECJ’s ruling represented a comprehensive defeat for BHB. Ultimately, the outcome in the case effectively turned on one point; the distinction that the ECJ made between ‘obtaining’ material and ‘creating’ data. Interestingly, once the United Kingdom Court of Appeal was provided with the preliminary ruling from the ECJ in the BHB case, it unanimously applied it according to its terms despite some compelling arguments from counsel for BHB27 and notwithstanding the fact that it was inclined to support Laddie J’s first instance judgment in 2001.28 Ultimately, and not surprisingly, a clearly influencing factor was, as Lord Clarke (one of the judges who heard the 2001 appeal by William Hill which resulted in the matter being referred to the ECJ for a ruling) put it in his judgment: ‘… was to ensure, so far as possible, that the relevant directive is construed in the same way throughout the European Union’. The judgment may impose consistency, but with respect, the judgment is not a compelling one. The ECJ’s position on the relevant issues set out above remains unchanged since it handed down its ruling in the BHB case.29 Arguably, a better approach would have been to adopt [page 63] a slightly broader interpretation of the requirements set out in Art 7(1) of the Database Directive, which would seem to be more in keeping with the objectives of the legislation. A broader approach would involve abandoning the ‘creation doctrine’ and adopting an approach that is consistent with what was recommend by Advocate General Stix-Hackl in her opinion in the BHB case.30 In that opinion, the Advocate General was of the view that the interpretation of the expression ‘obtaining’ in Art 7(1) should be approached as follows: We must base our discussion on the thrust of the protection conferred by the sui generis right, in other words the protection of the creation of a database. Creation can then be seen as an umbrella term for obtaining, verification and presentation. … [I]f we take the umbrella term creation, in other words the supplying of the database with content, as a basis, both existing and newly created data could be covered.31

Adopting such an approach would be consistent with the objectives of the

Database Directive and would avoid creating a legal framework that promotes form over substance. Alternatively, if it is necessary to maintain a distinction in this context, it would have been open to a court in the ECJ’s position in the BHB case to characterise the receipt of information from horse owners and so forth as data gathering rather than data creation. The next section will discuss whether laws analogous to the Database Directive (interpreted in the same manner as the ECJ has interpreted them) would have resulted in different outcomes in recent leading Australian cases concerning compilations and databases.

Applying the ECJ’s ruling in BHB to the facts of recent Australian cases 3.23 In this section, the key rulings of the ECJ that were discussed above will be applied to the facts of cases that were decided under Australian copyright law. The aim of this analysis is to determine how the implementation of laws analogous to those contained in the Database Directive may have altered outcomes in leading cases involving copyright in compilations or databases. [page 64] 3.24 IceTV v Nine In the IceTV case, the data that was ‘extracted’ and ‘reutilised’ by Ice was data comprising the time that a program was scheduled to be broadcast and the title of the relevant program to be broadcast. The first step in this hypothetical enquiry is to determine whether the time and title data was part of a database and, if so, the form of the database. In IceTV there was some doubt as to whether the relevant data was part of a compilation called a Weekly Schedule contained in both a Microsoft Excel spreadsheet and a text file, or part of a larger database called the Nine Database.32 For present purposes, we will assume that the Weekly Schedule was the relevant database. That database contained four types of information, namely: (a) time information; (b) title information; (c) additional information concerning the program, eg, whether it was live or a repeat, wide screen, high definition and its program classification; and

(d) program synopses.33 3.25 The Weekly Schedule set out this information for the daily broadcasting cycle for a seven-day period. Accordingly, it would satisfy the definition of a database for the purposes of the Database Directive as it would be ‘a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means’.34 The next step would be to consider the substantial investment requirement. 3.26 In order for protection to be afforded under the Database Directive, a maker of a database needs to make a substantial investment, evaluated qualitatively and/or quantitatively, in obtaining, verifying or presenting the contents the database.35 In IceTV French CJ, Crennan and Kiefel JJ observed that ‘it was not seriously in dispute that skill and labour was expended on producing the Weekly Schedules … The evidence disclosed [page 65] considerable skill and labour involved in programming decisions’.36 Much of that skill and labour was directed to determining at what time/date to broadcast a program and compiling related information. However, based on the decision of the ECJ in BHB, any data or information that is created for the purposes of storing in a database is to be disregarded. On that view, the time information was ‘created’ as a direct result of programming decisions. It was not obtained in any meaningful sense; it was determined by Nine employees. The synopses information was also created by Nine. Both of these items then should be disregarded for the purposes of the hypothetical analysis. Accordingly, only the investment in obtaining the title and additional information could be considered for the purpose of determining whether a substantial investment had been made by Nine. 3.27 Although the title and additional information was first set down in a larger database (the Nine Database) the maker, Nine, clearly obtained many of those titles from other parties and did not create them. Exceptions may be titles such as ‘National Nine News’. Putting any exceptions to one side, the skill, labour and other investment, expended by Nine in obtaining the title information for inclusion in the Weekly Schedule is relevant to determining whether the database right would protect such a database.

3.28 What investment is required to obtain title and additional information? It would seem open in this context to argue that Nine acquired the right to broadcast a program at significant cost so that it could include the pre-existing title information (and other information) into a compilation such as the Weekly Schedule. In this context, a title to a television program is very valuable to a broadcaster. The title of the program will generally be what determines a viewer’s program selection, and that in turn has a direct bearing on advertising revenues. As a general rule, a broadcaster must invest a substantial amount of money in order to be able to have the ability and right to include title information in its program schedule. Without the underlying rights in the media and licence, a broadcaster is unable to include the program’s title in its program schedule. The counterargument would be that Nine’s investment in this context was directed at obtaining certain legal rights. The investment directed to actually recording the words in a title (and relating information) in a database or compilation was trivial. If the affirmative argument was [page 66] accepted, then it follows that Nine would have made a substantial investment in obtaining the contents of a database. Conversely, if the counterargument was accepted, it would not be possible to argue that the investment in obtaining the title information and related program information (such as the classification of the program) and verifying that information before presenting it in the Weekly Schedule could constitute a substantial investment for the purposes of Art 7(1). Much would turn on evidence. Assuming for the sake of argument that a database right was made out, it is now instructive to consider infringement issues. 3.29 The next step in this hypothetical inquiry is to determine whether Ice infringed the database right by extracting or re-utilising a substantial part, again evaluated quantitatively and/or qualitatively. Having defined the boundaries of the database (ie, the Weekly Schedule) it is then necessary to consider whether the time and title information extracted and re-utilised by Ice was a substantial part of that database. 3.30

From a quantitative perspective, it is arguable that the time information

taken by Ice would have been substantial because the evidence at trial showed that in some cases time and title information was copied in respect of 17 out of 31 time slots (52 per cent). In other cases, the information was copied 13 out of 29 cases (45 per cent).37 On any view these figures seem to satisfy the substantiality test in a quantitative sense. Accordingly, infringement could be found in this case on this basis alone. It is not necessary, unlike in copyright law, also to consider the qualitative test in this context as the two tests are independent, but we will do so for completeness. 3.31 In relation to the qualitative dimension of the test, it is necessary to determine the quality of what is taken by reference to the investment expended by the maker of the database in obtaining, verifying or presenting the contents of the database. In this context, the time information has to be disregarded because the investment in creating that is not to count for the purposes of this test. As discussed above, the investment directed to actually recording the title information in the Weekly Schedule may count in this context, but much would depend on whether the affirmative argument or the counterargument discussed in 3.28 above were accepted. If the affirmative argument was accepted then it would almost certainly follow that a substantial part of the database was extracted and/or re-utilised by IceTV. The opposite result would follow if the counterargument was accepted. [page 67] 3.32 The above discussion illustrates the dimensions of the database right and how it may apply to the facts of one well-known Australian case. Again, the contentious issue in this case would have been whether the title information required sufficient investment by Nine. The existence of the database right in this hypothetical rested on the outcome on that point. 3.33 Telstra v Phone Directories The facts of another widely reported celebrated case can also be used to demonstrate the different outcomes that may follow if laws analogous to the Database Directive were implemented in Australia. In Phone Directories (Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCA 44), Telstra failed in its attempt to claim copyright in its directories. In that case there was no doubt that Telstra expended significant investment in obtaining, verifying and presenting data in its directories.

However, there may be an argument, based on BHB, that the subscriber information that is included in the database is ‘created’ by Telstra (based on the ‘creation doctrine’ adopted by the ECJ) and therefore does not qualify for protection. That outcome would seemingly prove fatal to Telstra’s attempt to establish a database right. Telstra would then be left to show that it expended significant human, technical or financial investment in obtaining, verifying or presenting information to which the creation doctrine did not apply. Ultimately, the amount of such residual information or data would seem to be negligible. In that scenario, no database right would arise as Telstra would not be able to show that there had been a substantial investment in obtaining, verifying or presenting the relevant data or information. As discussed in 3.10, there is an argument, however, that the approach taken to applying the creation doctrine in BHB would not be followed in Australia. If the approach Keane CJ outlined in the Full Federal Court’s decision in Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCAFC 149 were to be applied in this context, Telstra would almost certainly be able to prove sufficient investment for the purposes of establishing a database right. If such a right existed, then infringement would almost certainly follow on both quantitative and qualitative bases as Phone Directories appropriated much of the information in Telstra’s databases.

Duration and remedies 3.34 Art 10(1) of the Database Directive provides that the duration of the database right is for a period of 15 years. However, Art 10(3) in effect [page 68] provides for a rolling 15-year period of protection for databases that are constantly being modified or changed. Art 10(3) provides as follows: Any substantial change, evaluated qualitatively or quantitatively, to the contents of a database, including any substantial change resulting from the accumulation of successive additions, deletions or alterations, which would result in the database being considered to be a substantial new investment, evaluated qualitatively or quantitatively, shall qualify the database resulting from that investment for its own term of protection.

3.35

The remedies that are available for a breach of the database can vary

according to the jurisdiction. However, in the United Kingdom the remedies that are available under the laws that implemented the Database Directive include an action for infringement of copyright all such relief by way of damages, injunctions, accounts or otherwise is available to the plaintiff as is available in respect of the infringement of any other property right.38 These remedies are the same as the remedies provided for under the Copyright, Designs and Patents Act 1988 (UK) in respect of copyright infringement. 3.36 In this context, it is also important to note that some exceptions to the database rights are contemplated in the Database Directive. Art 9 of the Database Directive provides as follows: Member States may stipulate that lawful users of a database which is made available to the public in whatever manner may, without the authorization of its maker, extract or re-utilize a substantial part of its contents: (a) in the case of extraction for private purposes of the contents of a non-electronic database; (b) in the case of extraction for the purposes of illustration for teaching or scientific research, as long as the source is indicated and to the extent justified by the non-commercial purpose to be achieved; (c) in the case of extraction and/or re-utilization for the purposes of public security or an administrative or judicial procedure.39

Conclusion 3.37 It is not clear that the ruling in the BHB case and related rulings of the ECJ support the stated aim of the Database Directive. The immediate consequence of these cases is that the protection afforded by the Database Directive has not been the expansive right that some thought that it may [page 69] have been when it was first introduced.40 The issues discussed above concerning the scope and application of the law in this context need to be considered and debated by any jurisdiction contemplating introducing laws analogous to the Database Directive.

UNJUST ENRICHMENT 3.38

Broadly speaking, the law of unjust enrichment is based on the principle

that one party should not be unjustly enriched at the expense of another party. Unjust enrichment is an area of the law that could provide protection for informational assets in a similar way to how these assets are protected by the tort of misappropriation in the United States, or as they are intended to be protected under laws such as the European Database Directive. The law of unjust enrichment is an area of the common law, that may be able to provide protection for informational products beyond that which is available under statute (eg, copyright) or other recognised intellectual property frameworks (eg, breach of confidence).41 The reason why this type of protection may be required is simple. Increasingly, information itself represents economic value. For instance, Michael Harte, a leading global technologist, calls data the ‘new oil of the digital world’.42 However, if someone appropriates $100 worth of my oil I would have a claim in conversion against a person who commits the conversion. Criminal penalties may also apply under various statutes.43 If a person appropriates for her own use information (which is not copyrightable, confidential or the subject of a contract) that I have spent $1 million creating, collecting, verifying and presenting, it will not give rise to any civil action although in some cases such appropriation may constitute a criminal offence.44 As increasing amounts of value are stored in information and that value is generating absolute or incremental wealth in its own right, it is appropriate to consider whether the law of unjust enrichment (or at least the categories of case that it explains) should evolve to recognise misappropriation of valuable information. Arguably, this would prevent free-riding by others who would misappropriate the valuable investments [page 70] of others. That is, to ensure that one does not reap where one does not sow. There are, however, significant obstacles to the adoption of such an approach. 3.39 In the case of Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479 (Victoria Park) a radio station was able to broadcast calls of horse races which were held on the plaintiff’s land. The station’s race caller stood on a viewing platform erected on land next to the race course. There was no doubt that the information that was relayed by the race caller was of value to the radio station. The plaintiff, the entity that invested in creating the information that was obtained by the defendant, sought an injunction to restrain

the radio station from engaging in the conduct. Dixon J in this judgment observed that: … the courts of equity have not in British jurisdictions thrown the protection of an injunction around all the intangible elements of value, that is, value in exchange, that may flow from the exercise by an individual of his powers or resources … it is not because the individual has by his efforts put himself in a position to obtain value for what he can give that his right to give becomes protected by law … but because the intangible … he claims falls within a recognised category to which legal or equitable protection attaches.45

What is clear from this statement is that a claim must fall within a ‘recognised category’ before the law or equity will respond. 3.40 Almost 50 years after the decision in Victoria Park, Deane J delivered the judgment in Moorgate Tobacco Co Ltd v Philip Morris Ltd [No 2] (1984) 156 CLR 414 (Moorgate). In Moorgate, Deane J approved of the comments of Dixon J in Victoria Park which are cited above and then went on to discuss the applicability of the United States concept of unfair competition under Australian law. The relevance of his Honour’s discussion in this context is that the United States tort of misappropriation is based on the broad notion of unjust enrichment, although cases are ‘sometimes lumped under the notion of unfair competition’.46 Deane J expressed the view that the bare notion of ‘unfair competition does not in itself, provide a sufficient basis for relief under the law of this country’.47 In discussing the seminal United States case concerning the tort of misappropriation, namely INS v Associated Press 248 US 215 (1918), [page 71] his Honour expressed a preference for the dissenting judgment of Brandeis J on the basis that ‘one searches in vain in the majority judgment for any identification of the ingredients of that general wrong … [of] unfair competition in business’.48 That is, in using the expression ‘ingredients of [the] general wrong’ his Honour was referring to the ‘recognised category’ of case that Dixon J referred to in Victoria Park. If it were not possible to identify the ‘recognised category’ then a claim would fail. Accordingly, it can be seen that the High Court is extremely reluctant to uphold claims concerning the protection of value exchanges that fall outside ‘recognised categories’. 3.41

The ‘recognised category’ of case notion was stressed by Deane J to be a

limitation on the scope of unjust enrichment law in Pavey & Matthews Pty Ltd v Paul (1987) 162 CLR 221. In that case, Deane J noted that ‘[i]mportant as is the high level principle against unjust enrichment, it must not be mistaken for a rule of immediate liability. It merely coordinates or gives direction to the many specific grounds for restitution’.49 This statement was cited with approval in David Securities Pty Ltd v Commonwealth Bank of Australia (1992) 175 CLR 353.50 In Farah Constructions Pty Ltd v Say-Dee Pty Ltd [2007] HCA 22; (2007) 81 ALJR 1107 Gleeson CJ, Gummow, Callinan, Heydon and Crennan JJ expanded on this point by stating that: … whether enrichment is unjust is not determined by reference to a subjective evaluation of what is unfair or unconscionable: recovery rather depends on the existence of a qualifying or vitiating factor falling into some particular category. In David Securities Pty Ltd v Commonwealth Bank of Australia, Mason CJ, Deane, Toohey, Gaudron and McHugh JJ gave as instances of a qualifying or vitiating factor mistake, duress or illegality … . [U]njust factors are commonly concerned with vitiation or qualification of the intention of a claimant. [Citations omitted.]51

This case clearly articulates that the key to recovery under the law of unjust enrichment is identifying the existence of a qualifying or vitiating factor falling into a particular or ‘recognised category’. 3.42 The ‘recognised cases’ where unjust enrichment explains why a remedy is provided include cases involving mistaken payments [page 72] (whether the payment was made due to a mistake of fact or a mistake of law)52 and cases where there is a total failure of consideration.53 The mistake cases demonstrate that where a plaintiff’s intention to transfer value was vitiated due to the operative mistake it would be unjust for the defendant to retain the benefit that it obtained at the expense of the plaintiff (assuming no defences applied). Similarly, in the total failure of consideration cases, it is clear that the plaintiff’s qualified intention to pass value to the defendant is conditioned on consideration passing from the defendant to the plaintiff. Similarly, in this category of case, it would be unjust for the defendant to retain the benefit it received at the expense of the defendant.54 3.43 The vitiated intention cases provide one basis for arguing that the law of unjust enrichment should apply to cases where there is unauthorised taking of value. This is due to the fact that in vitiated intention cases the ultimate outcome was that there was no intention to permit the transfer at all and they generally

occur outside a contractual arrangement. This is also the same outcome in misappropriation cases. Good examples of where there is no intention to transfer value in information and where information is willfully appropriated are the BHB, IceTV and Phone Directories cases discussed in Chapters 2 and 3. In those cases, the transfer of value occurred by dint of the relevant defendants appropriating (outside a contractual relationship) for their own commercial uses information that the relevant plaintiffs had created. At no time did the respective plaintiffs form an intention, mistaken or otherwise, to transfer the information (and the value in the information) to the defendant. The vitiating factor of mistake is not applicable as no ‘mistake’ was made. However, it is argued that mistake cases and appropriation cases of this kind are analogous. Ultimately, the plaintiff in either scenario does not have any time to form an intention to actually transfer value to the defendant. In the mistake cases, the law merely invalidates the intention of the plaintiff such that the intention never existed. In misappropriation cases, the outcome should be no different. No valid intention was formed on the part of the plaintiff to transfer value to the defendant. It is the consequences of the deliberate act of the defendant which should be reversed. It seems incongruous that the law will provide a response where a plaintiff mistakenly enriches a party, but it will not respond where that [page 73] party willfully appropriates value. To illustrate this incongruity, consider the following two examples. 3.44 Consider a database creator who mistakenly transfers valuable information (eg, the type of information that was the subject of the BHB, IceTV and Phone Directories cases) to another, providing the information can be attributed a value, the law may respond to reverse that transfer of value, but it will not undo that transfer of value if a party appropriated the same information for its own purposes. In the former case, intention to provide the value was vitiated and in the latter case there was no intention to provide or transfer value at all because of the appropriation by the defendant. It seems odd that if a plaintiff exercises no will

at all and therefore makes no mistake the law will not respond. Consider also a situation where a plaintiff agrees, for consideration, to transfer value in the form of information (eg, it develops a database for the defendant). If there is a total failure of consideration, but the other party accepts the benefit of those services, the law of unjust enrichment will provide a remedy. However, the unjust enrichment will not respond if the other party appropriates the same information for its own purposes if there is no relationship with the plaintiff.

Conclusion 3.45 The discussion above has attempted to show that there are grounds for extending the law of unjust enrichment (or at least the recognised categories of case that explains why an enrichment is ‘unjust’) to categories of case that are analogous to those that are already recognised. Maintaining the distinction between, in particular, mistake/vitiated intention cases on the one hand and misappropriation/‘no intention’ cases on the other seems to reflect the rigidity of the common law actions on the case rather than the principled evolution of the common law. Perhaps the distinction in some minds constitutes the intellectual floodgates that hold back indeterminancy or will otherwise undermine the central principle of stare decisis.55 Indeed, it is important to recognise that unjust enrichment is not a definitive legal principle according to its own terms as was forcefully pointed out by the court in Farah: Unjust enrichment is not a “definitive legal principle according to its own terms”. If it were not so, as Gummow J pointed out in Roxborough v Rothmans of Pall Mall Australia Ltd:

[page 74] [S]ubstance and dynamism may be restricted by dogma. In turn, the dogma will tend to generate new fictions in order to retain support for its thesis. It also may distort well settled principles in other fields, including those respecting equitable doctrines and remedies, so that they answer the newly mandated order of things. Then various theories will compete, each to deny the others. There is support in Australasian legal scholarship for considerable scepticism respecting any all-embracing theory in this field, with the treatment of the disparate as no more than species of the one newly discovered genus. … The areas in which the concept of unjust enrichment applies are specific and usually longestablished. [Citations omitted.] 56

3.46

However, even though, as the court pointed out in Farah, the areas in

which the concept of unjust enrichment applies are ‘long-established’, this does not rule out any development of the law. Concerns expressed by the court in Farah cannot be read as denying that the law of unjust enrichment (or any law for that matter) evolves. Even precedent requires something to be done for the first time.57 Examples of the evolution of the law in this context are Pavey and David Securities. In both of those cases, significant extensions of the law of unjust enrichment occurred. What is contended here is merely to extend the qualifying or vitiating factors recognised in mistake and total failure of consideration cases to cases where there is no intention to transfer value to a defendant. 3.47 Of course, the discussion above has only addressed one principal issue associated with extending unjust enrichment law in this context. Other issues would include being able to show that the defendant was actually enriched, that the enrichment was at the expense of the plaintiff (without merely assuming that they have standing) and that no defences applied in the circumstances.58 These issues however are more easily navigated than the threshold issues discussed above. _________________________ 1.

IceTV Pty Ltd v Nine Network Australia Pty Ltd [2009] HCA 14 (IceTV) at [139].

2.

Case C-46/02 Fixtures Marketing Ltd v Oy Veikkaus at [31].

3.

Art 7(2)(a), Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996.

4.

Art 7(2)(b).

5.

Art 7(4).

6.

Art 7(4).

7.

M Davison, The Legal Protection of Databases, Cambridge University Press, Australia, (2003), p 4.

8.

British Horseracing Board Ltd v William Hill Organization Ltd [2001] EWHC 516 (Pat.); [2001] IP & T 612 (BHB v WHO) at [60]. The parties conducted the case according to the text used in the Database Directive rather the laws that had been introduced in the United Kingdom to implement the Directive. This approach is evidently not uncommon in cases involving European Union legislation: see, for example, British Horseracing Board Ltd v William Hill Organization Ltd (BHB v WHO) [2005] EWCA Civ 863 at [8].

9.

See fn 8, BHB v WHO [2001] EWHC 516 (Pat.); [2001] IP & T 612 at [4]–[9].

10. See, for example, BHB v WHO [2001] EWCA Civ 1268 at [12]. 11. See, fn 8, BHB v WHO [2001] EWHC 516 (Pat.); [2001] IP & T 612 at [60] and [76]. 12. See fn 10, BHP v WHO [2001] EWCA Civ 1268 at [45]. 13. See fn, 10, BHB v WHO [2001] EWCA Civ 1268. 14. Fixtures Marketing Ltd v Oy Veikkaus Ab Case C-46/02 [2004] ECR I-10365; Fixtures Marketing Ltd v

Svenska Spel AB Case C-338/02 [2004] ECR I-10497. Fixtures Marketing Ltd v Organismos prognostikon agonon podosfairou AE (OPAP) Case C-444/02 [2004] ECR I-10549. 15. For a discussion about the uses of big data, see A McAfee and E Brynolfsson, ‘Data Drives Better Decisions’, Boss — Harvard Business Review, 12 November 2012, 46. 16. Of course, this issue does raise inside information issues which will be discussed in Chapter 8. 17. See also Fixtures Marketing Ltd v Svenska Spel AB Case C-338/02 [2004] ECR I-10497; Fixtures Marketing Ltd v Organismos prognostikon agonon podosfairou AE (OPAP) Case C-444/02 [2004] ECR I-10549. 18. Fixtures Marketing Ltd v Oy Veikkaus Ab Case C-46/02 [2004] ECR I-10365 at [37]. 19. British Horseracing Board Ltd v William Hill Organization Ltd of Case C-203/02, [2004] ECR I10461 (BHB) at [67]. 20. Google Inc, ‘Google Data Centers’, 2012, . 21. See fn 19, BHB at [70] and [82]. 22. See fn 19, BHB at [71]. 23. At [71]. 24. At [19]. 25. At [74]. 26. See fn 19, BHB at [76]–[80]. 27. See fn 8, BHB v WHO [2005] EWCA Civ 863 at [12]–[20]. 28. See fn 10, BHB v WHO [2001] EWCA Civ 1268 at [45]. 29. A Maggs and B Trimmer, ‘Are You Creating Data? Then the Database Directive is (Probably) Not for You!’, Wragge & Co, 21 March 2012, . 30. Case C-203/02, Opinion of Advocate General Stix-Hackl delivered on 8 June 2004, ECR I-10415. Opinions from Advocate Generals are provided for the ECJ to consider when making its rulings. These opinions are non-binding. 31. See fn 30, opinion of Advocate General Stix-Hackl at [38]–[40]. 32. See fn 1, IceTV at [147]. Apparently, the confusion was in part due to Nine’s attempts to demonstrate that the Weekly Schedule was in fact a reproduction of the Nine Database. From an evidential perspective this would have assisted its case in terms of proving authorship, which is not a relevant consideration in terms of this hypothetical. 33. At [119]. 34. Art 1(2), Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996. 35. Art 7(1). 36. See fn 1, IceTV at [53]. See also [108]–[118] per Gummow, Hayne and Heydon JJ. 37. See fn 1, IceTV at [179]. 38. See the Copyright and Rights in Databases Regulations 1997 (UK), reg 23. 39. See also reg 20. 40. See, for example, M Davison, The Legal Protection of Databases, Cambridge University Press, Australia, 2003, p 4. 41. See B Fitzgerald and L Gamertsfelder, ‘A Conceptual Framework For Protecting the Value of

Informational Products through Unjust Enrichment Law’, 1997, 16 Aust Bar Rev 257. 42. J Hutchinson and D Ramli, ‘Banks Dig for Data “Oil” in Online World’, 6 November 2012, . 43. See, for example, Div 5 of the Crimes Act 1900 (NSW). 44. See s 308H, Crimes Act. 45. Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479 (Victoria Park) at 509. 46. See fn 41, Fitzgerald et al, 260. 47. Moorgate Tobacco Co Ltd v Philip Morris Ltd [No 2] (1984) 156 CLR 414 (Moorgate) at 440. 48. At 441–2. 49. Pavey and Matthews Pty Ltd v Paul (1987) 162 CLR 221 at 256–7. 50. In Farah Constructions Pty Ltd v Say-Dee Pty Ltd [2007] HCA 22; (2007) 81 ALJR 1107 (Farah) at 379 per Mason CJ, Deane, Toohey, Gaudron and McHugh JJ, See also Australia and New Zealand Banking Group Ltd v Westpac Banking Corporation (1988) 164 CLR 662 at 673 per Mason CJ, Wilson, Deane, Toohey and Gaudron JJ. 51. See fn 50, Farah at [150]. 52. See ANZ Banking Group Ltd v Westpac Banking Corporation (1988) 164 CLR 662; David Securities Pty Ltd v Commonwealth Bank of Australia (1992) 175 CLR 353. 53. Pavey & Matthews v Paul (1987) 162 CLR 221; Baltic Shipping Co v Dillon (1993) 176 CLR 344. 54. See, further, fn 41, Fitzgerald et al, 271. 55. L Aitken, ‘Unforgiven: Some Thoughts on Farah Constructions Pty Ltd v Say-Dee Pty Ltd’, 2007, 29 Aust Bar Rev 195 at 205. 56. See fn 50, Farah at [151]. 57. A P Herbert, Uncommon Law, 3rd ed, Methuen & Co, London, 1937, p 109, cited in Aitken, see fn 55. 58. See, fn 41, Fitzgerald et al, 265, 271ff.

[page 75]

Chapter 4 Confidential Corporate Information

INTRODUCTION 4.1 The action for breach of confidence plays a large role in providing protection for corporate information, especially in protecting traditional forms of confidential corporate information such as management information and reports, strategy papers, business know-how, customer lists, business proposals and trade secrets. An equitable action for breach of confidence may be brought to prevent the disclosure of confidential information. The doctrine allows a court to ‘restrain the publication of confidential information improperly or surreptitiously obtained or of information imparted in confidence which ought not to be divulged’.1 4.2 Stewart et al have stated that the ‘closest our legal system comes to protecting “pure information” is by way of the action for breach of confidence’.2 So, an action for breach of confidence will provide protection for actual information itself (regardless of the form it takes) in appropriate cases whereas in copyright, for example, protection will only be afforded to the form in which the information is expressed. 4.3 This chapter will commence with a discussion of the key requirements that need to be satisfied in order for an ‘owner’ of corporate information to protect that information against a breach of confidentiality. Among other things, it will also examine how the equitable action of breach of confidence may be altered or supplemented by contract. [page 76]

THE REQUIREMENTS 4.4

The key requirements that a plaintiff needs to satisfy in order to bring a

successful action for breach of confidence are: proper identification of the information in suit; proof of standing to bring an action; and demonstration that the three key elements of the action are satisfied. These requirements are discussed in detail below followed by a review of potential defences to an unauthorised disclosure and remedies.

Identifying the information in suit 4.5 The first key step in a breach of confidence action is to identify with precision the information in suit. This is similar to the requirement that is regularly stressed by courts in copyright cases.3 But, unlike under copyright law, the information need not be expressed in ‘material’ form. A breach of confidence will still be actionable, if the information had been communicated entirely orally (or even visually),4 although a plaintiff must be able to describe the applicable information with a sufficient degree of specificity.5

Standing 4.6 Once the information in suit has been adequately identified, the next step in an action for breach of confidence involves identifying whether a putative plaintiff corporation ‘owns’ (in a broad sense) the applicable information. This is important in order to show that the corporation has the standing to bring a breach of confidence action. In this context a corporation’s contracting processes may be called in to support their case. A corporation will often have the benefit of an express term that confers ownership of any information or other material created by an employee in the course of their employment in the corporation. In addition, in the absence of express provisions, terms will often be implied in employment agreements with the effect that any information ‘discovered or created by the worker in the course of their employment will “belong” to the [page 77]

employer’.6 Thus, in the employment context, the information will usually belong to the corporation. Similarly, where a corporation engages a consultant or other third party under a contract for services, the contract will ordinarily address information ownership issues. If the relevant information originates in whole or part from the engagement of the third party, then the applicable contract will need to be reviewed to ascertain whether the corporation can claim sufficient ‘ownership’ of the information in suit to bring an action for breach of confidence. Where a corporation has not been diligent in contracting with third parties it may discover that information it thought it ‘owned’ actually belongs to a third party supplier. This would mean that the corporation would not have standing to bring an action for breach of confidence. 4.7 Assuming, however, that the two pre-conditions discussed in 4.5 and 4.6 can be satisfied, a plaintiff will then need to show that each element of the breach of confidence action is made out.

Elements of the action for breach of confidence 4.8 The classic statement of the three requirements that need to be satisfied in order to prove a breach of confidence is in Coco v A N Clark (Engineers) Ltd [1969] RPC 41 (Coco), where Megarry J held that: … three elements are normally required if, apart from contract, a case of breach of confidence is to succeed. First, the information itself … must ‘have the necessary quality of confidence about it’. Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it.7

4.9 The next sections will examine the manner in which the individual elements of this test have been interpreted, applied and extended in subsequent cases.

Element 1 — Necessary quality of confidence 4.10 Establishing that information had at all relevant times the necessary quality of confidence associated with it is essential in order to maintain an action for a breach of confidence. As an aside, an understanding of how confidence is maintained is also essential for other purposes. For example, it assists with the

analysis of whether an exception to mandatory disclosure under the Listing Rules and the Corporations Act 2001 (Cth) [page 78] is available8 and also in determining whether legal professional privilege may be lost.9 Understanding when information may be in the public domain will also assist in determining whether an allegation of insider trading can be sustained. 4.11 As noted above, in order to attract protection, information must also have a certain quality that warrants protection. A threshold principle is that information must relate to a developed idea or matter.10 For example, in Coco Megarry J spoke of information being a product of the human brain whether it be termed skill, ingenuity or originality.11 This concept cannot be taken too far though. Information could, as Megarry J further acknowledged in Coco, be constructed solely from materials which are common knowledge12 and need not be novel.13 Indeed, information need not have any commercial value, although the preservation of its confidentiality or secrecy ought to be worth protecting from the perspective of the plaintiff.14 Further, information in the public domain or trivial information will not be protected. However, the fact that information is known to other people will not mean it is not confidential.15 These issues were discussed in Johns v Australian Securities Commission [1993] HCA 56; (1993) 178 CLR 408 (Johns case). In Johns case Gaudron J explained that: The primary significance of the notion of “public domain” lies in the fact that no obligation of confidence and, hence, no right to confidence can come into existence unless the information involved has “the necessary quality of confidence”. Thus, it has been said that no obligation attaches to “trivial tittle-tattle” or to information “which is public property and public knowledge”. Information which lacks “the necessary quality of confidence” because it is “public property and public knowledge” or “common knowledge” is often said to be in the public domain. In that context, the question whether information is in the public domain is largely one of fact. That is not to say that questions of law may not arise because, for example, the material has been used in a particular way or in a particular forum. [Citations omitted.]16

[page 79]

It follows from the discussion above, that corporate information will be capable of satisfying the first element of the test in Coco so long as it is: the product of the human brain; not ‘trivial tittle-tattle’; and not in the public domain. However, in this context it is essential to stress the last point made by Gaudron J above, namely that the question of whether information is in the public domain, is largely one of fact. 4.12 Mason J in Commonwealth v John Fairfax & Sons Ltd [1980] HCA 44; (1980) 147 CLR 39 was of the view that ‘the circulation of about 100 copies of a book may not be enough to disentitle the possessor of confidential information from protection by injunction’.17 In Johns case it was held that the tendering of evidence to a court would result in the information tendered being put in the public domain. In that case, Brennan J explained this concept as follows: A defendant who, having received information in circumstances which impose a duty of confidence, makes a limited publication in breach of that duty, can be restrained from further breaching the duty by making a wider publication. But that is not the present case. Here the transcripts were exhibits tendered before the Royal Commission sitting in public. HWT and the ABC obtained copies of the exhibits as documents already in the public domain. When the proceedings of a court, tribunal or commission created by statute or in exercise of the prerogative are open to the public and a fair report of the proceedings can lawfully be published generally, it is not possible to regard information published in those proceedings as outside the public domain. Information published in those circumstances enters the public domain by a lawful gate. Once in the public domain, it can be freely used or disseminated. [Citations omitted.]18

In coming to this view, Brennan J relied in part on the UK decision in Marcel v Commissioner of Police of Metropolis [1992] Ch 225. In that case BrowneWilkinson VC observed that: … there can be no breach of the duty of confidence once the information or documents are in the public domain and the confidentiality has therefore disappeared. In the case of the … documents which have been read in open court, they have now lost their confidentiality by disclosure in open court.19

[page 80] 4.13 In relation to transitory disclosures of information, in G v Day [1982] 1 NSWLR 24 the plaintiff gave information to authorities which was subsequently relied on to exhume a body and conduct a further inquest into the death of the

person whose body was exhumed. The informant’s name had been mentioned fleetingly on television on two occasions. The plaintiff sought an injunction preventing further publication of his name. This was resisted on the basis that his name had entered the public domain. The court granted an injunction and reasoned, relevantly, that the brief disclosures on television did not put the informant’s name into the public domain. However, the court did note that if the disclosure had been in a newspaper (ie, a permanent form of disclosure) then different considerations may well have applied. In Kwok Fu Shing v Thang [1999] NSWSC 1034 Austin J commented as follows: Where information has been published on a non-confidential basis generally, it cannot be treated as confidential. But a prior transitory publication of information, which may not be remembered or discovered by all of those who would be interested in it, does not necessarily defeat an obligation of confidentiality, where what is sought to be restrained is a more permanent and enduring form of disclosure. Consequently, in my view, the publication of a verbal account of the contents of the videotape in Hong Kong would not prevent the plaintiff from enjoining the defendants from making the videotape available for viewing in a public way such as by release on the Internet.20

4.14 In Australian Football League v Age Company Ltd [2006] VSC 308 Kellam J was of the view in that case that speculation and gossip posted on social media sites were not enough to put information that was the subject of such speculation and gossip in the public domain. His Honour explained his reason for this decision as follows: If speculation, gossip or even assertion from an anonymous source, thus being incapable of being verified or in any way held accountable, is to be regarded as the putting of information in the public domain, then the opportunity for the unethical, and the malicious, to breach confidentiality and then claim that there is no confidentiality is unrestrained. For example, an unethical intending publisher could, without having access to confidential information, speculate by use of an assumed name, as to what might be confidential. This speculation could be placed on a number of discussion fora under a number of pseudonyms and asserted to be fact.21

[page 81] 4.15 Read together, these decisions can be summarised in two propositions. First, they indicate that if confidential information that has putatively been put into the public domain is not specific and not otherwise susceptible to being verified, then it is unlikely that such information will have been put in the public domain as a matter of fact. Second, they indicate that if a disclosure of confidential information is made in a public forum, but that disclosure is fleeting or brief, then that disclosure would also not constitute information being put in the public domain.

Accordingly, in relation to the first proposition, if information was posted to a social media site such as Twitter or Facebook, speculating about a secret product development by a corporation or an impending takeover by one corporation of another — but the post went no further than mere generalised speculation or supposition — then that post would not affect any confidentiality in the underlying matter. On the other hand, if the information that was posted was relatively specific and was also published in a mainstream newspaper (online or print) there is a strong argument that the relevant information would lose its confidential nature.22 In relation to the second proposition, if, for example, confidential corporate information was uploaded to a listed company’s Facebook site in error (such as information about the launch of a new product that was uploaded prematurely) and was only viewed by a few people prior to being taken down, that in itself would not render the relevant information non-confidential provided that the information was not disseminated by the few people who did view the applicable information. 4.16 Issues peculiar to corporate information Beyond the issues mentioned immediately above, the first element of the test articulated by Megarry J raises particular issues in relation to information that is used within a corporation. By its very nature corporate information will be disclosed to and used by a range of persons or entities associated with the corporation. For example, directors, officers and employees of the company will all need to have access to confidential corporate information over time. Consultants, advisers, auditors and business partners will also need to have access to and use such information. The disclosure to, and use by, a potentially large number of corporate actors will necessarily create a tension with the concept of confidentiality. [page 82] 4.17 In Ansell Rubber Co Pty Ltd v Allied Rubber Industries Pty Ltd [1967] VR 37 Gowans J had to consider whether a corporation had maintained sufficient confidentiality regarding its trade secrets. If the subject matter was not kept confidential or secret, then the defendants could not be found to have engaged in a breach of confidence. Gowans J referred to six factors set out in the

US Restatement of the Law of Torts (First) that determine trade secrecy.23 The factors cited by Gowans J were as follows: (1) The extent to which the information is known outside of [the corporation’s business]; (2) The extent to which it is known by employees and others involved in [the corporation’s business]; (3) the extent of measures taken by [the corporation] to guard the secrecy of the information; (4) the value of the information to [the corporation] and to [its] competitors; (5) the amount of effort or money expended by [the corporation] in developing the information; (6) the ease or difficulty with which the information could be properly acquired or duplicated by others.24

4.18 Ultimately, Gowans J applied these principles to the facts of the case and found in favour of the corporate plaintiff (ie, the information was confidential). Notwithstanding, that outcome it must be stressed that the factors outlined above constitute guidance only. Care should be used in applying them. Nevertheless, they do reflect a common sense approach to determining whether confidentiality of information has been maintained by a corporation. The guidance reflects a number of practical steps that corporations should take in managing confidential information. First, corporations should ensure that such information is only shared with any person (internal or external) on a ‘need-to-know’ basis (factors (1) and (2)). Second, a corporation should take reasonable steps to maintain confidentiality when disclosing or distributing information. For example, where appropriate, by obtaining confidentiality acknowledgements from employees, obtaining nondisclosure agreements from third parties, encrypting information or making information available via ‘read only’/password-protected websites and training staff on how to manage confidential information (factor 3). Should a potential breach situation arise, the corporation should be in a position to identify the applicable information with some specificity [page 83] (ie, identify the information in suit), the value of that information to the corporation and the investment it had to make in order to create that information (factors 4 and 5). Among other things, factor 6 goes to the nature and quality of the information in suit and alludes to the factors discussed in 4.10.

Element 2 — Circumstances importing an obligation of confidence 4.19 The second element identified by Megarry J was that the relevant information must be imparted in circumstances that import an obligation of confidence. Megarry J expressed the view that the second element should be approached as follows: [I]f the circumstances are such that any reasonable man standing in the shoes of the recipient of the information would have realised that upon reasonable grounds the information was being given to him in confidence, then this should suffice to impose upon him the equitable obligation of confidence.25

4.20 Relationship One factor that will put the reasonable person on notice in this context is the relationship between the discloser and the putative confidant. Where the relationship is commercial (ie, strategic alliance partners or joint venturers) or is one involving employment, then a court may more readily infer circumstances of confidentiality.26 In such cases, the second element of Megarry J’s test would be satisfied. However, in making this inference, a court would have to be satisfied that there was implicit agreement that confidentiality was required. 4.21 Compulsory, solicited and unsolicited communications In the absence of a relationship that gives rise to an inference in these cases, one needs to examine the particular circumstances in which the relevant information was communicated. If information is compelled, for example, by a regulator, then it is unlikely to adversely affect the confidentiality of the information. However, a particular threat to confidentiality exists where the applicable information is conveyed to another party in circumstances where the disclosure effectively amounts to a voluntary disclosure with no expectation, at least in the eyes of a reasonable person, of confidentiality arising. In general, confidentiality is unlikely to be adversely affected in circumstances where: [page 84] (1) disclosure of information was compelled by a regulator — If the disclosure of information is compelled, eg, by a regulator using its investigative powers, then it is arguable that the information that is disclosed does not lose its confidential status.27 Of course, if the same or similar information is

subsequently read out in open court and reported by the media, confidentiality will be lost as the relevant information will have entered the public domain. (2) information is obtained surreptitiously and improperly — In such cases, it is unlikely that confidentiality will be lost.28 For example, minutes of a directors’ meeting that have been surreptitiously obtained will not destroy confidentiality in that information. (3) information is received by accident — This is unlikely to affect the confidential nature of the information. An obligation of confidentiality can be recognised even if there is no particular relationship between the parties and no deliberate wrongdoing. This principle would apply when a person receives information that they know or ought to know is confidential, by virtue of the circumstances in which it is received.29 4.22

Confidentiality is likely to be adversely affected in circumstances where:

(1) the requested information was provided without any restrictions put on its use — Where information is disclosed to an individual who requested it and no explicit or implicit restrictions on its use or disclosure are sought by the party disclosing the information, it is likely that confidentiality will be lost.30 (2) unsolicited information was disclosed and no restrictions are put on its use — If a disclosing party discloses confidential information to another without seeking to impose any restrictions on its use or on its disclosure by the receiving party, it is likely that the applicable information will not be communicated in circumstances importing duty of confidence.31 [page 85] (3) information is blurted out in public — Information that is blurted out in public, whether at an industry function or a major conference, is likely to adversely affect the confidentiality of information.32 (4) information is obtained from reverse engineering — In a corporate context, confidential information can be obtained through the process of reverse engineering. Reverse engineering involves the study of a lawfully acquired product or service to ascertain the trade secrets or confidential information that influenced its design. The successful use of such techniques can lead to

confidentially being lost.33

Element 3 — Unauthorised use of that information to the detriment of the party communicating it 4.23 The third and final element of the test outlined by Megarry J comprises two sub-elements. First, under Megarry J’s formulation there must be unauthorised use. Second, that use must also cause detriment. 4.24 Unauthorised use Whether use of confidential information by a receiving party is unauthorised will depend on the scope of authorisation.34 In Telstra Corp Ltd v First Netcom Pty Ltd [1997] FCA 860, Telstra fulfilled the role of both a service provider to First Netcom and also a competitor in a different capacity. This type of arrangement can occur frequently in a range of industries within Australia, including telecommunications, information technology and financial services. A key issue that Lockhart, Beaumont and Hill JJ had to decide in this case was the scope of Telstra’s authority to use the Netcom customer lists for its own competitive purposes upon the termination of the service arrangements between Telstra and Netcom. The court expressed its view as follows: The question whether a duty of confidence exists in information will largely depend upon the circumstances in which that information is communicated. If the circumstances are such that a reasonable person would have realised that the information was communicated in confidence then that would generally suffice to impose the equitable obligation. In the present circumstances there is no doubt that customer details were supplied by First Netcom to Telstra solely for use by Telstra for the purposes of the telecommunication service agreement between them. It could scarcely be suggested that Telstra could use the information to promote its own and competing services without restraint. Indeed, a customer list is the most

[page 86] obvious example of information the confidentiality of which the courts will secure by injunctive relief. On the other hand, that does not necessarily mean that Telstra might not be able to utilize the information to communicate to customers of First Netcom, if so to do was within the scope of the purposes for which the information was communicated to Telstra, that is to say, for the purposes of giving effect to the agreement between First Netcom and Telstra for the provision of telecommunication services to persons who are customers of First Netcom and a fortiori of Telstra. If the situation were that, once Telstra terminated the agreement with First Netcom, customers of First Netcom would be left without a telecommunications service, then it may well be implicit in the relationship with First Netcom that Telstra should, or at least could, communicate with customers to

advise them that the agreement with First Netcom had come to an end, and that they had choices which included contracting with Telstra. However, we have been told from the bar table, and it appears to be common ground, that it may be possible for First Netcom to come to an agreement with another third party supplier for the provision of telecommunication services for First Netcom customers, so that the fact that the Telstra/First Netcom agreement had been terminated would not in any way affect customers, who would continue to be billed by First Netcom and have their local calls supplied by Telstra, albeit through a third party supplier. In these circumstances, in our view, it cannot be necessary for the purposes of the agreement between Telstra and First Netcom that customers of First Netcom be notified of the termination. Thus, for Telstra to use the customer list for the purpose of communicating to customers of First Netcom the fact of termination of the First Netcom/Telstra agreement (and in the result to obtain a commercial advantage) would be to use the list for a purpose for which it was not supplied to Telstra. In these circumstances, we think that the injunction restraining communication with customers of First Netcom should stand. [Citations omitted.]35

4.25 It is clear from this passage that the starting point in determining the scope of authorisation to use another corporation’s confidential information is the purpose for which the information was originally disclosed by the confider. However, the court clearly indicated that once the original purpose for disclosure comes to an end, the interests of parties other than the disclosing party’s interest could be a relevant factor when considering the scope of authorisation issues. In the First Netcom case, the interests of both First Netcom and Telstra were discussed in the context of the termination of their relationship. However, it must be stressed that ultimately the interests of Telstra were only contemplated as a last resort. As other options were available to [page 87] supply First Netcom customers, Telstra’s interests in taking advantage of First Netcom’s customer information were not allowed to prevail. 4.26 Disclosures to government The limited ability to consider the interests of confidees who are private parties can be contrasted with disclosures to the government. It seems that where the government or a government agency receives corporate information in discharging its public functions, its interests may be taken into account in determining the scope of any authorisation provider by a confider. In the case of Re Smith, Kline and French Laboratories (Australia) Ltd v The Secretary to the Department of Community Services and Health (1991) 20 IPR 643 (Smith, Kline and French), the Full Court of the Federal Court stated that:

The test of confider’s purpose will not ordinarily be appropriate where each party’s interest is quite different, and known to be so. Here, the confider’s purpose is simple and narrow, the confidee’s much broader. S K and F had only the purpose of having its applications approved. A person supplying confidential information to the government for the purpose of obtaining a licence (or a permission or concession) would ordinarily assume that the government would not destroy the application file after the confider had attained his purpose. The confider would probably expect that the information would be kept against the day when it might be needed to serve the government’s legitimate interests: for example, to provide a record in case the decision is challenged as improper; to enable statistical information to be collected; or, acting directly against the interests of the confider, to compare the information supplied with the confider’s subsequent performance, in determining whether to cancel the licence.36

The court then proceeded to develop this point by citing a statement by McHugh J in an earlier case. The relevant case was Attorney-General (UK) v Heinemann Publishers Australia Pty Ltd (1987) 10 IPR 153 where McHugh J said: [T]he relationship between the modern State and its citizens is so different in kind from that which exists between private citizens that rules worked out to govern the contractual, property, commercial and private confidences of citizens are not fully applicable where the plaintiff is a government or one of its agencies. Private citizens are entitled to protect or further their own interests, no matter how selfish they are in doing so … (b)ut governments acts [sic], or at all events are constitutionally required to act, in the public interest.37

[page 88] The statements in Smith, Kline and French contrast with the strict approach to authorisation developed in cases involving private parties. 4.27 A further point to note in the context of authorisation is that if the same information that is used by a confider is modified such that it cannot be characterised as the same information that was received in confidence, it may follow that the confider is free to do what it likes with that information. For example, if a corporation modifies personal information that it has received from customers (ie, it modifies the information so that the data subjects’ identities cannot be ascertained from the information ) so that it is not capable of breaching the confider’s interest (ie, the data subjects’ privacy) then any confidence in the information in its original form will not have been breached.38 This principle will be important in cases involving big data where corporations may collect or receive vast amounts of information from various sources for specific purposes (eg, conducting transactions with the corporation), but then seek to use that same information for data analytics. It is likely in this scenario that at least some of the information which the corporation originally

receives will be ‘owned’ by a third party. However, if the relevant information is de-identified or otherwise modified so that, post-transformation, it is not the same information that was originally received, the corporation may be able to argue that it does not require authorisation to use the transformed information. 4.28 Detriment In the case of corporate information, there is some doubt as to whether the detriment sub-element identified by Megarry J is actually required to be satisfied at all. Indeed, it is important to note the Megarry J himself did not conclusively determine the point in Coco.39 In the first instance decision of Smith Kline & French Laboratories (Australia) Ltd v Secretary, Department of Community Services and Health [1990] FCA 151 Gummow J expressed the view that ‘equity intervenes to uphold an obligation of conscience and not necessarily to prevent or to recover loss’ and that ‘the obligation of conscience is to respect the confidence, not merely to refrain from causing detriment to the plaintiff’.40 In that connection, Gummow J was of the view that what needed to be established was not detriment but rather that ‘there is actual or threatened misuse of [confidential] information, without the consent [page 89] of the plaintiff’.41 Johnson J echoed these observations in Rapid Metal Developments (Australia) Pty Ltd v Anderson Formrite Pty Ltd [2005] WASC 255 where his Honour stated that ‘the requirement for proof of detriment is inconsistent with the established notion that the basis for the exercise of equitable jurisdiction is to enforce the obligation of confidence’.42 More recently, the Full Federal Court in Optus Networks Pty Ltd v Telstra Corp Ltd [2010] FCAFC 21; (2010) 265 ALR 281 concluded that all that is required is that ‘there must be an actual or threatened misuse of the information without … consent’.43 Other cases have also questioned the need to satisfy the detriment requirement. In National Australia Bank Ltd v Idoport Pty Ltd [1999] NSWSC 964 Santow J expressed the following view in respect of the third element: Whether under the third element detriment is required, is open to question, though Mason CJ [sic] in Commonwealth v John Fairfax & Sons Ltd (1980) 147 CLR 30 at 50–57 concluded that it was an essential ingredient; per contra R P Meagher, W M C Gummow and J R F Lehane “Equity: Doctrines and Remedies[”] 3rd ed (1992) para 4110. Here I am satisfied the disclosure has sufficient potential to cause detriment, either in jeopardising legal privilege or potentially in seeking advantage in the litigation.

If the requirement for detriment is one that needs to be satisfied, Fitzgerald and Fitzgerald have noted that detriment will be readily inferred in ‘in most cases involving commercial … information’.44 It is also clear from the passage cited above from the National Australia Bank case that actual or potential detriment will suffice. In this context, in Commonwealth v John Fairfax & Sons Ltd, Stewart et al have commented that the curial statements in this context support the general proposition expressed in Attorney-General (UK) v Guardian Newspapers Ltd (No 2) [1988] 3 WLR 776 that:45 … it is in the public interest that confidences should be respected, and the encouragement of such respect may in itself constitute a sufficient ground for recognising and enforcing the obligation of confidence even where the confider can point to no specific detriment.46

[page 90] The statements by Mason J in in Commonwealth v John Fairfax & Sons Ltd concerning the necessity to demonstrate detriment in this context are best construed as applying to government information and not corporate information. That is, in cases where government has brought an action for a breach of confidence, it will be necessary for it to demonstrate detriment, but otherwise the more liberal interpretations of the requirement discussed above apply in relation the confidential information of non-government parties such as corporations. In any event, even in cases where the government is seeking to bring an action, Mason J noted that embarrassment may suffice to establish detriment.47

Controlling the use and disclosure of information by employees 4.29 A further issue in respect of the use of confidential corporate information by employees is the level of control that corporations can exert over the information actually disclosed to employees. This is a crucial matter in an economy where the volume and value of corporate information are increasing rapidly and in an environment where such information can be copied with relative ease in many cases by employees.48 The manner in which control can be exerted differs depending on whether employment is continuing or employment has ceased. 4.30

The obligations of an employee to their employer are to be determined by

the terms and conditions set out in the employment contract.49 In the absence of any express terms, an employee’s use and disclosure of confidential information are governed by implied terms.50 Of course, it would be possible for implied terms to co-exist with express terms as long as they were not inconsistent with the express terms. The key term that is implied into the employment contract is the duty of good faith and fidelity.51 The content of the duty can be summarised as follows: (1) The scope of the duty varies according to the nature of the employment contract.52 (2) The duty of good faith or fidelity will be breached if an employee creates or copies confidential information (eg, a list of the employer’s [page 91] customers) for use after their employment ceases or deliberately memorises such information despite the fact that there is no general prohibition on a former employer engaging in trade or commerce with a customer of a former employer or using their acquired knowledge in competition with a former employer (except of course in cases where a restrictive covenant applies).53 The implied term of fidelity and good faith falls away once employment comes to an end. However, following the cessation of employment, a narrower implied term will impose an obligation on the former employee not to use trade secrets (or equivalent information) of the former employer. Examples of trade secrets are chemical formulae54 and designs or special methods of construction.55 Importantly, however, the post-employment obligation goes no further than this. In the absence of a restrictive covenant, the employee is generally free to use any other information acquired during the course of their employment. The distinction is neatly explained by Cross J in Printers and Finishers Ltd v Holloway [1964] 3 All ER 731 where his Honour said: In this connexion one must bear in mind that not all information which is given to a servant in confidence and which it would be a breach of his duty for him to disclose to another person during his employment is a trade secret which he can be prevented from using for his own advantage after the employment is over, even though he has entered into no express covenant with regard to the matter in hand. For example, the printing instructions were handed to [the first defendant] to be used by him during his employment exclusively for the plaintiffs’ benefit. It would have been a breach of duty on his part to divulge any of the contents to a stranger while he was employed, but many of

these instructions are not really “trade secrets” at all. [The first defendant] was not, indeed, entitled to take a copy of the instructions away with him but insofar as the instructions cannot be called “trade secrets” and he carried them in his head, he is entitled to use them for his own benefit or the benefit of any future employer.56

4.31 It is evident from the above discussion that much turns on whether information is a trade secret or is equivalent to a trade secret. The court in Faccenda expressed the view that in order to determine whether information is a trade secret, or other confidential information that may be used after employment ceases, one must have regard to all [page 92] the circumstances of the case. The court also noted that in conducting this analysis it may be useful to have regard to the following factors:57 (1) The nature of the employment — Employees who routinely handle sensitive information may be subject to a higher standard as they may be expected to appreciate the sensitive nature of the relevant information as opposed to an employee that only comes into contact with sensitive information infrequently. (2) The nature of the information — The term implied post-employment will only apply to trade secrets of information which, while not properly described as a trade secret, is in all the circumstances of such highly confidential nature that it requires the same protection as trade secrets. (3) Whether the employee made it clear that the information was confidential — The duty implied post-employment may apply more readily to information where an employer takes overt steps to make it known to employees that certain information is a trade secret or is otherwise of an equivalent nature. (4) Whether the information was kept separate from other non-confidential or less confidential information — Where putatively highly confidential information is co-mingled with other information that is plainly less confidential or not confidential at all, it will be unlikely that the implied duty will apply to the former information.

Express confidentiality terms

4.32 Contractual clauses can co-exist with58 and be used to modify or extend the equitable obligations of confidence. The advantages of contractual provisions are that they may provide more specificity regarding the scope of the obligation of confidentiality, the purposes for which the information may be used and the duration of the obligation.59 However, one potential disadvantage is that if the relevant provisions are not drafted carefully, they may be unenforceable as a restraint of trade unless a plaintiff can demonstrate the reasonableness of the restraint. In Maggbury Pty Ltd v Hafele Aust Pty Ltd [2001] HCA 70; 210 CLR 181 the appellants sought to have injunctive relief restored that would make the respondents treat certain information as confidential in perpetuity. This is indeed what the express covenants in a confidentiality [page 93] deed required. The difficulty was that the appellants themselves had made the relevant information public. The majority held that the terms of the deed infringed the common law doctrine of restraint of trade. As no steps were taken to show that the restraints of trade in the form of the relevant provisions could be justified as reasonable in the interests of the public and the parties, they were invalid.60 Interestingly, the majority also stated that the fact that a term that is a restraint of trade has been freely bargained for ‘provides no sufficient reason for concluding that the doctrine [of restraint of trade] should not apply’.61 4.33 In light of the decision in Maggbury, corporations should take care in using contractual devices to overreach in terms of the protection they seek for confidential information. While a contract may be able to clarify and perhaps even incrementally extend obligations of confidence that may be imposed by equity, Maggbury indicates that if a corporation seeks to go too far beyond the boundaries that would be acceptable at equity, then the doctrine of restraint of trade may render such provisions invalid. It is clear that the scope of the protections that may be provided for at equity will be a reference point for assessing the reasonableness of any contractual obligation that is sought to be imposed. For example, the majority in Maggbury noted that if the relevant restraint in the deed had a time limit after the public

disclosure of the applicable information, the majority considered that such a term would be reasonable as a ‘head start’ handicap.62 Such a concept is analogous to the ‘springboard doctrine’ in equitable breach of confidence cases: see 4.40.

DEFENCES Just cause or excuse 4.34 There is some doubt about the scope to plead a defence in relation to disclosures of confidential information under Australian law.63 The basic principle is that liability for disclosure will not be imposed where the defendant has ‘just cause or excuse’ for making the disclosure.64 However, what constitutes a just cause or excuse is not entirely clear. [page 94] Helpfully, Stewart et al have identified the development of two distinct approaches in case law. In one line of cases it seems that disclosure will be excused where it reveals an iniquity65 or ‘any misconduct of such a nature that it ought in the public interest to be disclosed’.66 Mason J has interpreted the iniquity rule as making legitimate disclosures that would ‘protect the community from destruction, damage or harm’ and went on in that case to state that ‘[i]t has been acknowledged that the defence applies to disclosures of things done in breach of national security, in breach of the law (including fraud) and to disclosure of matters which involve danger to the public’.67 These statements show that the iniquity rule has been interpreted quite broadly and does not specifically require the identification of any specific wrong or misconduct by a person,68 although that will obviously follow in cases involving the disclosure of, for example, fraud. In the other line of cases, a slightly broader approach seems to be developing where disclosure is excused ‘whenever the public interest in publication outweighs the public interest in confidentiality’.69 Although Stewart et al acknowledge that the latter approach has been rejected by some Australian judges.70 4.35 Regardless of which approach may prevail over time, it is clear in a corporate context that the tests do require a fairly high threshold to be satisfied

for the otherwise unauthorised disclosure of corporate information to be excused. Accordingly, it would be a fairly rare event for the defence to apply to most unauthorised disclosures of corporate information.

Disclosures by whistleblowers 4.36 Whistleblower legislation permits the disclosure of information (including confidential information) in certain circumstances. To fall within the terms of the relevant provisions, a whistleblower must be a current officer of a company, a current employee of a company or a person who has an existing contract for the supply of good or services [page 95] to a company (or an employee of such as person).71 If such a person has reasonable grounds for suspecting that certain information indicates that the company or an officer or employee of the company may have contravened a provision of the Corporations law, they may disclose such information to any of the following: ASIC; an auditor of the company; or a director, secretary or senior manager or other authorised person.72 The disclosure must however be made in good faith.73 If a disclosure of information is made under the relevant provisions, the person making the disclosure cannot, among other things, be subject to any civil or criminal liability nor can any contractual or other remedy (eg, equitable) be enforced against that person.74 This immunity applies even if the suspicions of the whistleblower ultimately turn out to be ill founded. 4.37 The allegations levied at management of Autonomy Corp plc (prior to its acquisition by Hewlett-Packard) are an example of the type of situation in which the whistleblower provisions could be engaged. The allegations relate to the internal accounting practices of Autonomy. Put simply, the allegations were that Autonomy overstated its book value by at least US$5 billion by misstating revenue and by utilising other accounting devices in breach of accounting standards.75 Presumably this was in order to justify a higher sale price to Hewlett-Packard which bought Autonomy in late 2011. The relevant allegations came to light through disclosure by a whistleblower (who was an employee of the merged HP-Autonomy entity at the time of making

the allegations). The whistleblower provisions can be characterised as an extension of, or supplement to, the ‘iniquity rule’, discussed at 4.33.

Legal compulsion 4.38 Disclosures that occur under legal compulsion will be excused by law. An example of a statute which may require the disclosure of confidential corporate information is the continuous disclosure regime.76 Under that regime information must be disclosed in certain circumstances and the fact that the information is confidential will not always justify non-disclosure.77 Disclosure of confidential information would also be [page 96] compelled by law if it is required to satisfy a notice to produce78 or an order for discovery.79 The confidential nature of information will not excuse nondisclosure, although in these cases special rules may be put in place to manage the relevant disclosure, especially where a competitor is involved in the litigation.80 Other disclosures of confidential information compelled by law include those in response to notices served by a regulator.81

LIABILITY AND REMEDIES 4.39 A key distinction between the protection afforded by contract and equity in relation to breaches of confidence is that a contractual remedy will depend on identifying a wrong doing by a party where privity exists. In the case of equity, the net can be cast much wider for potential defendants. This is important because confidential information can rapidly find its way into the hands of parties that have no direct relationship with the confider. Information may pass between contracting companies, into the hands of related parties and then be disseminated to third parties. In respect of equitable actions, Stewart et al’s analysis of the relevant case law leads them to express the view that: … the courts have adopted a broad approach in this context and any party who receives information ‘as a result of another’s breach of confidence may be liable for using or disclosing it, or restrained from doing so, once they have actual or constructive notice of the breach. No dishonesty need be shown.82

4.40 This is an entirely appropriate approach given the ease in which the laws of breach of confidence could otherwise be circumvented. Innocent third parties would seem to have two arguments available to them in order to mitigate any injustice that may arise in these cases. First, a party should not be held to account for profits or be liable to pay compensation prior to having actual or constructive knowledge of a breach of confidence. Second, a party could argue that no liability [page 97] should be imposed where they changed their position to their detriment in reliance on the information prior to being on notice of a breach.83 4.41 The primary remedies for a breach of confidence are injunctions (both interim and final), account of profits and damages. In particular cases injunctions will be granted even though the relevant confidential information has entered the public domain. This remedy is based on the ‘springboard doctrine’. The seminal statement of the doctrine is found in Roxburgh J’s judgment in Terrapin Ltd v Builders’ Supply Co (Hayes) Ltd [1967] RPC 375 where he stated that: … a person who has obtained information in confidence is not allowed to use it as a spring-board for activities detrimental to the person who made the confidential communication, and spring-board it remains even when all the features have been published or can be ascertained by actual inspection by any member of the public.84

What this means in practice for corporations which are bound by confidentiality obligations is that they cannot use information the subject of those obligations for commercial purposes until such time as the information has been put in the public domain and a sufficient period of time has passed which will allow the information to be fully absorbed by the market. In Terrapin the plaintiff had shared confidential designs of pre-fabricated structures it was developing with the defendant. The plaintiff subsequently supplied the structures to the market meaning that the information that was contained in the designs was able to be ascertained by the market generally through observation, analysis or reverse engineering. However, these processes take time. The defendant attempted to gain a ‘head start’ on competitors by utilising the designs it had received from the plaintiff to make its own prefabricated structures in competition with the plaintiff. Notwithstanding the confidential information was now available in the public domain, the court

granted an injunction sufficient to handicap the defendant until such time as the market had absorbed the information that had been made available.85

CONCLUSION 4.42 It is important to be aware of the key concepts and principles that underpin the law of confidentiality due to the vital role that they play in [page 98] protecting the value in corporate information. An understanding of the law in this context assists corporations to recognise situations that create legal risk for them (either as confiders or confidees) and provides insights into how to design and implement appropriate controls to manage that risk. Further, knowledge of these concepts and principles also throws light on the application of other information laws. For example, the law of confidentiality helps inform legal analysis of continuous disclosure obligations, the application of legal professional privilege (ie, in determining when confidentiality may be lost) and also whether information has entered the public domain for the purposes of the insider trading laws. _________________________ 1.

