This article was initially published in the Lexis Nexis Privacy Law Bulletin, May 2023 (Vol 20 No 2&3).
The Attorney-General’s Department’s Report of the Review (Review) of the Privacy Act 1988 (C’th) contains two Proposals concerning the current exemption for small business. This article examines these Proposals and outlines how lawyers can support small business clients to get ready for likely changes to come.
On 16 February 2023, the Attorney-General’s Department released its long-awaited Report of the Review (Review) of the Privacy Act 1988 (C’th) (Privacy Act).[i] The Report contained 116 proposals at a principles level, including two that address the current small business exemption. However, to the disappointment of many, the Report did not attach an exposure draft of privacy reform legislation. Rather, the Government sought further feedback before deciding what further steps to take.
- The proposed removal of the small business exemption could mean that the approximately 95% of actively trading Australian businesses that are presently outside the scope of the Privacy Act will be required to meet compliance obligations.
- In recognition that removal of this exemption would impose significant costs on small businesses to achieve compliance, the Government proposes to consult with the sector ahead of the exemption removal, in order to develop appropriate support and facilitate compliance.
- Lawyers whose small-business clients either collect biometric information for use in facial recognition technology or obtain consent to trade in personal information should advise them that the Government has proposed near-term removal of the small business exemption in respect of these high-risk activities.
Background to the current provisions
In 2000, when the Privacy Act was extended to the private sector, small business was considered a low-risk cohort for which privacy compliance costs were potentially unreasonable. It was then decided that those small businesses that did pose a higher risk to individuals’ privacy should be covered by the Privacy Act through exceptions to the exemption.[ii] These limited exceptions include where the small business:
- is a health service provider
- provides services under a Commonwealth contract
- trades in personal information
- is a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 or
- is accredited under the Consumer Data Right system.[iii]
The proposed changes
The proposed changes to the small business provisions in the Privacy Act are driven by a range of policy factors that reflect the changes in the business environment since the year 2000.[iv] Key among these is broad recognition that the use of digital technology in conducting business has increased privacy risks posed by businesses of all sizes.
Moreover, there is concern that, because of the small business exemption, a large proportion of the Australian business community does not currently fall within the scope of the Privacy Act, as their annual turnover is $3 million or less. According to the Report:
As at June 2021, there were 2,288,441 Australian businesses with a turnover of $3 million or less. It is estimated that less than 5 per cent of businesses actively trading in the Australian economy had an annual turnover of more than $3 million.[v]
What then does the Report propose?
Proposal 6.1: Remove the small business exemption…
Proposal 6.1 Remove the small business exemption, but only after:
(a) an impact analysis has been undertaken to better understand the impact removal of the small business exemption will have on small business – this would inform what support small business would need to adjust their privacy practices to facilitate compliance with the Act
(b) appropriate support is developed in consultation with small business
(c) in consultation with small business, the most appropriate way for small business to meet their obligations proportionate to the risk, is determined (for example, through a code), and
(d) small businesses are in a position to comply with these obligations.
The detailed consultation provisions of Proposal 6.1 indicate that the government is well aware of the magnitude of the potential impact of removing the exemption. Notably, the Report refers back to the Australian Law Reform Commission (ALRC) which, in its Report 108 of 2008,[vi] had identified likely costs arising from the following:
- familiarisation with the Privacy Act
- conducting privacy audits
- developing privacy plans
- amending business documentation
- training staff
- purchasing filing cabinets and shredders
- handling customer complaints
- record keeping
The ALRC also assigned a dollar value to these costs, which the Report translates into 2021 terms as $292.87 in start-up costs and $391.79 in ongoing annual costs.[vii]
These figures will likely need to be revised upwards as additional preparation components and costs are identified. They probably also go some way to explaining opposition to the proposed removal by influential business bodies such as CPA Australia, whose senior manager of business policy was quoted in early 2022 as stating ‘Now is not the time to impose new regulatory requirements. Small businesses have enough on their plates grappling with the diabolical trading conditions they’re facing’.[viii]
The cautious drafting of Proposal 6.1 therefore suggests that legislated removal of the entire small business exemption is still a long way off. If Proposal 6.1 is accepted, the existing exemption could be removed only after the specified conditions have been met. It may be possible to fast-track some aspects of a work program directed to giving effect to Proposal 6.1, such as preparation of a code (6.1(c)). However, it will be challenging to reach agreement that the key hurdles have been cleared, namely that appropriate support has been developed (6.1(b)) and that small businesses are in a position to comply (6.1(d)).
By contrast, Proposal 6.2 contains no consultation provisions:
Proposal 6.2 In the short term:
(a) prescribe the collection of biometric information for use in facial recognition technology as an exception to the small business exemption, and
(b) remove the exemption from the Act for small businesses that obtain consent to trade in personal information.
