Are you planning to buy or sell a business this year? 2023 is home to a raft of regulatory changes that could materially affect your business sale or acquisition. Recent amendments to the unfair contracts terms regime (UCT Regime) and the Privacy Act 1988 (Cth) (Privacy Act) are exposing businesses to increased regulatory scrutiny and requiring entities to review and update their internal processes.
In this article, we discuss the key regulatory areas which are shifting and should be further considered by stakeholders when conducting legal due diligence on a target entity or business.
A five-fold increase in penalties and a strengthening of the legislation surrounding unfair contract terms raises a looming risk that buyers need to consider when approaching legal due diligence.
On and from 9 November 2023, a standard form contract will fall under the UCT Regime if one party employed fewer than 100 persons or had a turnover in the last income year of less than $10 million.
The changes will affect:
- any new standard form contracts entered into on or after 9 November 2023
- any standard form contracts which are renewed on or after 9 November 2023.
See our summary of the changes to the unfair contracts regime, including penalties.
Due diligence considerations
There is an increasing shift to review standard form contracts through the lens of the upcoming UCT Regime, and compliance reviews can be substantial if a business uses a wide range of standard form contracts.
For each contract that a buyer is hoping to renew after 9 November 2023, a buyer should consider:
- if the proposed renewal is even permitted under the unfair contracts regime (as unilateral renewal clauses may be deemed unfair)
- if any amendments need to be made to the contract for the renewal term in order to comply with the new UCT Regime
- if the counterparty is, or should be, entitled to terminate as a result of any changes to the contract (as unilateral variations can also be deemed unfair).
Sellers should review their standard form contracts or terms and conditions to ensure they comply with the UCT Regime. Not only is this good as a matter of best practice, but a compliant set of standard form contracts will provide buyers with comfort that the business complies (and will continue to comply after 9 November 2023) with its obligations under the UCT Regime.
Privacy and data security
Buyer scrutiny on privacy and data security continues an upwards trajectory. Large-scale data breaches were rampant during 2022 and this threat is not showing any signs of slowing down in 2023.
In response to this concerning trend, the government has taken steps to discourage businesses from overlooking their data security obligations. The Privacy Act saw a refurbishment in late 2022 when maximum penalties were significantly increased and the OAIC was granted new investigatory and enforcement powers.
These changes substantially increase risk exposure to privacy and data security issues, particularly given that the OAIC is already making use of its new powers and has been proactively reviewing data handling practices. Loss of goodwill and customer retention, combined with substantial regulatory penalties, can be a significant risk for a buyer.
In addition to stringent technical due diligence on a target, a prudent buyer should:
- review the target’s data retention policies and procedures to ensure that data is not retained for longer than required (and check that the target has actually complied with these policies and procedures)
- consider which third parties may have access to the data, and confirm if there are appropriate measures in place to control and protect such access.
The government is also considering the recommendations of the recent Privacy Act Review Report (read our summary here). Stakeholders should carefully watch this space, particularly in relation to a potential new right for individuals to take direct action in courts.
Other regulatory considerations
The above changes are only the tip of the iceberg for shifts in regulatory matters in the remainder of this year. Stakeholders will also need to consider changing views and increased regulatory action in relation to matters such as:
- whistleblowing: ASIC has recently released a new Report 758 Good practices for handling whistleblower disclosures to assist entities in improving their whistleblower arrangements. While ASIC had previously granted entities with a ‘grace period’ to comply with the strengthened protections for eligible whistleblowers, ASIC has now launched proceedings against TerraCom and this could be the first of many examples. Buyers should be reviewing a target’s whistleblower policies and procedures, particularly with reference to the recommendations in ASIC’s Report 758, to ensure compliance
- greenwashing: Greenwashing has become a key enforcement priority for ASIC and the ACCC in 2023, and both organisations have been proactive in this area. ASIC has issued over $150,000 in infringement notices since October 2022 and launched its first court action against alleged greenwashing conduct in February 2023. ACCC’s internet sweep found that over half of the 247 businesses reviewed made concerning claims about their credentials and these entities now face further investigation. These investigations are not likely to slow down, and sensible buyers should be considering the accuracy of any ESG claims made by a target.