16.08.2010
39.100 A number of stakeholders opposed the ALRC’s proposal to remove the small business exemption.[136] The main arguments for retaining the small business exemption are based on a view that it is necessary to achieve an appropriate balance between privacy protection and the ability of the small business sector to operate efficiently.[137] In particular, it was suggested that many small businesses pose a low risk to privacy because they do not: collect a significant amount of personal information; deal inappropriately with personal information; or handle much personal information that pose a high risk to privacy.[138]
39.101 Finally, there were concerns that removing the exemption would increase significantly the overall regulatory burden and compliance costs on small businesses.[139] Stakeholders had differing views on the extent and implications for small businesses of the costs of complying with the Privacy Act. Compliance costs are discussed later in this chapter.
Balancing privacy risks and compliance burden
39.102 The OPC stated that the small business exemption is ‘necessary to balance privacy protection against the need to avoid unnecessary cost on small business’.[140] The OPC submitted that requiring many small businesses to comply with the NPPs would be impractical and create an unnecessary compliance burden.[141]
39.103 The OPC cited research undertaken by the Regulation Taskforce, which showed that compliance matters generally can consume up to 25% of the time of large companies and that the impact would be even greater for small businesses that do not have the in-house capacity to keep abreast of large amounts of regulation.[142] It argued that the small business exemption should not be removed unless the benefit to individuals from the imposition of this compliance burden on small businesses can be demonstrated.[143]
Privacy risks
39.104 Some stakeholders highlighted the low risk to privacy posed by most small businesses. The Motor Trades Association of Australia submitted that small businesses generally only handle and retain personal information for purposes that are related to the transaction initiated on behalf of the consumer, ‘to comply with existing legal requirements or to further the relationship between the consumer and the small business operator’.[144]
39.105 The Council of Small Business of Australia (COSBOA) argued that, compared to larger businesses, small businesses have fewer customers, fewer outlets, fewer complementary business interests, smaller market share and fewer staff—all of which means that they handle a lower volume of personal information, have less reason or need to disseminate information, and that additional time spent on regulatory activities carries a high opportunity cost.[145] The REIA argued that, while exemptions are blunt instruments, regulating an entire sector of business, the majority of which pose low risks to privacy, was an even blunter approach.[146]
39.106 Some stakeholders submitted that there was no evidence that small business operators have handled personal information inappropriately.[147] For instance, the REIA argued that the level of privacy complaints relating to small businesses were proportionately lower than for larger businesses, given the sheer number of small businesses and their share of total sales and services.[148]
39.107 Similarly, Australian Business Industrial submitted that there was no evidence to suggest that small businesses are abusing the exemption, or that personal information held by small businesses was ‘exploited or mishandled in any significant, systematic or serious manner’. It argued, therefore, that the removal of the exemption was not a justified or proportional response to any perceived privacy risks.[149]
39.108 The Department of Employment and Workplace Relations (DEWR) (now the Department of Education, Employment and Workplace Relations) suggested that, even if small businesses were to misuse personal information, the consequences of such misuse generally would be less severe than those resulting from misuse of personal information by large organisations or the government.[150]
39.109 Other stakeholders expressed the view that additional privacy requirements on small businesses are unnecessary because small businesses already take steps to ensure that the personal information of customers is handled appropriately.[151] The Victorian Automobile Chamber of Commerce (VACC) suggested that ‘reputation and repeat business are essential for small businesses to survive. It is therefore in their best interests to handle information appropriately’.[152]
39.110 The Financial Planning Association of Australia submitted that imposing privacy requirements on small businesses would not increase significantly consumer protection or confidence in small businesses. It argued that such additional requirements could inhibit commercial activities in certain circumstances—for example, where customers have no privacy concerns about the relevant transactions and the risk to privacy is minimal.[153]
39.111 Some stakeholders submitted that the small business exemption should be retained because there are mechanisms in the Privacy Act that limit the application of the exemption in appropriate circumstances, by excluding those small businesses that:
39.112engage in activities that pose a high risk to privacy, such as private sector health service providers and small businesses that trade in personal information;[154]
