Report by the Attorney-General's Department review into the Privacy Act: Chapter 6, Small business exemption. Analysis and comment. One of the most disappointing parts of the Report. A failure of public policy.
April 30, 2023
Chapter 6 of the Attorney-General's Department's Report into the Privacy Act 1988 considers the small business exemption in the Act. The small business exemption was considered at length by the Australian Law Reform Commission in its 2008 Report on the Privacy Act 1988 (Report 108, For Your Information). The Commission was quite explicit then: the small business exemption was neither necessary nor justifiable. In the present review the Information Commissioner and a majority of submitters called for the removal of the exemption.
The Report recommends against removing the small business exemption until a long and convoluted process of analysis and consultation with small business has been completed, and small business has been adamantly resistant to any removal of the exemption. All of this would happen only after the other reforms proposed are implemented. So there will be a second act to this ongoing drama, except it has no end date. It is hard to come to any conclusion other than that this part of the Report is the product of poor analysis, which may well result in a failure of public policy if it is implemented. How could the authors of this Report get it so wrong given the previous analysis by the Law Reform Commission, the overwhelming weight of submissions and cold hard logic? It may be that there is more politics than law in the drafting of this Chapter and its recommendations.
The Australian Law Reform Commission stated (footnotes omitted):
39.181 After carefully reviewing stakeholder views, international experience, and the commissioned research, the ALRC concludes that the exemption for small business is neither necessary nor justifiable.
39.182 Associate Professor Moira Paterson has offered a counter to the argument that the requirement to comply with the Privacy Act constitutes a substantial compliance burden. She noted that the costs of compliance on businesses are likely to be significant only where businesses have poor record-keeping practices—citing evidence from Quebec that implementing data protection measures may in fact result in cost reduction or increased productivity due to improved information-handling practices. Furthermore, Paterson observed that, in New Zealand,
the limited information available to date does not suggest that the cost of implementation has been a major problem. For example, the New Zealand Real Estate Institute commented in 1994 that, while the passing of the Privacy Act 1993 (NZ) would have a considerable impact on the manner in which the industry might deal with personal information, it did not expect that there would be any significant cost of compliance; what was required was common sense and fair dealing.
39.183 While cost of compliance with the Privacy Act is an important consideration, this factor alone does not provide a sufficient policy basis to support the small business exemption. The fact that no comparable overseas jurisdictions—including the United Kingdom, Canada and New Zealand—have an exemption for small businesses is indicative.
39.184 At present, potentially up to 94% of Australian businesses are exempt from the operation of the Privacy Act. Some stakeholders argued that exempting the majority of businesses from the operation of the Act is justified because small businesses pose a low risk to privacy. This assumption can be questioned on two grounds.
39.185 First, the risks to privacy posed by small businesses are determined by the amount and nature of personal information held, the nature of the business and the way personal information is handled by the business, rather than by their size alone. Some small businesses, such as ISPs and debt collectors, hold large amounts of personal information. In addition, given the increasing use of technology by small businesses, the risk posed to privacy may not necessarily be low. In this regard, it should be noted that the OPC received a significant number of inquiries that related to this exemption.
39.186 Secondly, the fact that there are a considerable number of conditions that qualify the application of the exemption also suggests that the assumption that small businesses present a low risk to privacy is no longer valid. Under existing law, there already are seven categories of small businesses to which the small business exemption does not apply. Some of these categories—namely, small businesses that operate or use residential tenancy databases, and those that are ‘reporting entities’ under the AML/CTF Act—were brought into the privacy regime after the enactment of the private sector provisions of the Privacy Act precisely because they raised significant privacy concerns.
39.187 The ALRC does not consider that further modifying the exemption is a sufficient response to the concerns raised in submissions and consultations. At whatever level the threshold for the exemption is set, the definition of ‘small business’ would be arbitrary, and consumers could not determine easily whether the exemption applies to a particular business. In some cases, small businesses themselves may have problems understanding whether the exemption applies to their operations due to the various conditions that qualify the application of the exemption.
