The Albanese Labor government’s move to up privacy protections has been described as “right-sized” and “fit-for-purpose” by the Australian Small Business and Family Enterprise Ombudsman.
The move is part of a suite of measures to strengthen privacy laws in the country, with the Albanese government agreeing to implement 38 of the 116 recommendations made by the Privacy Act Review Report, agreeing in principle to 68 recommendations, and noting 10.
The government’s new laws will be the biggest reshaping of the Privacy Act since the 1980s, affecting 2.3 million small businesses.
The new reforms will compel small businesses with a turnover under $3 million to protect the personal information of customers, and notify customers if there is a data breach.
Currently, these businesses are exempt from such obligations.
“Small businesses will need clear guidance on the active steps they can take to protect the information of their customers, their staff, and themselves and to fulfill their responsibilities. This may include procedural templates, information guides, and checklists explaining the clear steps required to meet their privacy obligations.”
At the same time, Attorney-General Mark Dreyfus said the Albanese government would remove the small business exemption only after an “impact analysis” has been undertaken.
“The government will also work with the small business sector, as well as employer and employee representatives, on enhanced privacy protections for private sector employees and for small businesses,” he said.
What Other Areas Are Being Looked At?
The Albanese government agreed in principle to the adoption of a “fair and reasonable” test for data collection. This will cover the common box-ticking requirements with a lengthy privacy statement.
Personal information will also be expanded to include data that could identify customers, such as through cookies and IP addresses.
The Albanese government has also agreed in principle to Australians’ rights to have their data erased. However, any new laws would not override existing requirements, such as the retention of identification records or criminal records.
Additionally, the government is considering whether to ban targeted marketing based on sensitive information unless it is socially beneficial.
Entities will be prohibited from direct marketing to kids and trading their personal information.
The reforms will also expand on traditional protections that include keeping names and street addresses private.
There are also considerations for a right to be forgotten, where search engines remove certain results linked to a person’s name on limited grounds.
Australians will be able to sue small businesses for serious privacy breaches under the reforms.
“Australians increasingly rely on digital technologies for work, education, health care, and daily commercial transactions and to connect with loved ones,” Mr. Dreyfus said.
Over-Regulation for Small Business: Ai Group
Meanwhile, Innes Willox, chief executive of the national employer association Ai Group, said while he supports the protection of customer data, the reforms will add further costs to small businesses.
Under the reforms, the government has also agreed in principle to “enhancing privacy protections” for private sector employees. Currently, employee records of current or former private sector employees are exempt from the Privacy Act.
“What may be seen as a modest and targeted modification to the employee exemption may still have profound adverse and unintended consequences on a range of matters, such as employee and community safety.
“Of particular concern is the introduction of a requirement of a Data Protection Officer and a Data Impact Statement and the risk of increasing the regulatory burden on Australian businesses, especially public-facing businesses. Again, we encourage lengthy consultation with a wide range of organisations to avoid regulatory overreach.”
Mr. Willox said that the Ai Group supports the need for businesses to provide the public with confidence that their privacy and data are being handled safely and responsibly.
“However, over-regulation has the potential to chill innovation and add costs to business.”
He added that compliance with new regulations is an “ongoing adaptive process” as technology and business practices change.
“Support cannot be regarded as a ‘set and forget’ proposition; rather government and industry must work in partnership for the long term to support privacy considerations without stifling innovation.”
The privacy reforms are set to be introduced into Parliament in 2024.