
A new privacy right of action – how to avoid unexpected consequences


    What you need to know

    • A new statutory tort for a serious invasion of privacy applies from 10 June 2025 – part of Australia's first tranche of privacy law reforms.
    • While framed around "serious" invasions of privacy, its broad scope and flexible application may bring unexpected consequences.
    • The action brings greater exposure for existing risks such as data retention and potentially cyber incidents, and opens new risk frontiers: employee grievances (there is no employee records exemption), high-profile individuals, activist litigation, and people experiencing vulnerability.
    • Expect plaintiffs to test boundaries, and creatively leverage court processes and remedies (such as interim injunctions and declarations) for tactical advantage.
    • In this article, we explain the new tort in a nutshell, share practical tips to manage risks, and discuss where it sits in the regulatory and enforcement toolkit and the ongoing privacy reform agenda.
    • Read more about broader privacy reforms at A generational change in privacy regulation in Australia.

    What you need to do

    • Review and update risk and compliance frameworks – traditional privacy compliance won't necessarily insulate businesses from liability. Consider employee data practices, consent mechanisms, high-risk data flows and updates to staff training. Update risk registers, and revisit insurance coverage.
    • Prioritise litigation readiness – ensure legal and compliance teams know what to look for and are prepared for litigious claimants.
    • Monitor developments – early cases and potentially international experience will shape how courts interpret key concepts like "serious" and "reasonable expectation of privacy".
    • Integrate across teams – privacy, cyber, HR, and legal functions must work together to manage exposure.

    Australia's new tort for serious invasions of privacy

    For the first time, individuals can bring direct legal action for a serious invasion of privacy without relying on the regulator to act.

    While the new right is framed to address "serious" privacy harms, its broad scope and flexible application mean that businesses must prepare for potential unintended consequences. The tort is not confined by the definitions, exemptions or thresholds of the Privacy Act, and has been welcomed by the regulator as a flexible tool to address gaps in the existing regime and respond to emerging harms. 

    The tort was the most controversial element of the first tranche of privacy reforms included in the Privacy and Other Legislation Amendment Act 2024, passed in late 2024. It follows recommendations in the Government's 2023 response to the Privacy Act Review Report (2022), which was itself triggered by the ACCC Digital Platforms Inquiry (2017-19). The tort has been a long time coming – it is based on the model proposed by the Australian Law Reform Commission over a decade ago in its report Serious Invasions of Privacy in the Digital Era (Report No 123, 3 September 2014). It has been over 20 years since the High Court in Australian Broadcasting Corporation v Lenah Game Meats [2001] HCA 63 left the door open for a common law tort to deal with privacy – a possibility developed further, but never confirmed in a superior court, in a series of cases including Grosse v Purvis [2003] QDC 151, Giller v Procopets [2008] VSCA 236 and most recently Lynn Waller v Romy Barrett [2024] VCC 962.

    With the introduction of the new right, the suite of remedies available to individuals is expanded and Australia inches closer to the suite of privacy protections available in other jurisdictions, such as the United Kingdom, Canada and New Zealand, as well as the United States. Given the lack of success in establishing a direct cause of action prior to the introduction of the new right, organisations in Australia should now be rethinking what this means for their privacy compliance programs and potential new risks that may arise. 

    The new tort in a nutshell

    Intrusion upon an individual's seclusion, or "misuse" of information relating to an individual (both broad concepts).

    In circumstances where:

    • a person in the plaintiff's position would have had a reasonable expectation of privacy
    • the invasion was intentional or reckless
    • the invasion was serious
    • the public interest in privacy outweighs any countervailing public interest

    "Serious" depends on: 

    • the degree of offence, distress, or harm to dignity the invasion was likely to cause a person of ordinary sensibilities in the plaintiff's position
    • whether the defendant knew or ought to have known the conduct was likely to offend, distress, or harm the dignity of the plaintiff
    • whether the defendant was motivated by malice (if the invasion was intentional)

    Defences

    • Consent
    • Necessary to protect life, health, or safety; incidental to lawful right of defence of persons/property; required or authorised by law or court order
    • Publication defences – Publication of public documents; fair report of proceedings of public concern; absolute privilege

    Exemptions include journalists, law enforcement, government, and persons under 18 years old

    Remedies

    • Damages for non-economic loss and exemplary or punitive damages, capped at $478,500 – the cap does not extend to economic loss or legal costs
    • Account of profits – paying back any benefits
    • Injunction restraining the invasion
    • Orders for apologies, corrections, or destruction or delivery up of material
    • Declaration that privacy seriously invaded

    Not linked to Privacy Act compliance

    Action can be brought whether or not conduct is permitted under or subject to the Privacy Act.

