
Privacy Pitfalls to Avoid When Buying or Selling a Business

Are you contemplating buying or selling a business? If so, you need to be aware of how Australia’s privacy laws affect this type of transaction.

The key piece of legislation is the Privacy Act 1988 (Cth) (Privacy Act). This Act regulates the handling of “personal information”, which is defined as “information or an opinion…about an identified individual, or an individual who is reasonably identifiable”. Common examples of personal information include: an individual’s name, contact details, date of birth, medical records and bank account details.

Buying or selling a business will usually involve the disclosure of personal information about individuals such as customers, employees, suppliers and business associates. There are two key stages in a business sale that will trigger privacy issues: the due diligence stage and the sale itself.

The main rules governing the handling of personal information, and therefore the obligations of business Purchasers and Vendors, are contained in Schedule 1 of the Privacy Act, which sets out the thirteen Australian Privacy Principles (APPs). The sale of a business raises significant privacy concerns, and failing to understand your legal obligations could be very costly. A “serious” or repeated breach of the APPs can attract a civil penalty of up to $2.1 million for a corporation.

This article focuses on the disclosure of customer information because, for many businesses, it is both an important asset and a significant part of the business’s value. The Office of the Australian Information Commissioner (OAIC) has published a list of FAQs on selling customer databases, as well as Information Sheet 16 on due diligence and buying and selling a business, which is outdated (it refers to the former National Privacy Principles) but still relevant.

But first, do these privacy rules apply to your business sale?

If you structure your business sale as a sale of shares, completion of the sale will not trigger obligations under the Privacy Act, because the company that holds the personal information does not change and no personal information is disclosed to a third party. After completion, the Purchaser will also have the benefit of s13B of the Privacy Act and APP 6.6, which permit personal information to be shared between related bodies corporate and used for the same purpose for which the acquired company was permitted to use it. However, this compliance benefit relates only to completion of the sale, and not to any disclosure of personal information that occurs during due diligence.

On the other hand, an asset sale will involve the disclosure of personal information to a third party (the Purchaser) which requires compliance with the APPs.

Generally, small businesses (broadly, businesses whose annual turnover, and the annual turnover of any related company, in the previous financial year was $3 million or less) do not have to comply with the Privacy Act. This exemption extends to any disclosure of personal information by an exempt small business during business sale due diligence. However, a small business that sells personal information to a third party as part of an asset sale will be ‘trading in personal information’ and will need to comply with the Privacy Act in respect of the disclosure that occurs on completion.

FAQ - Your Obligations as a Vendor:

1. Is selling your customer database, without sending any notice (opt-out) or receiving consent (opt-in), a breach of privacy laws?

As a Vendor in an asset sale, you must assess the Purchaser’s proposed use of your customer database. You will not breach Australia’s privacy laws by providing customers’ personal information to the Purchaser without obtaining customer consent or sending an opt-out communication, provided you are satisfied of one of the following:

  1. that the Purchaser will continue to provide essentially the same goods or services as the business provided before the sale, so that the disclosure is consistent with the primary purpose for which the information was collected; OR

  2. that the Purchaser will use the customer information for a secondary purpose that is related to the primary purpose for which it was originally collected (directly related, in the case of sensitive information), and your customers would reasonably expect their information to be disclosed for that purpose.

If you are relying on representations by the Purchaser about its proposed use of your customer information, it would be prudent to record those representations in the business sale contract (for example, as a warranty about the Purchaser’s intended use of the database).

Also, if the disclosure of your customer information is not part of a sale of a going concern (ie only some of the business’s assets are being sold), there may be additional requirements under the Privacy Act.

The OAIC warns that:

  1. where a business is not sold as a going concern, or the Purchaser contemplates significant changes to the character or operations of the business, the Vendor will need to give very close consideration to whether a proposed disclosure is permitted. This will depend on the circumstances in which the Vendor originally collected the personal information and an objective analysis of what the relevant individuals would ‘reasonably expect’; and

  2. if the disclosure of customer information would fall outside what customers would reasonably expect, the Vendor must obtain the customers’ consent before disclosing the personal information.

If any of the personal information that you propose to disclose in relation to a business sale is 'sensitive' it may attract additional protection under the Privacy Act (eg information about an individual’s health, race, politics, religion, sexual orientation or criminal record).