39.113enter into certain business relationships, for example, with government or larger organisations;[155]
39.114have been brought under the jurisdiction of the Privacy Act through an amendment of the Act, for instance, small businesses that are ‘reporting entities’ within the meaning of the AML/CTF Act;[156]
39.115have been prescribed as an ‘organisation’ by regulations made under s 6E of the Privacy Act, such as residential tenancy database operators;[157] and
39.116voluntarily opt in to coverage by the Privacy Act where there is a commercial or social benefit for the small business to do so.[158]
Compliance burden
39.117 Some stakeholders submitted that the proposed removal of the small business exemption is contrary to the stated policy intention of the Australian Government to reduce regulatory and compliance burdens on small businesses,[159] and would result in a more complex regulatory environment.[160]
39.118 On the other hand, while the OPC did not support removing the small business exemption, it conceded that the exemption ‘may not promote consistency and may lead to additional burdens for small businesses and individuals because of the uncertainty it creates about whether personal information is regulated by the Privacy Act’.[161] The OPC also noted that, given personal information held by small businesses is covered by the Act where it has been collected for the purposes of the AML/CTF Act,[162]
relevant small business will need to be able to distinguish between personal information that is regulated, and that which is not. The Office considers that many small business reporting entities may find that compliance is simplified by treating all personal information as though it is covered by the Privacy Act.[163]
39.119Several stakeholders suggested that removing the exemption also could have a number of adverse consequences, including: reduced ability of small businesses to compete with larger competitors;[164] price increases or decreased level of services for consumers;[165] reduced profitability, which could impact on employment levels;[166] and increased small business failure and economic inefficiency.[167]
39.120 Some stakeholders also raised concerns about the timing of the removal of the small business exemption.[168] The Australian Industry Group (AIG) and the Australian Electrical and Electronic Manufacturers’ Association (AEEMA) expressed concern that removing the small business exemption would extend the coverage of the Privacy Act in a very short time and result in a significant increase in the compliance burdens on both the small business sector and the OPC.[169] COSBOA submitted that removing exemption provisions under the Privacy Act should be considered in the context of the new simplified Act proposed by the ALRC, rather than concurrently.[170]
Issues involved in retaining the exemption
39.121 If the small business exemption is to be retained, a number of issues may require further consideration. These include: whether the existing definition of a ‘small business’ is appropriate; whether the consent provisions under s 6D(7) and (8) of the Privacy Act should be removed; and whether the voluntary opt-in mechanism should be preserved.
Definition of a ‘small business’
39.122 Many stakeholders identified the definition of ‘small business’ as problematic. In submissions and consultations, there was recognition—by both proponents and opponents of the small business exemption—that the threshold for the small business exemption of an annual turnover of $3 million or less is arbitrary.[171]
39.123 A number of stakeholders suggested that the current threshold of $3 million annual turnover is too low.[172] The VACC submitted that, in 2004:
small businesses within the automotive industry estimated an annual turnover of approximately $6–7 million despite recording minimum profit margins. Given the high cost of vehicles which are generally greater than $20,000, it is not difficult for small businesses to exceed the $3 million threshold.[173]
39.124 The REIA and COSBOA suggested that the threshold for the exemption should be raised to $5 million. This reflects the ongoing impact of inflation,[174] the recent period of economic prosperity that was likely to have lifted the annual turnover of many small businesses,[175] and the fact that there has been no change to the threshold for the exemption since the introduction of the Privacy Act.[176] The REIA submitted that raising the threshold for the exemption to $5 million would ensure that the threshold could be left unchanged over the short term.[177]
39.125 In contrast, other stakeholders expressed the view that the threshold for the small business exemption should be lowered.[178] The Arts Law Centre of Australia suggested that the threshold for the exemption should be reduced to an annual turnover of $500,000 or less in order better to achieve a balance between protecting the privacy interests of individuals and the needs of small businesses.[179]
39.126 One stakeholder noted that defining small business based on turnover was at odds with the definition adopted by both the ABS and the Australian Taxation Office. It was suggested that, if an exemption were to be retained, the definition should be based on the level of risk that an organisation poses to privacy. The exemption could apply on the basis of particular types of information held by the organisation or the number of individuals about whom personal information is held.[180]
