
(Cth) Remove the Small Business Exemption from the Privacy Act


Author: Nicole Brideson, Maea Applegarth, Ben Kelly, Amber Nguyen, Connor Maloney, Felicity Mulhall | Publish date: 10/12/2025


  • Problem: In Australia, most small businesses are exempt from privacy obligations.

  • Solution: The Attorney-General should amend section 6C(1) of the Privacy Act 1988 (Cth) to omit the words ‘that is not a small business operator’ and repeal section 6D, which defines a small business.


Problem Identification: 

Schedule 1 of the Privacy Act 1988 (Cth) requires ‘organisations’ to follow 13 privacy principles, including taking reasonable steps to protect personal information from unauthorised access. However, under section 6C(1) of the Act, most small business operators are excluded from the definition of ‘organisation’, although some small businesses, such as health service providers, remain covered.


According to the Office of the Australian Information Commissioner (OAIC), this means that most Australian businesses are not covered by the Act despite often handling sensitive personal information. The OAIC has reported that this creates uneven regulatory coverage, complicates public expectations about privacy rights, and limits the Act’s capacity to provide a uniform, modernised privacy framework across the economy.


Context: 

The Act is Australia's primary legislation governing the handling of personal information. The stated purpose of the Act is to protect individuals whose personal information is handled by the organisations it covers. The Act also requires entities to notify affected individuals and the OAIC about data breaches that are likely to result in harm. Complying with these obligations could involve safeguards such as encrypting customer data, securing systems with multi-factor authentication, and providing staff education and training.


Section 6D of the Act defines a small business as any business with an annual turnover of $3,000,000 or less (the threshold). The OAIC stated that ‘[m]ost small businesses are not covered by the Privacy Act 1988’. The Privacy Act Review Report 2022 noted that fewer than 5% of Australian businesses meet this threshold. ABS data indicated that in the financial year 2020-21, over 2 million Australian businesses were below the threshold.


As noted in the Explanatory Memorandum, the exemption for small businesses was introduced in 2000 to reduce the burden of compliance costs.


Arguments:

The OAIC has reported that the small business exemption is ‘no longer appropriate in light of the privacy risks posed by entities of all sizes’. This heightened exposure is reflected in international research. A report by Tech.co, a technology advisory firm, found that ‘71% of data breaches [occur] at businesses with fewer than 250 employees.’ For example, a small business (an ICT provider) experienced a data breach and then refused to cooperate with an OAIC investigation. The OAIC then expressed that, due to the small business exemption, they were left ‘unable to address [the matter]’, or to enforce accountability or protections.


The .au Domain Administration (auDA), a non-profit, has outlined that current privacy protections fall short of public expectations, leaving individuals exposed to risks they may not be aware of. A survey commissioned by the OAIC found that 85% of respondents were unaware that small businesses are exempt from the Privacy Act.


Although this amendment may increase compliance costs for small businesses, the auDA has indicated that this is likely to be beneficial for operators in the long term. They elaborated that this is because the amendment could make them more attractive partners for larger, cross-border organisations. Further, they stated that ‘...increased data privacy and security measures will “legitimise” [small business] operations in the digital economy… Removing the exemption will also ensure that [Australian small businesses] can become eligible for an adequacy finding under GDPR [the General Data Protection Regulation], ending the current lockout that [firms] face in offering services to European customers.’


Advice/Solution Identification:

The Attorney-General’s Department (AGD), OAIC, auDA and the Australian Law Reform Commission have called for the small business exemption to be removed. These groups have emphasised that its removal could better regulate sensitive information, align protections with public expectations, and ensure all businesses are subject to baseline privacy obligations, regardless of size.


Precedent:

There is international precedent for extending legal privacy requirements to small businesses. Across the EU, UK, Canada and New Zealand, privacy laws apply to all businesses regardless of size. The OAIC has highlighted that ‘The small business exemption is also an anomaly amongst international privacy laws. No other comparable international jurisdiction exempts small businesses from the coverage of privacy legislation.’