39.188 Further, the application of the small business exemption could have unintended consequences. For example, in the context of the Northern Territory Emergency Response, legislative provisions that were intended to protect Indigenous children in the Northern Territory from abuse raised concerns about the lack of safeguards against misuse of personal information, partly because small business operators are exempt from the operation of the Privacy Act.
39.189 The ALRC agrees with the 2005 Senate Committee privacy inquiry that regulating small businesses in some areas—such as telecommunications and debt collection—and not others, would add to the complexity of the privacy regime. The ALRC also notes that privacy concerns relating to small businesses are not confined to those that operate in particular industries. For example, given the highly sensitive nature of genetic information, small businesses that hold genetic information pose a particularly high risk to privacy, regardless of whether they provide a health service. In 2006, the Privacy Legislation Amendment Act 2006 (Cth) was passed to amend the definitions of ‘health information’ and ‘sensitive information’ in the Privacy Act to include genetic information about an individual. Consequently, small businesses that hold genetic information and provide a health service no longer qualify for the small business exemption. Other small businesses that hold genetic information, however, still may be exempt from the operation of the Privacy Act. This would be the case where a small business meets all the other conditions that qualify the exemption.
39.190 Further, as discussed above, the removal of the small business exemption would bring Australia in line with other comparable countries—and would assist in achieving EU ‘adequacy’ status and facilitate trade with EU organisations.
39.191 Finally, the ALRC notes the submissions arguing that compliance costs on small businesses may be reduced by modifying the application of the privacy principles to small businesses, either through a code, a public interest determination by the OPC or specific exceptions to certain privacy principles. Modifying the application of the privacy principles to small businesses, however, would result in uneven privacy protection and a more complex privacy regime without addressing adequately concerns about unnecessary costs of compliance to small businesses.
Recommendation 39-1 The Privacy Act should be amended to remove the small business exemption by:
(a) deleting the reference to ‘small business operator’ from the definition of ‘organisation’ in s 6C(1) of the Act; and
(b) repealing ss 6D–6EA of the Act.
Nothing has materially changed since 2008. If anything, small business operators collect more personal information than they did then and are as likely to suffer a cyber attack as any organisation covered by the Act.
In light of that unequivocal recommendation by the Australian Law Reform Commission, in the most comprehensive analysis of the Privacy Act ever undertaken, it might be expected that the Attorney-General's Department would give considerable weight to this position. Further, the Information Commissioner recommended removing the exemption, as did many other submitters. Instead the Report downplays the Commission's analysis and casts doubt on the expert evidence it obtained.
The Attorney-General's Department made a non-recommendation: neither proposing to remove the exemption nor endorsing it. In effect it has kicked the can down the road. Even so, the Report goes into quite some detail with justifications for doing nothing. The justifications are threadbare.
At the outset the Report noted that the majority of submitters that addressed the small business exemption recommended the exemption should be removed. Those who made such submissions to the Issues Paper were Salinger Privacy, elevenM, Calabash Solutions, Centre for Media Transition, University of Technology Sydney, Consumer Policy Research Centre, Australian Communications Consumer Action Network, Institute for Cyber Investigations and Forensics, University of the Sunshine Coast, Office of the Victorian Information Commissioner, Minderoo Tech and Policy Lab, University of Western Australia Law School, Association for Data-driven Marketing and Advertising, Superchoice, Queensland Law Society, OAIC, Gadens, Australian Privacy Foundation, Australian Information Security Association, CrowdStrike, Data Republic, Privacy 108, Queensland Council for Civil Liberties, Shogun Cybersecurity, Professor Kimberlee Weatherill, Financial Rights Legal Centre, Consumer Action Law Centre and Financial Counselling Australia, Centre for Cyber Security Research and Innovation – Deakin University, Office of the Information Commissioner Queensland, Reset Australia, Shaun Chung and Rohan Shukla, Dr Kate Mathews Hunt, Karen Meohas, and Electronic Frontiers Australia. Those making such submissions to the Discussion Paper were Australian Data and Insights Association, OAIC, Calabash Solutions, Salinger Privacy, Electronic Frontiers Australia, Privacy 108, Consumer Policy Research Centre, Australian Information Security Association, Australian Communications Consumer Action Network, UNSW Allens Hub, Deakin CSRI and IEEE SSIT, Graham Greenleaf, NSW Council for Civil Liberties, Professor John V Swinson, IIS Partners and Ground Up Consulting, Professor David Lindsay, Shopping Centre Council of Australia, FinTech Australia, Emin Hasic, and Minderoo Tech & Policy Lab, UWA Law School.
