
10 June 2025 marked a big milestone in Australia’s developing privacy law framework, expanding the Privacy Act 1988 (Cth) to include a new statutory tort of “serious invasions of privacy”.

In this article, we explore what this new tort is, what it means for Australian businesses and what businesses can do to ensure they don’t breach it.

What is this new tort?

The new tort of “serious invasions of privacy” (found in Schedule 2 of the Privacy Act) enables individuals (the plaintiff) to commence legal proceedings against another legal person (for example, an individual, a company or a trust) (the defendant) if:  

  • the defendant invaded the plaintiff’s privacy by either intruding upon the plaintiff’s seclusion (for example, unauthorised surveillance) or misusing information that relates to the plaintiff; 
  • the person in the plaintiff’s position would have had a reasonable expectation of privacy in all the circumstances. Relevant considerations here may include the purpose of the invasion of privacy, the plaintiff’s attributes (eg age and cultural background) and the plaintiff’s conduct, including whether the plaintiff invited publicity or manifested a desire for privacy;  
  • the defendant’s invasion was intentional or reckless, not just negligent; 
  • the invasion was serious. In making this determination, the court may consider the degree of any offence, distress or harm to dignity that the invasion was likely to cause to a person of ordinary sensibilities in the position of the plaintiff and whether the defendant knew or ought to have known that the invasion was likely to offend, distress or harm the dignity of the plaintiff; and  
  • the public interest in protecting the plaintiff’s privacy outweighed any countervailing public interest. Depending on the circumstances, this may include things like freedom of expression, public health and safety and the prevention and detection of crime and fraud.  

A plaintiff is not required to prove actual loss or damage to bring the action.  

There are defences to this tort, including where the invasion of privacy was required or authorised by or under an Australian law or if the plaintiff expressly or impliedly consented to the invasion. 

How does this new tort differ from the existing protections under the Privacy Act?

Before this new tort was implemented, the Privacy Act did not apply to the majority of small businesses, and its enforcement was largely through regulatory action, not through claims by affected individuals. This new tort applies to all legal persons and gives individuals a potentially powerful tool to issue proceedings against any other legal person to protect their privacy or seek damages and other remedies (including an account of profits and even an apology) where their privacy has already been infringed.  

Another important aspect of this tort is that businesses are not exempt from complying with it with respect to their handling of employee records, unlike under the Privacy Act’s Australian Privacy Principles.  

What do we not know yet about the new tort?

As at the date of this article, there has been limited judicial application of this new tort. 

Businesses and lawyers wait with bated breath to see how the court will interpret and apply the various elements of the tort, including how it will balance competing privacy and public interest considerations, and the size and nature of the remedies awarded to plaintiffs.  

What we do expect is that while each case will turn on its own facts, which may limit the applicability of one case to the next, the early cases will undoubtedly provide valuable guidance for businesses.  

It will also be interesting to see whether the court places limitations on the scope of the information that is captured by the new tort, given it concerns “information that relates to the plaintiff” rather than “personal information”, which is the corresponding and well-considered term used throughout the rest of the Privacy Act.  

What can my business do to avoid breaching this new tort?

Businesses can and should act now to limit their risk of breaching this new tort.

We recommend the following:  

  1. Review and upgrade your privacy governance framework
     • Routinely review, update and document your business’s privacy governance framework, including ensuring you have a clear and robust privacy policy, oversight mechanisms and incident-response plans. Pay particular attention to your business’s key risk areas.
     • Confirm that your business’s monitoring, collection, use and disclosure of information relating to individuals is in accordance with the business’s privacy policy and the individuals’ instructions and informed consent.
     • Ensure that monitoring, surveillance and other potentially intrusive activities are lawful and proportionate.
  2. Training and culture
     • Provide regular mandatory training to employees and, if feasible, contractors about the business’s and their own obligations regarding the monitoring, collection, use and disclosure of information relating to individuals, including their fellow employees’ information.
     • Update your business’s training module to include guidance on the new tort.
     • A key focus of all privacy training should be on the appropriate use of AI technology.
  3. Audit your data
     • Audit the data held by your business to ensure that it does not possess any information which may put the business in breach of the new tort.
     • A good rule of thumb is that your business should limit the information it collects and handles to only the information it requires to carry out its business functions.
  4. Insurance and contracts
     • Make sure your business has adequate insurance coverage for privacy claims and regulatory action, including for claims for breach of the new tort.
     • Consider having a lawyer review your business’s existing contracts and templates to ensure the business is protected against data mishandling by third parties.

Concluding remarks

The new statutory tort for “serious invasions of privacy” will likely have a big impact on the way businesses are expected and required to collect and handle information relating to individuals.

Though most businesses already operate in compliance with their privacy obligations, including under this new tort, for those that don’t, now is the time to make the necessary changes.

Businesses need to be aware that the new tort does not replace their pre-existing obligations under the Privacy Act and other privacy laws, which may apply even if the new tort does not.