Commonwealth v John Fairfax & Sons Ltd [1980] HCA 44; (1980) 147 CLR 39 at [21] per Mason J, citing Lord Ashburton v Pape (1913) 2 Ch 469 at 475 per Swinfen Eady LJ.

2.

A Stewart, P Griffith and J Bannister, Intellectual Property in Australia, 4th ed, LexisNexis Butterworths, Australia, 2010, 6.1.

3.

See, for example, IceTV Pty Ltd v Nine Network Australia Pty Ltd [2009] HCA 14 at [150] per Gummow, Hayne and Heydon JJ; Telstra Corporation Ltd v Phone Directories Company Pty Ltd [2010] FCA 44 at [27] per Gordon J.

4.

Seager v Copydex Ltd (1967) RPC 349.

5.

See Coco v AN Clark (Engineers) Ltd [1969] RPC 41 (Coco) at 57 per Megarry J; Optus Networks Pty Ltd v Telstra Corp Ltd [2010] FCAFC 21; (2010) 265 ALR 281 at [39].

6.

See fn 2, Stewart et al, 4.1.

7.

See fn 5, Coco at 47.

8.

See Listing Rule 3.1A and Pt 6CA Corporations Act 2001 (Cth).

9.

See, for example, Esso Australia Resources v Commissioner of Taxation [1999] HCA 67; 201 CLR 49,

and ss 117 and 118, Evidence Act 1995 (Cth). 10. Fraser v Thames Television [1983] 2 All ER 101. See also H K Frost Holdings Pty Ltd (in liquidation) v Darvall McCutcheon (a firm) [1999] FCA 570 at [60]–[61] per Finn J. 11. See fn 5, Coco at 47. 12. At 47. 13. Talbot v General Television Corp Pty ltd [1980] VR 224. 14. Moorgate Tobacco Co Ltd v Philip Morris Ltd (No 2) (1984) 156 CLR 414 at 438 per Deane J. 15. See Franchi v Franchi [1967] RPC 149. 16. Johns v Australian Securities Commission [1993] HCA 56 (Johns) at [7] per Gaudron J. 17. See fn 1, Commonwealth v John Fairfax & Sons Ltd at [38]. 18. See fn 16, Johns at [29] per Brennan J. 19. Marcel v Commissioner of Police of Metropolis [1992] Ch 225 at 237. See also Attorney-General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109 at 215, 268 and 282. 20. Kwok Fu Shing v Thang [1999] NSWSC 1034 at [33]. His Honour also cited academic work in support of this approach: see also J Stuckey-Clarke in P Parkinson (ed), The Principles of Equity, Lawbook Co, Australia, 1996 at pp 436–437. 21. Australian Football League v Age Company Ltd [2006] VSC 308 at [55] per Kellam J. 22. It should be noted that the Australian Securities Exchange adopts a similar approach to determining when information loses its confidential nature for the purposes of the Listing Rules. The ASX will consider that specific and accurate speculation by analysts or the media will be compelling evidence that confidentiality has been lost for the purposes of the continuous disclosure rules: see ASX Listing Rules Guidance Note 8 (2013), 27 and Listing Rules 3.1 and 3.1A. 23. The US Restatement of the Law of Torts (First), see Art 757. 24. Ansell Rubber Co Pty Ltd v Allied Rubber Industries Pty Ltd [1967] VR 37 at 49–50. 25. See fn 5, Coco at 48. 26. See fn 2, Stewart et al, 4.9. 27. See fn 16, Johns. 28. Franklins v Giddins [1978] Qd R 72. See ABC v Lenah Game Meats Pty Ltd [2001] HCA 63; 208 CLR 199 at [34]–[43] per Gleeson CJ for a discussion about when private acts of a corporation may be entitled to protection. See also Hellewell v Chief Constable of Derbyshire [1995] 4 All ER 473 at 476 regarding the surreptitious recording of private acts. 29. See fn 19, Attorney-General v Guardian Newspapers Ltd (No 2) at 281 per Goff LJ. 30. Trevorrow v South Australia (No 4) (2006) 94 SASR 64. 31. Fractionated Cane Technology Ltd v Ruiz-Avila (1987) 8 IPR 502. 32. See fn 5, Coco at 47–8. 33. Mars UK Ltd v Teknowledge Ltd (1999) 46 IPR 248. 34. See Saltman Engineering Co Ltd v Campbell Engineering Co Ltd [1963] 3 All ER 413; (1948) 65 RPC 203; Ackroyds (London) Ltd v Islington Plastics Ltd [1962] RPC 97. 35. Telstra Corp Ltd v First Netcom Pty Ltd [1997] FCA 860 at 869. 36. Re Smith, Kline and French Laboratories (Australia) Ltd v The Secretary to the Department of Community Services and Health (1991) 20 IPR 643 at 655.

37. Attorney-General (UK) v Heinemann Publishers Australia Pty Ltd (1987) 10 IPR 153 at 254, cited in Re Smith, Kline and French, see fn 36, at 656. 38. See R v Department of Health; Ex parte Source Informatics Ltd [2000] 2 WLR 940. 39. Megarry J noted that the authorities were divided on this point: see fn 5, Coco at 48. 40. Smith Kline & French Laboratories (Australia) Ltd v Secretary, Department of Community Services and Health [1990] FCA 151 at [134]. 41. See fn 40, Smith Kline & French Laboratories (Australia) Ltd at [54]. 42. Rapid Metal Developments (Australia) Pty Ltd v Anderson Formrite Pty Ltd [2005] WASC 255 at [78]. 43. See fn 5, Optus Networks Pty Ltd v Telstra Corp Ltd at [39]. 44. A Fitzgerald and B Fitzgerald, Intellectual Property: In Principle, Lawbook Co, Australia, 2004, 7.50. 45. See fn 2, Stewart et al, 4.13. 46. Attorney-General (UK) v Guardian Newspapers Ltd (No 2) [1988] 3 WLR 776 at 782. 47. See fn 1, Commonwealth v John Fairfax & Sons Ltd at [35]. 48. See J Hutchinson, ‘Small Business Suffer from Theft of Data’, Australian Financial Review, 11 December 2012, p 23. 49. Faccenda Chicken Ltd v Fowler [1986] 1 All ER 617 (CA) (Faccenda) at 625. 50. At 625. 51. At 625. 52. Vokes Ltd v Heather (1945) 62 RPC 135. 53. See, for example, Robb v Green [1895] 2 QB 215; Wessex Dairies Ltd v Smith [1935] 2 KB 80. 54. Amber Size and Chemical Co Ltd v Menzel [1913] 2 Ch 239. 55. Reid Sigrist Ltd v Moss Mechanism Ltd (1932) 49 RPC 461. 56. Printers and Finishers Ltd v Holloway [1964] 3 All ER 731 at 738 ff. See also E Worsley & Co Ltd v Cooper [1939] 1 All ER 290. 57. See fn 49, Faccenda at 626–7. 58. See fn 5, Optus Networks Pty Ltd v Telstra Corp Ltd at [37]–[38]. 59. See, further, A Fitzgerald and D G Eliades, Intellectual Property, 3rd ed, Thomson Reuters, Australia, 2008, pp 118–21. 60. Maggbury Pty Ltd v Hafele Aust Pty Ltd [2001] HCA 70; 210 CLR 181 (Maggbury) at [57] per Gleeson CJ, Gummow and Hayne JJ. Note that Kirby J and Callinan J, in separate judgments, would have allowed the appeal. 61. See fn 61, Maggbury at [56] per Gleeson CJ, Gummow and Hayne JJ. 62. At [50]. 63. See fn 44, Fitzgerald et al, 7.55. 64. Fraser v Evans [1969] 1 QB 349. 65. See Gartside v Outram (1856) 26 LJ Ch 113 at 114. 66. Initial Services Ltd v Putterill [1968] 1 QB 396. 67. See fn 1, Commonwealth v John Fairfax & Sons Ltd at [50]. 68. See also Minister for Immigration and Citizenship v Kumar (2009) 238 CLR 448 at [27], citing R G

Toulson and C M Phipps, Confidentiality, 2nd ed, Sweet & Maxwell, United Kingdom, 2006, §6-022, in a passage that supports the proposition that misconduct on the part of a person needs to be identified in order for disclosures to be excused. 69. See fn 2, Stewart et al, 4.19. 70. See fn 2, Stewart et al, 4.19. 71. See s 1317AA(1)(a) of the Corporations Act 2001 (Cth). 72. See ss 1317AA(1)(b) and 1317AA(1)(d). 73. See s 1317AA(1)(e). 74. See s 1317AB. 75. See, for example, P Svensson, ‘HP Says Fraud Prompted $5 Billion Overpayment’, 21 November 2012, . 76. See Pt 6CA Corporations Act. 77. See, further, Chapter 5. 78. See, for example, r 21.10, Uniform Civil Procedure Rules 2005 (NSW). 79. See, for example, r 21.2. 80. See J Hunter, C Cameron and T Henning, Litigation, 7th ed, LexisNexis Butterworths, Australia, 2005, 7.45. 81. See, for example, notices that can be served by the respective regulators under s 30, Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act), under s 155 of Competition and Consumer Act 2010 (Cth) or under s 264 of the Income Tax Assessment Act 1936 (Cth). It should be noted that a regulator is subject to its own obligation of confidentiality in respect of that information (see s 127, ASIC Act) unless that information is ultimately disclosed in court: see discussion re Johns case at 4.10. 82. See fn 2, Stewart et al, 4.14. 83. See fn 2, Stewart et al, 4.15. 84. Terrapin Ltd v Builders’ Supply Co (Hayes) Ltd [1967] RPC 375 at 391. 85. See P Radan and C Stewart, Principles of Australian Equity and Trusts, LexisNexis Butterworths, Australia, 2009, 8.117.

[page 99]

Part 3 Limits on Information Sovereignty



[page 101]

Chapter 5 Disclosure and Investor Protection

INTRODUCTION 5.1 The focus of Chapter 5 is on the laws that impact on a corporation’s sovereignty over its own information by mandating that the corporation make certain disclosures of this information. These laws are:1 periodic disclosure laws; laws requiring disclosures when making offers of securities; laws requiring disclosures in takeovers; disclosure required under product disclosure statements; and continuous disclosure laws. These laws are to be contrasted with those discussed in Chapter 6 (‘Disclosures and Consumer Protection’) that are engaged when a corporation releases information to others voluntarily. 5.2 The overarching aim of all the laws listed above is to address information asymmetry (ie, where one party possesses more or superior information compared to another), although the approach in each area of law differs. The aim of these disclosure laws is to ‘promote market confidence and to ensure the development of a transparent and [page 102] well-informed securities market where every participant has equal access to information and participates on a level playing field’.2 Self-evidently, these laws are designed to protect investors. Investor protection laws generally have a strong focus on process rather than outcomes. That is, if

the processes used to prepare and verify the relevant information are reasonable, the person that prepared the information will, broadly speaking, not be liable for losses that arise due to reliance on that information (even where the information is erroneous).3 However, the continuous disclosure laws differ in one respect. Those laws impose strict liability on a corporation for a failure to comply with disclosure requirements,4 but include a ‘reasonable steps’ defence in respect of persons involved in a contravention. The imposition of strict liability for breaches of continuous disclosure laws aligns with a consumer protection philosophy whereas the inclusion of a ‘reasonable steps’ defence reflects an investor protection philosophy. 5.3 The essential focus of the discussion below is on the substantive information that a corporation must disclose under the applicable laws, rather than on the administrative or other steps that must be taken in this context.5 The focus is also on the tests applied to determine what information needs to be disclosed. Fundamentally, all of the laws discussed in this chapter have one central aim. That is, to ensure the disclosure of information that, at its most basic, will inform a decision of, or have an influence on a decision by, an investor. These laws achieve this outcome by the imposition of various forms of civil and criminal liability on relevant parties. The laws attempt to balance potential liability by reference to the concept of reasonableness. That is, the concept of reasonableness is generally manifest in either an element of a contravention or an element of a defence. The philosophy upon which the various approaches are based is implicitly that no person should be punished if they are acting reasonably. But this begs the question: how does one demonstrate that they have acted reasonably? A key requirement in this context will be the ability to lead evidence concerning the use of appropriate due diligence processes supported by, among other things, effective policies and training. [page 103] The due diligence approach to compliance in this area is essential, as ascertaining what is required to be disclosed in any context will be ‘a matter for judgment and assessment in light of all the evidence, facts and circumstances in each particular … context and this will necessarily differ from case to case’.6 An

appropriately adapted due diligence process will allow all of the relevant evidence, facts and circumstances to be considered so that appropriate judgments and assessments can be made and tested.

PERIODIC DISCLOSURE 5.4 The periodic disclosure regime is the cornerstone of corporate disclosure laws. The obligations set out in the periodic disclosure laws are conditioned in many cases by reference to a test of ‘reasonableness’ or ‘reasonable steps’. Recent case law has provided guidance on just what such tests require. A failure to comply with the periodic disclosure laws can result in significant liability for companies and their directors and officers. The core obligations in this area of the law relate to the production of three primary documents which must be prepared each financial year7 in respect of certain regulated entities. These are: the financial report for a financial year; the directors’ report for a financial year; and the auditor’s report. Each of these reports and their requirements will be discussed below.

The financial report 5.5 Under s 292 of the Corporations Act public companies (among other entities) must provide a financial report and a directors’ report annually. A ‘financial report’ for a full financial year must contain the following: the financial statements for the year (ie, the profit and loss statement for the year; balance sheet as at the end of the year; statement of cash flows for the year; and, where required by accounting standards, a consolidated set of financial statements;8 [page 104] the notes to the financial statements;9 and

the directors’ declaration about the financial statements and notes. The financial report must comply with applicable accounting standards.10 Further, the financial statements and the notes to those statements must give a ‘true and fair’ view of the financial position and performance of the applicable reporting entity.11 The requirements concerning the directors’ declarations are interesting because they provide one illustration of how the concept of ‘reasonableness’ tempers the otherwise strict application of liability in the context of the periodic disclosure laws. The directors’ declaration includes the ‘solvency declaration’. That is, a declaration by the directors that, in their opinion: there are reasonable grounds to believe that the company will be able to pay its debts as and when they become due (s 295(4)(c)); and declarations that in the directors’ opinion the financial report complies with accounting standards and provides a ‘true and fair view’ (s 295(4)(d)). The concept of ‘reasonableness’ is imported into these provisions by virtue of the requirements set out in ss 180(1) and 344. It is also implicit in the nature of an opinion. The Full Federal Court in Australian Securities and Investments Commission v Fortescue Metals Group Ltd [2011] FCAFC 19 explained the law relating to opinion as follows: … [a] statement which is ordinarily and reasonably understood as a statement of opinion is not apt to mislead if the opinion is genuinely and reasonably held by the maker of the statement. That is because the audience would understand that the statement was made on the basis that it expresses a view on which a different opinion might also be entertained, not a matter of fact about which no doubt can be entertained.12

Accordingly, if the ‘reasonableness’ touchstones are satisfied in this context, liability will not be imposed even if the opinion is ultimately found to be incorrect. [page 105]

The directors’ report 5.6 The annual directors’ report must contain both general and specific information. In relation to general information, among other things, s 299(1) provides that the directors’ report must:

contain a review of operations during the year of the entity reported on and the results of those (a) operations; and (b) give details of any significant changes in the entity’s state of affairs during the year; and (c) state the entity’s principal activities during the year and any significant changes in the nature of those activities during the year; and (d) give details of any matter or circumstance that has arisen since the end of the year that has significantly affected, or may significantly affect: (i)

the entity’s operations in future financial years; or

(ii) the results of those operations in future financial years; or (iii) the entity’s state of affairs in future financial years; and (e) refer to likely developments in the entity’s operations in future financial years and the expected results of those operations; and (f)

if the entity’s operations are subject to any particular and significant environmental regulation under a law of the Commonwealth or of a State or Territory–give details of the entity’s performance in relation to environmental regulation.

Under s 299A, additional general information must also be included where an entity is listed. This refers to information that members of the listed entity would reasonably require to make an informed assessment of: (a) the entity’s operations; (b) the entity’s financial position; and (c) the entity’s business strategies and prospects for future financial years.13 The requirements set out under ss 299(1)(d) and 299A were the subject of litigation in Australian Securities and Investments Commission v Healey [2011] FCA 717 (Healey No 1). We will discuss that issue in some detail below. In relation to both the general information that is required to be reported and the additional information that listed entities must provide, material may be omitted from the directors’ report if such material is likely to result in unreasonable prejudice to the reporting entity or group. If material is omitted on this basis, the report must say so.14 5.7 In terms of the specific information that is required to be set out in the directors’ report, an entity must include information on: dividends [page 106] and distributions; details about directors; potential conflicts between officers of the entity who also play a role in the audit firm of the entity; options issued by the company and to whom they are issued.15 Additional specific information requirements for public companies include: additional information about the

directors’ experience, qualifications and special responsibilities; and details about attendance by directors at board meetings and their interests in the entity.16 Further, public companies must also include a remuneration report which outlines a range of details that must be included in relation to director and senior executive remuneration.17

The auditor’s report 5.8 In addition to the requirements set out above, the annual financial report must be audited.18 The audit must be conducted in accordance with applicable auditing standards.19 A key requirement in this context is that the auditor must report to members on whether: the auditor is of the opinion that the financial report is in accordance with the Corporations Act, including whether the report complies with accounting standards; and it provides a ‘true and fair view’ of the financial position and performance of the applicable reporting entity.20

Liability 5.9 Civil liability Directors and officers21 may incur civil liability in connection with a failure by a company to comply with the periodic [page 107] reporting obligations discussed above. Where a company fails to lodge required reports in accordance with statutory requirements, directors and officers may be liable for a breach of their duties under s 180(1) (statutory duty of care) and directors may further be liable for a breach of s 344 (statutory duty to take all reasonable steps to ensure that periodic reports comply with the law). Such contraventions are both civil penalty provisions under s 1317E, attracting a maximum penalty of $200,000 for individuals.22 It may also lead to compensation orders under s 1317H or injunctions and other orders under s 1324.

Disqualification orders could also be imposed under s 206C. In addition, the company and any other person involved in a contravention of the law (including directors, officers and auditors) may be liable in a civil action (including in a class action) for providing misleading or deceptive information in a report to investors and the market.23 5.10 In many cases, civil liability will be the main legal consequence flowing from a failure to lodge compliant reports primarily because of the lower standard of proof required in such cases. It is very difficult to establish criminal culpability for an information offence beyond all reasonable doubt in light of the inherent subjectivity involved in such cases. On the other hand, proving civil liability on the balance of probabilities is a comparatively easier task. Civil liability issues in this context were considered in detail in Healey No 1, discussed later in the chapter. It is clear from that case that the touchstone for liability will be whether defendants take ‘reasonable steps’ to ensure that reports contain certain information. The relevant obligations do not require perfection. 5.11 Criminal liability Section 319 of the Corporations Act imposes an obligation on a company24 to lodge any report it must prepare or obtain within prescribed periods.25 An offence based on s 319 is subject to strict liability.26 A contravention of s 319 is punishable by a fine of up [page 108] to 25 penalty units and/or six months imprisonment.27 Section 344(2) of the Act provides that a person commits an offence if they fail to take all reasonable steps to ensure compliance with Pt 2M.2 (financial records) and Pt 2M.3 (financial reporting) and the contravention is dishonest. The penalty for a breach of that provision is a maximum fine of 2000 penalty units and/or imprisonment for up to five years.

Liability of directors and officers 5.12 In Healey No 1 (see 5.6) a key issue was whether the directors and officers of entities within the Centro group of companies were liable for a failure to disclose information required to be disclosed in reports by virtue of ss 299 and 299A of the Corporations Act. It was alleged that the relevant group of

companies failed to disclose approximately $2 billion of short-term liabilities by classifying them as non-current liabilities, and failed to disclose guarantees of short-term liabilities of an associated company of about US$1.75 billion that had been given after the balance date.28 The failure to correctly classify the relevant debts was found to amount to a failure to provide relevant information in accordance with the applicable accounting standards in breach of s 296 and a failure to give a true and fair view of the financial position and performance of the relevant entities contrary to s 297. The failure to disclose the guarantees given after the balance date was held to be a failure to comply with the requirement to include a material matter in the directors’ report in accordance with s 299(1)(d) and a failure to include in the directors’ report a matter that members of the entity would have reasonably required to be included under s 299A.29 In turn, both of these failures amounted to a breach under s 298. The combined effect of these failures was that the directors (and one officer) [page 109] failed to take reasonable steps to ensure compliance with the periodic disclosure regime and therefore the directors breached their obligations under ss 180 and 344 and the relevant officer (the chief financial officer) breached his obligations under s 180. 5.13 In coming to its conclusions, while there was no finding of dishonesty on the part of any of the directors, the court in Healey No 1 found: … in the specific circumstances the subject of this proceeding, that the directors failed to take all reasonable steps required of them [under s 344], and acted in the performance of their duties as directors without exercising the degree of care and diligence the law requires of them [under s 180(1)].30

In the penalty hearing associated with Healey No 1, the directors applied to be exonerated from liability under ss 1317S and 1318 of the Act, but that application failed: Australian Securities and Investments Commission v Healey (No 2) [2011] FCA 1003 (Healey No 2). However, except in the case of the managing director, Mr Scott, no penalties were imposed on the non-executive directors.31 In Healey No 2 the court imposed a $30,000 fine on Mr Scott.32 5.14 In relation to Mr Nenna (the chief financial officer of the Centro group and an ‘officer’ for the purposes of the Corporations Act), the court held in

Healey No 1, largely based on admissions Mr Nenna made in the proceedings, that he had contravened s 180(1).33 In Healey No 2 the court declared that Mr Nenna has breached the law by recommending to the directors a resolution to approve the relevant annual financial report and the directors’ report where he knew, or ought to have known, that the reports did not comply with the law and by failing to take all reasonable steps to rectify such non-compliance.34 Mr Nennal applied to be exonerated from liability under ss 1317S and 1318 of the Act, but that application also failed. A two-year management disqualification order was imposed on Mr Nenna.35 [page 110] 5.15 The liability findings in Healey No 1 beg a critical question: what reasonable steps should directors and officers take in preparing and approving the information that is required to be set out in periodic reports? In summary, Middleton J was of the view that ‘directors of substantial publicly listed entities are required to apply their own minds to, and carry out a careful review of, the proposed financial statements and the proposed directors’ report, to determine that the information they contain is consistent with the director’s knowledge of the company’s affairs, and that they do not omit material matters known to them or material matters that should be known to them’.36 5.16 Reasonable steps under s 344 More specifically, in respect of the duty of directors to take ‘all reasonable steps’ under s 344, in Healey No 1 Middleton J observed that: … the standard of “all reasonable steps” is determined objectively by reference to the particular circumstances of the case37… any assessment of ‘reasonable steps’ must be made in the circumstances as they were at the time, rather than with the benefit of hindsight38 directors [are required to] take a diligent and intelligent interest in the information either available to them or which they might appropriately demand from the executives or other employees and agents of the company39 a director is obliged to inform himself or herself as to the financial affairs of the company to the extent necessary to form each year the opinion required for the directors’ statements. Although that is only an annual obligation, it presupposes sufficient knowledge and understanding of the company’s affairs and its financial records to permit the opinion of solvency to be formed40

5.17 In terms of reliance by directors on others in this context, in Healey No 1 Middleton J expressed the view that: … it cannot be denied that directors have been and are entitled to rely upon specialist advice.

However, everything will depend upon the circumstances of the case, and whether a director has taken all reasonable steps will depend upon an analysis of the facts before the Court. Undoubtedly, what is encompassed by taking all “reasonable steps” will differ depending upon the entity, the complexity of the entity’s business and the internal

[page 111] reporting procedures within the entity. However, it will also depend on the nature of the task the director is obliged to undertake.41

5.18 Duty of care and diligence of a reasonable person The conclusions that Middleton J reached in Healey No 1 in relation to the obligation of ‘all reasonable steps’ under s 344 did not differ markedly from the conclusions his Honour reached in relation to the substance of directors duties under s 180(1). In explaining the scope of the directors’ obligations under s 180 of the Act, Middleton J made the following observations: Directors are required to take reasonable steps to place themselves in a position to guide and monitor the management of the company. A director must become familiar with the fundamentals of the business in which the corporation is engaged; a director is under a continuing obligation to keep informed about the activities of the corporation; directorial management requires a general monitoring of corporate affairs and policies, and a director should maintain familiarity with the financial position of the corporation …42 While directors are required to take reasonable steps to place themselves in a position to guide and monitor the management of the company, they are entitled to rely upon others, at least except where they know, or by the exercise of ordinary care should know, facts that would deny reliance. There was no suggestion in this proceeding that the reliance on others was not warranted, nor was there any prior alerting to cause trust in those whom the directors had relied upon was misplaced …43 The salient feature here is that each director armed with the information available to him was expected to focus on matters brought before him and to seriously consider such matters and take appropriate action. This task demands critical and detailed attention, and not just ‘going through the motions’ or sole reliance on others, no matter how competent or trustworthy they may appear to be. Directors cannot substitute reliance upon the advice of management for their own attention and examination of an important matter that falls specifically within the Board’s responsibilities as with the reporting obligations. The Act places upon the Board and each director the specific task of approving the financial statements. Consequently, each member of the board was charged with the responsibility of attending to and focusing on these accounts and, under these circumstances, could not delegate or ‘abdicate’ that responsibility to others.44

[page 112] 5.19

In addition to the matters canvassed by Middleton J above, in Healey No

1 his Honour was of the view that in order to discharge their obligations under the Corporations Act directors must ‘have the ability to read and understand the financial statements’45 and have ‘a sufficient knowledge of conventional accounting practice concerning the basic accounting concepts in accounts, and to apply that knowledge based upon the information each director has or should have if he or she adequately carried out their responsibilities’.46 Further, Middleton J observed that a director will not be excused from liability merely because they have to deal with voluminous materials. In this connection, Middleton J noted that: A board can control the information it receives. If there was an information overload, it could have been prevented. If there was a huge amount of information, then more time may need to be taken to read and understand it. The complexity and volume of information cannot be an excuse for failing to properly read and understand the financial statements. It may be for less significant documents, but not for financial statements.47

5.20 It is clear from Healey No 1 that where the law explicitly imposes an obligation on a director (eg, under s 344) the scope for reliance on others will be narrower than might otherwise be the case. The directors must not merely rely on management and external advisers. They should act, at least in the context of periodic disclosures, ‘as the final filter, taking care to read and understand the financial accounts’.48 It is also clear that the engagement of external assistance and the implementation of a due diligence process alone will not satisfy the directors’ legal obligation, especially where a material, apparent mistake is made in statutory reports. As Middleton J noted in the case: … [t]he omissions in the financial statements the subject of this proceeding were matters that could have been seen as apparent without difficulty upon a focussing by each director, and upon a careful and diligent consideration of the financial statements. As I have said, the directors were intelligent and experienced men in the corporate world. Despite the efforts of the legal representatives for the directors in contending otherwise, the basic concepts and financial literacy required by the directors to be in a position to properly question the apparent errors in the financial statements were not complicated.49

[page 113]

Class action liability 5.21 In addition to the internal management liability issues discussed above, a failure to comply with periodic disclosure laws creates potential liability for a

company, its directors and its officers through a class action. While it is true that a class action is merely an aggregation of claims that could theoretically be brought severally, it is more likely than not that failures by listed companies to comply with periodic disclosure laws will be the subject of one or more class actions rather than numerous individual claims. Indeed, the failures by the Centro group in relation to periodic disclosure generated a number of class actions against the company. 5.22 Claims against the company In 2012 a hearing (involving numerous class actions) commenced in the Federal Court concerning allegations that the Centro group caused loss to investors due to its failure to comply with disclosure laws. Proceedings that were representative of the numerous class actions in this context were those commenced in the name of Richard Kirby v Centro Properties Ltd VID326/2008, Federal Court of Australia (Melbourne) (Centro). The headline claims in the Centro class action were for $600 million.50 The first principal claim made against the defendants in the Centro class action related to the ‘classification issue’.51 Put simply, the investors claimed that the misclassification of short-term liabilities in the relevant periodic reports understated current debt and overstated non-current debt. These statements were claimed to be in breach of the prohibitions against misleading conduct in the Corporations Act, the Australian Securities and Investments Commission Act (2001) (Cth) (ASIC Act) and the Fair Trading Act 1999 (Vic).52 The second primary allegation made against defendants in the Centro class action related to the ‘refinancing risk issue’. The essence of this claim was that the defendants failed to disclose to the market, in circumstances where they had an obligation to do so, that they had short-term debt which was about to mature and that they could not refinance that debt or could only refinance it at an increased cost. It was alleged that this was a contravention of the continuous disclosure obligations in s 674 of the Corporations Act.53 [page 114] The classification issue and the refinancing risk issue were the subject of extensive evidence in Healey No 1 and there is no doubt that the consideration of those issues helped the Centro class action plaintiffs develop their pleadings. In this sense, it can be seen that regulatory action by regulators can subsidise to some extent downstream civil proceedings.

In addition to the class action claims discussed above, the defendants claimed against their auditor, PricewaterhouseCoopers (PwC). The principal claim involved allegations that PwC engaged in misleading or deceptive conduct by making representations to their clients (ie, Centro entities) concerning the relevant financial statements the subject of the audit. Among other things, the applicable Centro entities claimed that ‘PwC represented that the financial statements were appropriate for approval by the Board of Directors in that they complied with the Corporations Act and relevant accounting standards, including AASB101, when in fact they did not’.54 The Centro entities denied liability in relation to the claims against them in the class actions and PwC denied liability to the applicable Centro entities in respect of the claims made against it on a number of grounds. Ultimately, the class action cases and the claims against PwC were not the subject of a final judgment as they were settled for a global sum of $200 million.55 In this sense, the case demonstrates the magnitude of the liability that can flow from failure to comply with periodic disclosure laws, even where the failure is a consequence of inadvertence. 5.23 Claims against directors and officers The potential liability in these cases however does not stop at the boundaries mapped out in Healey No 1 and Healey No 2. For example, it is entirely possible for investors to bring actions against directors and officers for misleading or deceptive conduct under s 1041H of the Corporations Act (or comparable legislation) or for a breach of s 674 (continuous disclosure) in the circumstances in which liability for the defendants was alleged to arise in the Centro class actions. The liability of directors and officers in relation to claims for misleading or deceptive conduct would be as principals. In the Full Court of the Federal Court in Arktos Pty Ltd v Idyllic Nominees Pty Ltd (2004) ATPR 42-005, the court held that: … [t]he authorities show that a director of a corporation who acts on its behalf in the course of trade or commerce also acts himself or herself

[page 115] in trade or commerce and, if the corporation is liable [for misleading conduct] …, they also attract primary liability under the same statute.56

A director or officer would also potentially be liable to pay damages for a breach of s 674 under either s 1317H or s 1324.

5.24 Liability for auditors The discussion regarding the Centro related proceedings above also amply illustrates the legal exposure that auditors face when periodic reports they audit are found to contain incorrect or misleading information. In addition to the exposure mentioned above, auditors also face breaching audit-specific provisions of the Corporations Act. For example, it is an offence punishable by a fine of up to 50 penalty units not to conduct an audit in accordance with auditing standards as required by s 307A. In the Centro case, the lead auditor ultimately offered an enforceable undertaking to ASIC (which ASIC accepted) in connection with alleged audit failings, under which he undertook not to act as an auditor for two and a half years.57

Conclusions — periodic disclosure laws 5.25 The proceedings relating to Centro provide guidance as to what the ‘reasonable steps’ test requires in the context of periodic disclosures. They also vividly demonstrate the significant duties of officers and, particularly, directors with respect to periodic disclosure. Importantly, those matters also demonstrate the expansive nature of liability in this context. In order to manage the legal risk in this context it would be good practice to implement due diligence-like procedures in respect of some, or key, aspects of the preparation of periodic reports. The next section discusses the disclosure obligations under fundraising provisions.

FUNDRAISING AND DISCLOSURES 5.26 In this section we will discuss the nature of the information that is required to be disclosed in connection with the offer of securities or fundraisings.58 This section will not review in any detail other requirements (procedural or otherwise) associated with fundraisings [page 116] as the core focus of this book is on information governance and, more specifically in this section, mandatory information disclosures. The key disclosure document in the context of capital raisings is the prospectus.59 As such, the discussion in this section will concentrate on the principal disclosure

obligations under prospectuses. There are two categories of information that need to be disclosed in this context: specific information and general information. Any information contained in a prospectus must also be expressed in a clear, concise and effective manner: s 715A of the Corporations Act.60

Specific information 5.27 The specific information that is required to be included in a prospectus basically relates to details about the terms of the offer being made, information about interest and fees and other administrative matters.61

General information — reasonable investor standard 5.28 The general information that must be set out in the prospectus is ‘all the information that investors and their professional advisers would reasonably require to make an informed assessment’ of the matters set out in the table set out below:62 Disclosures Type of offer Matter that must be addressed The rights and liabilities attaching to the securities offered. 1

Offer to issue (or transfer) shares, debentures or interests in a managed investment scheme.

The assets and liabilities, financial position and performance, profits and losses and prospects of the body that is to issue (or issued) the shares, debentures or interests.

[page 117]

The

rights

and

liabilities

attaching to: –

the interest or option;



the underlying securities.

for an option–the capacity of the person making the offer to issue or deliver the underlying securities. If the person making the offer is: 2

Offer to grant (or transfer) a legal or equitable interest in securities or grant (or transfer) an option over securities.



the body that issued or is to issue the underlying securities; or



a person who controls that body;

the assets and liabilities, financial position and performance, profits and losses and prospects of that body. if s 707(3) or (5) applies to the offer–the assets and liabilities, financial position and performance, profits and losses and prospects of the body whose securities are offered. The general disclosure obligation is cast in broad terms. It is often referred to as the ‘reasonable investor test’ or standard.63 As Austin and Ramsay note, the essential matters that need to be disclosed relate to the ‘rights and liabilities that are acquired through the investment, and matters about the relevant body going to the assessment of the value of the securities (assets and liabilities, financial position and performance, profits and losses and prospects)’.64 The reasonable investor test is one of the broadest disclosure obligations imposed by law. However, it is subject to two important limitations. First, the prospectus must contain information about the above matters ‘only to the extent to which it is reasonable for investors and their professional advisers to expect to

find the information in the prospectus’.65 Second, such information is required to be set out in the prospectus ‘only if a person whose knowledge is relevant: (i) actually knows the information; or (ii) in the circumstances ought reasonably to [page 118] have obtained the information by making enquiries’.66 Historically, these limitations have been applied in such a way as to actually expand the amount of information disclosed.67 Over-disclosure in this connection was identified as an issue in the Explanatory Memorandum (EM) to the Corporate Law Economic Reform Program Bill 1998. Paragraph 8.5 of the EM provided as follows: The requirement that a prospectus contain all information that investors and their professional advisers ‘expect to find’ has in practice expanded the disclosure test. For example, in practice issuers have had regard to other prospectuses and included certain types of information merely because it has been included historically or is contained in other prospectuses. This is not the intention of the provision. The words ‘expect to find’ are intended to limit, and not expand, the disclosure test.

Accordingly, the expressions ‘only to the extent’ and ‘only if a person’ in s 710(1) should be read as limitations. Further clarification on how to interpret and apply the reasonable investor test is set out in s 710(2) and (3). Notwithstanding the points raised above, it is still not always clear what information the test actually requires to be included in a prospectus. Some further guidance can be derived from commentators and case law. Both the interpretation of the reasonable investor test in connection with prospectuses and in connection with takeovers are relevant here as the reasonable investor test applies in takeover contexts where securities are offered as consideration: see s 636(1)(g).

Case law concerning the reasonable investor test 5.29 In Pancontinental Mining Industries Ltd v Goldfields Ltd (1995) 16 ACSR 463 Tamberlin J observed at 475 that what information is necessary to discharge disclosure obligations: … is a matter for judgment and assessment in the light of all the evidence, facts and circumstances in each particular… context and this will necessarily differ from case to case.

Austin and Ramsay state that the information ‘professional advisers would reasonably require or expect to find … in a prospectus in order to make [an] informed assessment of the stated matters must be judged objectively by

reference to the material that is available publicly to professional advisers; it is not relevant to refer to the reasoning process actually employed by officers of the company or to other confidential or private information’.68 However, in GIO Australia Holdings Ltd [page 119] v AMP Insurance Investment Holdings Pty Ltd (1998) 29 ACSR 584 (GIO) Emmett J was of the view that the fact that a bidder, subject to the reasonable investor test: … has material upon which it is prepared to base its decision to invest in [a target] does not necessarily lead to the conclusion that that information is appropriate for disclosure.

His Honour went on to indicate in that case that one must balance disclosure with the benefits of the potential disadvantages of disclosure of information, especially where the relevant information is be based on speculation in so far as it relates to the operations of GIO.69 The general thrust of these statements though leads to a narrowing of the potential scope of the duty. 5.30 A further problematic issue in this context is whether the reasonable investor test requires the inclusion of forward-looking statements or profit forecasts in prospectuses. Section 728(2) of the Act provides that: A person is taken to make a misleading statement about a future matter (including the doing of, or refusing to do, an act) if they do not have reasonable grounds for making the statement.

The issue concerning forward-looking statements arises because s 710, as part of the reasonable investor test, requires the disclosure of information concerning the prospects of a body issuing securities. In GIO, Emmett J was of the view that: … [f]orecasting, by its very nature, is prone to error. On the other hand, so long as a forecast is accompanied by appropriate caveats and details of underlying assumptions, a forecast will nevertheless be of greater assistance than no forecast at all. If an offeror has a reasonable basis for giving a combined entity forecast, such a forecast ought to be given.70

Accordingly, issuers need to consider whether they can point to one or more reasonable bases for including forward-looking statements in a prospectus. Something more than ‘information that is speculative or based on mere matters of opinion or judgment’ is required though as it will not be supported by reasonable grounds.71 Conversely, a statement that is too specific or not appropriately qualified may also breach the law. For example, in Westfi Ltd v

Blend Investments Pty Ltd (1999) 31 ACSR 69 a bidder made a takeover offer for all of the shares in the target. The consideration included scrip, hence the relevance of this case [page 120] in the context of prospectuses.72 Among other things, the bidder statement included an unqualified dividend forecast. This was to the effect that the bidder’s profit would remain unchanged despite the fact that the target entity had experienced recent losses and therefore it would be unlikely to make a positive contribution to profits on an expanded capital base (assuming that the takeover occurred). The court was of the view that the specific statement regarding dividends was a prediction and that no basis for it was set out in the bidder’s statement. Alternatively, it was of the view that if it were not capable of being characterised as a prediction, it was ‘misleadingly framed so as to read as if it were one’.73 In this context, Wheeler J expressed the view (echoing Emmett J in GIO) that: … [w]hile forecasting is by its very nature prone to error, so long as the forecast is accompanied by appropriate caveats and details of underlying assumptions, a forecast would nevertheless be of greater assistance than no forecast at all. If an offeror has a reasonable basis for giving a combined entity forecast, such a forecast should be given.74

5.31 In practice, the application of this test and the disclosure it requires needs to be considered in light of the relevant case law and subject to diligence processes in order to effectively manage legal risk associated with a defective prospectus.

Defects in prospectuses 5.32 Section 728 prohibits the offer of securities under a defective disclosure document. Section 728 creates three separate prohibitions. A person will contravene the Act if they offer securities under a prospectus (or any other disclosure document):75 that contains a misleading or deceptive statement;76 [page 121]

that omits material required to be in that document by law;77 where a new circumstance arises following lodgement of the prospectus and that circumstance would have been required by law to be disclosed in the prospectus if it had arisen before the disclosure document was lodged.78 In relation to forward-looking statements included in a prospectus or other disclosure document, a ‘person is taken to make a misleading statement about a future matter (including the doing of, or refusing to do, an act) if they do not have reasonable grounds for making the statement’: see s 728(2). A contravention of any of the prohibitions contained in s 728(1) confers a right on any person who suffers loss as a result of the relevant contravention to recover that loss from a range of persons connected with the disclosure document, including the person making the offer and each director of the body making the offer.79 A contravention of the law in this context will amount to a criminal offence where a breach of s 728(1) is materially adverse from the point of view of an investor.80 Baxt et al describe this offence as involving a person withholding ‘bad news’ from investors81 although a prosecutor would have to prove that the relevant person had this intention.82 The maximum penalty for this offence is 200 penalty units and/or five years imprisonment. 5.33 The severe penalties imposed under ss 728 and 729 were recast into their present form by the Corporate Law Economic Reform Program Act 1999 (Cth). Paragraph 8.1 of the Explanatory Memorandum accompanying the applicable Bill stated that a purpose of the sections was ‘to ensure that issuers continue to provide full disclosure in the associated prospectus’ and to ensure that ‘issuers will be liable to [page 122] investors in relation to the prospectus’.83 However, the level of liability associated with defective prospectuses and other disclosure documents is moderated by the defences that are available.

Defences

5.34 There are a number of defences to liability for a defective prospectus. The key defences are the so-called due diligence defence and the reasonable reliance defence.84

Due diligence defence for prospectuses 5.35 The due diligence defence is set out in s 731. Under s 731 a person will not be liable under s 729 or commit an offence under s 728(3) in connection with a prospectus85 if the person: made all inquiries (if any) that were reasonable in the circumstances; and after doing so, believed on reasonable grounds that the statement was not misleading or deceptive; or after doing so, believed on reasonable grounds that there was no omission from the prospectus in relation to that matter. 5.36 In order to establish this defence, a person would need to demonstrate that an effective due diligence program was designed and implemented.86 Such a program would need to be appropriate in light of the size, scale and complexity of the issuer. The program would need to demonstrate that it facilitated an active and critical process of inquiry.87 Another important reference point in this context will be the governance practices and procedures used in the industry generally and the extent of the similarity between those practices and procedures and those adopted by the relevant entity.

General defence for all disclosure documents 5.37 In addition to the specific defence in relation to defective prospectuses mentioned above, a defence that may excuse liability for [page 123] defective prospectuses and all other disclosure documents is set out in s 733. Section 733(1) provides that liability will not arise under s 729 or s 728(3) if they reasonably relied on information given to them by others. This defence is only available however if the reliance is placed in someone other than a director, employee or agent of the issuing company. For these purposes, a person is not

considered an agent of the company merely because they perform a particular professional or advisory function for the company: s 733(2). Rajapakse notes that s 733(2) recognises that: … when disclosure documents are prepared, much of the information they contain is likely to come from outside experts and professional advisers … As a matter of policy, it seems reasonable that the issuer should be able to rely on the expertise of external experts and professional advisers, since this is why professional advisers are engaged in the first place. [References omitted.]88

5.38 What will constitute reasonable reliance on information provided by others will need to be determined on the facts of a given case. However, it has been held in an analogous context that reliance on erroneous legal advice can constitute reasonable reliance.89 Given that an issuer will always engage lawyers to assist with the preparation of a prospectus, the reasonable reliance defence is one legal risk mitigant available to persons who would otherwise be liable under s 729 or s 728(3).

Conclusions — fundraising and disclosures 5.39 The fundraising provisions of the Corporations Act impose some of the most stringent disclosure obligations on companies, directors and other persons at law. An understanding of these obligations is a first step towards compliance; although, in practice it will be the steps that corporations and their human agents take in the designing and implementing due diligence programs to minimise the risk of issuing a defective document. There is a clear emphasis in this area of the law on the use of robust due diligence processes. Parties ignore this emphasis at their peril.

TAKEOVERS AND DISCLOSURES 5.40 This section discusses key information disclosures that need to be made in connection with takeovers.90 The key disclosures required to be [page 124] made in a takeover context need to be set out in takeover documents. A list of all takeover documents is set out below: (a) a bidder’s statement;

(b) a takeover offer document; (c) a notice of variation of a takeover offer; (d) a target’s statement; (e) a compulsory acquisition notice under s 661B or s 664C; (f)

a compulsory buy out notice under s 662B, s 663B or s 665B; and

(g) a report that is included in, or accompanies, a statement referred to in (a) to (f) above. This section will focus on the content requirements of two key takeover documents: the bidder’s statement and the target’s statement.

Disclosure under a bidder’s statement 5.41 Section 636(1) of the Corporations Act sets out 14 categories of information that must be included in a bidder’s statement. For example, a bidder must include in its statement its name,91 the date of the statement92 and any cash payable (if any) for bid securities.93 For present purposes, the focus will be on one requirement, namely the general disclosure requirement in s 636(1)(m). The reason that this disclosure requirement is the focus of this section is because it is one that is comparatively difficult to apply in practice. Section 636(1)(m) provides that a bidder’s statement must, in addition to the inclusion of the specific information required, include information that: (a) is material to a security holder’s decision whether to accept an offer; (b) is known to the bidder; and (c) does not relate to the value of the securities offered as consideration under the bid.94 However, the bidder does not need to disclose this information if it would be unreasonable to do so because it was previously provided. [page 125] 5.42 The requirement in s 636(1)(m) is designed to complement the specific heads of disclosure elsewhere in s 636(1),95 but the scope of the requirement

should not be read down by reference to the specific requirements set out in s 636(1): Citrus Petroleum NL v OMV Australia Pty Ltd (1999) 32 ACSR 1. However, subsection (m) is applied only to actual knowledge of material matters unlike s 710 (in relation to fundraising), that requires actual knowledge or knowledge that ought reasonably to have obtained by making reasonable enquiries. Another difference is that s 636(1)(m) sets out a reduced standard for information already disclosed to the holders of securities in the target entity, whereas prospectus disclosure has the same reduced level only in relation to continuously quoted securities: s 713.96 Accordingly, the disclosure standard in s 636(1)(m) imposes, at least in theory, a lower standard of disclosure when compared to the prospectus standard. 5.43 In Pancontinental Mining Industries Ltd v Goldfields Ltd, Tamberlin J derived 11 principles from case law concerning the disclosure requirements under s 636. The relevant principles for present purposes are set out below (citations omitted):97 Materiality is a question for the court although evidence may be tendered to enable the court to understand why certain matters are material or why they are not. It is a question of mixed fact and law and it depends on the facts and is to be determined on a case by case basis. The underlying policy is the desirability of ensuring that the acquisition of shares in companies takes place in an efficient, competitive and informed market. The disclosure of speculation is not required and indeed is to be avoided. There is a distinction between information which might be useful and relevant for a shareholder in the offeree company and information which is in fact known to the offeror at the date of the [bidder’s] statement. The object is to put shareholders in possession of the information required to enable them to make an informed and critical assessment of the offer and an informed decision whether to accept it. Information is material which could affect the shareholders’ assessment of whether the offeror is likely to improve its offer, the prospects of a competing offer, and the prospects of the shares if retained. A relevant question is

[page 126] whether the information would assist shareholders to assess critically the attractiveness of the offer. Consideration of a [bidder’s] statement involves a question as to whether full and sufficient information has been given to enable the offeree to make a judgment concerning how valuable the acquisition will be to the offeror, and thus of making an informed assessment of whether the offeror may be prepared to pay more for the shares than its offer suggests. Materiality of information, where there is a complex proposal, involves difficult questions of

commercial judgment and matters of degree as to future conduct about which there can be honest and reasonable differences of opinion. It is necessary to bear in mind that the statement should illuminate the issues rather than confuse them by canvassing all the pros and cons of every possibility. The objective is to present a document which can be understood by members of the public and which does not confuse. This includes a considerable degree of selectivity designed to confine the information to that which is really useful. An avalanche of trivial detail is to be avoided. [The bidder’s] statement must be read fairly as a whole and not in discrete parts or selectively.

These themes have been echoed in other cases. For example, see Cultus Petroleum NL v OMV Australia Pty Ltd (1999) 32 ACSR 1 at 3 for the requirement that circumstances of the bid must always be taken into account. In Aberfoyle Ltd v Western Metals Ltd (1998) 84 FCR 113, Finkelstein J held that the obligation under 636(1)(m) does not extend to speculation or opinions; it relates to facts not opinions or assessments based on variable assumptions or predictions. Therefore, no evaluation of target shares or economic modelling of those shares needs to be disclosed. However, in Re Primac Holding Ltd (1996) 22 ASCR 212 Dowsett J distinguished between information (that must be disclosed if material) and opinions in the sense of business judgments that do not need to be disclosed — although the opinion of an expert such as a valuer may well be inside the scope of the materiality disclosure obligation. In GIO Australia Holding Ltd v AMP Insurance Investment Holdings Pty Ltd (1998) 30 ACSR 102 Emmett J expressed the view that a financial forecast by the bidder of the combined entity which would be produced by a successful bid should be made and disclosed if there were reasonable grounds for making the forecast. However, his Honour did not make an order in that case compelling AMP to provide such forecasts and tempered his views by stating that ‘there are difficulties in making forecasts and, on one view, their utility is in any event quite limited’.98 [page 127] 5.44 To the extent that there is any disagreement in the cases as to what needs to be included in a statement, Austin and Ramsay believe that these differences can be explained by the facts of each case. In particular, Austin and Ramsay are of the view that the scope of disclosable material under a cash bid, as opposed to a scrip bid (or cash and scrip bid), is likely to be much narrower.99 Although one should not take this reasoning too far. A holder of the class of securities the

subject of a bid requires all material information in order to assess whether they will receive appropriate consideration for their shares.

Disclosure under a target’s statement 5.45 The target’s statement is an opportunity for the directors to provide information and views to shareholders about bids or competing bids so as to influence their response to those bids. A target’s statement must include a statement by each director recommending why an offer should be accepted or rejected and the reasons for the director making such a recommendation.100 In addition to other requirements, a target’s statement must include all relevant information that holders of the bid class securities and their professional advisers would require in order to make an informed assessment of whether to accept the offer: s 638(1). However, only information which is reasonable for investors and their advisers to expect to find in the statement needs to be included.101 In this sense, the test is a ‘reasonable investor’ test, but there is a critical difference from the reasonable investor test set out in s 710: the only information that needs to be included in a target’s statement is information known to the directors of the target.102 Additional limitations on the required scope of disclosure are set out in s 638(2). For example, the target does not have to provide any information that the holders of the relevant securities would reasonably be expected to know at the time of the bid. 5.46 In addition to statutory disclosure duties set out above, a director owes a general duty to not mislead shareholders. Also a potential duty of care when recommending acceptance: Coleman v Myers [1977] 2 NZLR 225. These duties supplement the disclosure duties contained in s 638 and must be considered when the directors turn their minds to the preparation of the target statement. [page 128]

Relationship between takeover disclosure laws and other information laws 5.47 Austin and Ramsay identify circumstances that may give rise to a party being subject to competing obligations under takeover disclosure laws, on the one hand, and other information laws on the other which would make it difficult

or impossible to comply with the disclosure obligations under the takeover disclosure laws. For example, if a bidder obtains confidential information relating to a target via the bidder’s nominee directors on the board of the target, the bidder may be prevented from making a bid for the target if that information is material for the purposes of s 636(1)(m). The argument is that the bidder may be restrained from disclosing the relevant information because of the duties of confidence owed by the nominee directors to the target. In those circumstances, the bidder could not comply with the disclosure obligations under s 636(1)(m). A related problem is that if the information was not made generally available (in the bidder’s statement or otherwise), the bidder could also be in breach of the insider trading laws.103 One potential way around this problem is for nominee directors to ensure that the arrangements concerning their appointment explicitly allow for disclosures of confidential information where such disclosure is required by law. However, this may not be a complete answer to the issue. It may be that s 636(1)(m) requires a disclosure at law, but in essence it really is a condition attaching to the exercise of a discretion by the bidder company (ie, the company that appointed the nominee directors). In that light, it may be difficult to argue that a contractual exclusion in the form described above could be engaged.

Defects in takeover documents 5.48 Section 670A prohibits a person from giving a defective takeover document. The defects that create liability are expressed in similar terms to those discussed above in respect of defects in prospectuses. A contravention is an offence in some cases, ie, where the misleading statement or omission of new circumstances is materially adverse from the perspective of the investor.104 Section 670B provides a right to recover losses from, among others, bidder’s and directors of a bidder where such [page 129] losses result from a defective statement.105 Section 670D provides a range of defences for liability arising under s 670A(3) and s 670B. Again, these defences only apply to defects in documents required to be disclosed at law. These are

largely the same as the defences set out in ss 731–733 discussed above, with one notable exception. As there is no need for the extensive due diligence and verification required in relation to the preparation of a prospectus, there is no due diligence defence.106 That is, there is generally no ‘reasonable enquiries’ obligation under s 636 or s 638 (being an obligation that justifies the due diligence defence); the disclosure obligations under ss 636 and 638 are limited to actual knowledge. The key defence in this context is the ‘reasonable reliance’ defence. The comments made above in relation to this defence in the context of fundraising are equally apposite here: see 5.38–5.39.

Conclusion — takeover disclosures 5.49 Notwithstanding the comparatively narrower scope of liability for defective documents (when compared to liability that arises in fundraising contexts), again, the primary way in which corporations and others can effectively manage legal risk is by implementing appropriate levels of due diligence. There are no bright line answers to questions that arise in this context (or related contexts of that matter). However, the review and testing that occurs in a structured due diligence context is the only way in which to triangulate the truth with some degree of accuracy.

PRODUCT DISCLOSURE DOCUMENTS AND DISCLOSURES 5.50 This section will focus on the disclosure requirements relating to product disclosure statements. A product disclosure statement must be provided in a range of circumstances where financial products are issued to retail clients.107 The content requirements of product disclosure documents (PDS) follow a similar pattern to those for prospectuses [page 130] and takeover disclosure documents in that there are specific content requirements (called ‘main requirements’ by the legislature) and general content

requirement.108 Any information included in a PDS must be worded and presented in a clear, concise and effective manner.109

Specific requirements 5.51 The disclosures specifically required by s 1013D are statements and information. The main ‘statement’ required to be disclosed is the name and contact details of the issuer/seller.110 In addition, a wide range of specific information must be set out in a PDS under s 1013D. The specific information that is listed in s 1013D must be included to the extent that a retail client would reasonably require it in order to make a decision to acquire a financial product. The types of information that s 1013D requires to be set out in a PDS include: information about the cost of the product;111 information about dispute resolution schemes;112 information about taxation implications;113 and information about cooling off regimes.114 Broader categories of information that s 1013D(1) requires must be set out in a PDS include information about any: significant benefits to which a holder of the product will or may become entitled, the circumstances in which and times at which those benefits will or may be provided, and the way in which those benefits will or may be provided;115 significant risks associated with holding the product;116 and other significant characteristics or features of the product or of the rights, terms, conditions and obligations attaching to the product.117 [page 131] These broader disclosure requirements involve a degree of subjectivity. The subjectivity results in a tendency to over-disclose in this context.

General requirements 5.52 The specific or ‘main’ disclosure requirements set out above are supplemented by the general disclosure requirement set out in s 1013E. Section 1013E provides as follows:

… a Product Disclosure Statement must also contain any other information that might reasonably be expected to have a material influence on the decision of a reasonable person, as a retail client, whether to acquire the product.

The test included in this provision is a variation of the influence standard used in the deeming provision for continuous disclosure and insider trading purposes.118 It may be argued that the test sets a higher threshold than in other disclosure contexts. That is, the standard requires more than an expectation of mere influence; the level of influence must be ‘material’. However, it cannot seriously be argued that this test differs substantially from any other. All that the adjective ‘material’ adds is to confirm that immaterial or trivial influence is to be disregarded. This requirement is implicit in all other mandatory disclosure contexts.

Limitations on disclosure 5.53 Sections 1013C(2), 1013F and 1013FA provide limits on the disclosures required in respect of PDSs. Section 1013C provides that the specific disclosure obligations set out in s 1013D and the general obligation in s 1013E are limited to the knowledge of those persons preparing the PDS. This differs from the knowledge requirements set out in s 710(1)(b) in respect of fundraising which requires disclosure of information actually known or information which ‘in the circumstances ought to reasonably to have obtained … by making inquiries’. It is substantially similar though to the disclosure obligation in s 636(1)(m) (in the context of takeovers) which limits disclosure to information that is actually known by the bidder. The omission of the ‘due diligence’ requirement was intended to avoid the need for extensive due diligence on the part of the person preparing the PDS.119 A further difference between the PDS regime and the fundraising regime is that ‘only the information requirements of retail persons, and not also their professional advisers, [page 132] need to be taken into account’ when considering what needs to be disclosed in a PDS.120 5.54 Also, information need not be included in the PDS if it would not be reasonable for a retail person considering whether to acquire the product to find

the information in the statement: s 1013F(1). Section 1013F(2) sets out a nonexhaustive list of factors that are to be taken into account when considering whether it would be unreasonable to include certain information in a PDS. These factors include consideration of the nature of the product, how well it is understood and the types of things that retail clients may reasonably be expected to know. The law also further limits disclosure where the PDS relates to a continuously quoted security121 due to the fact that certain information relating to the applicable product will already be in the public domain due to compliance with periodic and continuous disclosure obligations.

Liability for defective disclosure in a PDS 5.55 Civil liability In general, a person who suffers loss in connection with a defective PDS may recover that loss from a number of people, including the person ‘by whom, or on whose behalf, the disclosure document or statement was prepared’ (s 1022B(3)(b)(i)) or from any person ‘involved in the preparation of the disclosure document or statement who, directly or indirectly, caused the disclosure document or statement to be defective or contributed to it being defective’ (s 1022B(3)(ii)). A defective PDS is one that includes a misleading statement or one that omits required information.122 5.56 Criminal liability The PDS regime contains a wide range of offences concerning defective documents.123 Among other offences, a person who prepares a PDS or supplementary PDS that is defective faces criminal liability if conduct falls within ss 1021D, 1021E or 1021H. A person who aids, abets, counsels or procures the commission of an offence by the person who prepared the PDS also contravenes the relevant section: s 11.2 of the Criminal Code. For the purposes of the offence provisions, a PDS is defective if it contains a misleading or deceptive statement or it omits certain information required by Pt 7.9 but only if the statement or omission ‘is or would be materially adverse from the point of view of a reasonable person considering whether to proceed to acquire the [page 133] financial product concerned’: s 1021B(1). The penalties for the various criminal

offences relating to a defective PDS range from 10 penalty units to 200 penalty units and/or imprisonment of up to five years. 5.57 Defences It is a defence to civil liability in connection with a defective PDS if a person ‘took reasonable steps to ensure that the disclosure document or statement would not be defective.’124 Defences to the offence provisions are also available in some cases. For example, like the position in respect of civil liability, it is a defence to criminal liability under s 1021E if a person ‘took reasonable steps to ensure that the disclosure document or statement would not be defective.’ While there is not a due diligence defence per se in this context, the use of an effective due diligence process would be an essential element in establishing this defence. Again, these defences are only available in respect of the actual defective PDS.

Conclusion — product disclosure statements 5.58 The PDS regime is a highly ‘directed’ or prescriptive disclosure regime. Nevertheless, there are still requirements for a range of what might be termed ‘subjective’ decisions to be made about what information may need to be set out in a PDS under both the specific and general content categories discussed above. Again, the key legal risk mitigant in this context is the implementation of an appropriate due diligence program.

CONTINUOUS DISCLOSURE 5.59 The continuous disclosure regime operates between the periods when there is enhanced disclosure about a corporation. For example, enhanced disclosure occurs under the fundraising, takeover and periodic disclosure regimes discussed above. The principles underpinning the continuous disclosure regime were described as follows by the NSW Court of Appeal in James Hardie Industries NV v ASIC (2010) 274 ALR 85; [2010] NSWCA 332; BC201009843 (Hardie) at [355]–[356]: … [it] is designed to enhance the integrity and efficiency of Australian capital markets by ensuring that the market is fully informed. The timely disclosure of market sensitive information is essential to maintaining and increasing the confidence of investors in Australian markets, and to improving the accountability of company management. It is also integral to minimising incidences of insider trading and other market distortions. It is also to be noted that s 674 is remedial legislation to enhance the public interest and to protect individual investors. It should be construed

[page 134] beneficially “so as to give the fullest relief which the fair meaning of its language will allow”. [Citations omitted.]125

5.60 The continuous disclosure regime has two limbs. One limb applies to listed disclosing entities and the other to unlisted disclosing entities.126 The focus here will be on the former, looking at the statutory requirements that apply to ‘listed disclosing entities’. An entity will be a ‘listed disclosing entity’, if any or all of the securities issued by that entity are ‘enhanced disclosure securities’ (ED securities) and the entity is listed.127 Accordingly, each body in the S&P/ASX 200 would issue ED securities and, by definition, be a ‘listed disclosing entity’. 5.61 The continuous disclosure requirements for listed disclosing entities are those contained in relevant listing rules, which are underpinned by statute. The relevant listing rules are ASX Listing Rules (LR) 3.1, 3.1A and 3.1B. The statutory provisions that underpin these listing rules are contained in Ch 6CA of the Corporations Act. Chapter 6CA is not engaged unless disclosure is required under the listing rules and an entity fails to disclose the applicable information. In other words, a breach of the listing rules is a pre-requisite to any contravention of the continuous disclosure regime.128 Due to the structure of the continuous disclosure regime, the requirements of the Listing Rules will be discussed first followed by a discussion of the statutory provisions that reinforce those rules.

The Australian Securities Exchange (ASX) Listing Rules 5.62 As discussed above, the statutory penalties for a breach of the continuous disclosure regime are only engaged if the Listing Rules require information to be disclosed. The relevant rules are set out in LRR 3.1–3.1A. Basically, information is disclosable under LR 3.1 if it meets the tests set out in that rule, unless the elements of the exception set out in LR 3.1A are satisfied at all times. We will first discuss the requirements of LR 3.1 and then discuss the three elements of the exception in LR 3.1A at 5.75. [page 135]

Listing Rule 3.1 5.63 Listing Rule 3.1 contains a broad disclosure obligation. Listing Rule 3.1A provides some exceptions to the disclosure obligation as long as the conditions set out in that rule are satisfied.129 The text of the rule is set out below: Listing Rule 3.1 Once an entity is or becomes aware of any information concerning it that a reasonable person would expect to have a material effect on the price or value of the entity’s securities, the entity must immediately tell ASX that information.