39.127 The OPC reiterated its recommendation in the OPC Review that the definition of small business be expressed in terms of the ABS definition of small business.[181] There was some opposition to the OPC’s recommendation.[182] The Australian Chamber of Commerce and Industry (ACCI) argued that the test recommended by the OPC would capture many small businesses that are currently exempt from the operation of the Privacy Act, because casual or part-time employees would be counted as a single employee. The ACCI submitted that this would have a particularly serious impact on many service industries, as they rely heavily on casual labour.[183]
39.128 The Australian Privacy Foundation stated that it was impossible to envisage any sensible size or other criteria which would capture all information-handling activities that pose a high risk to privacy while excluding those activities that pose a low risk to privacy. It was argued that even businesses operated by a single individual, such as private investigators and operators of specialised websites, could be engaging in privacy-intrusive activities.[184]
39.129 Electronic Frontiers Australia opposed an exemption based on the number of employees because ‘this would still result in exemption for organisations that collect and disclose substantial amounts and types of personal information’.[185] In common with the Australian Privacy Foundation, Electronic Frontiers Australia argued that even a sole trader may handle large amounts of personal information.[186]
39.130 The Treasury noted that a single definition of a ‘small business entity’ was introduced on 1 July 2007 to align the definition across various pieces of tax legislation.[187] It suggested that the adoption of this definition in the Privacy Act would promote the alignment of all definitions of ‘small business’ in federal legislation and ensure that more businesses would fall within the purview of the Privacy Act. The Treasury also advised that, during the implementation of the Tax Laws Amendment (Small Business) Act 2007 (Cth), the ABS indicated its intention to adopt the definition of ‘small business’ under tax legislation, despite the fact that it would continue to collect data on businesses by classifying them on the basis of the number of people they employ.[188]
Consent provision
39.131 If the small business exemption were to be retained, another issue for consideration is whether the consent provisions under s 6D(7) and (8) of the Privacy Act should be removed. These subsections provide that a small business that trades in personal information may still be exempt if it has the consent of the individuals concerned to collect or disclose their personal information.[189]
39.132 The OPC Review recommended the removal of the consent provisions on the basis that the provisions were ‘clumsy and complicated’, and that there was a lack of certainty as to whether a single failure to gain consent would change the exempt status of the business.[190] In the OPC’s view, this also would ensure that all organisations that trade in personal information would be regulated by the Privacy Act, and that public number directory producers could not make use of the exemption.[191]
39.133 The Australian Government disagreed with the OPC Review’s recommendation, however, on the basis that ‘the Act currently provides a mechanism for dealing with situations in which the consent provisions should not operate’.[192]
Voluntary compliance and opting in
39.134 Retaining the small business exemption also raises the issue of whether the voluntary opt-in mechanism—which allows a small business operator to opt in to coverage by the Privacy Act[193]—should be preserved. In practice, some small businesses appear to have committed to comply voluntarily with the Privacy Act without using the opt-in mechanism, for example, by posting Privacy Policies on their websites, or by agreeing to contractual terms that require them to comply with the Privacy Act. In a number of case studies, it was observed that some small businesses have Privacy Policies that state that they are bound by the Privacy Act even though they have not opted in.[194] It has been argued that, since such small businesses have not opted in formally, this leaves consumers or the other contracting party with limited avenues of complaint.[195]
39.135 Some stakeholders supported retaining the opt-in procedure.[196] The OPC suggested that there are a number of benefits in retaining the opt-in provisions, in that the provisions allow small businesses to:
39.136show their commitment to privacy, which could enhance their brand and community trust in their operations;
39.137apply for a privacy code under s 18BA of the Privacy Act;
39.138fulfil a condition of signing up to a code that is not connected to the Act, such as the Credit Union Code of Conduct; and
39.139apply to the Privacy Commissioner for a Public Interest Determination (PID), as s 73 of the Privacy Act requires that an applicant for a PID must be an organisation.[197]
39.140 The OPC suggested that, instead of removing the exemption, small businesses that do not handle large amounts of personal information should be encouraged to opt in to coverage by the Privacy Act. Further, the OPC could assist small businesses by promoting the benefits of embedding relevant privacy practices into their business operations and encouraging good privacy practice.[198]
