Serious Invasions of Privacy: Understanding Australia’s Newest Privacy Tort

Serious invasions of privacy: Understanding Australia’s newest privacy tort On 10 June 2025, Australia’s statutory tort for serious invasions of privacy came into effect, providing individuals with a direct legal avenue to pursue organisations for serious breaches of their privacy rights. This significant milestone represents another step toward strengthening Australia’s overall privacy framework.

Further details on the key reforms introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) are available in the Q4 2024 edition of Regulatory Radar.

The statutory cause of action is set out in Schedule 2 of the Privacy Act 1988 (Cth) (Privacy Act). To establish a claim, a plaintiff must establish that:

• there was an invasion of privacy by either intruding upon their seclusion or misusing information relating to them • there was a reasonable expectation of privacy in the circumstances
• the invasion was either intentional or reckless
• the invasion was serious in nature, and
• the public interest in protecting the plaintiff’s privacy outweighs any competing public interest.

Notably, the cause of action does not require proof that any actual loss or damage was suffered. However, we expect that the substantiation of loss or damage will nonetheless be an important factor for many plaintiffs who bring breach of statutory tort claims.

Reasonable expectation of privacy

When assessing whether a plaintiff had a reasonable expectation of privacy, courts may consider a range of contextual factors, including:

• the nature of the intrusion
• the plaintiff’s personal circumstances, and
• how the information was handled or disclosed.

The misuse of false information is treated the same as misuse of true information, provided the other elements of the tort are met.

Seriousness

In determining whether an invasion of privacy is sufficiently serious, courts may consider factors such as:

• the likely impact on a person of ordinary sensibilities
• the defendant’s awareness of that impact, and
• where the conduct was intentional, whether it was motivated by malice.

There are several carve-outs to ensure the regime does not unduly interfere with public interest functions or professional activities. Specifically, the tort does not apply to:

• Journalists and media organisations, where the invasion involves the collection or publication of journalistic material
• Government agencies and authorities, provided the conduct was in good faith and in the course of performing official functions (excluding intelligence and law enforcement bodies)
• Law enforcement and intelligence agencies, including their staff and affiliates, in connection with their official duties or disclosures
• Individuals under the age of 18, recognising the distinct legal treatment of minors

These exemptions reflect a balance between privacy protection and broader societal interests including press freedom, public administration, and national security.

Several defences are available where:

• the conduct was authorised by law or a court/tribunal order
• the plaintiff consented, either expressly or impliedly
• the defendant reasonably believed the conduct was necessary to prevent a serious threat to life, health or safety, or
• the invasion was incidental to lawful self-defence and was proportionate and reasonable.

Additionally, defences available under defamation law, including absolute privilege, publication of public documents, and fair reporting, may also apply where the invasion involves the publication of information. These defences aim to preserve legitimate conduct while ensuring the tort remains focused on unjustified and harmful intrusions.

Courts have a broad discretion to award remedies under the new statutory tort. These include:

• Injunctions, which may be granted at any stage to restrain further invasions of privacy, with special consideration given to the public interest in publication where relevant
• Summary judgment, where the plaintiff has no reasonable prospect of success
• Damages, including compensation for emotional distress and, in exceptional cases, exemplary or punitive damages, subject to a statutory cap aligned with defamation law of $478,550, and
• Other remedies, being apologies, correction orders, destruction or return of misused material, and declarations of wrongdoing.

Importantly, while apologies do not constitute admissions of liability, they may be considered when assessing damages.

The tort applies to conduct that occurs after 10 June 2025. Proceedings under the new statutory tort must be commenced within strict timeframes. Generally, plaintiffs must file before the earlier of:

• one year from the day after becoming aware of the invasion of privacy, or
• three years from the day after the invasion occurred.

For individuals who were under 18 at the time of the invasion, the deadline is extended to their 21st birthday.

Courts may grant extensions, up to six years from the date of the invasion, if it was unreasonable for the plaintiff to have commenced proceedings earlier. These provisions aim to balance timely access to justice with fairness in exceptional circumstances.

The introduction of Australia’s statutory tort for serious invasions of privacy potentially marks a pivotal shift in our privacy landscape. Individuals now have a direct legal avenue to pursue organisations for serious breaches of their privacy rights. While organisations themselves cannot bring claims under the tort, they must navigate an evolving and largely untested legal landscape. It is likely that courts will draw guidance from overseas jurisdictions, including New Zealand, the United Kingdom, the United States, and Canada, when interpreting and applying the new provisions.

Given the uncertainty surrounding how the tort will be enforced, and the potential for costly litigation, organisations should take proactive steps to mitigate risk. This includes reviewing data handling practices, updating privacy policies, and conducting privacy impact assessments. The time limitations built into the regime offer a window for businesses to act now, before disputes arise, to ensure compliance and demonstrate a commitment to privacy protection.

If you need help to gauge your compliance with privacy, data security and cyber obligations, improve your cyber resilience or deal with a cyber incident, Gilchrist Connell can assist with a range of services and expertise.