Australia just got a new privacy law and it's a game changer

In a highly anticipated and long-awaited move, the Federal Parliament has introduced a new statutory tort for serious invasions of privacy, fundamentally reshaping the privacy law landscape across Australia.

For some time, there has been worldwide discussion about developing such a tort.  This new law provides individuals with a clear and direct pathway to seek redress for privacy breaches, and importantly they do not need to prove damage to initiate a lawsuit.

What’s new?

The new tort addresses two types of conduct:

1. Intrusions upon a person’s seclusion—this includes physical or digital snooping and stalking.
2. Misuse of private information—for example, leaking sensitive personal data.

Importantly, to succeed in a claim, a person must prove four key elements:

1. There was an invasion of privacy.
2. They had a reasonable expectation of privacy.
3. The conduct was intentional or reckless (not merely careless).
4. The invasion was serious.

A long time coming

The move brings to life long-standing recommendations from the Australian Law Reform Commission (ALRC). The ALRC’s 2014 report, Serious Invasions of Privacy in the Digital Era, laid the groundwork by urging the Federal Government to create a statutory tort that reflects international privacy norms and modern technological risks.

Until now, Australia has lagged behind countries such as the UK, New Zealand, and Canada in providing a clear recourse for privacy invasions. Although the courts have considered the concept of a tort of privacy, notably in the High Court’s 2001 decision of ABC v Lenah Game Meats, they have stopped short of recognising a standalone tort.

This new law fills that gap.

Serious invasion? Here’s what that means

The threshold for a successful claim is high; the invasion must be serious, meaning it is more than just inconvenient or mildly offensive. Courts are likely to ask, 'Would a reasonable person find this conduct highly offensive? Did it cause emotional or psychological harm, or interfere with a person’s ability to go about their life?'

This aligns with earlier decisions, like that of Grosse v Purvis, which emphasised the need for genuine distress or detriment—not just technical violations.

It’s not just about hackers

You don’t need to be a cybercriminal to fall foul of this law. The tort also targets misuse of personal information, meaning businesses, health providers, and even government departments must be cautious. A breach of the APPs— those extra obligations that prompt businesses to make you read a privacy policy before signing— could form the basis for a privacy tort claim.

Expectation of privacy: context is key

Not everything private is protected. Courts will examine whether a reasonable person in the affected party’s position would expect privacy in that situation. Factors such as age, profession, public exposure, and the context of the intrusion are all relevant. For example, a celebrity might expect less privacy in public but could still have a case if their private medical data is leaked.

Recklessness isn’t a loophole

This law isn’t just about punishing deliberate acts. If someone recklessly disregards another’s privacy—such as sharing data without verifying consent—they could be held liable. Courts are likely to apply an objective standard: would a reasonable person in the same position have acted differently?

While negligent acts alone might not be enough, reckless disregard definitely is.

Public interest vs personal privacy

A unique feature of a new tort is a built-in public interest balancing test. Defendants can argue that their conduct served a greater good, such as protecting national security, public health, or freedom of expression. This defence is modelled on international standards and partly borrowed from defamation law.

However, it is not a free pass. Courts are expected to weigh the public benefit of the intrusion against the harm caused to the individual. When this balance tips in favour of the individual, then so will the public interest.

So what’s the price of privacy?

The courts now have substantial power to award remedies, including:

1. damages for emotional harm
2. punitive damages in exceptional cases (damages for when businesses and individuals significantly misstep)
3. apologies or corrections
4. injunctions to stop or prevent further breaches, and
5. accounts of profits (forcing businesses and individuals to relinquish money made from the breach).

However, there’s a catch: damages for non-economic loss (when privacy interference causes emotional harm) must remain within the damages limit, currently capped at $478,500.00 or the equivalent amount for general damages in defamation cases.

This raises the question; how much is your privacy worth?

Time for businesses to step up

For businesses in this new established age of technology and privacy, this tort is a wake-up call. It adds another layer of legal risk, particularly regarding data security, storage, and disclosure. In short: the stakes have just gotten a lot higher.

Therefore, it’s a good time to take a fresh look at your approach to privacy and ensure it remains a priority when reviewing systems and processes.

A new era for privacy in Australia

Australia’s new privacy tort marks a major leap forward in protecting individuals in the digital age. It seeks to strike a balance between personal rights and public interest, emphasising that privacy is not just a courtesy but a fundamental right.

As the digital world becomes increasingly complex and intrusive, this reform arrives at a crucial moment when the law and lawmakers are working hard to keep pace.