5.64 There is very little case law that defines the terms set out in LR 3.1. Although the listing rules are a creature of contract,130 it would be remiss to place too much emphasis on this point in light of judicial characterisations of the continuous disclosure regime. The courts have stated, in the context of the statutory regime which reinforces the relevant listing rule, that the applicable test is ‘an objective test, determined ex ante the relevant event which requires disclosure’: see Hardie.131 In the same case, the court stated that the continuous disclosure regime: … is remedial legislation to enhance the public interest and to protect individual investors. It should be construed beneficially “so as to give the fullest relief which the fair meaning of its language will allow”… [Citations omitted.]132

5.65 Further, in interpreting the relevant listing rules, it is important to note that expressions that are used in those rules, which are not specifically defined in the listing rules, have that same meaning as those terms in the Corporations Act, unless the context requires otherwise: LR 19.3. Listing Rule 19.9 expressly provides that ASX Guidance Notes and the Explanatory Notes under each Listing Rule do not form part of the listing rules. However, where a contractual analysis of the arrangements is appropriate, ASX Guidance Note 8: Continuous Disclosure: Listing [page 136] Rules (LR) 3.1–3.18 (reissued 1 May 2013) (Guidance Note 8) could aid in the interpretation or construction of the meaning of key terms of the ‘contract’. The key elements of LR 3.1 are: (a) awareness of information concerning the entity;

(b) that a reasonable person would expect to have a material effect on the price or value of the entity’s securities; (c) must be disclosed immediately to ASX. These elements (using the language of LR 3.1) are discussed below.

Element 1 — Becomes aware of any information concerning it 5.66 Awareness Listing Rule 19.12 provides that ‘an entity becomes aware of information if, and as soon as, an officer133 of the entity … has, or ought reasonably to have, come into possession of the information in the course of the performance of their duties as an officer of that entity’. ASX’s stated intention of including this definition of ‘aware’ in the listing rules was to ensure that corporations that had poor processes and procedures in place could not avoid their continuous disclosure obligations by showing they had no actual knowledge of relevant information. However, in assessing one’s constructive knowledge in this context care needs to be taken to ensure that one does not impute awareness of knowledge or information to a company based on erroneous assumptions.134 5.67 The definition of awareness addresses when information is attributed to an entity, but it does not address the related issue of when facts or circumstances become sufficiently clear to constitute knowledge and lead to ‘awareness’. In some cases, information will be complete, accurate and meaningful without any (or little) verification or further inquiry being required. However, at the other end of the spectrum, significant time and resources may be required to verify whether information is complete, accurate or reliable. In other cases, information will emerge gradually or in stages. These issues need to be kept in mind when considering whether any corporate actor has become aware of any information in the relevant sense. We will return to the issue of the maturity of information below. 5.68 Information concerning it The term information is not defined in the listing rules; nor is it defined in the Corporations Act.135 The Macquarie [page 137] Dictionary defines information as ‘… 1. knowledge communicated or received

concerning some fact or circumstance. 2. knowledge on various subjects, however acquired. 3. the act of informing. 4. the state of being informed’. The key element of this definition then is ‘knowledge concerning some fact or circumstance’. Of course, for the purposes of the LR 3.1, the relevant facts or circumstances must ‘concern’ the relevant entity. However, the source of the facts or circumstances is irrelevant. Even facts or circumstances that concern an entity and are generally available are seemingly caught under the LR 3.1. Guidance Note 8 attempts to narrow the ambit of this phrase by stating that: … a listed entity would not be expected under Listing Rule 3.1 to disclose publicly available information about external events or circumstances that affect all entities in the market, or in a particular sector, in the same way. All other things being equal, that is not information “concerning it” [at p 8].

5.69 The statement above seems to be a departure from the literal meaning of LR 3.1, commentators’ interpretation of this requirement and, indeed, ASX’s historical approach to it.136 Nevertheless, the objective that the statement is intending to achieve (ie, signal that the ASX is not going to treat generally available information as needing to be disclosed or confirmed) is a good one. However, it does seem to rely on an elliptical qualification to the expression ‘concerning it’. ASX’s view of the scope of the term is important though as it indicates to listed entities how ASX will enforce the rule. Its statement in this connection clearly reduces unnecessary compliance costs for business and results in no diminution in terms of the information available to investors. Given that the statutory provisions in the Corporations Act carve out generally available information, the issue does not arise in that context: see 5.85ff.

Element 2 — Reasonable person would expect to have a material effect on the price or value 5.70 Material effect The next key issue is how to determine whether information will have a material effect on the price or value of a security. Section 677 of the Corporations Act defines ‘material effect’ in the following terms: … a reasonable person would be taken to expect information to have a material effect on the price or value of [a security] if the information would, or would be likely to, influence persons who commonly invest

[page 138]

in securities in deciding whether to acquire or dispose of the [relevant] securities.

The word ‘influence’ is defined in the Macquarie Dictionary in the following terms: noun 1. invisible or insensible action exerted by one thing or person on another … 2. power of producing effects by invisible or insensible means: spheres of influence. 3. a thing or person that exerts action by invisible or insensible means … verb (t) (influenced, influencing) 5. to exercise influence on; modify, affect, or sway … 6. to move or impel to, or to do, something

5.71 It is argued that the above definitions, read in context of the continuous disclosure regime, illustrate that the deeming provision in s 677 requires that mere influence is not satisfactory; something more is required. Non-material influence should be disregarded. The applicable information should have a material effect on the investor’s investment decision (ie, buy, sell or hold) or the relevant investor should be likely to act on the information or the investor should change their position based on the new information. The materiality connotation of the term influence is recognised in Guidance Note 8, that states as follows: ASX would point out that whether information would or would be likely to influence a decision has been used as a proxy to test the materiality of information in other contexts and in other jurisdictions. For example, in addressing the test for disclosure of information in scheme document under the precursor to section 411(3)(b) (requiring the disclosure of information material to the making of a decision by a member participating in the scheme on whether to agree to the scheme), Brokking J commented in Phosphate Co-Operative CO of Australia Pty Ltd v Shears [1989] VR 665 that: “If a fact would tend to influence a sensible member’s decision on whether the scheme is in his [sic] interests, then it is ‘material’”. Used in the context of section 677, ASX considers that the word “influence” carries its own connotation of materiality. In ASX’s view, to trigger section 677, the information in question must be of a character that would, or would be likely to, influence persons who commonly invest in securities to make a decision to acquire or dispose of an entity’s securities and not merely play some minor and immaterial role in such a decision.137

The reference to ‘likely’ to influence investors should be interpreted as probable not merely possible.138 [page 139] 5.72 In addition, in determining what information may be disclosable, one should consider the information in context. This principle has long been the approach adopted by the courts. For example, in Flavel v Roget (1990) 1 ACSR 595, O’Loughlin J stated that determining the materiality of information is a two-fold task: [F]irst, the [relevant information] itself must be individually assessed, but, secondly, that assessment

must then be made within the framework of the company and its affairs … Sometimes this second test may not be necessary; sometimes the nature of the [information] might speak for itself. Its importance might be of such magnitude that, irrespective of the size of the company, irrespective of the general affairs of the company, irrespective of the state of the economy of the country, its importance achieves such prominence that immediate advice to the Home Exchange is the only course of action to adopt. But there can be many cases where the … [information is] not susceptible to such an immediate and obvious evaluation. Much will depend upon the identity of the particular company; what one company should advise the Stock Exchange might not have to be advised by a second company; what should be advised by a company at one stage in its career might not have to be advised at another stage of its career because of changed circumstances.139

Guidance Note 8 reflects and expands on these views by stating that ‘information needs to be looked at in context, rather than in isolation, against the backdrop of: the circumstances affecting the listed entity at the time; any external information that is publicly available at the time; and any previous information the listed entity has provided to the market (eg, prospectus or PDS, under its continuous or period disclosure obligations or by way of earnings guidance)’.140 5.73 In order to assist in the evaluation of whether information is material in this context, ASX also proposes that officers ask themselves two questions in respect to the relevant information. These are as follows: (1) “Would this information influence my decision to buy or sell securities in the entity at their current market price?” (2) “Would I feel exposed to an action for insider trading if I were to buy or sell securities in the entity at their current market value?”141 The first question merely restates the ‘influence’ test in the first person in a colloquial form. Accordingly, it provides little guidance [page 140] to what the relevant test requires. The second question illustrates that continuous disclosure laws are, to a certain degree, the mirror to the negative obligations of the insider trading regime142 and reminds us that the ‘material effect’ test in both regimes is almost identical. However, beyond this, the question does not assist in determining what ‘material effect’ actually means in the context of continuous

disclosure. Further, it reduces a plural test to a singular test. This may allow subjectivity to creep into the decision-making process. The applicable test must be considered objectively from the perspective of ‘persons who commonly invest in securities’. A subjective focus may lead to error; the ‘influence’ test needs to be applied to investors as a whole within the relevant class. In some cases it may be important to consider the type of investors that typically invest in a certain security, eg, traders looking for a shortterm capital gain as opposed to long-term investors looking for dividend terms.143 Further, the views of the investor who infrequently or rarely trade should also be disregarded, as well as the views of the general public.144 Finally, a key observation in Jubilee Mines NL (ACN 009 219 809) v Riley (2009) 69 ACSR 659 was that reasonable persons would not expect incomplete or misleading information to be disclosed145 or information that is necessarily qualified such that the qualification would mean the information would not influence investor decisions.146 In determining what is material one also must have regard to the actual intentions and circumstances of the relevant corporate entity and not presumptive intentions.147 [page 141] 5.74 Price or value The term ‘price’ is self-explanatory. The term ‘value’148 is best interpreted as ASX indicates in its Guidance Note 8: Where securities are traded on a licensed market, one would generally expect information that will have a material effect on the value of an entity’s securities also to have a material effect on their price, through the ordinary forces of supply and demand. There could be circumstances, however, where information has a material effect on the market’s assessment of the value of a security without that translating into a material change in the price of the security. This might occur, for example, if security prices in the market generally or in a particular sector are moving materially in one direction and the information causes the market to assess the value of the security differently and to hold its price at or about the current level. In these circumstances, ASX considers that the information is still having material effect on the price of the security in question, in the sense that it is maintaining the price level that would not otherwise be the case, but the reference to ‘value’ in Listing Rule 3.1 puts this issue beyond any doubt. It also caters for the situation where there is no market price for an entity’s securities, such as might be the case it its securities are in a trading halt or suspension.149

One could add to the situation described in the last sentence the situation where trading is very thin or non-existent.150

Element 3 — Entity must immediately tell ASX that information. 5.75 Until information is sufficiently mature or verified, an officer of the corporation cannot be ‘aware’ of it. Once he or she is aware of it, then there is a duty to disclose the information to ASX immediately. The word ‘immediately’ is not defined in the listing rules or in the Corporations Act. The Macquarie Dictionary defines ‘immediately’ to mean, relevantly ‘… without lapse of time, or without delay; instantly; at once’. Guidance Note 8 does provide some useful commentary concerning the approach the courts have taken to the term ‘immediately’. Guidance Note 8 states that ‘[j]udicial authority in analogous situations confirms that the word “immediately” should not be read as meaning “instantaneously”, but rather as meaning “promptly and without delay”’.151 It then goes on to cite that authority: The words forthwith and immediately have the same meaning. They are stronger then the expression within a reasonable time, and imply prompt, vigorous action, without any delay, and whether there has been such

[page 142] action is a question of fact, having regard to the circumstances of the particular case.152

In interpreting the term ‘immediately’ it should be remembered that it only applies to information that will or is likely to have a material effect on the price or value of securities. Once the entity is ‘aware’ of that information it must be disclosed immediately. This however does not mean that appropriate corporate governance should not be followed. A corporation should ensure that it takes such steps that are reasonable in the circumstances (in accordance with defined continuous disclosure policies and procedures) in order for senior executives to approve of the relevant information being disclosed to the market. The governance steps are essential if corporations are to ensure they comply with both their continuous disclosure obligations and their obligations not to make misleading statements.

Exceptions under Listing Rule 3.1A 5.76 Listing Rule 3.1 does not apply to particular information while each of the following is satisfied in relation to the information:

3.1A.1 One or more of the following 5 situations applies: It would be a breach of a law to disclose the information; The information concerns and incomplete proposal or negotiation; The information comprises matters of supposition or is insufficiently definite to warrant disclosure; The information is generated for the internal management purposes of the entity; or The information is a trade secret; and 3.1A.2 The information is confidential and ASX has not formed the view that the information has ceased to be confidential; and 3.1A.3 A reasonable person would not expect the information to be disclosed.

5.77 Even if disclosure is required under LR 3.1, disclosure is not required unless all of the relevant conditions set out above in LR 3.1A are satisfied. These exceptions are not always easy to apply in practice. The five situations set out in LR 3.1A.1 will be discussed immediately below.

Listing Rule 3.1A.1 — the five situations 5.78 Breach of law In relation to this element of the test, it is not clear whether a breach of the law would include a disclosure that may give rise to an action for damages or injunctive relief, although ASX takes [page 143] the view in Guidance Note 8 that the relevant breaches are limited to breaches of ‘a specific statute, regulation, rule, administrative order or court order binding on the listed entity’.153 It is curious that ASX lists a binding order of a court (which could include an injunction to restrain a breach of confidentiality) as sufficient to engage LR 3.1A.1, but then goes on to state that it does not believe that breaches that might give rise to injunctive relief or other relief would not engage the relevant provision.154 5.79 Incomplete proposal or negotiation Broadly speaking, a unilateral proposal (eg, the declaration of a dividend) will remain incomplete until the board of directors approves it. A proposal that requires certain conditions to be satisfied in addition to broad approval, will remain incomplete until those conditions are satisfied (eg, lodgment of a bidder’s statement with ASIC). A negotiation will remain incomplete until an agreement is entered into or the arrangement it contemplates is otherwise given effect to.155

5.80 Supposition or insufficiently definite information ASX states that supposition is ‘something which is assumed or believed without knowledge or proof’.156 It then goes on to state that information about a matter will be insufficiently definite to warrant disclosure if: (a) it is ‘so vague, embryonic or imprecise’; (b) the veracity of such information is ‘so open to doubt’; or (c) ‘the likelihood of the matter occurring, or its impact if it does occur, is so uncertain’ that a reasonable person would not expect it to be disclosed.157 It would seem remarkable that a reasonable person would ever consider that information ‘so vague, embryonic or imprecise’, ‘so open to doubt’ or otherwise ‘so uncertain’ as ever being disclosable under LR 3.1. Assuming, without accepting, that information of this nature were to be disclosed, significant qualifications would need to travel with it. But these qualifications would render the information meaningless. Without such qualifications it would seem that the information would be positively misleading.158 In this context, it would seem more appropriate to interpret supposition and other information that is insufficiently definite to warrant disclosure as information that a reasonable person would consider to be disclosable under LR 3.1 but which it would also be sensible to exclude under LR 3.1A because it was not at the relevant time sufficiently mature. For example, it is entirely possible that an accounting standard or some other external standard or rule [page 144] which binds a corporation has been amended or is about to be amended. Initial internal modelling may suggest that the financial impact of the applicable change is within a certain range, with one end of the range representing a less than material financial impact, and the other end of the range representing a possible material financial impact. It is arguable that a reasonable person would consider the results of the initial internal modelling as insufficiently definite to warrant disclosure until a consulting accountant or the corporation’s auditors had a chance to verify the impact in more precise terms. 5.81 Information generated for internal management purposes Guidance Note 8 indicates that this situation covers all internally generated information (such as budgets, forecasts, management accounts, minutes of management meetings, business plans and strategic plans) as well as information generated by

external entities, including accountants and lawyers.159 The interesting issue the reference to ‘lawyers’ raises is whether privileged information needs to be disclosed at all. The continuous disclosure regime does not expressly or impliedly abrogate professional privilege.160 It would seem that as long as legal advice was not improperly used to circumvent the operation of the continuous disclosure laws,161 then legal professional privilege could be used to refuse to disclose certain information under the Listing Rules’ contractual framework, as such a privilege is a substantive legal right.162 5.82 Trade secrets Trade secrets were discussed in Chapter 4 (see, for example, 4.16, 4.21, 4.29–4.30). At first blush it is surprising that a trade secret would ever need to be disclosed to the market. But, if a trade secret has lost its confidentiality, then it is in the public domain and there is nothing to disclose in any event. If a trade secret maintains its confidentiality, it is arguable that no reasonable person would ever consider that it should be disclosed by a corporation.

Listing Rule 3.1A.2 — The information is confidential and ASX has not formed the view that the information has ceased to be confidential 5.83 Many of the issues regarding confidentiality, the loss of confidentiality and how confidential information enters the public domain [page 145] are discussed in Chapter 4. Only two points will be added here. First, under LR 3.1A.2 the relevant test is conditioned by ASX not forming ‘the view that the information has ceased to be confidential’. This means that corporations should take care not to take an overly legalistic or technical approach to determining when confidentiality may be lost. Corporations should also ensure that they take reasonable steps to monitor traditional media and digital media in order to determine whether a certain matter has lost confidentiality. Second, a reference to a potential spoiling tactic that Austin and Ramsay suggest could be used by entities in this context is apposite. The authors point out that it is possible under the Listing Rules for a party with inside knowledge of a transaction to leak information to the market about that transaction (say using a Facebook or Twitter account for that purpose) and force premature disclosure by one or more other

parties under the disclosure rules. Any premature publicity that ensues may effectively spoil the transaction.163

Listing Rule 3.1A.3 — A reasonable person would not expect the information to be disclosed 5.84 In respect of LR 3.1A.3, Guidance Note 8 expresses the view that, as a general rule, where information falls into one of the categories set out in LR 3.1A.1 and LR 3.1A.2, then a reasonable person would not expect that information to be disclosable.164 Guidance Note 8 then proffers the view that this general rule ‘has a very narrow field of operation. It will only be tripped if there is something in the surrounding circumstances sufficient to displace the general rule’.165 Again, this is sensible guidance. The note then states that the reasonable person test is an objective one that ‘is to be judged from the perspective of an independent and judicious bystander and not from the perspective of someone whose interests are aligned with the listed entity or with the investment community’.166 This statement must not be taken too far. The case law clearly demonstrates that it is essential in assessing other requirements under the continuous disclosure regime to have regard to the knowledge of directors about a company’s situation167 and the type of investors who may be members of the audience to which information may be disclosed.168 [page 146]

LISTING RULE 3.1B — FALSE MARKETS 5.85

Listing Rule 3.1B provides as follows:

If ASX considers that there is or is likely to be a false market in an entity’s securities, and asks the entity to give it information to correct or prevent a false market, the entity must give ASX the information it asks for.

5.86 In its Guidance Note 8, the ASX states that it will use this power to correct a false market that may arise due to a corporation neither confirming nor denying reasonably specific and credible commentary or speculation that may appear in conventional or social media.169 This power to compel a corporation to make a corrective disclosure should be contrasted with the requirement to make

a corrective disclosure that was discussed in Fortescue. In that case, Keane CJ (with whom Emmett and Finkelstein JJ agreed) emphasised that the continuous disclosure regime does not in itself impose an obligation to correct information already provided to the ASX. Corrective disclosures became necessary where corrective information would itself become price sensitive information if ‘that information was information which would, or would be likely to, influence investors in deciding whether to acquire or dispose of shares’ in the regulated entity.170

THE STATUTORY RULES 5.87 As discussed in 5.61 above, the statutory rules are not engaged unless information is required to be disclosed under the Listing Rules. We have discussed when information is disclosable under the relevant listing rules above. The statutory regime conditions liability for a failure to comply with the listing rules in two key ways. First, a breach of the statutory regime will only occur where the information that should have been disclosed under the listing rules in not ‘generally available information’. Second, liability for a breach of the statute can be extended to any person who is involved in the relevant breach. These two issues will be discussed in turn below.

Generally available information 5.88 Whether information is generally available is governed by s 676. Section 676(2) provides that information is generally available if: (a) it consists of readily observable matter; or [page 147] (b) without limiting the generality of paragraph (a), both of the following subparagraphs apply: (i)

it has been made known in a manner that would, or would be likely to, bring it to the attention of persons who commonly invest in securities of a kind whose price or value might be affected by the information; and

since it was so made known, a reasonable period for it to be (ii) disseminated among such persons has elapsed. Further, information is also generally available if it consists of deductions, conclusions or inferences made or drawn from the matters referred to in (a) or (b) above. In determining whether a reasonable period had passed for the purposes of this definition, one would need to have regard to, among other things, the manner which information became generally available and also completeness and complexity of the relevant information. 5.89 The concept of ‘readily observable matter’ was considered in R v Firns (2001) 51 NSWLR 548, which was a case concerning insider trading. The court held that the term extends to information which could be observed even if no person actually observed it. Conversely, in Australian Securities and Investments Commission (ASIC) v Macdonald (No 11) [2009] NSWSC 287 the court expressed the view that information contained in documents lodged with ASIC did not constitute ‘readily observable matters’. This was due to the fact that ordinary investors would find it difficult to locate the applicable information in circumstances where the applicable company had changed its name several times.

A person involved in a contravention 5.90 As discussed above, liability is extended to any person who is involved in a breach of s 674(2).171 A person is involved in a contravention of a law if, and only if, the person: (a) has aided, abetted, counselled or procured the contravention; or (b) has induced, whether by threats or promises or otherwise, the contravention; or (c) has been in any way, by act or omission, directly or indirectly, knowingly concerned in, or party to, the contravention; or (d) has conspired with others to effect the contravention.172

[page 148] In The Explanatory Memorandum to the Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Bill 2003 stated that the inclusion of the ‘involvement’ offence in s 674(2A) was: … intended to apply to individuals with real involvement in a contravention of the continuous

disclosure provisions … Involvement in a contravention therefore requires some form of intentional participation and actual knowledge of the essential elements of the contravention.173

5.91 In Fortescue Keane CJ found that Mr Forrest had been ‘involved’ in misleading conduct and stated as follows: Forrest’s knowing participation in the relevant events leading to FMG’s contravention of s 1041H of the Act established that Forrest was involved in FMG’s contraventions of s 1041H within the meaning of s 79(c) of the Act. Forrest knew of the terms of the framework agreements; and it can reasonably be inferred that he knew of the disparity between these terms and FMG’s representations about them. He was also a person involved in FMG’s contravention of s 674(2)(c) of the Act by virtue of s 674(2A). Accordingly, he contravened s 674(2A) unless he established the defence under s 674(2B) of the Act.174

Although the finding regarding misleading conduct was overturned by the High Court,175 the decision on this point still illustrates that it does not require much for one to have the relevant intention to participate and have the requisite knowledge of all the essential elements of the contravention.

Offences 5.92 Civil offence A breach of s 674(2) constitutes a breach of a civil penalty provision: see s 1317E(1). Accordingly, any person who contravenes that provision may be subject to a disqualification order under s 206C or a pecuniary penalty order under s 1317G(1).176 The maximum penalty for an individual is $200,000 and $1 million for a body corporate: s 1317G(1B). Compensation orders may also be made under s 1317H as well as other orders under s 1324. If a claim is brought under s 1041E or s 1041H in connection with false or misleading conduct in the context continuous discourse, then a person who suffers loss or damage as result of that conduct may recover that loss or damage from [page 149] the person who engages in the conduct or any person who is involved in the contravening conduct: s 1041I. 5.93 In addition, ASIC may issue infringement notices for up to $100,000 for an alleged contravention of the continuous disclosure laws177 and also may accept an enforceable undertaking under s 93AA, ASIC Act in relation to the contravention. If a person complies with the infringement notice or ASIC

accepts an enforceable undertaking, broadly speaking, no further action will be taken. 5.94 Criminal offence A breach of the continuous disclosure regime is also an offence: s 1311(1). The maximum penalty for an offence is 200 penalty units or imprisonment for five years (or both). 5.95 In determining the appropriate level of penalty to be imposed in any regulatory context, the court will look at a range of factors, including the culture of compliance at an organisation which is subject to the continuous disclosure regime. In Chemeq, French J noted that: In considering the appropriate penalty for the contravention by a corporation of a regulatory requirement … it is relevant to consider whether the corporation has in place policies and procedures designed to achieve compliance with such requirements. The Court will consider the form and content of the policies and procedures and also the measures adopted by the corporation to ensure that they are understood and applied. A well drafted set of policies and procedures will mean little if there is no follow up in terms of training of company officers (including directors) and, where appropriate, refresher training. In the present case there is provision for induction training but no clear evidence of follow-up and refresher training. Compliance policies and procedures will not be effective unless there is, within the corporation, a degree of awareness and sensitivity to the need to consider regulatory obligations as a routine incident of corporate decision-making. This kind of general sensitivity to the issues underpins what is sometimes called a ‘culture of compliance’. It does not require a risk averse mentality in the conduct of the company’s business, but rather a kind of inbuilt mental check list as a background to decisionmaking. This may be more difficult to achieve where, as in the present case, there is a positive obligation that is not related to any particular decision. The conduct of corporate business may involve consideration of the many shifting circumstances that make up a dynamic business environment. To identify those matters, including changes in circumstance, which attract the obligation of continuous disclosure, may not always be a

[page 150] straightforward exercise. There will be clear cases, and not so clear cases. There should be some process for ensuring that changes in circumstances or market information requiring disclosure are identified. Absent a positive monitoring mechanism, the company’s compliance system may leave open the risk of non-disclosure by oversight.178

Due diligence defence 5.96 Section 674(2B) contains a defence to liability for a person who is involved in a listed entity’s contravention. It provides that a person does not contravene s 647(2A) if the person proves that they:

took all steps (if any) that were reasonable in the circumstances to ensure that the listed (a) disclosing entity complied with its obligations under subsection (2); and (b) after doing so, believed on reasonable grounds that the listed disclosing entity was complying with its obligations under that subsection.

5.97 The application of this defence was explored in Fortescue. Although the finding in that case was overturned by the High Court, the relevant discussion is instructive as to what will not satisfy the test. In that case Keane CJ observed that: Forrest argues that … he was protected by s 674(2B) because there were “reasonable grounds” upon which he had formed the belief that the agreements were binding. There are two difficulties with this argument. First, a person relying on s 674(2B) must, by virtue of subsection (a), show that he or she took all steps that were reasonable to ensure compliance with the entity’s disclosure obligations. Forrest was unable to point to any steps he took to ensure that the framework agreements were, in law, binding agreements to the effect represented by FMG. The trial judge was prepared to infer that Huston [a solicitor] had provided legal oversight in relation to FMG’s dealings since late 2004. Counsel for Forrest argued that it could be inferred that reasonably necessary steps had been taken to ensure that the agreements were binding. But the only available evidence on this point shows that Huston examined the agreements in January 2005, that is to say, well after FMG and Forrest had made the impugned announcements. There is no evidence Huston was consulted by Forrest before this time. There is also no evidence that Forrest consulted with any other adviser other than Huston to seek advice as to whether the agreements he had signed were apt to achieve a binding agreement to build and transfer the infrastructure for the Project. Secondly, ASIC was able to show that Forrest’s own communications were inconsistent with a belief on his part that FMG had made a binding agreement for the construction of the infrastructure for the Project. Forrest’s own document … shows that he knew that further steps were necessary to reach agreement on the scope, financing, subject matter and

[page 151] price of the Project. This email shows that Forrest knew that FMG was still involved in a bargaining process with the Chinese. At the time when this email was written, Forrest plainly did not entertain, and it may be inferred had never entertained, reasonably or at all, the opinion that the terms of the framework agreements were effective as binding agreements to build, finance, and transfer the infrastructure involved.179

LIABILITY UNDER OTHER LAWS 5.98 It is not only the liability that arises under the statutory continuous disclosure regime that one needs to be concerned about in this context. Liability can also arise in this connection for directors and officers under s 180 and for entities, directors, officers and other persons under, for example, s 1041H of the Corporations Act. Liability in these cases arises in the following manner. First,

ASIC or another party will allege that a voluntary statement made by a company to the market is misleading (ie, not being a statement that is required to be made under mandatory disclosure laws). Second, if the statement is sufficiently misleading, it could give rise to an obligation under s 674 to provide corrective information to the market. This situation would arise where say the market was trading upwards based on the misleading disclosure. The corrective information itself would be price-sensitive information that should be immediately disclosed, because the reasonable person would expect this information to be likely to influence persons who commonly invest in securities in making buy or sell decisions in relation to the applicable company’s securities. Third, if the company fails to disclose the relevant information, it will be in breach of s 674. In addition, in this situation, directors and officers who engage in misleading conduct on behalf of the company could be liable as principals.180 Their conduct may also attract liability under s 674(2A) (involvement in a contravention) and they may also be liable for a failure to discharge their duty under s 180(1). This scenario is based on the liability scenario that the Full Federal Court accepted in Fortescue,181 although the outcome in that decision was overturned by the High Court on a different basis.

CONCLUSIONS — CONTINUOUS DISCLOSURE 5.99 In practice, most of the difficulty in the context of continuous disclosure is not associated with considerations concerning whether [page 152] information is generally available or not, but rather whether it is material for the purposes of the law and whether the exceptions under the listing rules apply. Further, not only should a corporation and its directors and officers be concerned about liability under s 674 in this context, but also under s 180(1) and, for example, under s 1041H. Liability in this context can be managed though the implementation of appropriate policies, training, compliance and other due diligence practices and procedures. 5.100 An observation from French J in Chemeq provides a salutary conclusion to this section: It must be accepted that there will be differing opinions in particular instances about what requires

disclosure and what does not. From the point of view of proper risk management against the possibility of contravention, a conservative approach which favours disclosure is to be preferred. Certainly those who play calculated risk games of non-disclosure in the shadow of the Rules cannot expect indulgence from the courts if their assessments are not accepted.182

CONCLUSION 5.101 This chapter provides a snapshot of the legal obligations and issues that can arise in the context of mandatory disclosure. The discussion in this chapter illustrates the onerous obligations imposed on a corporation and its directors and officers in relation to mandatory disclosure. It also reveals that interpreting and applying the relevant laws is by no means a trivial task. It is not. Indeed, complying with these laws is one of the most difficult tasks under corporations legislation. Arriving at a conclusion as to what needs to be disclosed in any given situation can often be a fraught process. This is why it is so essential to have effective policies and compliance frameworks in place to manage risk in this context. A process of fundamental importance in this connection is the due diligence process however it is designed and implemented to suit the purposes of the corporation in a given situation. _________________________ 1.

While these laws apply broadly to companies, schemes and disclosing entities, the focus of this chapter will be on the mandatory disclosure obligations imposed on listed corporations in keeping with the overall theme of this book. The laws relating to the disclosures that must be made under a scheme of arrangement are not discussed here, but see, for example, T Damian and A Rich, Schemes, Takeovers and Himalayan Peaks, 3rd ed, the Ross Parsons Centre of Commercial, Corporate and Taxation Law Monograph Series, Sydney, 2013, [5.6.2] (general disclosure in an explanatory statement) and [5.6.3] (specific disclosures in an explanatory statement) for a discussion of the relevant requirements.

2.

R Baxt, A Black and P Hanrahan, Securities and Financial Services Law, 7th ed, LexisNexis Butterworths, Australia, 2008, [1.3].

3.

See R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 15th ed, LexisNexis Butterworths, Australia, 2013, [22.020].

4.

Although the concept of ‘reasonableness’ is an element of the disclosure obligation itself: see s 674(2) (c)(ii) Corporations Act 2001 (Cth).

5.

There are many good texts which discuss the administrative and other steps that must be taken in this context: see, for example, fn 2, Baxt et al; and fn 3, Austin et al.

6.

Pancontinental Mining Industries Ltd v Goldfields Ltd (1995) 16 ACSR 463 at 475 per Tamberlin J.

7.

There is also a requirement for certain entities to prepare half-yearly reports: see Corporations Act s 302. See also R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 13th ed, LexisNexis Butterworths, Australia, 2007, 10.130.

8.

If a consolidated set of statements is provided, an entity is not required to prepare parent company statements: s 295(2)(b).

9.

The notes to the financial statements are: (a) disclosures required by the regulations; (b) notes required by the accounting standards; and (c) any other information necessary to give a true and fair view (see s 297): s 295(3).

10. s 296. 11. s 295(2). 12. Australian Securities and Investments Commission v Fortescue Metals Group Ltd [2011] FCAFC 19 (Fortescue) at [113]. 13. See s 299A(1). 14. See ss 299(3) and 299A(3). 15. See s 300(1). 16. See ss 300(10) and 300(11). 17. See s 300A. 18. s 301. 19. See s 307A. 20. See ss 308(a) and 308(b). 21. Under s 9 of the Corporations Act the term ‘officer’ of a corporation means: (a) a director or secretary of the corporation; (b) a person: (i) who makes, or participates in making, decisions that affect the whole, or a substantial part, of the business of the corporation; or (ii) who has the capacity to affect significantly the corporation’s financial standing; or (iii) in accordance with whose instructions or wishes the directors of the corporation are accustomed to act (excluding advice given by the person in the proper performance of functions attaching to the person’s professional capacity or their business relationship with the directors or the corporation); or (c) a receiver, or receiver and manager, of the property of the corporation; or (d) an administrator of the corporation; or (e) an administrator of a deed of company arrangement executed by the corporation; or (f) a liquidator of the corporation; or (g) a trustee or other person administering a compromise or arrangement made between the corporation and someone else. 22. Although the contravention would need to be, among other things, serious: s 1317G. 23. For example, under s 1041H of the Corporations Act. Directors and officers could have liability under this provision as principals: see Arktos Pty Ltd v Idyllic Nominees Pty Ltd (2004) ATPR 42-005 at 48,795. See also Houghton v Arms [2006] HCA 59; (2006) 225 CLR 553 at 566 and Australian Securities and Investments Commission v Citrofresh International Ltd [2007] FCA 1873 (Citrofresh). 24. The requirement also extends to schemes and other disclosing entities. 25. See s 319(3). 26. Section 6.1 of the Criminal Code 1995 (Cth) states that ‘[i]f a law that creates an offence provides that the offence is an offence of strict liability: (a) there are no fault elements for any of the physical elements of the offence; and (b) the defence of mistake of fact under section 9.2 is available’. 27. See s 1311 and Sch 3 of the Corporations Act. Section 1311(1) sets out certain circumstances in which a person will be guilty of an offence. Section 1311(1A) provides that s 1311(1) does not apply (ie, no offence occurs) unless a penalty for any provision listed in that subsection is specified in Sch 3. The penalty for any offence determined by the application of ss 1311(1) and 1311(1A) is the penalty specified in Sch 3 (s 1311(3)) unless a particular provision of the Act actually specifies a penalty (s 1311(4)) or, if no penalty is specified in Sch 3 or in a specific provision, five penalty units

(s 1311(5)). The maximum financial penalty for a contravention can be increased by a multiple of five if the offender is a body corporate: s 1312. Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit means $170 (NB: this was increased from $110 by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth)). 28. See Australian Securities and Investments Commission v Healey [2011] FCA 717 (Healey No 1) at [9]. 29. See fn 28, Healey No 1 at [497]. 30. See fn 28, Healey No 1 at [8]. Note that similar obligations to those set out in s 180(1) of the Act are imposed on officers of responsible entities (see s 601FD). The Healey No 1 litigation also involved allegations and findings relating to the obligations contained in s 601FD. However for the sake of simplicity, discussion on those issues has not been included in this section. 31. See Australian Securities and Investments Commission v Healey (No 2) [2011] FCA 1003 (Healey No 2) at [3]. Note though that adverse costs orders were made against directors. 32. See fn 31, Healey No 2 at [4]. 33. See fn 28, Healey No 1 at [6]. 34. See fn 31, Healey No 2 and declarations that were made at the beginning of the judgment in respect of Mr Nenna as the eighth defendant. 35. See fn 31, Healey No 2. 36. See fn 28, Healey No 1 at [13]. 37. At [143]. 38. At [149]. 39. At [143]. 40. At [147]. Citing with approval statements made in Morley v Statewide Tobacco Services No 1 [1993] VicRp 32; (1993) 1 VR 423. 41. At [162]. Note that s 189 (reliance on information or advice provided by others) was not considered by the court, nor was reliance on others by an officer an issue that was canvassed due to admissions made by Mr Nenna in this case. 42. At [166]. 43. At [167]. 44. At [174]–[175]. 45. At [124]. 46. At [211]. 47. At [229]. This rule applies irrespective of the number of boards that a director may sit on: see [222]. 48. At [582]. 49. At [23]. 50. S Danckert, ‘Lawyers Flock to Centro Class Actions Worth $600m’, 5 March 2012, . 51. See, for example, Richard Kirby v Centro Properties Ltd VID326/2008, Federal Court of Australia (Melbourne) (Centro). 52. C Rome-Sievers, ‘Developments in Insolvency and Corporations , 19 June 2012. 53. See fn 52, C Rome-Sievers.

Law’,

54. See fn 52, C Rome-Sievers. 55. Maurice Blackburn Lawyers, press release, ‘Record $200m Centro Class Action Settlement Approved’, 19 June 2012, . 56. See fn 23, Arktos, 48,795. See also Houghton v Arms [2006] HCA 59; (2006) 225 CLR 553 at 566; and fn 23, Citrofresh. 57. ASIC, ‘Enforceable Undertakings Register’, . 58. As to when a prospectus is required see Austin et al, see fn 3, [22.070]. Note also the short form prospectus requirements in s 713 of the Corporations Act in relation to continuously quoted securities, although these do not reduce the scope of the ‘reasonable investor’ test. However, the cleansing notice process for certain offers under ss 708AA and 708A do not require the ‘reasonable investor’ test to be met in limited circumstances. 59. See Austin et al, see fn 3, [22.260]. Note that a full prospectus is not always required. Other disclosure documents include a profile statement (s 714, Corporations Act) and an offer information statement (s 715, Corporations Act). Also, there are special context rules for prospectuses in relation to certain offers, eg, offers of continuously quoted securities: s 713, Corporations Act. 60. ASIC’s Regulatory Guide 228 (Prospectuses: Effective Disclosure for Retail Investors) states that: ‘We consider that your prospectus will generally be “clear, concise and effective” if it: a. highlights key information …; b. uses plain language …; c. is as short as possible; d. explains complex information, including any technical terms; and e. is logically organised and easy to navigate’: [228.24]. 61. See s 711. 62. s 710. 63. See fn 3, Austin et al, [22.320]. 64. At [22.320]. 65. s 710(1)(a). 66. s 710(1)(b). 67. There is no doubt that the conservatism demonstrated in this context is in part due to the severe penalties that are imposed for a failure to comply: see 5.32–5.33. 68. See fn 3, Austin et al, [22.320]. 69. GIO Australia Holdings Ltd v AMP Insurance Investment Holdings Pty Ltd (1998) 29 ACSR 584 (GIO) at 629 per Emmett J. 70. See fn 69, GIO at 621 per Emmett J. 71. AAPT Ltd v Cable & Wireless Optus Ltd (1999) 32 ACSR 63; BC9902952 at [137] per Austin J. See also fn 3, Austin et al, [22.330]. 72. Scrip bids require prospectus standard disclosure under ss 710–713: see s 636(1)(g), Corporations Act. 73. Wesfi Ltd v Blend Investments Pty Ltd (1999) 31 ACSR 69 at 74 per Wheeler J. 74. At 71 per Wheeler J, citing GIO (see fn 69) with approval. Cf Pancontinental Mining Ltd v Goldfields Ltd (1995) 16 ACSR 463. See also ASIC, ‘RG 170 — Prospective Financial Information’, . 75. For the purposes of s 728 a disclosure document is defined as meaning: (a) a prospectus for the offer; or (b) a profile statement for the offer; or (c) an offer information disclosed statement for the offer: see s 9. 76. See s 728(1)(a). Note that liability under this provision can only arise if the misleading statement is

actually included in the disclosure document itself: see fn 2, Baxt et al, [8.18]. 77. See s 728(1)(b). The material required to be included is described in ss 710, 711, 712, 713, 714 and 715. The most significant material is that required under s 710, which is discussed above. 78. Again, the material ‘required by law’ to be included in the prospectus or other disclosure document is described in ss 710, 711, 712, 713, 714 and 715. A deficiency of the type mentioned in the third prohibition can be remedied through a supplementary or replacement document. 79. s 729. 80. s 728(3). 81. See fn 2, Baxt et al, [8.22]. 82. ss 5.2 and 5.6(1) of the Criminal Code 1995 (Cth). 83. See Cadence Asset Management Pty Ltd v Concept Sports Ltd [2005] FCAFC 265 at [30] per Merkel, Weinberg and Kenny JJ. 84. Other defences include ss 733(2) (withdrawal of consent) and 733 (unawareness of new matter). 85. Note that the defences are limited to prospectuses. The defence will not apply to statements in or omissions from documents other than the prospectus. 86. For, further information, see fn 2, Baxt et al, [5.36] and [5.37]. 87. P J Rajapakse, ‘Issuance of Residential Mortgage-Backed Securities in Australia — Legal and Regulatory Aspects’ (2006) UNSWLawJl 42, note 94. 88. See fn 87, Rajapakse. 89. Gilmore v Poole-Blunden [1999] SASC 186 at [119]. 90. For details in takeovers generally, including when a takeover offer must be made, see fn 2, Baxt et al, Ch 15, ‘Mergers and Acquisitions’. 91. s 636(1)(a). 92. s 636(1)(b). 93. s 636(1)(f). 94. The carve-out concerning information that ‘does not relate to the value of the securities offered as consideration under the bid’ is necessary, as such information will be caught by the operation of s 636(1)(g) which applies the reasonable investor test of disclosure under ss 710–713. 95. See fn 3, Austin, [23.470]. 96. At [23.470]. 97. See fn 74, Pancontinental at [466]–[468]. 98. At 103. 99. See Austin et al, see fn 3, [23.470]. 100. s 638(3). 101. s 638(1A)(a). 102. s 638(1A)(b). 103. See fn 3, Austin et al, [23.500]; and the discussion of Austen & Butta Ltd v Shell Australia Ltd (1992) 10 ACSR 556 where these issues arose. 104. s 670A(3). Compare s 728(3) in the fundraising context. 105. s 670B. Compare s 729 in the fundraising context.

106. See fn 3, Austin et al, [23.640]. 107. See fn 2, Baxt et al, [6.11]ff. The term ‘retail client’ is defined in ss 761G and 761GA, Corporations Act as expanded upon by Regs 7.1.11–7.1.28, Corporations Regulations as amended by Regs 7.6.02AB, 7.6.02AC, 7.6.02AD, 7.6.02AE and 7.6.02AF. The definition of ‘financial product’ is set out in Div 3, Pt 7.1, Corporations Act. Although note that the offer of securities is carved out of the PDS regime as disclosure requirements for securities are dealt within Ch CA and Ch D of the Act: see s 1010A(1). Further, the PDS regime also does not generally apply to debentures: s 1010A(2). 108. There is a range of information that needs to be disclosed in addition to that prescribed by the specific and general requirements. For example, information about whether the product is able to be traded (s 1013H); that the PDS is lodged with ASIC but ASIC takes no responsibility for its contents (s 1013J); and where a PDS contains a statement made by a person, the person must consent and the PDS must disclose that consent (s 1013K) and other statements regarding affiliation (ss 1013C(4) and 1013C(6)). The Corporations Regulations also contain further disclosure requirements. 109. s 1013C(3). 110. s 1013D(1)(a). Other statements are set out in the Regulations. 111. s 1013D(1)(d). 112. s 1013D(1)(g). 113. s 1013D(1)(h). 114. s 1013D(1)(i). 115. s 1013D(1)(b). 116. s 1013D(1)(c). 117. s 1013D(1)(f). 118. ss 677 and 1042D. 119. See Revised Explanatory Memorandum the Financial Services Reform Bill, [14.74]. 120. See fn 119, [14.94]. 121. ss 1013F and 1013FA, Corporations Act. 122. See s 1022A(1). 123. See fn 2, Baxt et al. 124. s 1022B(7). 125. James Hardie Industries NV v ASIC (2010) 274 ALR 85; [2010] NSWCA 332; BC201009843 (Hardie). See also Australian Securities and Investments Commission, in the matter of Chemeq Ltd (ACN 009 135 264) v Chemeq Ltd (ACN 009 135 264) [2006] FCA 936 (Chemeq) at [43]–[45] per French J. 126. ss 674(1) and 675(1)(b). 127. See the combined effect of ss 111AD, 111AE, 111AL and 111AM. 128. Jubilee Mines NL (ACN 009 219 809) v Riley (2009) 69 ACSR 659 (Jubilee) at [41]. 129. Note also that LR 3.1B provides that, notwithstanding any other rule, an entity must provide information that ASX (the Australian Securities Exchange) requests, in order to prevent a false market in the relevant entity’s securities. This rule, however, is not relevant for present purposes. 130. See fn 2, Baxt, et al, [12.7]–[12.8]. 131. See fn 125, Hardie at [546], citing R v Firns [2001] NSWCCA 191; (2001) 51 NSWLR 548 at [83];

Australian Securities and Investments Commission v Citigroup Global Markets Australia Pty Ltd (No 4) [2007] FCA 963; (2007) 160 FCR 35. 132. See fn 125, Hardie at [356]. 133. Here, the term ‘officer’ has the same meaning as in s 9 of the Corporations Act and includes a director, secretary or senior executive/manager of the corporation. 134. See fn 128, Jubilee at [109]. 135. Irrelevantly for present purposes, s 9 defines information to include ‘complaint’. 136. See fn 2, Austin et al, [10.300]. See also G Lyon and J J du Plessis, The Law of Insider Trading in Australia, Federation Press, Australia, 2005, p 171. 137. See ASX Guidance Note 8: Continuous Disclosure: Listing Rules (LR) 3.1–3.1B (reissued 1 May 2013) (Guidance Note 8), p 9 fn 19. 138. See fn 2, Baxt et al, [7.10]. 139. Flavel v Roget (1990) 1 ACSR 595 at 602–3. 140. Guidance Note 8, 11. 141. Guidance Note 8, 10. 142. See fn 136, G Lyon and J J du Plessis, p 172, citing M Gething, ‘Insider Trading Enforcement: Where are We Now and Where do We Go From Here?’ (1998) 16 Company and Securities Law Journal 607, 612. 143. See fn 128, Jubilee at [122]. See also the majority judgment of French CJ, Gummow, Hayne and Kiefel JJ in Forrest v Australian Securities and Investments Commission [2012] HCA 39 (Forrest) where the relevant audience ‘comprised investors (both present and possible future investors) and, perhaps, some wider section of the commercial or business community’: at [36]. In a separate concurring judgment, Heydon J expressed the view that the relevant audience or class ‘comprised superannuation funds, other large institutions, other wealthy investors, stock brokers and other financial advisers, specialised financial journalists, as well as smaller investors reliant on advice’: at [105]. 144. See fn 2, Baxt et al, [7.10]. 145. See fn 128, Jubilee at [87]. 146. At [123]. 147. At [109]. 148. This term is defined in s 9 of the Corporations Act to mean ‘in relation to an asset, includes amount’. 149. See Guidance Note 8, p 7, fn 11. 150. See fn 136, G Lyon and J J du Plessis, p 182. 151. See Guidance Note 8, p 13. 152. Queen v Berkshire 4 QBD 469 at 471 per Cockburn CJ, referred to with approval by the High Court in Measures v McFadyen [1910] HCA 74; (1910) 11 CLR 723. 153. Guidance Note 8, 31. 154. See Guidance Note 8, 31. 155. See Guidance Note 8, 31–32. 156. See Guidance Note 8, 33. 157. See Guidance Note 8, 33.

158. This is exactly the type of situation discussed in Jubilee, see fn 128. 159. See Guidance Note 8, 34. 160. See discussion at 7.13ff, concerning legal professional privilege. 161. See discussion in J Hunter, C Cameron and T Henning, Litigation, 7th ed, LexisNexis, Australia, 2005, [8.62] regarding improper purposes. 162. See Daniels Corporation International Pty Ltd v Australian Competition and Consumer Commission [2002] 213 CLR 543. 163. See fn 2, Austin et al, [11.300]. 164. See Guidance Note 8, 38. 165. See Guidance Note 8, 38. 166. See Guidance Note 8, 37. 167. See, for example, fn 128, Jubilee at [109] where Martin CJ expressed the view that certain subjective intentions are necessary in determining what a reasonable person would consider to be disclosable information. 168. See, for example, fn 128, Jubilee at [163] where it was not challenged that the reasonable person test is to be applied by having regard to a specific sub-set of investors. See also fn 143, Forrest at [105] where Heydon J noted that it is necessary to have regard to the nature of an audience to which information or statements are directed. 169. See Guidance Note 8, 39ff. 170. See fn 12, Fortescue at [184]. 171. s 674(2A) Corporations Act. 172. s 79. 173. The Explanatory Memorandum to the Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Bill 2003, 5.447. 174. See fn 12, Fortescue, at [191]. 175. See fn 143, Forrest. 176. Although an individual will only generally be the subject of such an order if their conduct is serious: s 1317G(1)(b)(iii). Note also the power to grant an injunction and/or damages in lieu of an injunction under s 1324. Further, this assumes that a person is not relieved of liability under s 1317S or s 1318 of the Corporations Act. 177. See Pt 9.4AA Corporations Act. 178. See fn 125, Chemeq at [84]–[87]. 179. See fn 12, Fortescue, [193]–[194]. 180. See fn 23, Arktos, 48,795. See also Houghton v Arms [2006] HCA 59; (2006) 225 CLR 553 at 566; and fn 23, Citrofresh. 181. See, for example, fn 12, Fortescue at [191]–[202] per Keane CJ. 182. See fn 125, Chemeq at [87].

[page 153]

Chapter 6 Disclosure and Consumer Protection

INTRODUCTION 6.1 Chapter 5 discussed the laws regarding compulsory disclosure of corporate information to the market and investors. Broadly speaking, the philosophy underlying those laws is one of investor protection. Laws that aim to protect investors generally have a strong focus on process rather than outcomes. That is, if the processes that prepare and verify the relevant information are reasonable, the person that prepared the information will, generally, not be liable for losses that arise due to reliance on that information (even where the information is erroneous).1 On the other hand, the philosophy underlying consumer protection laws, the focus of this chapter, is quite different. Consumer protection laws are outcomefocused. They impose strict liability where a person engages in certain specified conduct or fails to achieve a certain standard of conduct. It does not matter that the relevant person acted in good faith. Intention is also not relevant. Further, unlike in the investor protection context, the concept of reasonableness does not generally feature in this category; liability is imposed irrespective of whether the person who prepared the information was acting reasonably or how much effort they expended in preparing or verifying the relevant information.2 However, there is one exception to this. It is necessary to consider whether there is a reasonable basis for opinions or forward-looking statements and, in this sense, strict liability is not imposed. 6.2 The consumer protection laws that apply to the operations of a corporation are many and varied. The principal ones though fall into two categories. First, there are general laws that impose a standard or norm of [page 154]

conduct concerning, among other things, the information that corporations provide to other persons or the market (ie, the misleading or deceptive conduct provisions). Second, there are laws that specifically regulate the content and form of certain disclosures to consumers (eg, unfair contract terms provisions and laws relating to the provision of credit). The primary focus of this chapter will be on the former although the latter category of laws will be discussed in order to illustrate developing trends in this area by reference to a selection of laws. This chapter will be divided into the following sections: Misleading or deceptive conduct; and Specific consumer disclosure laws — regulating form and content.

MISLEADING OR DECEPTIVE CONDUCT This section of the book will examine the statutory provisions that prohibit a person from engaging in misleading or deceptive conduct. The norm of conduct established by these provisions is expressed in relatively succinct terms, but the case law regarding their application is voluminous and highly textured.

The statutory provisions 6.3 This section will discuss the law relating to misleading or deceptive conduct. For simplicity, the provisions will be referred to as misleading conduct provisions.3 These are found in three separate statutes: Provision s 1041H, Corporations Act 2001 (Cth)

Regulated conduct A person must not, in this jurisdiction, engage in conduct, in relation to a financial product or a financial service, that is misleading or deceptive or is likely to mislead or deceive. [page 155]

s 12DA, Australian Securities and Investments Commission

A person must not, in trade or commerce, engage in conduct in relation to financial

Act 2001 (ASIC Act)

services that is misleading or deceptive or is likely to mislead or deceive.

s 18, Australian Consumer Law (ACL)4

A person must not, in trade or commerce, engage in conduct that is misleading or deceptive or is likely to mislead or deceive.

6.4 As shown above, s 1041H only applies to conduct in relation to a ‘financial product’ or a ‘financial service’ as those terms are defined in Pt 7 of the Corporations Act.5 Section 12DA applies in respect of ‘financial services’ as defined in the ASIC Act, being a definition that varies in some respect from that contained in Pt 7 of the Corporations Act. The prohibition contained in s 18 of the ACL applies broadly across the economy. The application of these laws is, however, subject to these express limitations: The misleading conduct provisions in s 1041H do not apply to conduct that contravenes s 670A (misleading takeover documents), s 728 (misleading fundraising documents) or in relation to defective Product Disclosure Statements (PDSs) within the meaning of s 1022A.6 The misleading conduct provisions in s 12DA of the ASIC Act do not apply to conduct that contravenes s 670A (misleading takeover documents), s 728 (misleading fundraising documents) or in relation to defective PDSs within the meaning of s 1022A.7 The misleading conduct provisions in s 18 of the ACL do not apply to conduct in relation to ‘financial products’ and ‘financial services’ as such conduct will be regulated (if at all) by relevant provisions of the Corporations Act.8 To the extent that they form part of the law of the states or territories, the misleading conduct provisions in s 18 of the ACL do not apply to conduct that contravenes s 670A (misleading takeover documents), [page 156] s 728 (misleading fundraising documents) or in relation to defective PDSs within the meaning of s 1022A.9 In practice, subject to the exclusions set out above, proceedings relating to misleading conduct are often commenced under more than one of the provisions mentioned above given the overlapping and supplementary nature of the laws.10

The next section will discuss some aspects of the application of these laws that are peculiar to each regime and the section that follows will discuss common elements of the prohibitions.

Peculiar elements regarding the scope of s 1041H — the meaning of ‘in relation to’ 6.5 As discussed above, the conduct prohibited by s 1041H applies in relation to ‘a financial product’ as defined in Pt 7.1 Div 3 and the term ‘a financial service’ as defined in Pt 7.1 Div 4. A key issue in this context is the degree to which the term ‘in relation to’ limits the application of the provision. 6.6 It is clear from the case law that the expression ‘in relation to’ is to be given a wide meaning. In Australian Securities and Investments Commission v Narain [2008] FCAFC 120 (Narain) Finkelstein J expressed the following views concerning this threshold issue: … the words “in relation to” require a relationship or connection between two subject matters. In the context of Part 7.10 generally, and s 1041H in particular, the expression ought to receive broad construction. One important object of the Part is to ensure that participants in the market for financial products and financial services act with integrity and honesty and that consumers are adequately protected. To further this object I do not think the connection between misleading statements on the one hand and shares in a company on the other must necessarily be immediate or direct. I particularly do not accept as a necessary condition for conduct to be “in relation to a financial product” that the conduct must “on its face” refer to or, as the judge would have it, “deal with” the financial product. With great respect to those who hold the opposite view, that approach gives s 1041H an unnecessarily narrow construction; a construction that will not promote its objects.11

6.7 Against this backdrop, the key issue that needed to be decided in Narain was whether misleading statements in a press release constituted conduct that was in relation to a financial product or service. In Narain [page 157] the managing director of a listed company (CTF) prepared a press release that contained misleading statements about one of its products. The press release claimed that one of CTF’s products had significant medicinal properties which they in fact did not possess. The managing director then authorised its company secretary to send the release to the ASX, that in turn published it on its announcements platform. It was asserted that CTF provided the release to the ASX in purported discharge of its continuous disclosure obligations.

The price of CTF’s securities increased from $0.255 to $0.70 (an increase of over 200 per cent) following the publication of the release, before falling again to $0.295 upon the making of a further corrective announcement by CTF. In this connection, Finkelstein J held that: … the real question that must be answered is this. Is the publication on the ASX of a statement that, as in this case, a reasonable person would expect to have, or would be likely to have, a material effect on the price or value of CTF shares, conduct that “relates to” those shares? I am in no doubt that it does. Indeed, in my view, the statements in the Release “relate to” CTF shares whether one takes a narrow or broad view of those words. There is a sufficient connection between the statements and CTF shares by reason of (1) the content of the statements, concerning, as they do, the business of CTF, and (2) the place of their publication, namely on the exchange where the shares are traded.12

This case illustrates the broad scope of the prohibition set out in s 1041H.

Peculiar elements regarding the scope of s 12DA 6.8 For s 12DA to apply, there must be conduct in relation to ‘financial services’ and that conduct must be ‘in trade or commerce’. The definition of that term in s 12BAB of the ASIC Act is wider than the corresponding term used in Pt 7.1 of the Corporations Act (which is the definition that controls the scope of the application of s 1041H). Importantly for present purposes, the definition in the ASIC Act extends to credit facilities, which are not included in the definition in Pt 7.1 and could also amount to dealing in one’s own securities.13

The ‘trade and commerce’ limit on the scope of s 12DA, ASIC Act and s 18, ACL 6.9 For the prohibitions contained in s 12DA of the ASIC Act or s 18 of the ACL to apply, the relevant conduct must be in ‘trade or commerce’. [page 158] The classic statement of the meaning of this term is found in Re Ku-Ring-Gai Co-Operative Building Society (No 12) Ltd [1978] FCA 50; (1978) 36 FLR 134 per Deane J: The terms “trade” and “commerce” are not terms of art. They are expressions of fact and terms of common knowledge. While the particular instances that may fall within them will depend upon the varying phrases of development of trade, commerce and commercial communication, the terms are clearly of the widest import … They are not restricted to dealings or communications which can

properly be described as being at arm’s length in the sense that they are within open markets or between strangers or have a dominant objective of profit-making. They are apt to include commercial or business dealings … which are not within the mainstream of ordinary commercial activities [even if those activities are] … not compatible with a dominant objective of profit-making.14

The term is concerned with activities that are in trade or commerce and not in respect of trade or commerce.15 The former concept has a restrictive operation.16 The relevant conduct must ‘bear a trading or commercial character’.17 Examples of conduct that is capable of falling within the term ‘trade or commerce’ are as follows: False statements contained in an audit report: King v Yurisich [2005] FCA 1277. Statements made on the radio, the internet and in newspapers: ACCC v Kaye [2004] FCA 1363. The use of Google Adwords by a corporation: Australian Competition and Consumer Commission v Trading Post Australia Pty Ltd [2011] FCA 1086; Australian Competition and Consumer Commission v Google Inc [2012] FCAFC 49. Statements made by directors in the notes to a notice of a meeting to consider a proposed acquisition: Re Orison Pty Ltd v Strategic Minerals Corporation Nl; Peter Gullan Cross; John Swire-Thompson; Asha Capital Corporation Ltd and Asha Energy Pty Ltd [1987] FCA 263. Misleading conduct in the course of ‘without prejudice’ negotiations: Pihiga Pty Ltd v Roche [2011] FCA 240. [page 159]

Misleading or deceptive conduct — interpretation and application 6.10 The previous sections examined the elements which limit the scope of the respective regimes and which are peculiar to one or more of those regimes. This section will examine how the courts have interpreted the norm of conduct set out in the respective statutory provisions and will also examine the numerous principles and factors that influence how the courts apply the law.

Meaning of ‘deceptive’ conduct 6.11 The word ‘deceptive’ adds nothing to the statutory prohibition. In Parkdale Custom Built Furniture Pty Ltd v Puxu Pty Ltd [1982] HCA 44; (1982) 149 CLR 191 per Gibbs CJ noted that: One meaning which the words “mislead” and “deceive” share in common is “to lead into error”. If the word “deceptive” in s. 52 stood alone, it would be a question whether it was used in a bad sense, with a connotation of craft or overreaching, but “misleading” carries no such flavour, and the use of that word appears to render “deceptive” redundant.

Meaning of ‘likely to’ 6.12 The expression ‘likely to’ only means that conduct has potential to have the required effect. The relevant conduct does not in fact have to mislead or deceive.18 In Tillmanns Butcheries Pty Ltd v Australasian Meat Industry Employees’ Union [1979] FCA 85 Deane J expressed the following view concerning the word ‘likely’: The word “likely” can, in some context, mean “probably” in the sense in which that word is commonly used by lawyers and laymen, that is to say, more likely than not or more than a fifty per cent chance (“an odds-on chance”). It can also, in an appropriate context, refer to a real or not remote chance or possibility regardless of whether it is less or more than fifty per cent. When used with the latter meaning in a phrase which is descriptive of conduct, the word is equivalent to “prone”, “with a propensity” or “liable”.19

Objective test for assessing misleading or deceptive conduct 6.13 Whether conduct is misleading or deceptive is to be assessed by the court on an objective basis. Further ‘evidence that members of the public [page 160] have actually been misled is not conclusive’.20 The key requirement is that the impugned conduct leads, or is likely to lead, a person into error. This concept was recently repeated in Miller & Associates Insurance Broking Pty Ltd v BMW Australia Finance Ltd [2010] HCA 31 where French CJ and Kiefel J noted that for ‘conduct to be misleading or deceptive it … suffices that it leads or is likely to lead into error’.21 Determining this issue involves a question of fact.

Statements that are literally true 6.14 A person can be led into error by a statement even when it is literally true. In National Exchange Pty Ltd (ACN 006 079 974) v Australian Securities & Investments Commission [2004] FCAFC 90 Jacobson and Bennett JJ expressed the view that: In our opinion, no such distinction can be drawn. A document which, when read as a whole, is factually true and accurate may still be capable of being misleading if it contains a potentially misleading primary statement which is corrected elsewhere in the document but without the reader’s attention being adequately drawn to the correction.22

State of mind 6.15 The intention of the person engaging in conduct is not relevant for the purposes of determining misleading conduct. However, if a person did intend to mislead another, then that would support a finding that the statutory prohibition was breached.23 6.16 The state of mind of a person is also relevant where it is alleged that the person is ‘involved in’ a contravention.