The Report explains the rationale for the small business exemption being included when the Act was extended to the private sector in 2000 as being “...in recognition of the potentially unreasonable compliance costs for small businesses, which were considered to pose little or no risk to the privacy of individuals” and that “...some small businesses, or acts and practices of small businesses that posed a higher risk to privacy should be covered by the Act through an exception to the exemption”.
The exceptions operate in three ways:
- exception by regulation. The regulation-making power allows small businesses, by name or type, or which engage in certain practices, to be brought within the scope of the Act if the Attorney-General is satisfied that it is in the public interest to do so. Exceptions currently prescribed in this manner are small businesses that operate a residential tenancy database and Aussie Farms Inc.
- small businesses that opt in. As of November 2022 there were 697 businesses on the register of organisations that have opted in.
- exceptions prescribed by statute, being a small business that:
- is a health service provider
- trades in personal information
- provides services under a Commonwealth contract
- is a credit reporting body
- operates a residential tenancy database
- is a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006
- is an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009
- conducts protected action ballots
- is accredited under the Consumer Data Right system
- is related to a business that is an APP entity.
Even the exceptions are less exceptional than the provisions seem to suggest. Regarding small businesses that trade in personal information, section 6D allows such a business to remain exempt from the Act if it obtains the consent of individuals to collect or disclose their personal information (subsection 6D(7)). Not surprisingly this provision has attracted severe criticism. The Information Commissioner made the obvious point that the effect of giving consent is to exempt the small business from all obligations under the Act. This puts the responsibility on the individual to understand that the consent gives up the protections of the Act in relation to their personal information, which could include sensitive information. That assumes the individual providing consent is made aware of the significant impact of doing so at all.
There wasn’t support for options involving:
- amending the threshold,
- requiring small businesses to comply with some but not all of the APPs. Those few submitters in favour of this option suggested that APPs 1, 3, 4, 5, 6, 7, 8, 10, 11, 12 and 13 be complied with
- using an employee number threshold to determine whether an organisation was a small business.
Those supporting the retention of the small business exemption ran the usual argument that compliance costs were beyond the resources of many smaller businesses. Those organisations are ACCI, the Australian Small Business and Family Enterprise Ombudsman, Clubs Australia, the Internet Association of Australia, Communications Alliance, the Australian Collectors and Debt Buyers Association and the Housing Industry Association. Many of these organisations maintain dogged resistance to many other reforms to the Privacy Act, and have consistently done so. They can easily and accurately be described as the usual suspects.
The other argument accepted that small businesses should adhere to best practice when handling personal information, but expressed concern about requiring businesses to learn a new set of principles and to set up procedures to give individuals access to their personal information. The cure for that problem is tailored support; those submitters recommended that small businesses be provided with additional support and free tools to assist them in complying with the Act.
The Report diligently went through the arguments in favour of removing the small business exemption, including:
- small businesses are often the ‘weakest link’ in supply chains, and requiring small businesses to comply with the Act (in particular the APP 11 security requirements and the NDB scheme) could mitigate this risk. Small businesses are increasingly vulnerable to data-related crime; the evidence pointed to a shift in focus of cyber attackers towards smaller firms ‘as easier targets’. In 2021–22 the average cost per cybercrime report was $39,000 for small businesses.
- under the Consumer Data Right rules consumers can consent to the disclosure of their data to ‘trusted advisers’ who are not required to obtain CDR accreditation. Trusted advisers covered by the small business exemption may not meet the same standards as other entities that handle CDR data.
- no comparable jurisdiction exempts small businesses from the general privacy law. The exemption may be a barrier to a GDPR ‘adequacy decision’.
