By Angus Henderson
10 June 2025 – the day that the gap in Australia’s personal privacy protections was finally addressed through a new legislative tort.
Key Take-aways
- Direct Right of Action for Individuals
Individuals can now sue for serious invasions of privacy without needing to prove damage, provided the invasion was intentional or reckless and serious, and they had a reasonable expectation of privacy.
- Two-Pronged Tort Structure
The tort covers:
- Intrusion upon seclusion (e.g., unauthorised surveillance or recording); and
- Misuse of private information (e.g., unauthorised data disclosure)
- Broad Applicability and Remedies
Claims can be brought against natural persons, corporations, or government agencies (excluding exempt entities). Remedies include injunctions, declarations, and damages—including emotional distress and punitive damages.
- Alignment with International Jurisprudence
The framework draws heavily from privacy torts in New Zealand, the UK, and Canada, encouraging Australian courts to reference international jurisprudence for guidance on interpretation and application.
- Potential Significant Implications for Businesses
Common data practices like user tracking and profiling may now trigger litigation. The tort expands exposure beyond the Privacy Act, and does not require proof of damages, making privacy risk management essential for Australian organisations.
How did we get here?
The Privacy Amendment Bill 2024 (Bill) received royal assent on 10 December 2024, and brought the introduction of a new statutory tort for the serious invasion of privacy coming into effect on 10 June 2025. This marks a significant shift in Australian privacy law, privacy is no longer just a compliance issue – individuals now have a direct right of action in certain circumstances.
Minister Dreyfus, in the second reading speech of the Bill, emphasised that a statutory tort applying to breaches of privacy has been talked about in Australia for a very long time.[1] The Australian courts in the 1937 Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (Victoria Park) case confirmed that there is no such thing as a lawful or unlawful interference of privacy in Australia.[2] In 2001, Australian Broadcasting Corp v Lenah Game Meats Pty Ltd highlighted that the decision in the Victoria Park case does not prevent the development of an enforceable right to privacy.[3] However, over the next 20+ years, a common law tort dealing with privacy was never developed by the courts.
The creation of a legislated privacy tort was initially recommended by the Australian Law Reform Commission’s (ALRC) in its 2008 report titled ‘For Your Information: Australian Privacy Law and Practice’[4] and has been recommended in several other inquiries since, including the Attorney-General’s Privacy Act Review Report 2022.[5] The legislative framework for the statutory tort was heavily influenced by the ALRC’s 2014 report, Serious Invasions of Privacy in the Digital Era (the Report).[6] [7]
Today, the statutory tort for serious invasions of privacy sits separate to the main body of the Privacy Act 1988 (Cth) (Privacy Act) in Schedule 2, and is intended to be read and construed separately from the rest of the Act.[8] Any existing precedent that can be drawn from the broader Privacy Act may not apply to Schedule 2.[9]
Key elements of the tort for serious invasions of privacy
To establish a cause of action, the individual must prove that:
- a person invaded their privacy by either:
- intruding upon the plaintiff’s seclusion – including physical intrusion or unauthorised observation, listening to, or recording of private activities; and/or
- misusing private information – including the unauthorised collection, use, or disclosure of personal information, and
- intruding upon the plaintiff’s seclusion – including physical intrusion or unauthorised observation, listening to, or recording of private activities; and/or
- the individual had a reasonable expectation of privacy in the circumstances; and
- the invasion was intentional or reckless; and
- the invasion was serious; and
- public interest in privacy of the individual outweighs any countervailing public interest.
Schedule 2 of the Privacy Act provides guidance on what is considered ‘countervailing public interest’, a ‘reasonable expectation of privacy’ and ‘seriousness’ for the purpose of satisfying the cause of action.[10]
The Report, being a key influence on the legislative drafting, stipulated that courts should consider “all of the circumstances”, implying that no single factor, such as the purpose of the invasion of privacy, is determinative. [11] An example provided by the Australian Government’s response to the Privacy Act Review Report notes that a serious invasion of privacy includes an “individual taking a video of a person where they had a reasonable expectation of privacy (such as in a public bathroom) or an employee misusing sensitive facts about another employee obtained by virtue of their position”.[12]
Importantly, there is no requirement to establish any proof of damage was caused by the serious invasion of privacy, and where information was misused, it is immaterial whether that information that was true.[13]
Who is affected by this tort?
An individual may have a cause of action against another natural person, corporation or a government agency regardless of whether the defendant is caught by the Privacy Act (i.e., it does not matter if the defendant is an APP Entity). The statutory tort is not available for corporate entities nor government entities.
An individual may be awarded injunctive or declaratory relief, or damages (including general, non-economic loss (capped at the greater of $478,550 or the equivalent defamation cap), emotional distress, exemplary or punitive). Aggravated damages are not available under the statutory tort.
Exemptions, Defences and Limitations
There are limited exemptions that may apply to the new tort including for minors, government entities (including law enforcement and intelligence agencies) and journalist in relation to the collection, preparation and publication of journalistic material (as defined).
An individual has a maximum of 6 years from the date of the serious invasion of privacy (unless extended by the court) to begin a claim.[14]
There are limited defences available to defendants including where the:
- conduct was authorised by law;
- plaintiff consented;
- defendant reasonably believed the conduct was necessary to prevent a serious threat to life, health, or safety;
- conduct was incidental to lawful defence of persons or property; or
- conduct was proportionate, necessary, and reasonable.
Where the conduct involves publication of defamatory material, a defence available under defamation law may also apply.
