Peter A Clarke

Privacy reform is no easy task in Australia. Even when the need is clear. The Australian in Privacy relief set for small business reports that the small business exemption will likely be retained in any amendments to the Privacy Act. The Government says it will introduce a Bill in the August session of Parliament. The story relies on “sources” informing the reporter. The story is a classic informal signalling of intention by the Government without it making any announcement. It is a tried and true way method of setting the agenda and dealing with possible unwelcome commentary prior to the bill being introduced. It is all about politics, nothing about policy.

The retention of the small business exemption is a retrograde step. It makes little legal and policy sense.  The collection of data and the impact of a data breach or other interferences with privacy is not related to the size of an organsiation.  An arbitrary cut off of a $3 million dollar turnover determining whether an an organisation is required to comply with the Privacy Act or not never made much sense when introduced.  It makes less sense now given that a “small business” can collect and use more  data than an organisation covered by the Act.  It is more dependent on the type of business and its emphasis on data collection. 

In its massive 3 volume report, For your Information, the Australian Law Reform Commission specifically recommended removing the small business exemption.  In its executive report it stated:

The ALRC recommends that the number of exemptions be reduced—in particular, the existing exemptions for small business, employee records and registered political parties should be removed.

and

The small business exemption

When the provisions of the Privacy Act were extended to cover the private sector in December 2000, an exemption was granted to small businesses (including not-for-profit organisations) with an annual turnover of $3 million or less.^[11] The exemption was explained, at that time, by the desire to achieve widespread acceptance for privacy regulation from the private sector, and a reluctance to impose additional compliance burdens on small businesses.

No other comparable jurisdiction in the world exempts small businesses from the general privacy law—and the European Union specifically has cited this unusual exemption as a major obstacle to Australia being granted ‘adequacy’ status under the European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the EU Directive).^[12]

The business community argued strongly for the retention of the exemption, primarily on the basis of the cost of compliance. However, almost all other stakeholders supported removal of the exemption arguing that there is no compelling justification for a blanket exemption for small businesses, as consumers have the right to expect that their personal information will be treated in accordance with the privacy principles.

The ALRC recommends that this exemption be removed. This would bring Australian privacy laws into line with laws in similar jurisdictions, such as the United Kingdom (UK), Canada and New Zealand, and could facilitate trade by helping to ensure that Australia’s privacy laws are recognised as ‘adequate’ by the European Union. The removal of the small business exemption would have the additional benefits of simplifying the law and removing uncertainty for many small businesses that have difficulty establishing whether they are required to comply with the Privacy Act.

The ALRC appreciates that the removal of the small business exemption will have cost implications for the sector—although nowhere near as great as is sometimes predicted.^[13] An independent research study commissioned by the ALRC indicated that a lower proportion of organisations will be affected—since not all small businesses collect personal information from customers—and the costs should be considerably more modest—about $225 in start-up costs and $301 per year thereafter for each small business—than the predicted $842 and $924 per year respectively cited in the Office of Small Business costing.^[14] Further, the ALRC is confident that additional savings will be achieved by the substantial simplification and harmonisation of privacy laws recommended in this Report.

Nevertheless, the ALRC remains attentive to the economic concerns of small business owners, and recommends a number of other initiatives aimed at supporting small businesses and minimising the compliance burden. Before the exemption is removed, the OPC should provide support to small businesses to assist them in understanding and fulfilling their obligations under the Privacy Act. This should include a national hotline for small businesses, education materials and templates to assist in preparing privacy policies.

If anything the need to remove the exemption now is greater than it was 16 years ago.

The Australian article provides:

Attorney-General Mark Dreyfus recently flagged that under instruction from the Prime Minister he would bring forward legislation in August to overhaul the Privacy Act and “protect Australians from doxxing – the malicious use of personal and private information”.

After Mr Dreyfus last year announced the most significant reshaping of the privacy regime since the 1980s, small and large industry groups urged the government to not remove exemptions for up to 2.5 million small businesses.

The Australian understands while the government has not landed on a final position, sources close to discussions believe the final legislation will take into account the cost and resources impact on small businesses.

Business leaders have warned of economy-wide implications and the need for significant investment if privacy exemptions for small businesses with turnovers under $3m were removed.

Under current rules, small businesses are not obligated to keep personal information secure or notify customers of data breaches.

The government last year flagged an impact analysis of the proposed privacy shake-up, consideration of a support package, and a transition period giving small businesses time to prepare.

In September last year, Mr Dreyfus said the government would “work with the small business sector, as well as employer and employee representatives, on enhanced privacy protections for private sector employees and for small businesses”.

He pledged his department would consult with community and business groups, media organisations and government agencies to “inform the development of legislation … in this term of parliament”.

A spokesman for Mr Dreyfus on Monday would not confirm exemptions for small businesses but said the government was “committed to stronger privacy protections for Australians”.

“The government’s privacy reforms are being finalised,” the spokesman said.

“The reforms will build on legislation passed in 2022, which significantly increased penalties for repeated or serious privacy breaches, and provided the Australian Information Commissioner with greater powers to address privacy breaches.”

Industry leaders have not been officially informed about whether small businesses will or won’t be captured under the shake-up of privacy laws. Modernising the privacy regime is considered crucial in protecting personal information following a series of high-profile cyber breaches and hacking events.

Council of Small Business Organisations Australia chief executive Luke Achterstraat said with “10-year highs in business insolvencies, it is the worst possible time to introduce more compliance costs onto a sector largely in survival mode”.

“Small businesses seek to do the right thing in regards to privacy and data obligations. However, we need to make sure small and particularly micro businesses are not lassoed with more red tape because of a few high-profile cases (like Medibank),” Mr Achterstraat said.