The Australian government is steering towards extending the coverage of the Privacy Act to small businesses, which could signify a momentous shift in the regulatory landscape. Previously, small businesses with an annual turnover of AUD 3 million or less were exempt from the provisions of the Privacy Act. The proposed amendments aim to remove this exemption following a comprehensive review of the Act.

In September 2023, Attorney-General Mark Dreyfus announced that the government supports most of the Privacy Act review’s recommendations, which include enhancing individuals’ control over their personal information and simplifying entities’ obligations when managing personal information on behalf of another entity. A notable recommendation from the review is the removal of the small business exemption, aligning with community expectations that personal information shared with small businesses will be safeguarded against misuse.

The proposed reforms are seen as a response to the evolving digital landscape and the increasing importance of data privacy. The exemption removal is part of a broader initiative to ensure that all businesses, regardless of size, uphold stringent data privacy standards. However, the government acknowledges that this move could place a “disproportionate burden” on small businesses, and hence, it is committed to engaging in further consultations before implementing the new law. The reforms suggest an “appropriate” transition period to help small businesses adjust to the new regulatory requirements.

These reforms could be far-reaching, affecting approximately 2.3 million small businesses in Australia, constituting about 95% of all businesses in the country. The changes are not merely about compliance; they reflect a broader shift towards fostering a culture of privacy and accountability across all sectors of the economy.

In practical terms, small businesses must gear up for more stringent data security obligations. The proposed changes also entail an expanded definition of “personal information,” requiring small businesses to secure user IP addresses and device identifiers. Additionally, the reforms offer more robust protections for children’s online privacy and introduce special rules for businesses handling biometric information, such as facial recognition and fingerprints.

The government also plans to conduct an impact analysis to assess the implications of the reforms and ensure a smooth transition for small businesses. This includes understanding the financial burden that compliance may entail, especially for smaller entities that might face thousands to tens of thousands of dollars in additional annual expenses.

In summary, the Privacy Act reforms mark a significant stride towards bolstering data privacy across the board, ensuring that the rights of individuals are upheld in the digital age, and fostering a more trustworthy business environment in Australia. You can learn more about your privacy obligations at the Office of the Australian Information Commissioner; this includes a handy Privacy Checklist. You can also read the full media release from the Attorney-General regarding these potential changes here.
