Publication
Horizon Scanning: Investigations and Enforcement
In this horizon scan, we focus on key developments affecting companies operating in the UK, including in light of the recent change in UK government.
Global | Publication | January 2017
Authors Tricia Hobson, John Moran, Reece Corbett-Wilkins
After much anticipation, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) (Bill) was introduced into the Australian Parliament on 19 October 2016. If passed, organizations and Commonwealth government agencies subject to the Privacy Act 1988 (Cth) will be required to notify affected individuals and the Australian Privacy Commissioner of ‘eligible data breaches’. This affects Commonwealth government agencies and organisations that have a turnover of more than A$3 million annually, as well as some small businesses such as private health service providers.
As outlined in the Bill’s accompanying explanatory memorandum, there have been a number of changes to the Bill since last year’s exposure draft circulated by the Attorney-General’s Department. Some of the key changes include:
While some of the more objectionable elements of the exposure draft have been removed or pared back, the essence of the Bill remains the same. Organisations and Commonwealth Government agencies will have an obligation to notify the Australian Privacy Commissioner and affected or at-risk individuals if an eligible data breach occurs. A failure to do so will be deemed to be an interference with the privacy of the individual(s). Civil penalties of up to A$360,000 for individuals and A$1,800,000 for bodies corporate may apply for serious or repeated interferences with privacy.
As the introduction of a mandatory data breach notification scheme has previously received bipartisan support, it is possible that the Bill could pass relatively quickly through the Parliament. Although the Government has previously committed to passing the Bill in the Spring 2016 Parliamentary session, it remains to be seen whether this occurs.
If passed, the Bill will likely commence 12 months after receiving Royal Assent (if not sooner). While this may seem like a long time away, entities should start preparing for the proposed notification requirements now.
In its current form, the Bill will require entities to act quickly in assessing whether notifications need to be made. Upon becoming aware of a suspected eligible data breach, entities will have 30 days to confirm whether an eligible data breach has occurred and, if it has, will be required to notify as soon as practicable thereafter.
Given the fast-paced and constantly evolving nature of data breaches (and other cyber-incidents), there is little opportunity for ‘learning as you go’. Please contact us should your organization require any assistance in preparing for, or responding to, a cyber incident.
The August 2016 first-of-its-kind judgment against South African Airways (SAA) in favour of Nationwide Airlines, for damages arising from conduct that was held to be an anti-competitive exclusionary act preventing Nationwide from entering into or expanding within the travel market, raises the interesting question whether the loss is insurable by the company and the directors.
SAA paid bonuses and gave free air tickets as incentives to travel agents to direct more flight bookings to it. The Competition Act enables a person to sue anyone found by the competition authorities to have engaged in prohibited anti-competitive conduct for damages.
The principle is that an insurer is not bound to indemnify deliberate unlawful behavior. This includes indirect intent.
The company sued would claim under its public liability policy. Standard policy wordings exclude fines, penalties, punitive, exemplary or vindictive damages but not all damages arising from unlawful conduct. Policies often cover negligence for instance. Every case will have to be looked at on its facts to see whether there was intentional unlawful activity.
In the competition setting, cartel behaviour is normally deliberate unlawful conduct. In a case like the SAA case, the incentives may have been given in the bona fide belief, after taking legal advice, that they were lawful, and insurers could be exposed if those are the facts. The competition authorities do not have to find a subjective intention, so further evidence may be needed to consider the insurance claim.
Cover under a directors and officers (D&O) policy is for unlawful acts. The Companies Act prohibits a company, and its insurers, from indemnifying a director for wilful misconduct or wilful breach of trust and for carrying on business with gross negligence or with intent to defraud or for any fraudulent purpose. Once again it will be a question of fact whether the director or prescribed officer was guilty of the kind of conduct that is excluded as a deliberately dishonest or fraudulent act under the policy.
Under a liability policy the insured must be ‘legally liable to pay’ which could be when the final damages judgment of the high court comes out. The anticipated loss should of course be reported or disclosed earlier. Under the D&O policy it will usually be claims-made cover.
Is this a threat or an opportunity? Insurers should decide whether they want to create specific liability under their policies or to exclude liability under their policies to deal with claims relating to anti-competitive behavior. Many liability policies already have exclusions for liability arising from breach of the Competition Act.
A Consultation Paper on the Introduction of an Inward Redomiciliation Regime was jointly issued by the Ministry of Finance (MOF) and the Accounting and Corporate Regulatory Authority of Singapore (ACRAS) on 26 October 2016.
The consultation proposes to introduce a new set of re-domiciliation provisions to the Singapore Companies Act (SCA) to allow foreign corporations to transfer their corporate registration to Singapore.
The authorities have made it clear that re-domiciliation will only be allowed for foreign entities where there are likely prospects for a positive commercial contribution to Singapore.
Furthermore, it is proposed that redomiciliation will only be available to foreign corporations that meet minimum criteria, which are based on the existing criteria for the assessment of a small company under the SCA. This means that a foreign corporation will need to meet minimum requirements relating to a minimum of S$10 million in revenue and/or assets with more than 50 employees for the past two financial years.
By using this proposed re-domiciliation registration process, the foreign corporation will be able to retain its identity and history and minimise operational disruptions.
Such an inbound corporation that is re-domiciled to Singapore will become a Singaporean company and will be required to comply with the requirements under the SCA like any other Singapore company.
The public consultation will run until 16 November 2016. The proposed redomiciliation provisions will form part of a larger Companies (Amendment) Bill to be confirmed sometime in the next two years.
The Prudential Regulation Authority (PRA) has published a consultation paper on Cyber Insurance Underwriting Risk (CP39/16), proposing a new supervisory statement setting out its expectations for the prudent management of cyber underwriting risk.
For the purposes of the draft statement, cyber underwriting risk is defined as the set of prudential risks emanating from underwriting insurance contracts that are exposed to losses resulting from a cyber-attack.
To assess these risks, the PRA carried out thematic work involving a variety of stakeholders from October 2015 to June 2016. The PRA’s work focused on the underwriting risks emanating from both affirmative cyber insurance policies as well as implicit cyber exposure within all-risks and other liability insurance policies that do not explicitly exclude cyber risk, referred to as ‘silent’ cyber risk.
The results of this work are summarized in an accompanying ‘Dear CEO’ letter, which highlights the following:
In light of the above, action is required across the non-life sector to mitigate the risks identified. In its consultation paper, the PRA sets out its expectations in relation to three main areas:
Written by Amy Teece, London
The European Commission (the Commission) has published the results of a public ‘Call for Evidence’ which sought feedback on the cumulative effect of recent financial sector rules brought in since the financial crisis. The results of the Call for Evidence will be used to feed into the development of future legislative initiatives within the European Union. In this exercise the Commission has looked across all policy areas to see where existing measures are still fit for purpose and whether there is a need for improvement.
Since 2009 over 40 pieces of financial services legislation have been introduced with the aim of stabilizing markets and better protecting consumers.
Following a review of the evidence on how these reforms have worked so far, the Commission has concluded that overall there is no need to change the existing framework. However, some amendments are needed in the following areas:
The aspects of Solvency II that require revision will be addressed in the forthcoming review of the regime. Going forward, the Commission will monitor progress in the implementation of the respective policy commitments and will publish its findings and next steps before the end of 2017.
© Norton Rose Fulbright LLP 2023