Background

Current law

39.3 Under s 6C of the Privacy Act, a small business operator is excluded specifically from the definition of ‘organisation’ and generally is exempt from the operation of the Act. A ‘small business operator’ is an individual, body corporate, partnership, unincorporated association or trust that carries on one or more small businesses, and does not carry on a business that is not a small business.[4]

39.4 A ‘small business’ is a business that had an annual turnover of $3 million or less in the previous financial year (or in the current financial year if it is a new business).[5] ‘Small businesses’ can include non-profit bodies and unincorporated associations,[6] even though the ordinary meaning of the term ‘business’ may not include such bodies.

39.5 There are a number of conditions that qualify the exemption for small businesses. A small business may be captured by the Privacy Act if it:

  • 39.6 provides a health service and holds any health information except in an employee record;[7]

  • 39.7 collects personal information about another individual from, or discloses such information to, anyone else for benefit, service or advantage (unless it always has the consent of the individuals concerned, or only does so when required or authorised by or under legislation);[8]

  • 39.8 is or was contracted to provide services to the Australian Government or its agencies;

  • 39.9 is related to a larger business;

  • 39.10 is a ‘reporting entity’—that is, a person who provides a ‘designated service’—within the meaning of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act);[9]

  • 39.11 is prescribed by regulation;[10] or

  • 39.12 elects to ‘opt in’ to be treated as if it were an ‘organisation’ within the meaning of the Privacy Act.[11]

39.13 The minister responsible for administering the Privacy Act also may prescribe that certain small businesses or their activities be subject to the Act. The minister may do so if it is in the public interest and after consultation with the Privacy Commissioner.[12] This provision was intended to enable otherwise exempt small businesses to be brought within the federal privacy scheme if their activities are found to constitute a particular risk to individual privacy.[13]

39.14 The OPC keeps a register of those businesses that choose to ‘opt in’. Currently there are 184 small businesses that have opted to be covered by the Privacy Act.[14]

39.15 When the private sector amendments were enacted, small businesses were exempted on the basis that many do not pose a high risk to privacy.[15] The Australian Government took the view that many small businesses do not have significant holdings of personal information, and those that may have customer records do not sell or otherwise deal with customer information in a systematic way that poses a high risk to their customers’ privacy.[16]

39.16 It also was the policy of the Australian Government to minimise compliance costs on small businesses.[17] The specified conditions that qualify the application of the small business exemption were intended to acknowledge that some personal information and some activities pose a higher risk to privacy than others, and that small businesses within these categories (such as health service providers) ought to be covered by the Act.[18]

39.17 For the period from 21 December 2001 to 31 January 2005, 20% of all the National Privacy Principles (NPPs) complaints closed by the OPC as outside of its jurisdiction concerned the small business exemption.[19] In 2005–06, the OPC received 2,000 enquiries concerning exemptions, of which 21% related to the small business exemption.[20]

39.18 There are no provisions for an exemption for small businesses in any of the major international privacy instruments—namely, the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data issued by the Organisation for Economic Co-operation and Development (OECD), the European Union’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (EU Directive) or the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.[21] Further, there are no similar exemptions in comparable jurisdictions, such as the United Kingdom, Canada and New Zealand.[22]

Previous inquiries

39.19 The small business exemption was introduced in the Privacy Amendment (Private Sector) Act 2000 (Cth). The Privacy Amendment (Private Sector) Bill was the subject of two parliamentary committee inquiries—the House of Representatives Standing Committee on Legal and Constitutional Affairs inquiry (2000 House of Representatives Committee inquiry)[23] and the Senate Legal and Constitutional Legislation Committee inquiry (2000 Senate Committee inquiry).[24]

39.20 Despite noting a number of criticisms of the small business exemption, the 2000 House of Representatives Committee inquiry took the view that an effective regulatory balance must be achieved in order to avoid overburdening small businesses that pose a low privacy risk, and that this could not be achieved without some form of exemption for small businesses.[25] The 2000 Senate Committee inquiry recommended the retention of the exemption, on the basis that it ‘achieve[s] an adequate balance between concerns about the coverage of the exemption and the intention not to impose too great a burden on small businesses’.[26]

