Small businesses with an annual turnover of $3 million or less make up more than 95% of Australian businesses, yet, apart from a few limited cases, they are exempt from the Privacy Act. As Australians now live much of their lives online, it has been questioned whether the small business exemption remains appropriate and whether it reflects the community's expectations of businesses that hold and store their personal and sensitive information.
On 16 February 2023, the Attorney-General's Department (AGD) released the Privacy Act Review Report, recommending that the small business exemption under the Privacy Act be removed.
The review commenced in 2021 and, more recently, took account of the Optus and Medibank data breaches, noting the heightened risk that small businesses will fall victim to a cyber-attack. The AGD considers that the exemption poses a serious risk to consumers who deal with small businesses.
The small business exemption came into effect some two decades ago, when it was considered that small businesses posed little risk to privacy of individuals.
Current framework
Under section 6D of the Privacy Act (the Act), small businesses and not-for-profit organisations are exempt from the Act if they meet all of the following conditions:
1. They have an annual turnover of $3 million or less;
2. They do not provide a health service and hold health information; and
3. They do not disclose personal information for a benefit, service or advantage.
Small businesses also have the option to 'opt in' to the Act and the Australian Privacy Principles by submitting an opt-in application form to the Office of the Australian Information Commissioner (OAIC). Once opted in, a small business is treated as an organisation for the purposes of the Act and may face enforcement action for breaches.
Although small businesses are not legally required to operate in accordance with the Act, opting in signals a public commitment to good privacy practice. Many small businesses find this attractive because of the increased consumer confidence and trust it brings.
Whether small businesses should be exempt
In light of the recent high-profile data breaches at Optus and Medibank, the operation of the small business exemption has been called into question. Because exempt small businesses do not fall under the Act, Australians have little recourse if such a business mishandles their personal information.
In 2020, the OAIC's Australian Community Attitudes to Privacy Survey (ACAPS) found that 85% of respondents either believed small businesses were covered by the Act or were unsure whether they were covered, and 71% believed small businesses should be covered. Notably, this survey was conducted years before the high-profile breaches of the past few months, so the exemption now appears squarely at odds with community expectations about privacy.
The AGD's report is open for public comment until 31 March 2023. After that, the government will consider the feedback and may introduce amending legislation. We will continue to track the progress of the review and report on any legislative amendments that follow.