03 March 2021
Already a fast-moving area, the pace of change in the technology, media and telecommunications (TMT) sector increased further during the COVID-19 pandemic, with this trend likely to continue in 2021.
In this three-part series, the Corrs TMT team unpack some of the issues we think general counsel should be following closely this year.
In part three, we consider:
Access part one of TMT trends to watch in 2021 and part two of TMT trends to watch in 2021.
COVID-19 has challenged many businesses to re-think the way in which they engage with their customers and stakeholders. This has necessitated the prioritisation of technology projects which enable greater digital engagement and reduce the reliance on cumbersome manual processes.
In essence, organisations are being forced (by customers, shareholders and Boards) to accelerate key aspects of their digital transformations in order to compete and thrive in a post COVID-19 environment.
Activities like multi-sourcing, cloud migration, adoption of AI, disaster recovery planning and cyber resilience, which have traditionally been the domain of the CTO and CIO, are increasingly Board matters given their impact on revenue generation and supply chain resilience. GCs will need to be actively involved in understanding an organisation’s technology roadmap, key data flows, and in navigating the inherent risks associated with these business critical projects.
There is likely to be increased internal pressure for technology projects to be fast-tracked, and one way of managing this pressure is for the GC to take an active role in framing the governance model and control structures around the delivery of these projects.
We have commented on some of the other key practical tips for GCs when managing digital transformation during and after the pandemic in previous articles (the future of outsourcing in the aftermath of COVID-19 and the digital future of customer experience with managing key risks).
In July 2020, the Council of Attorneys-General approved the Model Defamation Amendment Provisions. New South Wales was the first state to enact the changes, with Victoria and South Australia following closely behind. It is expected that the same changes will be passed in all other states and territories and that the amendments will take effect later this year.
Some significant inclusions are:
These changes seek to improve the balance between protecting individual reputations and freedom of expression, decreasing the number of defamation cases ending up in court, and reducing the increasing damages payouts that have been seen in recent years.
The reforms also introduce a ‘single publication’ rule which means that the limitation periods for online publications no longer reset each time the publication is downloaded. Some other significant anomalies regarding publications in social media, particularly questions around the liability of content hosts for material published on their platforms, remain to be addressed.
The Australian Government is amending the Security of Critical Infrastructure Act 2018 (Act) to regulate cyber security risk management, and to provide a mechanism to allow the Australian Signals Directorate to directly monitor software on privately owned infrastructure.
Under the proposed amendments, the concept of ‘Critical Infrastructure Assets’ has been expanded to include infrastructure in a much broader range of sectors, including financial services, broadcasting, data storage, freight, public transport, aviation, defence, energy and electricity, hospitals, education and food. Notably, the rules may designate particular assets, or assets that meet certain requirements that are critical to the security and reliability of the sector or business, as ‘Critical Infrastructure Assets’.
The proposed amendments impose onerous cyber security and reporting obligations on owners and operators of critical infrastructure, including:
Where reporting obligations are not met, the Australian Signals Directorate has the power to install its own information monitoring software on the infrastructure. There are civil penalties for failing to comply with the provisions of the Act.
The proposed amendments also grant the Government powers of intervention that are unprecedented in Australia and the ‘5 eyes’ security alliance. For instance, where the Government believes that the owner or operator of a critical asset is unwilling or unable to deal with a cyber security incident, it may direct the owner or operator take action, or require the Australian Signals Directorate to ‘step-in’ and take action itself. This action may include accessing, modifying, adding, copying, deleting, connecting or removing computers, programs, devices and data. The Government has immunity from civil actions for any harm caused by such ‘step-in’.
The amendments will have significant consequences for participants in those newly regulated sectors, as well as the technology and software companies that supply services to those sectors.
Companies in Australia that regularly receive or process personal data from the EU should be aware of the changes arising from last year’s judgment of the Court of Justice of the European Union in Schrems II, and changes to the European Standard Contractual Clauses (SCCs) following the Court’s decision.
European data exporters are expected to undertake a case-by-case assessment before transferring personal data to an overseas country, to determine if the overseas country provides an adequate level of data protection. If it does not provide, then additional safeguards need to be implemented. Importantly, the Court emphasised that the assessment needs to consider the data protection laws of the overseas country as well as the rights of public authorities and law enforcement to access personal data held in that country.
Australian businesses can therefore expect to be subject to rigorous due diligence by European customers before they will transfer personal data to Australia for processing. This might involve:
Looking ahead, the European Commission is expected to update the SCCs soon. The new SCCs will contain more extensive obligations for data importers, which are similar to the requirements for processors under the EU’s General Data Protection Regulation (GDPR). Australian companies will have a short window to consider and implement any changes needed to comply with the stricter obligations under the new SCCs.
This article is part of our insight series Future Focus – Legal developments to watch in 2021 and beyond. Watch and read more here.
Authors
Tags
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.
Head of Technology, Media and Telecommunications