More than a decade after the Australian Law Reform Commission's Final Report on Serious Invasions of Privacy in the Digital Era was tabled in the Parliament, the new statutory tort for 'serious invasions of privacy' under the Privacy Act 1988 (Cth) (Privacy Act) came into effect on 10 June 2025.
This landmark reform marks a significant expansion of individual privacy rights. Individuals, even without proof of damage, may now sue for serious invasions of privacy without relying on the Office of the Australian Information Commissioner (OAIC) to take action. The financial stakes for defendants are high - if a business is found liable, it may face damages up to the greater of $478,550 and the maximum award of damages for non-economic loss in a defamation claim.
The tort has broader scope than the 'Australian Privacy Principle' (APP) obligations under the Privacy Act, which apply only to APP entities, and allows protection for certain invasions of privacy which the OAIC has acknowledged would not otherwise have been protected by the Privacy Act.
Against this backdrop, the privacy risk has increased once again, making it essential for organisations to review and update their privacy practices, train staff on new obligations, and maintain clear records to demonstrate compliance and manage potential litigation risks. Privacy is a core operational priority, and a proactive, privacy-by-design approach is crucial to avoid costly litigation and reputational harm.
Below we outline the key features of the new tort and the practical implications for organisations operating in Australia.
What constitutes serious invasions of privacy under the new tort?
Many concepts underpinning this new tort are drawn from privacy torts in overseas jurisdictions, including the UK and New Zealand. While decisions from these jurisdictions may offer some indication of future interpretations, the practical application in Australia will ultimately be determined by Australian courts.
The new tort is found in section 7 under Schedule 2 of the Privacy Act. An individual (i.e. the plaintiff) has a cause of action in tort against another person (i.e. the defendant) if all of the five elements below are satisfied. Importantly, the plaintiff is not required to prove damages.
- Invasion of privacy: The defendant invaded the plaintiff's privacy by doing one or both of the following:
- intruding upon the plaintiff's seclusion, and
- misusing information that relates to the plaintiff.
The term 'information' is currently undefined so businesses should be wary that potentially any type of information relating to an individual can be subject to the cause of action, until further guidance of its interpretation is developed by the courts.
- Reasonable expectation of privacy: a person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances. The court may consider the following factors when determining whether a person in the position of the plaintiff would have had a reasonable expectation of privacy:
- The means: The means used to invade the plaintiff's privacy, including the use of any device or technology
- The purpose: The purpose of the invasion of privacy
- The conduct of the plaintiff: Including whether the plaintiff invited publicity or demonstrated a desire for privacy
- Place of intrusion: Including whether the plaintiff is at home, in office premises or in a public place, and whether or not the place is open to public view from a place accessible to the public, or whether or not the conversation is audible to passers-by
- If information was misused:
- The nature of the information, including whether it related to intimate or family matters, health or medical issues, or financial matters
- How the information was held or communicated by the plaintiff
- Whether and to what extent the information was already in the public domain. In this regard, private information is often private because of its nature, and it should be noted that private information may not automatically cease to be private once it is in the public domain.
This element highlights the need for companies, particularly those handling sensitive information, to be explicit and transparent in their privacy policies and contracts to ensure there is a clear understanding of how information relating to persons may be collected and used. Ambiguity or lack of clarity on privacy terms could heighten the risk of misuse where a business uses a person's information that was otherwise reasonably expected to remain private.
- Fault: Whether the invasion of privacy was intentional or reckless, the latter as defined in the Criminal Code Act 1995 - having regard to the substantial risks and proceeding to take the risk unjustifiably. Recklessness generally imposes a higher standard of fault compared to a civil standard of negligence.
- Seriousness: The court may consider the following:
- The degree of any offence, distress, or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff
- Whether the defendant knew, or ought to have known, that the invasion of privacy was likely to offend, distress, or harm the dignity of the plaintiff
- If the invasion of privacy was intentional - whether the defendant was motivated by malice.
- Public Interest: Whether the public interest in the plaintiff's privacy was more important than other public interests, such as freedom of political or artistic expression, freedom of media, public health and safety, national security and prevention and detection of crime and fraud.
Limitation period
The tort applies to conduct occurring after 10 June 2025. Proceedings must be commenced by the earlier of 12 months after the day the plaintiff became aware of the invasion of privacy and three years after the invasion of privacy occurred. Plaintiffs that are 18 at the time of the alleged invasion must commence proceedings before they turn 21.
Remedies
The court can award damages to the plaintiff, including for emotional distress, and may also grant exemplary or punitive damages in exceptional cases. However, aggravated damages cannot be awarded, and total damages for non-economic loss and punitive damages are capped at $478,550 or the maximum allowed in defamation cases, whichever is higher.
