From 10 June 2025, Australian privacy law has taken a major step forward with the introduction of the statutory tort of invasions of privacy. This reform gives individuals new and direct rights to take legal action in court – something previously unavailable under Australia’s privacy regime.
In this blog, we break this change down into plain language.
What is a tort?
A tort is a wrongful action, that is not a breach of contract, which causes injury to another person and for which the law imposes liability on the person who committed the action. An example of tort law (which most people recognise) is defamation law.
The introduction of a statutory tort of privacy enhances individuals’ privacy rights and provides a flexible framework to address current and emerging privacy risks.[1] In other words, the reform strengthens privacy law and provides individuals whose privacy has been invaded with stronger legal options for recourse.
What This Means for Businesses
This reform has significant implications for small and medium businesses. The way businesses collect, store, and use customer and employee data now carries increased legal risk. A serious privacy breach could lead not just to regulatory complaints, but also to costly litigation.
The legal profession is watching closely to see how courts will interpret key terms such as “serious invasion” and “public interest.” Until then, the safest approach for businesses is to tighten privacy practices and ensure compliance with the Australian Privacy Principles.
Why This Reform Matters
Until now, individuals who believed their privacy had been breached had limited options. They could complain to the Office of the Australian Information Commissioner (OAIC), or in some cases seek an injunction. But they could not directly sue an organisation for breaches of the Australian Privacy Principles.
The new statutory tort changes that. Individuals now have a clear pathway to take matters straight to court when their privacy has been invaded.
What Counts as an Invasion of Privacy?
Under the new law, individuals can bring a claim where their privacy has been invaded through:
- Intrusion upon seclusion – for example, unauthorised surveillance or accessing private spaces.
- Misuse of private information – such as sharing or exploiting personal information without consent.
To succeed in a claim, the following elements must be proven:
- The defendant invaded the plaintiff’s privacy through intrusion or misuse of information.
- The plaintiff had a reasonable expectation of privacy.
- The invasion was intentional or reckless.
- The invasion was serious.
- The public interest in privacy outweighs any countervailing public interest.
What Remedies Are Available?
If all five elements are substantiated, courts may grant a wide range of remedies, including:
- Apology orders
- Correction orders
- Exemplary or punitive damages
Importantly, individuals will also benefit from the discovery process, which compels parties to share relevant evidence prior to matters being heard in court – a process not available in complaints to the OAIC.
If you have questions about the themes explored in this article, or need support with any aspect of privacy law, the team at Rankin Business Lawyers is here to help.
Ming Yip
Lawyer
[1] Office of the Australian Information Commissioner, 19 June 2025.
