What You Need to Know About the Serious Invasion of Privacy Tort and Other Reforms
Australia’s privacy laws continue to undergo significant changes. In this article, we consider:
- The new statutory tort for serious invasion of privacy
- The other amendments to the Privacy Act passed by Parliament in late 2024
- Future reforms
The New Statutory Tort of Serious Invasion of Privacy
As of 10 June 2025, individuals in Australia have a new legal avenue to protect their privacy: a statutory tort for serious invasion of privacy.
Why this Matters
Previously, individuals had to rely on other causes of action such as breach of confidence, breach of contract, negligence or misleading or deceptive conduct, because enforcement actions under the Privacy Act 1988 (Cth) (Privacy Act) are restricted to the Information Commissioner.
The new tort operates independently of the Australian Privacy Principles in the Privacy Act. This means that individuals can bring actions against a wide range of defendants, including those that are not regulated by the Privacy Act, such as individuals and most small businesses.
The tort is also separate from the new enforcement procedures now available to the Information Commissioner for breaches of existing privacy laws.
Key Elements of The Tort
The new tort of serious invasion of privacy has five elements, which must all be met:
- There is an invasion of privacy, by means of:
- intruding on a person’s seclusion (whether physically or otherwise); or
- misusing information about that person;
- In circumstances in which there would be a reasonable expectation of privacy;
- The invasion of privacy is intentional or reckless (this is a higher threshold than negligence);
- The invasion of privacy is serious; and
- The public interest in that person’s privacy outweighs any countervailing public interest.
What the Courts Will Consider
The Privacy Act sets out some of the considerations a court may have regard to when evaluating whether these requirements have been met:
- Was it reasonable to expect privacy?: Relevant factors include whether a device or other technology was used in the invasion of privacy; the age, occupation or cultural background of the plaintiff; whether the plaintiff invited publicity or the opposite; the physical location of the invasion; and if the privacy invasion relates to misuse of information about a person, the nature of that information, including whether it related to family, health, financial or intimate matters. There is no requirement that the misused information is true.
- Was the invasion serious?: In assessing whether the invasion of privacy is serious, a court can take into account the likely degree of offence, distress or harm to dignity such an invasion would cause; whether the defendant knew that offence, distress or harm to dignity was likely; and whether the invasion of privacy was malicious.
- What is in the public interest?: The court may consider public interests such as freedom of expression, media freedom, public health and safety, national security, and the prevention and detection of crime and fraud.
The Privacy Act provides a range of defences, including that the invasion of privacy was required by law, that the plaintiff consented to the invasion (expressly or by implication), and that the defendant reasonably believed the invasion was necessary to protect a person’s life, health or safety.
Damages for non-economic loss are capped at the greater of $478,550 and the maximum amount of damages for non-economic loss available in defamation proceedings. In assessing damages, a court may take into account steps the defendant has taken such as making an apology, publishing a correction or paying compensation.
Time limits apply for prospective plaintiffs: a person must commence proceedings within one year of becoming aware of the invasion of privacy, although this may be extended to 6 years by the court in some circumstances.
Finally, the Privacy Act provides exceptions for certain activities of professional journalists and their employers, government agencies, law enforcement bodies and intelligence agencies. Proceedings may not be brought for an invasion of privacy carried out by someone under 18 years of age.
Other Key Privacy Reforms Passed by Parliament
The introduction of this tort came as part of a package of amendments to the Privacy Act passed by Parliament in late 2024. The majority of those amendments came into effect in December 2024. One final amendment in this package, which introduces new privacy policy disclosures about automated decision-making, will come into effect in December 2026.
- New enforcement procedures and penalty provisions
The changes introduced a range of penalties for privacy breaches.
At the ‘lower’ end, the Information Commissioner may issue infringement notices for breaches such as the following:
- breaches of the Australian Privacy Principles relating to:
- the implementation of direct marketing opt-outs;
- the contents of privacy policies;
- the provision of notice to individuals about collection of personal information; and
- responding to requests from individuals regarding their personal information; and
- non-compliant notices to the Information Commissioner or affected individuals regarding certain data breaches within an organisation.
Infringement notices may be enforced by penalties of up to $66,000 per breach.
