Protecting the privacy rights of individuals and avoiding the burden of unnecessary compliance costs on small business can be a delicate balancing act. Various exemptions are currently under consideration under the review of the Privacy Act 1988 (Cth) (Privacy Act) by the Attorney-General’s Department (Privacy Act Review).
In this article, we explore the small business exemption under the Privacy Act and outline suggested amendments which could allow for greater accountability, consistency and safety of personal information.
Proponents for the small business exemption maintain that its current form strikes the right balance between protecting the privacy rights of individuals whilst avoiding the imposition of unnecessary compliance costs on small businesses.
Whilst the current exemption works hard to balance competing interests we are of the view that:
According to a 2019 report prepared by 4iQ, there was a 424% increase in new data breaches affecting small businesses globally in 2018 when compared to 2017.
Further, NortonLifeLock found in 2017 that one in four small businesses were subject to cybercrime (up from one in five small businesses in the previous year).
We are of the opinion that there are significant gaps within the Privacy Act to adequately address the challenges and risks associated with technology to small businesses.
In support of this proposition, 79% of respondents to Gadens’ privacy survey to gauge businesses’ and organisations’ views in relation to the topics the subject of the Privacy Act review indicated that small businesses pose significant risks to the privacy of individuals, and that the small business exemption has fallen far behind the rapid advancement of technology.
Although challenging, there are potential methods of balancing the privacy rights of individuals and imposing reasonable obligations and penalties upon small businesses for a breach of the Privacy Act.
Rather than a blanket small business exemption, these methods may include the introduction of civil penalties that are more aligned to the general size and means of small businesses in Australia. For example, civil penalties may be imposed:
The imposition of these methods of applying civil penalties would reiterate the importance of privacy to Australians and protect their information at a greater scale whilst ensuring that small businesses are not penalised on the same basis as large and multi-national corporations.
Another potential method of assisting small businesses in complying with the Privacy Act could be to offer government grants, or providing them with pro-forma documents, to assist with compliance in a relatively simplified manner.
We are of the view that the amendment of the small business exemption to allow for the Privacy Act and the Australian Privacy Principles to fully apply to most, if not all, small businesses would allow for:
On this final point, whilst Australia needs to run its own race and to rightly have regard to local Australian context and requirements, it also needs to remain competitive more broadly. The pace of technology change and information transfer continues without regard to borders. Perhaps we should look beyond our own borders if we are to remain competitive and consistent with evolving privacy standards.
We are looking forward to the outcome of the Privacy Act Review and will share our findings and further recommendations in due course.
If you have any queries relating to the Privacy Act Review or to the small business exemption, please get in touch with our team.
If you found this publication useful and you would like to subscribe to Gadens’ updates, click here.
Dudley Kneller, Partner
Raisa Blanco, Senior Associate
 4iQ, Identity Breach Report 2019 “Identities in the Wild: The Long Tail of Small Breaches” (Report, February 2019) 6.
 NortonLifeLock, Norton SMB Cyber Security Survey: Australia 2017 (Survey, 2017) 3.