Already a fast-moving area, the pace of change in the technology, media and telecommunications (TMT) sector increased further during the COVID-19 pandemic, with this trend likely to continue in 2021.
In this three-part series, the Corrs TMT team unpack some of the issues we think general counsel should be following closely this year.
In part three, we consider:
- digital transformation post COVID-19;
- national defamation reforms;
- cyber security regulations for critical infrastructure;
- the implications of the EU Schrems II decision for cross-border data flows.
Acceleration of digital transformation post COVID-19 - Arvind Dixit
COVID-19 has challenged many businesses to re-think the way in which they engage with their customers and stakeholders. This has necessitated the prioritisation of technology projects which enable greater digital engagement and reduce the reliance on cumbersome manual processes.
In essence, organisations are being forced (by customers, shareholders and Boards) to accelerate key aspects of their digital transformations in order to compete and thrive in a post COVID-19 environment.
Activities like multi-sourcing, cloud migration, adoption of AI, disaster recovery planning and cyber resilience, which have traditionally been the domain of the CTO and CIO, are increasingly Board matters given their impact on revenue generation and supply chain resilience. GCs will need to be actively involved in understanding an organisation's technology roadmap, key data flows, and in navigating the inherent risks associated with these business critical projects.
There is likely to be increased internal pressure for technology projects to be fast-tracked, and one way of managing this pressure is for the GC to take an active role in framing the governance model and control structures around the delivery of these projects.
National defamation reforms - Richard Leder
In July 2020, the Council of Attorneys-General approved the Model Defamation Amendment Provisions. New South Wales was the first state to enact the changes, with Victoria and South Australia following closely behind. It is expected that the same changes will be passed in all other states and territories and that the amendments will take effect later this year.
Some significant inclusions are:
- the requirement that a plaintiff must give a concerns notice to a defendant prior to commencing court action and is limited to suing on those imputations;
- a 'serious harm' element to weed out trivial
- a new defence for publications made in the public interest;
- provisions aimed at clarifying the statutory cap for damages for non-economic loss.
These changes seek to improve the balance between protecting individual reputations and freedom of expression, decreasing the number of defamation cases ending up in court, and reducing the increasing damages payouts that have been seen in recent years.
The reforms also introduce a 'single publication' rule which means that the limitation periods for online publications no longer reset each time the publication is downloaded. Some other significant anomalies regarding publications in social media, particularly questions around the liability of content hosts for material published on their platforms, remain to be addressed.
Critical infrastructure to be subject to tough cyber security regulations - Michael do Rozario
The Australian Government is amending the Security of Critical Infrastructure Act 2018 (Act) to regulate cyber security risk management, and to provide a mechanism to allow the Australian Signals Directorate to directly monitor software on privately owned infrastructure.
Under the proposed amendments, the concept of 'Critical Infrastructure Assets' has been expanded to include infrastructure in a much broader range of sectors, including financial services, broadcasting, data storage, freight, public transport, aviation, defence, energy and electricity, hospitals, education and food. Notably, the rules may designate particular assets, or assets that meet certain requirements that are critical to the security and reliability of the sector or business, as 'Critical Infrastructure Assets'.
The proposed amendments impose onerous cyber security and reporting obligations on owners and operators of critical infrastructure, including:
- maintaining a risk management program, which will be specified on a sector-specific basis in the rules; and
- an obligation to report certain incidents to the Australian Cyber Security Centre within 12-24 hours.
Where reporting obligations are not met, the Australian Signals Directorate has the power to install its own information monitoring software on the infrastructure. There are civil penalties for failing to comply with the provisions of the Act.
The proposed amendments also grant the Government powers of intervention that are unprecedented in Australia and the '5 eyes' security alliance. For instance, where the Government believes that the owner or operator of a critical asset is unwilling or unable to deal with a cyber security incident, it may direct the owner or operator to take action, or require the Australian Signals Directorate to 'step-in' and take action itself. This action may include accessing, modifying, adding, copying, deleting, connecting or removing computers, programs, devices and data. The Government has immunity from civil actions for any harm caused by such 'step-in'.
The amendments will have significant consequences for participants in those newly regulated sectors, as well as the technology and software companies that supply services to those sectors.
EU Schrems II decision: implications for cross-border data flows - Philip Catania
Companies in Australia that regularly receive or process personal data from the EU should be aware of the changes arising from last year's judgment of the Court of Justice of the European Union in Schrems II, and changes to the European Standard Contractual Clauses (SCCs) following the Court's decision.
European data exporters are expected to undertake a case-by-case assessment before transferring personal data to an overseas country, to determine if the overseas country provides an adequate level of data protection. If it does not, then additional safeguards need to be implemented. Importantly, the Court emphasised that the assessment needs to consider the data protection laws of the overseas country as well as the rights of public authorities and law enforcement to access personal data held in that country.
Australian businesses can therefore expect to be subject to rigorous due diligence by European customers before they will transfer personal data to Australia for processing. This might involve:
- completing detailed data security questionnaires;
- providing information about the Australian business' data processing systems for assessment; and
- developing policies for responding to requests for access to personal data by public authorities and law enforcement.
Looking ahead, the European Commission is expected to update the SCCs soon. The new SCCs will contain more extensive obligations for data importers, which are similar to the requirements for processors under the EU's General Data Protection Regulation (GDPR). Australian companies will have a short window to consider and implement any changes needed to comply with the stricter obligations under the new SCCs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.