39.141 DEWR submitted that the opt-in mechanism represents
a market solution to the question of which small businesses should monitor and control their handling of personal information …
there is a role for privacy-savvy customers and other organisations having business dealings with small business to alert small business to privacy concerns, and to use their market power to persuade small business to ‘opt in’ or otherwise incorporate privacy safeguards in their business practices.[199]
39.142 The ACCI stated that it would not oppose an opt-in mechanism, provided that it remains voluntary. It suggested, however, that given the low take-up of the opt-in procedure by small businesses, the procedure should be discontinued if the cost is disproportionate to the benefit of opting in.[200]
39.143 The ABA submitted that the opt-in mechanism would not be required if the Privacy Commissioner were to develop a PID modifying the application of the NPPs to small businesses.[201]
[136] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; CPA Australia, Submission PR 476, 14 December 2007; Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Australian Chamber of Commerce and Industry, Submission PR 452, 7 December 2007; Arts Law Centre of Australia, Submission PR 450, 7 December 2007 (endorsed by Contemporary Arts Organisations Australia, Submission PR 384, 6 December 2007); Australian Business Industrial, Submission PR 444, 10 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Retail Motor Industry, Submission PR 407, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[137] CPA Australia, Submission PR 476, 14 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[138] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; CPA Australia, Submission PR 476, 14 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[139] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007; Australian Institute of Company Directors, Submission PR 424, 7 December 2007; Avant Mutual Group Ltd, Submission PR 421, 7 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007.
[140] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007, referring to Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), ii.
[141] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[142] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007, referring to Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), ii.
[143] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[144] Motor Trades Association of Australia, Submission PR 470, 14 December 2007.
[145] Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[146] Real Estate Institute of Australia, Submission PR 400, 7 December 2007.
[147] Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007; Australian Institute of Company Directors, Submission PR 424, 7 December 2007.
[148] Real Estate Institute of Australia, Submission PR 400, 7 December 2007.
[149] Australian Business Industrial, Submission PR 444, 10 December 2007.
[150] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007.
[151] Australian Retailers Association, Submission PR 131, 18 January 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007.
[152] Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007.
[153] Financial Planning Association of Australia, Submission PR 496, 19 December 2007.
[154] CPA Australia, Submission PR 476, 14 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[155] CPA Australia, Submission PR 476, 14 December 2007; Australian Business Industrial, Submission PR 444, 10 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[156] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. See also Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[157] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[158] Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[159] See, eg, Motor Trades Association of Australia, Submission PR 470, 14 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[160]Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[161] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007, referring to Regulation Taskforce 2006, Rethinking Regulation: Report of the Taskforce on Reducing Regulatory Burdens on Business, Report to the Prime Minister and the Treasurer (2006), ii.
[162]Privacy Act 1988 (Cth) s 6E(1A).
[163] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007.
[164]Motor Traders Association of NSW, Submission PR 429, 10 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007.
[165]Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[166] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Motor Traders Association of NSW, Submission PR 429, 10 December 2007. See also Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007.
[167] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[168]Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[169] Australian Industry Group and Australian Electrical and Electronic Manufacturers’ Association, Submission PR 494, 19 December 2007.
[170] Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[171] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Council of Small Business Organisations of Australia Ltd, Submission PR 203, 21 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Real Estate Institute of Australia, Submission PR 84, 12 January 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.
