7 crucial questions on privacy rules

The sale and purchase of a small business or franchise often includes the vendor’s client list and the client personal information acquired over many years, which forms part of the business’s confidential information.

This information has value to the business and represents to some extent a part of the goodwill that the purchaser is acquiring.

So how do the Privacy Laws impact on the parties in a transaction of a small business?

The Act is a minefield and a business owner, whether a vendor or purchaser, can be in breach of the Privacy Act 1988 and the Australian Privacy Principles (APP) without knowing.

7 things to know about privacy laws

1. What are the penalties for breaching privacy laws?

The penalties and fines have been increased; they are severe and complex.

Each contravention has its own penalty, expressed in multiples of penalty units (each one worth $210):

  • a serious or repeated interference with privacy attracts 2000 penalty units, that is, a penalty of $420,000
  • credit reporting breaches attract either 500 ($105,000), 1000 ($210,000) or 2000 penalty units ($420,000)

2. What are the rules for selling a business with a customer database?

Both a vendor and a purchaser must take care to protect the client’s individual privacy rights.

Initially it appears that if you are a small business with turnover under $3m you are not regulated by the Act, but this is a dangerous assumption.

A small business is not covered by the Privacy Act unless the business is involved in trading in personal information.

3. What are the rules for a business trading in personal information?

This generally means buying, selling or bartering personal information, for example by buying or selling a mailing list without first obtaining the consent of all the individuals on that list, or by disclosing customer details to someone else for commercial gain.

A business which sells assets, including personal information held in its customer database, is ‘trading in personal information’, and the Act therefore applies to it as the vendor.

A business is ‘trading’ in personal information if it collects or discloses an individual’s personal information to someone else for a benefit, service or advantage.

This can be for monetary value or any other benefit or concession, subsidy or other advantage.

A business is not trading in personal information if it gives or receives personal information for a benefit, service or advantage and it:

  • has the consent of all the individuals concerned, or
  • only does so when authorised or required by law.

4. As the vendor, how do I protect personal information?

A vendor must comply with the Australian Privacy Principles during any due diligence period. However, you can reveal personal information during due diligence if doing so is related to the reason the information was collected.

For this reason alone, it is recommended that the vendor have the purchaser sign a confidentiality or non-disclosure document before providing information to the purchaser.

It is the vendor, not the purchaser, who may be liable for a breach of the Privacy Laws if they fail to meet their obligations under the Act.

There are any number of reasons why a business sale might not go through: the purchaser may decide not to proceed after completing due diligence, or the contract may be conditional on the purchaser’s finance, the franchisor’s approval and/or the landlord’s approval if there is a lease.

This leaves the vendor in a risky position because some personal and maybe some commercially sensitive information has been shared and released to the purchaser.

Ideally a vendor should pre-empt this by giving a prospective purchaser de-identified information in the due diligence phase where possible, and by disclosing only the personal information of clients and customers that is necessary to assess the business.

5. As a vendor, what information will I have to provide?

The initial information usually requested by a purchaser and provided by a vendor is:

  • financial information, trading history and supporting management accounts
  • contracts with trading partners, suppliers and contractors
  • information about key employees
  • employee entitlements (such as long service leave)
  • aggregated statistical customer data.

A vendor should take reasonable steps to protect the personal information of clients and customers by:

  • including privacy clauses in the confidentiality agreement with a prospective purchaser
  • allowing, if possible, a prospective purchaser to inspect but not copy documents
  • setting up a due diligence data room that securely stores important documents and files for the transaction. Data rooms also provide a single space for multiple parties to access and request information.

6. What about privacy rules when buying the whole business?

The sale of a whole business is not trading in personal information, and the Act does not apply, if the sale involves a change of ownership (whether by a sale of the whole of the business assets or a sale of the shares of the company) and the personal information is kept within the business sold.

If there is a sale of shares there may be new shareholders, but no personal information has been given to anyone outside the business.

A business that is buying or selling personal information and does not want to be subject to the Privacy Act will need the consent of every individual concerned before the sale is completed.

7. What do I need to do as a buyer to protect privacy?

A purchaser must take care to protect individuals’ privacy rights during the due diligence process and comply with privacy clauses included in any NDA, confidentiality agreement or terms in the contract for sale.

The purchaser must follow the Australian Privacy Principles if it collects or receives personal information.

This includes taking notes that contain personal information, or taking a copy of a document with personal information in it, as that is ‘collecting personal information’.

A prospective purchaser may review the personal information necessary to assess the business, and will be able to review all of the documents needed to make an assessment of the business.

After completing due diligence, if a purchaser elects not to proceed, it should either destroy or return the personal information collected or received from the vendor during the process, to avoid any risk of breaching the Privacy laws and any claim by the vendor of misuse of that information.