ARTICLE
1 July 2025

Protecting Your Business: The Implications Of Australia's New Privacy Tort

Herbert Smith Freehills Kramer LLP

Key Takeaways

  • On 10 June 2025, the new statutory tort for serious invasions of privacy came into force as part of a suite of privacy reforms passed last year, substantially enhancing privacy protections and signalling a material shift in Australia's privacy law regime. The statutory tort captures intrusions upon a person's seclusion and misuse of a person's information and provides remedies for plaintiffs, including damages and injunctions.
  • This represents a significant shift in the risk profile for organisations stemming from intentional and significant misuses of data. It provides a new route for class action plaintiffs to seek damages and other remedies in those contexts.
  • This is one of many privacy reforms,1 with the second part of Privacy Act reforms (Tranche Two Reforms) anticipated no earlier than later this year, and new regulation on automated decision-making and artificial intelligence (AI).
  • In light of this change, businesses should ensure they:
  • have robust policies and practices protecting data and personal information (including against misuse, interference, loss, unauthorised access, modification or disclosure) and ensure these comply with the Privacy Act reforms. This includes properly assessing the policies and practices of third parties which deal with data on their behalf. As part of their practices, companies should continually invest in testing, monitoring and uplifting these measures as cyber and privacy risks develop.
    • have established protocols in place to adequately respond to and report any cybersecurity incident or data breach – such as an incident response plan and privilege protocol.
    • consider whether their data collection and storage practices are reasonably necessary for their business – more information also means more risk of significant consequences if an incident does occur.
  • If you would like to discuss these reforms and what they mean for your business, please reach out to Cameron Whittfield, Peter Jones, Christine Wong, and Kaman Tsoi.

Background: Privacy Act

In 2014, the Australian Law Reform Commission released the 'Serious Invasions of Privacy in the Digital Era' Report (ALRC Report), recognising that Australia's privacy protections were unable to keep pace with the complex challenges created by emerging technologies such as mobile phones, surveillance devices, drones and online platforms. The ALRC Report recommended the introduction of a statutory cause of action for serious invasions of privacy for physical intrusions into a person's private space by watching, listening to, or recording a person's private affairs, and for the misuse of a person's private information.

Over 10 years later, Parliament has answered this call through the introduction of the statutory tort. This means that, for the first time, Australians have a personal cause of action to sue another who invades their privacy by intruding on their seclusion or misusing information relating to them.

Navigating the Statutory Privacy Tort

The new statutory tort strengthens privacy protections by creating a new cause of action for serious invasions of privacy. It empowers the Court to grant a range of remedies, including, importantly, damages for non-economic loss. This may increase your business' risk of litigation (including class action litigation) for privacy breaches, and may have flow-on effects for insurance premiums and other compliance costs.

The tort does not require a breach of the APPs or other Privacy Act provisions to be triggered, or for the impacted interference with privacy to be personal information as otherwise defined in the Privacy Act. A separate proposal for a direct right of action for Privacy Act breaches has been deferred for further consideration as part of the Tranche Two Reforms.

What is needed to make out the Statutory Privacy Tort?

Claimants need to show that:

  • they suffered an invasion of their privacy which may be either:
    • an intrusion into their seclusion (eg physically intruding on a person's private space or watching, listening to or recording the person's private activities or affairs); or
    • a misuse of information that relates to that individual. This includes, but is not limited to, collecting, using or disclosing information;

Under the tort of misuse of private information in the UK, "misuse" requires a positive action (albeit it may be unintentional) and not merely a failure to have in place adequate systems for storing and protecting data.

Courts in that jurisdiction have found that circumstances where a company failed to keep data secure when it suffered a cyber-attack or failed to wipe data from a smart device before on-selling it were not misuse of information due to the lack of a positive act.2 Having said that, the UK tort was developed out of a need to give effect to Article 8 of the European Convention on Human Rights, and the meaning of "misuse" has been interpreted in light of the use of "interference" in that article.