Guidance from overseas
The tort for serious invasion of privacy aligns Australia more closely with international jurisdictions like the UK, Canada, and New Zealand, which have long recognised similar privacy torts. Australian courts are likely and explicitly encouraged by the Explanatory Memorandum of the Bill to draw on jurisprudence internationally in applying the statutory tort – especially where key ambiguities have been answered.[15]
The tort of privacy in New Zealand, being the “wrongful publication of facts” was confirmed in the 2004 case of Hosking v Runting.[16] There are two fundamental requirements: there must be both a reasonable expectation of privacy, and publicity given to those facts would be highly offensive to an objective reasonable person.[17] Further developing the tort of privacy, in 2012 the New Zealand High Court determined in the case of C v Holland, that the “intrusion upon seclusion” is a separate actionable tort.[18] The framework is substantially similar to the statutory approach taken in Australia, with two potential tort of action branches. It is likely that decisions from New Zealand are to provide early lessons to Australia on what is likely to be an acceptable cause of action.
The UK has developed its privacy tort in a similar timeline, with the first significant milestone in the 2004 case of Campbell v MGN Ltd, that expanded on the breach of confidence doctrine.[19] In that case, the House of Lords held that Naomi Campbell’s attendance at Narcotics Anonymous meetings was private, and its publication constituted a serious intrusion of privacy. The decision introduced a balancing test between the public’s right to know and the individual’s right to privacy, with the threshold of “highly offensive” conduct being central to the analysis.
In Canada, the Ontario Court of Appeal in Jones v Tsige formally recognised the tort of intrusion upon seclusion, requiring intentional intrusion into private affairs that would be “highly offensive” to a reasonable person.[20] This case involved the defendant accessing the plaintiff’s bank details, access which they had by virtue of their employment. Further examples provided by the Canadian case on what would be considered “highly offensive conduct” includes, intrusions into matters such as “one’s financial or health records, sexual practises and orientation, employment, diary or private correspondence.”[21]
While Australia’s statutory tort uses the term “serious” rather than “highly offensive” as used overseas, the “seriousness” threshold may allow for a broader interpretation, encompassing not only emotional harm but also significant impacts on autonomy, dignity, or personal security or where the defendant’s intentions were malicious.
Privacy Tort v Defamation Claim
Although familiar sounding, the tort for serious invasion of privacy complements, not replaces a defamation claim. Set out at a high level below are some of the similarities and differences, as there may be claims that can be established under both right of actions. Plaintiff’s should consider that under section 8(2) of Schedule 2 of the Privacy Act, a defence under a defamation claim, may also entitle a defendant to a defence under the statutory tort.
| Defamation Law | Tort for Serious Invasion of Privacy |
| Protects the reputation of an individual | Protects the right to be let alone |
| One year to begin a claim | Six years to begin a claim |
| Publication of material required | Publication of material is not required |
| Truth is a defence | No defence or requirement to truth |
| Defence of absolute privilege | Defence of absolute privilege |
| Single publication rule | Single publication rule |
The importance?
This new legislated tort marks a significant expansion in privacy risk exposure for clients. Common surveillance and data handling practices such as user tracking and behavioural profiling will need to be re-considered by business, as they may fall within the scope of a “serious invasion of privacy”.
Importantly, privacy breaches that previously triggered only regulatory notification obligations may now also give rise to private claims. The new statutory tort introduces a new avenue for litigation without proof of harm, particularly for mishandling personal data. The tort is broader than the requirements under the Privacy Act, and is not limited to personal information collected, used or disclosed under the Act. This significantly broadens the legal, financial, and reputational exposure for Australian organisations — particularly in an era of escalating data breaches — making robust data governance and internal oversight more critical than ever.
[1] Commonwealth, Parliamentary Debates, House, Privacy and Other Legislation Amendment Bill Second Reading, (Mark Alfred Dreyfus).
[2] Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479.
[3] Australian Broadcasting Corp v Lenah Game Meats Pty Ltd (2001) 185 ALR 1, 106-107 and 132.
[4] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice (Report No 108, August 2008).
[5] Attorney General’s Department, Privacy Act Review Report(16 February 2023).
[6] Australian Law Reform Commission, Serious Invasion of Privacy in the Digital Era(Report No 123, 3 September 2014).
[7] Explanatory Memorandum, Privacy and Other Legislation Amendment Bill 2024 (Cth) 13.
[8] Privacy Act 1988 (Cth), Sch 2 section 2.
[9] Australian Law Reform Commission, Serious Invasion of Privacy in the Digital Era(Report No 123, 3 September 2014).
[10] Privacy Act 1988 (Cth), Sch 2 section 7 (3) to (6).
[11] Privacy Act 1988 (Cth), Sch 2 section 7 (5).
[12] Attorney General’s Department, Government response to the Privacy Act Review Report (28 September 2023) 19.
[13] Privacy Act 1988 (Cth), Sch 2 section 7 (2) and (7).
[14] Privacy Act 1988 (Cth) Sch 2, section 14.
[15] Explanatory Memorandum, Privacy and Other Legislation Amendment Bill 2024 (Cth) 358.
[16] Hosking v Runting [2004] NZCA 34.
[17] Hosking v Runting [2004] NZCA 34.
[18] C v Holland [2012] NZHC 2155.
[19] Campbell v MGN Ltd [2004] UKHL 22.
[20] Jones v Tsige 2012 ONCA 32.
[21] Jones v Tsige 2012 ONCA 32, 72.