Australia’s new Privacy Law: What businesses and individuals need to know

Australia is entering a new era of privacy protection.

In 2024, sweeping reforms to the nation’s privacy framework culminated in one of the most significant legal shifts in recent decades — the introduction of a statutory tort for serious invasions of privacy.

Effective from June 10, 2025, this landmark legislation will allow individuals to take legal action directly through the courts for serious breaches of privacy without relying solely on the Office of the Australian Information Commissioner (OAIC) or other regulatory bodies.

This change not only empowers individuals to take control of their personal information but also compels businesses and organisations to take a far more proactive approach to managing data responsibly. It brings Australia’s laws closer to global privacy standards seen in the UK, New Zealand, Canada and the European Union, where privacy is recognised as a fundamental human right.

 

What the new Privacy Law means

 

The Privacy and Other Legislation Amendment Act 2024 introduces the right for individuals to sue for serious invasions of privacy, a significant development in Australian law.

Under this new framework, people can bring legal claims for two main types of privacy invasions:

  1. Intrusion upon seclusion - where someone intentionally or recklessly intrudes into another person’s private space or affairs, such as through unjustified surveillance, hidden cameras or eavesdropping.

  2. Misuse of private information - where someone uses, shares or discloses personal information without authorisation, such as posting private photos online or leaking confidential data.

To succeed in a claim, the individual must prove:

  • They had a reasonable expectation of privacy in the situation;
  • The invasion was intentional or reckless; and
  • The invasion was serious in nature.

Importantly, the law does not require proof of actual financial loss or damage. This means that, even if no money is lost, the emotional and reputational harm caused by a serious invasion of privacy can still justify legal action. Courts will be able to award damages for distress, humiliation and emotional harm, as well as order injunctions or require apologies and corrections.

 

Why this change is headline-making

The introduction of a statutory right to privacy is a major step forward for Australian law. Until now, privacy protections were largely handled through regulatory complaint processes under the Privacy Act 1988, overseen by the OAIC. While effective in some cases, these mechanisms were often slow, limited in scope and focused on systemic issues rather than individual harm.

 

This new law changes that dynamic entirely. It’s headline-making because it:

  • Empowers individuals - allowing them to take their own cases directly to court without waiting for a regulator to act.

  • Increases accountability - organisations that handle personal data must now answer not just to regulators but to individuals themselves.

  • Aligns Australia with global standards - in line with countries such as the UK and New Zealand that already recognise a right to sue for serious invasions of privacy.

  • Encourages better business practices - companies will need to strengthen their data protection systems to avoid litigation and reputational damage.

In essence, privacy is no longer a secondary compliance issue — it’s becoming a core business risk and a matter of public trust.

 

Recent Australian cases highlighting privacy concerns

 

1. Bunnings’ use of facial recognition technology

Between 2018 and 2021, Bunnings deployed facial recognition systems across its stores in an attempt to identify banned individuals and prevent theft.

However, an investigation by the Office of the Australian Information Commissioner (OAIC) found that Bunnings had collected sensitive biometric data without obtaining adequate consent or providing clear notice to customers.

The OAIC ruled that this practice breached the Australian Privacy Principles and ordered Bunnings to stop using facial recognition technology and destroy the data collected. This case serves as a stark reminder that even well‑intentioned uses of technology can lead to serious privacy breaches if not implemented transparently and lawfully.

 

2. Optus privacy breach — major data incident

The telecommunications provider Optus faced a major data breach in September 2022, which exposed the personal information of approximately 9.5 million Australians. The OAIC has since commenced civil penalty proceedings in the Federal Court, alleging that Optus ‘seriously interfered with the privacy’ of affected customers by failing to take reasonable steps to protect their personal information from misuse, interference and loss.

While this action under the existing Privacy Act is regulatory, it signals the heightened risk of serious claims and illustrates the type of large‑scale data failures that the new tort may address directly, especially where individuals decide to take their own legal action.