    No need to establish damage

    … but harm or potential harm will be an important factor in determining whether the invasion was "serious".


    Practical tips to manage risk under the new tort

    1. Prioritise your biggest risks

    Don't silo your risk and legal expertise – take an integrated approach to fully understand how the law impacts risk, and how the organisational risks impact your legal obligations.

    Understand and address the harms and risks specific to your business, and new potential avenues for litigation. 

    What information could have serious consequences if misused, and can this information be deleted or have extra access controls? Don't forget unstructured data and ad hoc data flows – like email, shared drives, and internal chat systems. 

    Know your early warning systems – complaints processes may be your canary in the coal mine, but can you identify higher risk information as it is collected or generated? 

    2. Rethink your assumptions on the scope of privacy claims 

    The new tort is not limited to concepts that may have been used to scope compliance and risk management frameworks in the past. 

    For example, the Privacy Act is limited to "personal information" about an identified (or reasonably identifiable) individual, and has a range of exceptions (such as for employee records). The new tort applies to a wider concept: information that relates to an individual in which the individual has a reasonable expectation of privacy, as well as scenarios not involving information at all but still amounting to an intrusion upon seclusion (such as surveillance).

    "Misuse" of information is a deliberately broad concept, including collecting, using or disclosing information. Storing, interfering with or modifying information could also be a “misuse”. Misuse could involve other concepts not identified in the legislation or explanatory materials – for example, we might see arguments that using information beyond the scope of a consent or permitted purposes is "misuse".

    In the right circumstances, where harm can be established, we could potentially see actions linked to information normally considered lower risk – such as de-identified, anonymised or pseudonymised information, aggregated data sets, and metadata.

    3. Adopt a demonstrably defensible, risk-informed approach

    Adopt a litigation-ready mindset. Adopting best practices is not enough – you need to demonstrate how they have been deployed. Implement and evidence controls that both prevent a potential misuse of information and rebut any claim that a misuse was intentional or reckless.

    A key part of this is understanding the risk environment – recklessness is likely to mean an individual was aware of a substantial risk, but continued to act regardless, did not address the risk, and that risk taking was unjustified. If a substantial risk is known at an industry level, then this may be sufficient to prove awareness. The recent explosion in advisories, guidance, and best practice is likely to support allegations that particular risks were known. Board or executive documents in particular will likely be scrutinised to establish awareness of risk at an organisational level.

    Allegations of recklessness may have many faces – from a decision to delay a software patch, to failing to act on recommendations from privacy or cyber security reviews, to whether key functions like privacy and cyber security teams are adequately funded. Data and security governance need to "close the loop" – proactively monitoring risks, acting promptly, and defensibly documenting decisions not to act. Organisations should have controls in place to direct and monitor the right behaviours. 

    4. Consents and transparency even more critical

    One of the key exceptions under the tort relies on consent.

    As a result, valid and reliable consents become an even more important risk management tool, particularly where more sensitive or confidential information is being handled. Even where consent may not be strictly required for certain activities under the Australian Privacy Principles, including express or implied consent within a workflow will help set an organisation up for a potential defence should there be a claim under the tort. 

    Ensure that customer and employee consents are valid, specific, and clearly cover all intended uses, including data handling, monitoring, storage and profiling. The more transparent and specific you are, the more reliable a consent will be. Express consent will also be easier to demonstrate in evidence; generalised or vague consent will be less reliable.

    Where gaining consent is impractical, transparency and clear communication still help set clear expectations, reducing both the risk of a mismatch in expectations of privacy and the litigation risk that follows from it.

    5. Understand your higher risk edge cases

    The high barriers to liability may give comfort when assessing data handling risk. But within any activity, we will see areas of heightened vulnerability. The same information or conduct might present limited risks for most individuals – but could have serious implications for a class of those individuals, particularly where there is knowledge of a specific vulnerability. 

    For example, there may be a heightened risk in contact details or addresses of survivors of domestic violence, even where the unauthorised sharing of contact details for other individuals may not reach the "serious" threshold. 