39.21 In 2005, both the OPC and the Senate Legal and Constitutional References Committee reviewed the private sector provisions of the Privacy Act.[27] Submissions to the review by the OPC of the private sector provisions of the Privacy Act (OPC Review) were roughly divided between support for retention of the small business exemption and its repeal.[28] The OPC Review recommended that the Australian Government should retain but modify the small business exemption by amending the Privacy Act so that the definition of small business is expressed in terms of the Australian Bureau of Statistics (ABS) definition—20 employees or fewer—rather than annual turnover.[29]

39.22 The 2005 Senate Legal and Constitutional References Committee privacy inquiry (Senate Committee privacy inquiry) questioned the need to retain the small business exemption. It considered that privacy rights of individuals should be protected regardless of whether they were dealing with a small business, and that protecting these rights also made commercial sense for all businesses. Given that privacy regimes in overseas jurisdictions have operated effectively without the exemption, and that the existence of the exemption was one of the key outstanding issues preventing recognition of Australian privacy laws under the EU Directive,[30] the inquiry recommended that the small business exemption be removed from the Privacy Act.[31]

39.23 The Senate Committee privacy inquiry also recommended that the ALRC investigate possible measures that could assist Australia in achieving European Union (EU) adequacy.[32] The issue of EU adequacy is discussed in detail in Chapter 31. Briefly, the EU Directive restricts the export of personal data from an EU Member State to a recipient country that does not have an ‘adequate level of protection’.[33] Australian businesses that wish to trade with EU organisations must have contractual clauses in place to ensure the adequate protection of personal data transferred from the EU.[34] In March 2001, the Article 29 Data Protection Working Party of the European Commission released an opinion expressing concern about the sectors and activities excluded from the protection of the Privacy Act and mentioned, in particular, the small business and employee records exemptions.[35]

39.24 The OPC Review noted that negotiations with the European Commission on this issue were continuing, especially in relation to the small business and employee records exemptions,[36] and concluded that, although there was no evidence of a broad business push for EU adequacy, there may be long term benefits for Australia in achieving this status. The OPC Review, therefore, recommended that the Australian Government continue to work with the EU on this issue.[37] The Australian Government agreed with this recommendation.[38]

39.25 In addition, the OPC Review noted that the increasingly global flow of information makes the development of international privacy frameworks important. The OPC also recommended, therefore, that the Australian Government continue to work within APEC to implement the APEC Privacy Framework.[39]

39.26 In its response to the OPC Review and the Senate Committee privacy inquiry, the Australian Government has maintained its support for retaining the small business exemption,[40] stating that:

the small business exemption strikes an appropriate balance between the risk of privacy breaches and over regulation of small businesses. Removal of the exemption would be inconsistent with the Government’s commitment to workplace reform and cutting red tape.[41]

The scope of the exemption

39.27 As noted above, under the Privacy Act a ‘small business’ is a business that has an annual turnover of $3 million or less in the previous financial year (or in the current financial year if it is a new business).[42] There are no recent official data showing the number of small business operators in Australia with an annual turnover of $3 million or less.

39.28 The ABS, however, does publish data on the number of businesses with an annual turnover of less than $2 million. As at June 2007, there were 1,890,213 businesses with an annual turnover of $2 million or less, which represented 94% of all actively trading businesses in Australia.[43] Accordingly, the number of small businesses eligible for the exemption is likely to exceed 1.9 million. This figure, however, does not take into account the fact that not all small businesses qualify for the exemption—for example, those that trade in personal information without the consent of the individuals concerned.

39.29 In evidence before the 2000 House of Representatives Committee inquiry, the Department of Employment, Workplace Relations and Small Business stated that:

given the likelihood of the existence of high privacy risk low staff number businesses in, for example, the personal service sector or the online world, it was decided that an annual turnover figure that would capture the same number of businesses as the ABS measure should be used.[44]

39.30 The Department also advised the inquiry that:

based on the ABS Business Growth and Performance Survey 1997–98, approximately 94% of all Australian businesses fall under the $3 million threshold. The Department also noted that the survey indicated that the 95% of Australian businesses that are small businesses accounted for only 30% of total sales of goods and services. On this basis the Department estimated that the proportion of private sector business activity undertaken by small businesses was around 30%.[45]

