IPMojo

BOOK AN APPOINTMENT

Privacy 2.0 Part 2

by

I Tort I Saw a Privacy Breach: Australia’s New Right to Sue

In barely a few weeks’ time, for the first time in Australian legal history, individuals will be able to sue for a serious invasion of privacy — with the new statutory tort coming into force on 10 June 2025.

It’s a landmark moment. While the Privacy Act has long offered regulatory protections (mainly enforced by the OAIC), this new law gives individuals a direct, personal legal remedy in court. If someone invades your privacy — by spying on you, hacking your data, or misusing personal information — you can now bring a tort claim for compensation, injunctions, apologies, or other relief.

But it’s not a free-for-all. Let’s unpack how it works.

What Exactly Do You Have to Prove?

To win a case under the new law, a plaintiff must establish five elements, all of which are based on ALRC recommendations:

  1. An invasion of privacy — either by intrusion upon seclusion (e.g. surveillance, unlawful entry, voyeurism) or misuse of private information (e.g. disclosing or using someone’s personal details without permission).

  2. A reasonable expectation of privacy — determined in context. This takes into account factors like place (e.g. home vs public), the sensitivity of the information, age or cultural background of the plaintiff, and whether they invited publicity.

  3. Intentional or reckless conduct — negligence isn’t enough. The defendant must have acted deliberately or with reckless disregard.

  4. A serious invasion — not just annoying or embarrassing. The harm must be objectively significant (e.g. likely to cause offence, distress or harm to dignity to a person of ordinary sensibilities).

  5. Public interest balancing — the court must be satisfied that the plaintiff’s right to privacy outweighs any public interest raised by the defendant (such as free expression, national security, or open justice).

You don’t need to prove economic loss or damage — it’s actionable without it. However, the nature and impact of the harm (e.g. emotional distress, reputational damage, or humiliation) will affect the seriousness of the invasion and any damages awarded.

Not Retrospective — and Watch the Clock

The new tort is not retrospective. That means you can’t sue for conduct that occurred before 10 June 2025, no matter how bad it was. The law only applies to invasions of privacy on or after the commencement date.

And there are strict time limits:

  • You must start proceedings within one year of becoming aware of the invasion, and in any event within three years of when it happened — whichever is earlier.

  • If the plaintiff was under 18 at the time, they can sue any time up until their 21st birthday.

  • In exceptional circumstances, the court can extend the period up to six years after the event — for instance, where trauma or lack of awareness delayed action.

What About Defences?

It’s not all a one-sided affair. There’s a structured list of statutory defences, including where:

  • The conduct was required or authorised by law

  • The plaintiff consented

  • It was necessary to prevent serious harm

  • The conduct was part of a lawful defence of person or property

There are also defamation-style defences for things like absolute privilege, publication of public documents, and fair reporting of public proceedings — and journalists enjoy an exemption when acting in a professional capacity under a recognised code of conduct.

Law enforcement and intelligence agencies are also exempt when acting within their lawful functions.

What Remedies Are Available?

The court can award compensation for emotional distress, injury to dignity, and reputational harm — capped at the same maximum as defamation damages (currently $478,550, indexed).

It can also award exemplary damages in egregious cases (like malicious distribution of private images), and make orders for apologies, corrections, injunctions, and destruction of material.

Importantly, apologies won’t count as admissions of guilt — so defendants can say sorry without conceding liability (though it might reduce damages).

What Now?

This is a big deal for Australian privacy law. The new statutory tort fills a long-standing gap between regulation and personal rights — and will likely open the door to more litigation, especially in areas like:

  • image-based abuse

  • unauthorised publication of intimate content

  • intrusive surveillance

  • data misuse or unethical tech deployment

For businesses, publishers, digital platforms and public institutions, now is the time to review policies, train staff, and sanity-check any borderline practices. Reckless handling of sensitive information — even without publication — could now be very costly.

Tune in next week for: a deep dive into the new Children’s Online Privacy Code. Because in 2025, even kids’ data isn’t child’s play.