2. Is disclosing your customer database during any due diligence a breach of privacy laws?

An exempt small business will not need to comply with the Privacy Act during any due diligence process that may occur.

Disclosures of personal information are allowed if they are related to the purpose for which the information was collected and within the reasonable expectations of the individuals concerned. The OAIC has stated that, in most cases, disclosures of information about customers, trading partners, business associates or contractors during due diligence investigations would be permitted (having regard to standard business practice).

The OAIC expects Vendors to impose restrictions on the handling of personal information by prospective Purchasers to protect the privacy of the relevant individuals, and encourages de-identified information to be provided where possible. In practice, this normally means disclosing only aggregated statistical customer information as part of due diligence, rather than the customer database itself.

Privacy clauses should be included in confidentiality agreements with prospective Purchasers. Where possible, prospective Purchasers should only inspect documents (for example, in a controlled data room) and not copy them. Any personal information collected by prospective Purchasers should be returned or destroyed once due diligence is complete.

3. Are there circumstances when you should inform your customers that you’re planning to disclose their personal information to a prospective Purchaser?

As a Vendor, provided you have formed the view that the prospective Purchaser would use the information in one of the two ways outlined in the answer to question 1 above, you do not have to send a notice to your customers beforehand.

However, there may be circumstances in which best practice includes sending an opt-out email to the customers in your database, even when this is not strictly required. You would need to weigh up the commercial benefits and detriments of any such email.

The OAIC indicated its preference for this approach in relation to the sale of the Dick Smith customer database to Kogan by the company’s receivers, where Timothy Pilgrim, the Acting Australian Information Commissioner, stated:

“…the receivers have offered customers on the database the opportunity to opt out of the list prior to the sale, which I believe is an appropriate step.”

4. Do you have to get consent from employees to disclose their personal information to a prospective Purchaser?

No. If you disclose personal information about employees, the disclosure will fall within the employee record exemption under the Privacy Act if the information disclosed, and the disclosure itself, directly relates to a current or former employment relationship.

The OAIC considers that disclosure of information about employees either during due diligence or at the time of a sale would generally be directly related and so would be exempt from the Privacy Act. However, if information is provided about contractors or employees of other related organisations, it will not fall within this exemption.

Use of your employee records by a prospective Purchaser will not fall within the employee record exemption (unless and until the prospective Purchaser becomes the employer of the relevant individual). The OAIC encourages the disclosure of aggregated, anonymised information about employees for due diligence purposes where possible, regardless of whether the exemption might apply.

FAQ - Your Obligations as a Purchaser:

1. As a Purchaser, should you inform your new customers that you’ve received their personal information from the Vendor?

Yes. If you received the customer database in an asset sale, you have collected personal information and must, under APP 5, take reasonable steps to notify customers that you now hold their personal information, the circumstances in which you obtained it and the purposes for which you propose to use it. Whether that notice also needs to seek the customers’ consent depends on your proposed use. If you will use the information only for the primary purpose for which it was collected, or for a related purpose the customers would reasonably expect (the two bases described in question 1 for Vendors), a notice is sufficient. If you propose to use it for any other purpose, you need the customers’ consent (an opt-in), and a mere opt-out notice will not do. If you intend to use the database for direct marketing, each marketing communication must also give customers a simple means of opting out.

A similar form of consent may also be required if you bought the entire business by way of a share sale and you propose to use the customer information after making significant changes to the character or operations of the business (unless the Vendor has already obtained it).

2. Is the Privacy Act the only source of obligations for Purchasers?

Under the Privacy Act, you must comply with the APPs and, under APP 11, take reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. However, the Privacy Act is not your only relevant source of legal obligations. Your use of customer information for direct marketing is also governed by the Spam Act 2003 (Cth), which prohibits the sending of “unsolicited commercial electronic messages”: a commercial email or SMS may only be sent with the recipient’s consent (express or inferred), must identify the sender and must include a functional unsubscribe facility.

When buying or selling a business, the customer database could be one of your most valuable assets. Understanding your obligations under the Privacy Act could be the difference between acquiring a valuable asset and a worthless one. This goes beyond mere compliance: it directly affects the commercial viability of the transaction.

If you are buying or selling a business, please contact Henry William Lawyers for comprehensive, expert advice. We can explain your legal obligations and assist you with practical compliance tips. We will thoroughly assess the risks of any proposed asset sale and recommend mitigating strategies.
