ALRC’s view

39.181 After carefully reviewing stakeholder views, international experience, and the commissioned research, the ALRC concludes that the exemption for small business is neither necessary nor justifiable.

39.182 Associate Professor Moira Paterson has offered a counter to the argument that the requirement to comply with the Privacy Act constitutes a substantial compliance burden. She noted that the costs of compliance on businesses are likely to be significant only where businesses have poor record-keeping practices—citing evidence from Quebec that implementing data protection measures may in fact result in cost reduction or increased productivity due to improved information-handling practices.[249] Furthermore, Paterson observed that, in New Zealand,

the limited information available to date does not suggest that the cost of implementation has been a major problem. For example, the New Zealand Real Estate Institute commented in 1994 that, while the passing of the Privacy Act 1993 (NZ) would have a considerable impact on the manner in which the industry might deal with personal information, it did not expect that there would be any significant cost of compliance; what was required was common sense and fair dealing.[250]

39.183 While cost of compliance with the Privacy Act is an important consideration, this factor alone does not provide a sufficient policy basis to support the small business exemption. The fact that no comparable overseas jurisdictions—including the United Kingdom, Canada and New Zealand—have an exemption for small businesses is indicative.

39.184 At present, potentially up to 94% of Australian businesses are exempt from the operation of the Privacy Act. Some stakeholders argued that exempting the majority of businesses from the operation of the Act is justified because small businesses pose a low risk to privacy. This assumption can be questioned on two grounds.

39.185 First, the risks to privacy posed by small businesses are determined by the amount and nature of personal information held, the nature of the business and the way personal information is handled by the business, rather than by their size alone. Some small businesses, such as ISPs and debt collectors, hold large amounts of personal information. In addition, given the increasing use of technology by small businesses, the risk posed to privacy may not necessarily be low. In this regard, it should be noted that the OPC received a significant number of inquiries that related to this exemption.

39.186 Secondly, the fact that there are a considerable number of conditions that qualify the application of the exemption also suggests that the assumption that small businesses present a low risk to privacy is no longer valid. Under existing law, there already are seven categories of small businesses to which the small business exemption does not apply.[251] Some of these categories—namely, small businesses that operate or use residential tenancy databases, and those that are ‘reporting entities’ under the AML/CTF Act—were brought into the privacy regime after the enactment of the private sector provisions of the Privacy Act precisely because they raised significant privacy concerns.

39.187 The ALRC does not consider that further modifying the exemption is a sufficient response to the concerns raised in submissions and consultations. At whatever level the threshold for the exemption is set, the definition of ‘small business’ would be arbitrary, and consumers could not determine easily whether the exemption applies to a particular business. In some cases, small businesses themselves may have problems understanding whether the exemption applies to their operations due to the various conditions that qualify the application of the exemption.

39.188 Further, the application of the small business exemption could have unintended consequences. For example, in the context of the Northern Territory Emergency Response, legislative provisions that were intended to protect Indigenous children in the Northern Territory from abuse raised concerns about the lack of safeguards against misuse of personal information, partly because small business operators are exempt from the operation of the Privacy Act.

39.189 The ALRC agrees with the 2005 Senate Committee privacy inquiry that regulating small businesses in some areas—such as telecommunications and debt collection—and not others, would add to the complexity of the privacy regime. The ALRC also notes that privacy concerns relating to small businesses are not confined to those that operate in particular industries. For example, given the highly sensitive nature of genetic information, small businesses that hold genetic information pose a particularly high risk to privacy, regardless of whether they provide a health service.[252] In 2006, the Privacy Legislation Amendment Act 2006 (Cth) was passed to amend the definitions of ‘health information’ and ‘sensitive information’ in the Privacy Act to include genetic information about an individual.[253] Consequently, small businesses that hold genetic information and provide a health service no longer qualify for the small business exemption. Other small businesses that hold genetic information, however, may still be exempt from the operation of the Privacy Act. This would be the case where a small business meets all the other conditions that qualify the exemption.

39.190 Further, as discussed above, the removal of the small business exemption would bring Australia in line with other comparable countries—and would assist in achieving EU ‘adequacy’ status and facilitate trade with EU organisations.

39.191 Finally, the ALRC notes the submissions arguing that compliance costs on small businesses may be reduced by modifying the application of the privacy principles to small businesses, either through a code, a public interest determination by the OPC or specific exceptions to certain privacy principles. Modifying the application of the privacy principles to small businesses, however, would result in uneven privacy protection and a more complex privacy regime without addressing adequately concerns about unnecessary costs of compliance to small businesses.

Recommendation 39-1 The Privacy Act should be amended to remove the small business exemption by:

(a) deleting the reference to ‘small business operator’ from the definition of ‘organisation’ in s 6C(1) of the Act; and

(b) repealing ss 6D–6EA of the Act.

[249] M Paterson, ‘Privacy Protection in Australia: The Need for an Effective Private Sector Regime’ (1998) 26 Federal Law Review 372, 383, 399.

[250] Ibid, 399.

[251] Generally speaking, as has been noted above, the exemption currently does not apply to health service providers; small businesses that trade in personal information; Australian Government contractors; small businesses that are related to larger businesses; persons who provide specified financial, gambling or bullion trading services; users and operators of residential tenancy databases; and small businesses that elect to ‘opt in’ to be covered by the Privacy Act.

[252] See Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003), [7.102].

[253] Privacy Legislation Amendment Act 2006 (Cth) sch 2 cl 2. This amendment followed recommendations in Australian Law Reform Commission and Australian Health Ethics Committee, Essentially Yours: The Protection of Human Genetic Information in Australia, ALRC 96 (2003). The Australian Democrats unsuccessfully sought to remove the small business exemption, the political party exemption and the exemption for political acts and practices during parliamentary debate on the legislation: Commonwealth, Parliamentary Debates, Senate, 7 September 2006, 42 (N Stott Despoja).