Queensland University of Technology · S1 2026 · FACULTY OF LAW

AYB230 · Corporations Law

50% final exam · hurdle · 14 chapters · 7-page Bible
Chapter 7 of 11 · AYB230

Current Issues: Climate Risk & Privacy

This Topic 7 chapter treats two modern risk areas as extensions of the directors' duties already covered: climate-change risk (managing long-term risk, avoiding greenwashing under s1041H/E) and data obligations under the Privacy Act 1988 (Cth). It maps the 13 Australian Privacy Principles, the notifiable data breach scheme (s26WK–WL), the OAIC regulator, and the distinction between data protection and data privacy. It was a major source for Assessment 2 and is examined as ILAC and short-answer — identify the obligation, cite the principle or section, apply it to the facts.

In this chapter

What this chapter covers

  • 01 Climate-change risk as an extension of directors' duties (Topics 4–6)
  • 02 Greenwashing exposure: misleading or deceptive conduct (s1041H, s1041E; s12DA ASIC Act)
  • 03 Privacy Act 1988: applies to organisations with annual turnover over $3 million
  • 04 The 13 Australian Privacy Principles (APPs) and how they are grouped
  • 05 The Office of the Australian Information Commissioner (OAIC) as regulator
  • 06 Notifiable data breach scheme (s26WK–WL): notify the OAIC and affected individuals
  • 07 Data protection vs data privacy; the Consumer Data Right (CDR)
  • 08 Comparison with the EU's GDPR rights
Worked example

Privacy: APP breach & a notifiable data breach (ILAC, Privacy Act 1988)

Q [6 marks]. DataMint Pty Ltd (turnover $12m) suffers a hack exposing 50,000 customers' personal information. It had been using that data for direct marketing the customers never consented to, and it waits three weeks before telling anyone. Using ILAC, (a) did DataMint breach the APPs, and (b) what must it do after the breach?
  • +1 Issue: (a) Did DataMint breach the Australian Privacy Principles, and (b) what are its obligations once the breach occurred?
  • +2 Law: The Privacy Act 1988 applies because DataMint's turnover exceeds $3m. APP6 limits use or disclosure of personal information to the primary purpose for which it was collected, APP7 permits direct marketing only where the individual has consented (or would reasonably expect it and can opt out), and APP11 requires reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. The notifiable data breach scheme (s26WK–WL) requires an entity to notify the OAIC and affected individuals as soon as practicable after an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm.
  • +2 Application: Using the personal information for unconsented direct marketing breaches APP7 (and APP6). The hack exposing 50,000 customers' records is an eligible data breach likely to cause serious harm, so the NDB scheme is triggered; a three-week silent delay before notifying is not 'as soon as practicable' and is non-compliant. If DataMint had not taken reasonable security steps, the hack itself also raises a separate APP11 breach.
  • +1 Conclusion: DataMint breached APP6/APP7 (and potentially APP11) and the NDB scheme. It must promptly notify the OAIC and the affected individuals and remediate; the OAIC may investigate and seek civil penalties.
DataMint breached APP6/APP7 (using data for unconsented direct marketing) and the s26WK–WL notifiable data breach scheme (a three-week delay is not 'as soon as practicable'); it must promptly notify the OAIC and affected individuals and remediate.
Sia tip: start every privacy problem by checking the $3m turnover threshold (does the Act even apply?), then split the answer into the APP breach and the post-breach NDB notification. They are two distinct obligations that each earn marks.
Glossary