Transitory effect and disclaimers 6.17 Conduct will amount to a breach of the prohibition even if the relevant conduct is transitory or trivial and then subsequently corrected at the point of sale or otherwise.24 For example, it will not be enough for terms and conditions of a contract to correct any misleading statements that appear on a corporation’s website or in a banner ad.25 [page 161] However, as Miller points out, ‘a transitory or ephemeral impression, if misleading, but which is immediately dispelled, may, depending on the circumstances, be of no commercial significance [and] may not be actionable, at least in damages cases’.26 In these cases a regulator may however seek declarations on public policy grounds. For example, in Australian Securities and Investments Commission v Australian Lending Centre Pty Ltd (No 3) [2012] FCA 43, ASIC commenced proceedings under the ASIC Act against the

Australian Lending Centre Pty Ltd (ALC) and related parties alleging those entities had engaged in misleading conduct and unconscionable conduct. In that case, with one exception, there was no live dispute or controversy between the ALC and persons whom had been adversely impacted by the relevant conduct, as those issues had been resolved prior to ASIC commencing its action. Nevertheless, ASIC sought declarations of contraventions of the ASIC Act for public interest reasons. Perram J observed that a regulator has standing to pursue declarations in this context27 and then expressed his view on whether such orders should be made in cases of the type before him in the following manner: Whether the power should be exercised is a different question. Against the making of these declarations it might be said that … there is presently no dispute between the persons to whom the loans were extended and ALC/SLC [Sydney Lending Centre Pty Ltd]. So viewed, there is no controversy to which the proposed declarations may be seen as being apt to quell. But I do not think that this should be accepted. The declarations will fulfil the purpose of vindicating ASIC’s claim that ALC/SLC’s conduct did involve contraventions of the ASIC Act and this in turn is likely to provide clarity as to how comparable lending practices of the kind under consideration fit within that regulatory framework. I am satisfied in those circumstances that the making of declarations will not be moot and will serve a purpose with real utility.28

6.18 The fact that disclaimers and fine print are used will not allow a corporation to escape liability under the law if such disclaimers or fine print (including the use of terms such as ‘conditions apply’ or asterisks) are not sufficiently prominent or clear to negative the misleading conduct.29 [page 162]

Careless conduct 6.19 The prohibition imposes strict liability on a person who engages in misleading conduct. Liability for misleading conduct will not be excused merely because of a failure by a person affected by the conduct — eg, they were careless or could have ascertained that the applicable conduct was misleading by making proper enquiries.30

Class of persons to whom conduct is directed 6.20 Not all misleading statements will be actionable. The quality of conduct must be determined by reference to the class of person towards whom the

conduct is directed. This will either be identified persons or the public at large. Where the conduct is directed at the public at large, the effect of the conduct must be evaluated by reference to what its effect would have been on an ordinary or reasonable member of the relevant class.31 Although it should be noted that the range of responses of reasonable members of such a class will vary and the range of these responses needs to be taken into account.32 Where the conduct is directed to identified individuals: … it is not necessary that he or she be reconstructed into a hypothetical, “ordinary” person. Characterisation may proceed by reference to the circumstances and context of the questioned conduct. The state of knowledge of the person to whom the conduct is directed may be relevant, at least in so far as it relates to the content and circumstances of the conduct.33

6.21 In some cases, liability will not arise due to the qualities of the person to whom conduct is directed. Any extreme or fanciful assumptions by persons should be disregarded.34 Miller has noted that where ‘only persons who are extremely stupid or gullible are misled the conduct is unlikely to be regarded as misleading or deceptive’.35

A failure to disclose 6.22 In some cases silence can amount to misleading conduct. In Re Winterton Constructions Pty Ltd v Hambros Australia Ltd and [page 163] Properties Pty Ltd [1992] FCA 582 Hill J expressed the following views on this topic: [I]t is difficult to see how a mere silence could, of itself, constitute conduct which is misleading or deceptive or likely to mislead or deceive. However, if the circumstances are such that a person is entitled to believe that a relevant matter affecting him or her adversely would, if it existed, be communicated, then the failure to so communicate it may constitute conduct which is misleading or deceptive because the person who ultimately may act to his or her detriment is entitled to infer from the silence that no danger of detriment existed. Thus, where a duty to speak is imposed, silence may constitute misleading and deceptive conduct.36

6.23 The courts appear more reluctant to find a person liable in this context where commercial dealings take place at arm’s length. However, this does not mean that a corporation engaged in such discussions has a licence to deceive. In Poseidon Ltd v Adelaide Petroleum NI [1991] FCA 663 Burchett J expressed the view that:

I do not think it has ever been suggested that s. 52 strikes at the traditional secretiveness and obliquity of the bargaining process. Traditional bargaining may be hard, without being in the statutory sense misleading or deceptive. No one expects all the cards to be on the table. But the bargaining process is not therefore to be seen as a licence to deceive.37

Ultimately, whether silence can amount to misleading conduct will depend on all the circumstances. In Fraser v NRMA Holdings Ltd (1995) 15 ACSR 590 the Full Court stated that: While s 52 itself does not by its terms impose an independent duty of disclosure which would require a corporation or its directors to give any particular information to members asked to consider a motion in general meeting, where information for that purpose is promulgated, unless the information given constitutes a full and fair disclosure of all facts which are material to enable the members to make a properly informed decision, the combination of what is said and what is left unsaid may, depending on the full circumstances, be likely to mislead or deceive the membership.38

Opinions and forward-looking statements 6.24 Generally, a corporation may not be liable under the misleading conduct provisions if it provides an opinion or makes a statement that relates wholly to a future matter. This issue will turn on whether or not the corporation had reasonable grounds for holding the opinion [page 164] or making the statement.39 The fact that opinions or forward looking statements are, in hindsight, flawed or otherwise erroneous, will not in themselves be enough to establish liability. In Global Sportsman Pty Ltd v Mirror Newspapers Ltd [1984] FCA 180 the court stated that: The non-fulfilment of a promise when the time for performance arrives does not of itself establish that the promisor did not intend to perform it when it was made or that the promisor’s intention lacked any, or any adequate, foundation. Similarly, that a prediction proves inaccurate does not of itself establish that the maker of the prediction did not believe that it would eventuate or that the belief lacked any, or any adequate, foundation. Likewise, the incorrectness of an opinion … does not of itself establish that the opinion was not held by the person who expressed it or that it lacked any, or any adequate, foundation. … An expression of opinion which is identifiable as such conveys no more than that the opinion expressed is held and perhaps that there is basis for the opinion. At least if those conditions are met, an expression of opinion, however erroneous, misrepresents nothing.40

In Australian Securities and Investments Commission v Fortescue Metals Group Ltd [2011] FCAFC 19, Keane CJ expanded on this point: A statement which is ordinarily and reasonably understood as a statement of opinion is not apt to

mislead if the opinion is genuinely and reasonably held by the maker of the statement. That is because the audience would understand that the statement was made on the basis that it expresses a view on which a different opinion might also be entertained, not a matter of fact about which no doubt can be entertained.41

Advertising 6.25 All modern corporations promote their goods and services to consumers through advertising. The cases concerning advertising exhibit a wide spectrum of judicial approaches. In ACCC v Telstra Corp Ltd [2004] FCA 987, Gyles J expressed the following view: … the numerous cases in this field [make] it perfectly apparent that individual judges vary considerably in their assessments of the effect of advertising. Some take a robust view and credit consumers with a fair amount of cynicism about advertisements and a fair amount of ability

[page 165] to make their own judgments. Others are convinced of the power of advertisements and are protective of the consumer. Neither side is right or wrong — it is a matter of opinion.42

6.26 In cases involving advertising, a certain degree of ‘puffing’ or exaggeration is to be expected in commercial dealings.43 In determining whether advertising is misleading one needs to consider the dominant impression conveyed by the material to the ordinary reasonable person.44 In addition, the advertisement should be considered as a whole and not be minutely examined to ascertain its meaning as most consumers only consider advertising fleetingly.45 Where the advertisement conveys more than one meaning, there is a need to consider whether each of the meanings that are reasonably conveyed is misleading.46 Where a good or service is advertised as being free, but qualifications apply, a corporation will need to clearly spell out such qualifications in order to negative the attractive force of the use of the word ‘free’.47 Merely highlighting to consumers that conditions apply will not be sufficient to overcome the effect of the word ‘free’.48 In summary, the use of the term ‘free’ will inevitably be a high-risk marketing strategy. 6.27 In terms of comparative advertising, a more onerous obligation is imposed on advertisers. In Stuart Alexander and Co (Interstate) Pty Ltd v Blenders Pty Ltd [1981] FCA 152 Lockhart J stated that: When a person produces a television commercial that, not only boosts his own product but, as in this case, compares it critically with the product of another so that the latter is shown up in an

unfavourable light by the comparison, in my view he ought to take particular care to ensure that the statements are correct.49

A key obligation of advertisers in these cases is to ensure that any comparison is fair. All relevant facts and matters should be included in any comparison to make sure it is fair. In Re Duracell Australia Pty Ltd [page 166] v Union Carbide Australia Ltd [1988] FCA 380 Burchett J commented on the role of unfairness in this way: In the area of comparison advertising, it has repeatedly been said that particular care is required. An unfair comparison may, quite simply, because it is unfair, be misleading. It may mislead a consumer into thinking there is a basis for a choice where, in truth, there is not; or that a choice may be made on grounds which are not truly valid.50

Social/digital media cases 6.28 Social media Recently, the Advertising Standards Board (ASB) issued a determination that held the provisions of the Advertiser Code of Ethics (which, among other things, prohibit misleading or deceptive advertising and marketing) apply not only to information that a corporation may post on its website (or Facebook pages) but also to any user-generated information posted on such media.51 This determination puts the onus on corporations which are subject to the Advertiser Code of Ethics (the Ethics Code) to be more vigilant regarding the information that is posted on their social media sites and, where appropriate, delete user-generated material from those sites. However, the ASB’s determinations are part of a self-regulatory regime, which at most only has contractual force. For guidance as to how the law applies to social and digital media in this context, one needs to consider applicable judicial pronouncements. In Australian Competition and Consumer Commission v Allergy Pathway Pty Ltd (No 2) [2011] FCA 74 (Allergy Pathway) considered the liability of Allergy Pathway Pty Ltd for user-generated posts on the Twitter and Facebook pages maintained by that corporation. In that case Finkelstein J said: It has been shown, indeed it was not disputed, that Allergy Pathway knew that persons had published testimonials on its Twitter and Facebook pages and that it took no steps to have them removed. I infer that one reason Allergy Pathway did not remove the testimonials was that it wanted to take the benefit of the praise for its services. Another possible reason is that Allergy Pathway thought the testimonials added legitimacy to its business.

While it cannot be said that Allergy Pathway was responsible for the initial publication of the testimonials (the original publisher was the third party who posted the testimonials on Allergy Pathway’s Twitter and Facebook pages) it is appropriate to conclude that Allergy Pathway accepted responsibility for the publications when it knew of the publications and decided not to remove them. Hence it became the publisher of the

[page 167] testimonials. In any event it is clear that it caused them to continue to be published from the time it became aware of their existence, which is enough to put Allergy Pathway in breach of the second limb of its undertaking.52

In Google Inc v Australian Competition and Consumer Commission [2013] HCA 1 (Google), the High Court confirmed that, where an online platform provider allows others to create content on those platforms, the platform provider will not be liable for any misleading representation created by other parties unless ‘it would appear to ordinary and reasonable members of the relevant class that the corporation has adopted or endorsed that representation’.53 Thus, it can be seen that the mere provision of a communication medium or platform will not render the platform provider liable, unless one creates misleading content or adopts or endorses misleading content created by others. In Google, French CJ, Crennan and Kiefel JJ expressed the following views in relation to the platform provided by Google Inc: … each relevant aspect of a sponsored link is determined by the advertiser. The automated response which the Google search engine makes to a user’s search request by displaying a sponsored link is wholly determined by the keywords and other content of the sponsored link which the advertiser has chosen. Google does not create, in any authorial sense, the sponsored links that it publishes or displays. That the display of sponsored links (together with organic search results) can be described as Google’s response to a user’s request for information does not render Google the maker, author, creator or originator of the information in a sponsored link. The technology which lies behind the display of a sponsored link merely assembles information provided by others for the purpose of displaying advertisements directed to users of the Google search engine in their capacity as consumers of products and services. In this sense, Google is not relevantly different from other intermediaries, such as newspaper publishers (whether in print or online) or broadcasters (whether radio, television or online), who publish, display or broadcast the advertisements of others. The fact that the provision of information via the internet will — because of the nature of the internet — necessarily involve a response to a request made by an internet user does not, without more, disturb the analogy between Google and other intermediaries. To the extent that it displays sponsored links, the Google search engine is only a means of communication between advertisers and consumers.54

[page 168]

Accordingly, if a platform provider merely provides digital infrastructure that acts as a conduit for others to communicate with each other, then it is unlikely that the platform provider will be liable for misleading statements contained in user-generated content. However, each case will turn on its facts. If a platform provider also edits or closely monitors posts or otherwise has their attention drawn to a misleading statement (as was the case in Allergy Pathway), then the likelihood of infringement increases significantly. In the circumstances of the Google case, it was not necessary for the High Court to consider the application of s 85(3) of the Trade Practices Act 1974 (Cth). However, the High Court did observe that section provided a defence to ‘an intermediary publisher who has endorsed or adopted a published representation of an advertiser without appreciating the capacity of that representation to mislead or deceive may have resort to a statutory defence’.55 Finally, it is useful to note that the Australian Competition and Consumer Commission has published guidelines that are broadly consistent with the case law discussed above.56 6.29 Google Adwords In Australian Competition and Consumer Commission v Trading Post Australia Pty Ltd [2011] FCA 1086 it was held that certain advertisements which advertisers paid Google to display as ‘Sponsored Links’ were, among other things, misleading or deceptive. In that case, various advertisers paid Google a fee to display an advertisement in the ‘Sponsored Links’ section of a search engine results page (SERP). The advertisements were displayed in the SERP whenever a user searched for a specific word or phrase which the advertiser had registered with Google and in respect of which it paid a fee (Google Adwords). The order in which the advertisements were displayed reflected the price that an advertiser was willing to pay for the relevant Google Adword. An example of an advertisement that was displayed in the ‘Sponsored Links’ section of the SERP is set out below: Kloster Ford New/Used Fords – Search 90,000 + auto ads online. Great finds daily!

[page 169] The above text is referred to as a ‘Google Snippet’. Nicholas J was of the view that the URL (while less prominent than the title) was not fine print and would

not escape the attention of a user.57 His Honour held that an ordinary and reasonable member toward whom the advertisement was directed would read the above Google Snippet as a whole and would appreciate that by clicking on the link they would be taken to .58 However, his Honour found that, among other things, the Trading Post engaged in misleading or deceptive conduct by publishing the Klosters Ford advertisement. The advertisement was likely to mislead or deceive in that it conveyed a representation that there was an association or affiliation between Klosters Ford and Trading Post when in fact there was none. In particular, his Honour found that the advertisement conveyed a representation by Trading Post that information about Klosters Ford could be found at Trading Post’s website when in fact such information could not be located on that site.59 It is clear from the judgment that whether certain advertisements used in the ‘Sponsored Links’ section (which is now called the ‘Ads’ section) are misleading will depend on the Google Adword the advertiser uses, the text used within the Google Snippet, the representations that the text conveys when read as a whole and any presumed knowledge of the relevant class of person to whom the advertisements are directed. In addition to Trading Post, a number of other advertisers were also found to have engaged in misleading or deceptive conduct for reasons similar to the ones mentioned above. The decision of Nicholas J in respect of the advertisers was not the subject of any appeal.

Contravention 6.30 Civil liability is imposed on any person as principal who contravenes the following sections: s 1041H of the Corporations Act; s 12DA of the ASIC Act; or s 18 of the ACL. Liability arises under s 1041I of the Corporations Act; s 12GF of the ASIC Act; and ss 236 and 237 of the ACL respectively. Liability is imposed on persons who contravene the law as principals. Ordinarily the corporation will be a principal and, in certain cases, directors and officers will be liable as principals. For example, in Arktos Pty Ltd v Idyllic Nominees Pty Ltd (2004) ATPR 42-005 the Full Court held that: … [t]he authorities show that a director of a corporation who acts on its behalf in the course of trade or commerce also acts himself or herself

[page 170]

in trade or commerce and, if the corporation is liable [for misleading conduct] …, they also attract primary liability under the same statute.60

In addition to persons who are principally liable for a contravention, liability under these provisions extends to individuals who are ‘involved in the contravention’. Among other things, a person will be involved in a contravention if he or she: (a) has aided, abetted, counselled or procured the contravention; or (b) has induced, whether by threats or promises or otherwise, the contravention; or (c) has been in any way, by act or omission, directly or indirectly, knowingly concerned in, or party to, the contravention; or (d) has conspired with others to effect the contravention.61

However, in such cases it will be necessary to show knowledge or intention on the part of the alleged wrongdoer. Any person who suffers loss as a result of a contravention of the law is able to recover compensation from the wrongdoer under the relevant provisions.62 In order for a person to receive damages however it would of course be necessary for that person to prove that they relied on the impugned conduct. Injunctions and other orders are also available.63 Liability under the relevant provisions may also be modified by the operation of applicable proportionate liability regimes.64 6.31 A breach of the misleading conduct provisions discussed above does not constitute a criminal offence. However, a breach of related information laws may constitute an offence. These laws prohibit the making of false representations.65

Conclusions regarding misleading conduct 6.32 The misleading conduct provisions condition many aspects of a corporation’s interaction with consumers and other parties. The norm [page 171] of conduct that they prescribe has a profound impact on the manner in which corporations, directors and other corporate officers carry out corporate functions. This applies particularly when it comes to providing or disclosing information of all forms, including communicating with shareholders, engaging in advertising or making announcements to the market.

SPECIFIC CONSUMER DISCLOSURE LAWS — REGULATING FORM AND CONTENT 6.33 The previous section examined the general prohibition on misleading conduct. That prohibition is expressed using a handful of words. In other areas however there is an increasing tendency to introduce greater levels of prescription in the consumer protection environment. This section will examine a number of laws that illustrate this trend. One thing that these laws have in common is the degree of prescription they impose regarding the form and content of disclosures to consumers. The areas of legislative development relevant to this discussion are: unfair contract terms; Telecommunications Consumer Protections Code/ACMA; and credit regulation.

Unfair contract terms 6.34 The unfair contract terms provisions contain one disclosure requirement that has impact on the form of disclosure that corporations and others make in standard form consumer contracts. Before we examine that disclosure or ‘transparency’ issue, it is necessary to outline the general requirements of the relevant provisions. 6.35 The unfair contract terms provisions are contained in Sch 2 (Australian Consumer Law) Competition and Consumer Act 2010 (Cth) (CCA). The unfair contract terms in the ACL apply to all consumer contracts although they do not apply to consumer contracts for the supply of financial products or financial services.66 Unfair contract terms in that context are governed by equivalent provisions in the ASIC Act.67 [page 172] The constitutional reach of the law is also extended under state law.68 For simplicity, this section will focus on the laws set out in the ACL.69 6.36

The unfair contract terms under the ACL apply to consumer contracts

entered into on or after 1 July 2010 and the terms of existing contracts renewed or varied on or after 1 July 2010.70 A ‘consumer contract’ is defined in s 23(3) of the ACL as a contract for: (a) a supply of goods or services; or (b) a sale or grant of an interest in land; to an individual whose acquisition of the goods, services or interest is wholly or predominantly for personal, domestic or household use or consumption.71

Accordingly, the unfair contract terms do not apply to business-to-business contracts. Further, the law does not apply to: terms that define the main subject matter of the contract;72 terms that set the upfront price payable under a contract73 (being consideration that is provided or is to be provided for the relevant supply, sale or grant and which is disclosed at or before the time the contract is entered into, but does not include any fee that is payable on a contingency basis);74 terms required to be included by state or territory law;75 terms in marine salvage/towing, charter party, carriage of goods by ship contracts or provisions in a constitution, managed investment scheme or other kind of body.76 6.37 A term of a consumer contract is void if the term is contained in a standard form contract and the term is unfair.77 Ascertaining whether a consumer contract is a standard form contract is a question of fact. However, s 27(1) provides that if a party alleges that a contract is a [page 173] standard form contract it is presumed to be so unless the another party proves otherwise. Section 27(2) also contains a list of factors that a court must take into account in determining this issue. Broadly speaking, if a consumer contract is prepared by a supplier and presented to a consumer on a ‘take it or leave it’ basis it will be almost impossible to resist the conclusion that it is a standard form contract.78 6.38 Section 24 of the ACL defines the meaning of ‘unfair’. Under s 24(1) a term of a consumer contract is unfair if: (a) it would cause a significant imbalance in the parties’ rights and obligations arising under the

contract; and (b) it is not reasonably necessary in order to protect the legitimate interests of the party who would be advantaged by the term; and (c) it would cause detriment (whether financial or otherwise) to a party if it were to be applied or relied on.

Without limiting the scope of s 24, a non-exhaustive list of 14 kinds of terms which may be capable of being unfair are set out in s 25. Section 24(4) provides that for the purposes of s 24(1)(b), ‘a term of a consumer contract is presumed not to be reasonably necessary in order to protect the legitimate interests of the party who would be advantaged by the term, unless that party proves otherwise’. 6.39 In determining whether a term of a contract is unfair for the purposes of s 24, a court may have regard to any matter which it considers relevant, but it must have regard to the extent to which the impugned term is transparent and the contract as a whole: s 24(2). Section 24(3) provides that a term is ‘transparent’ if the term is: (a) expressed in reasonably plain language; and (b) legible; and (c) presented clearly; and (d) readily available to any party affected by the term.

It is this transparency requirement that forms the basis of the disclosure obligation under the unfair contract regime. If a consumer cannot understand the information conveyed in terms governed by the law, then there is a risk that those terms may be rendered void. [page 174] 6.40 The transparency requirement was discussed in the Explanatory Memorandum (EM) to the Trade Practices Amendment (Australian Consumer Law) Bill (No 2) 2010. The EM states that the lack of transparency is not likely, of itself, to be determinative of whether a term is unfair because one must always have regard to the substantive nature and effect of the term being conveyed to the consumer.79 Transparency, on its own account, cannot overcome underlying unfairness in a contract term.80 Equally, transparency cannot in the ordinary course, on its own account, give rise to unfairness. However, ‘[a] lack of transparency in the terms of a consumer contract may be a strong indication of the existence of a

significant imbalance in the rights and obligations of the parties under the contract.’81 While the law is structured in a different manner in the United Kingdom,82 the approach articulated in the EM on this particular point is broadly consistent with the approach taken to the transparency requirement by United Kingdom courts. For example, in the decision of The Office of Fair Trading v Abbey National plc [2008] EWHC 875 (Comm) (UK) (Abbey) Smith J expressed the view that a term of a consumer contract ‘which is not in plain intelligible language is necessarily unfair’ but that ‘[i]ts clarity might be relevant to the assessment of its fairness’.83 6.41 In Abbey, Smith J was of the view that the determination of ‘whether terms are in plain intelligible language is to be considered from the point of view of the typical consumer or the average consumer’.84 On appeal, the United Kingdom Court of Appeal agreed with his Honour’s decision on this point.85 During the course of his decision Smith J also observed that, for the purposes of United Kingdom law: contract terms should be sufficiently clear to enable the typical customer to have a proper understanding of it for sensible and practical purposes; and [page 175] where contract terms relate to complex subject matter, the drafter of the terms should focus on what it is essential for the customer to know rather than err on the side of caution and attempt overly detailed explanations which could detract from explaining clearly what the customer does need to know.86 Another factor that will play a key role in the determination of whether a term is transparent is the extent to which conflicts within consumer documentation give rise to a lack of clarity. Where Smith J did make adverse findings against certain banks in terms of whether terms were not in plain intelligible language, it was on the basis of conflicts within the documentation and their resultant lack of clarity to the hypothetical customer.87 6.42 A further factor that needs to be considered in this context is the prominence with which terms that are disadvantageous to a consumer are disclosed. In relation to the plain intelligible language requirement under United Kingdom law, Lord Bingham made the following comments in Director General of Fair Trading v First National Bank plc [2002] 1 AC:

Openness requires that the terms should be expressed fully, clearly and legibly, containing no concealed pitfalls or traps. Appropriate prominence should be given to terms which might operate disadvantageously to the customer.88

6.43 Many corporations regularly review their standard form contracts to ensure the enforceability of terms, eg, under consumer protection laws, such as the prohibition on engaging in misleading conduct or unconscionable conduct. The transparency requirement and other requirements under the unfair contract terms regime are yet more reasons for corporations to carefully review their policies, practices and procedures. A failure to ensure appropriate transparent disclosure in this context could contribute to contractual terms being rendered void. The legal consequence that flows from a contractual term being void is to restore parties substantially to their pre-contractual positions.89

Telecommunications Code 6.44 Another legal development that illustrates a trend toward greater prescription recently took place in the telecommunications [page 176] context with the registration under telecommunications law of the Telecommunications Consumer Protections (TCP) Code by the Australian Communications and Media Authority. In keeping with recent trends, the provisions of the new Code are highly prescriptive. We will examine these provisions below. It would seem that these provisions have been introduced to address some form of market failure, in the absence of other laws adequately addressing the issue. If this is correct, it is surprising given the scope of the misleading conduct laws discussed above.

Telecommunications Consumer Protections Code/ACMA 6.45 The Telecommunications Consumer Protections Code (the Code) is registered under the Telecommunications Act 1997 (Cth). Its aim is to ensure telecommunications suppliers provide consumers with a range of disclosures. These disclosures have largely been implemented to address issues with what is

popularly referred to as ‘bill shock’. The key disclosures include the provision of summaries concerning products and services that are offered by a supplier and certain matters required to be disclosed in advertising. 6.46 Critical information summaries The summary that needs to be provided to each customer regarding service offerings must be entitled ‘Critical Information Summaries’. This summary must include a range of prescribed details including: the minimum term of the arrangement; any important conditions, restrictions or qualifications concerning a service offering; the minimum and monthly charge payable if susceptible to being calculated; and warnings about roaming costs.90 The summary must be no longer than two A4 pages.91 Consistent with the transparency requirements discussed above and the ‘clear, concise and effective’ requirements discussed elsewhere in this chapter, the Code requires that the summary must be comprehensible and drafted in plain language.92 These requirements reinforce other obligations that require a supplier to ‘communicate its offers in a way which is clear, accurate and not misleading’93 and ensure that the language used in offers (including language used in advertising) is ‘suited to the intended audience’ and information that it provides about its offer is ‘comprehensible, clear and accurate … without exaggeration or omission of key information’.94 It [page 177] is obvious that the Code places a particular emphasis on ‘transparency’ concepts. This is in keeping with trends in other areas of the law in consumer contracts such as the legislative developments mentioned above in relation to unfair contract terms. 6.47 Advertising requirements The Code contains very prescriptive requirements relating to the advertising by telecommunications suppliers. For example, the Code: prohibits the use of headline claims that are effectively negatived by disclaimers or fine print; prohibits the use of the term ‘unlimited’ unless the ordinary use of the service to which the term relates is genuinely unlimited and not subject to exclusions; the term ‘free’ must not be used in relation to the supply of a service or

hardware unless such hardware or service is not paid for; and prohibits the use of any performance claims unless such claims can be substantiated.95 The Code contains many other similar requirements. What is surprising from a disclosure perspective is the level of detail actually set out in the Code in respect of the use of language. None of the requirements seem to address issues that would otherwise be capable of being caught by misleading or deceptive conduct provisions of the CCA. While there is a role for prescription in regulatory contexts, it would seem preferable that where existing laws are capable of addressing market failures, those laws ought to be used to do just that, rather than create ever more prescriptive levels of regulation. However, in some respects this is a moot point as in the current environment the trend appears to be in the other direction. 6.48 A breach of the Code can have serious ramifications for corporations it covers. If a complaint is not resolved internally (ie, by the company directly with the customer) or via the Telecommunications Industry Ombudsman (TIO), the TIO may refer the matter to the Australian Communications and Media Authority (ACMA). In appropriate cases, ACMA may issue a written direction to a supplier bound by the Code.96 Failure to comply with such a direction is subject to a maximum penalty of $250,000 for corporations.97 [page 178]

Credit regulation 6.49 Another area where there has historically been a prescriptive approach to disclosure requirements is in relation to the supply of credit. The latest manifestations of these requirements are the National Consumer Credit Protection Act 2009 (Cth), the National Credit Code and the National Consumer Credit Protection Regulations 2010 (Cth). As may be expected, the disclosure requirements are voluminous in this context. For example, see Pt 2 of the National Credit Code.98 In recent times the number of requirements has also been increasing in line with the general trend to increase the level of legislative prescription regarding disclosures to consumers. It is not possible to examine those disclosure obligations here, but it is instructive to review the requirements concerning the Key Facts Sheet; a recent addition to the family of disclosure

obligations in this context. This examination will illustrate the level of specificity that the law requires in the credit context. 6.50 The National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) provides that a Key Facts Sheet must be supplied in relation to a standard home loan99 and in relation to a credit card contract.100 This section will focus on the requirements relating to the Key Facts Sheet for a standard home loan. A Key Facts Sheet for a standard home loan must be in the form of Sch 5 to National Consumer Credit Protection Regulations 2010 (Cth) (Regulations). Schedule 5 uses a two-column ‘Schumer’ box to list all the information a credit provider must communicate to their customer. In addition, the Key Facts Sheet must satisfy the following requirements: the Key Facts Sheet must be in A4 size; all text in the Key Facts Sheet must be black on a white background, unless otherwise specified in this regulation; the text, except the heading, in the ‘Description of this home loan’ box must be black on a light blue background; the text in the second row of the ‘Estimated cost of this home loan’ box must be black on a light blue background; the headings to all boxes must be white on a blue background; all other headings must be blue on a white background. [page 179] What is arresting about these requirements is their depth of detail. It seems surprising that any law would need to dictate the colours used in a disclosure document, yet they do and presumably that addresses a form of market failure. A failure to comply with the above requirements attracts a civil penalty of up to 2000 penalty units and can be an offence attracting a fine of up to 50 penalty units. There are limited defences to liability.101 In addition, a court may order a person who breaches a civil penalty provision or who commits an offence to pay compensation if another person suffers loss or damage as a result of that contravention or offence.102 6.51

The prescriptive nature of the laws in this context is their hallmark.

While the philosophy on which the laws are based may be sound, the real issue in this context is that the development of the law is accretive and never subtractive. That is, new prescriptive regulation is added to the regulatory framework yet there are no significant attempts to trim any existing regulatory excess. In this connection, it seems that the general philosophy is that more, rather than less, disclosure is better.

CONCLUSION 6.52 The discussion in this chapter identified the elegant approach to addressing market failure in the form of misleading conduct. The provisions of the relevant statutes are expressed with great economy and have been interpreted flexibly by the courts to cover a wide range of disclosure and other communications made by corporations and their agents. The combination of the law and the case law applying it seems to provide a very comprehensive framework for protecting consumers from misleading conduct. However, there have been other perceived market failures which continue to trigger further regulatory intervention. The unfair contract terms regime was recently introduced on an economy-wide basis. It imposes additional requirements on corporations in terms of information that they disclose or communicate to consumers. Further, other laws have been introduced in specific sectors of corporate activity to impose additional, highly prescriptive requirements on corporations that operate in those sectors in terms of what they disclose to their consumers. Whether or not all of these laws are truly necessary, only time will tell. What is apparent, however, is the increasing trend to increase the information law burden on corporations. _________________________ 1.

See R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 15th ed, LexisNexis Butterworths, Australia, 2013, 22.020.

2.

See further fn 1, Austin et al, 22.020.

3.

Noting that the ‘deceptive’ element is redundant as it adds nothing to the scope of the relevant laws: see 6.11. The focus of this section will be on misleading conduct provisions, but it is common for such claims to run together with claims that the relevant conduct amounts to a false representation and is therefore actionable under s 29 of the ACL, s 12DB of the ASIC Act and s 1041E of the Corporations Act. Note also that in some cases making a false representation may amount to an offence. See, for example, s 151 of the ACL which is cast in the same terms as s 29 of the ACL, but a breach of that provision constitutes an offence. Limited defences may be available in this context: see, for example, s 207 of the ACL.

4.

The ACL is set out in Sch 2 to the Competition and Consumer Act 2010 (Cth).

5.

These terms are defined respectively in Pt 7.1 Div 3 and Pt 7.1 Div 4, Corporations Act.

6.

See s 1041H(3), Corporations Act. The liability for defective disclosure in these three instances was discussed in Chapter 5.

7.

See s 12DA(1A), ASIC Act. The liability for defective disclosure in these three instances was discussed in Chapter 5.

8.

See ss 131 and 131A, Competition and Consumer Act. For the relevant definitions of the terms ‘financial product’ and ‘financial services’ see s 5, ASIC Act.

9.

See s 1041K, Corporations Act.

10. See, for example, Australian Securities and Investments Commission v Fortescue Metals Group Ltd [2011] FCAFC 19 (Fortescue), which illustrates the interplay between the provisions at [179]–[180]. 11. Australian Securities and Investments Commission v Narain [2008] FCAFC 120 at [9]. 12. At [12]. 13. R Baxt, A Black and P Hanrahan, Securities and Financial Services Law, 8th ed, LexisNexis Butterworths, Australia, 2012, 8.50. 14. Re Ku-Ring-Gai Co-Operative Building Society (No 12) Ltd [1978] FCA 50; (1978) 36 FLR 134 at [44] per Deane J. 15. See Concrete Constructions (NSW) Pty Ltd v Nelson [1990] HCA 17; (1990) 169 CLR 594. 16. At [7] per Mason CJ, Deane, Dawson and Gaudron JJ. 17. At [7]. 18. Yorke v Lucas (1985) 158 CLR 661 at 675 per Brennan J. 19. Tillmanns Butcheries Pty Ltd v Australasian Meat Industry Employees’ Union [1979] FCA 85 at [10] per Deane J. See also Global Sportsman Pty Ltd v Mirror Newspapers Ltd [1984] FCA 180 at [14] per Bowen CJ, Lockhart and Fitzgerald JJ. 20. Parkdale Custom Built Furniture Pty Ltd v Puxu Pty Ltd [1982] HCA 44; (1982) 149 CLR 191 at [8] per Gibbs CJ. 21. At [15]. 22. National Exchange Pty Ltd (ACN 006 079 974) v Australian Securities & Investments Commission [2004] FCAFC 90 at [50]. 23. See Campomar Sociedad Limitada v Nike International Ltd [2000] HCA 12; (2000) 202 CLR 45. 24. ACCC v Dell Computers Pty Ltd [2002] FCA 847. 25. ACCC v TPG Internet Pty Ltd [2011] FCA 1254. 26. See R V Miller, Miller’s Australian Competition and Consumer Law Annotated, 34th ed, Lawbook Co, Australia, 2012, 1.S2.18.110. 27. Australian Securities and Investments Commission v Australian Lending Centre Pty Ltd (No 3) [2012] FCA 43 at [271]. See also Australian Competition and Consumer Commission v Goldy Motors Pty Ltd [2000] FCA 1885 at [30] per Carr J; Australian Competition and Consumer Commission v Kaye [2004] FCA 1363 at [199] per Kenny J. 28. See fn 27, Australian Securities and Investments Commission v Australian Lending Centre Pty Ltd (No 3) at [272]. 29. See fn 26, Miller, 1.S2.18.180 and 1.S2.18.195.

30. Henjo Investments Pty Ltd v Collins Marrickville Pty Ltd (No 1) (1988) 39 FCR 546. 31. Campomar Sociedad Limitada v Nike International Ltd [2000] HCA 12; (2000) 202 CLR 45; National Exchange Pty Ltd (ACN 006 079 974) v Australian Securities & Investments Commission [2004] FCAFC 90. 32. See fn 26, Miller, 1.S2.18.55 and 1.S2.18.60. 33. Campbell v Backoffice Investments Pty Ltd [2009] HCA 25 at [26] per French CJ. 34. See fn 31, Campomar Sociedad Limitada at [105]. 35. See fn 26, Miller, 1.S2.18.70. Cf the remarks of Franki J that the ‘extraordinarily stupid person’ would not be protected by the forerunner to s 18, ACL: Taco Co of Australia Inc v Taco Bell Pty Ltd (1982) 42 ALR 177. 36. Re Winterton Constructions Pty Ltd v Hambros Australia Ltd and Properties Pty Ltd [1992] FCA 582 at [77]. 37. Poseidon Ltd v Adelaide Petroleum NI [1991] FCA 663 at [2]. 38. Fraser v NRMA Holdings Ltd (1995) 15 ACSR 590 at 590–1. 39. See, for example, s 12BB, ASIC Act and s 4, ACL. In such cases the respondent will generally need to displace an adverse assumption: see s 4, ACL and s 12BB, ASIC Act. Note the requirement that in respect of an opinion, it must be genuinely held and there must have been a reasonable basis for holding the opinion: see fn 10, Fortescue at [112] per Keane CJ. 40. See fn 19, Global Sportsman Pty Ltd v Mirror Newspapers Ltd at [18]–[19]. 41. See fn 10, Fortescue at [113]. 42. ACCC v Telstra Corp Ltd [2004] FCA 987 at [50]. 43. General Newspapers Pty Ltd v Telstra Corp (1993) 45 FCR 164. 44. Australian Competition and Consumer Commission v Harvey Norman Holdings Ltd [2011] FCA 1407. 45. Re Tobacco Institute of Australia Ltd v Australian Federation of Consumer Organisations Inc [1992] FCA 630. 46. See fn 26, Miller, 1.S2.18.155. 47. See fn 26, Miller, 1.S2.18.250. 48. Nationwide News Pty Ltd v ACCC (1996) 71 FCR 215. 49. Stuart Alexander and Co (Interstate) Pty Ltd v Blenders Pty Ltd (1981)] 37 ALR 161 at 163. 50. Re Duracell Australia Pty Ltd v Union Carbide Australia Ltd [1988] FCA 380 Burchett at [13]. 51. J Lee, ‘Watchdog Clamps Down on Facebook’ SMH, 6 August 2012, . 52. Australian Competition and Consumer Commission v Allergy Pathway Pty Ltd (No 2) [2011] FCA 74 at [32]–[33]. 53. Google Inc v Australian Competition and Consumer Commission [2013] HCA 1 at [15] per French CJ, Crennan and Kiefel JJ. 54. See fn 53, Google at [68]–[69] per French CJ, Crennan and Kiefel JJ. 55. At [74]–[75] per French CJ, Crennan and Kiefel JJ. Note that upon the enactment of the Competition and Consumer Act, the defence in s 85(3) of the Trade Practices Act was moved to s 209 of the ACL. 56. ACCC, ‘Using Social Media to Promote Your Business’, . 57. Australian Competition and Consumer Commission v Trading Post Australia Pty Ltd [2011] FCA 1086

at [125]. 58. At [126]. 59. See, further, at [130], [131], [135] and [136]. 60. At 48,795. See also Houghton v Arms [2006] HCA 59; (2006) 225 CLR 553 at 566; Australian Securities and Investments Commission v Citrofresh International Ltd [2007] FCA 1873. Note also in this context the effect of s 52 of the Corporations Act which states that ‘a reference to doing an act … includes a reference to causing, permitting or authorising the act or thing to be done’. 61. s 79, Corporations Act. 62. See s 1041I, Corporations Act; s 12GF, ASIC Act; and ss 236 and 237, ACL. 63. See, for example, s 1324, Corporations Act. 64. See, for example, Div 2A, Pt 7.10, Corporations Act. 65. See ss 29 and 151 of the ACL; s 12DB of the ASIC Act; and s 1041E of the Corporations Act. 66. The terms ‘financial product’ and ‘financial service’ are defined in s 5, ASIC Act. 67. See ss 12BF–12BM, ASIC Act and s 131A(2)(b), CCA. 68. See, for example: s 28, Fair Trading Act 1987 (NSW); s 16, Fair Trading Act 1989 (Qld); and s 19, Fair Trading Act 2010 (WA). 69. For a detailed analysis of the unfair contract terms, see J Paterson, Unfair Contract Terms in Australia, Thomson Reuters, Australia, 2012. 70. See s 3 and item 8, Sch 7, Trade Practices Amendment (Australian Consumer Law) Act (No 2) 2010 (Cth). 71. The determination of what is acquired for a personal, domestic or household purpose has a subjective element to it: see fn 26, Miller, [1.S2.23.30]. 72. See s 26(1)(a), ACL. 73. See s 26(1)(b), ACL. 74. See s 26(2), ACL. 75. See s 26(1)(c), ACL. 76. See s 28, ACL. 77. See s 23(1), ACL. 78. For an account of the emergence of standard form contracts see H B Sales, ‘Standard Form Contracts’ (1953) 16(3) Modern Law Review 318. For a discussion of the use of standard form contracts in a digital environment, see J M Paterson, ‘Consumer Contracting in the Age of the Digital Natives’ (2011) 27 JCL 152; and D Clapperton and S Corones, ‘Unfair Terms in “Clickwrap” and Other Electronic Contracts’ (2007) 35 ABLR 152. 79. Explanatory Memorandum (EM) to the Trade Practices Amendment (Australian Consumer Law) Bill (No 2) 2010 at [5.39]. 80. EM, [5.39]. 81. EM, [5.38]. 82. There are some significant differences under United Kingdom law. For example, a term of consumer contract under the Unfair Terms in Consumer Contracts Regulations 1999 (UK) provides that certain terms of a contract cannot be assessed for unfairness if the term is in plain intelligible language: Reg 6(2).

83. The Office of Fair Trading v Abbey National plc [2008] EWHC 875 (Comm) (UK) (Abbey) at [84]. 84. At [89]. 85. Abbey National plc v The Office of Fair Trading [2009] EWCA Civ 116 at [117]. However, the ultimate conclusions of the Court of Appeal were reversed on appeal to the United Kingdom Supreme Court for different reasons: The Office of Fair Trading v Abbey National plc [2009] UKSC 6 at [89]. 86. See fn 83, Abbey at [119]. 87. At [150]–[153] and [218]–[220]. Affirmed by the United Kingdom Court of Appeal in The Office of Fair Trading v Abbey National plc [2009] UKSC 6 at [121]. 88. Director General of Fair Trading v First National Bank plc [2002] 1 AC at [17]. 89. See J W Carter, E Peden and G J Tolhurst, Contract Law in Australia, 5th ed, LexisNexis Butterworths, Australia, 2007, [18-43]–[18-46]. 90. See 4.1.2, the Telecommunications Consumer Protections Code. 91. See 4.1.2(g). 92. See 4.1.2(f). 93. See 4.1.1. 94. See 4.1.1. 95. See 4.2. 96. See s 121, Telecommunications Act 1997 (Cth). Regulatory Guide — No 4 Remedial Directions (issued August 2011) sets out ACMA’s approach to the use of its enforcement powers: . 97. See s 570(3), Telecommunications Act 1997 (Cth). 98. The National Credit Code is set out in Sch 1 to the National Consumer Credit Protection Act 2009 (Cth) (NCCP Act). 99. See ss 133AC and 133AD, NCCP Act. 100. See s 133BC. 101. See ss 133AE(4) and 133AF. 102. See s 178.

[page 180]

Chapter 7 Disclosure in the Context of Enforcement and Litigation

INTRODUCTION 7.1 The chapter contains a brief review of the laws that require corporations to disclose information in connection with enforcement related activities or litigation. The overarching purpose of these laws is to address information asymmetry (ie, where one party possesses more or superior information compared to another) on a post-event basis in order to identify a corporation or other party that may have failed to ‘play by the rules’, as it were. This chapter will outline key laws that compel disclosure by corporations to two principal regulators, being the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC). It will then briefly mention the litigation rules that may compel the disclosure of corporate information. 7.2 The final part of the chapter will then discuss the primary ground on which a person may refuse to provide information or documents to regulators or to private parties in connection with litigation, namely by exercising the substantive legal right of legal professional privilege.

DISCLOSURE TO REGULATORS 7.3 From time to time corporations may be required to disclose corporate information in response to requests from regulators. In this section we will outline the core information-gathering powers of two principal regulators, ASIC and the ACCC, that are most likely to [page 181]

investigate the conduct of a corporation and request information from a corporation or others in connection with such an investigation.

ASIC’s information-gathering powers 7.4 ASIC has a range of powers available to it in order to gather information from corporations and other persons. These powers include: a power to hold a formal hearing into certain matters (although not in relation to investigations);1 the power to conduct investigations into suspected contraventions of corporations legislation;2 the power to examine persons;3 the power to issue a notice to produce books;4 and the right to apply for a warrant to seize books.5 7.5 Wherever a person is called to give evidence or produce books or other information by ASIC it can claim two forms of privilege, namely a limited form of privilege against self-incrimination and legal professional privilege. The availability of the former is uncontroversial, but does not provide the power to the witness to withhold information; the privilege merely limits the uses to which such information can be put by ASIC.6 More controversially, a person may rely on legal professional privilege in order to resist providing information. In Corporate Affairs Commission of NSW v Yuill (1991) 172 CLR 319 (Yuill) the court was required to examine provisions in the predecessor legislation to the ASIC Act. The relevant provisions modified the manner in which a lawyer could claim legal professional privilege. The argument was that in modifying the law in this context, the law impliedly abrogated legal professional privilege for all other persons. The court upheld this argument. Accordingly, in practice, ASIC and others have maintained that legal professional privilege cannot be used to resist disclosure to ASIC under its information-gathering powers. However, Yuill was decided prior to Daniels Corporation International Pty Ltd v Australian Competition and Consumer Commission [2002] HCA 49; (2002) 213 CLR 543 (Daniels). [page 182] In Daniels the full bench of the High Court held that legal professional privilege was not impliedly abrogated by the law that conferred investigatory powers and functions on the ACCC. In the course of that judgment, the decision in Yuill was criticised by a number of judges. Gleeson CJ, Gaudron, Gummow

and Hayne JJ stated that in light of their reasoning in Daniels ‘… it may be that Yuill would now be decided differently’.7 After reviewing the cases prior to and following Yuill, Kirby J expressed the view in his judgment that ‘Yuill may have been wrongly decided’.8 7.6 In this connection, Gordon J in AWB Ltd v Australian Securities and Investments Commission [2008] FCA 1877 expressed the view that legal professional privilege ‘… is a rule of substantive law which may be availed of by a person to resist the giving of information or the production of documents which would reveal communications between a client or his or her lawyer made for the dominant purpose of giving or obtaining legal advice or the provision of legal services’.9 Her Honour then went on to express the view that: … [i]n the absence of a statutory provision to the contrary, legal professional privilege may be availed of to resist the giving of information or the production of documents in accordance with investigatory procedures of the kind contained in s 155 of the Trade Practices Act 1975 (Cth) (“the TPA”): Daniels Corporation [2002] HCA 49; 213 CLR 543 at [10] and [11]. Despite differences in language between the TPA and the ASIC Act, no different result ensues. There is no express provision in the ASIC Act abrogating legal professional privilege. Moreover, there is nothing in the ASIC Act supporting the contention that the abrogation of legal professional privilege is a necessary implication: see eg ss 1(1), 1(2), 1(3), Pt 3 and, in particular, ss 68 and 69.10

7.7 Legal commentators have expressed the view that her Honour’s statements are compelling.11 It is difficult to disagree. Accordingly, corporations and their advisers should resist any request by ASIC for information where the corporation can validly claim that the applicable information is legally privileged. Indeed, in more recent times ASIC has adopted a practice of accepting that a valid claim for legal professional privilege is a reasonable excuse for not disclosing documents to it under a statutory notice. Issues concerning legal professional privilege are discussed in 7.12ff. [page 183] 7.8 In addition to the disclosures that need to be made in response to statutory notices, note also that ASIC obtains information about potential and actual contraventions of the law by virtue of the fact that certain persons (eg, auditors and external administrators) have an ongoing obligation to provide such information to it.12 Further, certain persons (eg, financial services licensees) have an ongoing obligation to disclose significant breaches to ASIC.13

ACCC’s information-gathering powers 7.9 ACCC has a wide range of powers to gather information. Under Part XID of the Competition and Consumer Act 2010 (Cth) (CCA), the ACCC may in certain cases (eg, where there has been a potential contravention of the CCA) obtain information by entering premises under a search warrant.14 More usually, the ACCC will exercise its powers under s 155, CCA. The powers conferred by s 155 are extremely wide.15 A person who is subject to a s 155 notice can again invoke two privileges, namely, a limited form of privilege against selfincrimination and legal professional privilege. Both of these privileges are codified in the CCA so that no controversy arises in this context.16 Accordingly, legal professional privilege can be used to resist the exercise of ACCC’s information-gathering powers.

DISCLOSURE IN LITIGATION 7.10 There are a number of ways in which a corporation can be compelled to disclose information during litigation. The main disclosure obligations in this context arise in connection with discovery (referred to as disclosure in Queensland) in both pre-trial and post the commencement of proceedings, notices to produce, subpoenas and a range of other processes.17 A corporation is able in certain circumstances to resist providing information in this context. For example, in respect [page 184] of discovery, a corporation may validly not disclose a document if the applicable document is: not in its possession, custody, or power;18 not relevant;19 or legally privileged or contains information that is legally privileged.20 7.11 When a party obtains access to a corporation’s information during the course of litigation (eg, through discovery, a notice to produce or a subpoena), that party has a strict duty not to use such information for any collateral purpose.21 A breach of this duty is a contempt.

POWER TO REFUSE DISCLOSURE 7.12 Generally, the fact that information is confidential will not be an excuse to refuse to disclose that information to a regulator exercising its informationgathering powers or a litigant seeking information under rules of court. However, information that is disclosed to a regulator must be treated as confidential.22 The confidential nature of information will not excuse nondisclosure in civil proceedings, although in these cases special rules may be put in place to manage the relevant disclosure, especially where a competitor is involved in the litigation.23 7.13 One substantive right that corporations have to refuse to disclose arises under legal professional privilege. Corporations routinely rely on privileged information to inform themselves of their legal rights and obligations across all areas of corporate activity. It is a highly valuable form of corporate information. This section will discuss the [page 185] basic elements of legally privileged information and the circumstances in which confidentiality, and therefore the privilege itself, is lost.

The elements of the privilege 7.14 Legal professional privilege protects only confidential communications between a lawyer and client (and in some cases a third party) made for one of two ‘dominant’ purposes:24 (a) to enable the client to obtain legal advice (the ‘legal advice privilege’); and/or (b) in relation to actual or anticipated litigation (the ‘litigation privilege’).25 The privilege arises at common law and under statute.26 7.15 Legal adviser For the privilege to arise, the communication must relate to a person acting in his or capacity as a lawyer.27 A lawyer must be independent of the client for the privilege to arise.28 The courts have held legal professional privilege is capable of attaching to confidential communications between clients and external legal advisers and also salaried legal advisers of a corporation. However, in both cases, the relevant lawyer must be ‘consulted in a professional

capacity in relation to a professional matter and the communications are made in confidence and arise from the relationship of lawyer and client’.29 7.16 Communications Legal privilege can attach to many types of communications, but it will not extend to communications which are ‘purely commercial or of a public relations character’.30 The types of [page 186] communications that are protected under the privilege include ‘all statements, conversations, documents (including memos and notes of conversations), and mechanically or electronically stored information’.31 Legal professional privilege extends to ‘documents that record legal work carried out by the lawyer for the benefit of the client, such as research memoranda, collations and summaries of documents, chronologies and the like, whether or not they are actually provided to the client’.32 7.17 Onus The party claiming privilege carries the onus of proving that the communication is privileged. That is, he or she must provide that the communication was made for the dominant purpose of obtaining legal advice or legal services in connection with actual or apprehended litigation.33 A ‘dominant purpose’ is one that predominates over other purposes; it is the prevailing or paramount purpose.34 It is to be noted in this context that the mere labelling of communications as privileged will not necessarily be determinative of their actual nature. For example, labelling emails or documents ‘confidential and legally privileged’ will not mean they are confidential and privileged. Nor will mere assertions that communications are privileged be sufficient (unless of course the matter is not contested).35 However, where ‘communications take place between a client and his or her independent legal advisers, or between a client’s in-house lawyers and those legal advisers, it may be appropriate to assume that [privilege applies] …, absent any contrary indications’.36 Where communications take place between a client and an in-house lawyer the courts may [page 187]

require evidence of the independence of the lawyer. In the absence of such evidence the claim for privilege may fail.37 7.18 Communications to third parties Both common law and statutory rules extend the litigation privilege to communications between a lawyer or a client on the one hand and a third party on the other, where the communication is in reference to litigation that has started or is reasonably apprehended.38 However, the application of the legal advice privilege is narrower. The statutory rules in the Evidence Acts do not confer privilege on a communication between a lawyer and a third party where the communication is for the purposes of providing legal advice to a client.39 Under common law, the legal advice privilege can extend to communications between a client and a third party, but not to communications between a lawyer and a third party.40 The application of the law in this context has significant implications for the manner in which third parties are engaged to assist client corporations to seek legal advice (ie, where litigation is not on foot or reasonably apprehended). 7.19 Loss of privilege Under the Uniform Evidence Acts, s 122(2) relevantly provides that privilege is lost ‘if the client or party concerned has acted in a way that is inconsistent with the client or party’ maintaining privilege in the relevant communication. Without limiting the scope of s 122(2), s 122(3) provides that privilege is lost in the following specific cases: the client or party knowingly and voluntarily disclosed the substance of the evidence to another person; or the substance of the evidence has been disclosed with the express or implied consent of the client or party. 7.20 At common law, privilege in a communication is lost if either the gist of the communication is intentionally disclosed41 or a person entitled to the benefit of the privilege engages in conduct that is inconsistent with the maintenance of the confidentiality that privilege protects.42 [page 188] 7.21 Crucially, in a corporate context, the disclosure of confidential information from one officer of the company to another will not constitute a

waiver of privilege. In Seven Network Ltd v News Ltd [2005] FCA 864 Graham J observed as follows: Where a corporate client has received legal advice, any disclosure of the terms of that advice or the substance thereof from one officer to another within the corporation will not constitute a “disclosure to another person” and thereby result in a loss by the client [ie, the corporation] of the relevant privilege.43

However, corporations need to ensure that the disclosure of legal advice is limited. In this sense, it is useful to recall the second and third factors listed by Gowans J in Ansell Rubber Co Pty Ltd v Allied Rubber Industries Pty Ltd [1967] VR 37 concerning the maintenance of controls over trade secrets. Adapting those factors for present purposes, a corporation should have a policy regarding the distribution of legal advice generally (ie, strictly limited to those who need to know] and implement measures to ensure that the information is not accessed by other persons. 7.22 There are a number of cases where corporations or their officers have referred to legal advice in order to advance or improve their commercial positions in settlement negotiations or otherwise make statements to the media or market. There have also been a number of cases where the disclosure of the gist of advice has destroyed the confidentiality of the privileged information. In AWB Ltd v Honourable Terence Rhoderic Hudson Cole (No 5) [2006] FCA 1234 Young J concluded that a mere reference to the existence of legal advice will not necessarily amount to a waiver of privilege.44 In Nine Films & Television Pty Ltd v Ninox Television Ltd [2005] FCA 356 the party claiming privilege made the following statement to the media: ‘We’ve engaged Stuart Littlemore QC and he has reviewed everything in great detail and we’re moving forward based on his recommendations.’45 Tamberlin J rejected the submission that this statement revealed the gist of advice provided by Stuart Littlemore QC.46 His Honour stated that ‘[o]n a fair and reasonable reading, the statement to the effect that senior counsel had been engaged and that he had reviewed matters in detail and that steps were being taken based on his recommendations is not sufficient to amount to a waiver of the legal advice. The substance or content of the advice is not disclosed with specificity or clarity’.47 The case of Seven [page 189] Network Ltd v News Ltd (No 12) [2006] FCA 348 is a case where the gist of advice provided to a corporate client was actually disclosed. That decision

involved a report to Optus’ board entitled the ‘Project Alchemy Board Paper’. The paper contained a section headed ‘Legal Risks’ which included the following statement: Optus will defend vigorously any claims brought by C7. Our legal advice is that the risk of damages being awarded against Optus is low.48

The board paper was disclosed to all other parties to the litigation. They, in turn, argued that the statement set out above, waived privilege in the underlying legal advice. Sackville J agreed with this view and stated that ‘waiver has come about because Optus has voluntarily disclosed the gist or conclusion of the legal advice recorded in the document identified in the [board paper]’.49 This case is a useful reminder to corporations to ensure that any reports on legal matters to the board or other officers within the company are made by lawyers and kept separate from other commercial matters. 7.23 It is important to note that inadvertent or accidental disclosure will not amount to waiver. Where a disclosure of information is not authorised or where it is obvious that privileged information has been inadvertently disclosed, privilege will not be lost.50 On the other hand, waiver will occur where a client knowingly and voluntarily discloses the substance of a privileged communication to another person in circumstances where the disclosure was not made on a confidential basis. The former and the latter outcomes are consistent with the common law principle that the loss of privilege occurs where there is conduct that is inconsistent with the maintenance of the confidentiality that the privilege protects.

CONCLUSION 7.24 The laws regarding disclosure in the context of regulatory action and litigation are playing an increasing role in the transparency of corporations. It is essential for lawyers advising corporate clients to ensure that they are aware of the applicable requirements and, importantly, the narrow boundaries within which legal professional privilege will be available to prevent disclosure in response to a demand for information by a regulator or a private litigant (including class action representatives). _________________________ 1.

See s 51, Australian Securities and Investments Commission Act (2001) Cth (ASIC Act). Section 51 specifically excludes a hearing being held in order to advance an investigation into a suspected

contravention, among other things, of the corporations legislation. For rules that apply to such hearings see Australian Corporation Law — Principles and Practice, Sydney, LexisNexis online looseleaf, [15.3.0005]ff. 2.

See Div 1, Pt 3, ASIC Act.

3.

See fn 2, ASIC Act.

4.

See, for example, ss 30, 30A and 33, ASIC Act.

5.

See s 35, ASIC Act.

6.

See L J Richards and M J Bransgrove, ‘Examinations under the Corporations Act and the ASIC Act’, paper presented at College of Law, 5 March 2012, 31, and R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 15th ed, LexisNexis Butterworths, Australia, 2013, [3.170].

7.

Daniels Corporation International Pty Ltd v Australian Competition and Consumer Commission [2002] HCA 49; (2002) 213 CLR 543 (Daniels) at [35] per Gleeson CJ, Gaudron, Gummow and Hayne JJ.

8.

At [58] per Kirby J.

9.

AWB Ltd v Australian Securities and Investments Commission [2008] FCA 1877 at [22].

10. At [23]. 11. See fn 6, Richards et al, 33–4. 12. See, for example, ss 311, 422, 438D and 990K, Corporations Act 2001 (Cth). 13. See s 912D, Corporations Act. 14. For guidance on ACCC use and disclosure of information see ACCC/AER, ‘Information policy — The Collection, Use and Disclosure of Information’, 2008, . 15. See R V Miller, Miller’s Australian Competition and Consumer Law Annotated, 34th ed, Lawbook Co, Australia, 2012, [1.155.5]. 16. See ss 155(7) and 155(7B), CCA respectively. 17. See further, Halsbury’s Laws of Australia, LexisNexis online looseleaf (Halsbury’s), [325-4150]ff (pretrial discovery), [325-4165]ff (discovery after commencement of proceedings), [325-5750] (interrogatories) and [325-7250]ff (subpoenas), [325-7615], [325-7620] (notices to produce), [1951810] (notices to admit facts) and [325-3605]ff (requests for particulars). 18. See, for example, Halsbury’s, [325-4250]ff in the context of discovery post commencement of proceedings. 19. See, for example, Halsbury’s, [325-4200] concerning relevance in the context of discovery. 20. See, for example, Halsbury’s, [325-4280] in relation to discovery. For more information see generally, ‘Discovery, Interrogatories and Inspection’, B Cairns, Australian Civil Procedure, 9th ed, Thomson Reuters, Sydney, 2011; and ‘Discovery & Gathering Evidence’, J Hunter, C Cameron and T Henning, Litigation I — Civil Procedure, 7th ed, LexisNexis, Australia, 2005. 21. See, for example, Hearne v Street [2008] HCA 36; 235 CLR 125; Home Office v Harman [1983] 1 AC 280; Hamersley Iron Pty Ltd v Lovell (1998) 19 WAR 316; Springfield Nominees Pty Ltd v Bridgelands Securities Ltd (1992) 38 FCR 217; and r 21.7, Uniform Civil Procedure Rules 2005 (NSW). Note though that Australian courts have procedures in place for the making of an application to be released from the undertaking in appropriate circumstances. Such applications turn on factual circumstances that are beyond the scope of this work. 22. See s 127, ASIC Act, and ss 155AAA and 155AA, CCA. 23. One situation where this arises is in patent and other intellectual property cases. See also fn 20, Hunter

et al, [7.45]. 24. For a discussion of the ‘dominant purpose’ requirement, see Esso Australia Resources v Commissioner of Taxation [1999] HCA 67; 201 CLR 49. 25. See fn 20, Hunter et al, [8.6] referring to Australian Federal Police Commissioner v Propend Finance Pty Ltd (1997) 188 CLR 501, and ss 118 and 119 of the Uniform Evidence Acts. 26. See, for example, Uniform Evidence Acts, ss 118 and 119. For differences between the regimes, see fn 20, Hunter et al, [8.14]. Where the statutory regimes apply, they override the common law to the extent of any inconsistency as a result of the principles concerning codification: see also Meteryard v Love (2005) 65 NSWLR 36. 27. See fn 1, Australian Corporation Law — Principles and Practice, [15.1.0095]. 28. Telstra Corporation Ltd v Minister for Communications, Information Technology and the Arts (No 2) [2007] FCA 1445. 29. See Waterford v Commonwealth [1987] HCA 25; (1987) 163 CLR 54 (Waterford) at 96 per Dawson J; see also Deane J at 79–82. There is some debate as to whether a lawyer needs to hold a practising certificate: see Dawson J in Waterford at 96; GSA Industries (Aust) Pty Ltd v Constable (2002) 2 Qd R 146 at 150; Glengallan Investments Pty Ltd v Arthur Andersen (2002) 1 Qd R 233 at 245. However, in Commonwealth v Vance (2005) 158 ACTR 47, the Full Court saw this as an essential condition: at [23]–[35]. See also Australian Hospital Care (Pindara) Pty Ltd v Duggan [1999] VSC 131 at [111]; Re McKinnon and Secretary, Department of Foreign Affairs and Trade [2004] AATA 1365; (2004) 86 ALD 780 at 785 [51]. 30. AWB Ltd v Honourable Terence Rhoderic Hudson Cole (No 5) [2006] FCA 1234 (AWB) at [44] per Young J. 31. See fn 1, Australian Corporation Law — Principles and Practice, [15.1.0095]. 32. See Daniels Corporation International Pty Ltd v Australian Competition and Consumer Commission [2002] 213 CLR 543 at 563 [44] per McHugh J; Commissioner of Australian Federal Police v Propend Finance Pty Ltd [1997] HCA 3; (1997) 188 CLR 501 at 550 per McHugh J; Dalleagles Pty Ltd v Australian Securities Commission (1991) 4 WAR 325 at 333–4 per Anderson J; Trade Practices Commission v Sterling (1979) 36 FLR 244 at 245–6 per Lockhart J; Kennedy v Lyell (1883) 23 Ch D 387 at 407; Lyell v Kennedy (1884) 27 Ch D 1 at 31 per Bowen LJ; Propend Finance Pty Ltd v Commissioner of Australian Federal Police (1995) 58 FCR 224 at 266 per Lindgren J. 33. See Grant v Downs [1976] HCA 63; (1976) 135 CLR 674 at 689; Commissioner of Taxation v Pratt Holdings Pty Ltd (2005) 225 ALR 266 at 278 [30]; and see fn 30, AWB at [63]. 34. See fn 30, AWB at [44] per Young J. 35. See Grant v Downs [1976] HCA 63; (1976) 135 CLR 674 at 689 per Stephen, Mason and Murphy JJ; National Crime Authority v S (1991) 29 FCR 203 at 211–2 per Lockhart J; Candacal Pty Ltd v Industry Research & Development Board (2005) 223 ALR 284 at [70]; Seven Network Ltd v News Ltd [2005] FCA 142 at [6]–[8]; Kennedy v Wallace [2004] FCAFC 337; (2004) 142 FCR 185 at [12]–[17] per Black CJ and Emmett J and at [144]–[145] and at [166]–[171] per Allsop J; and Southern Equities Corporation Ltd (in liq) v Arthur Andersen & Co (No 6) [2001] SASC 398. 36. See fn 30, AWB at [44] per Young J. 37. Telstra Corporation Ltd v Minister for Communications, Information Technology and the Arts (No 2) [2007] FCA 1445 at [35]–[39] per Graham J. 38. See fn 20, Hunter et al, [8.20], referring to Wheeler v Le Marchant (1881) 17 Ch D 675; Trade Practices Commission v Sterling (1978) 36 FLR 244, ss 118 and 119 of Uniform Evidence Acts and Newcastle Wallsend Coal Co Pty Ltd v Court of Coal Mines Regulation (1997) 42 NSWLR 351 at 389.

39. See Telstra Corporation v Australis Media Holdings (1997) 41 NSWLR 147; and see fn 38, Newcastle Wallsend Coal Co Pty Ltd. 40. See Pratt Holdings Pty Ltd v Federal Commissioner of Taxation (2004) 207 ALR 217. 41. Goldberg v Ng (1994) 33 NSWLR 639 at 670. 42. See Mann v Carnell (1999) 201 CLR 1. 43. Seven Network Ltd v News Ltd [2005] FCA 864 at [56]. 44. See fn 30, AWB at [167]. 45. Nine Films & Television Pty Ltd v Ninox Television Ltd [2005] FCA 356 at [18]. 46. At [32]. 47. At [26]. 48. Seven Network Ltd v News Ltd (No 12) [2006] FCA 348 at [4]. 49. At [12]. 50. See Hooker Corporation Ltd v Darling Harbour Authority (1987) 9 NSLR 538; Unsworth v Tristar Steering and Suspension Australia Ltd [2007] FCA 1081.

