Small businesses no longer exempt under planned Privacy Act overhaul

The news: Millions of small businesses would need to invest more in data privacy and citizens would have better privacy protections under proposed laws that follow a government review of the Privacy Act.

Businesses with annual turnover of less than $3 million would no longer be exempt from the act. Other changes include requiring informed consent rather than box-ticking to handle personal information, and making entities responsible for handling information, destroying data when required and providing information to individuals on how to protect their privacy.

The numbers: The federal government has agreed to 38 of the 116 recommendations of the Privacy Act review, and in principle to a further 68 pending further engagement. The changes to the small business exemption would affect 2.3 million companies, the Australian Financial Review reported, and they would be given time to implement the requirements, Attorney General Mark Dreyfus said.

The context: Today's response follows Dreyfus' Privacy Act Review Report, which aimed to strengthen and modernise privacy protections for Australians. The federal government broadened powers of the Office of the Australian Information Commissioner (OAIC) in response to widespread ransomware attacks in recent years, including the Optus data breach.