
Mind Your Own: Australia Gives You the Right to Sue for Serious Breaches

16 Nov 2025

Alerts
Corporate Advisory, Compliance & Governance

In a landmark development for Australian privacy law, recent amendments to the Privacy Act 1988 (Cth) (Privacy Act) introduced a new statutory cause of action for serious invasions of privacy.[1]

From 10 June 2025, individuals can take legal action against both other individuals and organisations if they have suffered a serious invasion of their privacy. This new cause of action provides a direct right to sue, without having to rely on existing privacy legislation, contract law, or negligence claims.

What amounts to an invasion of privacy for the purpose of this cause of action? 

An individual (plaintiff) may bring a claim for remedies (such as damages, an injunction or a court-ordered apology), where they have experienced:

In addition to evidence of invasion of privacy, a plaintiff looking to activate this shiny new tort must also prove: 

  • the plaintiff had a reasonable expectation of privacy in all of the circumstances;
  • the invasion of privacy was intentional or reckless (rather than just negligent);
  • the invasion of privacy was serious; and
  • the public interest in protecting their privacy outweighs any countervailing public interest (such as freedom of expression, national security, or journalistic integrity). 

Interestingly, there is no requirement for the plaintiff to prove that they have suffered damage and an action can be brought against any person. This means that the defendant does not need to be an organisation or government agency that is otherwise governed by the Privacy Act (i.e. an APP entity).

Perhaps it is unsurprising that the government saw merit in implementing this new tort, given the broader privacy protections relating to emerging technologies and online platforms. Some examples of conduct which may fall within the remit of an invasion of privacy are: 

  • unauthorised surveillance (e.g., hidden cameras, hacked devices);
  • online doxxing or harassment;
  • storing, interfering with or modifying information, in ways that are unjustified or harmful;
  • data breaches exposing sensitive personal information.

It may also apply where an employer has seriously interfered with the privacy of its employees. The statutory tort for serious invasions of privacy is designed to operate like other torts, developing over time through judicial interpretation. It should be noted, however, that the hurdles required to establish a claim are substantial and there are strict and short time frames within which to bring a claim. 

That said, as this new law significantly raises the stakes for compliance, it signals to individuals that privacy matters, and to organisations that compliance is not optional. There has never been a better time than now for businesses and government agencies to get their data handling practices in order. 

The first real test case?

Victorian MP Sam Groth and his wife, Brittany, are suing the publisher of the Herald Sun, reporter Stephen Drill and editor Sam Weir over articles alleging their relationship began when she was a teenager and he was her tennis coach. Sam is claiming defamation; Brittany is claiming serious invasion of privacy. The publisher claims the stories, published in July 2025, were legitimate reporting about a public figure and has indicated an intention to rely on the journalist exemption. The Groths argue the articles were gossip, not news. Importantly, for the journalist exemption to apply, the publisher will need to demonstrate that the articles had “the character of news”.

The outcome of this test case will offer early guidance on the scope and application of the tort – including what counts as a “serious” invasion of privacy and to what extent media reporting on public figures will be protected.

Practical Steps for Compliance for Organisations 

  • Update privacy policies - revise policies to reflect new statutory requirements and ensure transparency in data collection and usage.
  • Breach response plan - develop a plan to respond to privacy breaches and notify affected parties within required timeframes.
  • Strengthen data security - implement robust data governance practices, conduct regular risk assessments, and appoint a Privacy Officer to manage compliance.
  • Employee training - conduct regular privacy training to ensure staff understand the implications of the new law and handle data appropriately.


 

[1] See Privacy and Other Legislation Amendment Act 2024 (Cth).

 

This article was written by Anna Kosterich, Restricted Practitioner, Corporate Commercial, and Karen Fong, Associate, Corporate Commercial.
