Technology Law Insights: The Australian Privacy Act and Business Sales

This article is the first in a new series from Hamilton Locke’s IP and Technology team called “Technology Law Insights”. Stay tuned for regular updates and commentary on topical issues across the sector.

The Privacy Act and the sale of a business

For many businesses, one of their most valuable assets is their customer database. A database of customer contact details, and other information linked to that such as demographic data, purchase history, and online browsing habits, can be an incredibly powerful resource, adding huge value to a business and comprising a significant part of the business assets on offer in a sale event. However, the value of that personal information will significantly decrease if the vendor is unable sell and transfer that information to the purchaser as part of a business sale. 

This is the first of several articles examining the privacy risks that may arise during the sale and purchase of a business, particularly during the due diligence process and at completion.  It’s best to address these risks before commencing the sale process, rather than trying to deal with them in the middle of the sale (when they could be used by a purchaser to chip away at the sale price or terms).

What does the Privacy Act do?

The Privacy Act 1988 (Cth) (Privacy Act) regulates the collection, use and disclosure of personal information by private sector ‘organisations’.

What is an ‘organisation’ under the Privacy Act?

Despite what the name might suggest, an ‘organisation’ is defined under the Privacy Act to include individuals, bodies corporate, partnerships, unincorporated associations and trusts, if it has annual turnover of more than $3 million.

However, even if your business generates less than $3 million, it may still be an ‘organisation’ and caught by the Privacy Act, particularly if it provides a health service (a broad term which includes gyms and childcare centres) or trades in personal information. 

Is your organisation trading in personal information?

An organisation ‘trades in personal information’ if it provides a benefit in exchange for collecting personal information, or discloses personal information for a benefit.  Although it may not seem like your business is caught by this, consider what happens when you sell your business. It can be difficult to structure an asset sale in such a way that the vendor is not disclosing personal information to the purchaser ‘for a benefit’ (i.e. payment), which would could make your business an ‘organisation’ for the purposes of the Privacy Act.

What about foreign businesses?

The Privacy Act extends to organisations, and actions, outside Australia. It covers: 

  • uses and disclosures of personal information overseas by Australian organisations;
  • collection of personal information (even of foreigners) overseas by Australian organisations; and
  • the actions of foreign-based organisations if there is an ‘Australian link’, such as if it carries on business in Australia and collects or holds personal information in Australia.


Where a vendor or purchaser is caught by the Privacy Act, the vendor may be unable to disclose the required information to the purchaser, or the purchaser may be unable to use that information as desired.  This will depend on how the personal information was collected in the first place and its intended purpose.

Our next article will consider the particular privacy risks for the vendor in the sale process.

If you require any assistance relating to privacy, personal information and the sale of your business, contact Sarah Gilkes (Partner) or Ben Cameron (Senior Associate).