[page 190]

Chapter 8 Other Limits and Controls on the Use of Corporate Information

INTRODUCTION 8.1 After reviewing laws in Chapters 5 to 7 dealing with disclosure of information to the market and investors, to consumers and to regulators and other parties, the focus in this chapter will be on the laws that prohibit the use and disclosure of certain information or otherwise place constraints on the use of corporate information. These laws are: (1) insider trading laws; (2) general law and statutory obligations concerning the use of corporate information; (3) market manipulation laws and other information offences; and (4) price signalling laws. 8.2 Each of these laws imposes some form of constraint on the use or disclosure of corporate information. The first three categories of laws prohibit or otherwise seek to regulate the exploitation of an informational advantage or otherwise seek to prevent market failure by ensuring misinformation is not released to the market. On the other hand, price signalling laws are laws that are designed, at least in theory, to prevent disclosures that may result in market failure, by reducing the uncertainty that is the cornerstone of competitive markets. Each of these laws will be discussed in turn below.

INSIDER TRADING 8.3 The insider trading provisions have been characterised as the negative mirror to the positive obligations of the continuous disclosure

[page 191] regime.1 However, they do not constitute a perfect mirror. In this connection, the Corporations and Markets Advisory Committee (CAMAC) noted in its Insider Trading Discussion Paper in June 2001 that the continuous disclosure provisions were:2 … designed to improve market fairness and market efficiency by requiring disclosing entities to publish price-sensitive information promptly, thereby assisting all investors to make properly informed decisions about the allocation of their investment funds. Timely disclosure was also intended to help reduce the opportunities for insider trading as well as counter the creation of false markets or the distortion of markets through the dissemination of rumours or false information.3 The continuous disclosure and insider trading provisions both apply to any information that is not generally available and that a reasonable person would expect, if it were generally available, to have a material effect on the price or value of particular securities. However, the continuous disclosure provisions have various exceptions not found in the insider trading provisions. This difference seeks to reflect differing obligations: continuous disclosure involves an obligation to disclose information to the market, whereas insider trading involves an obligation to refrain from trading when aware of the information. In summary: The definition of “information” in the insider trading provisions includes matters of supposition and other matters that are insufficiently definite to warrant being made known to the public. Where this information is materially price sensitive, an insider is precluded from transaction in affected securities. By contrast, these matters, and any information concerning an incomplete proposal or negotiation, are exempt from the continuous disclosure requirements, as release of this information could be misleading (given that it is uncertain or unsettled) or commercially damaging. The continuous disclosure provisions have exemptions for information generated for the internal management purposes of a company and trade secrets, given their commercial sensitivity. There are no equivalent exempts under the insider trading provisions. Indeed, trading when aware of these matters should be covered by the insider trading law, provided that they are materially pricesensitive. Continuous disclosure only covers relevant information generated within, or otherwise known to, the disclosing entity. That entity cannot be obliged to disclose any information that is relevant to itself, but of which it is unaware. By contrast, a person who is aware of

[page 192] inside information cannot avoid the insider trading provisions merely because that information is generated by some external source and is unknown to the entity whose securities are traded.4

8.4 Accordingly, while there are similarities between the two regimes, there are some stark differences. However, as is clear from the above passage, identifying and articulating these similarities and differences can help us to better understand and apply the relevant law.5 For a similar reason, it is important to understand the policy justifications for regulating insider trading.6

The most compelling policy justification seems to be that a person should not unfairly exploit informational advantages.7 In this vein, the insider trading regime in the Corporations Act 2001 (Cth) has been described as a law about trading with informational advantage.8 This is a very appropriate characterisation and helps justify this interpretative approach to the laws.9

What prohibitions are contained in the law? 8.5 The insider trading laws contain three prohibitions: a trading offence, a procuring offence and a tipping offence. The trading and procuring offences are set out in s 1043A(1) of the Corporations Act, that provides as follows: (1) Subject to this Subdivision, if: (a) a person (the insider) possesses inside information; and (b) the insider knows, or ought reasonably to know, that the matters specified in paragraphs (a) and (b) of the definition of inside information in section 1042A are satisfied in relation to the information;

[page 193] the insider must not (whether as principal or agent): (c) apply for, acquire, or dispose of, relevant Division 3 financial products, or enter into an agreement to apply for, acquire, or dispose of, relevant Division 3 financial products; or (d) procure another person to apply for, acquire, or dispose of, relevant Division 3 financial products, or enter into an agreement to apply for, acquire, or dispose of, relevant Division 3 financial products.

8.6 The tipping or communication offence is set out in s 1043A(2). That section provides as follows: (2) Subject to this Subdivision, if: (a) a person (the insider) possesses inside information; and (b) the insider knows, or ought reasonably to know, that the matters specified in paragraphs (a) and (b) of the definition of inside information in section 1042A are satisfied in relation to the information; and (c) relevant Division 3 financial products are able to be traded on a financial market operated in this jurisdiction; the insider must not, directly or indirectly, communicate the information, or cause the information to be communicated, to another person if the insider knows, or ought reasonably to know, that the other person would or would be likely to: (d) apply for, acquire, or dispose of, relevant Div 3 financial products, or enter into an

agreement to apply for, acquire, or dispose of, relevant Division 3 financial products; or (e) procure another person to apply for, acquire, or dispose of, relevant Division 3 financial products, or enter into an agreement to apply for, acquire, or dispose of, relevant Division 3 financial products.

Both the trading/procuring prohibition and the tipping prohibition require proof of five different elements (or groups of elements). These elements are discussed below.

Element 1 — Division 3 financial products 8.7 In order for a contravention of the provisions to occur a person must have inside information about ‘relevant Div 3 financial products’. This term is defined in the law to mean: (a) securities; or (b) derivatives; or (c) interests in a managed investment scheme; or (ca) debentures, stocks or bonds issued or proposed to be issued by a government; or

[page 194] (d) superannuation products, other than those prescribed by regulations made for the purposes of this paragraph; or (e) any other financial products that are able to be traded on a financial market.10

8.8 The element of this definition that gives rise to the most uncertainty is (e). The definitions of the term ‘financial products’ and the term ‘financial market’ are those used Ch 7 of the Corporations Act generally.11 The expression ‘able to be traded’, in relation to a financial market, includes financial products admitted to quotation on the market.12 Particular Div 3 financial products that are ordinarily able to be traded on a licensed market are taken to be ‘able to be traded’ on that market even though trading in those products on that market is suspended. Commentators have observed that it: … might be argued that para (e) of the definition of “Division 3 financial products” has the effect of limiting the concept to financial products that are able to be traded on a financial market. However, the better view is that, while all quoted financial products are necessarily included, unquoted financial products will be within the definition if they are of the kinds referred to in paras (a)–(d) inclusive.13

The types of instruments that this ‘catch-all’ definition would include, for

example, would be FX spot trades.

Element 2 — What is information? 8.9

By virtue of s 1042A, the term ‘information’ includes:

(a) matters of supposition and other matters that are insufficiently definite to warrant being made known to the public; and (b) matters relating to the intentions, or likely intentions, of a person.

8.10 Information can be inside information even if the identity of the party in possession of the information needs to investigate the identity of the company concerned.14 A communication and the underlying state of affairs that it implies can be inside information: R v Rivkin [2004] NSWCCA 7 (Rivkin).15 The source of the information in Rivkin was relevant to the question of its reliability.16 However, the concept of reliability in this sense effectively equates to apparent reliability. [page 195] In Mansfield the High Court held that ‘information’ for the purposes of the insider trading provisions can include purely false information. In that case the defendants were provided with information concerning the financial performance of a listed company by its managing director. The information appeared to be true and the source appeared to be reliable, but in fact the information was entirely false. The High Court held that it is no defence to liability in such a case if the information turns out to be false. Heydon J captured the concept of apparent reliability in the passage cited below: Valuable-seeming material may be true or false or partly true — which of these it is cannot be known until a time after it is acted on. But the legislation proceeds on the basis that “insiders” should not be allowed to use that material when it is not publicly available. A key element in the prohibition on insider trading is … information which “a reasonable person would expect … to have a material effect on the price or value of securities”. “Untrue” information can have that effect as well as “true” information … “untrue” information may influence people who acquire securities in deciding whether or not to acquire or dispose of them if the untruthfulness is unknown to them. Or if the untruthfulness is known to them, those people can use this knowledge in deciding whether or not to acquire or dispose of the securities. The insider trading provisions, read as a whole, catch conduct by those who trade on the basis of untruths.17

Element 3 — What is ‘inside information’? 8.11 One will only have possession of ‘inside information’ if they have information which is not generally available and a reasonable person would expect that it would have a material effect on the price or value in the products to which it relates if it were generally available.18 8.12 Generally available The expression ‘generally available’ is defined in s 1042C which provides that information is generally available if: (a) it consists of readily observable matter; or (b) both of the following subparagraphs apply: (i)

it has been made known in a manner that would, or would be likely to, bring it to the attention of persons who commonly invest in Division 3 financial products of a kind whose price might be affected by the information; and

[page 196] (ii) since it was made known, a reasonable period for it to be disseminated among such persons has elapsed; or (c) it consists of deductions, conclusions or inferences made or drawn from either or both of the following: (i)

information referred to in paragraph (a);

(ii) information made known as mentioned in subparagraph (b)(i).

8.13 A number of cases have considered whether information is generally available. In Kinwat Holdings Pty Ltd v Platform Pty Ltd (1982) 1 ACLC 194 the publication of an affidavit on the public record in a media article together with a stock exchange announcement were sufficient to make the relevant information generally available. In the case of ICAL Ltd v County Natwest Securities Aust Ltd (1988) 13 ACLR 129 Bryson J denied an application for an injunction on the basis that the information that was purportedly price sensitive had been admitted into evidence and therefore the information was held to be generally available.19 However, in Killen v Brierley (1980) CLC 40-615 it was held that a report by a chairman at a company’s annual general meeting was not publication to the world at large. 8.14 In Leadenhall Australia Ltd v Peptech Ltd (1999) 33 ACSR 307 it was observed that the selective disclosure via broker reports could be enough to make the relevant information ‘generally available’.20 However, as a general rule, it is hard to see why information that may be contained in a broker’s

newsletter and information that is provided by company executives in private briefings to investors would render the information ‘generally available’. It would have more of a private character than ‘generally available’ information. Despite this, if one takes the ruling in R v Firns (2001) 51 NSWLR 548 to its logical conclusion, then any of the situations discussed above would render information ‘generally available’ because all such information would be ‘readily observable’.21 As a general proposition, the more open and accessible that an information network is, the more likely that information existing in that network would be ‘generally available’.22 8.15 The springboard doctrine The insider trading provisions do attempt, through s 1042C(1)(b)(ii), to prevent ‘those who are privy to [page 197] information prior to its release from exploiting whatever value it has immediately upon its release’.23 Any person that may have prior knowledge of the relevant price sensitive information will be prevented from trading for a ‘reasonable period’ under the relevant provision.24 Although, given the disjunctive nature of s 1042C, this prohibition would only apply if the relevant information was not characterised as ‘generally available’ by virtue of s 1042C(a) (readily observable matter) or s 1042C(c) (deductions). 8.16 Big data The ‘generally available’ element presents some issues for corporations that have advanced data analysis capabilities and which apply these capabilities to data that are not obtained from public sources. With the advent of ‘big data’ techniques, information that was previously not ascertainable from internal corporate data sources can now be unlocked quite readily. However, in many cases this information is being derived from underlying data sources that are not publicly accessible. Accordingly, corporations in this context need to take extreme care concerning who has access to such information and what purposes it is used for. 8.17 The next element that must be shown to be satisfied relates to the materiality of the relevant information. Information can only be inside information if a reasonable person expects it will have a material effect on the price or value of certain financial products. Section 1042D is the key provision. It states that:

… a reasonable person would be taken to expect information to have a material effect on the price or value of particular Division 3 financial products if (and only if) the information would, or would be likely to, influence persons who commonly acquire Division 3 financial products in deciding whether or not to acquire or dispose of the first-mentioned financial products.

8.18 Material effect on price or value The phrase a ‘reasonable person would be taken to expect’ requires an objective assessment of materiality.25 Further, in Jubilee it was held that when considering materiality issues, it is important to consider all relevant information in context.26 The statements in Jubilee in this context are also supported by commentators.27 In respect [page 198] of the expression ‘likely to’ as used in s 1042D, in Boughey v R (1986) 65 ALR 609 (Boughey) the court was of the view that the phrase ‘likely to’ is synonymous with probable (ie, being more probable than not).28 Further, the materiality test needs to be evaluated for the specific type of security in suit. It does not apply to the corporation but to ‘securities’. Also, the relevant information must have a material effect on the price of the securities actually traded, procured or tipped (ie, parcel of shares) not the class of securities as a whole.29 The laws do not prevent the trading in securities that are unaffected by the relevant information.30 As the cases demonstrate, decisions concerning materiality issues will largely turn on expert evidence in the same way that the determination of materiality issues do in continuous disclosure cases.31 8.19 Possession of information Section 1043A(1)(b) requires evidence of actual or constructive knowledge that the information was generally available and, if it were, it would have a material effect on price or value.32 In Rivkin it was held that a defendant’s constructive knowledge is to be determined by ‘having regard to all the relevant circumstances, including the [defendant’s] mental state at the time’.33 That test applied by the court in Rivkin derives from Boughey where Mason, Wilson and Deane JJ stated that in applying a constructive knowledge test ‘what was relevant was what the applicant himself, with his actual knowledge and capacity, ought to have known in the circumstances in which he was placed’.34 8.20 Section 1042G specifically provides that a corporation is taken to possess any information that an officer of the corporation possesses if that information became known to the officer in the course of performance of duties as an officer.35 There is an argument that the knowledge of a company’s directors,

employees and agents could also be attributed to the company by operation of s 769B(3). [page 199]

Element 4 — Territorial connection 8.21 The insider trading provisions apply where one or both territorial connection requirements are satisfied. The insider trading prohibitions will apply to: (1) acts and omissions that occur in Australia in relation to ‘Division 3 financial products’,36 regardless of where the issuer of the products: (a) is formed, resides or is located; or (b) carries on business. (2) acts and omissions that occur outside Australia in relation to securities issued by: (a) a person who carries on business in Australia; or (b) a body corporate that is formed in Australia.37 8.22 These provisions address the territorial limitations which were held to apply in Danae Investments Trust plc v Macintosh Nominees Pty Ltd (1993) 11 ACLC 273. In that case the court held that the law at the time did not apply to the purchase or sale of securities issued by a company incorporated in Australia where the relevant transaction occurred in the United Kingdom. The issue of where a relevant act or omission is said to ‘occur’ for the purposes of ss 1042B(a) and 1042B(b) was the focus of the decision in Director of Public Prosecutions (Cth) v Fysh (2010) 240 FLR 247. In that case, Wilson J was of the view that: … [the defendant] acquired/disposed of the … when the transfers [executed via the ASX trading platform] took effect according to the ASTC Settlement Rules. That occurred in Sydney. If I am wrong in that, and he acquired/disposed of them only when his name/the name of the buyer of the … shares was entered on the companies’ share registers, that occurred on entry on the CHESS Subregisters in Sydney.38

8.23 Lyon and du Plessis have noted that, despite the breadth of the territorial connection contained in s 1042B, some conduct will not be caught. For example,

if a person commits an act or omission outside Australia and the act or omission relates to securities of a body corporate [page 200] that is neither incorporated in or carrying on business in Australia, the insider trading laws will not apply.39

Element 5 — Trading, procuring and tipping 8.24 As set out in 8.5, s 1043A(1)(c) provides that an insider must not (whether as principal or agent) apply for, acquire or dispose of relevant Div 3 financial products, or enter into agreements to do so if Elements 1–4 are satisfied. Section 1043A(1)(d) prohibits an insider (whether as principal or agent) from procuring another person to engage in the same activities where Elements 1–4 are satisfied. The term ‘procure’ includes to cause.40 As noted in 8.6, s 1043A(2) also prohibits an insider directly or indirectly communicating inside information to another person if the insider knows or ought reasonably to know that the other person would or would be likely to apply for, acquire or dispose of relevant Div 3 financial products (or enter into agreements to do so) or otherwise procure another person to engage in these activities: see ss 1043A(2)(d) and 1043A(2)(e). In addition to needing to establish Elements 1–4 are satisfied in a communicating or ‘tipping’ context, the law requires that the communication or tipping relate to Div 3 financial products that are able to be traded in a financial market operated in Australia. This geographical limitation does not apply to the trading and procuring offences. In light of the centrality of the ‘apply for’, ‘acquire’, ‘dispose of’ concepts and the concept of ‘entering into an agreement’ to do any of these things to the offence provisions, it is necessary to discuss these in some detail. Under the law, financial products can be ‘acquired’ from the relevant issuer or from other persons.41 For example, financial products can be acquired on secondary markets.42 The term ‘dispose’ as used in the prohibition includes the act of terminating or closing out the legal relationship that constitutes the financial product.43

8.25 It is unlikely that an investor who instructs a broker to acquire financial products will ‘apply for’ the applicable products or enter into [page 201] an agreement to do so.44 It is likely that an agreement to ‘acquire’ the products would only come into existence if and when the broker executed the instruction.45 For example, the broker may be instructed to cancel the order before it was met on market. This reasoning is supported by the finding in Commonwealth Director of Public Prosecutions v Fysh [2010] QSC 216. In that case, in determining when securities were acquired for the purposes of s 1043A(1), Wilson J expressed the view that: In my view Fysh acquired/disposed of the shares within the meaning of s 1043A when the transfers took effect according to the ASTC Settlement Rules. That occurred in Sydney.46

8.26 A person will not ‘enter into an agreement’ in the relevant sense merely by instructing an agent to acquire or dispose of the products. The agreement will be entered into only when the relevant person’s offer is accepted according to the rules of the relevant market.47 8.27 While it may seem controversial at first blush, it will not be a contravention of s 1043A(1) if a person decides not to trade in particular Div 3 financial products even if that decision is taken because of inside information that the person possesses. This would allow a person to cancel an unexecuted buy order or maintain a holding that they may have been intending to sell based on price sensitive information that is not generally available. CAMAC discussed this issue in its 2003 report into insider trading report as follows: Currently, an insider may lawfully use inside information to refrain from trading, may disclose this information to any other persons for that purpose or may procure another person not to trade.48

Ultimately CAMAC recommended that the law did not need to be amended in this context. CAMAC gave the following reasons for in support of its recommendation: Without a trade there is no actual counterparty to be disadvantaged. The mere fact that an informed person benefits from deciding not to trade, or a potential counterparty misses out on the possible benefit that would have accrued if trading had taken place, should not attract criminal liability.

[page 202]

An informed person who advises others not to trade may not necessarily avoid some liability. For instance, this advice could breach fiduciary duties of confidentiality. Also, a person who discloses inside information is at risk of breaching the insider trading provision if the recipient decides to trade in affected financial products, rather than merely abstain from trading.49

8.28 Where the price of a transaction is fixed for a specific parcel of securities prior to a person obtaining inside information, that person may deal in those securities in limited circumstances. In Westgold Resources NL v St George Bank Ltd (1999) 17 ACLC 327, Westgold granted Emlen Pty Ltd (Emlen) a put option in respect of 20 million shares in St Barbara Mines Ltd (St Barbara). Under the terms of the put, the option could be exercised at 40c per share on 30 June 1998. On 30 June 1998, Emlen knew that St Barbara was in financial trouble and that it had difficulties with its financiers. At the time, shares in St Barbara were trading at approximately 10c. Westgold alleged that the information possessed by Emlen was materially price sensitive because if the market were to discover the disadvantageous terms of the put option (from Westgold’s perspective) investors would sell out of St Barbara shares. In this connection, Westgold sought to prevent Emlen exercising its put option at 40c per share alleging that it would constitute a breach of the forerunner to s 1043(1). Anderson J regarded this contention as ‘astonishing’ and said that: There could not be the remotest connection between information that might adversely affect the market price of shares trading at 10 cents and a decision to exercise a put option at 40 cents. Another way of putting this is to say that the insider information did not affect the price of the securities in question, that is, the securities to be delivered under the put option. The price of those securities was set by the terms of the put option at 40 cents, and that price could not be affected by insider information: see Exicom Pty Ltd v Futuris Corp Ltd (1995) 123 FLR 394 at 400; 13 ACLC 1758 at 1763. Even if it is the case that no causal link need be shown between the transaction and possession of insider information, the circumstances prevailing in this case are such that I would have declined to grant any discretionary relief under the Law pursuant to the insider trading provisions.50

[page 203] 8.29 The clear rationale underpinning this decision is that one needs to consider the effect of information on the ‘relevant Division 3 financial products’. In this case these products constituted the parcel of securities that was the subject of the put option. The release of the relevant information to the market would have had no effect on the price or value of that particular parcel of securities as the value of those securities was fixed by the terms of the put option.

Exceptions 8.30 There are numerous exceptions to liability arising under the insider trading prohibitions.51 The exceptions that are applicable to corporations are discussed below. In addition to the exceptions discussed below, defences to criminal and civil liability will be discussed in 8.42 and 8.43 respectively.

Withdrawal from registered scheme — s 1043B 8.31 Section 1043B provides an exception relating to dealings by a trustee concerning a member’s withdrawal from a registered scheme. A trustee or manager of a scheme will not be liable under the law if a member withdraws from or redeems their interest in a registered scheme and the amount paid to the member on withdrawal is calculated (so far as is reasonably practicable) by reference to the underlying value of the assets of the financial or business undertaking or scheme, common enterprise, investment contract or time-sharing scheme to which the member’s interest relates, less any reasonable charge for acquiring the member’s interest. This exception was necessary according to the Explanatory Memorandum to the Corporations Amendment Bill 1991 in order to: … [address a potential] conflict between the redemption requirements of a trust manager under a trust deed and the insider trading provisions. Trust deeds must provide redemption facilities under the Corporations Law and in doing so the trust deed may specify that the buy-back price is to be adjusted on a periodic basis to reflect the underlying value of the assets of the trust and that units are to be brought back at the price quoted at the time of the application for redemption. In such circumstances, the buyback price may not at any given time reflect all material information in the possession of the trust manager and to avoid contravening the insider trading provisions by waiting for the price to reflect all such information the manager may be in breach of the trust deed.52

[page 204]

Underwriter exception — s 1043C 8.32 Section 1043C provides an exception to the dealing and procuring prohibitions in s 1043(1) in respect of: applying for or acquiring securities or managed investment scheme products under underwriting or sub-underwriting agreement;53 entering into an agreement for the purpose of so applying or acquiring;54 or

disposing of securities or managed investment scheme products acquired under such an agreement.55 8.33 There are also exceptions for communications for the purposes of procuring a person to enter into sub-underwriter arrangements or apply for any securities that the underwriter acquires under its arrangements with an issuer.56 As Lyon and du Plessis note, there is no exception for persons who subscribe for shares after being approached by an underwriter or a sub-underwriter,57 although Baxt et al note that the same knowledge is a defence to criminal proceedings58 and the court’s discretion to provide relief from civil liability59 provides protection in this context.60

Legal requirement exception — s 1043D 8.34 The prohibition in s 1043(1) does not apply to the acquisition of financial products under a requirement imposed by the Corporations Act. The Explanatory Memorandum to the Corporations Amendment Bill 1991 explained the intended scope of this exception: … in relation to arrangements, reconstructions and takeovers, sections 414, 701 and 703, in certain circumstances, require a body corporate to purchase shares from dissenting shareholders, where those shareholders so request. Where the body corporate does so while in possession of inside information it will not be taken to breach the insider trading provisions.

8.35 The exception would not however extend to discretionary acts of the purchaser as those acquisitions would not arise under a requirement ‘imposed’ on the person.61 [page 205]

Communication pursuant to a legal requirement — s 1043E 8.36 Section 1043A(2) does not apply in connection with a communication of information pursuant to a requirement imposed by a Commonwealth, State or Territory or any other regulatory authority. The Explanatory Memorandum to the Corporations Amendment Bill 1991 explained the scope at [353]: Concern has been expressed that the communication of information under a legal requirement, for example, to the Australian Securities Commission or the Australian Securities Exchange, might come within the prohibition against communication of inside information in subsection 1002G(3). Proposed section 1002L provides an exemption from that prohibition where information is communicated pursuant to a legal requirement.

Chinese wall exception — s 1043F 8.37 A Chinese wall or ‘information barrier’ exception for corporations is available under s 1043F.62 That provision provides that a body corporate does not contravene subs 1043A(1) by entering into a transaction or agreement at any time merely because of information in the possession of an officer or employee (ss 1042G(2) and 769B(3) deal with the attribution of knowledge)63 of the body corporate, if: (a) the decision to enter into the transaction or agreement was taken on its behalf by a person or persons other than that officer or employee; and (b) it had in operation at that time arrangements that could reasonably be expected to ensure that the information was not communicated to the person or persons who made the decision and that no advice with respect to the transaction or agreement was given to that person or any of those persons by a person in possession of the information; and (c) the information was not so communicated and no such advice was so given. 8.38 A central element of the exception set out in s 1034F is contained in subpara (b); the requirements for a so-called ‘information barrier’ or a ‘Chinese wall’. In Mallesons Stephen Jaques v KPMG Peat Marwick [1990] 4 WAR 357, Ipp J described the Chinese wall concept used in the context of a law firm partnership in the following terms: [page 206] The derivation of the nomenclature (“chinese wall”) is obscure. It appears to be an attempt to clad with respectable antiquity and impenetrability something that is relatively novel and potentially parlous.64

8.39 However, the concept is looked on more favourably in the financial services sector, where it is utilised widely. Indeed, the efficient and effective functioning of that sector would be put in jeopardy if this exception did not exist in the Corporations Act. In Australian Securities and Investments Commission v Citigroup Global Markets Australia Pty Ltd (ACN 113 114832) (No 4) [2007] FCA 963, Jacobson J made the following observations about the types of arrangements that would ordinarily constitute effective Chinese walls: In Bolkiah, Lord Millett … drew upon the observations in the Law Commission Consultation Paper

to illustrate the type of organisational arrangements which would ordinarily be effective: see also Law Commission Consultation Paper at [4.5.2]. –

the physical separation of departments to insulate them from each other;



an educational programme, normally recurring, to emphasise the importance of not improperly or inadvertently divulging confidential information;



strict and carefully defined procedures for dealing with situations where it is thought the wall should be crossed, and the maintaining of proper records where this occurs;



monitoring by compliance officers of the effectiveness of the Chinese wall;



disciplinary sanctions where there has been a breach of the wall.65

His Honour then proceeded to note that care must be taken in this regard, stating that: … warnings have been sounded in other authorities about the risk of leakage through Chinese walls. Thus, for example, Bryson J said in D & J Constructions Pty Limited v Head & ors trading as Clayton Utz (1987) 9 NSWLR 118 at 123: … it is not realistic to place reliance on such arrangements in relation to people with opportunities for daily contact over long periods, as wordless communication can take place inadvertently and without explicit expression, by attitudes, facial expression or even by avoiding people one is accustomed to see, even by people who sincerely intend to conform to control.

[page 207] A reminder that Chinese walls may sometimes be porous is to be found in the recent decision of Bergin J in Asia Pacific v Optus.66

After making these remarks, Jacobson J then referred to the evidence of the Chinese walls arrangements that Citigroup had in place to manage information risks in this context: Mr Monaci’s statement of evidence set out in great detail the measures which Citigroup has in place. These appear to me to comply with the requirements stated by the UK Law Commission and adopted by Lord Millett in Bolkiah. [These arrangements] … are as follows: –

physical separation by departments;



educational programmes;



procedures for dealing with crossing the wall;



monitoring by compliance officers;



disciplinary sanctions.

Mr Monaci also referred in other parts of his statement to Citigroup’s policies and procedures for the identification and management of conflicts of interest that arise in its business. He referred to some of the written policies which apply to Citigroup’s Australian operations. … Mr Monaci said … that Citigroup’s written policies are available to all employees and regular training is provided. He said … that the written policies make clear that employees must be alert to

the possibility of conflicts and “escalate any issues in relation to actual, apparent or potential conflicts of interest.”67

Ultimately, after considering all these issues and the evidence of Citigroup’s Chinese wall arrangements, Jacobson J held that the arrangements that Citigroup put in place to manage the misuse of information in this context were effective to satisfy the requirement in s 1043F.68

Own intentions/activities exception — ss 1043H, 1043I and 1043J 8.40

Three provisions of the law provide an exception to s 1043(1) for:

natural persons;69 a body corporate in respect of the activities of an officer of that body corporate;70 an officer of a body corporate;71 [page 208] where they possess inside information and that information arises as a result of: the relevant person’s own intentions in respect of dealings in financial products issued by another party (eg, to build up a stake in a corporation ahead of its own takeover plan); or it being a counterparty to substantial transactions made by another counterparty in the over the counter (OCT) market, irrespective of whether those transactions actually went ahead or not.72 8.41 In the case of AMI v King [2002] NSWSC 1033, Barrett J illustrates how this exception can work: The first basis on which AMI founds its case for such relief is that certain of the defendants engaged in insider trading contrary to statutory provisions for the time being in force when, in October 1999, they became the grantees of options to purchase shares in AMI in circumstances where the exercise price under each option was a fraction of one cent (i.e. 0.22 cent) but the shares were trading on the stock exchange at prices in the general vicinity of 4 cents per share and continued to trade at that price after the grant of the options. The parties to the option transactions, it was said, were in possession of the information that they proposed to deal and did deal, by way of the taking of the options, on a basis that ascribed to the shares a very substantially lower value than was indicated by the market price. That information, it was said, was of the price sensitive kind [regulated by insider trading laws] … and, furthermore, the parties to the option transactions knew that the information

was not generally available, thus satisfying the [relevant condition in the law] …. That being the case, so the argument runs, the parties to the option contracts, by entering into those contracts, contravened [the law]. A corresponding argument is advanced in relation to the exercise of each option in early 2000, with exercise occurring at the stipulated price of 0.22 cent per share, when the market price was of the order of 7.5 cents.73

However, in light of these facts, Barrett J held that the ‘own intentions’ defence applied in that case because the price sensitive information that came into being was information related to the own intentions of the defendant (ie, the entering into the option contracts by the defendant on its own behalf). Accordingly, the plaintiff’s claim for relief was refused. [page 209]

Defences to criminal offences 8.42 Section 1043M provides defences to criminal offences arising under the insider trading prohibitions. Subsections (2) and (3) provide defences to the trading and communications offences respectively. They are the publication defence and the equal information defence. The former will apply, for example, where a defendant may have obtained or derived price information from information made available in the manner contemplated by s 1042C(1)(b)(i) prior to a reasonable period having passed.74 The latter defence applies where the counterparty to a transaction knew or ought reasonably have known the relevant inside information.75

Defences to civil liability 8.43 The court may also exercise discretion to relieve a person from civil liability under ss 1043N or 1317S. Section 1043N applies to the same circumstances as s 1043M in relation to defences to criminal proceedings: see 8.42. Section 1317S confers a discretion on the court to relieve (partly or fully) a person from liability in connection with the contravention of a civil penalty provision where the person acted honestly and the person ought fairly be excused from liability having regard to all the circumstances.

Penalties and other matters

8.44 A breach of the insider trading provisions is a financial services civil penalty provision.76 A breach attracts a pecuniary penalty of up to $200,000 for an individual and $1 million for corporation.77 In addition, a compensation order may be made under s 1317HA which allows a court to order a person who has breached a financial services civil penalty provision to compensate another person for damage suffered as a result of the breach. Baxt et al note the potential difficulties that arise in this context when calculating loss or damage.78 8.45 The criminal penalties for a breach of the insider trading provisions are extremely high. Section 1311 and Sch 3 provide that the maximum criminal penalty for an individual is imprisonment for 10 years and/or [page 210] a fine the greater of the following: 4,500 penalty units;79 or if the court can determine the total value of the benefits that have been obtained by one or more persons and are reasonably attributable to the commission of the offence — three times that total value. In the case of a corporation, the maximum penalty is a fine, the greatest of the following: (a) 45,000 penalty units; (b) if the court can determine the total value of the benefits that have been obtained by one or more persons and are reasonably attributable to the commission of the offence — 3 times that total value; or (c) if the court cannot determine the total value of those benefits — 10% of the body corporate’s annual turnover during the 12-month period ending at the end of the month in which the body corporate committed, or began committing, the offence. 8.46 Section 1043O provides that the court can make a range of other orders, including injunctions or orders cancelling agreements.

Directors and relevant interests — s 205G 8.47 The laws that require the disclosure of a director’s interests have an interesting provenance. The laws were in fact the first regulatory response to issues concerning insider trading and therefore are mentioned in this section for

that reason. The reason for the implementation of the laws was, in fact, the rejection at the time of the need for insider trading laws. It was thought that a law imposing a legal obligation on a director regarding their trading in shares was a more effective approach than addressing concerns about insider trading. The origins of s 205G were discussed in the Cohen Committee Report (1945) (CMD 6649).80 In its report, the Cohen Committee rejected the need for the introduction of insider trading laws, but noted as follows:81 Whenever directors buy or sell shares of the company of which they are directors, they must normally have more information than the other party to the transaction and it would be unreasonable to suggest that they were thereby debarred from such transaction; but the position is different when they act not on their general knowledge but on a particular piece of information known to them and note the time known to the general body

[page 211] of shareholders, e.g., the impending conclusion of a favourable contract or the intention of the board to recommend an increased dividend. In such a case it is clearly improper for the director to act on his inside knowledge, and the risk of his doing so is increased by the practice of registering shares in the names of nominees. None the less we do not recommend a prohibition on directors holding shares in the names of nominees. This is a useful convenience to the director and prohibition could be readily evaded, e.g., through the medium of a company controlled by the director. We do, however, consider that the law should be altered so as to discourage improper transactions of the kind we have indicated. Even if the legislation is not entirely successful in suppressing improper transactions, a high standard of conduct should be maintained, and it should be generally realised that a speculative profit made as a result of special knowledge not available to the general body of shareholders in a company is improperly made. We would add that some directors who would not themselves take advantage of inside information do not so clearly appreciate the impropriety of letting it be known to their friends that events as yet unknown to the shareholders have made the shares of the company an attractive purchase.

8.48

The Cohen Committee then went on to say that:

The best safeguard against improper transactions by directors and against unfounded suspicions of such transactions is to ensure that disclosure is made of all their transactions in the shares or debentures of their companies … The fact that disclosure is obligatory will of itself be a deterrent to improper conduct and the shareholders can, if they think fit, ask for an explanation of transactions disclosed in the return which we recommend it has been represented to us that disclosure by directors of their transactions in shares of their companies might be injurious to the shareholders; for example, if a director for legitimate private reasons sold his holding, the disclosure of the sale might give rise to an unwarranted rumour that the company had experienced misfortune, and the price of the shares would fall. We think, however, that the very fact that disclosure of transactions by directors was compulsory, would tend to negative this false impression, and in the event of misconception it would always be open to the director to make a statement as to the reasons for his transactions. The practice in the United States of America is to require the disclosure of directors’ transactions and it does not appear that this has had any unfortunate results.82

8.49 The modern equivalent of the laws that were contemplated by the Cohen Committee are set out in s 205G (Notifiable interests) of the Corporations Act. Of course, this provision now applies in addition to the existing insider trading laws. That section provides that a director of a listed public company must notify the relevant market operator of [page 212] any interests she has in the securities of the company (or a related body corporate) or in contracts under which she is entitled to a benefit in the form of a right to shares, debentures or interest in a managed investment scheme made available by the company (or a related body corporate).83 A failure to comply with the disclosure obligations is a strict liability offence attracting a maximum penalty of up to 10 penalty units84 and/or imprisonment of up to three months.

GENERAL LAW AND STATUTORY OBLIGATIONS CONCERNING THE USE OF CORPORATE INFORMATION 8.50 The law concerning fiduciary duties and other related statutory duties impose certain controls on the use of corporation information. The obligations that arise under fiduciary law and the statutory requirements contained in ss 183 and 184 of the Corporations Act will be the focus of this section.

Fiduciary duties 8.51 Various relationships are of a fiduciary nature. The relationship between a director and the company is a fiduciary relationship, although the category of relationships is not a closed one. In Australian Securities and Investments Commission v Citigroup Global Markets Australia Pty Ltd (No 4) [2007] FCA 963 made the following observations about the scope and content of the fiduciary duty: The distinguishing or over-riding duty of a fiduciary is the obligation of undivided loyalty … This duty embodies “the twin themes” of preventing undisclosed conflict of duty and interest (or of duty and duty), and of prohibiting misuse of the fiduciary position … A fiduciary must act in good faith; he must not make a profit out of his trust; he must not place himself in a position where his duty and

his interest may conflict; he may not act for his own benefit or the benefit of a third person without the informed consent of his principal. [Citations omitted.]85

8.52 A key obligation that arises in connection with a fiduciary’s duty of good faith is that directors and other officers who owe the duty must not exploit company assets or information to make a profit or to [page 213] obtain some other advantage.86 This is a core obligation of the duty. It is important to note in this context that a very high duty is imposed; ‘[i]n particular, the fiduciary duty with respect to information does not depend on showing that the information is confidential’.87 Although a fiduciary’s duty in this context can be excluded or modified with the fully informed consent of the principal,88 it is unlikely that a company would ever permit a director to use company information in a manner that allowed the director to make a profit or obtain some other advantage.89 Indeed, the prohibitions discussed in ss 183 and 184 below would seem to preclude that situation from arising. Accordingly, the fiduciary obligations constitute a significant control on the use of corporate information by directors and any other executive officer who may be subject to the duty. 8.53 In addition to the duty that is imposed on directors, it is possible for a corporation to assume a fiduciary duty.90 If such a duty is imposed on a corporation, that in turn will have consequences to the information that the corporation obtains in connection with the relationship. In particular, it may limit the manner in which a corporation uses the information. If, of course, the information is price sensitive then other restrictions would apply in addition to those imposed by the general law.91 However, in this case a corporation will have much greater scope to obtain consent from a client to exclude or modify the fiduciary duty.92

Laws that prohibit the use of corporate information by directors, officers and employees 8.54 This section will discuss the laws that reflect and extend certain fiduciary obligations in relation to the use of corporate information. The primary laws that

will be discussed in this context are the obligations imposed on directors, officers and employees under s 183 of the Corporations Act. Section 183 provides as follows: [page 214] (1) A person who obtains information because they are, or have been, a director or other officer or employee of a corporation must not improperly use the information to: (a) gain an advantage for themselves or someone else; or (b) cause detriment to the corporation. (2) A person who is involved in a contravention of subsection (1) contravenes this subsection.

8.55 There is some debate as to the extent to which s 183 reflects or extends the general rules of equity. In Southern Real Estate Pty Ltd v Dellow (2003) SASR 1; [2003] SASC 318, Debelle J stated that: Section 183 prohibits a director of a company from improperly using information obtained as a director to gain advantage for themselves or someone else or to cause detriment to the company. That obligation is also a fiduciary duty. It is an instance of the fiduciary duty to act in good faith.93

8.56 This approach suggests s 183 merely reflects the general laws. Also, in Forkserve Pty Ltd v Pacchiarotta [2000] NSWSC 979 Young J observed that there were not any major differences between the two regimes. His Honour characterised this similarity as follows: … the general coverage of the obligations under [s 183] are not to any major extent wider than the duties under the general rules of equity. There are some extensions made by the statute in that there is taken away some problems of privity, there is conferred a statutory right to receive damages or compensation where under the general law there would only be an account of profits and other ancillary advantages. However, generally speaking, if there has been no improper use of information under the general equitable principles, there is no improper use of information under the statute.94

8.57 However Austin and Ramsay believe the statutory provision is wider than the general law in a number of specific respects, namely as follows: The provision applies to any officer or employee. Liability arises under the provision if an advantage flows to any other person, whereas under the general law a director is not liable to account for profits gained by another.95 The statutory provision is a civil penalty provision that imposes consequences well beyond those imposed by the general law.

[page 215] Section 183(2) is deemed to apply to anyone involved in the contravention (whether that person is an officer, employee or any other person for that matter), whereas the general law principles only apply to fiduciaries and those who knowingly assist them. The obligations in s 183(2) continue indefinitely, whereas under the general law principles may not continue indefinitely.96 Section 183(2) allows a company to recover an amount equal to the profit made by the person who contravenes (or any other person)97 whereas at general law the company may only recover profit from a fiduciary. In this context the company may also be able to impose a constructive trusteeship on a third party who assists the fiduciary with knowledge of the breach. However, the general law does not permit the company to recover from the fiduciary an amount equivalent to the profit obtained by the third party.98 8.58 Austin and Ramsay then go on to note that s 183(2) is narrower in scope than the general law in two respects: First, the statutory provision only applies where the improper use of the information relates to the gaining of an advantage for the officer or employee (or any other person) or causing detriment to the company. In this connection, the general law does not require either the advantage or detriment elements. Second, the statutory provision applies only where use is made of the relevant person’s position, whereas the general law indicates a move away from a strict causal connection.99 The differences that Austin and Ramsay point out are significant ones that clearly demonstrate dissimilarities between the two regimes. It is essential to be aware of these differences in order to manage legal risk in this context.

Liability 8.59 Section 183 is a civil penalty provision.100 Liability is imposed on any person who contravenes the provision or any person who is involved in the contravention.101

[page 216] 8.60 A breach attracts a pecuniary penalty up to $200,000 for an individual and $1 million for corporation.102 In addition, a compensation order may be made under s 1317H that allows a court to order a person who has breached a civil penalty provision to compensate another person for damage suffered as a result of the breach. In addition, if a current or past director, officer or employee dishonestly uses a company’s information with the intention of gaining an advantage or causing detriment (or is reckless to such matters), they may be subject to criminal sanction under s 184(3). The maximum penalty for a breach of s 184(3) is 2000 penalty units and/or five years imprisonment.103

MARKET MANIPULATION LAWS AND OTHER INFORMATION OFFENCES 8.61 In addition to the laws discussed elsewhere in this chapter, the Corporations Act contains a number of laws that prohibit the use of false information. These provisions will be referred to generally as information offences.

Offences under Part 9.4, Corporations Act 8.62 Part 9.4 provides a wide range of information offences. For example, it is an offence: for a corporation to advertise or publish a misleading statement about the capital of the company;104 for a person to knowingly lodge a misleading document with ASIC;105 for a person to make or authorise the making of a statement in a document without taking reasonable steps to ensure that statement was not misleading;106 and for a person to give or authorise the giving of false or misleading information to directors, auditors or market operators knowing that such information is false or misleading.107

[page 217] 8.63 A contravention of these provisions is an offence and the maximum penalties include fines of 100 –200 penalty units and/or two to five years imprisonment depending on which provision is contravened.108

Market misconduct offences under Part 7.10, Corporations Act 8.64 In addition, to the information offences set out above, Pt 7.10 of the Corporations Act sets out a number of offences in relation to market misconduct. One of these, the prohibition on engaging in misleading or deceptive conduct in s 1041H (misleading or deceptive conduct), has been examined elsewhere in this book: see Chapter 6. However, Pt 7.10 does contain numerous other prohibitions on market misconduct. The offences include a prohibition on: market manipulation (ie, creating or maintaining artificial prices);109 market rigging (eg, conduct that would give a false impression of active trading or a false impression of the price for a financial product);110 entering into an artificial transaction where that results in price movements;111 the dissemination of information about illegal transactions;112 dishonest conduct;113 and the making of false or misleading statements in certain circumstances where the maker is indifferent to the falsity or knows the statement is false.114 Of the various offences set out in Pt 7.10, the following are civil penalty provisions: ss 1041A (market manipulation); 1041B(1) (false trading and market rigging); 1041C(1) (false trading and market rigging); and 1041D (dissemination of information about illegal transactions). Penalties for a breach of those civil provisions are a maximum of $200,000 for individuals and $1,000,000 for corporations.115 In addition, criminal liability arises under ss 1041A, 1041B(1), 1041C(1), 1041D, 1041E(1), 1041F(1) and 1041G(1). The penalties for a breach of those provisions by an individual are imprisonment for

[page 218] 10 years and/or a fine the greater of the following: 4500 penalty units;116 or if the court can determine the total value of the benefits that have been obtained by one or more persons and are reasonably attributable to the commission of the offence — three times that total value. In the case of a corporation, the maximum penalty is a fine, the greatest of the following: (a) 45,000 penalty units; (b) if the court can determine the total value of the benefits that have been obtained by one or more persons and are reasonably attributable to the commission of the offence — three times that total value; or (c) if the court cannot determine the total value of those benefits — 10 per cent of the body corporate’s annual turnover during the 12-month period ending at the end of the month in which the body corporate committed, or began committing, the offence.

PRICE SIGNALLING LAWS 8.65 New laws prohibiting the disclosure of certain information commenced operation in June 2012. These laws are commonly referred to as price signalling laws although they regulate the disclosure not only of information concerning price, but also information relating to supply intentions and corporate strategy. The policy justification for these laws is that certain disclosures by corporations reduce competition (or have a propensity to do so) and ought to be prohibited because of this anti-competitive effect. Price signalling is often characterised as a manifestation of price fixing. The conduct effectively involves collusion by one party disclosing, directly or indirectly, its pricing intentions with an expectation that the other party will adjust its pricing in response to the disclosure, but there is no firm arrangement or understanding that this result will occur. In this connection the Explanatory Memorandum to the Competition and Consumer Amendment Bill (No 1) 2011 stated that: Anti-competitive price signalling and information disclosures to competitors facilitate prices above the competitive level and can lead to inefficient outcomes for the economy and lower wellbeing for consumers (these practices are sometimes referred to as facilitating, coordinated or concerted practices). However they fall short of an explicit cartel arrangement because they do not involve a contract, arrangement

[page 219] or understanding. Anti-competitive price signalling and information disclosures can occur as part of a wider cooperation agreement, or as a stand-alone practice absent of an explicit cartel arrangement.117

8.66 It should be noted that currently the price signalling laws only apply to disclosures made concerning the deposit-taking activities of, and the provision of credit by, entities regulated under the Banking Act 1959 (Cth).118 However, the applicable Regulations contain a process for extending the application of the laws to other sectors of the economy or economy-wide for that matter.119 The price signalling laws contain two prohibitions: the private disclosure prohibition and the general prohibition. These are discussed below.

Private disclosure prohibition 8.67 The private disclosure prohibition is set out in s 44ZZW of the Competition and Consumer Act 2010 (Cth) (CCA). That section provides as follows: A corporation must not make a disclosure of information if: (a) the information relates to a price for, or a discount, allowance, rebate or credit in relation to Division 1A goods or services supplied or likely to be supplied, or acquired or likely to be acquired, by the corporation in a market (whether or not the information also relates to other matters); and (b) the disclosure is a private disclosure to competitors in relation to that market; and (c) the disclosure is not in the ordinary course of business.

8.68 As mentioned above, the only Div 1A goods or services that this law applies to currently are deposits and credit. A disclosure will be made by a corporation if a director, employee or agent of the corporation made the disclosure.120 If that disclosure relates to the ‘price for, or a discount, allowance, rebate or credit’ in relation to regulated goods and services’ and is not in the ordinary course of business the corporation will be in breach of the prohibition.121 It is submitted that the phrase ‘ordinary course of business’ must refer to what a reasonable person would consider a legitimate practice. [page 220]

The application of the prohibition is also excluded in a number of situations.122 However, notwithstanding these exclusions, the provision still applies to a range of trivial disclosures. For example, the law would prohibit a bank teller from one organisation speaking to a bank teller from another organisation about standard variable rates, even if those rates were generally available.123

General prohibition 8.69 The general prohibition is set out in s 44ZZX. That provision effectively prohibits a corporation from disclosing pricing, strategy or capacity related information concerning Div 1A goods or services (currently deposit and lending goods or services) to any person (whether or not competitors) where the purpose of the disclosure is to substantially lessen competition in a market.124 In determining whether a disclosure was made for the purposes of substantially lessening competition in a market, the matters to which a court may have regard include: whether the disclosure was a private disclosure to competitors; the degree of specificity of the information; whether the information relates to past, current or future activities; how readily available the information is to the public; and whether the disclosure is part of a pattern or similar disclosures by the corporation. In certain circumstances the general prohibition will not apply.125

Penalties 8.70 The maximum civil penalties for a breach of the price signalling laws are very high. The maximum civil penalty that can be imposed on a corporation for a breach of the laws is the greater of: $10 million; three times the value of the benefits of the contravention (if ascertainable); and if the value of the benefits that flow from a contravention cannot be

[page 221] ascertained, 10 per cent of annual turnover126 in the 12 months before the contravention.127 8.71 For individuals the maximum civil penalty is a fine of up to $500,000.128 Individuals may also be disqualified from managing corporations.129 Further, any person involved in a contravention can be subject to penalty.130 In addition, persons who suffer loss as a result of the conduct may be able to obtain an order for compensation or recover damages.131 Criminal penalties do not apply in respect of the price signalling laws.

CONCLUSION 8.72 This chapter focused on the laws that prohibit the use and disclosure of certain information or otherwise place constraints on the use of corporate information. The range of laws that play a role in this context are many and varied. Attempting to interpret and apply these information laws can often be problematic, although on deeper analysis, the challenge is not nearly an insurmountable as it might seem at first blush. _________________________ 1.

G Lyon and J J du Plessis, The Law of Insider Trading in Australia, Federation Press, Australia, 2005, p 172, citing M Gething, ‘Insider Trading Enforcement: Where are We Now and Where do We Go From Here?’ (1998) 16 Company and Securities Law Journal 607, 612.

2.

CAMAC, Insider Trading Discussion Paper, June 2001, .

3.

At [2.63].

4.

At [2.64].

5.

For example, it helps us to reconcile the outcomes in Mansfield v The Queen [2012] HCA 49 (Mansfield) (false information can be price sensitive information) and Jubilee Mines NL (ACN 009 219 809) v Riley (2009) 69 ACSR 659 (Jubilee) (misleading information is not price sensitive information).

6.

For a discussion concerning the various justifications, see R Baxt, A Black and P Hanrahan, Securities and Financial Services Law, 7th ed, LexisNexis Butterworths, Australia, 2008, [17.2]ff.

7.

See, for example, Report of the House of Representatives Standing Committee on Legal and Constitutional Affairs, Fair Shares for All — Insider Trading in Australia, AGPS, Canberra, October 1990, 3.3.6; Australian Securities and Investments Commission v Petsas [2005] FCA 88 at [11] per Finkelstein J; R v Firns [2001] NSWCCA 191 at [48].

8.

R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 13th ed, LexisNexis Butterworths, Australia, 2007, [9.600]

9.

Note also that legislation prohibiting insider trading is a feature of the securities laws of most countries that have significant capital and securities markets: see Australian Corporation Law — Principles and Practice, LexisNexis online looseleaf, [7.13.0115].

10. See s 1042A, Corporations Act. 11. See Pt 7.1, Div 3 and Pt 7.1, Div 5, Corporations Act. 12. See s 761A. 13. See fn 9, Australian Corporation Law — Principles and Practice, [7.13.0185]. 14. See R v Staines [1997] EWCA 1525 at [8]. 15. R v Rivkin [2004] NSWCCA 7 (Rivkin) at [131]–[134]. 16. See fn 15, Rivkin at [137]. 17. See fn 5, Mansfield at [72]–[73]. 18. See s 1042A. 19. ICAL Ltd v County Natwest Securities Aust Ltd (1988) 13 ACLR 129 at 167. 20. See Leadenhall Australia Ltd v Peptech Ltd (1999) 33 ACSR 307 at [130] and [132]. 21. See fn 9, Australian Corporation Law — Principles and Practice, [7.13.0160]. 22. At [7.13.0160]. 23. At [7.13.0170]. 24. See R v Evans [1999] VSC 488; BC9908092 for an illustration of how this provision works. 25. See fn 1, Lyon et al, p 25. 26. See fn 5, Jubilee at [109]. 27. See fn 1, Lyon et al, p 26. 28. Boughey v R (1986) 161 CLR 10 at [3]–[4] per Gibbs CJ and at [12]–[14] per Mason, Wilson and Deane JJ. 29. Westgold Resources NL v St George Bank Ltd (1998) 29 ACSR 396 at 440. 30. See Hooker Investments Pty Ltd v Baring Bros Halkerston & Partners Ltd (1986) 10 ACLR 524 at 528 per McHugh JA; Exicom v Futuris (1995) 13 ACLC 1758 at 1763. 31. See fn 1, Lyon et al, p 28. 32. See fn 1, Lyon et al, p 23. 33. See fn 15, Rivkin at [94]. 34. See fn 28, Boughey at [32]–[33]. 35. A similar provision applies in relation to partnerships: s 1042H. 36. The focus of this section will be on ‘securities’, although as we saw in 8.7, the prohibitions apply to a wide range of financial products. 37. See ss 1042B(a) and 1042B(b). See also the territorial connection in relation to the communication/tipping offence, discussed in 8.24. 38. See Director of Public Prosecutions (Cth) v Fysh [2010] QSC 216 at [77] and [78]. 39. See fn 1, Lyon et al, p 14, citing Ford, Austin and Ramsay, Ford’s Principles of Corporations Law, LexisNexis looseleaf service, update no 42, 6/2004, 9537 [9.650]. 40. See s 9.

41. See s 761E(1) and the note to the section. 42. See s 761E(1). 43. See s 761A. 44. See fn 9, Australian Corporation Law — Principles and Practice, [7.13.0165] and discussion of R v Evans [1999] VSC 488. 45. See fn 9, Australian Corporation Law — Principles and Practice, [7.13.0165]. 46. Commonwealth Director of Public Prosecutions v Fysh [2010] QSC 216 at [77]. 47. See discussion of R v Evans [1999] VSC 488 in fn 9; Australian Corporation Law — Principles and Practice, [7.13.0145]. 48. CAMAC, Insider Trading Report, November 2003, 3.5.1. 49. See fn 48, Insider Trading Report, 3.5.3. 50. Westgold Resources NL v St George Bank Ltd (1999) 17 ACLC 327 at 367. 51. Note that reg 9.12.01, Corporations Regulations 2001 (Cth) also provides for some exceptions to liability. 52. Explanatory Memorandum to the Corporations Amendment Bill 1991 (EM) at [347]. 53. See s 1043C(1)(a). 54. See s 1043C(1)(b). 55. See s 1043C(1)(c). 56. See s 1043C(2)(b)(i). 57. See fn 1, Lyon et al, p 76. 58. See s 1043M(2)(b). 59. See s 1043N. 60. See fn 6, Baxt et al, [18.32]. 61. See fn 1, Lyon et al, p 79. For example, acquiring securities under ss 414(2) or 664A(3). 62. Similar exceptions are provided for partnerships and AFSL holders: see ss 1043G and 1043K respectively. The key requirement under all of these provisions is the existence of effective Chinese walls. 63. It is important to note that s 1042G(2) does not expressly exclude the operation of s 769B(3): see fn 6, Baxt et al, [17.21]. 64. Mallesons Stephen Jaques v KPMG Peat Marwick [1990] 4 WAR 357 at 371–2. 65. Australian Securities and Investments Commission v Citigroup Global Markets Australia Pty Ltd (ACN 113 114832) (No 4) [2007] FCA 963 (ASIC v Citigroup) at [319]. 66. At [320]–[321]. 67. At [449]–[451]. 68. At [604]. 69. See s 1043H. 70. See s 1043I. 71. See s 1043J. 72. See fn 6, Baxt et al, [18.35].

73. AMI v King [2002] NSWSC 1033 at [4]. 74. See ss 1043M(2)(a) and 1043M(3)(a); and see fn 6, Baxt et al, [18.39]. 75. See ss 1043M(2)(b) and 1043M(3)(b). 76. See ss 1317DA and 1317E(1)(jf)–(jg). 77. See s 1317G. 78. See fn 6, Baxt et al, [18.42]. 79. Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit means $170 (NB: this was increased from $110 by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth)). 80. See fn 8, Austin et al, 2007, [9.610]. 81. Cohen Committee Report (1945) (CMD 6649), [86]. 82. See fn 81, Cohen Committee Report, [87]. 83. Other requirements as to when the notice must be lodged and the form of it are set out in s 205G. 84. Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit means $170 (NB: this was increased from $110 by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth)). 85. See fn 65, ASIC v Citigroup at [289]–[291]. 86. See Chew v R (1991) 5 ACSR 473 at 499 per Malcolm CJ. 87. R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 15th ed, LexisNexis Butterworths, Australia, 2013, [9.210]. 88. See fn 65, ASIC v Citigroup at [293]–[294] per Jacobson J. 89. Indeed, directors have a duty to use company resources only for the benefit of the company: see fn 87, Austin et al, 2013, [8.080]. 90. See Hospital Products Ltd v United States Surgical Corporation [1993] HCA 82; and fn 68, ASIC v Citigroup. 91. See, for example, the situation that arose in fn 65, ASIC v Citigroup. 92. See fn 65, ASIC v Citigroup at [337]. 93. Southern Real Estate Pty Ltd v Dellow (2003) SASR 1; [2003] SASC 318 at [25]. 94. Forkserve Pty Ltd v Pacchiarotta [2000] NSWSC 979 at [28], repeating what his Honour had said in Rosetex Company Pty Ltd v Licata (1994) 12 ACSR 779. 95. See Regal (Hastings) Ltd v Gulliver [1967] 2 AC 134n for an illustration of this principle. 96. Indeed, as noted in Chapter 4, an employee’s obligations post-employment may narrow significantly in this context, especially in the absence of written restrictive covenants: see 4.29ff 97. See Cummings v Claremont Petroleum NL (1992) 9 ACSR 583 for an example of recovery against a third party. 98. See fn 87, Austin et al, 2013, [9.290]. 99. See fn 87, Austin et al, 2013, [9.290]. 100. See s 1317E. 101. See s 79 for the definition of ‘involved’. 102. See s 1317G.

103. Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit means $170 (NB: this was increased from $110 by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth)). 104. See s 1308(1)(a). 105. See s 1308(2). See also R v Tomaiuolo [2007] SASC 34; R v Wall [2002] NSWCCA 42. 106. See s 1308(4). 107. See s 1309. See also R v Reid (1999) 2 VR 605. 108. See Sch 3, Corporations Act. 109. See s 1041A. See also DPP (Cth) v J M [2012] VSCA 21 as to what constitutes an ‘artificial price’. 110. See s 1041B. 111. See s 1041C. 112. See s 1041D. 113. See s 1041G. 114. See s 1041E. 115. See s 1317G. 116. Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit means $170 (NB: this was increased from $110 by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth)). 117. Explanatory Memorandum to the Competition and Consumer Amendment Bill (No 1) 2011 at [1.8]. 118. See s 44ZZT, CCA and reg 48, Competition and Consumer Regulations 2010 (Cth). 119. See reg 49, Competition and Consumer Regulations. 120. See s 84, CCA. See also s 44ZZU that deems when a disclosure is made to another entity. 121. See also s 44ZZV(2) that contains certain anti-avoidance provisions. 122. See ss 44ZZY and 44ZZZ. 123. See s 44ZZV(3). 124. See s 84, CCA in respect of the attribution of disclosures made by directors, employees and agents to a corporation and also s 44ZZU that deems when a disclosure is made to another entity. 125. See s 44ZZY. 126. The term ‘annual turnover’ is defined in s 76(5). 127. See s 76(1A). 128. See s 76(1B). 129. See s 86E. 130. See s 76(1)(a). 131. See ss 79B, 82 and 87.

[page 222]

Chapter 9 Collection, Use and Disclosure of Personal Information

INTRODUCTION 9.1 The collection, use and disclosure of personal information are integral to the operation of corporations that supply goods or services to consumers. Such information is extremely valuable and is an ‘asset class’ of its own.1 However, the collection, use and disclosure of such information are regulated by privacy law. This chapter will focus on both the laws that regulate personal information generally and the laws that specifically regulate credit information. 9.2 The first part of this chapter will examine the obligations that are imposed on corporations generally under the Privacy Act 1988 (Cth) as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).2 The primary focus of that part will be on the laws concerning the collection, use and disclosure of personal information. The second part of this chapter will examine how the new laws will impact corporations that are credit providers under the amended Act (excluding any examination of credit reporting codes, as such codes were not available at the time of publication). [page 223] The amending legislation provides for the most significant changes to the Privacy Act in over 20 years.3 The key changes in the Privacy Act that impact corporations are as follows: increased disclosure obligations; enhanced information governance obligations;

the obligation to provide consumers with greater scope to ‘opt out’ of direct marketing; new rights for individuals to access and correct credit reports; the introduction of comprehensive credit reporting; a higher standard of protection to an individual’s ‘sensitive information’; the conferral of new powers on the Commonwealth Privacy Commissioner with respect to complaints, investigations and remedies; and new civil penalty orders, including up to $1.1 million in fines for privacy breaches in certain circumstances. Many of the amendments contained in the new legislation were precipitated by a wide-ranging report by the Australian Law Reform Commission (ALRC) entitled For Your Information: Australian Privacy Law and Practice, containing over 295 recommendations for reform.4 9.3 The amendments set out in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 commence on 12 March 2014. Where it is necessary to draw a distinction, the term ‘current Act’ will be used to refer to the provisions of the Act that apply up until 12 March 2014 and the term ‘amended Act’ will be used to refer to the provisions of the Act that apply on and from 12 March 2014. Where no distinction is made, reference to the Act is to the amended Act.

THE COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION Who does the Privacy Act apply to? 9.4 The current Act applies to a wide range of entities. This position will not change materially under the amended Act. Broadly speaking, the provisions under the current Act which relate to the collection, use and disclosure of personal information apply to ‘organisations’ and ‘agencies’. The term ‘agencies’ refers to public bodies [page 224]

and other governmental entities and is not relevant for the purposes of this chapter. The term ‘organisations’ is defined in s 6C of the current Act (which will not change under the amended Act) as meaning individuals, body corporates, partnerships, other unincorporated associations and trusts, but excludes small business operators and other entities.5 A small business operator is one that has an annual turnover of $3,000,000 or less6 and does not otherwise fall into one of six exceptions. For example, where the small business operator deals in personal information for a benefit, provides a health service or is a credit reporting body.7 Organisations (also known as ‘APP entities’ under the amended Act) that collect, use and disclose personal information are subject to the National Privacy Principles under the current Act. Although some definitions will change, under the amended Act, those same organisations will become subject to the requirements set out in the Australian Privacy Principles (APPs). The APPs are the focus of this section of this chapter. The terms ‘organisation’, ‘APP entity’ and ‘corporation’ are used interchangeably in this chapter.

Australian Privacy Principles — APPs 9.5 Under the amended Act, the general obligations that all corporations, which collect and use personal information must comply with, are imposed by s 15, that provides that an: ‘APP entity must not do an act, or engage in a practice, that breaches an Australian Privacy Principle’. 9.6 The APPs have been designed and organised in a manner that reflects the personal information management lifecycle. The Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (EM) explains this approach to the design of the APPs as follows: The order in which the APPs appear is intended to reflect the cycle that occurs as entities collect, hold, use and disclose personal information. This broadly consists of the following stages: planning in advance how to meet obligations in relation to the handling of personal information; considering whether information may or should be collected; collecting information;

[page 225]

providing notification of collection to the individual concerned; using or disclosing the information for the purpose for which it was collected or for an allowable secondary purpose; maintaining the integrity of personal information by securely storing it and ensuring its quality; and when the information is no longer necessary for the functions or activities of the entity, destroying it or ensuring that it is no longer personal information. To this end, the APPs have been set out in Parts that move through each of the above elements of the information-handling chain.8

Consequently, each ‘part’ of this section will discuss the APPs in groupings that reflect the thematic organisation of those privacy principles in the amended Act. While each APP will not be discussed in its entirety, the key aspects or most important aspects of each APP will be covered. The main parts of this section will affect the themes mentioned above being: information governance; the collection of personal information; use and disclosure of personal information; quality and security of personal information; and access to and correction of personal information. Prior to discussing the APPs within each of these parts, however, it is first necessary to identify what constitutes ‘personal information’ for the purposes of the current or amended Act.

