The Privacy Act statutory tort for serious invasions of privacy

What the tort is

The Privacy and Other Legislation Amendment Act 2024 introduced a new statutory tort for serious invasions of privacy. This new cause of action is contained within Schedule 2 of the Act. Privacy Act 2026 readiness

The tort commenced on 10 June 2025, six months after the Act received Royal Assent on 10 December 2024. This means the tort is applicable to conduct occurring on or after that date.

Importantly, the tort is not restricted to organisations subject to the Australian Privacy Principles (APP entities). Any individual can bring an action against a defendant whose conduct satisfies the elements of the tort.

The two limbs

The statutory tort for serious invasions of privacy arises in two distinct ways. A defendant may invade an individual’s privacy through intrusion upon seclusion, which involves unauthorised physical or technological access to a private space or activities. Alternatively, an invasion can occur through misuse of private information, encompassing actions such as the collection, use, or disclosure of private information without authority.

To establish the tort, the invasion must be serious. This represents a high threshold, designed to prevent claims based on trivial or minor incidents. The seriousness of the invasion is assessed objectively, considering the nature of the conduct and its impact on the individual.

A key element in determining whether an invasion of privacy has occurred is whether the plaintiff had a reasonable expectation of privacy in the circumstances. This expectation is also assessed objectively, considering all relevant factors.

Defences and public interest

The Privacy Act provides several defences to a claim for serious invasion of privacy. These include instances where conduct is undertaken pursuant to lawful authority, where the plaintiff has consented to the conduct, and where a public-interest defence applies. The public-interest defence allows conduct that would otherwise constitute a serious invasion of privacy if the public interest in the conduct outweighs the public interest in protecting the plaintiff’s privacy.

The public-interest defence considers a range of factors when determining whether it applies. These factors include, but are not limited to, the public interest in freedom of expression, public health and safety, national security, and the administration of justice. The relevance of journalism is specifically recognised when considering this defence.

It is crucial to understand that the public-interest defence is not absolute. While journalism is a relevant consideration, the court will balance the competing interests to determine whether the defence operates in a particular case.

Remedies and interaction with the Privacy Act

Remedies available to a successful plaintiff in a serious invasion of privacy tort include damages, declarations, injunctions, and other orders as the court deems suitable. Damages may cover non-economic loss, and in specific circumstances, aggravated or exemplary damages may be awarded. The potential for these remedies highlights the need for organisations to carefully consider their privacy practices. NDB notification timer

The tort is distinct from the Office of the Australian Information Commissioner (OAIC) complaints regime established under the Privacy Act. Individuals retain the right to pursue both avenues of redress concurrently; however, the principle of *res judicata* prevents double recovery – that is, an individual cannot recover the same loss twice.

Organisations must recognise that the introduction of this tort elevates the risk profile associated with privacy incidents. Compliance and incident-response programs should now account for potential litigation risk, in addition to the risk of regulatory action by the OAIC.