From 10 June 2025, Australian privacy law has taken a major step forward with the introduction of the statutory tort of invasions of privacy. This reform gives individuals new and direct rights to take legal action in court—something previously unavailable under the privacy regime.

Why This Reform Matters

Until now, individuals who believed their privacy had been breached had limited options. They could complain to the Office of the Australian Information Commissioner (OAIC), or in some cases seek an injunction. But they could not directly sue an organisation for breaches of the Australian Privacy Principles.

The new statutory tort changes that. Individuals now have a clear pathway to take matters straight to court where their privacy has been invaded.

What Counts as an Invasion of Privacy?

Under the new law, individuals can bring a claim where their privacy has been invaded through:

  • Intrusion upon seclusion – for example, unauthorised surveillance or accessing private spaces.
  • Misuse of private information – such as sharing or exploiting personal information without consent.

To succeed in a claim, the following elements must be proven:

  1. The defendant invaded the plaintiff’s privacy through intrusion or misuse of information.
  2. The plaintiff had a reasonable expectation of privacy.
  3. The invasion was intentional or reckless.
  4. The invasion was serious.
  5. The public interest in privacy outweighs any countervailing public interest.

What Remedies Are Available?

If these elements are satisfied, courts may grant a wide range of remedies, including:

  • Apology orders
  • Correction orders
  • Exemplary or punitive damages

Importantly, individuals will also benefit from the discovery process, which compels parties to share relevant evidence—a tool not available in OAIC complaints.

What This Means for Businesses

This reform has significant implications for small and medium businesses. The way you collect, store, and use customer and employee data now carries increased legal risk. A serious privacy breach could lead not just to regulatory complaints, but also to costly litigation.

The legal profession is watching closely to see how courts will interpret key terms such as “serious invasion” and “public interest.” Until then, the safest approach for businesses is to tighten privacy practices and ensure compliance with the Australian Privacy Principles.

Ming Yip
Lawyer