Small businesses with an annual turnover of $3 million or less — which are currently not required to protect your personal information or disclose how it is used — may soon have to comply with the Privacy Act.
A wide-ranging review of the Privacy Act by the Attorney-General's Department has laid out the case for scrapping the 20-year-old exemption, which was introduced before businesses had widely taken up online platforms.
Australian Information and Privacy Commissioner Angelene Falk said the risk of small businesses falling victim to cybercrime was growing.
"While small businesses might be using their best efforts to protect personal information, there is no legal requirement to do so and therefore no recourse for individuals if their personal information is compromised," Ms Falk said.
"If they were to be brought into the act then they would need to tell their customers how they're handling personal information.
"They would have to have a privacy policy, they'd need to ensure that they kept personal information secure and delete it or de-identify it when it was no longer required for their purposes."
A majority of submitters to the review supported the reform, while business groups raised concerns that the cost of compliance would severely damage the 2.5 million small businesses that had already suffered through the pandemic.
Change could be the end of some small businesses
Sydney travel agent Donna Meads-Barlow, who has 40 years of industry experience, said she might be forced to close her business if the exemption was removed.
"Pre-COVID, we were a very large business that was turning over in excess of $25 million," Ms Meads-Barlow said.
"Post-COVID, we are now a business that fits into that less than $3 million. We would be lucky if we have a gross revenue of $150,000.
"I understand cybersecurity and the Privacy Act, and I think it's very important, but for us to be able to report like big business does, that's a substantial cost that's required to a small business with very little income.
"If the exemption's scrapped, then there is an additional cost at my point. Having spent 40 years in the industry, that might be the end of me."
Deputy chair of the Council of Small Business Organisations Australia Elizabeth Skirving agreed the cost burden of removing the exemption was too high.
"We understand the concern people have with regard to privacy and data security, but we really believe there should be a scaled response as dealing with small businesses, they are resource and time poor," Ms Skirving said.
"Those businesses that are under $3 million that are currently exempt are made up of mum and dad families, are probably not the ones that are not going to be targeted for cyber acts, but also don't have the ability to buy really sophisticated software to cover off on that concern.
"The cost to business of putting that in place rather than having an impact from a cyber attack would certainly be best, but it's about a measured way of doing that so that it is a scaled response."
Small businesses no longer low risk
The Actuaries Institute has compiled evidence that hackers view smaller businesses as easier targets.
The Australian Cyber Security Centre last year found small businesses faced an average cost of $39,000 per cybercrime report.
RMIT cyber security expert Matt Warren said limited budgets left small businesses vulnerable.
"The government, from a cybersecurity perspective, sees small businesses as very much a weak link," Professor Warren said.
"They don't necessarily have the expertise or the systems in place to protect the information they hold, but yet they can hold credit card details, passport details — anything a cyber attacker would be interested in.
"With the Privacy Act, data about Australian citizens has to reside within Australia but, because small businesses have been exempt, if they use a cloud service provider to store their data and they've picked the cheapest system, there was never a requirement for them to ask the question."
The federal government has not made a decision on the proposal. Consultation is closing at the end of the month.