12 April 2023

The EU’s General Data Protection Regulation (GDPR) currently represents the global gold standard in data protection and privacy legislation. The GDPR came into force in 2018, updating an older privacy regime which was considered to have fallen behind the risks and requirements of modern technology. The GDPR has since been used as a template by other jurisdictions around the world including California, Brazil and China. Is it now time for Australia to follow suit?

Australia’s own Privacy Act 1988 (Cth) is of a considerably older vintage and, while it has received regular patches and amendments over the decades, is looking increasingly well past its “best before” date. The Australian Government initiated a wide-ranging review in 2020, the latest stage of which saw the publication in early 2023 of the Attorney-General’s proposals for amending and updating the Privacy Act (discussed in our earlier article here).

The Small Business Exemption

Many of the Attorney-General’s proposals do indeed reflect a more GDPR-style approach. One example is the question of whether the Small Business Exemption should be retained or removed. Currently, the Privacy Act does not apply to most businesses with an annual turnover of $3 million or less (although these businesses can voluntarily opt in to the Act). The justification for this exemption has historically been that smaller businesses are less able to shoulder the financial and administrative costs of compliance with the Australian Privacy Principles (APPs), and that most pose a relatively low risk to individuals’ personal information. By the same logic, certain small businesses in especially high-risk sectors are already required to comply with the APPs regardless of turnover. Such businesses include:

  • health service providers;
  • businesses trading in personal information; and
  • credit reporting bodies.

However, handling large volumes of personal information is no longer confined to these niche sectors. Businesses of all sizes and in all sectors now rely on technology and databases of personal information for their sales and marketing activities. At the same time, as cyber-attacks and data breaches become both more common and more serious, it is no longer the case that small businesses are automatically less attractive to hackers than their larger counterparts. Indeed, the opposite is very often true: a small business with underfunded and under-resourced cyber defences can present a much tastier target to malicious actors, particularly where it holds the same kinds of customer data as a large one.

The cost of cyber-security

The Small Business Exemption therefore seems increasingly harder to justify, and the Australian Law Reform Commission (ALRC) has suggested that cost and convenience to businesses should no longer be prioritised over privacy protection. There is clearly a balance to be struck, and some counter-proposals have been made to widen the categories of “high-risk” sectors which are subject to the APPs – the exemptions to the exemption, as it were.

However, other commentators have criticised this as tinkering around the edges and clouding the issue about the seriousness of data protection and privacy. In this context, it’s worth bearing in mind that one of the GDPR’s great successes has been to shift attitudes away from regarding data protection regulation as an unnecessary and unwelcome administrative burden, to seeing it as an essential attribute for a modern business. This has been achieved partly by ensuring that the rules apply to nearly all data processing activities, with only very limited exceptions for personal and domestic use.

Arguably, if the Privacy Act were to retain even a vestigial form of the Small Business Exemption, this might further the notion that cyber security is an optional extra for some businesses and an issue which they can choose not to address. By removing the Small Business Exemption completely, customers of all Australian businesses could feel reassured that their personal information is well protected. While there would certainly be associated costs for some businesses, proactively safeguarding personal information should be seen as a positive for any business genuinely interested in its customers’ wellbeing. In addition, the costs of implementing the necessary technological and operational measures are likely to be much less than the costs of even a single data breach. Such breaches can see individuals put at risk of scams and identity theft, with businesses facing significant fines, class actions and loss of customer confidence.

The Attorney-General’s Department is now considering the feedback received from individuals, businesses, and organisations before developing further proposals for reforming this increasingly important area of law.

Moulis Legal will continue to monitor and report on developments. If you have any questions or concerns in the meantime or would like any further information on data protection and cyber security, please contact our specialist team.

This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.


© Moulis Legal 2023