That the two limbs of Proposal 6.2 are so narrowly specified reflects both recent data breach incidents and the effectiveness of the case made in various submissions to government that the particular activities addressed here pose demonstrably high privacy and other human rights risks, and can cause significant harm to individuals.[ix]
In view of the likely extended timeframe for removal of the small business exemption, the proposed addition of collection of biometric information for use in facial recognition to the list of exceptions to the small business exemption (6.2(a)) appears comparatively more likely to be implemented in the current term of government.
Small businesses that may be brought within the scope of the Privacy Act by this proposal should be advised to begin preparing, as soon as possible, to comply with the existing Australian Privacy Principles (APPs) and other relevant provisions of the Privacy Act, including the data breach notification requirements. An initial privacy ‘health check’ is a good place to start. Lawyers advising these businesses should also draw attention to other proposals in the Report that will add further obligations if adopted. Chief among these is Proposal 13.1: APP entities must conduct a privacy impact assessment (PIA) for all activities with high privacy risks. Note that Proposal 13.2 indicates that the government will further examine this requirement specifically in respect of facial recognition technology.
Currently section 6D of the Privacy Act allows small businesses that trade in personal information to be exempt from the Privacy Act if they obtain the consent of individuals to collect or disclose their personal information. Proposal 6.2(b) may be seen as symptomatic of growing community unease about the validity of any consents individuals may give that reduce their privacy rights.
On this issue, the submission of the Office of the Australian Information Commissioner (OAIC) is summarised in the Report as follows:
…The effect of giving consent is to exempt the small business from all obligations under the [Privacy] Act, which unfairly places responsibility on an individual to understand the broad implications of their consent as giving up the protections of the Act in relation to their personal information, which could include sensitive information.[x]
Adoption of this proposal would help to redress the disadvantage individuals face where, for example, they have little real choice but to give their consent in order to access the online services they need; or where consent requests are vaguely worded or bundled together in confusing ways.
Small businesses that currently trade in personal information in reliance on the consent of individuals should therefore be advised that the viability of this business model is under threat, not only from Proposal 6.2(b) but also from other indicators of a declining social licence to use consent as a mechanism for bypassing otherwise applicable privacy obligations.[xi] These include Proposal 11.1, which would amend the definition of consent to provide that it must be voluntary, informed, current, specific and unambiguous.
If small businesses affected by this proposal wish to continue to trade in personal information, they too should start their preparations to comply with the Privacy Act.
While the proposed removal of the small business exemption from the Privacy Act can be read as heralding a significant change to the scope and application of Australia’s primary privacy legislation, wholesale removal of the exemption may be slow in coming due to lengthy further consultation and preparation.
Meanwhile, the two specific incremental changes proposed for implementation in the shorter term will, if accepted, require affected businesses to review their existing practices as a matter of urgency in order to comply once amending legislation is passed and commences.
[i] The A-G’s Review was instigated following the Australian Competition and Consumer Commission’s (ACCC) 2019 Digital Platforms Inquiry final report (DPI Report), which made several privacy recommendations. The Review commenced in October 2020 with the release of an Issues Paper, followed by a Discussion Paper in 2021 which put forward proposals for consultation for reform of the Act.
[ii] Report p 52
[iii] See Privacy Act ss 6D(b)-(f), 6E(1A)-(1D), 6D(9); Privacy Regulation 2013 (C’th) s7.
[iv] A full account of the policy driving the proposed change is beyond the scope of this article. The Report notes that submissions raised particular concerns about the cyber security risks posed by small businesses, the impact of the exemption on the Consumer Data Right system and the exemption negatively impacting Australia’s international trade, noting that no comparable jurisdiction exempts small businesses from the general privacy law. See Report pp. 53-54 and following.
[v] Report p 53. The OAIC notes that these estimates were prepared for the OAIC using ABS counts of Australian businesses, including exits and entries. However, ‘… this estimate does not reflect the number of businesses required to comply with the Act as it does not include exceptions to the small business exemption’ (Report FN 346).
[vi] ALRC Report 108, p 1351.
[vii] Report p 61.
[ix] See Report Chapter 13 and OAIC submission re businesses that trade in personal information; and OAIC, OAIC and ICO conclude joint investigation into Clearview AI (Web Page, 3 November 2021)
[x] Report p 53.
[xi] See for example the discussion of consent and online privacy settings in Chapter 11 of the Report.
This article is for general information purposes only and does not constitute legal or professional advice. It should not be used as a substitute for legal advice relating to your particular circumstances. Please also note that the law may have changed since the date of this article.