  • they had a reasonable expectation of privacy in the circumstances. Relevant factors can include use of devices or technology, the purpose of the invasion of privacy, personal attributes such as age, occupation or cultural background, and the individual's conduct, including whether they invited publicity and to what extent information was already in the public domain;
  • the invasion of privacy was intentional or reckless. Negligence is not sufficient. In the context of cyber attacks, this would make it difficult to successfully make out a claim where a company had appropriate information and data handling practices and policies;
  • the invasion of privacy was serious. Relevant factors include:
    • the degree of the offence, distress or harm to dignity likely caused to a person of ordinary sensibilities in the position of the plaintiff;
    • whether the defendant knew or ought to have known that the invasion was likely to cause this impact, harm or distress;
    • whether the invasion was intentional; and
    • whether the defendant was motivated by malice; and
  • the public interest in the individual's privacy outweighed any countervailing public interest (including freedom of expression, political communication, artistic expression, freedom of the media, proper administration of government, open justice, public health and safety, national security and prevention and detection of crime and fraud).

Importantly, no proof of damage is required for a claim to succeed, although the extent of damage may be relevant to establishing the seriousness of the conduct.

The limitation period for these claims is short. In all cases where the claimant is an adult when the invasion of privacy occurred, proceedings must be commenced before the earlier of: (a) 1 year after the day the plaintiff became aware of the invasion of privacy; or (b) 3 years after the invasion of privacy occurred.

Remedies

The remedies for breach include damages (including for non-economic loss and emotional distress, although capped), an account of profits, an injunction, an apology, a declaration that the defendant has seriously invaded their privacy, and destruction or delivery up of material. Aggravated damages are not available, but the Court may award exemplary or punitive damages in exceptional circumstances.

Any non-economic damages award is capped at the maximum amount of a non-economic damages award for defamation proceedings, which is presently $478,550.3

Defences and Exemptions

Defences / exemptions to the invasion of privacy which apply include where:

  • required or authorised by law or a court;
  • the plaintiff expressly or impliedly consented;
  • the defendant reasonably believed it was necessary to prevent or lessen a serious threat to the life, health or safety of a person;
  • it was incidental to a lawful exercise of the defence of persons or property, and was proportionate, necessary and reasonable;
  • defences related to defamation law may apply;
  • journalists to the extent that the invasion of privacy involves the collection, preparation for publication or publication of journalistic material;
  • agencies and state and territory authorities, provided the invasion is in good faith to perform its functions or exercise its powers;
  • law enforcement bodies, and disclosures to and from the same, where the enforcement body believes it reasonably necessary for enforcement activities;
  • intelligence agencies, and disclosures to and from the same; and
  • an invasion of privacy by a person under the age of 18.

What sort of conduct would be captured?

Examples of conduct included in the Explanatory Memorandum (EM) which may amount to misuse of information are:

  • doxxing (ie maliciously releasing an individual's information online without their consent); and
  • storing, interfering with or modifying information, although not every collection, use or disclosure of information will constitute an actionable invasion of privacy.

The EM also outlines examples where information handling is unlikely to give rise to an issue under the tort:

  • the proper activities of healthcare providers (given all the elements, high thresholds and defences), even where those involve inherently private information (such as intimate, health or family information). This is likely to extend to other companies dealing with private information in the proper course of their business activities.
  • legitimate practices, such as medical care and research, would not attract liability on the basis of there not being a reasonable expectation of privacy by individuals and the balancing act against other public interests.

Developing common law tort?

Separate to the statutory tort above, last year, the Victorian County Court recognised a common law tort for the invasion of privacy in Waller (A Pseudonym) v Barrett (A Pseudonym) [2024] VCC 962. The plaintiff claimed against her estranged father for discussing her personal and intimate details with the media without her consent. While the factual matrix is not directly applicable to a commercial context and the decision is from a lower court, it underscores the growing judicial willingness to protect individuals' privacy rights and is notable for awarding damages for non-economic loss on that basis.