39.31 The 2000 House of Representatives Committee inquiry accepted that the setting of any threshold figure would appear arbitrary.[46] It preferred, however, the use of an annual turnover threshold, arguing that the use of employee numbers to define small businesses could have the unintended consequence of exempting high-risk internet-based businesses.[47]

High-risk sectors

39.32 Since the introduction of the private sector provisions of the Privacy Act,[48] certain small business operators have been brought under the Privacy Act because their activities pose a particularly high risk to privacy. For example, significant privacy concerns about small business operators that operate residential tenancy databases were raised in four separate inquiries between 2000 and 2005.[49] As a result, the Privacy (Private Sector) Regulations 2001 (Cth) were amended to prescribe as ‘organisations’ all small business operators that operate residential tenancy databases, as well as those that collect, maintain, use and disclose personal information in connection with such databases.[50]

39.33 Other small business operators that have been identified as posing a high risk to privacy, however, have not been brought under the Privacy Act. Submissions to the OPC Review and the Senate Committee privacy inquiry identified a number of other small businesses with significant holdings of personal information that carry out some of the most privacy-intrusive activities, including: businesses that operate within the telecommunications industry, such as internet service providers (ISPs); debt collectors; private investigators;[51] and dating agencies.[52]

39.34 In addition, the passage of the Northern Territory National Emergency Response Act 2007 (Cth) and related legislation to deal with issues of drug abuse and child sexual assault in the Northern Territory has raised concerns among privacy and other human rights advocates about the handling of personal information by exempt small businesses.[53] This is discussed in detail below.

[4] Privacy Act 1988 (Cth) s 6D(3).

[5] Ibid s 6D(1). The annual turnover of a business for a financial year includes the proceeds of sales of goods and/or services; commission income; repair and service income; rent, leasing and hiring income; government bounties and subsidies; interest, royalties and dividends; and other operating income earned in the year in the course of business: Privacy Act 1988 (Cth) s 6DA. It does not include assets held by small businesses, capital gains or proceeds of capital sales: Office of the Privacy Commissioner, A Privacy Checklist for Small Business (Updated with Minor Amendments 27 November 2007) (2007), 4.

[6] Office of the Privacy Commissioner, A Snapshot of the Privacy Act for Small Business (Updated with Minor Amendments 27 November 2007) (2007), 1.

[7] Examples of health service providers holding health information which is not contained in an employee record include medical practices, pharmacies and health clubs: Australian Government Attorney-General’s Department, Small Business (2000) <www.ag.gov.au> at 23 April 2008. An ‘employee record’ is defined to mean a record of personal information relating to the employment of the employee: Privacy Act 1988 (Cth) s 6(1).

[8] Privacy Act 1988 (Cth) s 6D(7), (8). See also Office of the Privacy Commissioner, What Does ‘Trading in Personal Information’ Mean? <www.privacy.gov.au/faqs/sbf/q2.html> at 23 April 2008.

[9] Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 5. ‘Designated services’ include a number of specified financial, bullion trading or gambling services, as well as services prescribed by regulation: Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) s 6.

[10] Regulation 3AA of the Privacy (Private Sector) Regulations 2001 (Cth) provides that small business operators that operate residential tenancy databases, or those that collect, maintain, use and disclose personal information in connection with such databases, are to be treated as ‘organisations’ within the meaning of the Privacy Act 1988 (Cth).

[11] Privacy Act 1988 (Cth) ss 6D(4), (9), 6E, 6EA.

[12] Ibid s 6E(4). Currently the minister with responsibility for administering the Privacy Act is the Cabinet Secretary.

[13] Australian Government Attorney-General’s Department, Small Business (2000) <www.ag.gov.au> at 23 April 2008.

[14] Office of the Privacy Commissioner, Opting-In to Privacy Act Coverage <www.privacy.gov.au/business/register> at 23 April 2008.

[15] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 6.

[16] Commonwealth, Parliamentary Debates, House of Representatives, 8 November 2000, 22370 (D Williams—Attorney-General), 22370–22371.

[17] Revised Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth), 6.

[18] Ibid, 6.

[19] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 328.

[20] Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2005–30 June 2006 (2006), 27. The OPC’s most recent annual report does not contain statistics on enquiries concerning exemptions: see Office of the Privacy Commissioner, The Operation of the Privacy Act Annual Report: 1 July 2006–30 June 2007 (2007).