However, a penalty of up to $660,000 per breach may apply if an entity does an act or engages in a practice that is an interference with the privacy of an individual. It is therefore possible that, rather than an infringement notice, a breach of either kind listed above may result in this higher penalty.
At the highest level, interferences with privacy that are determined by a court to be serious could attract penalties of up to $2.5 million per breach by an individual, and up to $50 million per breach by a body corporate (and potentially higher if calculated by reference to the organisation’s turnover or the benefit it received from the breach).
Factors a court may take into account in determining the seriousness of the breach include:
- the sensitivity of the information;
- the number of individuals affected and the consequences of the breach;
- whether breaches are repeated or continuous; and
- whether the entity failed to take steps to implement privacy practices in a way that contributed to the breach.
- Additional data security requirements
APP entities must take reasonable steps to protect personal information they hold, and to destroy or de-identify it once no longer required for a permitted purpose. The recent amendments make it clear that such steps include technical and organisational measures. This approach clearly elevates what is now considered to be reasonable in terms of organisational privacy practices.
The wording ‘technical and organisational measures’ reflects requirements of the European General Data Protection Regulation (GDPR). Guidance on the GDPR states that technical measures may range from requiring employees to use two-factor authentication for access to systems where personal data is stored, to imposing contractual requirements on cloud providers to use end-to-end encryption. Examples of organisational measures include staff training, data privacy policies, and limiting data access to staff on a need-to-know basis. However, it is not yet known how this wording will be interpreted by the Information Commissioner in Australia.
Even so, it is likely that this new standard will require significant attention and investment. Organisations should design, document and implement practices and infrastructure that are tailored to the organisation’s operations and the kinds of personal information it collects.
- ‘Whitelist’ of countries deemed to have equivalent privacy protections to Australia
The government may now prescribe countries which have laws or schemes equivalent to the Australian Privacy Principles in the Privacy Act, and which also have enforcement mechanisms available to individuals.
Once such a whitelist is established, organisations would no longer need to carry out their own assessment of the adequacy of a listed foreign regime when considering overseas data transfers.
- Children’s online privacy code
The Information Commissioner must develop an ‘APP code’ about online privacy for children, setting out how one or more of the Australian Privacy Principles are to be applied in relation to children’s privacy. (APP codes contain provisions that apply to certain organisation types or sectors in addition to the Australian Privacy Principles).
- Criminal offences (‘doxxing’)
New criminal offences have been introduced relating to the publication or distribution of personal data in a way that would be reasonably regarded as menacing or harassing.
- Disclosures about automated decision-making
This will be the last of the 2024 amendments to come into force. From December 2026, organisations must disclose in their privacy policies what types of decisions are made by automated decision-making technology using personal information.
What Reforms Are Expected in Future?
In December 2022, the Attorney-General’s Department put forward 116 proposals to reform the Privacy Act. The Australian government accepted approximately one third of these, of which only some were included in the 2024 amendments. The remainder, likely together with other proposals with which the government agreed ‘in principle’, are expected to form part of future reforms.
Apart from the statutory tort for serious invasion of privacy, the 2024 amendments did not introduce any new rights for individuals. However, outstanding proposals include a number of protections similar to those under the GDPR, such as a new right to erasure and greater transparency requirements regarding information collected about individuals.
Other reforms expected in future include:
- removing the small business exemption to compliance with the Privacy Act and, in the short term, prescribing the collection of biometric data for use in facial recognition technology as an exception to the small business exemption;
- defining geolocation tracking data as personal information;
- introducing requirements for enhanced transparency over the use of personal information in employee records;
- introducing enhanced requirements for collection notices and privacy policies;
- introducing enhanced requirements for direct marketing and opt-out mechanisms;
- introducing a broad consent for research; and
- prescribing standard contractual clauses for use when transferring personal information overseas.
Final Thoughts
The recent privacy reforms in Australia significantly expand individuals’ rights and raise the expectations on businesses and other organisations. The new tort provides individuals with a specific cause of action for serious invasions of privacy for the first time, while broader reforms are expected to follow. We’ll continue to monitor and report on further changes as they unfold.
Should you require any further information about this topic please do not hesitate to contact the authors below:
- Judith Miller (judith.miller@wrays.com.au) or
- Kate Legge (kate.legge@wrays.com.au)