The County Court recognised that an action for invasion of privacy forms part of the common law of Australia, developing under the umbrella of an action for breach of confidence, but emerging as a separate and distinct category of cases. Rather than protecting specific information (as was the basis for actions for breach of confidence), the underlying principle in the developing class of privacy cases was the protection of human dignity that is associated with the maintenance of privacy.

Notably:

  • The County Court did not determine whether the cause of action was better viewed as an equitable or tortious cause of action, nor what the elements or defences were to such an action. However, it noted that relief would be available broadly where there is unauthorised public disclosure of private matters in circumstances that a reasonable person would deem highly offensive.
  • $30,000 in damages was awarded for emotional distress due to the invasion of privacy. The plaintiff was not required to prove a diagnosable psychiatric illness.

This judgment arose prior to the statutory tort coming into effect. It remains to be seen whether courts will develop a common law cause of action further, or more clearly distinguish it from the statutory tort. Claimants may elect to run both causes of action, including because the common law cause of action is not subject to damages caps or the threshold requirements for intention and seriousness (although it is still not widely recognised, and we would expect any elements to become more precisely defined over time if it were).

Ultimately, businesses may be exposed to both statutory and common law causes of action for serious invasions of privacy. The compliance suggestions above should be undertaken to minimise risks of breaches and non-compliance.

Further Privacy Reforms

AI and automated decision-making

Other changes enacted under the first tranche of privacy law reforms include the regulation of automated decision-making, affecting AI platforms and systems. This will take effect from 10 December 2026.

The reforms will require APP entities to include certain disclosures in their privacy policies if they use personal information in computer programs to make automated decisions on matters which are reasonably expected to significantly affect the rights or interests of the individual, and where that personal information is substantially and directly related to making that decision. Relevant decisions may include the refusal to grant a benefit to an individual, an individual's rights under a contract, and decisions that affect an individual's right to access a significant service or support.

Policies will need to include disclosures about the kinds of:

  • personal information used in the operation of the computer program;
  • decisions made solely by the operation of the computer program; and
  • decisions done by the operation of the computer program that are substantially and directly related to making the decision.4

These transparency requirements demonstrate the growing intersection of AI and privacy, as lawmakers and regulators seek to catch up to technological developments and introduce safeguards for individuals' rights in that context.

Privacy Act: Tranche Two Reforms

Tranche Two Reforms of the Privacy Act are not expected to land until at least late 2025 (the new Attorney General has declined to provide a timeline so far). However, this second wave of reform will likely include consent reforms, new fair and reasonableness requirements, individual rights, removal of the employee and small business exemptions, and assessing privacy impacts of high-risk activities. Further changes may include the right to be forgotten, stricter regulation of biometric data, greater consent requirements and the right to data portability.

Footnotes

1. Other changes implemented as part of these reforms include new doxxing offences with an ancillary penalty of 6 years imprisonment (which came into effect earlier on 11 December 2024) (Doxxing Reform). The Doxxing Reform prohibits people from using a carriage service (ie an email account or social media account) to publish, make available or distribute personal data of another individual (which would allow the individual to be identified, contacted or located) and engaging in what a reasonable person would consider menacing or harassing conduct towards the individual. A similar doxxing offence was also introduced in respect of doxxing offences against one or more members of certain groups distinguished by race, religion, sex, sexual orientation, gender, disability, nationality or ethnic origin (among others). The Doxxing Reform provides an example of conduct that would be captured, being where the name, image and telephone number of an individual is published on a website and others are encouraged to repeatedly contact the individual with violent or threatening messages.

2. Warren v DSG Retail Ltd [2021] EWHC 2168 and Stadler v Currys [2022] EWHC 160N.

3. Since 1 July 2024, maximum damages for non-economic loss in defamation proceedings is $478,500. This amount is indexed annually.

4. See clause 1 of Schedule 1 of the Privacy Bill.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
