The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024. It was the first tranche of the federal government's response to the Attorney-General Department's Privacy Act Review Report. The first tranche did several things that already apply: it introduced a new statutory tort for serious invasions of privacy (commenced in 2025), it materially uplifted the maximum civil penalty for serious or repeated interferences with privacy (up to A$50 million, three times the benefit, or 30 per cent of adjusted turnover during the breach period, whichever is greater), and it gave the OAIC new infringement-notice and determination powers.

None of the changes that commenced in the first tranche removed the small business exemption in section 6D of the Privacy Act. That carve-out is still in force as of the date at the top of this article.

The second tranche has been signalled, in public statements from the Attorney-General and the Cabinet response to the Privacy Act Review Report. The small business exemption was listed as one of the items under active consideration. The direction of travel is clear; the timing is not. We are deliberately not citing a specific commencement date here because none has been set in legislation that has been introduced and passed. Expect movement during the current and next parliamentary terms.

Two practical points to anchor against. First, the OAIC has been increasingly explicit in its guidance about what reasonable steps under Australian Privacy Principle 11 looks like in 2026: active technical measures, not just a written policy. Second, sectors and entity types already covered (more on those below) are not seeing the reform pressure ease; regulator expectations on those organisations have only tightened.

In rough order of who feels the impact first:

Health service providers. Already covered. Section 6D has always carved out organisations that provide a health service and hold health information, regardless of turnover. That includes GPs, allied-health clinics, dentists, physiotherapists, psychologists, gyms that hold health information, and several child-care, education, and complementary-therapy categories. If you handle health information, the Privacy Act already applies to you, and the reform conversation is mostly about how strictly it applies, not whether it does.

Registered tax agents and BAS agents. Already additionally regulated by the Tax Practitioners Board under the Code of Professional Conduct, which has its own client-information-protection obligations. If the small business exemption is removed, tax agents would also fall under the Privacy Act in their own right; the practical effect is that the cyber controls the TPB already expects start to align with what the OAIC expects.

Australian small businesses processing personal information. The largest population by count. Cafes with loyalty programs, agencies with client CRMs, real-estate agencies with vendor and tenant records, professional service firms with client files. These businesses have been outside the Privacy Act because of turnover and have, in many cases, been outside other compliance regimes too. The signalled second tranche is mostly aimed here. The change of state for these businesses is the largest.

MSPs, IT providers, and managed services acting on behalf of clients. Already affected, even without reform. If you process personal information as a contracted service to a covered entity, you are subject to that entity's obligations under contract. The reform widens the population of clients who need to ask their MSPs for evidence; MSPs that currently have nothing to hand to a client when asked will feel that first.

Trustees, charities, and not-for-profits. The current small business exemption applies broadly, with its own carve-outs (Commonwealth contracts, AML/CTF reporting entities, trading in personal information). Boards of small charities and not-for-profits are already getting questions about cyber controls from their D&O insurers and major donors. The reform brings the Privacy Act question into the same room.

The carve-outs that already apply (Commonwealth contractors, AML/CTF reporting entities, residential tenancy database operators, credit reporting bodies and credit providers, private-sector health insurance funds, businesses that trade in personal information) all remain. If you fit one of those, you are covered today.

Australian Privacy Principle 11 requires entities to take "reasonable steps" to protect personal information from misuse, loss, unauthorised access, modification, and disclosure. The OAIC publishes guidance on what reasonable-steps measures can look like, drawn from regulator decisions, the Notifiable Data Breaches statistics report, and consultations with industry. The OAIC's consistent line is that reasonable steps must match the sensitivity of the information, the size of the entity, and the risk of harm if data were exposed, and that the bar moves upward over time as technical controls become cheaper and better.

In practice, across OAIC guidance, regulator decisions, and the questions cyber and PI insurers ask at renewal, reasonable steps tends to include the following technical and organisational measures:

Active technical measures. Multi-factor authentication on staff accounts, particularly email and admin access. Access governance with the principle of least privilege. Recurring vulnerability assessment of internet-facing services with a dated evidence trail. Email authentication (SPF, DKIM, DMARC) configured and enforced. TLS hygiene on all customer-facing endpoints. Backups that are tested. Endpoint protection on staff devices.

Organisational measures. A written privacy policy that reflects what the business actually does, not a template. A documented breach response process with named roles. Awareness training for staff who handle personal information. A process for handling individual access and correction requests. A vendor due-diligence step before connecting third-party processors.

Dated evidence. Reasonable steps is partly about having the controls and partly about being able to show, on the relevant dates, that the controls were running. Documented assessments, scan reports, training completion logs, and access-review minutes all serve this function. The OAIC has been increasingly explicit that a policy on its own is not what reasonable steps means.
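As an added illustration of the "configured and enforced" distinction and the dated evidence trail described above (example code written for this article, not AttackEdge's product code), this Python snippet assesses constructed SPF and DMARC records for two hypothetical domains and emits a timestamped evidence entry. Real records would be fetched from DNS; DKIM is left out because checking it requires knowing the sending selector.

```python
import json
import re
from datetime import datetime, timezone

SAMPLE_RECORDS = {  # constructed (spf, dmarc) pairs for hypothetical domains, not real DNS lookups
    "example.com.au": ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"),
    "hardened.example.com.au": ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; adkim=s; aspf=s"),
}

def assess_spf(record):
    """Return (status, reason); 'enforced' only when the record ends in hard fail (-all)."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing", "no v=spf1 record"
    last = record.split()[-1]
    if last == "-all":
        return "enforced", "hard fail (-all)"
    if last in ("~all", "?all"):
        return "configured", f"soft/neutral fail ({last}) is not enforced"
    return "configured", "no terminating all mechanism; default result is neutral"

def assess_dmarc(record):
    """Return (status, reason); 'enforced' needs p=reject or p=quarantine at pct=100."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return "missing", "no v=DMARC1 record"
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", record)}
    policy = tags.get("p", "").lower()
    if policy in ("reject", "quarantine"):
        if tags.get("pct", "100") != "100":
            return "configured", f"p={policy} but pct={tags['pct']}; partial enforcement"
        return "enforced", f"p={policy}"
    if policy == "none":
        return "configured", "p=none is monitor-only"
    return "configured", "no valid p tag"

def evidence_entry(domain, spf, dmarc, when=None):
    """Build one dated, reproducible evidence record for the email-authentication control."""
    when = when or datetime.now(timezone.utc)
    spf_status, spf_reason = assess_spf(spf)
    dmarc_status, dmarc_reason = assess_dmarc(dmarc)
    return {
        "domain": domain,
        "checked_at": when.isoformat(timespec="seconds"),
        "spf": {"record": spf, "status": spf_status, "reason": spf_reason},
        "dmarc": {"record": dmarc, "status": dmarc_status, "reason": dmarc_reason},
        "email_auth_enforced": spf_status == "enforced" and dmarc_status == "enforced",
    }

if __name__ == "__main__":
    for d, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(json.dumps(evidence_entry(d, spf, dmarc), indent=2))
```

Storing each entry with its timestamp gives the kind of dated record a reviewer can check against the breach period, rather than a one-off screenshot.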

AttackEdge sits in one slice of that list: external attack-surface monitoring with a dated evidence trail. It is not a privacy program. It is one of the technical inputs to one of the controls. The rest of the program sits with you and whoever does your IT.

Three steps, in order of how much leverage they give you.

Step one: work out which side of the exemption you sit on today, and which side you would be on if the exemption is narrowed. If you already process health information, AML/CTF reporting-entity data, credit information, or hold a Commonwealth contract, you are already covered. If you are none of those, list the personal information your business actually holds (customer email addresses, payroll data, client files) and ask whether removal of the A$3M exemption would put you in scope. That is the change of state you should plan for.

Step two: get a baseline on what is exposed externally. The external surface (the website, the domain, email authentication, TLS posture, any portals and forms) is the part anyone on the internet can already see. It is also the easiest control to demonstrate as recurring evidence. Run a free check to see the headline issues on your domain. The longer Privacy Act page on this site goes into more detail on how external monitoring fits into APP 11.

Step three: write the boring parts. A privacy policy that reflects what your business actually does, a one-page breach-response plan with named roles and contact details, a short note on who handles individual access requests. None of these need a lawyer to start, and a lawyer review on a one-page draft is far cheaper than a lawyer-drafted document from scratch. The point at this stage is to have something that is true and dated, not something that is comprehensive.

None of these steps assumes the small business exemption is gone. Each pays off whether it goes, gets narrowed, or stays. Each also appears on the standard cyber and PI insurance questionnaires Australian small businesses already fill in every year. The reform conversation is one reason to do them; the insurer conversation is another; a major customer's procurement review is a third. They tend to ask the same questions.

This piece is general information, not legal advice. The specific question of whether the Privacy Act applies to your business today, and what reasonable steps means for your specific data, is a question for a lawyer or the OAIC. The article will be updated if and when a bill removing or narrowing the small business exemption is introduced and passed.

AttackEdge is not a privacy lawyer and we do not certify compliance with the Privacy Act, the Australian Privacy Principles, or any sectoral regulator's requirements. What we do is dated external monitoring of your public surface, which is one input to one control in the larger picture.

Practical next step

Start with what attackers already see.

The free check covers the headline issues on your domain in about a minute. A paid plan adds the full methodology, the evidence log, and recurring scans you can show an insurer, a customer's procurement team, or (if the reform applies to you) the OAIC.

Hosted in Sydney · Passive scanning only · From A$39 per month