Privacy
The Statutory Tort for Serious Invasions of Privacy: What It Means for Business
3 July 2026 · Updated 3 July 2026
Short answer: Australia’s statutory tort for serious invasions of privacy commenced on 10 June 2025. It lets an individual sue where they had a reasonable expectation of privacy, the invasion was intentional or reckless and serious, and the public interest in privacy outweighs competing interests. The plaintiff does not have to prove damage. It reaches beyond APP entities.
For the first time, an Australian can take a privacy harm straight to court and seek damages, without proving financial loss. That is a different kind of exposure to a regulator complaint.
What is the statutory tort for serious invasions of privacy?
The statutory tort for serious invasions of privacy is a cause of action that lets an individual sue another person or organisation for seriously invading their privacy. It was introduced into the Privacy Act 1988 by the Privacy and Other Legislation Amendment Act 2024, and the provisions are in Schedule 2 of the Act. The Office of the Australian Information Commissioner (OAIC) describes it as giving individuals an additional avenue to seek redress for privacy harms in the courts.
The invasion can take one of two forms: intruding upon the individual’s seclusion, for example by physically intruding into their private space or watching or listening to their private activities, or misusing information that relates to them. The OAIC does not administer the tort. It is enforced by individuals bringing proceedings in court, and the OAIC advises that anyone considering it should seek independent legal advice. This makes it structurally different from the rest of the Privacy Act, which the OAIC regulates.
When did the privacy tort commence in Australia?
The statutory tort commenced on 10 June 2025. This is later than the rest of the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024 with most measures commencing the following day. The tort was given a separate, later commencement, which is a common point of confusion when people date the reform as a single event.
The date matters for exposure. The tort applies to conduct on or after 10 June 2025, so it is live now, not a future obligation to prepare for. Any organisation that handles personal information or that could intrude on someone’s private affairs, through surveillance, data misuse or otherwise, has been within reach of a claim since that date. It stands alongside the other changes in the 2024 Privacy Act reform, but as a court based remedy rather than a regulatory one.
What are the elements of the statutory tort for privacy?
The elements of the statutory tort combine to set a deliberately high bar, so that only genuinely serious invasions succeed. A plaintiff must establish each of the following. The table sets them out.
| Element | What it requires |
|---|---|
| Reasonable expectation of privacy | A person in the plaintiff’s position would have expected privacy in all the circumstances |
| Type of invasion | The invasion was an intrusion upon seclusion or a misuse of information about the plaintiff |
| Fault | The invasion was committed intentionally or recklessly, not merely negligently |
| Seriousness | The invasion was serious |
| Public interest balance | The public interest in privacy outweighs any countervailing public interest, such as freedom of expression |
Two features stand out. The fault element is intention or recklessness, so accidental invasions generally fall outside the tort. And the plaintiff does not have to prove they suffered damage. Actionability without proof of damage is unusual and significant, because it means a claim can proceed on the seriousness of the invasion itself rather than a measurable loss.
Can a business be sued under the privacy tort?
Yes, a business can be sued under the privacy tort, and its reach is wider than most of the Privacy Act. The OAIC notes the tort is broader in application than the Act, extending to individuals and other entities that may not necessarily be an Australian Privacy Principle (APP) entity. That means the small business exemption, which keeps many organisations outside the APPs, does not shield a business from a tort claim.
There are defences and exemptions. It is a defence if the defendant acted with the plaintiff’s consent or under lawful authority. Exemptions apply to a number of bodies, including intelligence agencies, law enforcement bodies and, in certain circumstances, journalists. Proceedings are also time limited: generally the earlier of one year after the plaintiff became aware of the invasion and three years after it occurred, with a longer window for plaintiffs who were under 18 at the time. None of this removes the underlying point. Conduct that seriously and deliberately invades privacy now carries direct civil exposure to the affected individual. Where a privacy invasion also involves a data breach, the Notifiable Data Breaches scheme may run concurrently with its own notification obligations.
What remedies are available under the statutory tort?
The court may grant whatever remedies it considers appropriate, and the range is broad. The OAIC identifies damages, an injunction and an order requiring an apology among the possible outcomes. An injunction can stop an ongoing invasion or prevent a threatened one, which makes the tort useful for live situations such as surveillance or an imminent publication, not only after the fact.
For a business, the practical exposure is threefold. There is the financial risk of a damages award, the operational risk of an injunction that halts a system or a practice, and the reputational cost of a public finding and an ordered apology. Because the tort does not require proof of damage and reaches non APP entities, the population of potential defendants is larger than under the Privacy Act alone. Managing that exposure comes down to the basics: understand where your operations could intrude on private affairs or misuse personal information, build privacy into design through a privacy impact assessment, and get your own legal advice where a real risk exists. A virtual CISO can provide the ongoing privacy and security leadership that keeps these risks managed rather than discovered after the fact. This article describes the law and is not legal advice.
Frequently asked questions
What is the statutory tort for serious invasions of privacy?
The statutory tort for serious invasions of privacy is a cause of action introduced into the Privacy Act 1988 by the Privacy and Other Legislation Amendment Act 2024. It lets an individual sue a person or organisation that seriously invaded their privacy by intruding on their seclusion or misusing information about them, where the individual had a reasonable expectation of privacy. The provisions are in Schedule 2 of the Privacy Act.
When did the privacy tort commence in Australia?
The statutory tort for serious invasions of privacy commenced on 10 June 2025. It was created by the Privacy and Other Legislation Amendment Act 2024, which received Royal Assent on 10 December 2024, but the tort itself came into effect on the later date of 10 June 2025.
What are the elements of the statutory tort for privacy?
The plaintiff must have had a reasonable expectation of privacy in all the circumstances, the invasion must involve intrusion upon seclusion or misuse of information, the invasion must have been intentional or reckless, it must be serious, and the public interest in protecting privacy must outweigh any countervailing public interest. The plaintiff does not have to prove they suffered damage.
Can a business be sued under the privacy tort?
Yes. The tort is broader than the Privacy Act and extends to individuals and entities that may not be APP entities, so a business can be a defendant even if the small business exemption would otherwise apply. There are defences, including consent and lawful authority, and exemptions for certain bodies such as intelligence agencies, law enforcement and, in some circumstances, journalists.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Statutory tort for serious invasions of privacy, OAIC, 19 June 2025
- Passing of bill a significant step for Australia’s privacy law, OAIC, 29 November 2024
- Privacy and Other Legislation Amendment Act 2024, Federal Register of Legislation, assented 10 December 2024
Last updated: 3 July, 2026