What is ‘personal information’? 9.7 The starting point for any analysis of a corporation’s obligations under the Privacy Act is to identify the scope of information that is caught by both the current and the amended Act. Up until March 2014, s 6 of the current Act will define ‘personal information’ as follows: … information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. [Referred to in this section as the ‘current definition’].

Upon the commencement of the amendments to the Act, the expression ‘personal information’ will change to: … information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.

[Referred to as the ‘new definition’ in this section.]

[page 226] 9.8 At first blush there does not appear to be much difference between the two definitions. One key change recommended by the ALRC that has found its way into the new definition, is that the new definition now requires information or an opinion to be ‘about an identified individual, or an individual who is reasonably identifiable’ as opposed to information or an opinion ‘about an individual whose identity is apparent, or can reasonably be ascertained’. The reason for the change appears to be to align the relevant definition with international precedent9 and to address philosophical issues concerning the distinction between the terms identity and identification.10 Ultimately, though, not much seems to turn on the distinction. 9.9 If one’s identity11 is apparent, or can reasonably be ascertained, it follows that the relevant information would be personal information for the purposes of the current definition. Similarly, if one can be identified at any point in time, then it also follows that their identity has been ascertained at that point of time. The act of identifying leads inexorably to ascertaining the identity of an individual. A further change that is also implemented in the new law relates to how one is identified. The current definition required an identity to be apparent, or reasonably ascertainable from the relevant information or opinion. The new definition omits the requirement for an individual to be identified or identifiable from information or an opinion. The rationale behind this change is that with greater potential and/or capacity of corporations to conduct data matching and data linking, the requirement for information to be ‘from the information or opinion’ was potentially limiting. That is, information or an opinion on its own may not enable one to identify an individual, but it may when linked to other data sources. 9.10 On one view, information of the first kind would not be ‘personal information’ under the current definition. However, this would seem to be an odd result for two reasons. First, upon linking of data sources, the relevant information would seem to form personal information under the current definition. If no linking ever occurred, no personal information ever existed. Second, the effort and investment required to link the relevant information needs to be considered. If a corporation intends to or routinely does link information in order to

enhance its customer profiles and the steps required to link that information are straightforward, then a corporation should have considered treating [page 227] such information as ‘personal information’ for the purposes of the current definition. This is because the identity of the relevant customer or customers could have reasonably been ascertained from the information by linking it to other readily accessible information sources. 9.11 The same result however follows on the new definition. If a corporation has no intention of linking data sources (which in themselves do not identify an individual but in combination may), this lack of intention should be considered in determining whether an individual is reasonably identifiable. Other factors would include the technical difficulty associated with such ‘linking’ and any required investment. 9.12 These issues were identified by Microsoft in its submission to the ALRC for its Report 108. In respect of the ‘reasonableness’ test, Microsoft said: This test necessitates a consideration of the cost, difficulty, practicality and likelihood of the organisation linking information with other personal information accessible to it, and not merely whether the organisation would be able to link the information after incurring substantial expenditure … In Microsoft’s experience as a large organisation that handles and processes significant volumes of personal information for its business purposes, it is apparent to us that just because an organisation holds, or is capable of accessing, various pieces of information about an individual, it does not follow that it will always combine this information to ascertain the identity of that individual. In many cases it is not practical or useful for this to be done, and so it simply does not occur.12

The EM reflects the substance of these statements. It states that: The new definition will refer to an individual who is, ‘reasonably identifiable’. Whether an individual can be identified or is reasonably identifiable depends on context and circumstances. While it may be technically possible for an agency or organisation to identify individuals from information it holds, for example, by linking the information with other information held by it, or another entity, it may be that it is not practically possible. For example, logistics or legislation may prevent such linkage. In these circumstances, individuals are not ‘reasonably identifiable’. Whether an individual is reasonably identifiable from certain information requires a consideration of the cost, difficulty, practicality and likelihood that the information will be linked in such a way as to identify him or her.

9.13 From one perspective, these statements reflect the approach that would have been taken to interpreting the same issue under the current definition. Accordingly, it is not clear that the scope of the amended

[page 228] definition has changed much if at all. Indeed these sentiments were acknowledged in the EM, which notes that: The proposed definition does not significantly change the scope of what is considered to be personal information. The application of ‘reasonably identifiable’ ensures the definition continues to be based on factors which are relevant to the context and circumstances in which the information is collected and held.13

9.14 The key issue for corporations under the new definition (as it was under the current definition) is to assess their information collection and management practices on an ongoing basis to determine whether information they collect is ‘personal information’ for the purposes of the Act. This is a critical, but not necessarily straightforward, task, especially in the information age. For example, information that is on its face clearly not personal information (eg, a cookie ID or a dynamic IP address) could become so once correlated or linked with other snippets of information. For example, the ALRC observed that a mobile telephone number, email address or IP address could be, or could become, ‘personal information once that information was linked to a particular individual due to the accretion of information around the number or address’.14 9.15 This ‘accretion issue’ is one that is extremely important in the context of the information economy and the increasing use of ‘big data’. Corporations need to ensure that they do not inadvertently breach the Act due to a mistaken belief that individual data sets do not constitute ‘personal information’ when, in aggregate, they actually do have such status.

Information governance 9.16 The objective of APP 1 is to ‘ensure that APP entities manage personal information in an open and transparent way’. A new requirement in APP 1 is the information governance requirement set out in APP 1.2, which provides as follows:15 An APP entity must take such steps as are reasonable in the circumstances to implement practices, procedures and systems relating to the entity’s functions or activities that:

[page 229]

(a) will ensure that the entity complies with the Australian Privacy Principles and a registered APP code (if any) that binds the entity; and (b) will enable the entity to deal with inquiries or complaints from individuals about the entity’s compliance with the Australian Privacy Principles or such a code.

9.17 While this requirement may have been implicit in law as it stood prior to the amendments to the Privacy Act, from 12 March 2014 it will be an express requirement. If a corporation fails to adopt a comprehensive approach to information governance and fails to design and implement reasonable practices, procedures and systems which are reasonable in light of its information collection and use practices, then it could be at risk of breaching this APP. The EM noted that policies and practices under APP 1.2 could include: training staff and communicating to staff information about the agency or organisation’s policies and practices; establishing procedures to receive and respond to complaints and inquiries; developing information to explain the agency or organisation’s policies and procedures; and establishing procedures to identify and manage privacy risks and compliance issues, including in designing and implementing systems or infrastructure for the collection and handling of personal information by the agency or organisation.16

9.18 The next specific information governance step that corporations are required to take is to have a clearly expressed and up-to-date privacy policy: APP 1.3. The express requirement to have an ‘up-to-date’ policy is a new one. The provisons of the current Act only requires as follows: An organisation must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.17

9.19 The requirement to maintain an up-to-date privacy policy (the ‘currency requirement’) is a logical one, but by the same token it may require significant efforts by a corporation to ensure that the policy and corporate practice remain in lockstep. If they do not, then it will give rise to a potential breach of APP 1.3. In addition, the failure to maintain an up-to-date policy may be indicative of a breach of the obligation to maintain effective information governance structures under APP 1.2. The publication of an out-of-date policy may also amount to a misleading [page 230] representation which may be actionable, for example, under s 18 of the Australian Consumer Law (ACL).

9.20 The information that APP 1.4 requires to be set out in a privacy policy includes information concerning the kinds of ‘personal information collected and held; how such information is collected and held; the purposes for which the entity collects, holds, uses and discloses personal information; access and correction procedures; complaint-handling procedures; and information about any cross-border disclosure of personal information that might occur’.18 The requirement for potential cross-border disclosures is a new and interesting one for corporations. 9.21 Under APP 1.4 an organisation must include the following information in its privacy policy: (f)

whether the entity is likely to disclose personal information to overseas recipients;

(g) if the entity is likely to disclose personal information to overseas recipients—the countries in which such recipients are likely to be located if it is practicable to specify those countries in the policy.

These requirements are new. Presumably, the ‘recipient’ of the relevant information must be a person (body corporate or natural person). If this is the case, it would seem to rule out disclosure to a ‘machine’. That is, it may be the case that a corporation may be able to utilise information technology facilities used in other countries (eg, such as those that support cloud technologies) and not have to ‘disclose’ any information to the persons that provide such infrastructure to the corporation. Whether a ‘disclosure’ to recipients occurred in these cases would be a matter of fact. If technology infrastructure was provided by a overseas-based entity (say, an operator of world-class data centres in Singapore) and the data stored on that infrastructure by an Australian corporation was only accessible in the ordinary course due to the implementation of logical security protocols, it would seem improbable that one could characterise that situation as a ‘disclosure’ for the purposes of this APP. The final APP we will discuss under the information governance banner is APP 2. APP 2.1 requires corporation to provide an option for individuals not to identify themselves when dealing with the corporation unless APP 2.2 applies. [page 231] APP 2.2 provides that the ‘anonymity’ option need not be provided if the

corporation is required or authorised to identify individuals or it is impracticable to provide an ‘anonymity’ option.

Collection of personal information 9.22 The key disclosures that a corporation must make when it is collecting personal information are set out in APP 3–APP 5. APP 3.2 provides as follows: If an APP entity is an organisation, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for one or more of the entity’s functions or activities.

9.23 APP 3.2 permits an organisation to collect personal information provided it is ‘reasonably necessary’ for one or more of the organisation’s functions or activities. The concept of what is ‘reasonably necessary’ was discussed in some length in the EM at p 53: A number of the APPs allow for collection, use or disclosure where the entity believes that the collection, use or disclosure is ‘reasonably necessary’ for a particular purpose. It is intended that this be interpreted objectively and in a practical sense. It is not intended to provide a lower level of protection compared with the existing NPPs, where an objective test is implied. In relation to the requirement that an entity must not collect, use or disclose personal information unless it is reasonably necessary for a particular purpose, function or activity, this is intended to reflect the following. The first is that the collection, use or disclosure is reasonably necessary to pursue that particular purpose, function or activity. Whether the collection, use or disclosure is reasonably necessary is to be assessed from the perspective of a reasonable person (not merely from the perspective of the entity proposing to undertake the activity). Where a reasonable person would not regard the purpose, function or activity in question as legitimate for that type of entity, the collection, use or disclosure of personal information will not be ‘reasonably necessary’ even if the entity cannot effectively pursue that function or activity without collecting, using or disclosing the personal information.

9.24 The first two paragraphs of this statement are unobjectionable. It would, however, seem that the objective test is conditioned by the circumstances of the actual entity in question. On that point, it appears that the statement contained in the third paragraph above goes, with respect, well beyond the plain and ordinary meaning of the language set out in APP 3.2. There seems to be no justification for stating in the EM that in applying the hypothetical test one should have regard to whether [page 232] a purpose or function of an entity is ‘legitimate for that type of entity’. That is

not the test expressed, nor is this consistent with the ordinary meaning of the words, in APP 3.2. While the EM is not law, courts can look to it in ascertaining the meaning of a legislative provision.19 9.25 APP 3.3 is expressed in straightforward terms. The requirements it imposes in relation to organisations are set out below: An APP entity must not collect sensitive information about an individual unless: (a) the individual consents to the collection of the information and: … (ii) … the information is reasonably necessary for one or more of the [organisation’s] functions or activities; or (b) subclause 3.4 applies in relation to the information.

9.26 APP 3.4 relates to what could be categorised as unusual situations (eg, collection of information under a law/court order, collection for the purposes of providing a health service or for enforcement related activities). For most corporations (except for those in the health services sector) none of the exceptions set out in APP 3.4 will apply in the usual course of business. There is one possible exception to this situation, though, and that relates to the use of biometric information. With a rapid increase in security-related incidents,20 organisations are looking for ways in which to use biometric data to identify [page 233] individuals for the purposes of internet transactions.21 However, under the Act, biometric information is defined as sensitive information.22 The EM notes at p 62 that the references to biometric information and biometric templates have been added to the definition section of the amended Act and that: The inclusion of … [the references to biometric information and biometric templates] will implement the Government’s response to ALRC Recommendation 6-4. The Government agreed with the ALRC that biometric information had similar attributes to other sensitive information and it was therefore desirable to provide it with a higher level of protection. Given the broad nature of what can be considered biometric information, the definition makes it clear that the additional protections only extend to that biometric information which is specifically being collected for the purpose of automated biometric verification or biometric identification.

9.27 If any biometric information is being used for the purpose of automated biometric versification or biometric identification, then it follows that the more

onerous collection obligation in APP 3.2 will apply. Accordingly, organisations that wish to use biometric data to interact with their customers will need to obtain consent from such customers. The expression ‘consent’ is defined in s 6(1) of the Act as ‘… express or implied consent’. The EM notes at 54 that: Consent is a defined concept within the current Privacy Act which will be retained in the amended Act. Consent is defined to mean ‘express consent or implied consent’. Express consent exists where a person makes an informed decision to give their voluntary agreement to collection, use or disclosure taking place. Whether consent can be said to be implied depends entirely on the circumstances. Consent may be implied when, in the circumstances, the individual and the relevant entity have each engaged in conduct that means that it can be inferred the individual has consented, even though the individual may not have specifically stated that he or she gives consent. Consent, in many circumstances, can be withdrawn at any time. In such circumstances, the consent no longer exists, and an entity would no longer be able to rely on consent having been given when dealing with the individual’s personal information.

[page 234] Consistent with the Government’s response to ALRC Recommendation 19-1, the Government encourages the development and publication of appropriate guidance by the OAIC about what is required of agencies and organisations to obtain an individual’s consent for the purposes of the Privacy Act.

9.28 The requirements discussed above are supplemented by the requirements in APP 3.5 to only collect personal information by lawful and fair means and also APP 3.6 which provides that an organisation must only collect information about an individual from the relevant individual, unless it is unreasonable or impracticable to do so. 9.29 APP 4 provides that an organisation which receives unsolicited personal information, must make a determination as to whether it would have been permitted under the Act to collect such information if it had in fact solicited such information. If the information could not have been lawfully collected, the organisation must destroy or de-identify such information unless it is not reasonable or lawful to do so in the circumstances. One such circumstance may be where an organisation ‘has received unsolicited personal information from a law enforcement agency to assist that agency in its investigations’.23 In that case it would not be reasonable (and potentially unlawful) to dispose of the relevant information until the enforcement agency no longer requires assistance.

Another circumstance where this situation may arise is in relation to complaints. For example, an organisation with a large consumer base may receive unsolicited complaint-related information that contains personal information and even sensitive information (including regarding the health of an individual). Whether it would not be reasonable or unlawful to destroy or de-identify the relevant information in such a case would depend on the nature of the material provided and the nature of the complaint. If the information can be destroyed or de-identified,24 that is the end of the matter. If the information cannot be destroyed or de-identified, then APP 5–APP 13 will continue to apply as if the organisation had collected the information under APP 3. 9.30 The final disclosure required in the collection phase is set out in APP 5. APP 5.1 provides that an organisation must at or before the time [page 235] it collects personal information (or, if that is not practicable, as soon as practicable thereafter) take such steps (if any) as are reasonable in the circumstances to notify the individual of the matters set out in APP 5.2. The matters requiring notification under APP 5.2 are: (a) the identity and contact details of the APP entity; (b) if: (i)

the APP entity collects the personal information from someone other than the individual; or

(ii) the individual may not be aware that the APP entity has collected the personal information; the fact that the entity so collects, or has collected, the information and the circumstances of that collection; (c) if the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order — the fact that the collection is so required or authorised (including the name of the Australian law, or details of the court/tribunal order, that requires or authorises the collection); (d) the purposes for which the APP entity collects the personal information; (e) the main consequences (if any) for the individual if all or some of the personal information is not collected by the APP entity; (f)

any other APP entity, body or person, or the types of any other APP entities, bodies or persons, to which the APP entity usually discloses personal information of the kind collected by the entity;

(g) that the APP privacy policy of the APP entity contains information about how the individual may access the personal information about the individual that is held by the entity and seek the

correction of such information; (h) that the APP privacy policy of the APP entity contains information about how the individual may complain about a breach of the Australian Privacy Principles, or a registered APP code (if any) that binds the entity, and how the entity will deal with such a complaint; (i)

whether the APP entity is likely to disclose the personal information to overseas recipients;

(j)

if the APP entity is likely to disclose the personal information to overseas recipients — the countries in which such recipients are likely to be located if it is practicable to specify those countries in the notification or to otherwise make the individual aware of them.

9.31 The disclosure about the purposes for which information is collected needs to be carefully considered and periodically reviewed by a [page 236] corporation. The requirement under APP 5.2(d) to notify the individual of the purposes of the collection of personal information is important as it determines the scope of a corporation’s rights to use information and the scope of its ‘secondary purpose’ rights: see discussion at 9.36ff. 9.32 The disclosure regarding the main consequences of not providing personal information is an interesting one. The primary consequence in this context will be that it will not be able to provide goods or services to the individual. However, some corporations, such as financial institutions, are required by law to collect personal information under anti-money laundering/counter-terrorism financing laws.25 In such cases the notification obligation does not add terribly much other than perhaps to educate the relevant individual or individuals. 9.33 If a potential customer refused to provide the required personal information in a financial services context, it would be necessary to decline to provide financial goods or services to that individual. However, if a corporation trading in consumer white goods stated that the main consequence of not providing personal information was that the supplier would not supply goods (even in a cash transaction), then arguably that term may be unfair for the purposes of unfair contract legislation as a term that: causes significant imbalance in the parties’ rights and obligations under the contract; is not reasonably necessary in order to protect the legitimate interests of the supplier; and

it would cause detriment to the consumer.26 Two key issues in this context would be whether such a requirement to provide personal information was a term of a contract at all and whether such a term would cause detriment to the consumer. If the consumer does not enter into a contract with a supplier due to the fact that a term of a proposed standard form contract would require them to provide certain personal information, then no contract exists. A contract must be formed for the unfair contract laws to apply and for the affected consumer to be able to bring an action under those laws.27 If a contract was formed, the consumer would have to show detriment. [page 237] In this context it should also be noted that the collection of potentially unnecessary personal information may be a breach of APP 3.2 (obligation to only collect information that is reasonably necessary for one or more of the organisation’s functions), but that does not necessarily mean the consumer has suffered detriment for the purposes of s 24 of the ACL. It is possible though for the consumer to argue that the giving up of personal information amounts to a loss of right to transact anonymously (APP 2) and that could constitute a disadvantage or detriment on the part of the consumer. 9.34 APP 5.2(f) is another disclosable matter that could, at least theoretically, make consumers baulk at entering into a contract with a supplier. If, for example, an onshore company stated that it regularly shares information with entities that the consumer objects to, what consequences follow from that objection? If no contract has been entered, then the unfair contracts regime cannot apply. Even if it did, it would be difficult to show any detriment to the consumer beyond their mere objection. The case against finding that the term is unfair would be even greater if the supplier could show that it was reasonably necessary in the context of its operations to share personal information with the entities or types of entities disclosed. 9.35 The final disclosure that will be discussed is in APP 5.2(i) and (j), which together require an organisation to notify individuals of the likely disclosure of personal information to overseas recipients and the countries in which such recipients are located, if practicable to do so.

It is difficult to see why such a disclosure is necessary. The requirement seems to be an outworking of the belief that keeping data onshore is more secure than data offshore.28 What the legislators and consumers should be more concerned about is the security of information rather than its geographical or physical location. While physical security associated with servers and databases that store personal information is an important pre-condition to maintaining the overall security of personal information, a far more important factor is logical security. Once personal information is accessible over a network and that network is connected to other networks (eg, the internet), the key to ensuring that information remains secure is robust logical security. For instance, it would be far preferable to have my personal information located in India in a data centre where the both the physical and logical security were extremely good than have that same information stored in [page 238] Australia in a data centre where the level of physical security was high, but the level of logical security was low. It is not the location of data that provides assurance; it is the overall level of both physical and logical security.29 Accordingly, the requirements in APP 5.2(i) and (j) may provide some illusory comfort to some individuals, but largely impose a disclosure burden on organisations for no perceivable benefit.

Use and disclosure of personal information 9.36 APP 6.1 implicitly provides that an organisation may use or disclose personal information for the primary purpose for which it was collected.30 It is critical for a corporation to accurately describe the purposes for which it collects information under APP 5.2(d) as this will not only assist in the determination of whether such collection is reasonably necessary for one or more of the entity’s functions or activities under APP 3.2, but that disclosure under APP 5.2(d) also determines the scope of the primary purpose and secondary purpose concepts contained in APP 6.1. 9.37 Under APP 6.1 an organisation must not use or disclose the information for another purpose (the secondary purpose) unless (a) the individual has

consented to such use or disclosure; or (b) an exception applies. Under APP 6.2 an organisation will be able to use personal information for a secondary purpose if: (a) the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is: (i)

if the information is sensitive information — directly related to the primary purpose; or

(ii) if the information is not sensitive information — related to the primary purpose; or (b) the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or (c) a permitted general situation exists in relation to the use or disclosure of the information by the APP entity; or (d) the APP entity is an organisation and a permitted health situation exists in relation to the use or disclosure of the information by the entity; or (e) the APP entity reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

[page 239] 9.38 In relation to the exception in APP 6.2(a), in most cases it will be unusual for corporations to collect sensitive information from its customers or about its customers. One exception to this is the collection and use of biometric information used in connection with verification and identification purposes. In light of this, any secondary use of such information will necessarily be limited in practice to purposes that are directly related to the purpose for which such information is collected. Should there be a need for wider use or disclosure of information by a corporation, then the logical approach would be to secure an individual’s consent to a broader set of primary purposes or secondary uses or disclosures. In terms of personal information that is not sensitive, a corporation is able to use personal information for any secondary purpose where such purpose is related to the primary purpose.31 The meaning of a similar phrase was considered in Australian Securities and Investments Commission v Narain [2008] FCAFC 120. In that case, Finkelstein J stated that ‘the words “in relation to” require a relationship or connection between two subject matters’.32 Accordingly, so long as a corporation can identify a relationship or connection between the primary purpose of collection and a secondary purpose, it will be

able to use personal information (excluding sensitive information) for that secondary purpose. 9.39 The other exceptions set out in APP 6.2 relate to: requirements required or authorised by law (APP 6.2(b)); five general exemptions for organisations, including for the collection, use or disclosure relating to investigations of unlawful conduct by the organisation, court proceedings or confidential alternative dispute purposes (APP 6.2(c)); use or disclosure that is necessary to provide a health service (APP 6.2(d)); and use or disclosure in connection with law enforcement (APP 6.2(e)). 9.40 APP 6.6 is a deeming provision. It provides that that if a body corporate collects personal information from a related body corporate, then the primary purpose of the latter body is imputed to the former body corporate in order to determine the primary and secondary purposes for which the former body can use or disclose personal information that it collects from a related body corporate. APP 6.7 states that APP 6 does not apply to direct marketing or the use of government identifiers as those matters are dealt with in APP 7 and APP 9 respectively. [page 240]

Direct marketing 9.41 APP 7.1 provides that personal information must not be used or disclosed for the purposes of direct marketing. The Act does not define the term ‘direct marketing’. The definition of that term is important as it in turn determines the scope of APP 7 and its relationship to APP 6. If an overly broad interpretation of direct marketing is adopted, it will squarely cut down the scope of APP 6. 9.42 The Code of Practice of the Australian Direct Marketing Association (ADMA) defines the term direct marketing to mean: … the marketing of goods or services or the seeking of donations through means of communication at a distance where: (a) consumers are invited to respond using a means of communication at a distance; and (b) it is intended that the goods or services be supplied under a contract negotiated through a means of communication at a distance.33

9.43 The Macquarie Dictionary defines the term direct marketing to mean ‘… a marketing technique in which the producer bypasses retailers and sells directly

to the customer’. In a review that it conducted in 2005, the Office of the Privacy Commissioner (OPC) defined the term to mean ‘[t]he promotion and sale of goods and services directly to the consumer’.34 The EM states that ‘[d]irect marketing involves communicating directly with a consumer to promote the sale of goods and services to the consumer’.35 It then goes on to say that direct marketing communications ‘could be delivered by a range of methods including mail, telephone, email or SMS’.36 An express or implicit element in all of these definitions is that direct marketing involves direct approaches to an identifiable individual as opposed to mass-marketing (or indirect marketing) to an unknown class or classes of persons. The ADMA definition which includes the ‘at a distance’ element would exclude marketing that was conducted ‘in person’ such as instore or over the counter marketing. If on the other hand a broader interpretation of the term was adopted, in person marketing that occurs within a store could fall within the definition of ‘direct marketing’. In such cases APP 6 would not apply and corporations would need to ensure that in person marketing conducted [page 241] instore complied with APP 7 by engaging one of the exemptions. This would appear to be too broad an application of the principles in APP 7. When a person enters a store, in one sense they are initiating contact with an organisation in a commercial environment. Any instore marketing could be reasonably expected in the circumstances and this situation falls squarely into the territory covered by APP 6. On the other hand, marketing which occurs at a distance, potentially intrudes on one’s personal space or time and is not associated with any contact initiated by an individual would seem to be a more appropriate subject for the specific regulation contained in APP 7.1. 9.44 Indeed, the EM suggests that direct marketing for the purposes of the Act is contact initiated by a corporation ‘at a distance’. This implication arises from the statement in the EM that ‘[t]he direct marketing communication could be delivered by a range of methods including mail, telephone, email or SMS’. While the words used leave open the possibility that in person marketing could

fall within the definition of direct marketing, it is telling that not one example provided in the EM contemplates a person-to-person interaction instore or otherwise face to face. In summary, it is argued that the most appropriate definition of direct marketing is one that is initiated by a marketer and is conducted ‘at a distance’, eg, email/mail outs and cold calling. 9.45 The general prohibition in APP 7.1 is subject to a number of exceptions. The first two exceptions overlap somewhat. APP 7.2 provides that: … an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if: (a) the organisation collected the information from the individual; and (b) the individual would reasonably expect the organisation to use or disclose the information for that purpose; and (c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and (d) the individual has not made such a request to the organisation.

9.46 The requirement in APP 7.2(a) is not difficult to apply. It should be clear in most cases from what source personal information is collected unless, for example, information from various sources is commingled in databases. The second requirement, contained in APP 7.2(b), is somewhat less clear in the sense that corporations that have relationships with thousands or millions of customers or otherwise have a large number of [page 242] individuals who they market to cannot consider whether each customer would reasonably expect the corporation to use or disclose information for a given purpose. Practical necessity means that consideration of this type of matter can generally only be made at a class or universal level. That is, a corporation needs to identify a factor that confirms or denies the existence of the relevant ‘reasonable expectation’. Such factors may include the notifications provided to customers when they first enter into a relationship with an organisation, terms of applicable contracts and what is disclosed in the corporation’s privacy policy. 9.47 Taken together these matters will enable a corporation to determine with some confidence whether an individual customer would reasonably expect to receive direct marketing. The requirement in APP 7.2(c) provides that a

corporation must provide a simple means for individuals to opt out of receiving direct marketing. The requirement in APP 7.2(d) relates to the requirement in APP 7.2(b). It is inconceivable that an individual could ever reasonably expect to receive direct marketing if they had notified a corporation that they do not want to receive direct marketing. If the law is read in this way, there are only effectively three core requirements in APP 7.2: direct collection; reasonable expectation; and the provision of an opt-out mechanism. 9.48 APP 7.3 provides another exception to the general prohibition of direct marketing in APP 7.1. APP 7.3 provides that an organisation may use or disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing if: (a) the organisation collected the information from: (i)

the individual and the individual would not reasonably expect the organisation to use or disclose the information for that purpose; or

(ii) someone other than the individual; and (b) either: (i)

the individual has consented to the use or disclosure of the information for that purpose; or

(ii) it is impracticable to obtain that consent; and (c) the organisation provides a simple means by which the individual may easily request not to receive direct marketing communications from the organisation; and (d) in each direct marketing communication with the individual: (i)

the organisation includes a prominent statement that the individual may make such a request; or

[page 243] (ii) the organisation otherwise draws the individual’s attention to the fact that the individual may make such a request; and (e) the individual has not made such a request to the organisation.

9.49 It is difficult to determine just when APP 7.3(a)(i) could apply. It may be intended to capture the situation where a former customer of a corporation may have opted out of receiving direct marketing a number of years earlier, but now has initiated a new relationship with a corporation. In that situation, there would be reasonable grounds for expecting that the individual may not wish to receive direct marketing. The circumstances in which APP 7.3(a)(ii) will apply are clear; if a corporation does not collect information from an individual, then the more onerous obligations in APP 7.3 must be complied with rather than those set out

in APP 7.2. The other main requirements are set out in APP 7.3(b) and APP 7.3(c). 9.50 APP 7.3(b) requires an organisation to obtain consent prior to using or disclosing information for direct marketing unless obtaining consent is impracticable. Taking the concept of consent first, the term consent is defined in the Act as meaning ‘express consent or implied consent’.37 Express consent is a relatively straightforward concept. On the other hand, what can constitute implied consent is more problematic. A similar concept of inferred consent is used in the Spam Act 2003 (Cth), that regulates the sending of commercial electronic messages for the purposes of promoting goods, services or other matters. Clause 2 in Sch 2 of the Spam Act contains the principal definition of ‘consent’ which provides that term includes: … (b) consent that can reasonably be inferred from: (i)

the conduct; and

(ii) the business and other relationships; of the individual or organisation concerned.

9.51 In Australian Communications and Media Authority v Clarity1 Pty Ltd [2006] FCA 410 the defendant argued that the mere provision of a functional ‘unsubscribe’ facility in a communication sent to an email recipient was sufficient to infer that the recipient consented to receiving unsolicited commercial messages. In support of their argument, the respondents relied on the Office of the Privacy Commissioner’s (OPC) Guidelines to the National Privacy Principles [page 244] (which provided non-enforceable guidance in relation to the principles that commenced in 2001) concerning the consent requirements in NPP 2. In this context, Nicholson J noted as follows: The respondents place reliance on comments at pp 37–8 of the Office of the Federal Privacy Commissioner in ‘Guidelines to the National Privacy Principles’ issued in September 2001. There it was stated that ‘it may be possible to infer consent from the individual’s failure to opt out provided that the option to opt out was clearly and prominently presented and easy to take up’. However, that statement must be read against a further statement where, after listing a number of factors said likely to enhance the possibility of the drawing of an inference of consent, the passage concluded:

It is unlikely that consent to receive marketing material on-line could be implied from a failure to object to it. This is because it is usually difficult to conclude that the message has been read and it is generally difficult to take up the option of opting out as it is commonly considered that there are adverse consequences to an individual from opening or replying to email marketing — such as confirming the individual’s address exists. This may also apply where material is distributed using other automated processes. (This would not prevent an organisation from seeking opt in consent on-line if NPP 2.1 allowed it).38

9.52 Nicholson J nevertheless went on to state that ‘such publications cannot control the interpretation of an Act of Parliament. The words of the Act must speak for themselves and be interpreted according to the normal rules of statutory construction’.39 The judge also noted that if an inference of consent is to be drawn from the fact that an individual has failed to reply to an unsolicited communication: … the foundations for it must be found in the circumstances. There are powerful features of the evidence which are inconsistent with the drawing of any such inference and militate against it. They are also inconsistent with any inference being drawn from any prior business relationship constituted by the initial sending of an electronic message to a recipient.40

9.53 In the context of unsolicited electronic commercial email, Nicholson J held that the mere fact that the respondent sent a message to an electronic address and did not receive a response from the recipient did not provide ‘a proper foundation for an inference of consent’.41 [page 245] His Honour then set out five other reasons for why consent could not be inferred in that case, namely: The entire relationship between the respondent and the email recipients was constituted in the absence of bilateral communication in circumstances where the respondent obtained the recipients’ email addresses without their knowledge.42 The fact that is was entirely possible that an email was not read by a recipient who was therefore unaware of an opt-out mechanism, mitigated against inferring consent, especially in a spam context.43 The evidence in the case suggested that there was no legitimate attempt to obtain consent from the recipient, ie, the respondent was going to send the email irrespective of whether consent was obtained.44 The volume of unsolicited emails sent made it improbable that the

respondents could have been aware that consent was in place prior to dispatching tens of millions of emails.45 9.54 It is important to appreciate that the views Nicholson J expressed in that case were against the backdrop of a professional spam undertaking. However, if: direct marketing was undertaken by a reputable corporation; the communication had a prominent, easy-to-use opt-out mechanism; and the communication included contact details; then it would be arguable that consent could be implied in these circumstances. Certainly, the apprehension of ‘adverse consequences’ referred to by the OPC (see 9.51) could not in any reasonable person’s mind exist in these circumstances. Ultimately, however, such issues cannot be pre-determined. Each case will need to be determined on its facts. 9.55 As discussed above, it is not necessary to obtain consent if it is impracticable to do so. But this begs the question: what will be impracticable in this context? The Macquarie Dictionary defines the term ‘impracticable’ to mean relevantly: ‘… not practicable; that cannot be put into practice with the available means’. [page 246] The question of what is impracticable is a very important one. The meaning of the word ‘impracticable’ was reviewed in Rohde and Rohde (1984) FLC 91-592. In that case Gee J concluded that that term, as used in s 79A of the Family Law Act 1975 (Cth), meant something different than impossible and said at 79,768 that: [t]he word “impracticable” means gleaning a definition from the Shorter Oxford Dictionary, “not practicable”, “that cannot be carried out or done”; “practicably impossible”; “unmanageable”; “intractable”.

9.56 In Cawthorn v Cawthorn [1998] FamCA 37 the court, after referring to the decision in Rohde and Rohde, expressed the view that the term impracticability ‘is capable of a very narrow application or a very broad application depending upon … the intent of Parliament’.46 The court proceeded to hold that the expression should be interpreted narrowly in that case. In Raffoul

v Blood Transfusion Service of the Australia Red Cross Society (1997) 76 IR 383 the court was of the view that the term ‘impracticable’ as used in the Industrial Relations Act 1988 (Cth): … should be construed in its strict sense. I have expressed the view that the word “impracticable” should be construed in its strict sense. See Liddell v Lembke (t/as Cheryl’s Unisex Salon) (1994) 127 ALR 342, at 367–8 and Fryar v Systems Services Pty Ltd (1995) 130 ALR 168, at 185 and 189 … practicability is not a matter of … convenience, or even … undesirability.

9.57 In interpreting the meaning of ‘impracticable’ for the purposes of the Privacy Act it is useful to note the balancing of interests recognised in s 2A of the Act which provides that the objects of the Privacy Act are relevantly: (a) to promote the protection of the privacy of individuals; and (b) to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities …

This latter recognition points to a broader rather than a narrower test, but one that is nevertheless a higher standard than one based on reasonableness. Parliament used the concepts of reasonable steps and reasonable expectations throughout the APPs, but did not use the concept of reasonableness in APP 7.3. Instead the concept of ‘impracticable’ was used. Nevertheless the word ‘impracticable’ as used in APP 7.3 would not seem to suggest an overly narrow interpretation such as actual ‘impossibility’, but something that reflects the definition in the Macquarie [page 247] Dictionary. That is, the term should be interpreted as meaning that obtaining consent will be impracticable if an organisation cannot, using the means that it has available to it or that an organisation of its type ought to have available to it, obtain express or implied consent. 9.58 In addition to the consent requirement, APP 7.3(c) mandates an organisation to provide a simple means for an individual to opt out of receiving direct marketing communications. Further, APP 7.3(d) requires that an organisation include a prominent statement in each direct marketing communication that the individual can make a request not to receive direct marketing communications47 or otherwise bring the fact that such a request can be made to the attention of the individual.48

9.59 APP 7.4 provides that sensitive information may be used for the purpose of direct marketing as long as an organisation has obtained the express or implied consent of the individual before using such information for that purpose. Interestingly, there is no requirement to provide an opt-out facility in such marketing. However, the outcome will probably be achieved by APP 7.6 which provides that an individual can request an organisation cease direct marketing to the individual or otherwise cease using their personal information for facilitating direct marketing by other organisations and also to reveal the source of the relevant information (which may or may not be the individual themselves). The combined effect of the requirements set out in APP 7 is to require an organisation to implement and maintain comprehensive information management policies in respect of personal information that it collects, uses or discloses in the course of any direct marketing activities. A failure to do so will not only make it difficult for an organisation to demonstrate that is complying with its direct marketing obligations under APP 7, but also put it at risk of being in breach of its information governance obligations in APP 1. Finally, it should be noted that APP 7 does not apply to the extent that any of the following apply: (a) the Do Not Call Register Act 2006 (Cth); (b) the Spam Act 2003 (Cth); or (c) any other Act of the Commonwealth, or a Norfolk Island enactment, prescribed by the Regulations.49

[page 248]

Cross-border disclosure 9.60 APP 8.1 requires that, before an organisation discloses personal information to an overseas recipient50 (ie, a person other than the organisation or the individual to whom the information relates), the organisation must ‘take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the Australian Privacy Principles (other than APP 1) in relation to the information’. 9.61 The first issue in this context is to determine whether a disclosure has been made to an overseas recipient. In light of how technology works, it is arguable that a range of transfers of personal information in electronic form

across an open network such as the internet or a closed network (such as dedicated links between servers or databases located in different jurisdictions) may not amount to a disclosure to an overseas person. The EM explicitly recognises one such example: [APP 8] is not intended to apply where personal information is routed through servers that may be outside Australia. However, entities will need to take a risk management approach to ensure that personal information routed overseas is not accessed by third parties. If the information is accessed by third parties, this will be a disclosure subject to APP 8 (among other principles).51

The essence of this point made in the EM is if information is securely routed across an open network such as the Internet, then such transfers should not amount to a disclosure to an overseas person for the purpose of APP 8. By extension, if routing of information through overseas routers does not constitute a disclosure for the purposes of APPs, then neither should secure storage of data on servers located overseas as long as access is limited to the organisation that stores the information on such servers. Where disclosure does actually occur then the requirements in APP 8.1 or APP 8.2 will need to be satisfied. 9.62 APP 8.1 — Accountability approach In a major departure from the ‘adequacy approach’ set out in the NPPs, the APPs adopt what has been referred to as an ‘accountability approach’. The adequacy approach [page 249] is reflected in NPP9(a) which states that if an organisation ‘reasonably believes that [an overseas] recipient of [personal] information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles’, then the organisation may transfer the information to that recipient. That is, in order to satisfy NPP9(a) an organisation was required to hold a certain belief. If that belief was reasonably held, but it transpired that the relevant recipient was not subject to a law, binding scheme or contract substantially similar to the NPPs, it would not amount to a breach of NPP. That position has changed under the APPs where an organisation attempts to rely on APP 8.1. That is because the so-called accountability approach has been incorporated in s 16C of the Act. Section 16C provides that: (1) This section applies if: (a) an APP entity discloses personal information about an individual to an overseas recipient;

and (b) Australian Privacy Principle 8.1 applies to the disclosure of the information; and (c) the Australian Privacy Principles do not apply, under this Act, to an act done, or a practice engaged in, by the overseas recipient in relation to the information; and (d) the overseas recipient does an act, or engages in a practice, in relation to the information that would be a breach of the Australian Privacy Principles (other than Australian Privacy Principle 1) if those Australian Privacy Principles so applied to that act or practice. (2) The act done, or the practice engaged in, by the overseas recipient is taken, for the purposes of this Act: (a) to have been done, or engaged in, by the APP entity; and (b) to be a breach of those Australian Privacy Principles by the APP entity.

9.63 Accordingly, if an organisation does not take such steps that are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs (excluding APP 1), then the organisation will be accountable for any breach by the overseas recipient of the APPs by virtue of s 16C.52 [page 250] The most obvious means to satisfy the obligation in APP 8.1 would be to enter into a binding contract with the applicable overseas recipient that imposed obligations on that recipient which reflected the APPs. The performance by the counterparty to the contract should also be monitored and/or audited. The contract ideally would also be enforceable, at the domestic organisation’s election, in either the applicable overseas jurisdiction or Australia.53 There are, however, a range of exceptions to the requirement set out in APP 8.1. 9.64 APP 8.2 APP 8.1 (and the deeming rule in s 16C of the Privacy Act) will not apply if a subclause in APP 8.2 is engaged. APP 8.2 provides that APP 8.1 does not apply to disclosures of personal information to an overseas recipient if, relevantly: (a) the entity reasonably believes that: (i)

the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and

(ii) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme; or (b) both of the following apply: (i)

the entity expressly informs the individual that if he or she consents to the disclosure of the information, subclause 8.1 will not apply to the disclosure;

(ii) after being so informed, the individual consents to the disclosure; or (c) the disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order; or (d) a permitted general situation (other than the situation referred to in item 4 or 5 of the table in subsection 16A(1)) exists in relation to the disclosure of the information by the APP entity; …

9.65 In order to engage subclause APP 8.2(a), an organisation needs to form the required reasonable belief. The EM explains the intent of APP 8.2(a) as follows: The “reasonable belief” test will allow entities to make decisions based on the information available to them and the context of a particular disclosure. The term ‘substantially similar’ will not be defined, and provides flexibility in considering the regulatory elements of the overseas

[page 251] jurisdiction. The term “at least” will be used to ensure that stricter obligations than the APPs will still be compliant. It is not essential that the overseas jurisdiction have an office equivalent to the OAIC in order to provide accessible enforcement mechanisms. It should be possible for a range of dispute resolution or complaint handling models to satisfy this requirement. Effective enforcement mechanisms may be expressly included in a law or binding scheme or may take effect through the operation of crossborder enforcement arrangements between the OAIC [Office of the Australian Information Commissioner] and an appropriate regulatory authority in the foreign jurisdiction.

9.66 An example of a legal framework that would satisfy the requirement in APP8.2(a) would be the Data Protection Act 1998 (UK) as it has broadly similar requirements to those set out in the APPs and a ‘data subject’54 may take action to enforce their rights under that statute.55 However, it is not clear, for example, that the equivalency test would be satisfied by the privacy laws that exist in India. While s 43A of the Information Technology (Amendment) Act 2008 (India) provides that body corporates implement ‘reasonable security practices’ in relation to ‘sensitive personal information’ and are also subject to certain obligation concerning the collection, disclosure and trans-border transfers of sensitive personal information,56 there is scope to argue that the regime falls short of being ‘substantially similar’ in substance and also whether foreign individuals can bring an action to enforce rights under these provisions. An organisation would need to obtain specific advice on these points in order to be able to form a reasonable belief for the purposes of APP 8.2(a). 9.67

APP 8.2(b) is another alternative open to organisations in this context.

That provision is unlikely to be overused. The many steps involved here — informing the individual of the requirements of APP 8.1, then explaining that those requirements will not apply and then having [page 252] to ensure that the individual consents — would not seem very appealing for an organisation or an individual. The exceptions set out in APP 8.2(c) (disclosures required or authorised by law) and APP 8.2(d) (certain narrow permitted exceptions) are likely to be rarely used or relied upon by corporations.

Government identifiers 9.68 APP 9 relates to government related identifiers. A government related identifier is defined in the Act to mean: … an identifier of the individual that has been assigned by: (a) an agency; or (b) a State or Territory authority; or (c) an agent of an agency, or a State or Territory authority, acting in its capacity as agent; or (d) a contracted service provider for a Commonwealth contract, or a State contract, acting in its capacity as contracted service provider for that contract.

9.69 APP 9.1 prohibits an organisation adopting a government related identifier of an individual as its own unless: required or authorised to do so at law or by order of a court or tribunal; or regulations permit certain adoption, use or disclosure. 9.70 APP 9.2 provides that an organisation must not use or disclose a government related identifier unless one of six exceptions set out in APP 9.2 applies. Other than were it is reasonably necessary for a corporation to use or disclose a government related identifier in order for the corporation to verify the identity of an individual for the purposes of its activities or functions (APP 9.2(a)), it will be rare for most corporations to be able to rely on one of the exceptions listed in APP 9.2.

Quality and security of personal information

9.71 Under APP 10 an organisation must take reasonable steps to ensure that the personal information that the entity collects is accurate, up-to-date and complete.57 It must also take reasonable steps to ensure that the personal information that its uses or discloses is accurate, up-to-date, complete and relevant having regard to the purpose of the use or disclosure.58 [page 253] 9.72 In terms of information security, under APP 11.1 an organisation must take reasonable steps to ensure that it protects personal information from: (a) misuse, interference and loss; (b) unauthorised access, modification or disclosure. In order to achieve this outcome, it will be necessary for organisations to implement and maintain effective information security controls. The definition of ‘reasonable steps’ in this context will be discussed in Chapter 11. 9.73 APP 11.2 requires that an organisation take reasonable steps to ensure that personal information is destroyed or de-identified if an organisation no longer needs it for any purpose for which it may use or disclose that information under the APPs, subject to the information not needing to be retained for legal reasons or because the information forms part of a Commonwealth record.59 The central test here is whether personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs. This is a very broad test and it would seem to confer a large amount of discretion on organisations as to when information would need to be destroyed or deidentified.60

Access to and correction of personal information 9.74 APP 12 provides a framework for individuals to seek access to their personal information. APP 12.1 outlines the primary access right. APP 12.3 then provides that organisations need not give individuals access to their personal information for a number of reasons, including to the extent that: providing access would have an unreasonable impact on the privacy of other individuals;61 the request is frivolous or vexatious;62

the information relates to anticipated legal proceedings between the organisation and the individual;63 giving the information would reveal the intentions of the entity in relation to negotiations between it and the individual;64 [page 254] giving access would prejudice investigations by the organisation into unlawful activity or misconduct of a serious nature or otherwise prejudice law enforcement activities;65 or granting access would reveal evaluative information generated internally relating to a commercially sensitive decision-making process.66 9.75 An entity must respond to a request for access within a reasonable period,67 and give access to an individual if it is reasonable and practicable to do so.68 If access is not granted due to the operation of an exemption or it is not otherwise granted in the manner requested by an individual, the organisation should take reasonable steps to give access in a way that meets the needs of the organisation and the individual. That is, the organisation is required to take reasonable steps to arrive at a compromise in this context.69 This may even require the use of an intermediary.70 Any charges levied for access must not be excessive and must not relate to the actual making of the request.71 If access is refused, an organisation must provide a written notice to the individual setting out two core matters, namely: the reasons for refusal except if it would be unreasonable to do so having regard to the reasons for the refusal; and the means by which an individual can complain about the refusal.72 Interestingly, APP 12.10 provides that if the ground for refusal was because the granting of access would reveal evaluative information generated internally relating to a commercially sensitive decision-making process, then the reasons for refusal may include an explanation for the commercially sensitive decision. It may difficult to apply APP 12.10 in some cases. For example, in some situations merely informing an individual that a commercially sensitive matter exists, may be enough to convey, taken together with other information that the individual knows, the gist of the commercially sensitive decision. In other cases,

it may be possible to provide a sufficiently anodyne statement without risk of disclosing commercially sensitive information. [page 255] 9.76 APP 13 provides a comprehensive framework for the correction of personal information. An organisation is required to correct information if it is satisfied that it is inaccurate, out-of-date, incomplete, irrelevant or misleading having regard for the purpose for which it is held, or if an individual requests it to do so. In those situations, the organisation is required to take reasonable steps to correct the information.73 APP 13.2 then provides that other organisations have to be notified of such correcting in certain circumstances. APP 13.3 provides that an organisation must provide written reasons for refusing to correct information and information to the individual concerned about making a complaint. APP 13.4 concerns the steps an organisation may need to take to associate statements with purportedly incorrect information where an individual requests such steps to be taken. APP 13.5 states that an organisation must respond to a request to access information or associate a statement with purportedly incorrect information within a reasonable period after the request is made. No charge can be made for making a request under APP 13, correcting information or requesting that a statement is associated with purportedly incorrect information.

PRIVACY AND CREDIT INFORMATION — THE OBLIGATIONS OF CREDIT PROVIDERS 9.77 Credit information is a form of personal information that is highly valuable to corporations which provide credit to individuals. Such information allows corporations to more effectively manage the risks associated with providing credit to individuals. The more effectively corporations can manage the risk associated with providing credit directly influences the profitability of their businesses. Credit information allows corporations to predict with some certainty credit risk (ie, the risk that an individual will default on their obligations under a credit contract) associated with a particular individual that they may be considering extending credit to. The amended Privacy Act contains new rules about the use of credit

information. The focus of this section will be on the new laws as they relate to corporations as credit providers. 9.78 Credit information about an individual is a category of personal information that is more highly regulated than ‘mere’ personal information under the amended Privacy Act. That position reflects the relative sensitivity that individuals generally have in terms of their credit information. However, the new legislation does strike a balance between [page 256] the heightened sensitivity of individuals in this context and the value of credit information to corporations that provide credit to individuals. 9.79 The changes to the credit reporting provisions move the Australian regime from a negative credit reporting system to a ‘more comprehensive’ credit reporting system. Under the negative reporting system the main types of personal information that could be used in the system were ‘information about a credit provider having sought a credit report in relation to an applicant for credit, the amount of credit sought in the application, the individual’s current credit providers (if any), and information about any credit defaults (a term that was specifically defined)’.74 Under the ‘more comprehensive’ approach the following categories of personal information can also be used within the credit reporting system: the date the credit account was opened; the type of credit account opened; the date the credit account was closed; the current limit of each open credit account; and repayment performance history about the individual. 9.80 It is important to note though that in order to reflect the lifecycle of credit information, Pt IIIA (Credit reporting) of the amended Act recognises four categories of credit-related information. The four categories are ‘credit information’, ‘credit reporting information’, ‘credit eligibility information’ and ‘regulated information’. The term credit information is used to define the personal information that credit providers collect about individuals and disclose to credit reporting bodies such as Veda and Dun & Bradstreet.

Credit reporting information is that information which is provided by credit reporting bodies to credit providers. It comprises all of the relevant credit information collected by a reporting body concerning an individual together with any credit worthiness (eg, credit scoring or credit assessment information) the body derives from the ‘raw’ credit information it holds. In turn, credit eligibility information comprises the credit reporting information that a credit provider receives from a reporting body plus any information about an individual’s credit worthiness that a credit provider derives from the credit reporting information that it receives. In some cases, credit providers disclose credit reporting information or credit eligibility information to other parties in the usual course of business. For example, a bank may disclose those types of information [page 257] to a mortgage insurer. In such cases, this information (while it has not changed form) is referred to as ‘regulated information’ for the purposes of the amended Act due to the fact that it is has been disclosed to a party that is not a credit reporting body or a credit provider (ie, the two primary participants in the credit reporting system). The parties described above and the information types that flow between them are depicted in the diagram below.

Source: Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012

The Act imposes differing obligations on the various parties mentioned above. For the reasons mentioned at 9.77, this section will focus on the obligations of credit providers.

Who is a credit provider? 9.81 The definition of the term ‘credit provider’ under the amended Act is a broad one. The definition is a composite one that is contained in ss 6G–6K. Examples of credit providers are: banks, other organisations where a substantial part of the organisation’s business is the provision of credit;75 and other organisations which provide credit to their clients in connection with the sale of goods and services where repayment (in full or part) of the amount of the credit is deferred for at least seven days.76 9.82 The term ‘credit’ is defined as ‘a contract, arrangement or understanding under which: (a) payment of a debt owed by one person to another person is deferred; or (b) one person incurs a debt to another person and defers the payment of the debt’.77 The term ‘credit information’ is a comprehensively defined to mean: Credit information about an individual is personal information (other than sensitive information) that is: (a) identification information about the individual; or

[page 258] (b) consumer credit liability information about the individual; or (c) repayment history information about the individual; or (d) a statement that an information request has been made in relation to the individual by a credit provider, mortgage insurer or trade insurer; or (e) the type of consumer credit or commercial credit, and the amount of credit, sought in an application: (i)

that has been made by the individual to a credit provider; and

(ii) in connection with which the provider has made an information request in relation to the individual; or (f)

default information about the individual; or

(g) payment information about the individual; or (h) new arrangement information about the individual; or (i)

court proceedings information about the individual; or

(j)

personal insolvency information about the individual; or

(k) publicly available information about the individual: (i)

that relates to the individual’s activities in Australia or the external Territories and the individual’s credit worthiness; and

(ii) (l)

that is not court proceedings information about the individual or information about the individual that is entered or recorded on the National Personal Insolvency Index; or

the opinion of a credit provider that the individual has committed, in circumstances specified by the provider, a serious credit infringement in relation to consumer credit provided by the provider to the individual.78

Additional obligations 9.83 Generally, Pt IIIA imposes obligations on credit providers that are additional to those set out in the APPs. However, there are exceptions and, where applicable, the provisions of Pt IIIA clarify the relationship between it and the APPs. For example, s 21Q(3) provides that APP 10 does not apply to ‘credit eligibility information’.79 The relationship is described in s 21A(2) as follows: If the credit provider is an APP entity, this Division may apply to the provider in relation to information referred to in subsection (1) in addition to, or instead of, the Australian Privacy Principles.

[page 259] The EM explains the relationship between the APPs and the credit reporting regime in the following terms: For credit providers, the credit reporting rules apply over the top of the APPs in relation to the kinds of personal information regulated in the credit reporting system. In relation to all other kinds of personal information the APPs will apply.80

Information governance 9.84 Section 21B imposes certain information governance obligations on credit providers. Credit providers have a broad obligation to ensure that they implement practices, procedures and systems that will ensure compliance with their legal obligations under Pt IIIA, Div 3 (credit providers) and which will enable the credit provider to deal with inquiries or complaints.81 Section 21B(3) then requires a credit provider to have a clearly expressed and up-to-date policy about its management of credit information and credit eligibility information. Without limiting the requirement set out in s 21B(3), s 21B(4) provides a long list of matters that must be addressed in that policy. A credit provider must take reasonable steps to make the policy available free of

charge and in such form as appropriate.82 A note to s 21B(5) states that ‘a credit provider will usually make the policy available on the provider’s website’. Where a credit provider is also bound by the APPs, s 21B(7) provides that APP 1.3 and APP 1.4 (regarding APP policies) do not apply to credit information and credit eligibility information.

Dealing with credit information 9.85 Clause 21C provides that in addition to the obligations set out in APP 5, a corporation which is a credit provider must comply with enhanced disclosure obligations. That is, the corporation must disclose: the details of any credit reporting bodies that it may disclose personal information to (eg, Veda or Dun & Bradstreet);83 in the corporation’s credit reporting policy information about how an individual may access their credit eligibility information, how they may seek to correct that information;84 and [page 260] in the corporation’s credit reporting policy information how an individual may make a complaint and how the credit provider will deal with the complaint.85 9.86 A key provision in the new legislation is s 21D. Interestingly, the prohibition is not an outright ban on use and disclosure of credit information unlike the prohibition on use and disclosure of credit eligibility information which is set out in s 21G. Section 21D merely prohibits a credit provider from disclosing credit information to a credit reporting body. The prohibition does not apply to other uses and disclosures, which would be governed by the less onerous APPs. A breach of this prohibition makes an organisation liable to a maximum fine of 2000 penalty units. However, there is an exception. If a credit provider is a member of a prescribed external dispute resolution body and knows or believes that an individual is at least 18 years old, then the credit provider can disclose credit information about the individual to a credit reporting body (eg, Veda or

Dun & Bradstreet) which has an Australian link,86 provided that the information meets certain requirements set out in s 21D(3). Importantly, only a credit provider that is a licensee under the National Consumer Credit Protection Act 2009 (Cth) (NCCP Act) can disclose ‘repayment history information’ to a credit reporting body.87 Where a disclosure is made, a credit provider must make a note of such disclosure: s 21D(6). A breach of the note-taking obligation in s 21D(6) is a civil penalty provision carrying a maximum fine of 500 penalty units. Where a credit provider would normally be subject to the APPs, s 21D(7) provides that APP 6 and 8 do not apply to the disclosure of credit information by the provider to a credit reporting body. 9.87 Section 21E provides that if a credit provider discloses default information to a credit reporting body and subsequently the relevant amount is paid, then the credit provider must, within a reasonable period, notify the body that the repayment has been made. A failure to do so attracts a civil penalty of 500 penalty units. 9.88 Subject to one exception, s 21F prohibits any credit provider from providing credit information to a credit reporting body in relation to an [page 261] individual if there is a ban period in place in respect of that individual. A ‘ban period’ relates to a period where a freeze is in place in relation to the use and disclosure of credit reporting information about an individual who has notified a reporting body about possible identify theft. The purpose of s 21F is to ensure that a credit provider which cannot access credit reporting information during a ban period but nevertheless proceeds to provide credit to an individual (or an individual purporting to be that individual), then the credit provider cannot provide any credit information to a reporting body concerning the applicable credit. The purpose of this provision is to prevent possible contamination or further contamination of an individual’s credit information during a period where identity theft may have occurred. A breach of the provision attracts a civil penalty of up to 2000 penalty units. There is one exception to this prohibition. A credit provider may contribute credit information in respect of an individual to a reporting body during a ban period provided it

has taken steps that are reasonable in the circumstances to verify the identity of the individual.88

Dealing with credit eligibility information 9.89 Consistent with s 21D in respect of credit information, s 21G sets out a general prohibition on the use and disclosure of credit eligibility information by a credit provider. However, unlike s 21D, s 21G prohibits the use or disclosure outright (ie, to any person). A breach of that provision attracts a civil penalty of up to 2000 penalty units. However, there are exceptions to the general rule. These exceptions are set out in ss 21G(2) and 21G(3). 9.90 Section 21G(2) provides a range of exceptions for use of credit eligibility information. The exceptions include use of credit eligibility information for consumer credit related purpose,89 certain permitted purposes (including in connection with commercial credit, securitisation and guarantees) and use required or authorised by law. However, in contrast to the position under APP 6 in relation to ‘mere’ personal information, the use of credit eligibility information for secondary purposes is not permitted. Section 21G(3) provides a range of exceptions to the disclosure of credit eligibility information. These exceptions include: certain permitted disclosures (including where an individual has consented to disclosure to another credit provider; disclosures to a principal where the credit provider is an agent in a credit context; disclosures in connection [page 262] with securitisation; disclosures to guarantors, mortgage insurers, debt collectors and in stations involving potential assignments of debt);90 disclosures to related bodies corporate which have an Australian link;91 disclosures to persons who manage credit arrangements for a credit provider;92 certain disclosures relating to suspected serious credit infringements;93 disclosures in connection with a dispute resolution scheme;94 or the disclosure is authorised by law.95 The disclosures of credit eligibility information made under s 21G cannot include any repayment history information:96 s 21G(4). A breach of this provision attracts a civil penalty of up to 2000 penalty units. There are some

exceptions to this prohibition. The prohibition does not apply to disclosures of credit eligibility information containing repayment history information: to a credit provider who is licensed under the NCCP Act; to mortgage insurers; to an enforcement body; authorised by law; or made under an external dispute resolution scheme: see combined effect of ss 21G(4) and 21G(5). This prohibition reflects the strict restrictions to the collection, use and disclosure of repayment history information under Pt IIIA of the Act. Credit reporting bodies are only permitted to collect credit information from credit providers where those providers are allowed to disclose such information under s 21D.97 Section 21D prohibits a credit provider from disclosing repayment history information to a credit reporting body unless the credit provider is a licensee under the NCCP Act.98 The aggregate effect of these provisions is to ensure that repayment history information only circulates between licensees under the NCCP Act and credit reporting bodies. A reason for the limitation in this context is that it was thought that it struck a better balance between the privacy of the individual in that the use of repayment history by entities other than the ones mentioned above was unnecessary. It was argued by some stakeholders that access to repayment history information (especially a good repayment history) may be used by some as a justification to [page 263] lend to individuals where new credit was clearly beyond their means.99 The prohibitions mentioned above were designed to offset this concern because licensees that are subject to the NCCP Act are under responsible lending obligations and therefore would not be legally able to misuse repayment history information in the manner described. 9.91 If a credit provider does make a disclosure under s 21G, it must make a note of such disclosure. A failure to do so attracts a civil penalty of up to 500 penalty units.100 In terms of the relationship between s 21G and the APPs, s 21G(7) provides that the APPs 6, 7 and 8 do not apply to credit providers in relation to credit eligibility information. Further, where any credit eligibility

information comprises a government related identifier, APP 9.2 does not apply to the credit provider in relation to the information.101 9.92 Section 21P deals with the obligations of a credit provider which refuses an application for credit from an individual in their own name or jointly. Essentially, the provision requires the credit provider to notify an individual that the application has been refused based wholly or partly on the credit eligibility information and also to notify the individual of the name and contract details of the credit reporting body that disclosed the credit reporting information that the credit eligibility information was based on.102

Integrity of credit eligibility information 9.93 Section 21Q requires a credit provider to take reasonable steps to ensure that the credit eligibility information that it collects is accurate, up-to-date and complete.103 The provision also requires a credit provider to take reasonable steps to ensure that the credit eligibility information that it uses or discloses is accurate, up-to-date, complete and relevant having regard to the purpose of such use or disclosure.104 APP 10 does not apply to credit eligibility information in this context.105

Use or disclosure of false or misleading information 9.94 Section 21R provides some general offences in relation to credit information and credit eligibility information. If a credit provider [page 264] discloses credit information to a credit reporting body under s 21D, or it otherwise uses or discloses credit eligibility information under Div 3 (Credit providers) of Pt IIIA and the applicable information is false or misleading in a material particular, the credit provider commits an offence which attracts a maximum penalty of up to 200 penalty units.106 9.95 Section 21R also contains some civil penalty provisions which mirror the offence provisions, but provide for higher financial penalties. If a credit provider discloses credit information under s 21D, or uses or discloses credit eligibility

information, which is false or misleading in a material particular, it will constitute a breach of a civil penalty provision and attract a penalty of up to 2000 penalty units.

Quality and security of information 9.96 All credit providers must take such steps that are reasonable in the circumstances to protect credit eligibility information from: misuse, interference and loss; and from unauthorised access, modification or disclosure.107 The concept of ‘reasonable steps’ in relation to the security of information will be dealt with in Chapter 11. 9.97 Further, any credit eligibility information that a credit provider no longer needs for any purpose for which the information may be used or disclosed, the provider must take reasonable steps to destroy the information or ensure that it is de-identified.108 This latter requirement does not apply unless the information is required to be retained by or under an Australian law or court/tribunal order.109 While it may not be necessary to retain credit eligibility information by law, it is certainly the case that such information would necessarily need to be retained on a consumer’s file to support credit decisions made in connection with that file (eg, as part of making reasonable enquiries as to a customer’s financial situation under s 117(1)(b) of the NCCP Act). For credit regulated by the NCCP Act , a customer can request a copy of a preliminary assessment conducted by a licensee into (among other things) their financial situation for up to seven years after an initial quote provided by a credit licensee to the customer.110 Some institutions may think it prudent to retain the credit assessment in case they need to use it to support, if challenged, their preliminary assessments of the relevant [page 265] customer’s financial situation. More broadly, they may want to retain it for the purposes of defending or asserting a claim in any external dispute resolution body or any other forum. Corporations that deal with credit eligibility information need to pay careful

attention to the destruction/de-identification obligation as a breach of the law attracts a civil penalty of up to 1000 penalty units.111 9.98 Section 21S provides that APP 11 does not apply to a credit provider in relation to credit eligibility information.

