
SME firms will no longer be exempt from Privacy Act

The federal government has revealed a raft of reforms to the Privacy Act aimed at bringing it into “the digital age”, including for small businesses such as boutique and SME legal practices.

David Hollingworth 03 October 2023 Politics

Editor’s note: This story first appeared on Lawyers Weekly’s sister brand, Cyber Security Connect.

The reforms are based on a review of the act performed by the Attorney-General’s Department, with Attorney-General Mark Dreyfus (pictured) agreeing to 38 out of the 116 suggested reforms and agreeing in principle to another 68.

Another 10 have been “noted” by the government, including a proposal to change political exemptions to the act and another to allow individuals the unqualified ability to “opt out of receiving targeted advertising”.


One of the key reforms applies to small businesses that earn less than $3 million a year. Such businesses are currently exempt from the Privacy Act, but the government has agreed in principle to remove this exemption, meaning small businesses will be obliged to secure any consumer information they may hold and to notify individuals of any breach that does occur.

However, the government will perform an impact analysis review and provide a small-business support package, as well as establish a transition period before the removal of the exemption comes into effect.

The change is expected to impact 2.3 million small businesses in Australia.

Other proposed changes to the act include giving individuals more control over how their data is stored and used, greater protection for children alongside a new Children’s Online Privacy Code, stronger requirements for organisations to secure the data they hold and to effectively destroy it when no longer needed, and simplifying data handling obligations.

“Australians increasingly rely on digital technologies for work, education, healthcare and daily commercial transactions and to connect with loved ones,” Dreyfus said, according to The Australian Financial Review.

“But when they are asked to hand over their personal data, they rightly expect it will be protected.”

The shadow attorney-general, Michaelia Cash, has weighed in on the reforms on the side of small businesses.

“It would be appalling but not surprising if Labor’s new privacy laws target small businesses by imposing more complexity and costs at a time when they are already struggling,” Cash said, as reported by The Guardian.

“We all want better protection for our information, but we’re talking about imposing a complex and difficult regulatory regime on hairdressers and mechanics, and potentially making them pay civil penalties if they make a mistake. This government has an ambivalent, bordering on hostile attitude to small businesses. They keep hitting small business[es] with complexity, confusion, and costs on multiple fronts – just look at the proposed industrial relations laws.”

However, the Australian Information Industry Association (AIIA) is lauding the reforms.

“The recommendations adopted by the government are welcomed by the AIIA,” the peak body said in a statement.

“Australian businesses, big and small, hold a great deal of data; it is right that they all are covered under the Privacy Act. [The] government now needs to provide appropriate support, training and a fair lead time to achieve the required capabilities for SMEs to ensure they comply with the obligations of the act. This will provide a significant lift in Australia’s overall cyber security baseline and improve privacy outcomes for Australian businesses and their customers.”

The changes to the Privacy Act are expected to be legislated in 2024.

You can read the full government response here.
