Australia’s new privacy tort boosting work for law firms

Australia’s new statutory tort for serious invasions of privacy has sparked demand from businesses worried about litigation risk stemming from the new legislation, law firms say.

Privacy Act changes in June introduced a statutory tort for serious invasions of privacy, meaning that individuals now have an extra avenue to seek legal redress for privacy harms.

The change is part of a suite of privacy-related laws passed this year by the federal government aiming to deal with heightened privacy risks in the digital era flowing from the collection and storage of enormous amounts of personal data.

The overhaul, which gives more powers to the Office of the Australian Information Commissioner, includes criminal offences for doxxing, stiffer penalties for privacy breaches, a new Children’s Online Privacy Code and stricter overseas disclosure requirements.

Legal implications of new tort

Macpherson Kelley principal lawyer, commercial, Kelly Dickson says some businesses are in a state of panic about the potential legal implications of the new statutory tort.

“There’s been a little bit of an uptick in interest and activity from businesses in relation to the privacy law changes more generally because this statutory tort has also come in in a tranche along with a whole heap of other privacy amendments,” Dickson says.

“When we’re talking about that statutory tort of serious invasions of privacy, there’s a bit more panic about it, because I think people have heard about it, they’ve seen it in some news articles, they’ve seen lawyers writing about it.

“It’s so new, people are worried about how it’s going to impact their business and them, and the extent that it’s going to impact them as well.”

Businesses are spooked as the tort creates a litigation risk against the backdrop of pre-existing privacy laws which do not enable “this direct right of action for individuals”.

“It’s really exposed businesses and people,” the Melbourne-based lawyer says.

“There are a lot of hoops to jump through and it always will just turn on the facts, but it is broader and more robust than the previous regime we had generally.”

According to Dickson, the key change businesses must appreciate is that individuals now enjoy a right to take direct legal action on privacy. A big linked concern, she says, is the possibility of vicarious employer liability under the tort arising from staff conduct.

The law has yet to be clarified in court, but Dickson points to a potential scenario where staff members involved in their own family law matters, “a really messy divorce or a parenting dispute”, can access information about their partner then misuse it.

“It’s information that the business has about the family but the partners have used it for their own personal purposes.”

Dickson urges businesses worried about the new privacy landscape to review their privacy policies to make sure they are compliant with the legislation. Crucially, she says businesses need to do more than just update an official privacy policy.

“I think a lot of people still think ‘we’ve got a privacy policy we’re good to go’, but the privacy policy is that the external facing document, that has to be supported by privacy practices and other policies that are internal in the business,” she says.

“It’s a whole suite of policy documentation that they need to be looking at.”

Legal evolution

Nich Burch, principal of Burch&Co, a law firm that works with ASX-listed companies and Australian start-ups, says the new tort is working to improve the standard for organisations on collecting, monitoring and using information about their workers.

Burch sees the tort as an important legal evolution in Australia, especially for businesses that are using workplace surveillance or artificial intelligence tools.

“For the first time, employees have a clear right to take action if their privacy is intentionally or recklessly breached,” he says.

“With the explosion of accessible data, businesses must do all they can to protect personal data. That means any AI or monitoring tools should be transparent, purposeful, secure and only used for legitimate business needs.”

Like MacPherson Kelley’s Dickson, Burch says many businesses are currently on the lookout for legal guidance on how to curb risk related to the tort.

He says some smaller enterprises suffering from data security and privacy fatigue have pushed the issue onto the to-do list for 2026, but he is aware of large, listed companies with dedicated privacy teams that are keen to get across the change as a priority.

The big issue such corporates are grappling with, Burch says, is whether their current privacy policies are sufficient to cover them in relation to the new law.

“The main areas for update and change are in the disclosures to be made to employees about how their use of company equipment might be monitored,” Burch says.

He urges companies to take the attitude that “rather than seeing privacy as a barrier, leaders can treat strong governance as a competitive edge”.

“Companies that build privacy into their design, empower and train their people well and are open about their practices will earn trust, avoid costly breaches and stand out.”

Long wait for change

The statutory tort’s introduction in Australia has been a long time coming.

Although talked about for more than 50 years, there has until this year never been a tortious right of action for invasion of privacy under the Commonwealth Privacy Act or any other federal, state or territory statute.

The tort was recommended in a 2014 Australian Law Reform Commission inquiry on the basis that a person’s privacy was being invaded with increasing ease and frequency in the digital era, “when the mobile phones in our pockets are all potential surveillance devices, drones are becoming cheaper and more advanced, and personal information once put online seems impossible to destroy or forget”.

