Statutory Tort for Serious Invasions of Privacy: What Your Business Needs to Know

Since 10 June 2025, Australians can sue directly in court under the statutory tort for serious invasions of privacy, without first lodging a complaint with the Office of the Australian Information Commissioner (OAIC), and without any minimum turnover threshold for potential defendants. Companies, small businesses, and individuals can all be defendants. Courts have already received claims and taken action. If your business handles personal information in any meaningful way, the tort is now part of your litigation risk profile.

The Previous Regime and Why It Was Insufficient

For years, privacy enforcement in practice ran through the OAIC complaints process. It was slow, outcomes were often non-binding at the early stages, and it applied only to entities caught by the Australian Privacy Principles. Businesses with an annual turnover under $3 million were commonly outside its scope pursuant to the small business exemption. Individuals were too.

The new tort changes the landscape. It appears in Schedule 2 of the Privacy Act 1988 (Cth) and gives a person a cause of action against any individual or organisation. The OAIC is not a prerequisite. Remedies have also changed. In addition to damages and injunctions, a court can order a defendant to make a public apology, which may be published in the court’s judgment or in another manner the court specifies. This creates a different kind of exposure than a fine.

Elements of the Statutory Tort for Serious Invasions of Privacy

To establish a claim under the statutory tort for serious invasions of privacy, five elements must be proven:

1. Invasion of Privacy

The plaintiff’s privacy must have been invaded, either through intrusion on seclusion or misuse of personal information.

2. Reasonable Expectation of Privacy

The plaintiff must have had a reasonable expectation of privacy in the circumstances in which the invasion occurred.

3. Intentional or Reckless Conduct

The invasion must have been intentional or reckless; mere negligence is insufficient to establish liability under the tort.

4. Seriousness of the Invasion

The invasion must be serious.

This element is often the most contested. In journalism or whistleblower cases, it may prevent an otherwise strong claim. Conversely, in an employment setting where someone discloses medical or personal information without proper basis, this factor is unlikely to favour the defendant.

The concept of seriousness remains unsettled, with limited judicial guidance on what constitutes a “serious” invasion of privacy for the purposes of the tort. Early decisions will be highly influential, and plaintiffs and their lawyers may strategically choose cases to push the threshold as low as possible. Whether courts will resist this trend is uncertain. At this stage, any confident prediction about where the threshold will ultimately settle is speculative.

5. Public Interest

Finally, the public interest in protecting the plaintiff’s privacy must outweigh any competing interest, such as freedom of expression, fraud prevention, or public safety.

Limitation Periods

Limitation periods are tight. Proceedings must generally be commenced within one year of the plaintiff becoming aware of the invasion, or three years after it occurred, whichever is earlier. The outer limit is six years. For plaintiffs under 18 when the invasion occurred, the cut-off is their 21st birthday.

Remedies and the Priority of Injunctive Relief

Most disputes will not begin with a claim for damages. They will start with a plaintiff seeking to stop something: a publication, a disclosure, a continuing use of private material. Courts can move quickly when the facts justify it. Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396 was decided in October 2025, less than five months after the tort commenced. The defendant was a neighbour, not a corporation, and the court granted interlocutory relief. The speed at which that application moved is itself a signal.

On damages:

  • Non-economic loss and punitive damages are capped at the greater of $478,550 or the indexed defamation non-economic loss cap.

  • Courts award exemplary damages only in exceptional cases where the defendant’s conduct justifies punishment and deterrence beyond compensatory damages.

  • Aggravated damages are not available.

  • Proven economic loss is uncapped and sits outside the cap.

In class action proceedings, the cap does not mean low exposure. Multiple plaintiffs, each with a claim within the cap, against one defendant following one incident or one policy decision can produce substantial aggregate liability.

Early Proceedings Under the Statutory Tort for Serious Invasions of Privacy

Media Case

In August 2025, Sam Groth and his wife Brittany commenced Federal Court proceedings against the Herald Sun, claiming a serious invasion of privacy under the statutory tort. The publisher relied on the journalism exemption and moved to strike out the claim. The matter settled in November 2025 before the exemption was tested. The next case will address issues this one did not, and media defendants are closely watching developments under this new tort.

Private Case

The Kurraba case involved a company and its CEO suing a neighbour alleged to have misused private photographs as part of an extortion campaign connected to a development dispute. The facts are stark, which may limit how much the decision reveals about ordinary cases, but the ruling confirms that courts act quickly when the threshold for the statutory tort for serious invasions of privacy is met.

Regulatory Enforcement Example

In October 2025, the Federal Court ordered Australian Clinical Labs to pay $5.8 million in civil penalties for a 2022 data breach affecting more than 223,000 people. While this is regulatory enforcement under the Privacy Act and not a tort case, it highlights the serious consequences businesses can face when privacy is breached. The case underscores the importance of compliance and vigilance, particularly given the introduction of the statutory tort for serious invasions of privacy, which exposes organisations to direct civil claims.

