The Privacy Act Trap — Why AML Also Triggers Privacy Obligations
If you're a reporting entity under the AML/CTF Act, you also lose the small business exemption under the Privacy Act. Here's what that means and how to prepare.
Here's something many small practices don't realise: if you become a reporting entity under the AML/CTF Act, you also lose your small business exemption under the Privacy Act. That means you're suddenly navigating two new regulatory regimes at once.
Key date: Privacy obligations commence from 31 March 2026 — the same date AUSTRAC enrolment opens. Not 1 July. This is weeks away.
How the two regimes connect
Most small law practices in Australia currently operate outside the Privacy Act thanks to the small business exemption — it applies to businesses with annual turnover under $3 million. But there's a catch: the exemption does not apply to businesses that are reporting entities under the AML/CTF Act.
In plain terms: if you're caught by AML, you're caught by privacy too. You become what's called an "APP entity" — meaning you must comply with all 13 Australian Privacy Principles.
Bobbie Wan from the Law Society of NSW raised this concern directly at the February 2026 panel event: "Many small practices are likely to find themselves needing to be compliant with not just one but two new regulatory regimes in a very short space of time."
Three things you need to do
1. Only collect what's reasonably necessary
The Privacy Act doesn't prevent you from collecting personal information for AML compliance — but it's not a blank cheque. You must determine whether collecting information is "reasonably necessary." That's an objective test: would a reasonable, properly informed person agree the collection is appropriate for the purpose? You don't need photos of your client's children and their family goldfish.
2. Have a privacy policy and collection notices
You must tell clients why you're collecting their personal information (to fulfil your obligations as a reporting entity under the AML/CTF Act), and how it will be held, used, and disclosed. The OAIC has a handy guide and checklist for developing a privacy policy. It should be plainly written and available on request.
3. Have a data breach response plan
As an APP entity, you're subject to the Notifiable Data Breaches scheme. If there's unauthorised access to, or disclosure of, personal information that's likely to result in serious harm, you must notify affected persons and the OAIC. The OAIC has a guide for preparing a data breach response plan. You should also have retention policies — once you no longer need the information (e.g., 7 years after the designated service), you should delete or destroy it.
The CDD–privacy balancing act
The most obvious point where AML and privacy intersect is when you conduct customer due diligence. You'll be collecting names, addresses, phone numbers, identity documents, and potentially photographs. All of this is personal information under the Privacy Act.
The question of whether you should CDD every new client or only those seeking a designated service depends on your practice:
Small / solo practice
It probably makes sense to assess on an individual basis — CDD only the clients seeking designated services. This keeps your collection proportionate.
Larger firm
It might make sense to CDD all clients — but you'd need to balance the likelihood of a designated service being provided against the individual's privacy interests and the nature of the information collected.
Good news: AUSTRAC and the Office of the Australian Information Commissioner (OAIC) have agreed to produce joint guidance specifically to help practitioners navigate their interwoven AML and privacy obligations. Watch for it on both the AUSTRAC and OAIC websites, and check the NSW Law Society's AML hub regularly for updates.
Resources
This article draws on public statements by AUSTRAC's CEO Brendan Thomas and industry experts across multiple events. Key sources:
Disclaimer: This article is published by GetPost Labs Pty Ltd, a technology company building compliance software. All content is for educational purposes only and does not constitute legal, financial, or compliance advice. While we make every effort to ensure accuracy, this article may contain errors or omissions. Always refer to the authoritative text on legislation.gov.au and seek professional advice for your specific circumstances. If you spot an error or have a suggestion, please reach out to sumit@getpostlabs.io.