As many will know, new reporting entities will be subject to the AML legislation from 1 July 2026. This is known as the ‘tranche 2’ reform. The new reporting entities include lawyers, conveyancers, accountants, and real estate professionals.
One little known side effect of the tranche 2 reform, is that these new reporting entities will, by virtue of being AML reporting entities, lose their small business exemption in the Privacy Act.
To step back a bit, the Privacy Act contains an exemption for ‘small businesses’ being businesses with a turnover of less than $3m. But there are a few exceptions to this. One such exception (in s6E(1A) of the Privacy Act) is where a small business is also a reporting entity under the AML legislation.
In essence, this means that new AML tranche 2 entities with a turnover of less than $3m will, from 1 July 2026, be subject to the Privacy Act.
These small business should now uplift existing compliance practices (or put in place new practices) to comply with the Privacy Act.
The Privacy Regulator has released some guidance about this:
Small business reporting entities should:
Ensure that their privacy policies are up to date, and uplift where required to comply with APP 1.4.
Ensure that collection notices meet the requirements in APP 1.5.
Audit and assess data flows.
Ensure data retention policies and procedures are up to date - it is critical not to over retain personal information.
Train staff in privacy compliance obligations.
Assess how privacy compliance ties in to AI compliance and cyber incident preparedness.