[21] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980); European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995); Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005).

[22] Data Protection Act 1998 (UK); Personal Information Protection and Electronic Documents Act 2000 SC 2000, c 5 (Canada); Privacy Act 1993 (NZ).

[23] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000).

[24] Parliament of Australia—Senate Legal and Constitutional Legislation Committee, Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000 (2000).

[25] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), [2.16].

[26] Parliament of Australia—Senate Legal and Constitutional Legislation Committee, Inquiry into the Provisions of the Privacy Amendment (Private Sector) Bill 2000 (2000), [3.11]–[3.12].

[27] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005); Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005).

[28] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 180.

[29] Ibid, rec 51.

[30] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995).

[31] Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.32]–[7.34], rec 12.

[32] Ibid, rec 16. The Australian Government disagreed with this recommendation, on the basis that ‘international negotiations are a matter for the Australian Government and negotiations with the European Union are ongoing’: Australian Government Attorney-General’s Department, Government Response to the Senate Legal and Constitutional References Committee Report: The Real Big Brother: Inquiry into the Privacy Act 1988 (2006), 5.

[33] European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), arts 25, 26.

[34] Ibid, art 26(2).

[35] European Union Article 29 Data Protection Working Party, Opinion 3/2001 on the Level of Protection of the Australian Privacy Amendment (Private Sector) Act 2000, 5095/00/EN WP40 Final (2001), 3.

[36] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 74.

[37] Ibid, rec 17.

[38] Australian Government Attorney-General’s Department, Government Response to the Privacy Commissioner’s Report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2006), 4.

[39] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), rec 17.

[40] Australian Government Attorney-General’s Department, Government Response to the Privacy Commissioner’s Report: Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2006), 10.

[41] Australian Government Attorney-General’s Department, Government Response to the Senate Legal and Constitutional References Committee Report: The Real Big Brother: Inquiry into the Privacy Act 1988 (2006), 4.

[42] Privacy Act 1988 (Cth) s 6D(1).

[43] Australian Bureau of Statistics, Counts of Australian Businesses, 8165.0 (2007), 20.

[44] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), [2.19] (footnotes omitted).

[45] Ibid, [2.20] (footnotes omitted). The Australian Bureau of Statistics, Business Growth and Performance Survey, Financial Year 1997/1998 (1999) was conducted by the ABS from 1994–95 to 1997–98. It has been discontinued since then.

[46] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), [2.22].

[47] Ibid, [2.21].

[48] Privacy Amendment (Private Sector) Act 2000 (Cth).

[49] Parliament of Australia—House of Representatives Standing Committee on Legal and Constitutional Affairs, Advisory Report on the Privacy Amendment (Private Sector) Bill 2000 (2000), rec 19; Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), recs 9, 15, 16, 52; Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [7.32]; Ministerial Council on Consumer Affairs/Standing Committee of Attorneys-General Residential Tenancy Database Working Party, Report on Residential Tenancy Databases (2005), 48–50.

[50] Privacy (Private Sector) Amendment Regulations 2007 (No 3) (Cth). The amendment took effect on 1 December 2007. Privacy issues concerning residential tenancy databases are discussed further in Ch 17.

[51] The ALRC notes that the small business exemption generally does not apply to private investigators, as they trade in personal information without the consent of the individuals concerned: see Privacy Act 1988 (Cth) s 6D(4)(c), (d), (7), (8). Privacy issues relating to private investigators are discussed in detail in Ch 44.

[52] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 180; Parliament of Australia—Senate Legal and Constitutional References Committee, The Real Big Brother: Inquiry into the Privacy Act 1988 (2005), [4.48]–[4.49].

[53] Office of the Privacy Commissioner, Submission to the Senate Standing Committee on Legal and Constitutional Affairs, Inquiry into the Northern Territory National Emergency Response Bill 2007 and Related Bills, 1 August 2007; Office of the Victorian Privacy Commissioner, Submission to the Senate Standing Committee on Legal and Constitutional Affairs Inquiry into the Northern Territory National Emergency Response Bill 2007 and Related Bills, 10 August 2007; Aboriginal and Torres Strait Islander Social Justice Commissioner, Social Justice Report 2007 (2008), Ch 3.