Background

Current law

39.3 Under s 6C of the Privacy Act, a small business operator is excluded specifically from the definition of ‘organisation’ and generally is exempt from the operation of the Act. A ‘small business operator’ is an individual, body corporate, partnership, unincorporated association or trust that carries on one or more small businesses, and does not carry on a business that is not a small business.^[4]

39.4 A ‘small business’ is a business that had an annual turnover of $3 million or less in the previous financial year (or in the current financial year if it is a new business).^[5] ‘Small businesses’ can include non-profit bodies and unincorporated associations,^[6] even though the ordinary meaning of the term ‘business’ may not include such bodies.

39.5 There are a number of conditions that qualify the exemption for small businesses. A small business may be captured by the Privacy Act if it:

• 39.6provides a health service and holds any health information except in an employee record;^[7]

• 39.7collects personal information about another individual from, or discloses such information to, anyone else for benefit, service or advantage (unless it always has the consent of the individuals concerned, or only does so when required or authorised by or under legislation);^[8]

• 39.8is or was contracted to provide services to the Australian Government or its agencies;

• 39.9is related to a larger business;

• 39.10is a ‘reporting entity’—that is, a person who provides a ‘designated service’—within the meaning of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act);^[9]

• 39.11is prescribed by regulation;^[10] or

• 39.12elects to ‘opt in’ to be treated as if it were an ‘organisation’ within the meaning of the Privacy Act.^[11]

39.13 The minister responsible for administering the Privacy Act also may prescribe that certain small businesses or their activities be subject to the Act. The minister may do so if it is in the public interest and after consultation with the Privacy Commissioner.^[12] This provision was intended to enable otherwise exempt small businesses to be brought within the federal privacy scheme if their activities are found to constitute a particular risk to individual privacy.^[13]

39.14 The OPC keeps a register of those businesses that choose to ‘opt in’. Currently there are 184 small businesses that have opted to be covered by the Privacy Act.^[14]

39.15 When the private sector amendments were enacted, small businesses were exempted on the basis that many do not pose a high risk to privacy.^[15] The Australian Government took the view that many small businesses do not have significant holdings of personal information, and those that may have customer records do not sell or otherwise deal with customer information in a systematic way that poses a high risk to their customer’s privacy.^[16]

39.16 It also was the policy of the Australian Government to minimise compliance costs on small businesses.^[17] The specified conditions that qualify the application of the small business exemption were intended to acknowledge that some personal information and some activities pose a higher risk to privacy than others, and that small businesses within these categories (such as health service providers) ought to be covered by the Act.^[18]

39.17 For the period from 21 December 2001 to 31 January 2005, 20% of all the National Privacy Principles (NPPs) complaints closed by the OPC as outside of its jurisdiction concerned the small business exemption.^[19] In 2005–06, the OPC received 2,000 enquiries concerning exemptions, of which 21% related to the small business exemption.^[20]

39.18 There are no provisions for an exemption for small businesses in any of the major international privacy instruments—namely, the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data issued by the Organisation for Economic Co-operation and Development (OECD), the European Union’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Directive) or the Asia-Pacific Economic Cooperation (APEC)Privacy Framework.^[21] Further, there are no similar exemptions in comparable jurisdictions, such as the United Kingdom, Canada and New Zealand.^[22]

Previous inquiries

39.19 The small business exemption was introduced in the Privacy Amendment (Private Sector) Act 2000 (Cth). The Privacy Amendment (Private Sector) Bill was the subject of two parliamentary committee inquiries—the House of Representatives Standing Committee on Legal and Constitutional Affairs inquiry (2000 House of Representatives Committee inquiry)^[23] and the Senate Legal and Constitutional Legislation Committee inquiry (2000 Senate Committee inquiry).^[24]

39.20 Despite noting a number of criticisms of the small business exemption, the 2000 House of Representatives Committee inquiry took the view that an effective regulatory balance must be achieved in order to avoid overburdening small businesses that pose a low privacy risk, and that this could not be achieved without some form of exemption for small businesses.^[25] The 2000 Senate Committee inquiry recommended the retention of the exemption, on the basis that it ‘achieve[s] an adequate balance between concerns about the coverage of the exemption and the intention not to impose too great a burden on small businesses’.^[26]

39.21 In 2005, both the OPC and the Senate Legal and Constitutional References Committee reviewed the private sector provisions of the Privacy Act.^[27] Submissions to the review by the OPC of the private sector provisions of the Privacy Act (OPC Review) were roughly divided between support for retention of the small business exemption and its repeal.^[28] The OPC Review recommended that the Australian Government should retain but modify the small business exemption by amending the Privacy Act so that the definition of small business is expressed in terms of the Australian Bureau of Statistics (ABS) definition—20 employees or fewer— rather than annual turnover.^[29]

