A passer-by peers through your front window with binoculars. A colleague accesses your medical history without cause. A company quietly logs your movements, purchases, or private messages without consent.
Until now, such intrusions – if they fell outside existing regulatory frameworks – often had no clear legal consequence. Soon, that all changes.
Australia’s new statutory tort for serious invasions of privacy gives individuals a direct path to sue, even without proving damage. It marks a shift from regulatory complaint-handling to rights-based redress, and it could reshape how institutions, employers, and even neighbours think about personal data.
A decade after first being proposed, a statutory tort for serious invasions of privacy will become law in Australia from 10 June 2025, marking a structural shift in how privacy breaches can be contested and redressed. Unlike existing privacy protections enforced by regulators, the new tort enables individuals to take direct legal action through the courts, with no need to prove harm.
For regulators, especially those operating in sectors where data handling is incidental to core functions, the reform presents both a legal milestone and a cultural recalibration. Privacy obligations are no longer solely administrative matters of compliance but legal duties with direct personal consequences.
A cause of action at last
The statutory tort, which was introduced through the Privacy and Other Legislation Amendment Act 2024, has been a long time coming. First recommended by the Australian Law Reform Commission in 2014 and reiterated in multiple government inquiries since, it creates a clear legal route for individuals to sue others for two distinct types of privacy invasion: intrusion upon seclusion and misuse of private information.
To succeed, a plaintiff must show that the invasion was intentional or reckless (not merely negligent), that there was a reasonable expectation of privacy, that the invasion was serious, and that the public interest in privacy outweighs any competing public interest. Notably, there is no requirement to prove that harm occurred, making this one of the most accessible legal pathways for privacy claims in the common law world.
The scope of application is wide.
Individuals can sue organisations and other individuals, and businesses may be held directly or vicariously liable for the actions of employees or agents. Defendants under 18 are exempt, and certain actors, including law enforcement and state bodies acting in good faith, also receive carve-outs.
A broad definition, with narrow exemptions
‘Intrusion upon seclusion’ encompasses physical intrusions or surveillance, while ‘misuse of information’ includes the collection, use, or disclosure of information, regardless of its accuracy. In practice, this creates potential exposure for a wide range of conduct, particularly for organisations whose operations involve monitoring, recording, or processing personal information at scale.
The legislation includes a journalism exemption, shielding reporters, their employers, and those assisting them when collecting, preparing, or publishing journalistic material. Other exemptions include actions taken under lawful authority, those necessary to prevent serious harm, and those incidental to protecting people or property.
Defendants may also rely on express or implied consent as a defence, though the threshold for what qualifies may be contested in future case law.
Remedies beyond the symbolic
Courts will have access to a comprehensive suite of remedies. These include general damages (capped at the higher of $478,550 or the current maximum for defamation), injunctions, apology or correction orders, orders to destroy or return material, and even an accounting of profits.
Claims must be brought within a year of the claimant becoming aware of the breach, or within three years of the act itself, whichever occurs sooner. Minors may bring proceedings up to their 21st birthday.
This limitation framework aligns the tort more closely with defamation than traditional privacy law – a signal that reputational harms and digital dignity are increasingly being treated with similar seriousness.
From commissioner-led to claimant-led
Unlike existing privacy obligations enforced through complaint resolution mechanisms by the Office of the Australian Information Commissioner (OAIC), the new tort is court-based and adversarial. Regulators will not have direct enforcement authority, though it is expected that the OAIC and other bodies will issue guidance to help organisations understand their new exposure.
For entities already subject to the Privacy Act, this creates a parallel risk landscape: one set of rules monitored by regulators and another enforced through civil litigation. The latter introduces both strategic complexity and financial risk, especially for sectors where large volumes of personal data are routinely handled.
Next steps for compliance and culture
In the months ahead, industry groups are expected to publish practical guidance. Legal firms and consultants have begun advising clients to:
- Audit existing data collection, handling, and storage practices.
- Review and, if necessary, revise privacy policies.
- Deliver updated training on privacy responsibilities to all staff.
- Assess insurance coverage in light of potential litigation risks.
These are not minor adjustments. While the tort does not create new data governance obligations per se, it materially alters the risk calculus. A practice that was previously only reputationally damaging might now incur financial liability.
A shift in regulatory equilibrium
For regulators, the implications extend beyond organisational housekeeping.
The arrival of a statutory tort of privacy invasion elevates the individual’s role in privacy enforcement, reducing the exclusive gatekeeping function of public agencies. It introduces a model where privacy rights are not only codified, but judicially contestable on a private basis.
The shift also repositions privacy breaches within a broader matrix of legal risk. What was once a matter of administrative non-compliance may now be recast as a civil wrong, reshaping how agencies, boards and commissions think about incident response, liability exposure and public accountability.
If the uptake of this tort mirrors similar developments in other jurisdictions, regulators can expect a gradual emergence of case law that redefines the contours of what constitutes a ‘serious’ privacy invasion. In turn, this could influence policy, enforcement priorities and public expectations, not only for regulators in privacy-adjacent domains, but for all those managing sensitive personal information.