
Statutory tort for serious invasions of privacy

13 June 2025


Authors: John Moran, Alec Christie, Jacky Li, and Lauren Wallace

From 10 June 2025, individuals in Australia have a legally recognised right to sue for serious invasions of privacy.

Schedule 2 of the Privacy and Other Legislation Amendment Act 2024, which introduces this statutory right of action, is now in force.

In this article, we unpack the key elements of the new tort, who is affected, and what this means for your organisation.

What is the new statutory tort?

The statutory tort allows an individual to bring a legal action where another person invades their privacy by:

  • intruding on their seclusion; or
  • misusing information relating to them

provided all of the following conditions are met:

  • the individual had a reasonable expectation of privacy in all of the circumstances;
  • the invasion was intentional or reckless;
  • the invasion was serious; and
  • the public interest in the individual’s privacy outweighs any competing public interest.

Importantly, the tort is actionable without proof of damage. Individuals can claim damages for emotional distress alone – a head of loss that may not be available under traditional claims in negligence and contract.

Defences baked into the tort

The legislation also provides a range of statutory defences, including where:

  • the invasion of privacy was required or authorised by law;
  • the individual consented, expressly or impliedly;
  • the defendant reasonably believed that the invasion of privacy was necessary to prevent or lessen a serious threat to life, health or safety of a person;
  • the conduct was incidental to the lawful defence of persons or property; or
  • the invasion occurred via a publication protected by existing defamation defences (eg absolute privilege, public documents, fair reports).

Who is affected?

The tort can be brought against any “person”, which includes both individuals and corporate entities. Businesses may also face vicarious liability for the conduct of their employees.

There is no small business exemption, nor is there an exemption for employee records – a significant shift from the Privacy Act 1988.

However, some exclusions remain. The tort does not apply to:

  • certain government agencies, law enforcement, and intelligence bodies;
  • individuals disclosing information to such agencies;
  • persons under 18; and
  • journalists and others (in specific circumstances relating to “journalistic materials”).

What does it mean for your business?

The tort coming into force ends the long-running uncertainty about whether Australian law recognises a cause of action for invasion of privacy. Courts have flirted with this idea in several decisions since 2001. Now, the statutory tort removes all doubt.

While individuals now have that right of action, the thresholds that must be met to establish liability are high and likely difficult to prove. In practice, we therefore expect the applicability of the tort to be fairly limited.

In the context of data privacy, organisations that have made genuine efforts to comply with their privacy obligations under the Privacy Act are unlikely to be exposed to a significant risk of liability. The requirement that the invasion be intentional or reckless means that mere negligence or compliance gaps – while potentially actionable under other laws – are unlikely to satisfy the tort’s thresholds.

At an individual level, we also expect most claims to be economically unviable. Although damages for emotional distress are recoverable, in the absence of financial loss, potential payouts are likely to be modest. For many individuals, the cost of bringing proceedings will outweigh any likely award.

Class action risk?

The wider risk potentially lies with class actions, particularly following cyber incidents or data breaches.

Public awareness and intensifying regulatory activity around cybersecurity and data breaches mean that such events are often catastrophised, and an organisation’s data privacy and information security are placed under public scrutiny. This gives plaintiff firms an opportunity to assess the extent of an organisation’s privacy compliance, and the sheer volume of affected individuals is likely to create a ‘ready-made’ class of potential participants.

One of the challenges such claims historically faced was uncertainty about the recoverability of damages for emotional distress (typically the only loss suffered by an individual affected by a data breach) in traditional causes of action such as contract and tort. This meant that many plaintiff firms relied on the representative complaint mechanism under the Privacy Act to bring those claims. The tort removes that challenge.

The procedural hurdles for class actions in the Federal Court and Supreme Court of Victoria (where most class actions are commenced) are also relatively low. A minimum of seven group members is all that’s required, and the regime allows for sub-groups where not all issues are common. Once on foot, these proceedings can rapidly escalate, exposing organisations to costly and reputationally damaging litigation.

While the new tort does therefore carry with it some class action risk, that risk is limited by the high bars that a plaintiff must meet to establish liability. The focus in any defence should therefore be on scrutinising the threshold elements of the tort (seriousness, intention / recklessness, and privacy expectations) and applicability of any available statutory defences. In reality, the greatest risk faces those organisations whose privacy compliance is non-existent or significantly below par.

What should you do?

Organisations should act proactively. Those most at risk are ones that have either ignored (or paid lip service to) their privacy obligations or lack oversight at the governance level.

You should:

  • assess the status of your privacy and cybersecurity obligations and your current compliance with those obligations to identify and remediate any compliance gaps;
  • ensure that you have an up-to-date incident response plan that is regularly tested, and a plan in place for the rapid review of compromised datasets. Effective incident response plays an important role in mitigating claims exposure;
  • review your data retention policies and delete personal information you no longer have a lawful basis for retaining. Continued retention beyond statutory time limits increases your liability exposure; and
  • if an incident occurs, where possible provide tailored notification statements to affected individuals. Avoid generic ‘catch-all’ notification statements, which cause unnecessary distress and alarm and increase your exposure to complaints, compensation requests and third-party claims.

All of the above steps ultimately reduce the risk of claims under the tort, as well as wider complaints, compensation and claims exposure. Atmos can provide a 1-hour privacy health check to help you talk through what you currently have in place and how you could improve your data privacy and digital risk posture.

To hear more or to organise a chat, get in touch:

info@atmosgroup.com.au