Access to and correction of information 9.99 Subdivision F of Pt IIIA imposes a range of obligations on credit providers in terms of: providing access to individuals (and persons authorised to assist individuals) to any credit eligibility information about that individual;112 correcting on its own volition any information where the credit provider is satisfied it is inaccurate, out-of-date, incomplete, irrelevant or misleading having regard to the purpose for which the information is held by the provider;113 correcting information on request from an individual where it subsequently forms the view that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading;114 consulting with other parties in relation to potentially inaccurate, outof-date, incomplete, irrelevant or misleading information;115 and providing notices of correction.116 Again, Subdiv F of Pt IIIA provides a number of exemptions to the application of the APPs.117 No specific civil penalties are set out in this subdivision. [page 266]

ENFORCEMENT Civil penalties 9.100 In relation to credit reporting obligations, the relevant offences and civil penalty provisions have been mentioned, where applicable, in the preceding

section. There is however a civil penalty provision of general application set out in s 13G. Section 13G provides that an organisation will contravene the Act if: (a) the entity does an act, or engages in a practice, that is a serious interference with the privacy of an individual; or (b) the entity repeatedly does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.

9.101 Among other things, if an act or practice of an organisation breaches an APP in relation to personal information about the individual or an act or practice breaches a provision of Pt IIIA in relation to personal information about the individual, then such an act or practice will amount to an interference with the privacy of an individual.118 Accordingly, if that interference is serious in relation to one individual or is a repeated interference affecting one or more individual, the organisation could be subject to a civil penalty of up to 2000 penalty units.119 An example of a serious breach of privacy in relation to an individual could be a breach that led to the individual being the subject of identity theft as a result of the unlawful disclosure. An example of a repeated breach would be the failure to ensure reasonable steps were taken to secure personal information on multiple occasions or in relation to a large number of individuals.

Complaints and investigations 9.102 An individual may complain to the Commonwealth Privacy Commissioner (Commissioner) about an act or practice that may be an interference with the privacy of the individual.120 There are also provisions which permit representative complaints.121 The Commissioner will investigate an act or practice if the act or practice ‘may be an interference with the privacy of an individual’ and the complaint has been made under s 36.122 [page 267] Section 41 provides a long list of circumstances when the Commissioner may decide not to investigate a matter. In addition, however, the Commissioner must not investigate a matter if a complaint has not first been made to the respondent, unless the Commissioner forms the view that it was not appropriate for the complainant to first complain to the respondent.123

The Commissioner may also, on his or her own initiative, investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP 1 and the Commissioner thinks that it is desirable that the investigation occurs.124 The Commissioner must make a reasonable attempt to conciliate the complaint in certain circumstances.125 A range of provisions in the Act deal with the progression of a complaint through the resolution framework set out in the Act, including provisions concerning: the investigation;126 hearings;127 power to obtain information and documents;128 power to examine witnesses;129 and conduct of compulsory conferences.130 9.103 After investigating a complaint, the Commissioner may, among other things: make a determination dismissing the complaint; declare that the respondent engaged in conduct constituting an interference with privacy of an individual; declare that the complaint should be compensated; or declare that a respondent must take specific steps within a specified period to ensure that certain conduct is not repeated or continued.131 After investigating a matter on the Commissioner’s own initiative under s 40(2), the Commissioner may also make declarations of a like kind.132 Interestingly, s 55 provides as follows: If the determination [made by the Commissioner] applies in relation to an organisation or small business operator, the organisation or operator: (a) must not repeat or continue conduct that is covered by a declaration included in the determination under sub subparagraph 52(1)(b)(i)(B) or paragraph 52(1A)(a) [declarations that the respondent must not repeat or continue conduct]; and

[page 268] (b) must take the steps that are specified in a declaration included in the determination under subparagraph 52(1)(b)(ia) or paragraph 52(1A) (b) within the specified period [declaration that the respondent must take specified steps to ensure that conduct is not repeated or continued]; and (c) must perform the act or course of conduct that is covered by a declaration included in the determination under subparagraph 52(1) (b)(ii) or paragraph 52(1A)(c) [declarations about redressing loss or damage].

9.104 Section 55A(1) provides that a determination may be enforced by the Federal Court of the Federal Magistrates Court on application by the complainant133 or the Commissioner. The court is to deal with the matter by way

of a hearing de novo or a full new hearing,134 although there is provision to receive evidentiary certificates135 and other information from the Commissioner.136 A court may make such orders as it thinks fit if it is satisfied that a person or entity to which the determination applies has engaged in conduct that constitutes an interference with the privacy of an individual.137

Other powers of the Commissioner 9.105 The Commissioner has powers to monitor the security and accuracy of information held by an entity that is information to which Pt IIIA applies.138 The Commissioner also has powers to examine the records of an entity to ensure that they are not using information to which Pt IIIA applies for unauthorised purposes and are taking reasonable steps to prevent the unlawful disclosure of such information. 139 The Commissioner has power to do all things necessary or convenient to be done for or in connection with such monitoring.140 9.106 The Commissioner also has the power to conduct an assessment of a range of matters relating to the APPs, including: whether personal information held by an organisation is being maintained and handled in accordance with the APPs or a related binding code;141 [page 269] whether information held by an organisation is being maintained and handled in accordance with the provisions of Pt IIIA or a related binding code.142 The Commissioner may conduct such assessments in such manner as he or she thinks fit.143 9.107 In addition to these powers, the Commissioner has the power to accept an enforceable undertaking given by an organisation in respect to compliance with the amended Act.144 If an enforceable undertaking is breached, the Commissioner has the ability to have the order enforced by a court.145

CONCLUSION 9.108

The amendments to the Privacy Act significantly change the landscape

of privacy regulation in Australia. Compliance with the new laws will be essential for corporations to maintain the trust of the individuals whose personal information they handle. Indeed, it will also be important, more broadly, in terms of the reputation that a corporation has in the broader community. However, complying with the new laws will not always be a straightforward task. There are a number of interpretation and other issues that will need to be addressed over time. In order to address these issues successfully, corporations subject to the Act will need to design and implement compliance programs which contemplate the new requirements. _________________________ 1.

World Economic Forum, Personal Data: The Emergence of a New Asset Class, January 2011, .

2.

For commentary concerning the law which applies up until the amendments contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) take effect, see generally: Privacy, Confidentiality and Data Security, LexisNexis online looseleaf; C Doyle and M Bagaric, Privacy Law in Australia, The Federation Press, Sydney, 2005.

3.

The Hon Nicola Roxon, Attorney-General and Minister for Emergency Management, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Second Reading, 23 May 2012.

4.

ALRC, For Your Information: Australian Privacy Law and Practice, Report 108, 2008, .

5.

Including registered political parties, agencies (as they are separately defined under the Act), state or territory authority and prescribed instrumentalities of a state or territory: s 6C. See also s 7B for other exemptions to the Act, including s 7B(3) (employee records) and s 7B(4) (journalism).

6.

See s 6D(1).

7.

See s 6D(4).

8.

The Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (EM), 52.

9.

See fn 4, ALRC Report 108, [6.53].

10. At [6.3]. 11. This relates to whether one’s identity is fixed or changes over time (eg, change of name by deed poll). 12. Microsoft Asia Pacific, Submission PR 463, 12 December 2007. 13. See fn 8, EM, 53. 14. See fn 4, ALRC Report 108, p 301. 15. The introduction of the information governance obligations is a further development that the legislature is seeking to create a culture of privacy compliance within organisations. In this respect, see the comments of French J in Australian Securities and Investments Commission, in the matter of Chemeq Ltd (ACN 009 135 264) v Chemeq Ltd (ACN 009 135 264) [2006] FCA 936 at [84]–[89] concerning the need to create a culture of compliance with respect to continuous disclosure obligations. His Honour’s comments are just as apposite in the context of privacy law.

16. See fn 8, EM, 73. 17. NPP 5.1 and NPP 5.2, the current Act. 18. See fn 8, EM, 73–4. 19. ‘… if any material not forming part of the Act is capable of assisting in the ascertainment of the meaning of the provision, consideration may be given to that material: (a) to confirm that the meaning of the provision is the ordinary meaning conveyed by the text of the provision taking into account its context in the Act and the purpose or object underlying the Act; or (b) to determine the meaning of the provision when: (i) the provision is ambiguous or obscure; or (ii) the ordinary meaning conveyed by the text of the provision taking into account its context in the Act and the purpose or object underlying the Act leads to a result that is manifestly absurd or is unreasonable’ one can consider (among other things) ‘… any explanatory memorandum relating to the Bill containing the provision, or any other relevant document, that was laid before, or furnished to the members of, either House of the Parliament by a Minister before the time when the provision was enacted’ but when considering whether to rely on such material or the weight to be given to such material ‘… regard shall be had, in addition to any other relevant matters, to: (a) the desirability of persons being able to rely on the ordinary meaning conveyed by the text of the provision taking into account its context in the Act and the purpose or object underlying the Act; and (b) the need to avoid prolonging legal or other proceedings without compensating advantage’: see s 15AB, Acts Interpretation Act 1901 (Cth). 20. For example see T Pullar-Strecker, ‘Leaked, Stolen Data Leaps by 40%’, Sydney Morning Herald, 14 December 2012, . 21. G Wilkins, ‘NAB to Customers: You’re the Voice on Security’, Sydney Morning Herald, , 21 November 2012. 22. See s 6(1): ‘sensitive information’ means … (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or (e) biometric templates. 23. See fn 8, EM, 78. 24. For the purposes of the Act, personal information is ‘de-identified’ if the ‘information is no longer about an identifiable individual or an individual who is reasonably identifiable’: s 6(1). 25. This would need to be disclosed under APP 5.2(c). 26. See for example, s 24, Australian Consumer Law. 27. Note that s 3 and item 8 of Sch 7 of Act 103 of 2010 provides that the unfair contracts regime applies to ‘a contract entered into on or after the commencement’ of that law. Cf J Paterson, Unfair Contract Terms in Australia, Thomson Reuters, Australia, 2012, pp 59–65. 28. For an illustration of this protectionist approach, see J Bliech, ‘Cloud Agreement Can Bring Blue Skies’, Sydney Morning Herald, 11 December 2012, . 29. See further Chapter 11. 30. See fn 8, EM, 79. 31. See APP 6.2(a)(ii). 32. Australian Securities and Investments Commission v Narain [2008] FCAFC 120 at [9]. 33. Australian Direct Marketing Association, Direct Marketing Code of Practice, 2006, 8. 34. Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, 2005, 94.

35. See fn 8, EM, 81. 36. At 81. 37. See s 6(1). 38. Australian Communications and Media Authority v Clarity1 CK Pty Ltd [2006] FCA 410 at [75]. 39. At [76]. 40. At [77]. 41. At [78]. 42. At [79]. 43. At [80]–[83]. 44. At [84]. 45. At [85]. 46. Cawthorn v Cawthorn [1998] FamCA 37 at 43. 47. APP 7.3(d)(i), the amended Act. 48. APP 7.3(d)(ii). 49. See APP 7.8. 50. For the purposes of APP 8.1 an overseas person would include a natural person or a body corporate. See s 2C(1), Acts Interpretation Act 1901(Cth): ‘In any Act, expressions used to denote persons generally (such as “person”, “party”, “someone”, “anyone”, “no-one”, “one”, “another” and “whoever”), include a body politic or corporate as well as an individual.’ 51. See fn 8, EM, 83. 52. See further fn 8, EM, 70–1. 53. An example is by way of a collateral jurisdiction deed. 54. A ‘data subject’ is defined in s 1 of the Data Protection Act 1998 (UK) as ‘an individual who is the subject of personal data’. The term ‘personal data’ is also defined in that section as follows: “personal data” means data which relate to a living individual who can be identified — (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual’. 55. See, for example, ss 42 and 43, Data Protection Act 1998 (UK). 56. The combined effect of s 43A and rules contained in Gazette of India (Extraordinary), No 11(3)/2011CLFE. 57. APP 10.1. 58. APP 10.2. 59. The term ‘Commonwealth record’ is defined in s 6(1) to have the same meaning as in the Archives Act 1983 (Cth). 60. The term ‘de-identified’ is defined in s 6(1) to mean ‘personal information is de-identified if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’. 61. See APP 12.3(b). 62. APP 12.3(c).

63. APP 12.3(d). 64. APP 12.3(e). 65. APP 12.3(h) and APP 12.3(i). 66. APP 12.3(j). 67. APP 12.4(a)(i). 68. APP 12.4(b). 69. APP 12.5. 70. APP 12.6. 71. APP 12.8. 72. APP 12.9. Note also that Regulations may also prescribe other matters from time to time. 73. APP 13.1. 74. See fn 8, EM, 90. 75. See s 6G(1). 76. See s 6G(2) 77. See s 6M(1). 78. See s 6N. 79. The expression ‘credit eligibility information’ essentially means credit worthiness information contained in or derived from ‘credit reporting information’: see s 6(1). The expression ‘credit reporting information’ is essentially any credit information (whether primary information or derived by a credit reporting body, eg, Dun & Bradstreet and Veda) of a type listed in 9.82. 80. See fn 8, EM, 99. 81. See s 21B(2). 82. See s 21B(5). 83. See s 21C(1). 84. See ss 21C(3)(a) and 21C(3)(b). 85. See ss 21C(3)(c) and 21C(3)(d). 86. The term ‘Australian link’ is defined in s 5B. 87. See related discussion at 9.90ff. 88. See s 21F(3). 89. The term ‘consumer credit related purpose’ is defined in s 6(1). 90. See s 21G(3)(a). The relevant permitted disclosures are called ‘permitted CP disclosures’ and are set out in ss 21K–21N. 91. See s 21G(3)(b). 92. See s 21G(3)(c). 93. See s 21G(3)(d). 94. See s 21G(3)(e). 95. See ss 21G(3)(f) and 21G(3)(g). 96. The term ‘repayment history information’ is defined in s 6(1) to have the meaning set out in s 6V.

97. See s 20C(3)(a). 98. See s 21D(3)(c). 99. See fn 8, EM, 27. 100. See s 21G(6). 101. See s 21G(8). 102. See ss 21P(1) and 21P(2). 103. See s 21Q(1). 104. See s 21Q(2). 105. See s 21Q(3). 106. See ss 21R(1) and 21R(2). 107. See s 21S(1). 108. See s 21S(2). 109. See s 21S(2)(c). 110. See s 120(1) of the National Consumer Credit Protection Act 2009. 111. Other issues relating to the retention of corporate information are discussed in Chapter 10. The maximum financial penalty for a contravention can be increased by a multiple of five if the offender is a body corporate: s 1312. Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit means $170 (NB: this was increased from $110 by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth)). 112. See s 21T. 113. See s 21U. Also note the obligations to notify others of corrections in certain case: s 21U(2) subject to the exception in s 21U(3). 114. See s 21V(2). 115. See s 21V(3). 116. See ss 21U(2) and 21W. 117. See ss 21T(8), 21U(4) and 21V(6). 118. See ss 13(1)(a) and 13G(2)(a). 119. See s 13G. Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit means $170 (NB: this was increased from $110 by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth)). 120. See s 36. 121. See s 38. 122. See s 40(1). 123. See s 40(1A). 124. See s 40(2). 125. See s 40A. 126. See s 43. 127. See s 43A. 128. See s 44.

129. See s 45. 130. See ss 46 and 47. 131. See s 52(1) 132. See s 52(1A). 133. A determination may be enforced on application by the complainant if the determination was made under s 52(1). 134. See s 55A(5). 135. See s 55B. 136. See, for example, s 55B(6). 137. See s 55A(2). 138. See s 28A(1)(a). 139. See s 28A(1)(b). 140. See s 27(2). 141. See s 33C(1)(a). 142. See s 33C(1)(b). 143. See s 33C(2). 144. See s 33E. 145. See s 33F.

[page 271]

Part 4 Information Security and Management



[page 273]

Chapter 10 Digitising Corporate Records and the Law

INTRODUCTION 10.1 As the information economy continues to expand it seems incongruous that contemporary corporations do not maximise the amount of corporate information they hold in digital form. Indeed, much corporate information is kept in digital form largely because it is ‘born digital’. The focus of this chapter is not on such information.1 The particular focus of this chapter is on issues relating to corporations converting paper-based source documents and information that they obtain during the course of their operations into digital form. This process raises a number of legal issues, including issues arising under document retention laws, evidence laws and document integrity laws. However, what is clear is that moving a corporation from a paper-based operation to a digital operation can unlock significant economic benefits. And this can be achieved with no change to a corporation’s legal risk profile. The relevant issues will now be examined below.

Converting paper documents to digital information — the main issues 10.2 Broadly speaking, in order for documents to be acceptable in digital form for retention and evidentiary purposes, in law, they must be: authentic — a corporation must be able to demonstrate that the documents are what they purport to be; reliable — a corporation must be able to show that the relevant documents have been unaltered; and

[page 274] accessible — a corporation must maintain controls to ensure that the documents can be accessed and read whenever the documents are required. 10.3 In order to satisfy these record-keeping requirements after conversion, most corporations have, historically, maintained copies of documents in hard copy form (even where they may use digital copies for workflow purposes). The law however does not require this to be the case. The law supports the use of imaged documents (ie, documents that have been converted from hard copy form to digital form). An effective conversion system will not only satisfy all relevant legal obligations, but has the very real potential to provide a superior solution to the mass storage of documents in paper form. For instance, an enterprise scale paper-based record management system is unwieldy and does not expand or scale efficiently. In addition, such a system cannot be: easily indexed; easily accessed or searched; accessed remotely; conveniently cross-referenced to show relationships between records; encrypted for security reasons; used in conjunction with hash algorithms to promote integrity; or used in conjunction with granular access controls/system logs/audit logs. 10.4 On the other hand, an effective conversion system is able to provide all of these features. What then would constitute an ‘effective conversion system’? An effective conversion system is an essential pre- condition to satisfying legal obligations in this context. Such a system needs to satisfy a range of requirements, including all of the following: (a) Design The process for conversion of hard copy documents to digital copies is managed in a system: the design of which is fully documented and which accords with applicable standards (eg, AS/ISO 15489) so as to ensure that converted records are captured in a manner that satisfies all essential operational

requirements, including those relating to integrity, authenticity and accessibility; that produces converted records in a format that is appropriate for longterm archival storage (eg, PDF/A — a file format and an ISO Standard for the long-term archiving of electronic documents); and which satisfies a corporation’s requirements, including any applicable policies. [page 275] (b) Conversion integrity A corporation takes steps to ensure that all converted records are complete and that such documents are accurate records of the applicable source documents (eg, no data is lost, all pages are scanned (front/back), necessary annotations are captured, all attachments are captured, resolution is appropriate, the imaging mode is appropriate (bitonal, greyscale or colour) and colour management is otherwise appropriate). (c) Date stamp The process captures the date on which the conversion of an imaged document occurs. (d) Quality assurance A quality assurance method should be implemented (eg, check of each image plus statistical sampling). Ad hoc imaging must be avoided. (e) Security A corporation should not dispose of superfluous hard copy source documents until a corporation is satisfied that the digital images of those documents which will form part of its system of record are complete and accurate copies of the hard copy source documents. (f)

Systems All necessary forms of hardware and software are retained by a corporation so that archived digital documents can be opened and read at all relevant times in the future.

(g) Technical staff Sufficiently qualified technical experts are engaged to design, implement and maintain the system. If all of these requirements are satisfied, the law will support the conversion of a document or other corporate information using such a system as the official business record of the corporation. Assuming that an effective conversion system

is implemented, the following sections of this chapter will identify the relevant legal obligations in this context and discuss why those legal obligations will be satisfied.

THE PRINCIPAL DOCUMENT RETENTION OBLIGATIONS 10.5 The primary document retention obligations of corporations arise under the following statutes: Corporations Act 2001 (Cth); and Income Tax Assessment Act 1936 (Cth) and other tax legislation, including Fringe Benefits Tax Assessment Act 1986 (Cth) and the Tax Administration Act 1953 (Cth). The key requirements that arise under each statute will be discussed in turn below. [page 276]

Obligations under the Corporations Act 10.6 The primary document retention obligations in the Corporations Act are contained in s 286, Ch 2M.2 (Financial records).2 Under s 286 a corporation has obligations to retain a range of documents. It must keep such records for at least seven years.3 A corporation must also keep written ‘financial records’, that correctly record and explain its transactions, financial position (eg, balance sheet), performance (ie, profit and loss, and cash flow) and enable the preparation of true and fair audited financial statements. The terms ‘financial record’ is defined in s 9 of the Act to include: (a) Invoices, receipts, orders for the payment of money, bills of exchange, cheques, promissory notes and vouchers (b) Documents of prime entry (ie, generally books where transactions are first recorded) (c) Working papers and other documents needed to explain: (i)

The methods by which financial statements are prepared

(ii) Adjustments made in preparing financial statements

10.7 The above definition creates certain issues for a corporation. First, the definition is inclusive, not exhaustive, so there is substantial scope for other documents to fall within the terms of the relevant provision. Second, in light of the nature of enterprise activity it is very difficult to safely quarantine ‘financial records’ and deal with them in a manner that complies with Ch 2M.2 and deal with all other documents in another manner. These twin issues generally lead to corporations collecting and storing more documents records than they need to at law, prompting the use of an efficient storage system. As mentioned above, traditionally corporations have used an inefficient paperbased system because of concerns associated with the use of converting these documents to digital form; using these converted documents as a single source of truth in the company’s operations; and destroying the redundant source documents. The virtue of the legal framework contained in the Ch 2M.2 and the rest of the Corporations Act, however, is that it permits corporations [page 277] to digitise hard copy documents in the manner described above. The next sections will explain why this is the case. 10.8 There are at least three grounds for arguing that any document required to be retained under s 286 be converted from paper form into a digital form. These grounds are summarised below: by applying the ordinary meaning of s 286, that requires such records to be in ‘writing’; by applying the facilitative provisions contained in s 1306 of the Corporations Act; and by applying the facilitative provisions contained of the Electronic Transactions Act 1999 (Cth) (ETA).

The first ground — applying the plain meaning of the word ‘writing’ 10.9

Section 286(1) requires that a corporation keeps ‘written’ financial

records. First, it is necessary to define them. 10.10 The definition of ‘financial records’ in s 9 of the Act relies in part on the definition of the word ‘document’. The word ‘document’ is not defined in the Corporations Act, however, it is defined in s 25 of the Acts Interpretation Act 1901 (Cth) to include: (a) any paper or other material on which there is writing; (b) any paper or other material on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them; and (c) any article or material from which sounds, images or writings are capable of being reproduced with or without the aid of any other article or device. 10.11 Again, the expression ‘writing’ is used in the context of s 25 of the Acts Interpretation Act. For the purposes of s 25, ‘writing’ is defined as including ‘any mode of representing or reproducing words, figures, drawings or symbols in a visible form’. Section 286 also uses the term ‘records’. While that term is not defined in the Corporations Act, it is again defined in s 25 of the Acts Interpretation Act as including: ‘information stored or recorded by means of a computer’. Parliament intended the terms set out in s 25 to have a very broad operation. The Explanatory Memorandum to the Acts Interpretation Amendment Bill 1984 (which ultimately inserted s 25 into the primary Act) states that: [page 278] Proposed section 25 defines what is meant by a document and is intended to cover all advances that have been made in the methods that are used for recording information. The new definitions of ‘document’ and ‘writing’ make reference to modern modes of storing and reproducing words. Figures, symbols etc.

10.12 Based on first principles, it is argued that documents converted using an effective conversion system (ie, which are complete and accurate copies of source documents), would clearly be ‘financial records’ (assuming they fall within the scope of that definition) kept for the purposes of s 286 of the Corporations Act. Such documents would relevantly: ‘… be other material on which there is writing’ ‘… be an article or material from which … writings are capable of being

reproduced with or without the aid of any other article or device’ ‘… be information stored or recorded by means of a computer’ and ‘… involve a mode of representing or reproducing words, figures, drawings or symbols in a visible form’. In line with the reasoning above, Austin and Ramsay observe that: … [the law] requires “written” financial records, but this does not preclude record keeping in electronic form since the definition of “writing”… extends to computerised records.4

10.13 If there is any doubt as to whether the term ‘writing’ includes digital documents, which would seem implausible to entertain in this age, it should also be noted that courts have expressed the view that ‘an ongoing statute [such as the Acts Interpretation Act] ought to be read to accommodate technological change’: Lockheed-Arabia v Owen [1993] 3 All ER 641; McGuren v Simpson [2004] NSWSC 35. Applying such an approach here would lend further support to the argument that a converted document could be a written financial record for the purposes of s 286. The views expressed above provide a strong basis for permitting any corporation that may wish to do so to proceed with a proposal to convert paper records to digital records using an effective conversion system. [page 279] There are also alternative grounds that a corporation may rely on in order to give effect to any digitisation strategy in this context.

The second ground — the facilitative provisions contained in s 1306 of the Corporations Act 10.14 In addition to the matters set out above, a corporation may rely on s 1306 in order to give effect to a digitisation initiative. Section 1306(1) of the Corporations Act expressly permits a corporation to maintain documents of the type covered by s 286 in electronic form. Section 1306(1)(b) relevantly provides that a book that is required by this Act to be kept or prepared may be kept or prepared ‘… by recording or storing the matters concerned by means of a mechanical, electronic or other device’. Section 1306(2)(a) relevantly goes on to provide that a book is not authorised by the law to be kept or prepared by a

mechanical, electronic or other device unless ‘the matters recorded or stored will be capable, at any time, of being reproduced in a written form’. As long as a corporation utilised an effective conversion system that is capable of reproducing documents in written form, it is clear that s 1306(1) would allow a corporation to proceed to implement a digitisation initiative.

The third ground — the facilitative provisions of the ETA 10.15 Further in the alternative, it is argued that the ETA applies to ‘financial records’ that are required to be kept under s 286. The main counter argument would be that the Electronic Transactions Regulations 2000 (Cth) (ETR) expressly excludes the application of the ETA to the Corporations Law and the now repealed Corporations Act 1989 (Cth).5 The ETR does not however exclude the application of the ETA to the Corporations Act 2001 and an intention to exclude it cannot be implied. In order to explain why this position is taken it is necessary to briefly consider the history of corporations legislation. 10.16 The former Corporations Law scheme commenced on 1 January 1991. Under that scheme, the Corporations Law was contained in an Act of the Commonwealth Parliament (the Corporations Act 1989) and was enacted for the Australian Capital Territory. Laws of each state and the Northern Territory applied the Corporations Law of the Australian Capital Territory as a law of the state or the Northern Territory. The scheme was designed to operate as a single national scheme even though it actually applied in each state and the Northern Territory as a law of the relevant state or territory. Given that the scheme was [page 280] actually given effect to by state and territory law, it was sensible for the ETR to exclude the application of the Commonwealth ETA to the ‘Corporations Law’ and the now repealed Corporations Act 1989 (Cth) (as they were state and territory laws). It is equally open to assume it was entirely deliberate for the ETR not to exclude the operation of the ETA to the Corporations Act 2001 when it became legislation enacted by Commonwealth Parliament. 10.17 In light of the history of the relevant schemes set out above, it is not plausible to argue that the Corporations Act 2001 constitutes the Corporations

Act 1989 ‘repealed and re-enacted’ as contemplated by the rules in ss 10 and 10A of the Acts Interpretation Act which allow references to repealed and reenacted Act to be read as references to the re-enacted Act. Accordingly, for the reasons set out above, the ETA does apply to the Corporations Act 2001. Accordingly, s 12 of the ETA would apply in this context. 10.18 Section 12 of the ETA provides that a corporation may satisfy its record-keeping obligations under a law of the Commonwealth (including the Corporations Act 2001) by retaining electronic copies of documents. In order to do so, a corporation must comply with two key requirements set out in s 12, namely: the means for generating the electronic form of the document is a reliable means of assuring the integrity of the information contained in the document (ie, at the point of imaging/conversion, storage and with all subsequent accesses); and it is reasonable to expect the electronic copy could be readily accessible for future reference. If a corporation maintains an effective conversion system which has the features described in 10.4, the requirements of the ETA will be satisfied. Accordingly, this would comprise the third legal ground on which a corporation could rely in order to implement a digitisation initiative. The next section will explore retention requirements under tax legislation.

Obligations under tax legislation 10.19 Under the Income Tax Assessment Act 1936 (Cth) (ITAA) a corporation must keep records that record and explain all transactions and other acts engaged in by a corporation that are relevant for any purpose under the ITAA. The records must be ‘readily accessible and [page 281] convertible into writing in the English language’.6 The analysis set out above in 10.9ff in terms of what constitutes ‘writing’ would enable a digitised document to satisfy the first limb of this provision. In addition, a digital document created

as a result of an effective conversion system would be one that would ‘… be readily accessible and readily converted into writing in the English language’. This position is taken as the word ‘converted’ is defined in the Macquarie Dictionary to mean ‘… change in character, form, or function’. The verb ‘convert’ is defined as ‘… to change into something of different form or properties; transmute; transform’. This indicates that s 262A of the ITAA contemplates the transformation of records or documents, including the transformation from electronic storage into hard copy form. 10.20 Alternatively, it is argued that electronic copies of digitised documents could be retained in accordance with s 12 of the ETA. Indeed, the ATO has confirmed this in TR2005/9 which provides as follows: 57. The Tax Office considers that where it is intended to convert original paper records onto an electronic storage medium by way of an imaging process that this represents a true and clear reproduction of the original documentation. The Tax Office accepts the imaging of paper records provided the conversion process produces electronic copies that are a complete, true and clear reproduction of the original paper records. For instance, Optical Character Recognition conversion processes that do not produce a 100% accurate reproduction of original documents are not acceptable to the Tax Office. 58. Scanned copies of paper records must: not be altered or manipulated once stored; be retained for the statutory period of 5 years; and be capable of being retrieved and read by Tax Office staff.

10.21 There is one further point that needs to be made in relation to ‘conversion’ in this context. In respect of conversion activities that the law permits in this context, it is sometimes argued that the law permits conversion from digital form to paper form, but does not contemplate conversions in the other direction (ie, paper to digital). The rationale for such an argument appears to be that the inherent nature of computerised records means it is impossible for the native form of the document to be in English or a form of writing that the human eye can read (ie, documents will be stored, at the lowest level, in bit or machine code [page 282] format). Accordingly, the argument goes, that it is essential to adopt the unidirectional approach to interpreting the relevant provisions. In the author’s view

such an argument adopts a very narrow approach to the concept of conversion. It is clear that the law places no express or implied ‘directional qualification’ in this context. As such, the term should be given its plain and ordinary meaning, and the interpretation set out in the preceding paragraphs adopted. 10.22 By maintaining an effective conversion system as described in 10.4, a corporation would satisfy its obligations in respect of the ITAA in this context. Similar document retention obligations apply under the Tax Administration Act 1953 (Cth) and the Fringe Benefits Tax Assessment Act 1986 (Cth), and those obligations can, at the very least, also be satisfied in accordance with s 12 of the ETA by maintaining an effective conversion system of the type described in 10.4.

DIGITISED DOCUMENTS AND THE LAWS OF EVIDENCE 10.23 Other issues that concern corporations seeking to implement digitisation initiatives are issues arising under the law of evidence. Since the mid-1900s, lawyers have been grappling with the evidentiary issues associated with books and records where they have been converted from one medium to another. For example, the Victorian Chief Justice’s Law Reform Commission made the following observations in 1962 when discussing a proposal to recognise imaged copies under the law of evidence: We recognise the possibility that our proposal [to allow imaged copies on micro fiche] may occasionally prove of assistance to a determined evil-doer bent on fraud or forgery. Cases may be supposed, and examples given, in which the fact of forgery can be detected only by examination of an original document. As against this, however, we believe that the good which the community will derive from our proposal will far outweigh any possible evil effects in an occasional isolated case. Indeed, we are by no means convinced that the present law provides much more in the way of safeguards than would be provided if our proposal is adopted. Moreover, if the original document has been lost or destroyed, inspection of it is no longer possible.7

10.24 Thankfully, developments in the law of evidence since 1962 suggest that we need not be as concerned about the evil effects that may arise in occasional isolated cases in this context. The current state of the [page 283] evidence law that governs the relevant issues will be discussed in terms of the

following laws and jurisdictions: the Corporations Act; the Uniform Evidence Acts; and the evidence legislation of Queensland, South Australia and Western Australia.

Corporations Act — ss 1305, 1306 Section 1305 of the Corporations Act provides that:

10.25

(1) A book kept by a body corporate under a requirement of this Act is admissible in evidence in any proceeding and is prima facie evidence of any matter stated or recorded in the book. (2) A document purporting to be a book kept by a body corporate is, unless the contrary is proved, taken to be a book kept as mentioned in subsection (1).

Relevantly, s 1306 further provides that:

10.26 (5) If:

(a) because of this Act, a book that this Act requires to be kept or prepared is prima facie evidence of a matter; and (b) the book, or a part of the book, is kept or prepared by recording or storing matters (including that matter) by means of a mechanical, electronic or other device; a written reproduction of that matter as so recorded or stored is prima facie evidence of that matter. (6) A writing that purports to reproduce a matter recorded or stored by means of a mechanical, electronic or other device is, unless the contrary is established, taken to be a reproduction of that matter.

10.27 As noted in Austin J’s judgment in ASIC v Rich [2005] NSWSC 417 (Rich), the ‘purpose of s 1305 is to expedite legal proceedings by obviating the need to call witnesses to prove that the [tendered] books are the books of the corporation or to prove the transactions recorded in the books’.8 The combined effect of s 1305 and sub-sections 1306(5) and (6) is to remove any doubt that reproductions of documents are admissible. As Austin J pointed out in Rich: … [w]here it applies, s 1305 allows a document properly tendered to become prima facie evidence of any matter stated in it, regardless of whether the stated matter offends an exclusionary rule of the Evidence

[page 284]

Act, such as the hearsay rule or the opinion rule. Subsection (2), where applicable, avoids the need to prove the authenticity of the document, unless the presumption is rebutted. Where information is recorded on a computer hard-drive, s 1306(5), if applicable, … [provides] a ‘fast track’ to admissibility of … tendered documents.9

10.28 There is the further requirement that the document must purport to be a book kept by a corporation. That is, there needs to be something on the face of the document to satisfy this requirement before s 1305(2) can operate. In most cases this will be evident from the document, but in other cases, affidavit evidence may be required. Also, if ‘the contrary is proved …’ or the ‘… contrary is established’ as contemplated by s 1305(2) and s 1306(6) respectively, then further evidence will need to be adduced by a corporation to address those circumstances. However, as a matter of fundamental principle, in summary, if a corporation can show in a given case that a converted document it seeks to tender is a book which it keeps as a body corporate under s 286 or some other requirement of the Corporations Act, it will be able to engage the ‘fast track’ to admissibility referred to in Rich. 10.29 In the event that a corporation cannot rely on the provision mentioned in the preceding section (due to jurisdictional issues or for other reasons), then depending on the jurisdiction a corporation may need to rely on either the Uniform Evidence Acts or other evidence statutes.

Uniform Evidence Acts 10.30 Under the Commonwealth (including the Australian Captital Territory), New South Wales, Northern Territory, Victorian and Tasmanian evidence legislation (Uniform Evidence Acts), there is broad scope to prove and admit copy documents into evidence. When introducing the Victorian version of the Act into state Parliament, the then Attorney-General Rob Hulls said that: The new Act will cut red tape for Victorian businesses, government and the not-for-profit sector … The legislation removes the original document rule which, when combined with current statute law, is complex and unwieldy … The rule has resulted in businesses, Government and not-for-profit organisations retaining documents in their original form as part of a prudent risk-management strategy for potential litigation. This places an unnecessary record-keeping burden on businesses.10

[page 285] 10.31 In order to consider whether an organisation can take advantage of these benefits under the Uniform Evidence Acts (ie, by using copy or converted

documents in evidence), the following issues need to be considered (in the order set out below): (1) What constitutes a ‘document’ for the purposes of the Uniform Evidence Acts? (2) What are the authentication requirements in relation to secondary evidence (ie, copies of documents)? (3) What is the requirement to tender or adduce documentary evidence? (4) What are the exclusionary rules?

What constitutes a document? 10.32

A document under the Uniform Evidence Acts is defined to mean:

… any record of information, and includes: (a) anything on which there is writing; or (b) anything on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them; or (c) anything from which sounds, images or writings can be reproduced with or without the aid of anything else; or (d) a map, plan, drawing or photograph.11

10.33 The legislation further provides that any reference to a ‘document’ includes a reference to: (a) any part of the document; or (b) any copy, reproduction or duplicate of the document or of any part of the document; or (c) any part of such a copy, reproduction or duplicate.12

10.34 Any converted document which is a complete and accurate copy of a source document will fall within the scope of these definitions. The next step in this process is to authenticate the document under the Uniform Evidence Acts.

What are the authentication requirements in relation to secondary evidence? 10.35 The Uniform Evidence Acts swept away the common law rules relating to best evidence and replaced them with a more flexible approach

[page 286] to the use of secondary evidence concerning the contents of documents. However, it is arguable that the abolition has not significantly diminished the need to prove that a document to be tendered is what it purports to be. This is referred to as the ‘authentication’ requirement. Again, the courts are reluctant to allow documents to speak for or prove themselves.13 10.36 A simple way of authenticating a document is by ‘evidence from its creator, or someone who superintends the maintenance of business records that include it’,14 however the law does not require that authentication by such means is necessary. Although inferences can be drawn from documents, where the act of tendering the document is contested, the law requires that there must be something more than the mere tender of the document itself. In such cases a short affidavit should be sufficient to prove (on the balance of probabilities) that a converted document is what it purports to be.

Tendering/adducing documentary evidence 10.37 The next issue to be considered is whether a converted copy of a document could be adduced under the Uniform Evidence Acts. Section 48 permits evidence of the contents of a ‘document in question’ (defined in s 47(1)) to be adduced by various independent methods, which include tendering a copy (s 48(1)(b)); tendering a document produced from electronically-stored information (s 48(1)(d)); and tendering a document that forms part of the records kept by a business and purports to be a copy of the document in question (s 48(1) (e)). 10.38 In National Australia Bank Ltd v Rusu [1999] NSWSC 539 Bryson J observed that the effect of s 48(1), when a copy of a document is tendered to prove its contents, is that admissibility is in the same position as if the tendering party had tendered the original document in question, subject to the need to authenticate the document as discussed above. Accordingly, a converted document produced by using an effective conversion system would in the normal course be able to be adduced as evidence under these Uniform Evidence Acts.

Exclusionary rules 10.39 Many of the converted documents that a corporation would seek to tender as evidence would be subject to the rules of hearsay evidence: s 59. This is because a corporation would be using such documents to prove the [page 287] existence of a fact or representation in the document. In these cases, a corporation would be able to rely on the business records exception to the hearsay rule contained in s 69 of the Uniform Evidence Acts. It is important to note in this context that this issue would apply whether a corporation maintains paper-based copies or converted copies of documents.

Queensland, South Australian and Western Australian Evidence Acts 10.40 Under the Queensland, South Australian and Western Australian evidence statutes, the approaches required to tender and admit copy documents vary significantly both from the approach contained in the Uniform Evidence Acts and also among themselves. In this section the key provisions that enable copy documents to be admitted into evidence in each of the relevant jurisdictions will be discussed.

Queensland — Evidence Act 1977 10.41 Section 97 of the Evidence Act 1977 (Qld) (Qld Act) contains a general proposition that allows copy documents to be admissible as evidence. Section 97 states: Where in any proceeding a statement contained in a document is proposed to be given in evidence by virtue of this part, it may be proved by the production of that document or (whether or not that document is still in existence) by the production of a copy of that document, or the material part thereof, authenticated in such manner as the court may approve.

10.42 Generally, authentication under the Qld Act may be carried out by an employee of a corporation, swearing an affidavit and confirming that the copy document is an accurate copy of an original. An employee could confidently

swear such an affidavit in relation to copy documents which are the product of an effective conversion system; such copies would be accurate copies of the original source documents. 10.43 Section 106 of the Qld Act specifically relates to reproductions of business documents that are destroyed, lost or unavailable. Section 106 provides that: … a document that purports to be a copy of an original document made or used in the course of a business shall, upon proof that it is a reproduction made in good faith and that the original document has been destroyed or lost, whether wholly or in part, or that it is not reasonably practicable to produce the original document or to secure its production, be admissible in evidence in any proceeding to the extent to which the contents of the original document of which it purports to be

[page 288] a copy would have been admissible and it shall, subject to proof of the same matters, be a sufficient answer to legal process issued by a court, requiring production of a document to the court, for the person required by that process to produce the document to produce such a reproduction of the document.

10.44 In other words, a copy of a business document is admissible in evidence as long as it is accompanied by proof of the matters referred to in that section (which will ordinarily be by way of affidavit sworn by an employee of a corporation). Relevantly, any affidavit will need to state the date upon which the document was copied. Accordingly, a corporation’s conversion system will need to reflect the date on which the document was converted or otherwise imaged to facilitate this process. The affidavit will also need to describe the process by which the copy document was made and confirm that the process or functions used to store and retrieve the digitised document was in good working condition. 10.45 As long as these requirements are met, it would be difficult to anticipate any difficulty in satisfying the requirements of s 106 in respect of digital copy documents produced by an effective conversion system. 10.46 The Qld Act also makes specific provision for copy documents to be admissible if they are generated by computer. Under that Act, the term ‘computer’ is defined to mean: … any device for storing and processing information, and any reference to information being derived from other information is a reference to its being derived therefrom by calculation, comparison or any other process.

It is arguable that this provision is intended to apply to the production of

documents that are originally created in digital form (ie, they had no prior existence in physical form) as opposed to documents that are digital copies of paper documents. However, putting entrenched conservatism to one side, it is submitted that the better view is that ‘an ongoing statute [such as the Qld Act] ought to be read to accommodate technological change’: Lockheed-Arabia v Owen [1993] 3 All ER 641; McGuren v Simpson [2004] NSWSC 35. Such an approach would overwhelm the somewhat specious argument set out above.

South Australia — Evidence Act 1929 10.47 Section 45C of the Evidence Act 1929 (SA) formally modifies the best evidence rule by broadening the types of copy documents which are admissible in evidence, so that a copy that ‘accurately reproduces the contents of another document’ is admissible to the same extent as the original, whether or not the original still exists. Section 45C(2) provides [page 289] that, in determining whether a copy accurately reproduces the contents of another document, the court is not bound by the rules of evidence, and in particular may: rely on its own knowledge of the nature and reliability of the processes by the which the reproduction was made (s 45C(2)(a)); or make findings based on the certificate of a person with knowledge and experience of the processes by which the reproduction was made, or who has compared the contents of both documents and found them to be identical (s 45C(2)(b) and (c)), or act on ‘any other basis it considers appropriate in the circumstances’ (s 45C(2)(d)). There should be no issues with a digital copy of a paper source document satisfying the requirements of s 45C provided it was created using an effective conversion system.

Western Australia — Evidence Act 1906 10.48

Section 73A of the Evidence Act 1906 (WA) modifies the best evidence

rule in that jurisdiction. The provision largely mirrors s 45C of the South Australian legislation. Subsection 73A(1) provides that a ‘document that accurately reproduces the contents of another document is admissible in evidence before a court in the same circumstances, and for the same purposes, as that other document, whether or not that other document still exists’. 10.49 The court is granted a wide discretion and is not bound by the rules of evidence in determining whether a copy accurately reproduces the contents of an original document. As with the South Australian legislation, the court may: rely on its own knowledge of the nature and reliability of the processes by which the reproduction was made; make findings based on a certificate in the prescribed form, either by a person with knowledge and experience of the processes by which the reproduction was made, or who has compared the contents of both documents and found them to be identical; or act on any other basis that is considers appropriate in the circumstances. 10.50 By virtue of s 73A(3), the above provisions clearly apply to a reproduction made by a process in which the contents of a document are recorded by electronic or other means. The Court of Appeal in Western Australia has recently considered s 73A and commented that it is not sufficient that a document is ‘highly likely’ to reproduce the contents of an original document. Therefore, if a challenge is made to [page 290] the authenticity of a document it may be necessary to persuade the court that the relevant ‘copy document does in fact accurately reproduce the contents of an original [document]’: Smith v Queen [2008] WASCA 128 at [243] per Buss JA. Such a task would require a corporation to provide specific technical evidence that the document is a precise copy of the original. This requirement could be satisfied by an appropriate employee of the corporation preparing an affidavit attesting to the process utilised to produce, maintain and retrieve such records. 10.51 In addition, s 79C of the Evidence Act 1906 allows a statement in a document to be admitted into evidence in spite of the rule against hearsay and

other potential legal impediments. This section and in particular the business records provision set out in s 79C(2a) could assist a corporation in circumstances where the original document has not been maintained and potentially where such documents may not be admissible under s 73A. Section 79C(2a) provides as follows: Notwithstanding subsections (1) and (2), in any proceedings where direct oral evidence of a fact or opinion would be admissible, any statement in a document and tending to establish the fact or opinion shall, on production of the document, be admissible as evidence of that fact or opinion if – the statement is, or directly or indirectly reproduces, or is derived from, a business record; and the court is satisfied that the business record is a genuine business record.

10.52 Business record means a book of account or other ‘document’ prepared or used in the ordinary course of a business for the purpose of recording any matter relating to the business. The term ‘document’ is further defined so as to include a visual image. That definition would therefore capture the images contemplated by the conversion process discussed above.

PRODUCTION AND INSPECTION OF DOCUMENTS BY REGULATORS 10.53 In preceding sections it was concluded that it is entirely possible for a digital copy document to satisfy legal record-keeping obligations and evidential requirements associated with use of such documents in court proceedings. In this section we will, for completeness, discuss whether a digital copy document can be produced or inspected in a manner that will satisfy certain other regulatory requirements. The discussion in this section is relevant as some practitioners express concern that while record-keeping [page 291] and evidential issues may be satisfactorily addressed in this context, it may be that a regulator may not accept that digital copies of hard copy source documents satisfy other specific regulatory requirements. Some examples of the relevant legislative requirements are set out below: A book that the Corporations Act or the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act) requires a person to keep must be

open for inspection by a person authorised in writing by ASIC: s 29, ASIC Act. ASIC may provide a written notice requiring the production of specified books relating to the affairs of a body corporate: s 30, ASIC Act. A shareholder may apply in certain circumstances to the court to inspect a book of a company or a scheme: s 247A, Corporations Act. A person must keep certain books open for inspection by a person authorised in writing by ASIC: s 29, ASIC Act. 10.54 Relevantly, ‘books’ for the purposes of the example requirements set out above include: financial reports or financial records, however compiled, recorded or stored; a document (which includes ‘… any paper or other material on which there is writing’ or ‘… any article or material from which sounds, images or writings are capable of being reproduced with or without the aid of any other article or device’: s 25, Acts Interpretation Act); and any other record of information (a record ‘includes information stored or recorded by means of a computer’: s 25, Acts Interpretation Act). 10.55 There are a number of alternative grounds on which the applicable requirements could be satisfied in a manner that would address the concerns mentioned in 10.53. First, if the law permits a ‘book’ or any other form of record to be stored in electronic form, it would follow as a matter of logic that making reproductions of the relevant book (or part of the relevant book) or allowing inspection in a visible form would also be legally compliant. If the law permits the storage of digital copies, then it must implicitly permit the reproduction of those documents in the manner ordinarily associated with retrieval from computer storage. 10.56 Second, in circumstances where the Corporations Act or the ASIC Act applies, s 1306(6) of the Corporations Act would support the proposition that if the law permits a document or other record to be retained in digital form (including copy documents), then it must follow that the law allows those same documents to be produced in [page 292]

order to satisfy regulatory requirements. In this connection, s 1306(6) of that Corporations Act provides: A writing that purports to reproduce a matter recorded or stored by means of a mechanical, electronic or other device is, unless the contrary is established, taken to be a reproduction of that matter.

Accordingly, the reproduction of a digital copy document in hard copy print out (or printed to screen in an inspection context) would satisfy a production or an inspection obligation generally where s 1306(6) is engaged. 10.57 Thirdly, in terms of satisfying a production or inspection requirement by way of a hard copy print out (or making it available in a visible form) more generally, s 25A of the Acts Interpretation Act 1901 provides as follows: Where a person who keeps a record of information by means of a mechanical, electronic or other device is required by or under an Act to produce the information or a document containing the information to, or make a document containing the information available for inspection by, a court, tribunal or person, then, unless the court, tribunal or person otherwise directs, the requirement shall be deemed to oblige the person to produce or make available for inspection, as the case may be, a writing that reproduces the information in a form capable of being understood by the court, tribunal or person, and the production of such a writing to the court, tribunal or person constitutes compliance with the requirement.

The Explanatory Memorandum to the Acts Interpretation Amendment Bill 1984 stated that: Proposed section 25A provides for the production of records kept in a computer etc where an Act requires a person to produce the information in question.

10.58 Given that s 25A is a facilitative provision (ie, to facilitate the production of documents stored in a computer) it should be given a broad interpretation. It is also important to note the phrase ‘… unless the court, tribunal or person otherwise directs’ contained in s 25A, it is submitted that the relevant phrase was included in the provision in order to ensure that if the relevant entity (ie, court, tribunal or person) wanted direct access to the physical medium that the relevant record was stored on (eg, for forensic testing purposes) or meta data stored on the same medium which related to the document, then it may order production or inspection otherwise than by a paper print out. The author does not believe that the phrase was intended to have a broader ambit. If there were concerns around authenticity and these were proved to be valid, then the relevant book would not be a ‘book’ [page 293]

for the purposes of the law in any event. The phrase was merely intended to allow the relevant tribunal to act on any concerns it may have in this context. However, if there were no concerns about the book then, by definition, it would be the applicable ‘book’, and the court, tribunal or person would have no reason to look behind or beyond it. 10.59 Before leaving this point, it is also worth noting provisions such as s 29 of the ASIC Act. That provision mandates that certain books must be ‘open for inspection’. There are no grounds for suggesting that the phrase ‘open for inspection’ requires corporate books to be maintained in hard copy so that they can ‘open’. That would be taking a far too literal approach to the issue. The relevant term used in s 25A of the Acts Interpretation Act is ‘make a document containing the information available for inspection’. That phrase captures the very essence of what is intended by the use of the term ‘open for inspection’. If books are kept in digital form, all that is required is for one to allow access to the relevant technology to allow inspectors to view the relevant digital material. The expression used in s 25A contemplates the term used in s 29 of the ASIC Act, as they both describe the same activity, ie, one person allowing another to inspect a document in a visible form. 10.60 Finally, where the Electronic Transaction Acts of the various jurisdictions apply, it would also be possible to satisfy the production requirement by relying alternatively on provisions such as s 11 (production of documents) of the ETA. However, it would not seem to be necessary in the normal course to have to resort to this legislation in order to satisfy the applicable legislative requirements. 10.61 In summary, there are no grounds for accepting that the production of books that may, in part or in whole, be comprised of digital copy documents would not satisfy the relevant legal requirements of the law.

REDUNDANT SOURCE DOCUMENTS 10.62 Earlier parts of this chapter outlined the reasons why digital copy documents created using an effective conversion system would satisfy applicable legal requirements. It is now appropriate to consider whether the disposal or destruction of a hard copy source document is permitted once a complete and accurate digital copy has been created. The concern that is most frequently raised in this context is whether the disposal of documents will breach laws that prevent the concealment, destruction or alteration of corporate records.

[page 294]

Concealment, destruction, mutilation or alteration of books 10.63 Section 1307 of the Corporations Act provides that an ‘officer, former officer, employee, former employee, member or former member of a company who engages in conduct that results in the concealment, destruction, mutilation or falsification of any securities of or belonging to the company or any books affecting or relating to affairs of the company is guilty of an offence’. Section 9 provides that a ‘book’ includes: a register; any other record of information; financial reports or financial records, however compiled, recorded or stored; and a document. The penalty for breaching the provision is a maximum fine of 100 penalty units and/or imprisonment for up to two years. 10.64 Some practitioners argue that the use of a conversion system may constitute an offence under this provision. For this to be true, the relevant person would have to intend for the concealment, destruction, mutilation or falsification of books to occur. If a person has a bona fide belief that the corporation is using an effective conversion system, it cannot follow that an offence will be committed under s 1307. In the author’s view, there is an argument that this provision may prevent the destruction of hard copy source documents once conversion has occurred. There is a dearth of cases on this point. However, there are a number of arguments why a corporation would not be committing an offence under these types of provisions if it disposed of hard copy source documents post-conversion. Further, if a complete and accurate copy of the hard copy source document is made and accessible, then no concealment, destruction, mutilation or alteration has occurred in any meaningful sense. If all relevant information is accessible at all relevant times to regulators, to potential or actual litigants or any other person, then no prejudice in the form of

the loss of access to information has occurred. The document has merely been converted from one medium to another. Accordingly, if no concealment, destruction, mutilation or alteration has occurred, an essential element of the offence cannot be made out. 10.65 Assuming (without accepting) that the above arguments are misplaced, then a defence would be available to a person in this context. In relation to a prosecution under s 1307(1), it is a complete defence if a person acted honestly and that in all the circumstances the act or [page 295] omission constituting the offence should be excused: s 1307(3). It must be the case that a person who uses a system or designs a system in good faith must have acted honestly and have grounds for establishing the defence.

CONCLUSION 10.66 The discussion in this chapter has demonstrated the range and depth of legal issues associated with what may, at first blush, seem like a fairly straightforward endeavour from a commercial perspective. There is an array of legitimate concerns that need to be addressed in this context. However, these concerns do not prevent the implementation of initiatives that support the digitisation of corporate information provided an effective conversion system is the linchpin of such an initiative. _________________________ 1.

Although the discussion in Chapter 11 (Cyber Security and the Law) will be relevant to such information.

2.

Other document retention obligations are imposed on holders of financial services licences, although those obligations will not be discussed in this chapter. See s 988A, Corporations Act. While they differ from the requirements under Ch 2M.2 the outcomes that can be achieved under those laws differ little from those discussed in the above section.

3.

See s 286(2), Corporations Act.

4.

R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 15th ed, LexisNexis Butterworths, Australia, 2013, [11.120]. Note that the definition of ‘writing’ in the now repealed Corporations Law required companies to keep written ‘financial records’. The observation remains correct despite the omission of the definition of ‘writing’ from s 9 of the Corporations Act, as the definition of ‘writing’

contained in s 25 of the Acts Interpretation Act achieves the same outcome. 5.

See items 28 and 30, Sch 1, Electronic Transactions Regulations 2000 (Cth).

6.

See s 262A, Income Tax Assessment Act 1936 (Cth).

7.

Chief Justice’s Law Reform Committee, Victoria, Annual Report, 1962.

8.

ASIC v Rich [2005] NSWSC 417 (Rich) at [280].

9.

At [227].

10. The Hon R Hulls, press release, ‘New Evidence Laws to Save Costs for Businesses’, 24 June 2008, . 11. See definition of ‘document’ in Pt 1, Dictionary, Evidence Act 1995 (NSW). 12. See cl 8 of Pt 2, Dictionary, Evidence Act 1995 (NSW). 13. See fn 8, Rich at [98] per Austin J. 14. At [119] per Austin J.

[page 296]

Chapter 11 Cyber Security and the Law

INTRODUCTION 11.1 As the term suggests, information security or cyber security relates to the steps that individuals and corporations take in order to protect the security, integrity and availability of information and information systems. This chapter will discuss laws relating to information or cyber security in a corporate context. The laws that feature prominently in respect of security issues are certain provisions of the Privacy Act 1988 (Cth); laws concerning directors’ duties; contract law; and consumer protection laws. Other laws play cameo roles, but they do not routinely feature in this area. For example, both the law of copyright1 and the law relating to continuous disclosure2 may on occasion apply to circumstances or events that arise in the security environment. Prior to discussing the application of the laws mentioned above, it is necessary to outline the context in which these laws will be interpreted and applied. In many cases, the threat environment in which most corporations operate will have a bearing on legal outcomes. That is, the nature and substance of a corporation’s legal rights and obligations in a cyber security context will frequently be conditioned by the risk or threat environment within which they are developed, interpreted or otherwise applied. [page 297] 11.2 The criminal laws that apply to cybercrime will not be discussed in any detail in this chapter. A criminal prosecution involves a corporation making a complaint to police concerning an alleged cybercrime. The police will then investigate that matter if resources permit. If the investigation confirms that a

cybercrime may have been committed, the police then may prepare a brief for prosecutors to consider. A trial may or may not follow; much will depend on the strength of the available evidence and also whether or not the alleged perpetrator can actually be identified. Even if this is possible, the perpetrator may not be subject to the laws of Australia. For example, the alleged perpetrator may reside in a foreign jurisdiction that has no extradition treaty with Australia. Even where a treaty exists, complex rules regarding dual criminality and other issues usually arise.3 In any event, the corporation is effectively a passive actor in this process. Once a complaint is lodged with police, the matter is out of the corporation’s hands. In addition to having an interest in seeing that cybercriminals are brought to justice, the main concern of corporations and directors in this context will be whether the cyber security event has implications under civil laws. 11.3

This chapter will examine the following topics:

the threat environment within which corporations operate; cyber security and the law; and evidence.

THE THREAT ENVIRONMENT WITHIN WHICH CORPORATIONS OPERATE 11.4 There are many threats to cyber security.4 Reports of cyber attacks against major global corporations are a regular occurrence.5 Broadly speaking, the threats arise due to vulnerabilities associated with humans6 and/or machines.7 While the category of threats may not have changed [page 298] much over the last decade or so,8 there are a number of reasons why the level of risk in this context has increased significantly: We are producing much more data than ever before.9 The increased levels of data mean more resources need to be utilised to store it and secure it. Put simply, the size of the target (or the attack surface) is constantly increasing.

Not only are information systems growing in number and size, they are also being opened up to end users at an increasing rate. This is a result of the ‘mobile’ revolution. As a consequence of the explosion in mobile computing, we are witnessing a shift from more homogenous technology environments within corporations to diverse technology ecosystems, which presents additional cyber security challenges. This development is also being exacerbated by the trend toward allowing users to bring their own device to work and permit those users to interconnect to the corporate environment. In this context, any lack of security at ‘the node’ (ie, the user and the user’s device) becomes an issue that the corporation needs to manage. Finally, both the number and sophistication of cyber attacks are increasing.10 It is worth developing this last point further. 11.5 Research conducted over ten years ago indicated that the overwhelming majority of cyber attacks originated from inside an organisation with only 25 per cent originating externally.11 It is unclear whether that is still the case today, but what is clear is that the sophistication of the contemporary tools that external attackers have access to have increased markedly over the last few years.12 This can only put upward pressure on the number of cyber attacks that endanger any given corporation. Such attacks can fall into two categories: commodity attacks and noncommodity (or targeted) cyber attacks.13 The term ‘commodity attacks’ is [page 299] an expression used to describe the commoditisation of tools used to attack cyber targets. These can be characterised as ‘off-the-shelf’ tools that people with very little technology skill could use to launch a cyber attack. In the main, though, such attacks are easier to defend against, when compared to the steps needed to protect against or prevent targeted attacks. Non-commodity or targeted attacks have a very different profile. They involve highly skilled people or teams of people working collaboratively toward a common purpose. These persons are sometimes referred to as hacktivists. A hacktivist is a person who uses computers and computer networks as a means of protest to promote social or political agendas.14

Some hacktivist groups can cause significant disruption to any corporation’s operations if targeted. However, by far the greatest security challenge facing a corporation is how to manage risk associated with cyber attacks launched by, or with the support of, organised crime groups or nation states.15 11.6 This brief discussion only touches on some of the threats to cyber security, but the point is they are highly diverse, real and increasing. It is against this backdrop that we will examine the laws relating to cyber security.

CYBER SECURITY AND THE LAW 11.7 As mentioned in the introduction, there are four main laws that will be discussed in this context, namely: privacy law; directors’ duties; data breach laws; contract law; and consumer protection laws. These laws are discussed in turn below.

Privacy law 11.8 The Privacy Act 1988 (Cth) imposes one key security-related obligation on corporations. For the purposes of this section, the laws that will be discussed are the applicable provisions of the Act, as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), [page 300] which will commence on 12 March 2014. The relevant provisions in this context are APP11.1 (security of personal information) and s 21S(1) (security of credit eligibility information). Where a corporation holds personal information, APP11.1 provides that corporation must:

… take such steps as reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; (b) from unauthorised access, modification or disclosure.

Similarly, s 21S(1) provides that if a corporation holds certain credit-related information, it must: … take such steps as are reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; (b) from unauthorised access, modification or disclosure.16

The ‘reasonable steps’ test 11.9 What then is required in order to discharge the obligation to take ‘such steps as reasonable in the circumstances to protect the information’? As we saw elsewhere in this book, the approach taken in relation to assessing what is required under a ‘reasonable steps’ test is to refer to the particular circumstances of the case with the assessment being made by reference to the circumstances as they were at the relevant time a step was taken, rather than with the benefit of hindsight.17 At a minimum, the circumstances that should be considered in determining the applicable standard should include: the threat environment within which the corporation operates; the scale and complexity of the business and its operations; the corporation’s resources, including the expertise it has available to it; prevailing industry standards; the relevant risks that need to be addressed and the probability that adverse events may occur; the gravity of the harm an individual (ie, a data subject) could suffer if a step was not taken; and the cost associated with addressing those risks. It is essential to recognise that the applicable test is anchored by the concept of ‘reasonableness’. [page 301]

As we saw in relation to the investor protection laws in Chapter 5, a ‘reasonable steps’ test does not impose strict liability. The focus is on process. If the correct process is in place, it should follow that the correct (or reasonable) step was taken in relation to the secure management of personal information. What is required is an effective privacy governance and due diligence regime. At the highest level, this means accountability and ownership of privacy issues must reside in one executive or an appropriately constituted committee of executives. That executive or committee would be responsible for ensuring that the corporation understood all relevant risks associated with the security of personal information, so that appropriate steps could be taken to manage those risks. Other functions would include the oversight of the development of an appropriate governance and organisational structure (including human resources) for managing security issues. The responsible executive would also be responsible for ensuring the development and ongoing maintenance of effective policies, procedures, controls and training. It would also need to ensure that compliance and audit processes were put in place and that periodic reviews of privacy issues were conducted. The review process would assist in identifying any weaknesses in the compliance or control framework so that those issues could be addressed. The process would also enable the corporation to consider the extent to which they require engaging the assistance of external experts to assist in addressing the matters set out above. Assuming all the relevant governance and organisational structures are in place and appropriately qualified persons are employed to manage operational aspects of security, then effective decisions will be able to be made about the plethora of security issues that need to be managed at an operational level, including whether all the resources, systems, processes and technologies used within the corporation are fit for the purpose, given the risk profile of the corporation. 11.10 In summary, what is required in this context is an approach that gives paramountcy to strategic issues and organisational process so that, through an effective governance and due diligence process, a corporation will be wellplaced to ensure that tactical steps that are taken every day with respect to the management of personal information are ‘reasonable’. In this sense, the approach advocated is a top-down approach.

Of course, the nature of the steps that will need to be taken by any given corporation will depend on the factors mentioned in 11.9. If a corporation takes the steps advocated above, then the prospects of a breach of the law occurring will be significantly diminished. It is [page 302] acknowledged that the approach discussed above would need to be adjusted to suit the circumstances of the given corporation. Nevertheless, the general approach would hold true regardless of the nature and scale of the organisation.

Consequence of a breach 11.11 If a corporation breaches its obligations under APP11.1 or s 21S, there could be a number of consequences, including the Privacy Commissioner making an adverse finding against the corporation or the imposition of a maximum fine of 2,000 penalty units.18 See 9.100ff in Chapter 9 for more details. 11.12 In addition, if a breach or an allegation of a breach were to receive media attention, the corporation would also need to manage the associated reputational issues.19

Directors’ duties 11.13 To the extent that a corporation relies in any material way on information systems to support its commercial endeavours, directors have a key role to play in ensuring effective oversight of security-related matters. This section will explain how this obligation arises at law. Among other things, a director must comply with s 180(1) of the Corporations Act 2001 (Cth). That section provides as follows: A director or other officer of a corporation must exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would exercise if they: (a) were a director or officer of a corporation in the corporation’s circumstances; and (b) occupied the office held by, and had the same responsibilities within the corporation as, the director or officer.