    Understand which cohorts of individuals are more at risk. Make sure responsible practices around safeguarding the information of vulnerable people are fully mapped into your data handling – children are a current focus, with the OAIC currently developing a new Children's Online Privacy Code.

    6. Prepare for big risks and small 

    Expect high net worth or high-profile individuals to explore the boundaries of the tort, and expect exploratory use of the statutory tort in high-stakes litigation (including, potentially, activist litigation). The first examples of the tort being tested in court will help define its boundaries and the special risk areas that arise under Australia's particular formulation of the right.

    We may also see unresolved privacy complaints escalated to claims – potentially speculative ones, and potentially made by unrepresented litigants. Where in the past a privacy issue might have been managed through a complaint to the Office of the Australian Information Commissioner, there is now a significant new risk of a claim being asserted in court, potentially at a very early stage of the complaints process. Privacy and legal teams will need to consider how to reduce the additional complexity and risk of managing these claims.

    "Serious" - not what you might think

    While “serious” will be a relatively high threshold, limiting the scope of successful claims to avoid spurious allegations – it is important to think through how it might be applied and whether or not there is an argument that the invasion is "serious". 

    A court may consider the degree of offence, distress, or harm to dignity likely caused by the invasion, whether the defendant knew or should have known about the potential harm, and if the invasion was motivated by malice. 

    However, the provisions do not limit what the court could consider. In explanatory materials, the Parliament has made it clear that courts could, for example, consider the actual effect the offence, distress or harm had on an individual, or the number of individuals affected. This may mean that an incident that would not otherwise be considered serious might be considered serious (and within scope for the tort) if it impacts a large number of individuals – creating particular risks for large-scale misuses of information or data breach incidents where recklessness might be alleged.

    Similarly, foreseeability of harm might tip the balance – emphasising the need to properly risk assess activities.

    An invasion may also be considered serious because of malicious intent. In Peters v Attorney-General on behalf of Ministry of Social Development [2021] NZCA 355, New Zealand Member of Parliament Winston Peters brought proceedings alleging the tort of invasion of privacy after details of an inadvertent overpayment of superannuation were leaked to the media. The High Court at first instance found that there was a reasonable expectation that a payment irregularity would not be disclosed to the media, and that a deliberate leak would be "highly offensive" – such a leak would be a serious invasion of privacy under the New Zealand equivalent.

    Employee data, monitoring, and surveillance

    The new tort creates new exposures for employers. Employers need to revisit practices and policies around IT, and all forms of monitoring and surveillance to put in place safety controls, security, transparency, and consent.

    While employee records are (for now) generally excluded from Privacy Act obligations, the statutory tort is not limited to Privacy Act compliance. Depending on the precise scenario, employee data breaches as well as misuse of employee information or employee surveillance (in circumstances where the employee might otherwise have a reasonable expectation of privacy) might be subject to the new tort.

    In addition to financial exposure, the tort brings the potential for new tactics, such as injunctions or declarations, that can block projects, harm an employer's reputation, or serve as a strategic element in broader negotiations or a campaign not otherwise related to the privacy issues in question.

    This new right may form part of a broader vision of protections available to employees in light of new technologies. The Parliament's January 2025 The Future of Work report recommended wide-ranging employee protections around technology-driven employee monitoring and surveillance, including to progress employee data privacy protections expected in the second tranche of privacy reforms. The Victorian Parliament’s May 2025 Inquiry into workplace surveillance similarly called for extensive reform.

    New litigation tactics

    Plaintiff and class action lawyers will be looking to test the limits of the new tort.

    Applications for injunctive relief (particularly in some data breach scenarios, if recklessness is established) will add complexity to the management of incidents. Declarations will also be available to claimants; they act as a shortcut to establish whether elements of the tort are met, but could also be used strategically as part of broader negotiations or a campaign (eg in activist litigation).

    The new tort overcomes some challenges for plaintiffs in potential privacy and data breach class actions, but also presents new challenges. There is no requirement to prove damage (lowering the evidentiary bar for prospective plaintiffs). However, the high barriers to liability may be difficult to establish for each individual in a proposed group. 

    The flexibility of a new and untested tort will be particularly attractive for actions involving new and innovative technologies – particularly where existing laws are struggling to keep pace.

    Where the tort fits in the regulatory toolkit

    The new tort is part of a larger generational change in privacy law in Australia. Because the tort is not tied to existing Privacy Act concepts, it will be a flexible tool that can address gaps in the existing regime and address emerging risks (such as doxxing). Importantly, litigants will not be reliant on the OAIC to bring legal action.

