One of the most controversial parts of the Privacy Act 1988 (Cth) (the Privacy Act) and the proposed reforms to that legislation is the small business exemption, as it allows small businesses what some may call a ‘free pass’ to not comply with privacy obligations when dealing with an individual’s personal information.
In this article, we will discuss the Privacy Act, the small business exemption, and why some small businesses may still choose to comply with the requirements of the Privacy Act, even where they are exempt.
The Privacy Act is the main piece of legislation in Australia that governs the way a business should deal with the personal information of the individuals it deals with, or whose information it comes into possession of.
One of the purposes of the Privacy Act is to establish the 13 Australian Privacy Principles (APPs), which set out the principles that applicable businesses should apply in their dealings. These include a requirement to have a Privacy Policy and to apply proper protections to ensure that any personal information a business holds is not inappropriately disclosed to third parties.
If you would like some more information about each of the APPs, please refer to our article “What are the Australian Privacy Principles and why are they important for my business?”
In general, businesses that have a turnover of $3 million or less do not have to comply with the requirements set out in the Privacy Act. It is important to note here that turnover is not the business’s profit (i.e. the balance of its income once expenses have been deducted). It is all income of the business from all sources.
Notably, the small business exemption does not apply to small businesses that are:
In many cases, even where a small business is exempt from complying with the Privacy Act, it still chooses to do so. This could be for a variety of reasons, some of which are discussed further below.
When a business grows its turnover to the point that it no longer falls under the small business exemption, there is no grace period for it to then start complying with the Privacy Act. Businesses must be ready for compliance right from the point that they hit that turnover milestone.
Given some of the complexities of the Privacy Act requirements, and that complying with these requirements may take some time to achieve, some businesses choose to make sure that they are already doing so before they hit the $3 million turnover threshold. This way, they are ready even if they are lucky enough to hit that target earlier than they expected.
If a small business is dealing contractually with a bigger business in a way that will likely include the exchange of personal information, then the bigger business (which is required to comply with the Privacy Act) will often want assurances from the small business that it will handle that personal information in accordance with the Privacy Act. This is generally included in a contract, so that the bigger business can meet its own obligations under the Privacy Act.
If smaller businesses are not able to provide those assurances, they risk breaching their contractual obligations, or they may simply have to decide not to take on those contracts in the first place. Early compliance with the Privacy Act gives small businesses the flexibility to take up opportunities that they might otherwise have missed.
This all depends on the wording of the contract in question. It is important that you seek expert legal advice to understand your contractual obligations and, if appropriate, help you with the negotiation of the contract right from the start.
In today’s world, privacy is very important to consumers, and they may not be pleased when businesses don’t place that same level of importance on their information, simply because they are not legally obliged to. Therefore, many businesses choose to comply with the Privacy Act anyway to make sure that they are doing the right thing by the individuals they interact with.
The Office of the Australian Information Commissioner maintains a list of businesses that:
Businesses can choose to make this commitment and opt in by reviewing the information provided by the Office of the Australian Information Commissioner and filling in the opt-in application form. Businesses that choose to opt in can choose to opt out in the future if they wish.
Another reason some small businesses may be starting to take steps to comply with the Privacy Act is the recent discussion about future changes to the Privacy Act, including discussion about the removal or limitation of the small business exemption.
The Australian Government has agreed in principle to a review of the Privacy Act by the Federal Attorney-General, although it has highlighted that there should be more consultation on the impact of this change before any changes are decided and made.
There are several legal considerations for businesses that may be considering taking up compliance with the Privacy Act. This could include contractual considerations or understanding how the APPs may apply to the business.
If you are unsure of what steps your business should take, including whether or not your business is currently exempt, contact us for advice and assistance.
This article is of a general nature and should not be relied upon as legal advice. If you require further information, advice or assistance for your specific circumstances, please contact IM Lawyers.