CPA Australia says removing small business exemption from the Privacy Act “would do more harm than good”

A federal government proposal to remove a small business exemption from the Privacy Act would place an undue burden on business owners during already challenging times, according to one of the country’s peak bodies representing accountants. 

While CPA Australia says it supports improving data privacy among small businesses, its senior manager of business policy Gavan Ord says applying the Privacy Act regulations to these businesses at this time “would do more harm than good”. 

“The government needs to read the room,” Ord tells SmartCompany. 

“Now is not the time to impose new regulatory requirements. Small businesses have enough on their plates grappling with the diabolical trading conditions they’re facing.”

The proposal forms part of a broader review of the Privacy Act, which is currently being considered by the office of Attorney-General Michaelia Cash. 

The government is proposing to remove the current small business exemption in the act, which would mean small businesses would face the same regulatory requirements as larger businesses. 

As it stands, Australian businesses with under $3 million in annual turnover are not subject to the requirements of the act and this exemption has been in place for more than 20 years. 

The federal government commenced the review of the Privacy Act in December 2019 and since October 2021 has been accepting submissions in response to a consultation discussion paper. Those submissions closed on January 10. 

The discussion paper covered a number of other options to completely removing the small business exemption, including altering the threshold and applying only some parts of the regulations to smaller businesses. It also discussed the need for additional tools and resources for small businesses to understand their privacy obligations. 

CPA Australia is calling for an “educate, not regulate” approach, with Ord saying educating businesses and their advisors about the importance of data privacy would likely lead to improvements “without the heavy hand of regulation”. 

“The value of keeping small business compliance burden low outweighs the potential value of extending this regulatory regime to small businesses,” he adds. 

Previous research by CPA Australia has shown Australian small businesses are slow to adopt new technologies and that more must be done to improve the digital capabilities of the sector.

However, Ord argues that imposing the requirements of the Privacy Act on small businesses “could have the perverse impact of discouraging small business owners from digitising, which is the last thing we want to see”. 

More information about the review of the Privacy Act is available here.