Public Support: 


News Coverage:

  • ABC News - “Small businesses could be forced to protect customers’ personal information, under government changes to Privacy Act”. The article reported that small businesses in Australia are largely exempt from the Privacy Act 1988, which leaves them vulnerable to cyber attacks and data breaches. Potential reforms to remove the exemption were discussed to improve protections for consumers. By: Nicole Hegarty | 2 Mar 2023 - Read the article here.

  • The Guardian - “From location to keystrokes, Australian workers’ data is being gathered by employers - with little privacy protection”. The article highlighted concerns about workplace surveillance, including tracking of location, keystrokes, and emails, with little transparency for employees. It underscored the risks for all workers, including those at small businesses exempt from privacy protections. By: Josh Taylor | 14 Sep 2025 - Read the article here.

  • InDaily - “Small businesses should ready for incoming privacy laws”. The article discussed how upcoming changes to the Privacy Act could remove the small business exemption, requiring smaller firms to comply with baseline privacy obligations. Businesses were advised to prepare policies and systems for personal data protection. By: InDaily | 13 Jun 2024 - Read the article here.

  • News.com.au - “Aussie firm defends remote work surveillance claims”. The article reported on a Melbourne company using monitoring software to track employees’ webcams, microphones and keystrokes. The case highlighted the privacy risks in small businesses currently exempt from the Privacy Act. By: Heath Parkes-Hupton | 25 Aug 2025 - Read the article here.


Where to go to learn more: 

  1. Attorney-General’s Department Privacy Act Review Report 2022 - Their report focused on the removal of the small business exemption, highlighting the increasing privacy risks posed by small businesses and the benefits of improved privacy protection for Australians and the economy. Read their 2022 report here.

  2. Office of the Australian Information Commissioner (OAIC) Submission to the Privacy Act Discussion Paper - Their submission provided analysis on how the small business exemption created regulatory uncertainty and left privacy risks unaddressed, offering context for why reform was needed. Read the December 2021 submission here.

  3. Australian Law Reform Commission (ALRC) Report - Their report analysed compliance costs and practical implications for small businesses if the exemption was removed, providing context for implementation considerations and supporting evidence for reform. Read the report here.

  4. International Association of Privacy Professionals Report on Current Business Exemptions - Their report analysed the challenges of the small business exemption and explored international best practice for expanding privacy obligations to all businesses. Read the report here.

  5. Keypoint Law Article in the LexisNexis Privacy Law Bulletin, May 2023 (Vol 20 No 2&3) - The article discussed the proposed removal of the small business exemption, explaining the change’s impact on the scope and application of the Privacy Act and its significance for practitioners. Read the article here.

  6. The Privacy Act 1988 (Cth) - Read the full act here.


Human Perspective: 


Holly loves supporting small businesses and regularly buys pre-prepared meals from her local cafe. After breaking her foot, she can’t visit in person, so she gives the business her name, phone number, address and credit card details for home delivery. The business stores its customers' data on an unencrypted server, which is protected with a generic password. When the business is hacked, Holly’s personal and financial details are stolen. Her bank account is drained, and she starts receiving threatening messages from people who now know where she lives. Holly is scared and confused about how these hackers have gained her personal information, as she takes stringent measures in her everyday life to protect her data. When Holly finds out the source of the breach, she feels betrayed that her information was not protected well enough to prevent this, and is frustrated she has no legal recourse for the mishandling of her information. 


To protect the anonymity of those involved, this is a fictionalised account drawn from an amalgamation of real-life stories, experiences and testimonials gathered during the research process for this brief. Any resemblance to actual individuals is purely coincidental.


Conflict of interest/acknowledgment statement: 

N/A


Support 

If your organisation would like to add your support to this paper or suggest amendments, please email Info@foreaustralia.com


Reference list: 

Apacible-Bernardo, A. (2024, February 1). Amending Australia’s Privacy Act: Small businesses, bigger responsibilities. International Association of Privacy Professionals. https://iapp.org/news/a/amending-australias-privacy-act-small-businesses-bigger-responsibilities/ 


Attorney-General’s Department. (2021). Privacy Act Review Discussion Paper. Australian Government. https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/user_uploads/privacy-act-review-discussion-paper.pdf#page=41 


