Small business will no longer be exempt from the Privacy Act

Following a review of the Privacy Act 1988 by the Attorney-General’s Department, the Australian Government issued its response in September 2023. The review suggested 116 reforms to the Privacy Act aimed at bringing the act into “the digital age”. The Government agreed to 38 reforms, agreed in-principle to 68 and noted the remaining 10.

Proposed changes to which the Government agreed include:

  • Giving individuals greater control over their privacy by requiring entities to seek informed consent about the handling of personal information.
  • Making entities accountable for handling individuals’ information and enhancing requirements to keep information secure, including destroying data when it is no longer needed.
  • Providing entities with greater clarity on how to protect individuals’ privacy, and simplifying their obligations when handling personal information on behalf of another entity.
  • Establishing stronger protections for children, including the introduction of a Children’s Online Privacy Code.

The Government also agreed that businesses will face a more extensive range of penalties for privacy breaches through the introduction of new civil penalty provisions. New tiers of civil penalty provisions will cover interferences without a “serious” element.

Other reforms include an expanded definition of personal information to include cookie identifiers and IP addresses where an individual may be “reasonably identifiable” even if they are not named.

The Government also agreed in-principle that further consultation should be undertaken with employer and employee representatives on how enhanced privacy protections for private sector employees may be enshrined in legislation. Currently, there is an employee records exemption.

Another recommendation is that businesses should nominate a senior employee as “having specific responsibility for privacy within the organisation”.

A statutory tort for serious invasions of privacy was also agreed to in-principle, as was the notion that individuals should have a right to take direct court action in respect of privacy breaches.

Small business exemption

Currently, most businesses with an annual turnover of $3 million or less are exempt from the Privacy Act and have no legislated obligation to keep personal information secure or to notify affected people if there is a data breach. This also means that small businesses are exempt from many of the penalties levelled against bigger businesses when they mishandle sensitive data.

In 2000, when the Act was extended to the private sector, it was considered that small business was a low-risk cohort for which privacy compliance costs were potentially unreasonable. As such, the legislation was updated to only include certain small businesses with a higher risk associated with data theft (for example, businesses in the healthcare sector, those with Commonwealth contracts, and those that do the bulk of their business trading in personal information).

A key proposal made by the review, and agreed in-principle by the Government, was that this small business exemption be removed.

Key drivers behind the change reflect the changes in the business environment since 2000. Chief among these is broad recognition that the use of digital technology in conducting business has increased the privacy risks posed by businesses of all sizes. There is particular concern that, due to the small business exemption, a large proportion of the Australian business community does not currently fall within the scope of the Privacy Act, limiting the protection the legislation affords the community.

The Government said the exemption was being removed as “the community expects that if they provide their personal information to a small business, it will be kept safe and not used in harmful ways”.

It also said the move builds on legislation passed last year which significantly increased penalties for repeated or serious privacy breaches, and provided the Australian Information Commissioner with greater powers to address privacy breaches.

“Australians increasingly rely on digital technologies for work, education, health care and daily commercial transactions and to connect with loved ones”, Attorney-General Mark Dreyfus said.

“But when they are asked to hand over their personal data, they rightly expect it will be protected.”

Data breach landscape

There were 409 data breach notifications made in the first half of 2023, according to the Office of the Australian Information Commissioner’s (OAIC) Notifiable Data Breaches Report for the year to June 2023. Of course, these were only the data breaches that were required by law to be reported to the OAIC under the Notifiable Data Breaches (NDB) scheme.

Many more data breaches occur but go unreported.

In fact, only 27% of Australian businesses report cyberattacks, research from Cloudflare found. This was despite 76% of respondents saying they had suffered a cyberattack in the last year, and 37% saying they had suffered more than 10 security breaches or incidents.

According to research from VPN company Surfshark, in the second quarter of 2023, Australia ranked sixth globally for data breaches. Nearly two million Australian accounts were breached during the quarter – equating to around 15 user accounts breached every minute between April and June.

Research from password manager NordPass found Australia ranked 11th among the top 15 countries with the most data leaks between December 2019 and July 2023. Private businesses accounted for 60% of organisations that had their clients’ data stolen.

The revelations come at a time when consumers are increasingly concerned about cyber risks associated with their private information. The Real Digital Risk Report 2023 found 92% of respondents were concerned about the safety of their private information online, 69% were concerned about data hacking, 67% about identity theft, 54% about privacy violations, and 53% about company data breaches.

Impact of exemption removal

If the proposed change to the law is enacted, it will mean businesses of any size will be required to comply with the requirements of the Privacy Act and meet the Australian Privacy Principles (APPs), which outline how a business must handle, use and manage personal information.

In effect, 2.3 million small businesses – which represent 95% of all actively trading Australian businesses – will become subject to the Privacy Act and the compliance obligations that this entails. Small businesses will be obligated to secure any consumer information they may hold and to notify individuals of any breach that does occur.

They will become subject to the mandatory notifiable data breach regime, which came into effect in February 2018 and requires businesses covered by the Privacy Act to notify the Australian Information Commissioner if they experience an eligible data breach (in-principle changes to the regime were agreed by the Government). Small businesses will also be subject to the privacy enforcement provisions, which were greatly increased in December 2022 to include fines of up to $50 million for serious or repeated privacy breaches.

Where to from here?

The Government has agreed in-principle to the small business exemption being removed, “in light of the privacy risks applicable in the digital environment”. However, it stated “this should not occur until further consultation has been undertaken with small businesses and their representatives on the impact that removing the small business exemption would have”.

To this end, the Government will perform an impact analysis review and provide a small business support package. It will work with the community, businesses, media organisations and government agencies to inform the development of legislation and guidance material in this term of Parliament.

The Attorney-General said there would be a transition period to ensure small businesses have reasonable time to prepare.

However, some small businesses will be included in the Privacy Act sooner. Special shorter-term rules will apply to small businesses handling biometric information (such as facial recognition and fingerprints), and for those that actively trade in personal information.

The changes to the Privacy Act are expected to be legislated in 2024.

Businesses should begin preparing for the increased privacy obligations. Now is the time for businesses, including small businesses, to consider their approaches to managing personal information and how much they will need to change to comply with these new obligations.

Business.gov.au recommends that businesses that are required to protect customers’ personal information under the Privacy Act:

  • Decide what information is personal.
  • Find out how to protect personal information (based on the APPs).
  • Prepare a privacy policy.
  • Report notifiable breaches.

Businesses should also budget for costs likely to be associated with needing to comply with the Privacy Act. The Australian Law Reform Commission identified likely costs including those associated with:

  • familiarisation with the Privacy Act
  • conducting privacy audits
  • developing privacy plans
  • amending business documentation
  • training staff
  • purchasing filing cabinets and shredders
  • handling customer complaints
  • record-keeping
  • making the privacy policy available, and
  • updating and reviewing the privacy policy.

Owners should also talk to their EBM Account Manager about appropriate liability insurance (such as cyber insurance, statutory liability, D&O or management liability) to protect the business in the event of a data breach.