39.22 The 2005 Senate Legal and Constitutional References Committee privacy inquiry (Senate Committee privacy inquiry) questioned the need to retain the small business exemption. It considered that privacy rights of individuals should be protected regardless of whether they were dealing with a small business, and that protecting these rights also made commercial sense for all businesses. Given that privacy regimes in overseas jurisdictions have operated effectively without the exemption, and that the existence of the exemption was one of the key outstanding issues preventing recognition of Australian privacy laws under the EU Directive,^[30] the inquiry recommended that the small business exemption be removed from the Privacy Act.^[31]

39.23 The Senate Committee privacy inquiry also recommended that the ALRC investigate possible measures that could assist Australia in achieving European Union (EU) adequacy.^[32] The issue of EU adequacy is discussed in detail in Chapter 31. Briefly, the EU Directive restricts the export of personal data from an EU Member State to a recipient country that does not have an ‘adequate level of protection’.^[33] Australian businesses that wish to trade with EU organisations must have contractual clauses in place to ensure the adequate protection of personal data transferred from the EU.^[34] In March 2001, the Article 29 Data Protection Working Party of the European Commission released an opinion expressing concern about the sectors and activities excluded from the protection of the Privacy Act and mentioned, in particular, the small business and employee records exemptions.^[35]

39.24 The OPC Review noted that negotiations with the European Commission on this issue were continuing, especially in relation to the small business and employee records exemptions,^[36] and concluded that, although there was no evidence of a broad business push for EU adequacy, there may be long term benefits for Australia in achieving this status. The OPC Review, therefore, recommended that the Australian Government continue to work with the EU on this issue.^[37] The Australian Government agreed with this recommendation.^[38]

39.25 In addition, the OPC Review noted that the increasingly global flow of information makes the development of international privacy frameworks important. The OPC also recommended, therefore, that the Australian Government continue to work within APEC to implement the APEC Privacy Framework.^[39]

39.26 In its response to the OPC Review and the Senate Committee privacy inquiry, the Australian Government has maintained its support for retaining the small business exemption,^[40] stating that:

the small business exemption strikes an appropriate balance between the risk of privacy breaches and over regulation of small businesses. Removal of the exemption would be inconsistent with the Government’s commitment to workplace reform and cutting red tape.^[41]

The scope of the exemption

39.27 As noted above, under the Privacy Act a ‘small business’ is a business that has an annual turnover of $3 million or less in the previous financial year (or in the current financial year if it is a new business).^[42] There are no recent official data showing the number of small business operators in Australia with an annual turnover of $3 million or less.

39.28 The ABS, however, does publish data on the number of businesses with an annual turnover of less than $2 million. As at June 2007, there were 1,890,213 businesses with an annual turnover of $2 million or less, which represented 94% of all actively trading businesses in Australia.^[43] Accordingly, the number of small businesses eligible for the exemption is likely to exceed 1.9 million. This figure, however, does not take into account the fact that not all small businesses qualify for the exemption—for example, those that trade in personal information without the consent of the individuals concerned.

39.29 In evidence before the 2000 House of Representatives Committee inquiry, the Department of Employment, Workplace Relations and Small Business stated that:

given the likelihood of the existence of high privacy risk low staff number businesses in, for example, the personal service sector or the online world, it was decided that an annual turnover figure that would capture the same number of businesses as the ABS measure should be used.^[44]

39.30 The Department also advised the inquiry that:

based on the ABS Business Growth and Performance Survey 1997–98, approximately 94% of all Australian businesses fall under the $3 million threshold. The Department also noted that the survey indicated that the 95% of Australian businesses that are small businesses accounted for only 30% of total sales of goods and services. On this basis the Department estimated that the proportion of private sector business activity undertaken by small businesses was around 30%.^[45]

39.31 The 2000 House of Representatives Committee inquiry accepted that the setting of any threshold figure would appear arbitrary.^[46] It preferred, however, the use of an annual turnover threshold, arguing that the use of employee numbers to define small businesses could have the unintended consequence of exempting high-risk internet-based businesses.^[47]

High-risk sectors

39.32 Since the introduction of the private sector provisions of the Privacy Act,^[48] certain small business operators have been brought under the Privacy Act because their activities pose a particularly high risk to privacy. For example, significant privacy concerns about small business operators that operate residential tenancy databases were raised in four separate inquiries between 2000 and 2005.^[49] As a result, the Privacy (Private Sector) Regulations 2001 (Cth) were amended to prescribe as ‘organisations’ all small business operators that operate residential tenancy databases, as well as those that collect, maintain, use and disclose personal information in connection with such databases.^[50]

39.33 Other small business operators that have been identified as posing a high risk to privacy, however, have not been brought under the Privacy Act. Submissions to the OPC Review and the Senate Committee privacy inquiry identified a number of other small businesses with significant holdings of personal information that carry out some of the most privacy-intrusive activities, including: businesses that operate within the telecommunications industry, such as internet service providers (ISPs); debt collectors; private investigators;^[51] and dating agencies.^[52]

39.34 In addition, the passage of the Northern Territory National Emergency Response Act 2007 (Cth) and related legislation to deal with issues of drug abuse and child sexual assault in the Northern Territory has raised concerns among privacy and other human rights advocates about the handling of personal information by exempt small businesses.^[53] This is discussed in detail below.