Where Liability Arises in Practice

Many privacy problems do not originate with sophisticated external breaches. They start internally:

  • The email sent to the wrong group

  • A manager disclosing something they had no authority to share

  • A grievance letter forwarded without consideration

  • A monitoring system deployed years ago and never revisited

Employee Records Gap

The Australian Privacy Principles carry an employee records exemption. The tort does not. An employer who deliberately circulates performance material, discloses a health condition without proper basis, or uses surveillance outputs for an improper purpose is directly exposed. The employer’s size is irrelevant. Businesses that assumed they sat outside the privacy regime because of the turnover threshold or the employee records exemption should reconsider that assumption.

Workplace Monitoring

Workplace monitoring remains unsettled, and the analysis below is necessarily provisional because courts have litigated very few cases under the tort. CCTV, access-card logs, email monitoring, and productivity tracking for remote workers can all constitute intrusion on seclusion, depending on the context. Courts determine whether an employee has a reasonable expectation of privacy based on what the employer told them, what they agreed to, and how the employer deployed monitoring. Employees who are informed about monitoring and agree to it as a condition of employment may have a reduced expectation of privacy in that context. However, courts may not accept that argument in employment settings, where the power imbalance between employer and employee is evident. The first case to test this properly will attract close attention.

Unauthorised Disclosure

Unauthorised disclosure is probably where the volume of claims will concentrate over the coming years. The disclosure that generates the claim is rarely deliberate. In most matters I have seen, it is a manager who thought they were being transparent, or an administrative error that nobody noticed for three weeks. It is the everyday decisions that produce liability: who is copied on a letter, what a reference check discloses, whether health information follows someone through a corporate restructure, and whether need-to-know access controls are actually enforced rather than merely documented.

The Critical Importance of the Initial Response

When a complaint arrives, or a threatened publication or data incident comes to light, the first two days tend to determine the shape of what follows.

Questions include:

  • Who speaks for the organisation?

  • What goes into writing?

  • Are lawyers engaged early enough to establish privilege over the investigation and any internal review?

Communications produced under pressure routinely become exhibits. I have seen matters where the substantive legal position was entirely manageable and the organisation’s own communications created the real difficulty.

There is no formula that substitutes for judgment in those circumstances. But having considered these questions before they arise, and having identified in advance who holds authority to make decisions and communicate externally, reduces the risk of compounding an incident through the response to it.

Assessing Exposure

Three questions tend to locate the real risk quickly, though they are harder to answer well than they appear:

  1. What personal information does the organisation hold that, if misused or disclosed without authority, could cause genuine distress or harm to the individuals it concerns? That is where the exposure sits, and if the answer is unclear, there is a data mapping problem that precedes any legal question.

  2. Who within the organisation has the practical ability to access and disclose that information, and what controls govern that ability? A single person acting without authority, in the genuine belief they are doing the right thing, is a recurring origin point for claims of this kind.

  3. If proceedings commence tomorrow, the organisation faces immediate questions. Most businesses discover that no one clearly knows the answers. Two people may believe they have authority to speak externally, while a manager may have already conducted half of an investigation via email, potentially jeopardising privilege. Organisations must decide in advance who will be called, what must be preserved, where privilege applies, and who is authorised to communicate with the other side and the public—before the situation arises, not during it.

Insurance Coverage

Many cyber and professional indemnity policies were drafted before this tort existed. Some will not respond to privacy tort claims or will exclude defence costs from coverage. Insureds should confirm their position against the specific terms of the new cause of action before any claim arrives. Assumptions formed at the last renewal may not hold.

Concluding Observations

The OAIC complaint process remains available, but it is no longer the only route, and it will not always be the route plaintiffs choose. The seriousness threshold, the scope of the journalism exemption, and the application of the tort in employment contexts are all unresolved questions that will be worked through in the courts over the next two to three years.

Businesses that believed they sat outside the previous privacy regime because of the turnover threshold or the employee records exemption should not assume the same position applies to the tort. The exposure is broader, the process is faster, and the consequences of an inadequate initial response are more difficult to repair than most organisations anticipate.

If a specific concern arises, for example a recent incident, a threatened claim, a monitoring practice that has not been reviewed, or a transaction involving sensitive personal information, obtain legal advice before taking any action.

Privilege, evidence preservation, and controlled communications are materially easier to establish at the outset than to reconstruct after proceedings have commenced.

This article is general information only and does not constitute legal advice. If you require guidance or further information, including compliance, risk management, or responding to potential claims, please contact Allied Legal.

Michael Vieyra

Michael is a senior litigation and commercial disputes lawyer with over 18 years’ experience in complex matters across Australia and internationally. Dual-qualified in Australia and South Africa, he has acted in high-stakes disputes involving directors’ duties, negligence, contracts, and regulatory compliance.

With experience in the Federal and Supreme Courts, Michael takes a strategic, commercially minded approach to resolving disputes efficiently through litigation, mediation, or negotiation across industries including healthcare, transport, and technology.