Attorney-General's Department. (2022). Privacy Act Review report 2022. Australian Government. https://www.ag.gov.au/sites/default/files/2023-02/privacy-act-review-report_0.pdf#page=59


Attorney-General's Department. (n.d.). Privacy. Australian Government. https://www.ag.gov.au/rights-and-protections/privacy


.au Domain Administration. (2023). Submission to the Attorney-General’s Department: Privacy Act Review report. https://www.auda.org.au/news-insights/submissions/submission-attorney-generals-department-privacy-act-review-report/#small-business-exemption:~:text=Considering%20the%20increase 


Australian Bureau of Statistics. (2021, August 24). Counts of Australian businesses, including entries and exits, July 2017 - June 2021. https://www.abs.gov.au/statistics/economy/business-indicators/counts-australian-businesses-including-entries-and-exits/jul2017-jun2021


Australian Law Reform Commission. (2010, August 16). Complexity of the exemption provisions. https://www.alrc.gov.au/publication/for-your-information-australian-privacy-law-and-practice-alrc-report-108/33-overview-exemptions-from-the-privacy-act/complexity-of-the-exemption-provisions/


Australian Law Reform Commission. (2010, August 16). Arguments for removing the exemption. https://www.alrc.gov.au/publication/for-your-information-australian-privacy-law-and-practice-alrc-report-108/39-small-business-exemption/arguments-for-removing-the-exemption/


Butera, G. (2018). General Data Protection Regulation (GDPR): What’s in it for Australian organisations? Nixora Group. https://www.dfat.gov.au/sites/default/files/nixora-group-eufta-submission.pdf#page=3


Chin, K. (2025). PIPEDA compliance guide. Upguard. https://www.upguard.com/blog/pipeda-compliance-guide


Croft, D. (2025, September 17). Exclusive: The Property Business Australia allegedly breached by Kairos ransomware. Cyber Daily. https://www.cyberdaily.au/security/12642-exclusive-the-property-business-australia-allegedly-breached-by-kairos-ransomware


Explanatory Memorandum, Privacy Amendment (Private Sector) Bill 2000 (Cth). https://parlinfo.aph.gov.au


Falk, A. (2020). Privacy Act Review - Issues Paper. Office of the Australian Information Commissioner. https://www.oaic.gov.au/__data/assets/pdf_file/0018/1773/privacy-act-review-issues-paper-submission.pdf#page=58


Federation of Small Businesses. (2025, September 23). Complete guide to UK GDPR compliance for small businesses. https://www.fsb.org.uk/resources/article/complete-guide-to-uk-gdpr-compliance-for-small-businesses-MCZTJUAUBYGJECTJIKZZKQZCZQ2Y


Gallagher Insurance. (2020, July 1). What the Privacy Act changes mean for SMEs in New Zealand. https://www.ajg.co.nz/news/what-the-privacy-act-changes-mean-for-smes/


Lonergan Research. (2020). Australian community attitudes to privacy survey 2020. Office of the Australian Information Commissioner. https://www.oaic.gov.au/__data/assets/pdf_file/0015/2373/australian-community-attitudes-to-privacy-survey-2020.pdf#page=61


Office of the Australian Information Commissioner. (2020). Privacy Act Review Issues Paper submission. https://www.oaic.gov.au/engage-with-us/submissions/privacy-act-review-issues-paper-submission/part-4-exemptions


Office of the Australian Information Commissioner. (n.d.). Rights and responsibilities. https://www.oaic.gov.au/privacy/privacy-legislation/the-privacy-act/rights-and-responsibilities


Privacy Act 1988 (Cth). https://www.legislation.gov.au/C2004A03712/latest/text


Senate Legal and Constitutional Legislation Committee. (2000). Inquiry into the provisions of the Privacy Amendment (Private Sector) Bill 2000. The Parliament of the Commonwealth of Australia. https://www.aph.gov.au/parliamentary_business/committees/senate/legal_and_constitutional_affairs/completed_inquiries/~/media/wopapub/senate/committee/legcon_ctte/completed_inquiries/1999_02/privbill2000/report/report_pdf.ashx#page=25 