Similar protections exist in New Zealand, Canada, and the UK where breach of privacy has been argued in high-profile cases involving author JK Rowling and singer Elton John.

Griffith University’s Joanne Stagg says the cases invoking the tort are unlikely often to relate to a “breach of a person’s seclusion which would generally be something like someone taking pictures of someone in a private place”.

Under the law, an individual has a cause of action for serious privacy invasions, either by an intrusion on someone’s seclusion or by misusing their information, in circumstances where the individual had a reasonable expectation of privacy.

For a claim to succeed, a plaintiff must show the public interest in protecting their privacy outweighs a competing public interest raised by the defendant.

There are a range of defences where the defendant’s conduct was required or authorised by law or was necessary because of a serious threat to life, health or safety.

Journalism, enforcement bodies and intelligence agencies are exempt from liability.

Stagg says it’s little surprise businesses are wary of the changes given they significantly strengthen Australia’s privacy laws.

The law school lecturer says businesses need to be especially aware that the tort covers information handling across a broader range of areas than prior laws.

“It’s not limited by the type of information the way it used to be. You could tell under the previous legislation are you in the type of industry or is it the type of information that definitely has to be kept private,” Stagg says.

Now it’s any information that’s “serious by looking at the degree of offence, distress or harm to dignity that it’s likely to cause for an ordinary person – then that person has that potential to sue for the disclosure of it”.

She warns that “any accidental disclosure could potentially be a serious breach”, enlivening a cause of action under the tort.

She cites as risky conduct keeping records in a place the public, or unauthorised users, could access them, or keeping them in a system where IT security has not been considered.

Curbing litigation risk will likely be “a bit more of an issue for small businesses. So think about getting some advice on protecting data because if it’s kept completely unsecured or in a place that’s open to the public that would probably start to look like recklessness.”

It’s in the interests of businesses to get compliant given the high financial stakes, she adds. Damages for non-economic loss – plus any exemplary and punitive damages a court decides to award in exceptional circumstances – can reach at $478,550 under the legislation.

Testing the limits

Looking ahead, Law firm MinterEllison expects court cases will soon test the boundaries of this new cause of action and give a more definite shape to the tort and its scope.

Until then, “courts are likely to draw on jurisprudence from other common law jurisdictions where privacy torts have been established – in some cases for decades,” the firm says in a recent note that described the tort as a “significant milestone for privacy law in Australia”.

“While the scope of this tort is uncertain, entities that collect, manage, and otherwise deal with personal data should take appropriate mitigation measures sooner rather than later, to avoid costly lessons learnt through the litigation process.”

Morris Misel, a business futurist and strategist, says the new tort signals a “genuine shift in the social contract” in Australia with huge implications for the legal sector.

In Misel’s view, the legislation shows the nation has “crossed a threshold” on privacy after 20 years of under regulation in the area.

“Organisations harvested data faster than they built the wisdom to hold it. Now the public mood has changed. People are tired of feeling watched, analysed, nudged and occasionally exposed,” he says.

“Now for the first time we’re treating privacy as something with real weight, not a polite aspiration buried in a policy document. Businesses are feeling it because they sense the cultural tide turning.

“We’re stepping into a world where people expect their private lives to remain private, regardless of how easy it is to collect, store or monetise their data.”

According to the futurist, law firms have the chance to win business in coming years as organisations start to see privacy as a commercial differentiator.

Operators in fields that work with large amounts personal data are those likely to be in big need of help adjusting to altered community and legal expectations.

He points to industries such as health, financial services, education, childcare, aged care, and energy as key targets.

“Privacy is becoming a commercial differentiator. Those who protect it win customers. Those who breach it lose the social licence to operate,” Misel says.

“Small and mid-sized organisations are now just as exposed as large ones. A single reckless employee with access to sensitive information can create consequences that were unthinkable five years ago.”

He predicts the tort will be looked back on as a starting point by legislators to catch up with technology in the realm of privacy. In the years ahead, he expects new laws to clamp down on “more pervasive” AI and those that clarify the meaning of reasonable expectations of privacy in a contemporary era “where half our life is online”.

Maintaining a social licence

For businesses, he suggests their social licence to operate will increasingly depend on this issue.

“Privacy, psychological safety and digital dignity are being rewritten as essential human rights for the modern age and these reforms are part of a much broader cultural shift,” he says. “Australia is quietly rebuilding dignity, trust and psychological wellbeing into the foundations of law.”

He sees the tort for serious invasions of privacy as “one piece of a larger pattern”.

“It’s a recognition that people feel increasingly exposed, and that businesses hold far more power over personal information and wellbeing than at any point in history.”