What happens when the pendulum on self-regulation starts to swing back in?
The market reforms of the 1980s brought into fashion a lighter hand of government. Into fashion, too, came the concept of self-regulation. Industry would no longer have to feel the weight of government bureaucracy. It would instead be empowered – as those with the best understanding of their field – to be the regulator of first instance, with an enforcement body standing by with a hose.
To support that philosophy, successive governments have favoured regulating by educating, rather than enforcement. But that approach has not altogether played out in the way it was fondly hoped. Businesses, left to absorb the lessons of an educative approach, have often failed to complete the assignment.
Inevitably, failings have become evident, harm has been done, and so the pendulum has begun to move. Which is why we now find ourselves in a landscape where light-handed regulation is less in fashion and consumers are calling out for stronger, tougher regulation.
Those businesses who now find themselves targeted had plenty of notice that the pendulum was about to swing back. Boards in other sectors would be wise to also take note of the shift in mood – from consumers, policymakers and regulators. Regulators who come knocking are the new black.
Two facets of the information age offer useful examples of the change in regulatory heft. In one case, parliament has already legislated to increase the pressure; in the other, it is only a matter of time before it will.
At its inception, the Privacy Act established principles relating to collection, use, disclosure and destruction of personal information, which are not insignificant considerations.
However, it gave the Privacy Commissioner only light levers to pull and few teeth to bare. The commissioner could only act after someone’s privacy had been breached and a complaint filed. In many cases, individuals will never have known their privacy was breached and, for others, the process of making a complaint (with the burden initially on the individual to do so) would have seemed like more effort than was worthwhile.
But 2020 brought the new Privacy Act and altogether more substantial expectations on organisations to ensure their house is in order. The Act introduced a privacy breach notification regime; it is an offence to fail to inform the Office of the Privacy Commissioner and the individuals concerned when there has been a notifiable privacy breach. Liability for breach notifications sits with the organisation or business, not with individual employees. The Privacy Commissioner can also now issue compliance notices requiring a business to do something or stop.
The first notice was issued in September 2021 to the Reserve Bank, following a major cyberattack. The full details of the notice have never been published out of concerns for security, but the notice was related to the Reserve Bank’s breach of Privacy Principle 5, under which agencies that hold personal information must have reasonable security safeguards in place to protect personal privacy. Businesses that do not comply with compliance notices will be fined.
The 2020 Act introduces other new criminal offences, too – for misleading an agency to access someone else’s information (e.g. impersonating someone else in order to access information you are not entitled to) or for destroying documents if a request has been made to see them. The penalty for these offences is a fine of up to $10,000.
The ‘more active’ new setting also puts all boards on notice that privacy requires vigilance, proper resourcing and closer attention than was required under the previous Act. Significantly, the advent of the new regime has seen complaints increase four-and-a-half times from the previous year.
In another sphere, there is a sense of waiting for the other boot to fall. The Harmful Digital Communications Act 2015 aims to deter, prevent and lessen harmful digital communications. We can all see how poorly that’s going.
Online harm has exploded and the iceberg reaches far below the waterline. Many citizens are victims we never hear of. Just a short time online will find transgressions identified by the HDC Act as harmful, ranging from breaches of confidences and false allegations to harassment, intimidation, threats and incitement of grave harm.
Regulating this behaviour has proved to be impossible. One contributing factor has been parliament’s decision to allow the ‘regulating’ of online harm to be managed by Netsafe. It is the wrong vehicle with the wrong tools.
Netsafe’s role is to ‘advise, negotiate, mediate and persuade’. It might have seemed constructive in 2015, but it is woefully inadequate in 2022 and beyond. Netsafe can offer advice to a victim of trolling, but its biggest weapon is a mere ‘summary’ that you have tried to resolve the incident and there are no more options available.
At that point, the individual must file proceedings in the District Court, which in turn can order that the material be taken down, issue cease and desist orders, order that a correction or apology be published, and release the name of the person behind any anonymous communication (though, increasingly, such people can be difficult to identify).
What is evident is public support for a swing of the pendulum back towards a more active role for the regulator, and less readiness to entrust the poacher with the gamekeeping. For directors, this shift in tolerance for risk means more attention will be required, not just because the regulator may come knocking but because your clients, customers and stakeholders may be calling on the regulator to do so.