The court can consider factors such as apologies, corrections, compensation, settlement efforts, and any unreasonable conduct after the privacy invasion that subjected the plaintiff to particular or additional embarrassment, harm, distress or humiliation, when deciding how much to award in damages.
Courts have also been granted wider powers to order any remedy they consider most appropriate in the circumstances. These can include:
- Ordering an account of profits
- Issuing injunctions
- Requiring apologies
- Making correction orders
- Mandating the destruction or delivery of materials obtained or misused during the invasion of privacy
- Declaring that a serious invasion of privacy occurred
The law is clear that an apology made by or on behalf of the defendant in connection with the invasion of privacy does not constitute an express or implied admission of fault or liability by the defendant in connection with the invasion of privacy, and is not relevant to the determination of fault or liability in connection with the invasion of privacy.
Exemptions and defences
Not many businesses would be exempt from the new privacy tort. Exemptions only apply to government agencies in the performance of their functions, law enforcement and intelligence, professional journalists and persons under 18.
A cause of action for serious invasion of privacy may be defended if the plaintiff gave their express or implied consent to the invasion of privacy, the invasion of privacy was required or authorised under Australian law or court order, or the invasion of privacy was incidental to the exercise of a lawful right of defence of persons or property, provided they are proportionate, necessary and reasonable.
Notably, the use of information for employee management purposes is not a specific exemption or defence under the privacy tort. This provides some uncertainty for businesses with legitimate or reasonable uses of employee information to effectively manage their workforce.
It is also a defence to the privacy tort where:
- the defendant invaded the plaintiff's privacy by publishing (as defined within Australian defamation law) information that relates to the plaintiff
- that Australian defamation law includes a defence that could apply (such as absolute privilege, publication of public documents or fair report of proceedings of public concern), and
- the defence would still apply if a reference in the Australian defamation law to the publication of defamatory matter were to include a reference to the invasion of privacy.
Why a statutory tort was needed
Australia now joins other jurisdictions, such as provinces in Canada and California in the US, that have also enacted statutory torts for privacy.
The introduction of a statutory tort for serious invasions of privacy responds directly to longstanding gaps in Australian law, as highlighted in the Attorney General's Privacy Act Review Report 2022, which has framed the basis of the ongoing privacy reform in Australia.
The OAIC supported the creation of a statutory tort, noting it would provide broader protection for individuals and better align with Australia's obligations under Article 17 of the International Covenant on Civil and Political Rights.
The Report identified that the OAIC believed that the Privacy Act did not protect against a range of serious privacy invasions, including:
- Filming or photographing someone in a private setting, such as their backyard or a public bathroom, without consent
- Secretly recording private conversations
- Interfering with or disclosing private correspondence or communications
- Publicly revealing sensitive facts about an individual's private life
- Misusing personal information obtained in breach of an employment contract for personal reasons (such as blackmail or family law disputes), where the employer is not liable
- Data breaches involving small businesses or individuals not covered by the Act.
The need for a statutory tort was further underscored by the slow development of the common law.
Since the High Court's decision in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd over 20 years ago, which raised but did not resolve the possibility of a common law tort of privacy, there has been little progress.
In Smethurst v Commissioner of Police, the High Court again left open the question of recognising a privacy tort, as the issue was not directly before the Court. This lack of legal development was acknowledged to have left individuals without a clear remedy for serious invasions of privacy. The new statutory tort is a direct response to these gaps.
Concurrent claims and relationship to other actions
It is possible that the new statutory tort for serious invasions of privacy could be brought concurrently with other causes of action, such as those under current laws (such as surveillance and family law statutes), breach of confidence or defamation, if they arise in relation to the same information or conduct. Importantly, unlike these other causes of action, the tort is not automatically defeated just because the information was already public (as compared to breach of confidence) or because the information in question was false (as compared to defamation).
Key takeaways and next steps
Australia's new statutory privacy tort changes increase the risk profile in relation to privacy compliance. With broad application and limited exemptions, businesses should:
- diligently review their privacy practices to ensure compliance with the new legal landscape
- train their staff on the expanded privacy obligations and the seriousness of intentional or reckless invasions, and
- keep thorough records to demonstrate compliance.
How we can help
As the courts begin to interpret and apply the new tort, further guidance will emerge, but the message is clear that privacy must be treated as a core operational priority. Adopting a privacy-by-design approach and documenting compliance efforts will be essential to minimise legal and reputational risks.
Please reach out to our privacy experts to assist with any queries you may have on how the Australian privacy reforms may impact your business. You can learn more about our Data Protection & Privacy services on the Intellectual Property Law page.
Contributor: Jesmine Medina, Lawyer – Spruson & Ferguson Lawyers