The Australian landscape of data protection and privacy could be on the brink of change as discussions intensify regarding whether small businesses with an annual turnover of $3 million or less should be required to comply with the Privacy Act. This alteration could potentially end a 20-year exemption that has left such businesses untouched by the Act’s provisions, including the need to safeguard personal information and divulge its usage.
At the heart of the debate are concerns that scraping the exemption could prove financially disastrous for small enterprises. Industry groups argue that the financial strain of compliance might cripple the already vulnerable 2.5 million small businesses that are still recuperating from the pandemic’s blows. This sentiment is echoed by Elizabeth Skirving, Deputy Chair of the Council of Small Business Organisations Australia, who emphasizes the resource and time limitations faced by small businesses in tackling the complex challenges of data security.
Australian Information and Privacy Commissioner Angelene Falk highlights the escalating risk of small businesses falling prey to cybercrime. Currently, small businesses are under no legal obligation to protect personal information, leaving individuals without recourse if their data gets compromised. Falk advocates for increased accountability, emphasizing that bringing small businesses under the Privacy Act would necessitate informing customers about data handling practices, maintaining secure information storage, and responsibly disposing of information when no longer required.
Despite the support for reform from a majority of submissions to the review, concerns about potential consequences persist. Sydney travel agent Donna Meads-Barlow, whose business experienced a drastic decline due to the pandemic, fears that her operation might not survive the added cost burden of compliance. She acknowledges the importance of data security and privacy but raises concerns about the affordability for small businesses already grappling with reduced incomes.
If they were to be brought into the act then they would need to tell their customers how they’re handling personal information…They would have to have a privacy policy, they’d need to ensure that they kept personal information secure and delete it or de-identify it when it was no longer required for their purposes.
As the consultation period comes to an end, the fate of the proposed Privacy Act changes hangs in the balance. The Actuaries Institute has stressed the vulnerability of smaller businesses to cyber threats, given limited budgets and expertise. Regardless of the outcome, the discourse underscores the intricate balance between enhancing data protection and ensuring the viability of small businesses in Australia’s ever-evolving digital landscape.
