Should small businesses be exempt from the Privacy Act?
In October 2021, the Australian Attorney-General’s Department issued a discussion paper seeking further submissions on proposed changes to the Privacy Act (Discussion Paper). One of the issues raised in that Discussion Paper is whether small businesses should continue to be exempt from the operation of the Privacy Act.
More than 95% of businesses trading in the Australian economy have an annual turnover of less than $3 million and are therefore currently, for the most part, outside the operation of the Privacy Act. So any tinkering with the exemption will have a significant impact on Australian businesses.
As discussed in more detail below, the Discussion Paper suggests that the increased regulatory burden on small business that would result from removing the exemption is not justified. Questions posed for further consideration include:
- Whether any other high-risk processing by small businesses should be brought within the operation of the Privacy Act; and
- What additional resources might support small businesses, including a voluntary domestic certification scheme.
But is this the right outcome and are these the only options?
The Discussion Paper clearly frames the inclusion of small businesses within the operation of the Privacy Act as a question of whether the risk posed by their continued exclusion outweighs the harm of imposing an additional burden on them. But is this the right lens through which to view the question?
The Discussion Paper comes nearly 12 months after the release of an issues paper in November 2020 outlining and seeking feedback on the Privacy Act, and the Government’s December 2019 announcement that it would conduct a review of the Act as part of its response to the Australian Competition and Consumer Commission’s Digital Platforms Inquiry report (ACCC Report).
One of the issues canvassed in the November 2020 Issues Paper was whether or not businesses with annual turnover of less than $3 million (subject to certain carve-ins) should be exempt from the operation of the Privacy Act. In particular, the Issues Paper sought feedback on whether the current scope of the Act strikes the right balance between protecting the privacy rights of individuals and imposing unnecessary regulation on small businesses.
Issues for small businesses
According to the Discussion Paper, there was a high level of interest in the issue, with submissions regarding the small business exemption received from a diverse range of stakeholders including government agencies, academics, research centres, private sector organisations and consumer advocates. Given that level of interest, it is a little surprising that no significant changes are proposed.
Support for removing the small business exemption
The Discussion Paper reports that submissions made supporting the removal of the small business exemption referred to the following:
- Advances in technology have shifted the way small businesses operate and increased the privacy risk they pose.
- With the move to online services, the size or turnover of a business is not a good proxy for privacy impact.
- Similarly, the size of a business should not affect people’s expectations regarding the security measures used to protect their personal information.
- COVID requirements have increased the risk by extending the information to be collected and retained by small businesses.
- The Australian approach is an anomaly and could be a barrier to international trade. Removal of the exemption will align Australia with international standards for small business.
- Extending privacy requirements will improve trust and reliance on small businesses (rather than reduce their competitiveness).
Support for retaining the small business exemptions
The only real argument put forward in support of retaining the exemption was the cost and burden that compliance with the Act would impose on small business.
According to the Discussion Paper, small business representatives expressed concern about requiring businesses to learn a new set of principles and set up procedures to give individuals access to their personal information. Small business representatives noted that this could be particularly challenging for micro businesses.
The Paper does include counter-arguments to the claimed cost for small business, including the following:
- the cost of compliance has gradually decreased since the introduction of the private sector provisions of the Act.
- compliance with the Act is a reasonable cost of doing business in the digital age.
- compliance with the Act could lead to commercial benefits for small businesses.
- the compliance burden for small businesses has not proven too onerous overseas.
- businesses can take a risk-based approach to compliance, based on their particular circumstances, including size, resources and business model, making compliance costs commensurate with their risk profile.
Despite the above, and even if the cost for small businesses of complying with the Act could be shown to be low or proportionate and likely to improve their competitiveness, the Paper takes the view that the ‘challenges small business would face should not be ignored.’
This contention is supported by a reference to small business representatives raising concerns about the substantial impact COVID-19 has had on small businesses, suggesting it would be very challenging for small businesses to bear any additional cost of implementing privacy law changes at this time.
The other argument that gains some favour in the Discussion Paper is that there is no evidence that the exemption causes any harm. The Australian Small Business and Family Enterprise Ombudsman submitted that if there was evidence of a problem with the exemption, the best practice approach would be to address the problem directly, rather than removing the exemption completely. Prescribing further high-risk acts and practices, while retaining the small business exemption, would preserve the Act’s historical approach of balancing privacy risks against compliance costs on small businesses.
In short, small business representatives were of the view that removing the exemption would place an unjustified regulatory burden on small businesses that do not pose a significant privacy risk. And the Attorney-General’s Department seems to agree.
Accordingly, the questions posed in the Discussion Paper about the exemption are largely limited to the following:
- Are there further high privacy risk acts and practices that should be prescribed as exceptions to the small business exemption?
