This week is Privacy Awareness Week in Australia, and I attended a webinar on AI, automated decision-making and privacy risk, presented by privacy law expert Anna Johnston from Helios Salinger. Over a thousand people registered for the webinar, an impressive effort.
The webinar covered a lot of ground. What it mostly did for me was reinforce a view I’ve held for a while: privacy risk in Australia is consistently underestimated, frequently treated as a compliance checkbox, and almost never given the same weight as financial or reputational risk, despite being directly connected to both.
These aren’t new problems
The conversation about AI and privacy is real and important. But the underlying issues predate AI considerably. Inappropriate collection of personal data, inadequate storage, unclear disclosure to the people whose data it is, data used for purposes beyond what people were told when they provided it – these have been problems since organisations first started collecting information digitally.
Australia has the Australian Privacy Principles which govern standards, rights and obligations around:
- the collection, use and disclosure of personal information
- an organisation or agency’s governance and accountability
- integrity and correction of personal information
- the rights of individuals to access their personal information
I maintain a privacy policy on my own websites, even though most SME businesses in Australia have no legal obligation to do so. Under the Privacy Act 1988, businesses with annual turnover of $3 million or less are generally exempt from the Act’s requirements, which covers the vast majority of Australian small businesses. It’s not a position I’ve ever been comfortable hiding behind when it comes to handling people’s information.
A problem nobody had noticed
Some years ago I was working with an organisation that had a range of forms on their website – the kind that members of the public fill in to submit personal information. A product owner raised a frustration: data wasn’t arriving at the right destination in a timely manner, and it had been a problem for a long time.
I looked into it. The timing issue turned out to be a configuration mismatch between servers – a red herring. What I found underneath was more significant.
The form data was being sent by email to the recipients: names, contact details and other personally identifying information, transmitted in clear text as ordinary email with no encryption and no secure portal. Every submission therefore left a copy in the sending system's mail queue, in any relay on the path, and in each recipient's mailbox for as long as it was kept there. The system had been built years ago and the privacy implications had never been identified.
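To make the pattern concrete, here is the form-to-email design described above beside a hardened alternative, written as an added example for this post rather than code from the organisation in question. The form fields, the in-memory record store, the reference-ID scheme and the portal URL are all assumptions for illustration; the sample submission is constructed, not real data.

```python
"""Form-to-email notification: the pattern found above beside a hardened
version. Added example for this post, not the organisation's own code.
The fields, the store and the portal URL are assumptions."""
import json
import secrets
from dataclasses import dataclass, field
from email.message import EmailMessage

# Constructed sample submission (not real data).
SAMPLE_SUBMISSION = {
    "full_name": "Jane Citizen",
    "email": "jane.citizen@example.com",
    "phone": "0400 000 000",
    "message": "Please update my postal address.",
}

# Field values that must never appear in an outgoing email (assumption).
PII_FIELDS = ("full_name", "email", "phone", "message")


def build_insecure_notification(submission: dict, recipient: str) -> EmailMessage:
    """The original pattern: every submitted field is copied into the email body."""
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = "New website form submission"
    msg.set_content("\n".join(f"{k}: {v}" for k, v in submission.items()))
    return msg


@dataclass
class SubmissionStore:
    """Stand-in for an access-controlled datastore (hypothetical)."""
    records: dict = field(default_factory=dict)

    def save(self, submission: dict) -> str:
        # Unguessable reference so the email reveals nothing about the record.
        ref = secrets.token_urlsafe(12)
        self.records[ref] = json.loads(json.dumps(submission))  # deep copy
        return ref

    def get(self, ref: str) -> dict:
        return self.records[ref]


def build_secure_notification(
    submission: dict, recipient: str, store: SubmissionStore, portal_base: str
) -> EmailMessage:
    """Hardened pattern: persist the submission, email only a link to it.

    The personal information never leaves the store; the recipient follows the
    link and authenticates to the portal (hypothetical) to read it.
    """
    ref = store.save(submission)
    msg = EmailMessage()
    msg["To"] = recipient
    msg["Subject"] = "New website form submission"
    msg.set_content(f"A new submission is waiting: {portal_base}/{ref}\n")
    return msg


def leaked_fields(msg: EmailMessage, submission: dict) -> list:
    """Audit check: which PII field values appear anywhere in the outgoing mail?"""
    text = msg.as_string()
    return [k for k in PII_FIELDS if k in submission and str(submission[k]) in text]


if __name__ == "__main__":
    store = SubmissionStore()
    bad = build_insecure_notification(SAMPLE_SUBMISSION, "intake@example.org")
    good = build_secure_notification(
        SAMPLE_SUBMISSION, "intake@example.org", store,
        "https://intake.example.org/submissions",
    )
    print("insecure email leaks:", leaked_fields(bad, SAMPLE_SUBMISSION))
    print("secure email leaks:", leaked_fields(good, SAMPLE_SUBMISSION))
```

The `leaked_fields` check is the part worth keeping: run it over whatever your form handler actually sends, and any non-empty result is a privacy exposure regardless of whether the data is "arriving" as expected.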
Risk management is about identifying what could go wrong before it does. This was a live example of a privacy exposure sitting quietly inside a system that everyone assumed was fine, because it had been working – in the sense that data was arriving – for years.
Privacy internationally
In 2018, Europe introduced the General Data Protection Regulation (GDPR), the most comprehensive data privacy legislation any major economy had introduced to that point, setting out clear rules about how organisations collect, store, use and share personal information about the people they deal with.
At the time I was volunteering in the Joomla community – an open source CMS with a large European user base and developer community – and there was a substantial amount of work that went into understanding what GDPR compliance meant for websites, forms, data handling and third-party integrations.
The GDPR forces organisations to think clearly about what data they collect, why they collect it, how long they keep it, and what they tell people about it. Unfortunately Australia has no equivalent legislation, and we’re not better off for that gap.
Legal compliance and social licence to operate
The concept of social licence to operate is best outlined by the Australian Institute of Company Directors:
Social licence refers to the ongoing acceptance and approval of an organisation’s activities by its stakeholders and the general public. Unlike legal or regulatory licences, social licence is intangible and must be continually earned through responsible practices and engagement.
An organisation can be legally compliant with Australian privacy law and still behave in ways that, if people knew about them, would damage trust significantly. This can take many forms – using data collected for one purpose to serve a different one, retaining information far longer than necessary, or deploying automated systems that make decisions affecting people without any transparency about how those decisions are made or any means of review.
Legal compliance is a necessary baseline, but asking whether the people whose data you hold would be comfortable with what you’re doing with it is a more useful ongoing test than checking whether a regulator requires you to do it.
Social licence is where SME businesses in Australia could run into trouble right now: the turnover exemption means many of them have never had to ask that question of themselves.
What’s changing in Australia right now
The regulatory landscape is shifting faster than many SME businesses realise. From 1 July 2026, changes to anti-money laundering laws will bring more than 100,000 small businesses – across accounting, legal services, real estate, conveyancing and related sectors – under Privacy Act obligations for the first time. The $3 million turnover exemption won’t shield them from those requirements.
For other SME businesses, the broader exemption remains in place for now, but the government has confirmed it is progressing further reforms. The exemption that has insulated most Australian SME businesses from formal privacy obligations since 2001 is not permanent, and the direction of travel is clear.
If your business falls into one of the affected sectors, 1 July 2026 is close. If it doesn’t, it’s still worth considering what personal information you’re collecting, where it goes, and whether the people it belongs to would be comfortable with your answer.
If you’d like to think through how privacy considerations apply to your technology systems and data handling, get in touch. It’s a more practical conversation than most people expect.