Australia’s Privacy Act has regulated the handling of personal information for decades, undergoing major reforms in 2000 and 2014. The 2014 changes introduced the Australian Privacy Principles (APPs), establishing a foundation for data privacy standards. However, the Act hasn’t kept pace with rapid technological advancement, the growing digital economy, and the increasing prevalence of hacks, scams, and major data breaches.
Recognising this, the Federal Government launched a review in 2020 to modernise the legislation. After more than two years of analysis and consultation, the findings released in early 2023 recommended a sweeping overhaul. In late September 2023, the Government responded, agreeing (or agreeing in principle) to most of the 116 recommended reforms.
These reforms focus on:
Updating privacy laws for the digital age.
Strengthening protections like information security, cyber safety, and data destruction.
Simplifying privacy rules and obligations.
Increasing control and transparency with improved notice and consent practices.
Enhancing enforcement powers.
Small businesses that previously enjoyed broad exemptions will likely be among those most affected.
Removing the Small Business Exemption
Under current law, small businesses (with an annual turnover of $3 million or less) have generally been exempt from many personal information requirements. This exemption was introduced in 2000, assuming that small businesses posed minimal privacy risks and compliance costs would be burdensome.
Today’s digital landscape is much different. High-profile data breaches, sophisticated scams, and new technologies have shown that even small businesses can handle substantial amounts of sensitive information. As community expectations evolve, the Government has agreed to remove this exemption in principle.
While the Government hasn’t fully committed to the removal just yet, it aims to consult with small businesses about:
Modified privacy obligations to ease the compliance transition
Supporting resources, such as tailored guidance, e-learning modules, and tools
Reasonable transition periods to help small businesses adapt
In other words, small businesses could soon face the same data protection standards as larger entities.
High-Risk Activities Under Closer Scrutiny
Some small business activities inherently involve higher privacy risks, such as:
Using facial recognition technology
Collecting other biometric data
Trading in personal information
The Government has indicated that small businesses engaging in these practices may lose their exemption sooner. While the timeline and details remain unclear, this suggests that the Government may prioritise reforms for businesses handling more sensitive data.
What Do Potential Privacy Reforms Mean for Small Businesses?
If the small business exemption is removed, you must comply with the Australian Privacy Principles. The APPs govern everything from how you collect and store personal information to how you obtain consent and allow individuals to access and correct their data.
Many Australian small businesses that serve overseas customers may already be familiar with the European General Data Protection Regulation (GDPR). For these businesses, aligning with new Australian requirements might not be a huge leap. But for others, the changes will be more significant.
Expanding the Definition of Personal Information
Currently, personal information focuses on identifiable details like names and contact information. Under the proposed reforms, the definition may broaden to include technical and digital data—such as IP addresses, cookies, location data, and device identifiers. This shift would reflect how modern technology can identify individuals without traditional personal details, aligning Australian rules more closely with international standards like the GDPR.
How to Prepare Your Business Now
Although we don’t know precisely when (or if) these reforms will pass into law, now is a good time to review your data practices. Consider:
Data Handling Practices: Audit how you collect, store, use, and destroy personal information. Identify any gaps that might need addressing.
Privacy Policies: Update or prepare to update your policies to meet potential new requirements.
Consent Mechanisms: Review how you obtain consent and whether your current process is clear and effective.
Access Restrictions: Limit internal access to personal data on a need-to-know basis.
Cybersecurity Measures: Implement robust security measures, such as encryption and multi-factor authentication, to protect sensitive information.
Data Minimisation: Destroy unnecessary data and ensure you only retain what’s needed.
Risk Assessments: Evaluate the privacy impacts of new products or services before launch.
Staff Training: Educate your team about the importance of data privacy and the potential upcoming changes.
Compliance Monitoring: Plan to monitor compliance, respond promptly to complaints, and mitigate risks if the reforms pass.
If you’re unsure about these steps, make notes of your concerns and consider seeking legal advice down the track.
What Happens Next?
At this stage, the Government’s support of the reforms is “in principle,” not a legal certainty. Further consultation with impacted sectors, including small businesses, will shape the final proposals. The Government aims to progress reforms in 2024, meaning any new laws might not take effect until at least 2025.
Use this lead time to review, plan, and enhance your privacy practices. Even if these reforms don’t become law, strengthening data protection within your business will earn trust, safeguard your customers, and reduce the risks associated with today’s data-driven marketplace.
Need Help Navigating Cybersecurity and Privacy Changes?
Navigating the complexities of cybersecurity and upcoming privacy reforms can be overwhelming. At Q10 Systems, we specialise in helping businesses like yours stay secure and compliant. Whether it’s auditing your current practices, updating your systems, or preparing for future regulations, we’ve got you covered. Contact us today to take the stress out of data protection and focus on what you do best!