Under Australia's Privacy Act 1988 many small businesses in the country currently have no legal duties with respect to data privacy, as businesses with an annual turnover of AUD3 million or less — barring a few exceptions — qualify for an exemption. As Information and Privacy Commissioner Angelene Falk pointed out in an interview, "While small businesses might be using their best efforts to protect personal information, there is no legal requirement to do so, and therefore no recourse for individuals if their personal information is compromised." However, that is likely to change soon.

The small business exemption

Today, most small businesses are not considered organizations for purposes of falling within the coverage of the Privacy Act. Section 6C(1) of the act carves out small business operators, registered political parties, and agencies and instrumentalities of the state from the definition of an "organization." Section 6D, in turn, defines a small business as one that has an annual turnover for the previous financial year, or present year for new businesses, of AUD3 million or less. Annual turnover for such purposes includes all income from all sources. It does not include assets, capital gains or proceeds from capital sales.

Only small businesses with an "Australian link," as defined in Section 5B of the Privacy Act, are covered under the exemption. This link is largely determined by incorporation, formation or carrying on of business in the country and its territories, so it does not contemplate overseas businesses that hold Australian's personal data.

Under the current law, only small businesses engaged in activities identified as high-risk are subject to the act's requirements and the Australian Privacy Principles. These requirements mainly apply to small businesses that are health care providers or "trade" in personal information. Even still, Section 6D of the act permits small businesses to exempt themselves if they obtain consent of individuals to collect or disclose their personal information.

Proposal to scrap the small business exemption

The Australian Attorney-General's Department presented the case for eliminating the Privacy Act exemption for small businesses. Pursuant to the February 2023 Privacy Act Review Report, which included 116 recommendations from stakeholder input collected over the past two years, the Australian government proposed abolishing the exemption for small businesses and including them within the act's scope. This move would impact 2.3 million small businesses, representing a whopping 95% of all businesses in Australia. Undoubtedly, such a step would shake up the Australian and regional economy.

The Privacy Act's current exemption for small businesses has not been updated since it was first introduced in 2000. The initial version of the Privacy Act, passed in 1988, did not mention small businesses. In 2000, when the exemption was first introduced, the policy reason for carving out small businesses from the law's coverage was the burden of potentially unreasonable compliance costs on small businesses that, at the time, were not considered threats to privacy.

However, the increasing prevalence of online sales, web presence and cloud computing means small businesses may be a source of privacy risks for individuals, even if they do not engage in complex information handling per se. In fact, the Actuaries Institute found cybercrime in Australia increased 13%with evidence supporting a shift in focus of cyberattacks toward smaller firms, which are believed to be "easier targets." Further, the Australian Cyber Security Centre reported the average cost to small businesses per cybercrime attack is approximately AUD39,000. Beyond the monetary price tag of a cyberattack, the IAPP Consumer Trust Report 2023 found more than 80% of consumers indicate a likelihood to stop doing business with companies that have been the victim of an attack.

Globally, it appears no comparable jurisdiction exempts small businesses from their general privacy law. The California Consumer Privacy Act, EU General Data Protection Regulation, U.K. Data Protection Act and Canada's Personal Information Protection and Electronic Documents Act do not discriminate as to the size of an organization when considering whether it is subject to compliance obligations thereunder, as long as it is engaged in the type of conduct that would put it within the ambit of said laws. In fact, the Privacy Act Review Report noted several submissions expressing concern that the small businesses exemption could be a barrier to a GDPR adequacy decision, possibly leading to a loss of trade with the EU market. In view of these considerations, amendments to the Privacy Act aimed at eliminating the small business exemption have gained support.

Another reform to the Privacy Act that is expected to affect the operations of small businesses is the proposal to expand the definition of "personal information" to include user IP addresses and device identifiers, as is already the practice under the GDPR. These and other updated rules would create new rights in customer data subjects while correspondingly imposing new obligations on businesses. Small businesses will thus become duty-bound to adhere to the Australian Privacy Principles and, if applicable, Part IIIA of the Privacy Act, which regulates the handling of consumer credit information, as well as the Privacy (Tax File Number) Rule 2015, which regulates the handling of tax file number information. Nonetheless, imposing new legal responsibilities on small businesses would result in considerable costs, which would likely include expenses for things like training, conducting privacy audits, creating privacy and data retention policies, and secure disposing of documents.

Implications for small businesses

It is difficult to put a price tag on compliance costs, but hopefully the industry will gain more clarity as the proposed amendments firm up. For reference, For reference, the IAPP-EY Privacy Governance Report 2023 found the average mean privacy budget for organizations, regardless of size, was USD1,598,729. Deeper impact analyses are planned to understand the true effect of removing the small business exemption from the Privacy Act. Although the details may still depend on further stakeholder engagement and impact analyses, the expectations of small businesses in the amended law involve creating mechanisms for recourse by data subjects and instilling proactiveness within them. In line with this, it would be smart for Australian small businesses to gear up by:

• Conducting data inventories to assess what data is collected and for what purposes (Proposal 15.1 of the Privacy Act Review Report) and, correspondingly, establishing reasonable data retention periods in accordance with data use (Proposal 21.7).
• Strengthening informed consent in cases where consent is relied on as a legal basis for data collection (Proposal 11.2).
• Creating or revising privacy policies and notices to meet the new standards, such as by specifying personal information retention periods (Proposal 10.1).
• Answering queries by customers about how their data is used (Proposal 18.7).
• Implementing systems, procedures and operating practices that promote data privacy and information security (Proposal 21.2).
• In case of a qualifying data breach, alerting the OAIC within 72 hours and notifying affected individuals as soon as practicable (Proposal 28.2).

Moving forward together

All these new responsibilities may seem like a lot to expect from small businesses. Still, the reality is small businesses collect and process credit cards, passport details and other types of data that cyber attackers are interested in. Hence, it becomes a collective responsibility to ensure small businesses can build capacity to deliver on any new legal responsibilities. Some suggestions regarding support that the government could provide to small businesses from the Privacy Act Review Report include:

• Providing template customizable privacy policies.
• Providing free targeted education from the OAIC by industry and size, including webinars and roadshows.
• Assisting in the event of a cybersecurity incident.
• Opening communication channels such as a small business hotline and/or a live chat service.
• Publishing step-by-step guides as to proper practices throughout the different phases of the data life cycle.
• Issuing tax credits and government grants to incentivize and offset the cost of compliance.

Moreover, small businesses can take comfort in a delayed effective period for any new obligations, which are not likely to happen until some, if not all, of the above-mentioned support mechanisms by the Australian government are made available. As an exception to this, small businesses that deal with biometric information, such as information collected by facial recognition technology, may be expected to expedite their compliance capacity and may not benefit from the same transition period as other businesses, given the highly sensitive nature of such personal information.

Conclusion

While the elimination of the small business exemption under Australia's Privacy Act may be on the horizon, it will not happen overnight. Yet, small businesses would best be served by beginning to prepare their systems, budgets and, most importantly, their employees, vendors and customers, for this big change. One of the first steps toward this is proper privacy education. In line with its commitment to having a positive impact on consumer privacy on account of this amendment, the Australian government plans to take this time to closely engage with the local communities that would be expected to comply at the end of the day. Australians, and the rest of the world, will be waiting to see how this plays out.