Small business privacy laws in parliamentary crosshairs

Powered by SC Magazine

Parliamentary Committee calls for abolition of Privacy Act exemptions.

The Australian Parliamentary Cyber-Safety Committee has called for the scrapping of an exemption that excludes small businesses from Australia’s Privacy Act.

In a report tabled yesterday, the committee said it was concerned that small businesses with annual turnovers of $3 million or less were exempt from the Privacy Act 1988.

It recommended that the Government consider dropping small business exemptions and undertake a review of categories of businesses with “significant personal data holdings”.

“A large proportion of the Australian private sector is not subject to any privacy laws,” the committee wrote.

“Such legislation may be insufficient to protect young people from cyber-safety risks occurring as a result of individuals acting in private capacities.”

According to the Office of the Information Commissioner, businesses subject to the Privacy Act are required to:

  • Inform users about the collection of personal information and how the information will be used;
  • Not share personal information without notifying users, and only use personal information in ways users might expect;
  • Allow users to see any information that the business holds about them, if they ask;
  • Keep personal information safe; and
  • Inform users, if they ask, about how the business handles personal information.

Internet Industry Association CEO Peter Coroneos expected a majority of online businesses to comply with most of those requirements – whether or not they were legally obliged to.

“To the end user, the size of a business is not the critical determinant of their propensity to interact with the business; the critical determinant is whether they feel safe,” he said.

“Certainly in the internet space, small businesses have as much to gain from complying, because it speaks to the issue of trust.”

Outside of the online environment, however, the cost of complying with the Privacy Act may be less attractive to small businesses.

Robert Mallett, general manager of the Council of Small Businesses of Australia (COSBOA), said many small businesses lacked both knowledge of privacy regulations and the skills required to comply.

“Added compliance is just making it burdensome for small businesses,” he told iTnews.

Compared to large organisations like Telstra, Apple and Woolworths, small businesses had a “far smaller capacity” to harvest personal information, and thus posed less risk, Mallett said.

Instead of introducing new laws, he urged the Government to focus on “high-risk” areas and policing, noting that existing, unenforced laws made it “grossly uncompetitive” for businesses that chose to comply.

Additionally, Mallett said there was “no empirical evidence” to support the introduction of privacy laws for small businesses.

“I’ve not heard of any complaints of a small business using customer data for the wrong reasons,” he said.

The Office of the Information Commissioner told iTnews that it was unable to provide data about privacy breaches by small businesses, as that did not come under its jurisdiction.

Mandatory or voluntary compliance?

Yesterday’s small business recommendations by the 12-person Joint Select Committee on Cyber-Safety echoed those in an April 2011 report on online privacy by a separate committee that shared two of its members.

The Australian Law Reform Commission (ALRC) also raised the issue in 2008, finding the exemptions “neither necessary nor justifiable” despite the burden compliance would place on businesses.

The Government has not yet formulated a response to that ALRC recommendation.

Although he welcomed parliamentary debate on small business privacy practices, the IIA’s Coroneos said black letter law might not be the solution.

Instead of introducing new legislation, Coroneos recommended that the Government get behind more flexible industry codes of practice.

In 2003, the IIA approached the Privacy Commissioner to register a voluntary Privacy Code of Practice, designed to target personal information protection and spam.

Those efforts were discontinued due to technical, legal hurdles within the Privacy Act, as well as the introduction of the Spam Act 2003.

“In the internet industry in particular, the environment is always changing. Legislation is not very good at adapting to technological changes,” Coroneos told iTnews.

“I wouldn’t necessarily be arguing for new laws for small businesses; where we need to look is changing the Act to permit the registration of the kind of codes that we were trying to introduce.

“Maybe there’s a middle ground where you might incorporate some of those elements [of the Privacy Act] and not others, and take a granular approach.”