- What regulatory impact would this have on small businesses who engage in these acts and practices?
Some high-risk areas already identified in submissions include:
- collecting, using or disclosing the personal information of children under 15
- supplying products or services to children under 15,
- handling financial or sensitive information,
- buy now, pay later businesses,
- offering products and services that use the Internet of Things (IoT), AI and data analytics and
- IT businesses which provide services to healthcare providers.
What are the options in the Discussion Paper?
Assuming that removing the exemption is not an option, what are some of the alternatives?
The options canvassed include:
- Reduce the annual turnover threshold, although the reduction would have to be quite substantial to be effective, and this was not a preferred option in any submission;
- Change the threshold to 15 employees (consistent with the definition of a small business in the Fair Work Act 2009 (Cth) (Fair Work Act)). However, the number of employees was not thought to be any more accurate than annual turnover as a proxy for privacy risk;
- Apply only some of the APPs to small business. The Paper accepts the contention that requiring businesses to comply with some but not all of the APPs would likely increase the complexity of the Act, as the selected APPs would need to be modified so that they could be understood outside the context of the other APPs;
- Provide more support for small business (which the OAIC has indicated it is prepared to do).
Having dismissed the first three of the above options, more support for small business becomes the preferred direction, coupled with identification of potentially high-risk businesses that should be brought within scope.
The provision of additional support is to be explored further with the Discussion Paper asking:
- What support for small business would assist with adopting the privacy standards in the Act and realising the benefits of improved privacy practices?
- How can small businesses be encouraged to adopt best practice information collection and handling?
- Would a voluntary domestic privacy certification scheme be useful to small businesses that wish to differentiate themselves based on their privacy practices?
The Discussion Paper also noted the OAIC’s submission that the office would be well placed to support small businesses in meeting their compliance obligations, and that this could be made one of its prescribed functions.
Is this a good outcome for Australians?
Other than identifying other high risk businesses that should be subject to the Act plus providing more support, what other options might be available to address the issue of balancing the perceived cost for small business versus the potential impact on the privacy of individuals?
One option might be reducing the impact by removing the following from the operation of the Privacy Act:
- Business contact details
- Information that is made public by the individual.
For many small businesses, particularly those operating in the business-to-business (rather than consumer) space, removing business contact details and publicly available information from the operation of the Act would significantly limit their responsibilities and liabilities under the Act, and thus their cost of compliance.
An additional option might be to introduce a more limited set of obligations for business intermediaries or processors, as opposed to controllers (as contemplated by Chapter 21 of the Discussion Paper), which would again reduce the compliance burden on small businesses falling within that group.
Lastly, this is an area that could benefit from further research. Apart from one overseas academic paper of marginal relevance to Australia, no evidence is produced of the cost of compliance with the Privacy Act for Australian small businesses.
Rather than assuming that the exemption is required because the regulatory burden would be untenable, it would be useful to understand what exactly that burden might be, and why Australian small businesses, unlike those in the UK and EU, need to be shielded from it.
Some more work for the review?
Submissions to the Issues Paper: New South Wales Information and Privacy Commission, 2; Salinger Privacy, 10; elevenM, 2; Calabash Solutions, 5; Centre for Media Transition, University of Technology Sydney, 10; Consumer Policy Research Centre, 4; Australian Communications Consumer Action Network, 9; Institute for Cyber Investigations and Forensics, University of the Sunshine Coast, 2; Office of the Victorian Information Commissioner, 4; Minderoo Tech and Policy Lab, University of Western Australia Law School, 29; Association for Data-driven Marketing and Advertising, 13; Superchoice, 2; Queensland Law Society, 2; OAIC, 59; Gadens, 1; Australian Privacy Foundation, 14; Australian Information Security Association, 10; CrowdStrike, 3; Data Republic, 5; Privacy108, 4; Queensland Council for Civil Liberties, 4; Shogun Cybersecurity, 2.
Australian Small Business and Family Enterprise Ombudsman, Council of Small Business Organisations Australia, Australian Chamber of Commerce and Industry, Meeting of small business representatives (n 158).
Submissions to the Issues Paper: Salinger Privacy, 11; Calabash Solutions, 5; Financial Rights Legal Centre, Consumer Action Law Centre and Financial Counselling Australia (joint submission), 13; ID Exchange, 9.
Submissions to the Issues Paper: Institute for Cyber Investigations and Forensics, University of the Sunshine Coast, 2; OAIC, 61; Privacy108, 5; AGL Energy Limited, 2; Financial Services Council, 10.
Submission to the Issues Paper: Australian Small Business and Family Enterprise Ombudsman, 1.