11.14

There is much case law regarding the scope of a director’s duty under

this provision, but for present purposes it is convenient to refer [page 303] to the decision of Australian Securities and Investments Commission v Healey [2011] FCA 717. In that case, Middleton J observed that: Directors are required to take reasonable steps to place themselves in a position to guide and monitor the management of the company. A director must become familiar with the fundamentals of the business in which the corporation is engaged; a director is under a continuing obligation to keep informed about the activities of the corporation; directorial management requires a general monitoring of corporate affairs and policies …20

11.15 The use of the term ‘fundamentals’ in the passage cited above, clearly indicates matters that are ‘essential’ or ‘primary’. In circumstances where data is a new asset class and corporations rely heavily on information systems to support their commercial endeavours, it is arguable that cyber security is a ‘fundamental’ of any business in the sense referred to above. The next issue of relevance that Middleton J refers to is that ‘a director is under a continuing obligation to keep informed about the activities of the corporation’. Again, this reinforces the view that directors should ensure that they keep informed about cyber security matters, being one ‘fundamental’ of a modern corporation. This obligation could be discharged, for example, by the directors ensuring that the security governance and due diligence processes are implemented, as discussed in 11.9 and 11.10. Further, directors should ensure they receive a periodic report on cyber security matters. Where appropriate, directors should ensure that executive management prepare and present briefings on cyber security issues impacting the corporation to the full board and/or the board risk committee on a periodic basis. Such steps would also enable directors to establish that they satisfy the last element mentioned in the passage cited above. That is, that ‘directorial management requires a general monitoring of corporate affairs and policies’. This process would allow the board to challenge and test executives regarding the principal security issues impacting the corporation.

Consequence of a breach 11.16

A breach of s 180(1) is a civil penalty provision for the purposes of the

Corporations Act 2001 (Cth).21 A breach of a civil penalty provision attracts a maximum penalty of $200,000 for individuals.22 It may also lead to compensation orders under s 1317H or injunctions and other orders under s 1324. Disqualification orders could also be imposed under s 206C. [page 304]

Data breach laws 11.17 A number of foreign jurisdictions have enacted data breach laws. That is, if a person or corporation suffers a data breach, the relevant person or corporation must make a disclosure regarding that breach.23 To date, Australia has not enacted comparable laws although recommendations to this effect were made by the Australian Law Reform Commission in its recent report concerning privacy law.24 11.18 There are, however, a number of instances where a corporation may need to disclose a data breach under Australian law. The first is under the continuous disclosure regime set out in Ch 6CA of the Corporations Act. Under that regime, if an entity suffers a cyber event such as Sony did in 2011,25 then it may have to make a disclosure of that event if information concerning that event is not generally available and a reasonable person would consider it to be price sensitive.26 A corporation may also be under a contractual obligation to another party to disclose any breaches of cyber security. Such provisions are common in many types of contractual arrangements. A further obligation to disclose may arise under s 912D of the Corporations Act which imposes an obligation on financial services organisations to disclose to the Australian Securities and Investments Commission any significant breaches of certain provisions of the Corporations Act.27 Again, if a financial services licensee was the victim of a cyber attack and this was significant for the purposes of s 912D of the Corporations Act, the entity would need to disclose that matter to the regulator.

Contract law

11.19 Contract law plays a significant risk allocation role in the implementation of any corporation’s security strategy or program. However, there are a number of issues that need to be effectively managed in this context. These issues are discussed below. [page 305] 11.20 First, in negotiations concerning security issues, parties often debate at length the appropriate contractual standard to be adopted in the applicable contract. The options available in this context include the adoption of a ‘reasonable steps’ obligation or a strict or absolute liability obligation. Another frequently adopted option is to impose strict liability on one party, but make that obligation subject to specific exceptions (such as a force majeure provision). 11.21 Second, in addition to the contractual standard issue mentioned above, parties to a contract need to determine the content of the obligation. That is, the parties need to specify the steps that the relevant party is required to take in accordance with a reasonable steps standard, strict liability standard or otherwise. Obviously, the nature of the contract and the cyber security risks that relate to the contract will necessarily condition the content of the obligations set out in a contract. However, good starting points for drafting purposes do exist. Two examples of documents that can be used as a basis for, or a reference for developing bespoke contractual specifications, are the ISO/IEC 27001 (Information Security Management)28 and the PCI Data Security Standards.29 However, care needs to be taken in this context. In some cases the documents are not an ideal fit for the circumstances of the particular transaction. Care needs to be taken to adapt, tailor or supplement them so that they are appropriate for the relevant transaction. 11.22 A further issue that arises in contract settings relates to apportionment legislation. Under that legislation the liability under a contractual provision of one party to another can, in certain circumstances, be reduced (including to zero per cent) if a third party was the actual cause of the loss. This may be the case even if a contract seeks to impose strict liability on a party. This is relevant in this connection as in cyber security cases it inevitably follows that the primary harm was caused by an unknown hacker.

In such cases, the liability of the actual counterparty can be significantly discounted leaving a party who suffers loss out of pocket. Some apportionment legislation allows parties to contract out of the regime,30 but it is often difficult to persuade a party upon whom obligations are imposed (eg, the party who assumes security-related obligations) to agree to exclude the operation of apportionment legislation by contractual agreement. [page 306]

Consumer protection laws 11.23 The potential role that consumer protection laws can play in relation to cyber security should not be underestimated. Broadly speaking, the operation of the laws cannot be excluded by contract. The key provision that is relevant in this context is s 18, Australian Consumer Law. That section provides as follows: A person must not, in trade or commerce, engage in conduct that is misleading or deceptive or is likely to mislead or deceive.

11.24 The operation of this provision, and related provisions,31 was discussed in Chapter 6. The salient points to recall are that if a corporation makes a statement and it is misleading as a matter of fact and a person suffers loss in reliance on that statement, then that party may recover that loss from the entity that made the applicable statement (and anyone involved in the contravention).32 The provision above is relevant for present purposes due to the fact that during the course of a commercial relationship between parties it is foreseeable that representations will be made from time to time regarding the quality, features or benefits of certain security measures that a party has in place or is able to put in place for the benefit of a counterparty or other parties (eg, a counterparty’s customers). This may occur in a business-to-business context, where for example one party makes statements to the other regarding how secure its information systems are. Such a statement may induce the counterparty to enter an agreement with the maker of the statement. In a business-to-consumer context, a corporation may make statements in its marketing material or even in its privacy policy about the security measures it has in place to protect any personal information it collects. If any of these

statements are misleading or false, either the responsible regulator (which will generally be the Australian Competition and Consumer Commission) or an affected consumer may take action under the legislation mentioned above. In addition, a further issue that arises under consumer protection laws relates to warranties. If a corporation provides a warranty in a contract concerning security (or any other thing for that matter) and that warranty [page 307] is found to be misleading (ie, incorrect as a matter of fact), then that could constitute misleading conduct for the purposes of s 18 of the ACL.33 11.25 It is also important to note in this context, that any liability under the relevant provisions may also be moderated by the operation of applicable proportionate liability regimes.34 The operation of this apportionment regime cannot be excluded by contract.

EVIDENCE 11.26 If a corporation is subject to a cyber attack, it is critical to gather all reliable evidence. Reliable evidence will be necessary for a number of reasons. As discussed in the introduction, a corporation may have grounds for making a complaint to the police. It is very unlikely that the police will investigate an incident unless the information provided to them or available to them is of sufficient weight to make out a case. This is particularly important in criminal cases as the standard of proof is extremely high (ie, beyond all reasonable doubt). The collection of reliable evidence will also be important if the cyber event originated internally. It would be difficult to take appropriate disciplinary action against a staff member if the evidence that was collected was not reliable or sufficiently complete to be compelling. Another reason for identifying reliable evidence would be to put the corporation in a position to understand whether it had breached any obligations that it may owe to others, or conversely, allow it to identify whether the event indicates an obligation owed to the corporation may have been breached by another party. 11.27

The process of identify, preserving, analyzing and presenting digital

evidence in a forensically acceptable manner is a task that often requires expert assistance.35 A corporation should ensure that it understands the issues in this context and is able to respond appropriately should digital evidence need to be collected. [page 308]

CONCLUSION 11.28 Cyber security is a fundamental issue that contemporary corporations need to manage. Appropriate steps need to be taken to ensure that corporations comply with the requirements set out in the Privacy Act and to ensure that directors can demonstrate that they have complied with their duties. Corporations will often rely on contracts in assisting them manage the legal, commercial and technical risks associated with cyber security issues. However, as discussed above, care needs to be taken to ensure that these contracts are drafted in a manner which suits the applicable purpose. Corporations also need to be mindful of the role that misleading conduct laws play in this context to ensure that legal risk is appropriately managed. Finally, corporations need to ensure that they have policies and processes in place to identify and quarantine electronic evidence which can be used to support legal analysis of what may have occurred in the context of a cyber event. _________________________ 1.

For example, s 47F of the Copyright Act 1968 (Cth) permits reproduction of computer programs for security testing purposes.

2.

A particularly serious breach of security adversely affecting the data of a large number of customers could require a disclosing entity to disclose that fact to the market if it were price-sensitive information and no exclusion applied: see 5.59 for more information about continuous disclosure laws.

3.

See the Extradition Act 1988 (Cth) for the requirements that must be met before Australia can make or accept an extradition request.

4.

Shelde Pty Ltd, ‘The Changing Role of Information Security in the Large Enterprise’, unpublished report, Sydney, Australia, 2013.

5.

See, for example, L B Baker and J Finkle, ‘Sony PlayStation Suffers Massive Data Breach’, 26 April 2011, ; and B Krebs, ‘Phishers Spoof Google’, Sydney Morning Herald, 4 January 2013, .

6.

For example, phishing or social engineering attacks on end users.

7.

Including the usual suspects, such as exploits at the application level (eg, SQL injection or attacks exploiting Java vulnerabilities) or attacks against machines using IP or SMS spoofing.

8.

See, for example, ‘Part B — Risk Areas’ in L Gamertsfelder, R McMillan, A Handelsmann and P Hourigan, E-Security, Lawbook Co, Australia, 2002.

9.

See Chapter 1 of this book, ‘Introduction to Corporate Information and the Law’.

10. See, for example, Sophos, ‘Security Threat Report 2013’, . See T PullarStrecker, ‘Leaked, Stolen Data Leaps by 40%’, Sydney Morning Herald, 14 December 2012, and L Timson, ‘One Data Breach a Week: Australia’, Sydney Morning Herald, 30 April 2012, . 11. See L Gamertsfelder, R McMillan, A Handelsmann and P Hourigan, E-Security, Lawbook Co, Australia, 2002, p 7. 12. See, for example, the discussion concerning the use of attack tools Sophos, see fn 10. 13. See L Timson, ‘Dell Beefs Up Security’, Sydney Morning Herald, 14 December 2012, . 14. See Wikipedia, ‘Hactivism’, . 15. See, for example, E Chan, ‘Cyber Gang Busted for Infecting 11m PCs and Stealing $US850m’, Sydney Morning Herald, 12 December 2012, . See also Sophos, ‘Security Threat Report 2013’, at 28–9. 16. Note where s 21S of the amended Privacy Act 1988 (Cth) applies (ie, in relation to credit eligibility information), it excludes the operation of APP11.1: s 21S(3). 17. See for example, 5.17, Chapter 5. 18. The maximum financial penalty for a contravention can be increased by a multiple of five if the offender is a body corporate: s 1312. Section 4AA of the Crimes Act 1914 (Cth) provides that a penalty unit means $170 (NB: this was increased from $110 by the Crimes Legislation Amendment (Serious Drugs, Identity Crime and Other Measures) Act 2012 (Cth)). 19. For an example of a data breach which had clear adverse reputational implications, see L B Baker and J Finkle, ‘Sony PlayStation Suffers Massive Data Breach’, Sydney Morning Herald, 26 April 2011. See also the discussion of the incident involving TJX Companies Inc in M Jackson and M Shelly, Electronic Information and the Law, Thomson Reuters, Australia, 2012, [6.30]. 20. Australian Securities and Investments Commission v Healey [2011] FCA 717 at [166]. 21. See s 1317E, Corporations Act. 22. However, the contravention would need to be, among other things, serious: s 1317G. 23. See M Jackson and M Shelly, Electronic Information and the Law, Thomson Reuters, Australia, [6.150]. 24. See ALRC, For Your Information: Australian Privacy Law and Practice, ALRC Report 108, 2008, Recommendation 51-1. 25. L B Baker and J Finkle, ‘Sony PlayStation Suffers Massive Data Breach’, Sydney Morning Herald, 26 April 2011. 26. See Chapter 5 for a discussion about the continuous disclosure regime. 27. See s 912D, Corporations Act. 28. Wikipedia, ‘ISO/IEC 27001’, .

29. To access the PCI DSS standards visit . 30. See, for example, s 3A(2), Civil Liability Act 2002 (NSW). 31. Comparable provisions are contained in s 1041H, Corporations Act and s 12DA, Australian Securities and Investments Commission Act 2001 (Cth). 32. See, for example, ss 236 and 237, Competition and Consumer Act 2010 (Cth). 33. See Accounting Systems 2000 (Developments) Pty Ltd v CCH Australia Ltd [1993] FCA 265. 34. See s 87CB, Competition and Consumer Act 2010 (Cth). 35. For an overview of the relevant issues see: A Stanfield, Computer Forensics, Electronic Discovery & Electronic Evidence, LexisNexis, Australia, 2009; S Nelson, B Olson and J Simek, The Electronic Evidence and Discovery Handbook, American Bar Association, Chicago, 2006; P Rice, Electronic Evidence: Law and Practice, American Bar Association, Chicago, 2005; R McKemmish, ‘What is Forensic Computing?’, Trends and Issues in Crime and Criminal Justice, Australian Institute of Criminology, No 188, June 1999; and A Gahtan, Electronic Evidence, Carswell, Ontario, 1999.

Bibliography ACCC, ‘Information policy — The collection, use and disclosure of information’, 2008, ACCC, ‘Social media’, ACMA, ‘Regulatory Guide — No 4 Remedial Directions’, August 2011,

J Adams, ‘Originality in Copyright: A Solution to the Database Problem?’ in P Torremans (ed), Copyright Law: A Handbook of Contemporary Research, Edward Elger Publishing Inc, Great Britain, 2007 L Aitken, ‘Unforgiven: Some Thoughts on Farah Constructions Pty Ltd v SayDee Pty Ltd’ (2007) 29 Aust Bar Rev 195 ALRC, For Your Information: Australian Privacy Law and Practice, Report 108, 2008, ASIC, Enforceable undertakings register, 2012, ASIC, RG 170 — Prospective

financial

information,

2011,

R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 13th ed, LexisNexis Butterworths, Australia, 2007 R P Austin and I M Ramsay, Ford’s Principles of Corporations Law, 15th ed, LexisNexis Butterworths, Australia, 2013 Australian Corporation Law — Principles and Practice, LexisNexis online looseleaf Australian Direct Marketing Association, Direct Marketing Code of Practice, 2006 L B Baker and J Finkle, ‘Sony PlayStation Suffers Massive Data Breach’, 26 April 2011, J Barrett, ‘Copyright and Commercial Slogans’, 3 Web JCLI (2009),

R Baxt, Duties and Responsibilities of Directors and Officers, 19th ed, LexisNexis Butterworths, Australia, 2009 R Baxt, A Black and P Hanrahan, Securities and Financial Services Law, 7th ed, LexisNexis Butterworths, Australia, 2008 R Baxt, A Black and P Hanrahan, Securities and Financial Services Law, 8th ed, LexisNexis Butterworths, Australia, 2012 J Bliech, ‘Cloud Agreement Can Bring Blue Skies’, Sydney Morning Herald, 11 December 2012, A Bruce, Consumer Protection Law in Australia, LexisNexis Butterworths, Australia, 2011 CAMAC, Insider Trading

Discussion

Paper,

June

2001,

CAMAC, Insider Trading Report, November 2003 J W Carter, E Peden and G J Tolhurst, Contract Law in Australia, 5th ed, LexisNexis Butterworths, Australia, 2007 E Chan, ‘Cyber Gang Busted for Infecting 11m PCs and Stealing $US850m’, Sydney Morning Herald, 12 December 2012, D Clapperton and S Corones, ‘Unfair Terms in “Clickwrap” and Other Electronic Contracts’ (2007) 35 ABLR 152 E E Clark, G Cho, A Hoyle and P Hynes, Cyber Law in Australia, Kluwer International, The Hague, Netherlands, 2010 B Clarke, B Sweeney and M Bender, Marketing and the Law, 4th ed, LexisNexis Butterworths, Australia, 2010 Cohen Committee Report, 1945 (CMD 6649) R Cohen, ‘It’s Not The Size of Your Data, It’s How You Use It’, 5 June 2012,

Copyright Law Review Committee, Simplification of the Copyright Act 1968: Part 2 — Categorisation of Subject Matter and Exclusive Rights, and Other Issues, Commonwealth of Australia, 1999 S Cumming and M Crompton, Independent Review of ACC’s Privacy and Security of Information, the Accident Compensation Corporation of New

Zealand and Office of the Privacy Commissioner of New Zealand, 22 August 2012 T Damian and A Rich, Schemes, Takeovers and Himalayan Peaks, 3rd ed, the Ross Parsons Centre of Commercial, Corporate and Taxation Law Monograph Series, Sydney, 2013 S Danckert, ‘Lawyers Flock to Centro Class Actions Worth $600m’, The Australian, 5 March 2012, M Davison, The Legal Protection of Databases, Cambridge University Press, Australia, 2003 C Doyle and M Bagaric, Privacy Law in Australia, The Federation Press, Sydney, 2005 ‘Companies and Information — the Leaky Corporation’, The Economist, 24 February 2011, R Evenden, Copyright Protection of Computer Programs in Australia, NSW Society for Computers and the Law, March 2001 J Farrar, Corporate Governance: Theories, Principles and Practice, Oxford University Press, Melbourne, 2008 A Fitzgerald, B Fitzgerald, P Cook and C Cifuentes (eds), Going Digital 2000: Legal Issues for E-commerce, Software, and the Internet, Prospect Media, St Leonards, 2000 A Fitzgerald and B Fitzgerald, Intellectual Property: In Principle, Thomson Law Book Co, Australia, 2004 A Fitzgerald and D Eliades, Intellectual Property, 3rd ed, Thomson Reuters, Australia, 2008 B Fitzgerald and A Fitzgerald, Cyberlaw: Cases and Materials on the Internet, Digital Intellectual Property and Electronic Commerce, LexisNexis Butterworths, Australia, 2002 B Fitzgerald, A Fitzgerald, E Clark, G Middleton and Y F Lim, Internet and Ecommerce Law, Business and Policy, Lawbook Co, Sydney, 2011 B Fitzgerald and L Gamertsfelder, ‘A Conceptual Framework for Protecting the Value of Informational Products Through Unjust Enrichment Law’ (1997) 16 Aust Bar Rev 257 Ford, Austin and Ramsay, Ford’s Principles of Corporations Law, LexisNexis

online looseleaf A Gahtan, Electronic Evidence, Carswell, Ontario, 1999 L Gamertsfelder, R McMillan, A Handelsman and P Hourigan, E-Security, Lawbook Co, Sydney, 2002 Google Inc, ‘Google Data Centers’, 2012, M Gething, ‘Insider Trading Enforcement: Where are We Now and Where do We Go From Here?’ (1998) 16 Company and Securities Law Journal 607 Halsbury’s Laws of Australia, LexisNexis online looseleaf A P Herbert, Uncommon Law, 3rd ed, Methuen & Co, London, 1937 House of Representatives Standing Committee on Legal and Constitutional Affairs, Fair Shares for All — Insider Trading in Australia, AGPS, Canberra, October 1990 The Hon R Hulls, press release, ‘New Evidence Laws to Save Costs for Businesses’, 24 June 2008, J Hunter, C Cameron and T Henning, Litigation, 7th ed, LexisNexis Butterworths, Australia, 2005 J Hutchinson, ‘Small Business Suffer from Theft of Data’, Australian Financial Review, 11 December 2012, 23 J Hutchinson and D Ramli, ‘Banks Dig for Data “Oil” in Online World’, Sydney Morning Herald, 6 November 2012, International Data Corporation (IDC), press release, ‘IDC Predicts 2012 Will Be the Year of Mobile and Cloud Platform Wars as IT Vendors Vie for Leadership While the Industry Redefines Itself’, 1 Dec 2011, M Jackson and M Shelly, Electronic Information and the Law, Thomson Reuters, Australia, 2012 B Krebs, ‘Phishers Spoof Google’, Sydney Morning Herald, 4 January 2013,

Mr Justice Laddie, P Prescott, M Vitoria, A Speck and L Lane, The Modern Law of Copyright and Design, 3rd ed, LexisNexis Butterworths, London, 2000

J Lee, ‘Watchdog Clamps Down on Facebook’, Sydney Morning Herald, 6 August 2012, Y F Lim Cyberspace Law: Commentaries and Materials, Oxford University Press, Melbourne, 2002 C Lockhart, The Law of Misleading and Deceptive Conduct, 2nd ed, LexisNexis Butterworths, Australia, 2011 G Lyon and J J du Plessis, The Law of Insider Trading in Australia, The Federation Press, Sydney, 2005 A Maggs and B Trimmer, ‘Are You Creating Data? Then the Database Directive is (probably) Not for You!’, Wragge & Co, 21 March 2012,

Maurice Blackburn Lawyers, press release, ‘Record $200m Centro Class Action Settlement Approved’, 19 June 2012,

J McKeough, ‘Horses and the Law: The Enduring Legacy of Victoria Park Racing’ in A T Kenyon, M Richardson and S Ricketson (eds), Landmarks in Australian Intellectual Property Law, Cambridge University Press, Melbourne, 2009 J McKeough, A Stewart and P Griffith, ‘The Concept of Rights in Information’, Intellectual Property in Australia, 3rd ed, LexisNexis Butterworths, Australia, 2004 A McAfee and E Brynolfsson, ‘Data Drives Better Decisions’, Boss — Harvard Business Review, 12 November 2012 R McKemmish, ‘What is Forensic Computing?’, Trends and Issues in Crime and Criminal Justice, Australian Institute of Criminology, No 188, June 1999 McKinsey Global Institute and McKinsey’s Business Technology Office ‘Big Data: The next Frontier for Innovation, Competition, and Productivity’, June 2011, Microsoft Asia Pacific, Submission PR 463, 12 December 2007 R V Miller, Miller’s Australian Competition and Consumer Law Annotated, 34th ed, Lawbook Co, Australia, 2012 S Nelson, B Olson and J Simek, The Electronic Evidence and Discovery

Handbook, American Bar Association, Chicago, 2006 Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988, 2005 P Parkinson (ed), The Principles of Equity, Lawbook Co, Australia, 1996 J Paterson, Unfair Contract Terms in Australia, Thomson Reuters, Australia, 2012 J M Paterson, ‘Consumer Contracting in the Age of the Digital Natives’ (2011) 27 JCL 152 Privacy, Confidentiality and Data Security, LexisNexis online looseleaf T Pullar-Strecker, ‘Leaked, Stolen Data Leaps by 40%’, Sydney Morning Herald, 14 December 2012, P Quirk and J Forder, Electronic Commerce and the Law, 2nd ed, John Wiley & Sons, Australia, 2003 P Radan and C Stewart, Principles of Australian Equity and Trusts, LexisNexis Butterworths, Australia, 2009 P J Rajapakse, ‘Issuance of Residential Mortgage-Backed Securities in Australia — Legal and Regulatory Aspects’ (2006) UNSWLawJl 42 P Rice, Electronic Evidence: Law and Practice, American Bar Association, Chicago, 2005 L J Richards and M J Bransgrove, ‘Examinations under the Corporations Act and the ASIC Act’, paper presented at College of Law, 5 March 2012 S Ricketson and C Creswell, The Law of Intellectual Property: Copyright, Designs & Confidential Information (looseleaf service), 2nd ed (rev), Lawbook Co, Sydney, 2002 C Rome-Sievers, ‘Developments in Insolvency and Corporations Law’, 19 June 2012, H B Sales, ‘Standard Form Contracts’ (1953) 16(3) Modern Law Review 318 Shelde Pty Ltd, ‘The Changing Role of Information Security in the Large Enterprise’, unpublished report, Sydney, Australia, 2013 M G Siegler, ‘Eric Schmidt: Every 2 Days We Create As Much Information As

We Did Up To 2003’, TechCrunch, 2010, Sophos, ‘Security Threat Report 2013’, A Stanfield, Computer Forensics, Electronic Discovery & Electronic Evidence, LexisNexis, Australia, 2009 A Stewart, P Griffith and J Bannister, Intellectual Property in Australia, 4th ed, LexisNexis Butterworths, Australia, 2010 P Svensson, ‘HP Says Fraud Prompted $5 billion Overpayment’, Sydney Morning Herald, 21 November 2012, L Timson, ‘Dell Beefs Up Security’, Sydney Morning Herald, 14 December 2012, L Timson, ‘One Data Breach a Week: Australia’, Sydney Morning Herald, 30 April 2012, R G Toulson and C M Phipps, Confidentiality, 2nd ed, Sweet & Maxwell, United Kingdom, 2006 D Vaver, ‘Rejuvenating Copyright’ (1996) 75 Can Bar Review 69 C Waelde, ‘Database Copyright: The Story of BHB’ in P Torremans (ed), Copyright Law: A Handbook of Contemporary Research, Edward Elger Publishing Inc, Great Britain, 2007 L Webb, ‘Humans Generated More Data in 2009 than in Previous 5000 Years’, FutureLab, 2010, Wikipedia, ‘Hactivism’, Wikipedia, ‘ISO/IEC 27001’, G Wilkins, ‘NAB to customers: You’re the Voice On Security’, Sydney Morning Herald, 21 November 2012, R Wray, ‘Internet Data Heads for 500bn Gigabytes’, The Guardian, 18 May 2009, B Ziff, Principles of Property Law, Carswell, Toronto, 1994

Index References are to paragraphs

A Advertiser Code of Ethics .… 6.28 Advertising misleading or deceptive conduct .… 6.25–6.27 comparative advertising .… 6.27 Telecommunications Consumer Protections Code .… 6.45–6.48 Advertising Standards Board (ASB) .… 6.28 Auditor liability for incorrect periodic reports .… 5.24 report .… 5.8 Australian Competition and Consumer Commission (ACCC) information-gathering powers .… 7.9 Australian Direct Marketing Association (ADMA) Code of Practice, definition of direct marketing .… 9.42 Australian Law Reform Commission (ALRC) For Your Information: Australian Privacy Law and Practice .… 9.2 Australian Privacy Principles (APPs) .… 9.5–9.6 see also Personal information; Privacy cross-border disclosure .… 9.60–9.61 accountability .… 9.62–9.63 application of principles .… 9.64–9.67 government related identifiers .… 9.68–9.70 direct marketing .… 9.41, 9.43, 9.45–9.50, 9.58–9.59 Australian Securities and Investments Commission (ASIC) information-gathering powers .… 7.4–7.8 Australian Securities Exchange (ASX) Listing Rules broad disclosure obligation .… 5.63 awareness of information .… 5.65, 5.66–5.67

concerning entity .… 5.68–5.69 meaning of information .… 5.68 obligation to tell ASX immediately .… 5.75 confidentiality issues .… 5.83 corrective disclosure .… 5.85–5.86 effect of information on price or value .… 5.65 ASX Guidance Note .… 5.71 context .… 5.72 evaluation of materiality .… 5.73 investor’s investment decision .… 5.71 material effect .… 5.70–5.73 price or value .… 5.74 exceptions under Listing Rule 3.1A .… 5.76–5.77 breach of law .… 5.78 confidentiality issues .… 5.83 incomplete proposal or negotiation .… 5.79 information generated for internal management purposes .… 5.81 reasonable person would not expect disclosure .… 5.84 supposition or insufficiently definite information .… 5.80 trade secrets .… 5.82 false markets .… 5.85–5.86 Listing Rule 3.1 .… 5.63 case law .… 5.64 interpretation .… 5.65 continuous disclosure regime .… 5.62 Authorship databases .… 2.39–2.53

B Bidder’s statement disclosure under .… 5.41–5.44 Big data .… 1.4, 2.31, 8.16, 9.15 British Horseracing Board case (BHB case) .… 3.6–3.7

C Chinese wall arrangements .… 8.37–8.39 Compilations copyright protection .… 2.34, 2.65 literary work .… 2.7, 2.11, 2.13–2.15 Phone Directories cases .… 2.48–2.53, 2.65 Computer programs copyright protection .… 2.16–2.18 corporate database system .… 2.17 literary work .… 2.7, 2.16–2.18 Confidentiality breach of confidence .… 3.1, 4.1–4.2, 4.41 circumstances importing obligation of confidence .… 4.18–4.21 compulsory, solicited and unsolicited communications .… 4.20–4.21 relationship .… 4.19 corporate information .… 4.15–4.17 trade secrecy, determination of .… 4.16, 4.29, 4.30 defences .… 4.33–4.37 detriment requirement .… 4.27 elements .… 4.7–4.8 circumstances importing obligation of confidence .… 4.18–4.21 detriment to party communicating information .… 4.28 necessary quality of confidence .… 4.9–4.17 unauthorised use .… 4.22–4.26 identification of information in suit .… 4.4 information in public domain .… 4.10–4.14 speculation and gossip on social media sites .… 4.13, 4.14 transitory disclosures of information .… 4.12 issues peculiar to corporate information .… 4.15–4.17 relation to developed idea or matter .… 4.10 requirements .… 4.4 standing .… 4.5–4.6 unauthorised use .… 4.22–4.26 modification of information .… 4.27

scope of authorisation .… 4.23–4.25 defences to breach of confidence just cause or excuse .… 4.33–4.34 iniquity rule .… 4.33 legal compulsion .… 4.37 whistleblowers, disclosure by .… 4.35–4.36 legislation .… 4.35 employees, use and disclosure of information by .… 4.28–4.30 employee obligations .… 4.29 duty of good faith and fidelity .… 4.29 employment contract .… 4.29 express confidentiality terms .… 4.31–4.32 implied terms .… 4.29 post-employment .… 4.29 restraint of trade .… 4.32 trade secrets .… 4.30 liability and remedies .… 4.38–4.40 contract and equity, distinction .… 4.38 injunctions .… 4.41 springboard doctrine .… 4.41 management of confidential information .… 4.17 protection of corporate information .… 1.15, 1.24, 2.1, 4.1–4.3 traditional forms .… 4.1 Consumer protection law application of laws to corporations .… 6.2 credit regulation .… 6.49–6.51 disclosure requirements .… 6.49 Key Facts Sheet .… 6.49 standard home loan .… 6.50 cyber security .… 1.11, 11.23–11.25 misleading or deceptive conduct .… 11.23–11.24 proportionate liability .… 11.25 misleading or deceptive conduct see also Misleading or deceptive conduct financial products or services .… 6.4

limitations .… 6.4 statutory provisions .… 6.3–6.4 outcomes, focus on .… 6.1 principle of .… 6.1, 6.52 Telecommunications Consumer Protections (TCP) Code .… 6.44–6.48 advertising by telecommunication suppliers .… 6.47 Australian Communications and Media Authority (ACMA), role of .… 6.48 breach .… 6.48 critical information summaries .… 6.46 disclosure object .… 6.45 registration under law .… 6.44, 6.45 unfair contract terms .… 6.34–6.43 see also Unfair contract terms Contract law database protection .… 3.1 security of information .… 11.19 apportionment legislation .… 11.22 appropriate standard .… 11.20 content of obligation .… 11.20–11.21 Copyright see also Literary works authorship .… 2.39–53 corporate information, protection of .… 2.1 advertising copy .… 2.32 criteria .… 2.6 databases .… 2.37–2.38 evidence of authorship .… 2.39–2.53 duration of copyright law .… 2.62 individual words and slogans .… 2.32 literary works .… 2.7–2.18 material form .… 2.19–2.23 definitions .… 2.20 original works .… 2.24 compilations and databases .… 2.34 originality in context of infringement .… 2.33–2.34 originality in context of subsistence .… 2.31–2.32

technology .… 2.31, 2.33 relevant circumstances .… 2.1 scope of .… 2.37–2.38 databases .… 2.31, 2.34, 2.37–2.38 copyright protection .… 2.31, 2.34, 2.37–2.38 evidence of authorship .… 2.39–2.53 defences and remedies .… 2.63–2.64 fair dealing defences .… 2.63 Hollinrake principle .… 2.8, 2.11–2.12, 2.32 idea/expression distinction .… 2.3, 2.4 injunction .… 2.64 law of .… 2.2–2.5 application of legislation .… 2.5 balancing theme .… 2.2, 2.3 competing interests and policy considerations .… 2.2 duration .… 2.62 expression in material form .… 2.19–2.23 idea/expression distinction .… 2.3–2.4, 2.19 literary works .… 2.7–2.18 material form .… 2.19–2.23 originality .… 2.24–2.34 relevant connections with Australia .… 2.35–2.36 material form application of requirement to corporate information .… 2.21 definition .… 2.20 digital storage .… 2.21 cases .… 2.22 original works .… 2.24 context infringement .… 2.26–2.27 subsistence .… 2.25 establishment of originality .… 2.24 inherent originality .… 2.26 qualitative perspective .… 2.28–2.29

substantiality .… 2.28 two-step approach .… 2.24, 2.30 reform .… 2.54–2.61 amendment of author requirement .… 2.57–2.60 archaic legal framework .… 2.54–2.56 collaboration .… 2.60 Copyright Law Review Committee (CLRC) .… 2.56, 2.57 copyright protection for computer-generated material review .… 2.56 European Union Database Directive .… 2.61 New Zealand approach .… 2.58, 2.59 United Kingdom law .… 2.58, 2.59 relevant connection with Australia .… 2.35–2.36 author as qualified person .… 2.36 published work .… 2.35 unpublished work .… 2.35 technological developments, discrimination against .… 2.65 writing application of requirement to corporate information .… 2.21 definition .… 2.20 Corporate information see also Information confidential see Confidentiality copyright see Copyright creators or owners .… 1.15 disclosure see Disclosure domain .… 1.13 exploitation of .… 8.52 governance framework .… 1.1, 1.12 insider trading see Insider trading meaning .… 1.13 nature .… 1.2 obligations .… 1.1, 1.2 overview .… 1.1–1.2, 1.24 price signalling laws see Price signalling laws rights .… 1.1, 1.2, 1.15–1.16

security see Cyber security stakeholders .… 1.5 traditional forms .… 1.6, 2.31, 2.33, 2.37 converting to digital form see Corporate records types .… 1.13, 1.16 use of .… 1.1 constraints .… 8.1, 8.2, 8.50, 8.72 fiduciary duties .… 8.51–8.53 prohibitions .… 8.54–8.58 liability .… 8.59–8.60 Corporate records digital form acceptability for legal purposes .… 10.2 date .… 10.4 design .… 10.4 effective conversion system .… 10.4, 10.12, 10.22 integrity .… 10.4 laws of evidence and .… 10.23–10.52 authentication .… 10.35–10.36 Corporations Act .… 10.25–10.29 document, what constitutes .… 10.32–10.34 exclusionary rules .… 10.39 Queensland .… 10.40, 10.41–10.46 South Australia .… 10.47 tendering/adducing documentary evidence .… 10.38–10.38 Uniform Evidence Acts .… 10.30–10.31 Western Australia .… 10.48–10.52 production to and inspection of documents by regulators .… 10.53–10.61 quality assurance .… 10.4 requirements for retention and evidentiary purposes .… 10.2–10.4 security .… 10.4 systems .… 10.4 technical support/staff .… 10.4 document retention obligations .… 10.5

Corporations Act, under .… 10.6–10.18 digital conversion, arguments for .… 10.8 facilitative provisions in Corporations Act .… 10.14 facilitative provisions in Electronic Transactions Act .… 10.15–10.18 written requirement .… 10.9–10.13 financial records .… 10.6 tax legislation, under .… 10.19–10.22 electronic copies of digitised documents .… 10.20 evidence laws and digitised documents .… 10.23–10.24 authentication requirements .… 10.35–10.36 Corporations Act provisions .… 10.25–10.29 hearsay rules .… 10.39 Queensland .… 10.41–10.46 reproduction of documents .… 10.27 South Australia .… 10.47 tendering/adducing documentary evidence .… 10.37–10.38 Uniform Evidence Acts .… 10.30–10.31 document, what constitutes .… 10.32–10.34 Western Australia .… 10.48–10.52 financial records .… 10.6 definition .… 10.6, 10.10 quarantining, difficulties in .… 10.7 written .… 10.9–10.13 definition of writing .… 10.11 digital documents .… 10.13 paper-based source documents .… 10.1, 10.3 concealment, destruction, mutilation or alteration of books .… 10.63–10.65 conversion to digital form, legal impact .… 10.1, 10.66 disadvantages .… 10.3, 10.7 disposal or destruction after conversion to digital form .… 10.62 production and inspection of documents, regulatory requirements .… 10.53 books, definition .… 10.54 electronic form .… 10.55–10.57 Electronic Transaction Acts .… 10.60

hard copy print out .… 10.57 interpretation .… 10.58 open for inspection .… 10.59 record-keeping requirements .… 10.3 redundant source documents .… 10.62–10.65 Corporations digital business models .… 1.6 directors and officers see Directors and officers disclosure, enforcement of see Enforcement and litigation fiduciary duty, assumption of .… 8.53 financial records see Corporate records information security and management .… 1.11, 1.23 periodic and continuous disclosure regimes .… 1.5, 1.11 social media sites .… 6.28–6.29 storage and maintenance of information .… 1.6 see also Corporate records use of information .… 1.1 competitive advantage .… 1.1, 1.4 Corporations and Markets Advisory Committee (CAMAC) Insider Trading Discussion Paper .… 8.3 Credit information access to and correction of .… 9.96–9.99 ban period .… 9.88 categories .… 9.80 civil penalties .… 9.100–9.101 credit, definition .… 9.82 credit eligibility information .… 9.89–9.92 access to and correction of .… 9.96–9.98 dealing with .… 9.89–9.92 definition .… 9.80 integrity .… 9.93 credit providers access to and correction of information .… 9.96–9.99 credit, definition .… 9.82 credit eligibility information .… 9.89–9.92

exceptions for use .… 9.90 integrity .… 9.93 penalties .… 9.91 repayment history information .… 9.90 credit reporting system .… 9.79 enforcement .… 9.100–9.101 definition .… 9.81 disclosure obligations .… 9.85, 9.86 default information .… 9.87 false or misleading information .… 9.94–9.95 information governance .… 9.84 obligations .… 9.77–9.80 additional .… 9.83 refusal of credit, where .… 9.92 who is .… 9.81 credit reporting information definition .… 9.80 credit reporting system .… 9.79 enforcement .… 9.100–9.101 negative .… 9.79 dealing with .… 9.85–9.88 enhanced disclosure obligations .… 9.85–9.88 definition .… 9.80, 9.82 disclosure to credit reporting body .… 9.86–9.88 enforcement .… 9.100–9.101 false or misleading information .… 9.94–9.95 personal information .… 9.77, 9.82 regulation of .… 9.78 regulated information, definition .… 9.80 Cyber security attacks, origins of .… 11.5 criminal investigations .… 11.2 cybercrimes .… 11.2 data breach laws .… 11.17–11.18

continuous disclosure regime .… 11.18 evidence .… 11.3, 11.26–11.27 law in corporate context .… 11.1, 11.3, 11.7–11.25 consumer protection laws .… 11.23–11.25 contract law .… 11.19–11.22 data breach laws .… 11.17–11.18 directors’ duties .… 11.13–11.15 breach, consequence of .… 11.16 privacy law .… 11.8 breach, consequence of .… 11.11–11.12 reasonable steps test .… 11.9–11.10 risk management .… 11.28 security controls, adequacy .… 1.11, 11.4 threat environment .… 11.1, 11.3, 11.4–11.6 categories of attacks .… 11.5 commodity attacks .… 11.5 level of risk .… 11.4 targeted attacks .… 11.5

D Databases breach of confidence .… 3.1 contract law protection .… 3.1 copyright protection .… 2.31, 2.34, 2.37–2.38, 2.65 compilation of data .… 2.46 dynamic nature of .… 2.40 evidence of authorship .… 2.39–2.53 human .… 2.39, 2.42–2.45 IceTV .… 2.39–2.47 non-relational databases .… 2.45 operational databases .… 2.45 Phone Directories cases .… 2.48–2.53, 2.65 relational databases .… 2.45

technical nature of .… 2.41 unstructured data .… 2.45 creation .… 3.1 financial investment .… 3.1 definition in Database Directive .… 3.4 European Union Database Directive .… 2.61, 3.1, 3.2–3.3, 3.37 see also European Union Database Directive definition of database .… 3.4 duration and remedies .… 3.34–3.36 European Court of Justice (ECJ) interpretation .… 3.6–3.7 application of ECJ ruling to recent Australian cases .… 3.23–3.33 British Horseracing Board (BHB) case .… 3.6–3.7 creation doctrine .… 3.9–3.10 direct or indirect copying .… 3.16 ‘extraction’ .… 3.16–3.21 IceTV case .… 3.24–3.32 impact of ECJ approach .… 3.22 implications of BHB ruling .… 3.11–3.12 ‘obtaining’ requirement .… 3.8 Phone Directories case and .… 3.10, 3.33 ‘presentation’ requirement .… 3.15 qualitative evaluation of substantial part .… 3.19–3.21 quantitative evaluation of substantial part .… 3.18 ‘re-utilization’ .… 3.16–3.21 substantial part .… 3.17 ‘verification’ requirement .… 3.13–3.14 extraction and utilisation, prevention of .… 3.4 purpose of .… 3.4–3.5 scope of protection .… 3.5 sui generis right .… 3.5 human authorship .… 2.39, 2.42–2.47 protection of investment in .… 3.1 unjust enrichment .… 3.1, 3.38–3.44, 3.45–3.47 see also Unjust enrichment law of .… 3.38

mistaken payments .… 3.42 application to database protection .… 3.44 ‘recognised categories’ of case .… 3.41–3.42 US tort of misappropriation .… 3.40 Victoria Park Racing case .… 3.39 vitiated intention cases .… 3.43 application to database protection .… 3.44 Direct marketing communication at distance .… 9.44 consent .… 9.48, 9.50 balance of interests .… 9.57 definition .… 9.50 express or implied .… 9.50, 9.54 failure to opt out as consent .… 9.51 implied .… 9.50 impracticable to obtain .… 9.55–9.57 inference of .… 9.50, 9.52 ‘unsolicited electronic commercial email .… 9.53 definition .… 9.41 Code of Practice of Australian Direct Marketing Association (ADMA) .… 9.42 Macquarie Dictionary .… 9.43 Office of the Privacy Commissioner (OPC) .… 9.43 exceptions to prohibition .… 9.45, 9.48 source of information .… 9.46 mass-marketing/indirect marketing, distinction .… 9.43 methods of communication .… 9.44 opting out .… 9.47, 9.49 failure to opt out as consent .… 9.51 means of .… 9.58 prohibition exceptions .… 9.45–9.59 sensitive information .… 9.59 spam .… 9.50, 9.51–9.54

unsubscribe facility .… 9.51 Directors and officers civil liability for failure to comply with periodic reporting requirements .… 5.9–5.10 class action liability .… 5.23 criminal liability where .… 5.11 cyber security, duties and .… 11.13–11.15 breach, consequence of .… 11.16 directors’ report .… 5.6–5.7 disclosure of director’s interests .… 8.47–8.49 duty of good faith .… 8.52 fiduciary duties .… 8.51–8.53 use of corporate information, prohibitions .… 8.54–8.58 liability .… 8.59–8.60 penalties .… 8.59–8.60 periodic reports liability for failure to disclose .… 5.12–5.15 reasonable steps in preparing and approving information .… 5.16–5.17 duty of care and diligence of reasonable person .… 5.18–5.20 security duties .… 11.13–11.15 breach, consequence .… 11.16 due diligence .… 11.15 scope .… 11.14 use of corporate information, prohibitions .… 8.54–8.58 Disclosure class action liability failure to comply with periodic disclosure laws .… 5.21–5.24 consumer protection .… 1.19 see also Consumer protection law continuous .… 1.5, 1.11, 5.59–5.61, 5.99–5.100 Australian Securities Exchange (ASX) Listing Rules .… 5.62–5.86 see also Australian Securities Exchange (ASX) Listing Rules contravention .… 5.61 data breach .… 11.18 due diligence defence .… 5.96–5.97

enhanced disclosure .… 5.59 liability under other laws .… 5.98 listed disclosing entities .… 5.60, 5.61 offences .… 5.92–5.95 civil .… 5.92–5.93 criminal .… 5.94–5.95 statutory rules .… 5.87 due diligence defence .… 5.96–5.97 generally available information .… 5.88–5.89 offences .… 5.92–5.95 person involved in contravention .… 5.90–5.91 unlisted disclosing entities .… 5.60 corporate information .… 1.17 employees .… 4.29–4.31 limits or controls on use .… 1.21 credit regulation see Consumer protection law defence for all disclosure documents .… 5.37–5.38 reasonable reliance on information given by others .… 5.37 what constitutes .… 5.38 director’s interests .… 8.47–8.49 enforcement/litigation context .… 1.20 see also Enforcement and litigation financial report .… 5.5 fundraising .… 5.26–5.36 see also Prospectus information asymmetry .… 5.2, 7.1 investor protection .… 1.5, 5.1, 5.2 legal compulsion .… 4.38 liability of directors and officers .… 5.12–5.15 civil .… 5.9–5.10 criminal .… 5.11 duty to take reasonable steps .… 5.16–5.17 duty of care and diligence .… 5.18–5.20 mandatory disclosure regimes .… 1.5, 1.24, 5.1, 5.101 due diligence to compliance .… 5.3 periodic disclosure .… 5.4–5.25

purpose of mandatory disclosure laws .… 5.2 ‘reasonable steps’ defence .… 5.2, 5.5 strict liability for breaches .… 5.2, 5.5 type of information .… 5.3 periodic disclosure .… 5.4, 5.25 auditor’s report .… 5.8 civil liability .… 5.9–5.10 class action liability .… 5.21 auditors .… 5.24 company .… 5.22 directors .… 5.23 criminal liability .… 5.11 directors’ report .… 5.6–5.7 contents, general .… 5.6 contents, specific .… 5.7 listed entity requirements .… 5.6, 5.7 disqualification orders .… 5.9 failure to disclose .… 5.12–5.15 duty of care and diligence .… 5.18–5.20 reasonable steps duty .… 5.16–5.17 financial report .… 5.5 accounting standards .… 5.5 directors’ declarations .… 5.5 reasonableness, concept of .… 5.5 standard of proof .… 5.10 personal information .… 1.5, 1.22 product disclosure documents see Product disclosure documents prospectus see Prospectus takeovers see Takeovers whistleblowers, by .… 4.36–4.37

E Employees

confidential corporate information, use and disclosure by .… 4.29–4.31 use of corporate information, prohibitions .… 8.54–8.58 liability .… 8.59–8.60 penalties .… 8.59–8.60 Enforcement and litigation ACCC, information-gathering powers .… 7.9 ASIC, information-gathering powers .… 7.4–7.8 legal professional privilege .… 7.5–7.7 privilege, forms of .… 7.5 disclosure in litigation .… 7.10–7.11 discovery .… 7.10 use of information .… 7.11 information asymmetry .… 7.1 legal professional privilege .… 7.5, 7.13 communications .… 7.16 third parties, to .… 7.18 elements .… 7.14 legal adviser .… 7.15 loss of .… 7.19–7.23 onus .… 7.17 power to refuse disclosure .… 7.12–7.13 regulators .… 7.1 refusal to provide information or documents to .… 7.2 self-incrimination, privilege against .… 7.5 European Union Database Directive .… 2.61, 3.1, 3.2–3.3, 3.37 definition of database .… 3.4 duration and remedies .… 3.34–3.36 European Court of Justice (ECJ) interpretation .… 3.6–3.7 application of ECJ ruling to recent Australian cases .… 3.23–3.33 British Horseracing Board (BHB) case .… 3.6–3.7 creation doctrine .… 3.9–3.10 direct or indirect copying .… 3.16 ‘extraction’ .… 3.16–3.21 IceTV case .… 3.24–3.32

impact of ECJ approach .… 3.22 implications of BHB ruling .… 3.11–3.12 ‘obtaining’ requirement .… 3.8 Phone Directories case and .… 3.10, 3.33 ‘presentation’ requirement .… 3.15 qualitative evaluation of substantial part .… 3.19–3.21 quantitative evaluation of substantial part .… 3.18 ‘re-utilization’ .… 3.16–3.21 substantial part .… 3.17 ‘verification’ requirement .… 3.13–3.14 extraction and utilisation, prevention of .… 3.4 extraction, meaning of .… 3.4, 3.16–3.21 purpose of .… 3.4–3.5 re-utilisation, interpretation .… 3.16–3.21 scope of protection .… 3.5 sui generis right .… 3.4, 3.5 laws analogous to .… 3.2 purpose of .… 3.4–3.5

F False information Corporations Act .… 8.61 offences under Pt 9.4 .… 8.62 penalties .… 8.63 market misconduct offences .… 8.64 penalties .… 8.64 Fiduciary duties director and company relationship .… 8.51 duty of good faith .… 8.52 use of corporate information .… 8.50–8.53 prohibition for directors, officers and employees .… 8.54–8.58 liability .… 8.59–8.60 penalties .… 8.59–8.60

Financial products or services insider trading see Insider trading misleading or deceptive conduct see Misleading or deceptive conduct Financial records see Corporate records Financial report contents .… 5.5 periodic disclosure requirements .… 5.5 Fundraising disclosure obligations under prospectuses .… 5.26 specific information .… 5.27

I Information see also Corporate information context and disclosure .… 1.24 corporate sovereignty .… 1.2, 1.15 impact of mandatory disclosure see Disclosure limits .… 1.17–1.22 corporate use of .… 1.1 defective .… 1.5 digital .… 1.3, 1.4, 1.6 disclosure see Disclosure exponential growth in .… 1.3, 11.4 information security and management .… 1.12 laws governing .… 1.2, 1.18 court approaches to .… 1.2 reasonableness, concept of .… 1.2, 1.24 study of .… 1.8–1.12 single framework, value of .… 1.2, 1.9–1.12 personal see Personal information proprietary nature .… 1.15 security see Cyber security value .… 1.4–1.7 Information economy .… 1.2, 1.4, 1.8

Information technology .… 1.8, 1.10 Insider trading breach .… 8.44–8.46 character of provisions .… 8.3 Chinese wall exception .… 8.37–8.39 civil liability, relief from .… 8.43 Cohen Committee Report .… 8.47–8.49 communication pursuant to legal requirement .… 8.36 continuous disclosure regime and .… 8.3, 8.4 distinctions .… 8.3, 8.4 exemptions .… 8.3 negative mirror .… 8.3 defences and exceptions .… 8.30 Chinese wall exception .… 8.37–8.39 communication pursuant to legal requirement .… 8.36 criminal offences .… 8.42 penalties .… 8.45 legal requirement exception .… 8.34–8.35 own intentions/activities defence .… 8.40–8.41 underwriter defence .… 8.32–8.33 withdrawal from registered scheme .… 8.31 director’s interests, disclosure of .… 8.47–8.49 equal information defence .… 8.42 financial products definition .… 8.7 able to be traded on financial market .… 8.8 information .… 8.3, 8.9 definition .… 8.9–8.10 inside .… 8.11–8.18 false .… 8.10 generally available .… 8.3, 8.12–8.16 big data .… 8.16 cases .… 8.13–8.14 springboard doctrine .… 8.15

inside information, what constitutes .… 8.11 materiality .… 8.3, 8.17–8.18 objective assessment .… 8.18 reasonable person .… 8.3, 8.18 possession of .… 8.19–8.20 actual or constructive knowledge .… 8.19 price or value, material effect on .… 8.17–8.18 purposes of insider trading provisions, for .… 8.10 relevant Div 3 financial products, about .… 8.7–8.8 inside information .… 8.11 generally available .… 8.12–8.16 material effect on price or value .… 8.17–8.18 legal requirement exception .… 8.34–8.35 own intentions/activities defence .… 8.40–8.41 penalties .… 8.44–8.46 civil .… 8.44 court orders .… 8.46 criminal .… 8.45 policy justifications .… 8.4 prohibitions .… 8.5 publication defence .… 8.42 registered scheme, withdrawal from .… 8.31 springboard doctrine .… 8.15 territorial connection requirements .… 8.21–8.23 tipping/communication offence .… 8.6, 8.24–8.29 trading and procuring offences .… 8.5, 8.24–8.29 brokers .… 8.25 fixed transaction price .… 8.28–8.29 interpretation of terms .… 8.24 ‘acquired’ .… 8.24, 8.25 ‘enter into an agreement’ .… 8.26 no contravention where .… 8.27 underwriter defence .… 8.32–8.33 Intellectual property law

information law issues .… 1.10

L Legal professional privilege communications .… 7.16 third parties, to .… 7.18 elements of .… 7.14 legal adviser .… 7.15 loss of .… 7.19 cases .… 7.22 common law .… 7.20 disclosure from one corporate officer to another .… 7.21 inadvertent or accidental disclosure .… 7.23 onus .… 7.17 rule of substantive law .… 7.6 use of .… 7.5, 7.13 Literary works see also Copyright compilation .… 2.13–2.15 meaning .… 2.13 selection or arrangement of data .… 2.15 Trade-Related Aspects of Intellectual Property Rights (TRIPS agreement) . … 2.14 computer program .… 2.16–2.18 corporate database system .… 2.17 definition .… 2.16 copyright protection of corporate information .… 2.6 compilation as literary work .… 2.13–2.15 computer program as literary work .… 2.16–2.18 purpose of corporate information .… 2.10 table as literary work .… 2.11–2.12 definition .… 2.7 case law .… 2.8–2.9 Hollinrake principle .… 2.8, 2.11–2.12, 2.32 purpose of corporate information .… 2.10

tables .… 2.11– 2.12

M Market misconduct offences .… 8.64 Misleading or deceptive conduct advertising .… 6.25–6.27 assessment by court .… 6.13 careless conduct .… 6.19 class of persons to whom conduct is directed .… 6.20–6.21 failure to disclose .… 6.22–6.23 financial product or service, in relation to .… 6.3–6.4 in relation to, interpretation of .… 6.5–6.7 opinions and forward-looking statements .… 6.24 silence .… 6.22–6.23 social/digital media cases .… 6.28–6.29 Google Adwords .… 6.29 state of mind, relevance of .… 6.15–6.16 statements that are literally true .… 6.14 statutory provisions .… 6.3–6.4, 6.32 advertising .… 6.25–6.27 assessment, objective test for .… 6.13 careless conduct .… 6.19 class of persons to whom conduct is directed .… 6.20–6.21 contravention .… 6.30–6.31 exclusions .… 6.4 interpretation and application .… 6.10 ‘deceptive’, meaning of .… 6.11 ‘likely to’, meaning of .… 6.12 state of mind .… 6.15–6.16 statements that are literally true .… 6.14 transitory effect and disclaimers .… 6.17–6.18 opinions and forward-looking statements .… 6.24 silence amounting to misleading conduct .… 6.22–6.23

social/digital media .… 6.28–6.29 trade or commerce, in .… 6.3 financial services, in relation to .… 6.3, 6.9 definition of financial services .… 6.8 examples .… 6.9 transitory effect and disclaimers .… 6.17–6.18

N National Privacy Principles .… 9.4, 9.51

P Personal information see also Privacy access to .… 9.74 no access where .… 9.74 primary access right .… 9.74 refusal of access and reasons .… 9.75 request for access and response .… 9.75 accountability approach .… 9.62–9.63 adequacy approach, distinction .… 9.62 Australian Privacy Principles (APPs) .… 9.5–9.6 information governance .… 9.16–9.21 biometric information .… 9.26, 9.38 collection, use and disclosure .… 1.5, 1.12, 9.1–9.3, 9.108 Australian Privacy Principles (APPs) .… 9.5–9.6 consent .… 9.27 consequences of not providing personal information .… 9.32–9.33 direct marketing .… 9.41–9.59 key disclosures by corporations in collection .… 9.22–9.35 biometric information .… 9.26–9.27 exceptions .… 9.26 objective test .… 9.24 reasonably necessary requirement .… 9.23 lawful and fair means .… 9.28

notification to individual .… 9.30 disclosure of information to overseas recipients .… 9.35, 9.60–9.67 Privacy Act .… 9.4 purposes of information collection .… 9.31, 9.36 biometric information .… 9.38 deeming provision .… 9.40 direct marketing .… 9.41–9.59 exceptions to secondary purpose use .… 9.37–9.39 primary purpose .… 9.36, 9.40 secondary purpose .… 9.37, 9.38 unfair terms .… 9.33, 9.34 unsolicited personal information .… 9.29 use and disclosure .… 9.36–9.40 Commonwealth Privacy Commissioner complaints and investigations .… 9.102–9.104 powers .… 9.105–9.107 complaints and investigations .… 9.102–104 correction of .… 9.76 credit eligibility information .… 9.89–9.92 credit information .… 9.77 see also Credit information access to and correction of .… 9.96–9.99 ban period .… 9.88 categories .… 9.80 credit reporting system .… 9.79 enforcement .… 9.100–9.101 dealing with .… 9.85–9.88 definition .… 9.82 disclosure to credit reporting body .… 9.86–9.88 false or misleading information .… 9.94–9.95 credit providers access to and correction of information .… 9.96–9.99 credit, definition .… 9.82 credit eligibility information .… 9.89–9.92 exceptions for use .… 9.90

integrity .… 9.93 penalties .… 9.91 repayment history information .… 9.90 credit reporting system .… 9.79 enforcement .… 9.100–9.101 disclosure obligations .… 9.85, 9.86 default information .… 9.87 false or misleading information .… 9.94–9.95 information governance .… 9.84 obligations .… 9.77–9.80 additional .… 9.83 refusal of credit, where .… 9.92 who is .… 9.81 cross-border disclosure .… 9.60–9.61 accountability approach .… 9.62–9.63 application of APPs .… 9.64–9.67 electronic method .… 9.61 government related identifiers .… 9.68–9.70 direct marketing .… 9.41–9.59 communication at distance .… 9.44 consent .… 9.48, 9.50 balance of interests .… 9.57 definition .… 9.50 express or implied .… 9.50, 9.54 failure to opt out as consent .… 9.51 impracticable to obtain .… 9.55–9.56 inference of .… 9.52 unsolicited electronic commercial email .… 9.53 definition .… 9.41 Code of Practice of Australian Direct Marketing Association (ADMA) . … 9.42 Macquarie Dictionary .… 9.43 exceptions to prohibition .… 9.45, 9.48 source of information .… 9.46

mass-marketing/indirect marketing, distinction .… 9.43 opting out .… 9.47, 9.49 failure to opt out as consent .… 9.51 means of .… 9.58 sensitive information .… 9.59 government related identifiers .… 9.68–9.70 information governance .… 9.16–9.21 Australian Privacy Principles (APPs) .… 9.16 policies and practices .… 9.17, 9.59 privacy policy requirement .… 9.18 contents .… 9.20–9.21 up-to-date .… 9.19 integrity and security of .… 9.71–9.73 accuracy .… 9.71 destruction of information .… 9.73 reasonable steps to ensure protection .… 9.72 retention of information .… 9.73 obligations .… 1.5 Privacy Act application .… 1.24, 9.2, 9.4 amending legislation .… 9.2, 9.3 impact on corporations .… 9.2 organisations and agencies .… 9.4 sensitive information .… 9.25, 9.26, 9.38 unsolicited .… 9.29 what constitutes .… 1.24, 9.7, 9.8–9.15 accretion of information .… 9.14–9.15 amending legislation .… 9.7, 9.8–9.15 assessment of information collection and management practices .… 9.14 data matching and linking .… 9.9–9.12 ‘reasonably identifiable’ .… 9.12–9.14 Price signalling laws application of .… 8.66 general prohibition .… 8.69 penalties .… 8.70–8.71

policy justification .… 8.65 price fixing character .… 8.65 private disclosure prohibition .… 8.67 deposits and credits .… 8.68 Privacy Australian Privacy Principles (APPs) .… 9.5–9.6 Commonwealth Privacy Commissioner complaints and investigations .… 9.102–9.104 powers .… 9.105–9.107 complaints and investigations .… 9.102–9.104 credit information see Credit information legislative amendments .… 9.2, 9.3 security of information .… 11.8 breach, consequence of .… 11.11–11.12 ‘reasonable steps’ test .… 11.9–11.10 Product disclosure documents (PDS) contents .… 5.50 defective disclosure liability .… 5.55–5.57 civil liability .… 5.55 criminal liability .… 5.56 defences .… 5.57 general disclosure requirement .… 5.52 influence test .… 5.52 information .… 5.51 limits on disclosure .… 5.53–5.54 due diligence requirement, omission of .… 5.53 knowledge requirements .… 5.53 unreasonable to include information .… 5.54 overview .… 5.58 specific requirements .… 5.51 subjectivity and over-disclosure .… 5.51, 5.58 statements .… 5.51 Property alienation and information .… 1.15

Prospectus defects in .… 5.32–5.33 defences .… 5.34 due diligence .… 5.35–5.36 general disclosure document defence .… 5.37–5.38 misleading statements .… 5.32 penalties .… 5.33 disclosure obligations .… 5.26, 5.39 general information .… 5.28 reasonable investor standard .… 5.28 case law .… 5.29–5.31 specific information .… 5.27 reasonable investor test .… 5.28 case law .… 5.29–5.31 forward-looking statements or profit forecasts .… 5.30 limitations .… 5.28 over-disclosure .… 5.28

R Restraint of trade .… 4.31

S Self-incrimination privilege against .… 7.5 Springboard doctrine .… 8.15

T Takeovers bidder’s statement, disclosure obligations .… 5.41–5.44 defects in documents .… 5.48 key disclosures .… 5.40, 5.49 bidder’s statement .… 5.41–5.44

principles .… 5.43 scope of requirements .… 5.42 competing obligations .… 5.47 other relationship laws, relationship .… 5.47 target’s statement .… 5.45–5.46 target’s statement .… 5.45–5.46 Target’s statement disclosure obligations .… 5.45–5.46 duty of care .… 5.46 statutory .… 5.45 Technology see Information technology Telecommunications Consumer Protection Code .… 6.45–6.48 Trade-Related Aspects of Intellectual Property Rights (TRIPS agreement) compilation, definition .… 2.14 Trade secrets .… 1.4, 4.16, 4.21, 4.29, 4.30 exemption from continuous disclosure provisions .… 8.3 loss of confidentiality .… 5.83 what constitutes .… 4.30

U Unfair contract terms Australian Consumer Law (ACL) .… 6.35 application .… 6.36 consumer contracts .… 6.36 standard form .… 6.37 reviews by corporations .… 6.43 court considerations .… 6.39 prominence of disclosure .… 6.42 transparency requirement .… 6.40–6.41 disclosure provision .… 6.34 meaning .… 6.38 Unjust enrichment common law .… 3.38

database protection .… 3.1, 3.38–3.44, 3.45–3.47 law of .… 3.38 development of, case for .… 3.45–3.46 mistaken payments .… 3.42 application to database protection .… 3.44 principle of law .… 3.38 protection of information, need for .… 3.38 economic value .… 3.38, 3.39 ‘recognised categories’ of case .… 3.41–3.42 US tort of misappropriation .… 3.40 Victoria Park Racing case .… 3.39 vitiated intention cases .… 3.43 application to database protection .… 3.44

W Whistleblowers disclosure by .… 4.36–4.37