 

3. Victorian woman awarded $30,000 for privacy invasion

In another landmark case, a Victorian court awarded $30,000 in damages to a woman whose private counselling information was disclosed to the media by her father, without her consent.

The court found that this disclosure amounted to a serious invasion of privacy, treating it as a standalone tort independent of traditional breach of confidence claims.

This decision not only demonstrated the judiciary’s willingness to recognise privacy as a distinct legal right but also foreshadowed the national reforms that have now been enacted.

 

4. Post‑enactment case: media privacy threat under new tort

Since the new law came into effect, another important matter has emerged in which a public figure and his spouse have threatened action under the new tort against a major media company.

Here, the claim is that the publication of articles constituted a serious invasion of the spouse’s privacy, potentially the first instance of the statutory tort being leveraged in this way. While not yet resolved, the case illustrates how the new legislative framework is already influencing behaviour and signalling the kinds of claims that may become more common.

 

Implications for businesses

 

For businesses across Australia, the message is clear: privacy compliance can no longer be an afterthought. The introduction of a direct cause of action for serious invasions of privacy raises both the legal and reputational stakes for all organisations handling personal information.

To prepare, businesses should take the following proactive steps:

  1. Review data handling practices - conduct a comprehensive audit of how your organisation collects, stores, uses and shares personal information. Identify potential risks and ensure compliance with both the existing Privacy Act and the new tort framework.

  2. Implement robust consent mechanisms - ensure that individuals provide informed, explicit consent before any sensitive or biometric information is collected. This includes updating forms, online interactions and surveillance systems to make consent clear and transparent.

  3. Update privacy policies and procedures - your organisation’s privacy policy should clearly explain what data is collected, why it’s needed, how it’s used and who it’s shared with. Review it regularly to reflect evolving technologies and legal requirements.

  4. Train and educate staff - every employee should understand their privacy obligations. Regular training can reduce the risk of human error, data leaks and mishandling of information.

  5. Strengthen cybersecurity and data protection - privacy and security go hand-in-hand. Implement strong data encryption, access controls and breach response protocols to prevent unauthorised access or disclosure of sensitive information.

  6. Develop a crisis management plan - if a privacy breach does occur, a timely and transparent response is essential. Establish a protocol for notifying affected individuals and regulators, and prepare communications strategies to manage reputational impact.

Failure to meet these standards could expose businesses to lawsuits, fines and serious damage to consumer trust.

 

Implications for individuals

 

For individuals, this new law represents a major advancement in personal rights and protections.

Under the new framework, people will have:

  • Direct recourse for privacy breaches - no longer limited to filing complaints through regulators, individuals can take their cases directly to court.

  • Stronger control over personal data - enhanced power over how their information is collected, used and shared.

  • Potential for compensation - damages can be awarded not only for financial loss but also for emotional distress, humiliation and reputational harm.

This shift acknowledges that privacy invasions often cause deep personal harm even when they don’t result in tangible financial damage. It also signals a growing recognition that privacy is a core element of human dignity and digital safety in the modern world.

 

A cultural shift toward accountability

 

Australia’s new privacy law signals more than just a legal change — it highlights a broader shift in societal expectations around data and personal information.

In an increasingly digital world, from smart devices and social media to workplace monitoring, people expect their information to be handled with care, transparency and respect. Organisations that approach privacy as an opportunity to build trust rather than just meet regulatory requirements will strengthen their reputation, foster customer loyalty and gain a meaningful competitive advantage.

At Aubrey Brown Lawyers, we understand the complexities of Australia’s evolving privacy framework and the significant risks that come with non-compliance. Our experienced legal team can help your organisation navigate these changes, from reviewing privacy policies and data handling procedures to advising on consent mechanisms, risk management and responding to potential breaches. We also provide expert guidance and representation for individuals seeking to exercise their new rights under the law.

Please call us on (02) 4350 3333 to arrange an appointment.


We acknowledge and respect the traditional owners of the land on which we live and work, the Guringai and Darkinjung people.
We pay our respects to Elders past, present and emerging.