- regarding compliance costs, the flexibility of the APPs allows businesses to take a risk-based approach to compliance, based on their particular circumstances, including size, resources and business model. As a result small businesses would have compliance costs commensurate with their risk profile, and a small business that poses a low privacy risk would have low compliance costs. Obligations under the Act are proportionate to the potential risk to privacy.
- compliance costs should not be a determining factor when considering the protection of personal information, and removing the exemption would be on par with other regulations that aim to protect consumers from the risk of harm, such as product safety mandatory standards which do not exempt small businesses from the expectation to keep.
- creating more exceptions to the exemption would create confusion.
- small businesses should be supported through the provision of tailored resources to encourage compliance, such as:
- template privacy policies
- tailored advice and targeted education by the Information Commissioner’s Office
- assistance in the event of experiencing a cybersecurity incident
- a small business hotline
- a live chat service
- free webinars
- step-by-step guides
- tax offsets commensurate to the cost of compliance, and
- government grants, and
- the Information Commissioner should be resourced to provide this support and handle additional complaints.
Yet despite these convincing arguments the Report then does a 180 on a dollar coin and digs deep to find arguments, more accurately excuses, to make no proposal beyond pushing a decision off for years. It argued that:
- because of the unique challenges faced by small businesses and the potential regulatory burden associated with complying with the Act, the exemption should be removed only after steps have been implemented to facilitate small business compliance. Whatever that means. The Report moves into full public-service-speak, stating that “to support small businesses to comply with the Act, there would need to be a comprehensive package of assistance developed and implemented. This could include the OAIC developing tailored resources for small businesses that address the needs of different industries and business sectors. These resources should be developed with input from small business representatives and industry associations.” What terrible waffle. Given the Information Commissioner has already offered to assist small business, there is nothing new from that angle. Developing anything with small business representatives and industry associations is a recipe for disaster: they want to delay implementation for as long as possible. Expecting otherwise is terribly naive. It is not a trap that the Australian Law Reform Commission fell into.
- “the small business exemption should not be removed until support and resources are developed and available to small businesses”. What on earth does that mean, and how does that advance a comprehensive reform of the Privacy Act? The Report recommends that the resources “...should be designed to minimise the cost of complying with the Act for small businesses.” It then complains that it is difficult “...to quantify the potential compliance costs for small business, given the diversity of industries captured by the exemption and the various proposals put forward in this Report that would alter an entity’s obligations under the Act.” It then criticises the ALRC’s exercise in engaging an external consultant to provide an independent assessment of the likely costs of compliance that would result from the removal of the small business exemption as part of its Report 108, saying that since that took place 14 years ago “...it cannot be relied upon as an accurate indicator of the costs that small businesses would incur when complying with the Act.” That raises the question of why the Attorney-General's Department did not itself engage experts to undertake that exercise. This Report was years in the making.
- there should be a two-stage reform process, implementing the other proposals first and only then developing “...a support package for small business, an impact analysis...to estimate the compliance costs for different types of small businesses. An updated impact analysis will take into account technological developments and updated obligations under the Act which have changed since the ALRC estimate.” What a terrible way to undertake reform. More waffle, delay, commissioning of reports, production of reports and then maybe, just maybe, deciding how to support small business before amending the Act. This is a total failure of process and, frankly, an exercise in intellectual cowardice.
The Report does propose removing the exception for small businesses that obtain consent to trade in personal information. That is a minor plus to this otherwise extremely disappointing chapter.
The Recommendations are:
6.1 Remove the small business exemption, but only after:
- an impact analysis has been undertaken to better understand the impact removal of the small business exemption will have on small business – this would inform what support small business would need to adjust their privacy practices to facilitate compliance with the Act
- appropriate support is developed in consultation with small business
- in consultation with small business, the most appropriate way for small business to meet their obligations proportionate to the risk is determined (for example, through a code), and
- small businesses are in a position to comply with these obligations.
6.2 In the short term:
- prescribe the collection of biometric information for use in facial recognition technology as an exception to the small business exemption, and
- remove the exemption from the Act for small businesses that obtain consent to trade in personal information.