39.35 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC considered whether the small business exemption should be removed. The ALRC expressed the preliminary view that the exemption is neither necessary nor justifiable, and that the cost of compliance with the Privacy Act alone does not provide a sufficient policy reason to support the exemption. The ALRC noted that privacy legislation in overseas jurisdictions does not contain an equivalent exemption.
39.36 The ALRC stated that the risks to privacy posed by small businesses are determined primarily by the nature of personal information held, the nature of the business, and the way personal information is handled, rather than by size. The ALRC noted that modifying the exemption would not resolve the concerns raised by stakeholders that any definition of ‘small business’ would be arbitrary and that consumers cannot determine easily whether the exemption applies to a particular business. In addition, regulating small businesses in some areas and not others would add to the complexity of the privacy regime, and modifying the application of the privacy principles to small businesses would result in uneven privacy protection. Accordingly, the ALRC proposed that the small business exemption be removed.
 Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 35–1.