Where to from here? A realistic and practical balancing act for the small business exemption

6 April 2021
Dudley Kneller, Partner, Melbourne
David Smith, Consultant, Melbourne

Protecting the privacy rights of individuals and avoiding the burden of unnecessary compliance costs on small business can be a delicate balancing act. Various exemptions are currently under consideration under the review of the Privacy Act 1988 (Cth) (Privacy Act) by the Attorney-General’s Department (Privacy Act Review).

In this article, we explore the small business exemption under the Privacy Act and outline suggested amendments which could allow for greater accountability, consistency and safety of personal information.

Current small business exemption framework

Proponents for the small business exemption maintain that its current form strikes the right balance between protecting the privacy rights of individuals whilst avoiding the imposition of unnecessary compliance costs on small businesses.

Whilst the current exemption works hard to balance competing interests, we are of the view that:

  • the law has struggled to keep up with the rapid advancement of technology;
  • the law has not adequately responded to changing societal attitudes to privacy when considered from a domestic and international perspective; and
  • increased cyber security risks have resulted in the small business exemption no longer being fit for purpose.

According to a 2019 report prepared by 4iQ, there was a 424% increase in new data breaches affecting small businesses globally in 2018 when compared to 2017.[1]

Further, NortonLifeLock found in 2017 that one in four small businesses were subject to cybercrime (up from one in five small businesses in the previous year).[2]

We are of the opinion that there are significant gaps within the Privacy Act to adequately address the challenges and risks associated with technology to small businesses.

In support of this proposition, 79% of respondents to Gadens’ privacy survey, which gauged businesses’ and organisations’ views on the topics under consideration in the Privacy Act Review, indicated that small businesses pose significant risks to the privacy of individuals, and that the small business exemption has fallen far behind the rapid advancement of technology.

Our recommendations

Although challenging, there are potential methods of balancing the privacy rights of individuals and imposing reasonable obligations and penalties upon small businesses for a breach of the Privacy Act.

Rather than a blanket small business exemption, these methods may include the introduction of civil penalties that are more aligned to the general size and means of small businesses in Australia. For example, civil penalties may be imposed:

  • at a reduced rate, if a business comes within the small business threshold; or
  • in line with the Privacy Act’s penalty units as it relates to breaches caused by individuals.

The imposition of these methods of applying civil penalties would reiterate the importance of privacy to Australians and protect their information at a greater scale whilst ensuring that small businesses are not penalised on the same basis as large and multi-national corporations.

Another potential method of assisting small businesses in complying with the Privacy Act could be to offer government grants, or to provide them with pro-forma documents, to assist with compliance in a relatively simplified manner.

We are of the view that the amendment of the small business exemption to allow for the Privacy Act and the Australian Privacy Principles to fully apply to most, if not all, small businesses would allow for:

  • greater accountability and community confidence;
  • increased safety as it relates to employees’ personal information; and
  • greater consistency with other jurisdictions, which in turn would reduce one of the key outstanding issues preventing Australia from achieving adequacy with the EU.

On this final point, whilst Australia needs to run its own race and to rightly have regard to local Australian context and requirements, it also needs to remain competitive more broadly. The pace of technology change and information transfer continues without regard to borders. Perhaps we should look beyond our own borders if we are to remain competitive and consistent with evolving privacy standards.

We are looking forward to the outcome of the Privacy Act Review and will share our findings and further recommendations in due course.

Authored by:

Dudley Kneller, Partner
Raisa Blanco, Senior Associate
[1] 4iQ, Identity Breach Report 2019 “Identities in the Wild: The Long Tail of Small Breaches” (Report, February 2019) 6.

[2] NortonLifeLock, Norton SMB Cyber Security Survey: Australia 2017 (Survey, 2017) 3.