    The OAIC is building enforcement capabilities. It has completed its organisational restructure to support an enforcement-based approach, and to pro-actively deal with emerging harms, with the 2025 budget delivering $8.7 million over three years to support enforcement. Last year's reforms included important new regulatory levers, such as broader investigation powers, tiered penalties and a compliance notice regime.

    The OAIC will direct its enforcement efforts where it can change market practices – to reshape products, services, and platforms. A key part of this is pursuing "benchmark" and test cases, both to clarify the law and to set behavioural expectations.

    Added to this expanded toolkit is the ability to leave some issues to be dealt with by private litigators – or to support litigants in bringing actions not constrained by the previous privacy framework.

    The Privacy Commissioner can also intervene in tort proceedings or appear as amicus curiae (“friend of the court”) where a case raises significant legal or public interest issues. This allows the Commissioner to make submissions to the court, ensuring the regulator’s expertise can be brought to bear on how the new privacy standards are applied. 

    The Privacy Commissioner has stated that this power will be selectively used, intervening only in strategically important cases.

    More reforms on the agenda

    Last year, law reform recommendations from the Privacy Act Review Report were split into two tranches – an initial tranche passed late last year (including the statutory tort), with a further tranche deferred.

    Of the first tranche of reforms, only two parts remain to be implemented. The OAIC is already working on the Children's Online Privacy Code, and business and government are busy building transparency for automated decisions. Read more at A generational change in privacy regulation in Australia.

    Similarly, last year’s cyber security and critical infrastructure reforms are coming into play – with the last pieces of the Cyber Security Act commencing 29 May (on ransom reporting and the Cyber Incident Review Board). Read more about Redefining Cyber Readiness.

    Privacy under productivity review

    The deferred second tranche reforms included those requiring further consultation. In "accepting in principle" the bulk of the reforms, the Government said it would conduct a comprehensive impact analysis to ensure the right balance can be struck between privacy benefits for Australians and other impacts on regulated entities.

    The Government's impact assessment of the privacy reforms has not been published. But the Productivity Commission is considering an "outcomes-based" approach to privacy – looking at whether Australia's privacy regime (including the second tranche reforms) strikes the right balance between consumer protection, enabling business innovation, and productivity growth, and whether it achieves its objectives in the most efficient and effective manner. An interim report is expected in July or August 2025, a call for submissions in August to September 2025, and a final report is due in December 2025.

    A further direct right of action for Privacy Act breaches is still on the agenda

    As part of the deferred second tranche of privacy reforms, the Government agreed in principle to introduce a direct right of action for individuals to litigate Privacy Act breaches. This direct right of action would be separate to the statutory tort for serious invasion of privacy.

    Under the proposed mechanism, individuals would need to first lodge a complaint with the OAIC and attempt conciliation before being able to take the matter to the Federal Court. This “gateway” process is intended to filter out minor complaints, so that only more serious or unresolved cases proceed to litigation.

    This additional tool would allow individuals to pursue non-compliance with the Privacy Act themselves, potentially further freeing OAIC resources for strategic enforcement. Whether it eventuates, in light of the introduction of the statutory tort for serious invasion of privacy and the Productivity Commission's review, remains to be seen.

    A global perspective

    A range of jurisdictions now have a statutory or common law tort for invasion of privacy or intrusion on seclusion, and have had these rights available for some time – such as the United Kingdom, Canada and New Zealand, as well as the United States.

    Australian courts, regulators, and potential litigants will look to their counterparts overseas – paying careful attention to the litigation strategies and reasoning deployed. Increasingly, allegations and revelations about data handling practices in one jurisdiction will trigger litigation across similar jurisdictions. However, while there are similarities between the positions of some of the jurisdictions, they are not all the same, and certain nuances will potentially result in differing approaches being taken in Australian courts.  

    Similarly, prospective defendants can understand potential exposure by examining overseas experiences. Hot button issues have included workplace surveillance technologies, data breaches and cases involving consumer tracking.

    Additional authors: Emma Hallab, Graduate and Ragul Sivaram, Paralegal.


    This material is current as at 13 June 2025 but does not take into account any developments after that date. It is not intended to be a comprehensive review of all developments in the law or in practice, or to cover all aspects of those referred to, and does not constitute professional advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.