Australia’s Statutory Tort for Breach of Privacy: Not Just for APP-Covered Entities

Australia’s new statutory tort for breach of privacy came into effect on 10 June 2025 – and it doesn’t just apply to entities covered by the Australian Privacy Principles (even though it is included in Schedule 2 of the Privacy Act 1988 (Cth)). Nor does there have to be a breach of the Australian Privacy Principles. This extended application means it is relevant to the roughly 90% of businesses that are exempt from privacy regulation in Australia (for example, just say … real estate agents).

But while it casts a broad net for organisations who can be sued, the law is very limited and is drafted carefully  to offer remedies only to those who suffer a significant breach of privacy, which may severely limit its application. 

We delve into what that means in this post. 

What is the New Tort of Privacy in Australia? 

Before we dig in, in case you aren’t legally trained, a tort is essentially an act that causes harm and for which there’s a right of legal action (a lawsuit). A statutory tort is one that has been created through an act of parliament. In all cases, torts are civil wrongs —not a crime— that a court can address by making the wrongdoer pay money or other compensation to the person or person they harmed.

Australia’s privacy tort means that an individual (or group of individuals) can bring a lawsuit against another person or an organisation if their privacy is breached in certain ways. Before the tort was introduced, the only redress for anyone harmed by a privacy breach was to seek redress under the Privacy Act which gives that privacy regulator powers to make determinations and award compensation – but only for breaches of the Act.

Elements of the New Tort of Privacy in Australia

The new tort is included in Schedule 2 of the Privacy Act.

The legislation states that there are five requirements that must be met for an individual to have a cause of action: 

1. The defendant must have invaded the plaintiff’s privacy by intruding upon the plaintiff’s seclusion and/or misusing information that relates to the plaintiff; and
2. A person in the position of the plaintiff would have had a reasonable expectation of privacy in all of the circumstances; and 
3. The invasion of privacy was intentional or reckless; and
4. The invasion of privacy was serious.

There is also a  public interest element to the tort:  consideration may be given to whether the plaintiff’s right to privacy is outweighed by any countervailing public interest.  This means that Courts will weigh the public interest in preserving and upholding the right to privacy against competing interests like freedom of expression 

You can read the legislation for further details about what factors are considered by the court when determining whether the invasion of privacy was serious or what constitutes a reasonable expectation of privacy. 

Defences and exemptions

There are significant defences to the tort outlined in the legislation, including (but not limited to):

• express or implied consent (to the invasion of privacy – not the collection of the personal information), 
• If the conduct was required or authorised by law, including court or tribunal orders; or
•  if the invasion was incidental to the lawful defence of persons or property and was proportionate, necessary, and reasonable..  

There is also an exception for journalists and journalistic materials.  Although outside the scope of this post, this one has been quite contentious.  To have the benefit of the protection from liability, you must meet two requirements:

• You must be a journalist; and
• The breach must have occurred via Journalistic material that has “the character of news, current affairs or documentary.”

This means that if a journalist publishes material that fits this description, it may be exempt from liability under the new tort — even if the content involves serious invasions of privacy.

Can You Be Sued for Breach of Privacy in Australia? 

One of the biggest changes under the new privacy tort is that it increases the privacy risk for businesses and organisations that have otherwise not been subject to significant privacy risk in Australia. The fact that entities don’t need to be ‘covered’ by the APP obligations to fall under the statutory tort means that all organisations should review their privacy hygiene. 

That being said, the bar for an individual to prove that an organisation’s conduct was reckless or intentional is going to prevent many potential claims from proceeding. The more usual standard of proof in torts is ‘negligent’’ – or a failure to take reasonable care’. However, that’s not the language used here. 

It’s possible that for the claim to succeed, individuals will need to show that an organisation knew about the privacy invasion risk and took that risk anyway, uncaring as to the impact on individuals and where it is otherwise unjustified.  This has proved a challenging bar to meet in other cases of potential liability for reckless behaviour. 

It will be interesting to see if failures to secure data properly leading to significant data breaches will be sufficient to meet the threshold of recklessness or intentionally caused harm.

Scenarios That May Attract Breach of Privacy Lawsuits in Australia

While there haven’t been any cases brought under this legislation  to tell you exactly what common risk areas are (it is less than 4 months old!), we’d suggest taking a good look at the following as a starting point: 

1. Your internal practices around disclosing personal information about employees. We covered whether it’s a data breach if you disclose someone’s birthday without their consent in the office, but what about other information? What if a manager passes on that an employee is having a sick day for medical care for an illness? Or if that same manager asks everyone in the office to sign a Get Well Soon card and discloses the illness more broadly? We aren’t saying this would necessarily pass all the legal tests required for the hypothetical employee’s lawsuit to succeed. However, it is essential that your organisation really tidy up its practices around disclosures of employee personal information.
2. Whether you collect or use personal information for any unauthorised reasons. If you’re selling email addresses to marketers or otherwise collecting or using personal information without consent, it’s a good time to tidy up your practices. It could just be a matter of improving your privacy notices and consent collection procedures, which may be less effort than you think.
3. Access controls for personal information collected from your customers. Employees should not have broad access to customer information, and your practices should reflect this. We wrote about a widespread practice at Flight Centre years ago, where employees would record customer credit card and passport numbers in an insecure free text field in the company’s system. This is a poor privacy practice that carries risk of a breach in any event, but may carry additional risks now with the statutory tort for privacy. 

Again, it remains to be seen what claims succeed in Australia, but all organisations should watch with interest.  At the very least, it is worth making sure that your privacy practices could not be considered ‘reckless.’

Finally, we strongly recommend ensuring your team is regularly trained on privacy compliance and risks – including this new statutory tort. Privacy 108 offers tailored privacy awareness training to organisations to improve their privacy posture. We’d be happy to speak with you, obligation free, to discuss your training needs. You can reach us at hello@privacy108.com.au 

Oops! We could not locate your form.