Small businesses should not be excluded from data privacy laws, but those exemptions should only be removed once independent businesses are capable of meeting their new cyber security obligations, according to an influential report destined to reshape and modernise Australia’s data privacy legislation.
On Thursday, the Attorney-General’s Department released its long-awaited review of the Privacy Act, levelling 116 recommendations it says will protect businesses and consumers from worsening cyber security threats.
This comes in the wake of major cyber security breaches at Optus and Medibank in 2022, which exposed the personal data of millions of Australians.
But the report gives special attention to Australia’s small business sector, which is estimated to draw 43% of all cyber crime attacks.
Businesses with an annual turnover of $3 million or less are currently shielded from the strictest compliance measures prescribed by the act.
As of June 2021, nearly 2.3 million of Australia’s estimated 2.5 million businesses were exempt due to their annual turnover, the report says.
As a result, most businesses are not currently subject to the rules covering larger firms, including new fines of up to $50 million for businesses which face serious data breaches.
After lengthy consultations with small business advocates, cyber security experts, and academics, the Attorney-General’s Department found those carve-outs should be removed.
“In recognition of the increasing privacy risks posed by small businesses and the benefits of improved privacy protection for Australians and the economy, the small business exemption should be removed,” the report says.
“This would require all Australian businesses to comply with the act, regardless of annual turnover.”
The report found that small businesses increase their risk profile merely by processing orders online, maintaining a digital presence, or using cloud computing services, even if those businesses don’t handle complex information.
Decreasing the annual turnover threshold is not a viable solution either, the report adds: small businesses with minuscule turnover, like tech startups which hold the personal data of app users, can expose customers to profound harm if their data is hacked.
Small businesses should be shielded from obligations until they can stand on their own: report
Not only should small businesses be covered by the act, it should be expanded, the report argues.
It calls for individuals to have far greater control over how their data is used by companies, including “a right to seek erasure of personal information.”
Proposed changes would improve the quality and variety of information granted to consumers about the use of their data, mirroring aspects of the European Union’s General Data Protection Regulation.
Rules around when businesses should destroy or de-identify personal information should also be bolstered.
However, in a significant reprieve for small businesses, the Attorney-General’s office says it will be essential for newly-covered businesses to bolster their digital capabilities and cyber security defences before they are subject to any regulatory crackdown.
“Given the unique challenges faced by small businesses and the potential regulatory burden associated with complying with the act, it is proposed that the exemption be removed only after such steps have been implemented to facilitate small business compliance,” the report says.
Understanding the needs of small businesses could be achieved through a specialised impact analysis, and those findings could be used to build “appropriate support… in consultation with small business.”
The report also reflected on the financial cost of such compliance, given the likelihood small businesses will need to invest in everything from staff training and document shredders to updated privacy policies.
“To support small businesses to comply with the act, there would need to be a comprehensive package of assistance developed and implemented,” the report says, after a separate impact analysis delving into the costs of compliance in the SME sector.
While those measures are developed, the federal government should remove the exemption for small businesses which receive user consent to trade their personal information, and ensure the collection of biometric data across businesses of all sizes is covered by the act, the report says.
Tough new penalties recommended
Bringing small businesses up to speed with their obligations under the act will be essential if the report’s recommended enforcement activities are brought into effect.
Among other recommendations, the Attorney-General’s office states the courts should be granted enhanced powers to make orders against businesses which breach their privacy obligations.
In addition, it recommends “new pathways” for individuals to seek redress against businesses after a data breach, “including through a new tort for serious invasions of privacy,” a move which would effectively allow victims to sue companies which failed to protect their sensitive information.
Interested parties have until March 31 to submit their views to the Attorney-General’s office as the federal government considers its response to the report.