Published on the 11/02/2021 | Written by Jonathan Cotton
What will the changes mean for your business’s data?…
The Federal Government is currently conducting a review of the Privacy Act 1988, as it seeks to establish whether Australia’s privacy regulation strikes the right balance between commercial interests and consumer protections for the digital age.
The Attorney-General announced the review of the 32-year-old Act in December, saying it was now necessary to ‘ensure privacy settings empower consumers, protect their data and best serve the Australian economy’.
The digital economy has brought with it immense benefits, including new, faster and better products and services, says the issues paper associated with the review, but it has also brought new challenges around privacy.
“As Australians spend more of their time online, and new technologies emerge, such as artificial intelligence, more personal information about individuals is being captured and processed raising questions as to whether Australian privacy law is fit for purpose.
“At the same time, businesses that are trying to do the right thing are faced with an increasingly complex regulatory environment with respect to managing personal information… This is particularly true for businesses who work across international borders where complying with information protection standards can be a requirement for access to overseas markets.”
On the table are questions around the impact of the country’s notifiable data breach scheme, the effectiveness of enforcement powers and mechanisms under the Privacy Act, as well as a discussion of Australia’s 20-year-old Privacy Act exemptions for small businesses.
Passed in 2000, the small business exemption was introduced in recognition of the ‘potentially unreasonable compliance costs for certain small businesses’, which were considered to pose little or no risk to the privacy of individuals.
Since then, however, several recommendations have called for the removal of the exclusion. In its 2005 report ‘The real Big Brother: Inquiry into the Privacy Act 1988’, the Senate Legal and Constitutional References Committee argued that the small business exemption should be removed, on the basis that ‘the exemption inconsistently regulates businesses and adds to the complexity of the Act’.
The Government did not agree with that point of view, and noted at the time that the exemption ‘struck the right balance between risk of privacy breaches and regulation’ of small businesses.
The ALRC Report 108 from 2008 likewise recommended the removal of the small business exemption, concluding that its removal would have ‘substantial benefits for the protection of privacy’.
The ALRC also noted that no other comparable jurisdiction (the United Kingdom, New Zealand, Canada and the European Union) exempts small businesses from the general privacy law.
Now, the Privacy Act Review is examining the exemption anew.
“The exemption was based on the premise that not all private sector organisations pose the same risk to privacy,” says the review’s Issues Paper.
“Many small businesses did not have significant holdings of personal information [in 2000] – they may have held customer records that were used for their own business purposes; however they did not sell or otherwise deal with customer information in a way that posed a high risk to the privacy interests of those customers.
“In the 20 years since the small business exemption was introduced, technology has changed the way that small businesses operate. These advancements may mean that small businesses are increasingly handling personal information and may now pose a higher privacy risk than previously.”
What are the changes likely to be?
At this moment, it’s hard to say for sure, but among the questions posed in the 89-page review document is whether the $3 million annual turnover threshold is appropriate for determining a ‘small’ business, and therefore one exempt from Australia’s Privacy Act framework.
“Is the current threshold appropriately pitched or should the definition of small business be amended? If so, should it be amended by changing the annual turnover threshold from $3 million to another amount, replacing the threshold with another factor such as number of employees or value of assets or should the definition be amended in another way?
“If so, what obligations should be placed on small businesses? What would be the financial implications for small business? Would there be benefits to small business if they were required to comply with some or all of the [Australian Privacy Principles]? Should small businesses that trade in personal information continue to be exempt from the Act if they have the consent of individuals to collect or disclose their personal information?”
Following a consultation process and review of the submissions, a final report will be released later this year.