[172] Council of Small Business of Australia, Submission PR 389, 6 December 2007; Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007; Real Estate Institute of Australia, Submission PR 84, 12 January 2007.
[173] Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007.
[174] Real Estate Institute of Australia, Submission PR 84, 12 January 2007.
[175] Ibid.
[176] Real Estate Institute of Australia, Submission PR 400, 7 December 2007; Council of Small Business of Australia, Submission PR 389, 6 December 2007.
[177] Real Estate Institute of Australia, Submission PR 84, 12 January 2007.
[178] Arts Law Centre of Australia, Submission PR 450, 7 December 2007 (endorsed by Contemporary Arts Organisations Australia, Submission PR 384, 6 December 2007); S Hawkins, Submission PR 382, 6 December 2007.
[179] Arts Law Centre of Australia, Submission PR 450, 7 December 2007 (endorsed by Contemporary Arts Organisations Australia, Submission PR 384, 6 December 2007). See also S Hawkins, Submission PR 382, 6 December 2007.
[180] Association of Market and Social Research Organisations and Australian Market and Social Research Society, Submission PR 502, 20 December 2007.
[181] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[182] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.
[183] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.
[184] Australian Privacy Foundation, Submission PR 167, 2 February 2007.
[185] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.
[186] Ibid.
[187] Before the introduction of the Tax Laws Amendment (Small Business) Act 2007 (Cth), there were separate criteria for small business entities to determine their eligibility for a number of different tax concessions, including concessions related to the goods and services tax, the capital gains tax and the fringe benefits tax. In 2007, the Tax Laws Amendment (Small Business) Act was passed to standardise the eligibility criteria for small business to access concessions for all taxation purposes: see Tax Laws Amendment (Small Business) Act 2007 (Cth) s 328-10. This was achieved by the creation of a single definition of a ‘small business entity’ based on an aggregated annual turnover of less than $2 million: Tax Laws Amendment (Small Business) Act 2007 (Cth) sch 1.
[188]Australian Government Treasury, Submission PR 581, 20 March 2008.
[189] Privacy Act 1988 (Cth) s 6D(7), (8).
[190] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 185, rec 53.
[191] Ibid, 62, 185. Public number directory producers are authorised to access data concerning listed telephone numbers from the Integrated Public Number Database, a database of all listed and unlisted public telephone numbers in Australia: Australian Government Department of Broadband‚ Communications and the Digital Economy, Integrated Public Number Database (IPND) <www.dbcde.gov.au/communications
_and_technology/policy_and_legislation/numbering> at 23 April 2008. Public number directory producers are persons who: (i) compile, publish, maintain or produce directories of public numbers; (ii) provide directory assistance services; or (iii) supply goods or services which are a combination of (i) and (ii): Australian Communications Authority, Telecommunications (Section of the Telecommunications Industry) Determination, 25 September 1998.
[192] Australian Government Attorney-General’s Department, Government Response to the Privacy Commissioner’s Report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2006), 10.
[193]Privacy Act 1988 (Cth) s 6EA.
[194] M Jackson and others, Small Business: Issues of Identity Management, Privacy and Security (2006), 9–10.
[195] Ibid, 9–10.
[196] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Australian Government Department of Health and Ageing, Submission PR 273, 30 March 2007; Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007; Australian Retailers Association, Submission PR 131, 18 January 2007; Victorian Automobile Chamber of Commerce, Submission PR 100, 15 January 2007. The OPC submitted that the opt-in mechanism also should be extended so that other entities, such as registered political parties, have the ability to opt-in to coverage of the NPPs: Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[197] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[198] Ibid.
[199] Australian Government Department of Employment and Workplace Relations, Submission PR 211, 27 February 2007.
[200] Australian Chamber of Commerce and Industry, Submission PR 219, 7 March 2007.
[201] Australian Bankers’ Association Inc, Submission PR 259, 19 March 2007.