Key terms

Privacy Act 1988 (Cth)
The federal statute governing how organisations handle personal information. It applies to organisations with an annual turnover over $3 million (and to certain smaller businesses regardless of turnover, such as health service providers and businesses that trade in personal information), and is administered by the OAIC.
Australian Privacy Principles (APPs)
The 13 principles at the core of the Privacy Act, running from APP1 (open and transparent management of personal information) to APP13 (correction). They are grouped around collection, use and disclosure (including APP6 use and disclosure and APP7 direct marketing), data quality and security (APP10 quality, APP11 security), and access and correction (APP12, APP13).
Notifiable data breach scheme (s26WK–WL)
The regime requiring an entity to notify both the OAIC and the affected individuals as soon as practicable after an eligible data breach: unauthorised access to, unauthorised disclosure of, or loss of personal information that a reasonable person would conclude is likely to result in serious harm to any of the individuals concerned.
OAIC
The Office of the Australian Information Commissioner: the regulator that administers the Privacy Act, oversees the APPs and the notifiable data breach scheme, investigates complaints and breaches, and can make determinations, accept enforceable undertakings and apply to the Federal Court for civil penalties for serious or repeated interferences with privacy.
Greenwashing
Making misleading or false environmental claims about a company's products or conduct. There is no specific AU statute on it, so it is pursued through the general misleading-and-deceptive-conduct provisions (s1041H and s1041E of the Corporations Act, s12DA of the ASIC Act), and treated as an extension of directors' risk-management duties.
Data protection vs data privacy
Data protection is about safeguarding information from corruption or loss (backups, recovery, security). Data privacy is about controlling what data may be shared and with whom — ensuring authorised access and preventing unauthorised access. The Privacy Act and APPs are mainly about privacy, while security obligations support it.
FAQ

Current Issues: Climate Risk & Privacy FAQ

Does the Privacy Act apply to every business?

No. The Privacy Act 1988 applies to organisations with an annual turnover of more than $3 million, plus certain smaller businesses that handle health records or trade in personal information. Always check the turnover threshold first — if the entity is below $3m and no special category applies, the Act (and the APPs) generally does not bind it. This threshold is a common exam discriminator.

What must a company do after a data breach?

If the breach is an 'eligible data breach' (unauthorised access to, unauthorised disclosure of, or loss of personal information likely to result in serious harm), the notifiable data breach scheme (s26WK–WL) requires the entity to notify the OAIC and the affected individuals as soon as practicable. Where the entity only suspects a breach, s26WH gives it up to 30 days to assess whether it is eligible; once it knows the breach is eligible, the notification clock runs. A delay beyond that (such as sitting on a known breach for weeks) is non-compliant, and the OAIC can investigate and seek penalties. The APP breach that caused or accompanied the breach (for example an APP11 security failure) is a separate issue from the notification obligation.

How does climate-change risk connect to directors' duties?

It is taught as an extension of the duties in Topics 4–6 rather than a standalone law. Directors must manage long-term and foreseeable risks — including climate risk — in the company's interests, balance present and future members' interests, and disclose truthfully. Misleading environmental claims (greenwashing) expose the company and directors to the misleading-and-deceptive-conduct provisions (s1041H/E, s12DA ASIC Act). There is no direct Australian case on director liability for climate risk, so you argue by analogy to climate and greenwashing litigation.

How do the APPs compare with the GDPR?

The EU's General Data Protection Regulation (in force since May 2018) confers a catalogue of individual rights: to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, and to object (plus rights relating to automated decision-making and profiling, often counted as an eighth). The Australian APPs cover similar ground (transparency, collection limits, use and disclosure, security, access and correction) but are framed as principles binding organisations rather than as a catalogue of individual rights, and apply to private-sector organisations only above the $3m turnover threshold (subject to the exceptions noted above).

Study strategy

Exam move

Treat this chapter as two separate exam tools. For climate risk, frame it as an application of the directors' duties you already know (manage foreseeable long-term risk, disclose truthfully) and keep the greenwashing provisions ready (s1041H/E, s12DA ASIC Act); there is no direct case, so argue by analogy. For privacy, build a checklist: (1) does the Act apply (turnover >$3m, or a special category)? (2) which APP is engaged (APP6 use and disclosure, APP7 direct marketing, APP11 security, etc.)? (3) is there an eligible data breach triggering the s26WK–WL notification to the OAIC and individuals, and was it made as soon as practicable? Keep the data-protection vs data-privacy distinction and the CDR/GDPR comparison ready for short-answer. Cite the principle number or section and apply it to the specific facts.
