Privacy statutory tort (serious invasions of privacy)
From June 2025 — serious invasion of privacy actionable in tort.
Who must comply
All individuals + entities. Not limited to APP entities.
What triggers it
Alleged serious invasion of privacy (intrusion or misuse of info).
When due
1-year limitation period (extensions possible).
Evidence required
Plaintiff: evidence of seriousness + harm + defendant's conduct.
Max penalty
—
Effective from
10 June 2025
Summary
Privacy and Other Legislation Amendment Act 2024 introduced statutory tort for serious invasions of privacy from 10 June 2025. Defences include defamation, statutory authority, public interest. Federal Court + state courts hear.
Enforced by
Source legislation
Topics
Related obligations
- CWLTHNotifiable Data Breach (NDB) schemeUnder the NDB scheme, APP entities must notify the OAIC and affected individuals of an eligible data breach likely to cause serious harm — assessed within 30 days.
- CWLTHAutomated Decision-Making transparency under Privacy Act (phased)From a phased commencement, APP entities using ADM must disclose in Privacy Policy.
- CWLTHAPP 3 collection of sensitive informationAPP 3 bars collecting sensitive information — health, race, religion, sexual orientation and more — without consent. What counts as sensitive, the exceptions and penalties.
- CWLTHPrepare for the proposed removal of the small business exemptionRemoving the Privacy Act small business exemption (<$3M turnover) is proposed for a future reform tranche — agreed in principle, not yet law.
- CWLTHPrivacy Act Reform — information controllers regime (proposed Tranche 2)Tranche 2 reforms in scoping — information controllers + processors regime.
- CWLTHPublish a Privacy Policy compliant with APP 1Every APP entity needs a clearly-expressed Privacy Policy covering APP 1.4 requirements.
Frequently asked questions
- Who must comply with Privacy statutory tort (serious invasions of privacy)?
- All individuals + entities. Not limited to APP entities.
- What triggers Privacy statutory tort (serious invasions of privacy)?
- Alleged serious invasion of privacy (intrusion or misuse of info).
- When is Privacy statutory tort (serious invasions of privacy) due?
- 1-year limitation period (extensions possible).
- What evidence is required for Privacy statutory tort (serious invasions of privacy)?
- Plaintiff: evidence of seriousness + harm + defendant's conduct.
Source: https://oaic.gov.au/privacy/the-privacy-act/changes-to-the-privacy-act. Rules Mate is not a law firm. Always verify against the live regulator source before acting.