jacobThe Issues Paper flagged concerns with the so-called ‘Small Business Exemption’ in the Privacy Act (1988)(Cth)(‘Privacy Act’) which does not regulate Australian companies with annual turnover less than $3 million. The paper sought feedback as to whether the Privacy Act strikes the right balance between protecting privacy rights of individuals whose personal data is handled by small businesses and creating unnecessary regulatory burdens on small companies (Issues Paper, p 24).1 The suitability of the small business exemption and whether it remains appropriate was considered by the Issues Paper.
The Discussion Paper, released a year later in 2021, received submissions from small business representatives recognising the importance of protecting individuals privacy but were opposed to the small business exemption being removed (Discussion Paper, p 40).2 A number of submissions proposed increasing the annual turnover threshold to become an APP entity from $3 million to $10 million to make it consistent with a threshold used by the Australian Taxation Office.
The Privacy Act Review – Report (‘Report’), released in 2023, was the culmination of all the issues and discussions raised in the two previous papers. The Report analysed numerous submissions from industry suggesting small businesses are the ‘weakest link’ in supply chains and should comply with APP 11 on data security requirements as well as the Notifiable Data Breaches scheme (Report 6.2.1, p 54).3 This section on cyber security also noted that small businesses are increasingly vulnerable to data related crime and have become ‘easier targets’ or low hanging fruit for cyber criminals since larger companies already expend more resources on cyber security and compliance with APP 11. In contrast to the discussion paper, the majority of submissions recommended that the Small Business Exemption should in fact be removed while small business representatives, now in the minority, were still opposed (Report 6, p 52).4 The Report concluded that small businesses ‘should, in the future, be covered by the Act.’ (Report 1.1.1, p 2).5
Balance is the key word here. Technology now facilitates the ability of small businesses to fully engage in the digital economy with complex e-commerce software such as WooCommerce and Shopify. Furthermore, cloud infrastructure and Content Management Systems such as WordPress and Joomla have democratised web design. Nevertheless, regulation that is too stringent for small businesses can hurt the economy by stifling growth while regulation that is too lax can lead to data breaches which also has major ramifications for the economy. Small businesses often operate with scarce resources and are unaware of the compliance obligations that medium and large Australian companies are beholden to. However, small businesses are increasingly interconnected with larger companies in the complex digital ecosystem and a small business that has been compromised poses a risk to all companies that do business with it, irrespective of its size. The nature of hacking techniques such as ‘lateral escalation’ means a large business may spend considerable resources on cybersecurity but can still be compromised via a backdoor in its supply chain through a small company that knows it has been hacked but was not bound to comply with the Notifiable Data Breaches scheme.6
Larger businesses are particularly vulnerable to supply chain attacks since they work with outside providers and third parties (often small businesses) that access corporate resources such as API’s and logistics systems which can be used as attack vectors for privilege escalation. A small business with a compromised business email can increase the likelihood of success of an attacker’s social engineering and spear phishing attack that targets staff from a larger company because a level of trust has already been established between both parties. This increased attack surface for larger companies has led to the rise of security architectures such as Zero Trust, in which all areas of its network are treated as hostile, instead of traditional layered defence models whereby once an attacker crosses the so-called DMZ it can move with relative ease inside a large companies internal network.
The government must find the middle ground on this issue. The Report concluded that “further extensive consultation would need to occur with small businesses to determine the best way for small businesses to meet their obligations under the Act”. The Report also recommends that impact analyses should also be undertaken to understand the impact of removing the small business exemption, as well as offering support packages for small businesses. (Report 1.1.1, p2). This might come in the form of financial grants awarded to small businesses to facilitate their compliance with APP 11 on data security as well as Cyber Awareness Training.
- https://www.oaic.gov.au/__data/assets/pdf_file/0018/1773/privacy-act-review-issues-paper-submission.pdf ↩︎
- https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/user_uploads/privacy-act-review-discussion-paper.pdf ↩︎
- https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf ↩︎
- Ibid 52. ↩︎
- Ibid 2. ↩︎
- https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme ↩︎
