AYB230 · Corporations Law
Current Issues: Climate Risk & Privacy
This Topic 7 chapter treats two modern risk areas as extensions of the directors' duties already covered: climate-change risk (managing long-term risk, avoiding greenwashing under s1041H/E) and data obligations under the Privacy Act 1988 (Cth). It maps the 13 Australian Privacy Principles, the notifiable data breach scheme (s26WK–WL), the OAIC regulator, and the distinction between data protection and data privacy. It was a major source for Assessment 2 and is examined as ILAC and short-answer — identify the obligation, cite the principle or section, apply it to the facts.
What this chapter covers
1. Climate-change risk as an extension of directors' duties (Topics 4–6)
2. Greenwashing exposure: misleading or deceptive conduct (s1041H, s1041E; s12DA ASIC Act)
3. Privacy Act 1988: applies to organisations with annual turnover over $3 million
4. The 13 Australian Privacy Principles (APPs) and how they are grouped
5. The Office of the Australian Information Commissioner (OAIC) as regulator
6. Notifiable data breach scheme (s26WK–WL): notify the OAIC and affected individuals
7. Data protection vs data privacy; the Consumer Data Right (CDR)
8. Comparison with the EU's GDPR rights
Privacy: APP breach & a notifiable data breach (ILAC, Privacy Act 1988)
- +1 Issue: (a) Did DataMint breach the Australian Privacy Principles, and (b) what are its obligations once the breach has occurred?
- +2 Law: The Privacy Act 1988 applies because DataMint's turnover exceeds $3m. APP6 limits use of personal information to the purpose for which it was collected, and APP7 permits direct marketing only with consent. The notifiable data breach scheme (s26WK–WL) requires an entity to notify the OAIC and affected individuals as soon as practicable after an eligible data breach likely to cause serious harm.
- +2 Application: Using the personal information for unconsented direct marketing breaches APP7 (and APP6). The hack is an eligible data breach likely to cause serious harm, so the NDB scheme is triggered; a three-week silent delay before notifying is not 'as soon as practicable' and is non-compliant.
- +1 Conclusion: DataMint breached APP6/APP7 and the NDB scheme. It must promptly notify the OAIC and the affected individuals and remediate; the OAIC may investigate and impose penalties.
Key terms
- Privacy Act 1988 (Cth): The federal statute governing how organisations handle personal information. It applies to organisations with an annual turnover over $3 million (and to certain smaller health and data-handling businesses), and is administered by the OAIC.
- Australian Privacy Principles (APPs): The 13 principles at the core of the Privacy Act, running from APP1 (open and transparent management of personal information) to APP13 (correction). They are grouped around collection, use and disclosure (including APP6 use and APP7 direct marketing), data quality and security, and access and correction.
- Notifiable data breach scheme (s26WK–WL): The regime requiring an entity to notify both the OAIC and the affected individuals as soon as practicable after an eligible data breach — unauthorised access to or loss of personal information that is likely to result in serious harm.
- OAIC: The Office of the Australian Information Commissioner — the regulator that administers the Privacy Act, oversees the APPs and the notifiable data breach scheme, investigates complaints, and can impose penalties for non-compliance.
- Greenwashing: Making misleading or false environmental claims about a company's products or conduct. There is no specific Australian statute on it, so it is pursued through the general misleading-and-deceptive-conduct provisions (s1041H and s1041E of the Corporations Act, s12DA of the ASIC Act), and treated as an extension of directors' risk-management duties.
- Data protection vs data privacy: Data protection is about safeguarding information from corruption or loss (backups, recovery, security). Data privacy is about controlling what data may be shared and with whom — ensuring authorised access and preventing unauthorised access. The Privacy Act and APPs are mainly about privacy, while security obligations support it.
Current Issues: Climate Risk & Privacy FAQ
Does the Privacy Act apply to every business?
No. The Privacy Act 1988 applies to organisations with an annual turnover of more than $3 million, plus certain smaller businesses that handle health records or trade in personal information. Always check the turnover threshold first — if the entity is below $3m and no special category applies, the Act (and the APPs) generally does not bind it. This threshold is a common exam discriminator.
What must a company do after a data breach?
If the breach is an 'eligible data breach' — unauthorised access to or loss of personal information likely to result in serious harm — the notifiable data breach scheme (s26WK–WL) requires the entity to notify the OAIC and the affected individuals as soon as practicable. A delay (such as waiting weeks) is non-compliant, and the OAIC can investigate and impose penalties. The APP breach that caused or accompanied the breach is a separate issue from the notification obligation.
How does climate-change risk connect to directors' duties?
It is taught as an extension of the duties in Topics 4–6 rather than a standalone law. Directors must manage long-term and foreseeable risks — including climate risk — in the company's interests, balance present and future members' interests, and disclose truthfully. Misleading environmental claims (greenwashing) expose the company and directors to the misleading-and-deceptive-conduct provisions (s1041H/E, s12DA ASIC Act). There is no direct Australian case on director liability for climate risk, so you argue by analogy to climate and greenwashing litigation.
How do the APPs compare with the GDPR?
The EU's General Data Protection Regulation (2018) confers seven individual rights — to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, and to object. The Australian APPs cover similar ground (transparency, collection limits, use and disclosure, security, access and correction) but are framed as principles binding organisations rather than as a catalogue of individual rights, and apply only above the $3m turnover threshold.
Exam move
Treat this chapter as two separate exam tools. For climate risk, frame it as an application of the directors' duties you already know (manage foreseeable long-term risk, disclose truthfully) and keep the greenwashing provisions ready (s1041H/E, s12DA ASIC Act) — there is no direct case, so argue by analogy. For privacy, build a checklist: (1) does the Act apply (turnover >$3m)? (2) which APP is engaged (APP6 use, APP7 direct marketing, etc.)? (3) is there an eligible data breach triggering the s26WK–WL notification to the OAIC and individuals? Keep the data-protection vs data-privacy distinction and the CDR/GDPR comparison ready for short-answer. Cite the principle number or section and apply it to the specific facts.