Expectations of Privacy – Anticipated Changes and an Immediate Lesson for Australian Small Businesses
By Ryan Doll, Lawyer
Following two years of consultation and review, the Commonwealth Attorney-General’s office has published its ‘Privacy Act Review’ Report, recommending changes to Australia’s privacy protection framework that will have significant consequences for small businesses.
Small Business Exemption from Privacy Act
Under the current privacy framework, most small businesses (being businesses with an annual turnover of $3 million or less) are exempt from the Privacy Act and the obligations that it imposes on larger businesses.
Businesses that are subject to the Privacy Act must comply with the 13 Australian Privacy Principles, which create and govern standards, rights, and obligations in respect of:
- The collection, use and disclosure of personal information;
- Governance and accountability;
- Integrity and the correction of personal information; and
- The rights of individuals to access their personal information.
Small businesses were exempted from the Privacy Act in 2000. At that time, such businesses were not seen as posing a significant risk to customer privacy and the costs of complying with the Privacy Act were seen to outweigh the risk.
After taking submissions from more than 200 parties (including businesses, government bodies, industry groups, and individuals), the Attorney-General finds that this is no longer the prevailing view. Instead, the Report agrees that “advances in technology have shifted the way small businesses operate and increased the privacy risks they pose.”
With the increasing ‘digitisation’ of our everyday lives – and following a series of high-profile data leaks, hacks, and cyberattacks (such as those perpetrated on Optus, Medibank, Australian National University, and NAB) – the protection of sensitive and personal information has emerged as an increasing concern for Australian consumers.
Consequently, the Attorney-General concludes that “the Privacy Act has not kept pace with the changes in the digital world.” To address this, the Report recommends that (amongst other things) small businesses should no longer be exempt from the Privacy Act, meaning that all Australian businesses should be obliged to comply with the Privacy Act, regardless of turnover.
What this Means for your Business
While changes to Australia’s privacy framework are not yet certain, the Attorney-General’s findings send a clear message to businesses that customers value the safe treatment and responsible use of their personal information.
As businesses increasingly use technology to collect and hold customer information (such as identification documents, medical records, geolocation data, and payment information), the security and proper use of such information are increasingly decisive factors in consumer decision making.
Regardless of whether they are currently subject to the Privacy Act, business owners should consider their current practices as well as how their commitment to privacy protection is made clear to customers.
How MST Can Help
MST Lawyers can assist businesses by providing specialist advice and preparing documents, such as Privacy Policies, Privacy Statements, and Cookies Policies, to allay your customers’ concerns, separate your business from its competitors, and ensure compliance with the Privacy Act (if it applies).