Personal Injury

Tort of Privacy

Since its inception, the Privacy Act 1988 (Cth) has done little to consolidate an actionable right to privacy despite being one of the longest-standing pieces of national data protection legislation. However, with the arrival of recent reform, all that has changed – representing a transformative moment for Australia’s privacy law. Under the Privacy Act, individuals now have access to a statutory cause of action for serious invasions of their privacy, denoting a significant expansion of individual privacy rights.

The development places Australia alongside its international counterparts, including the UK and New Zealand, where there is already a recognition of common law and statutory privacy torts. It also closes existing gaps in Australian law, to remove the reliance on indirect remedies such as breach of confidence, defamation, or regulatory complaints to the Office of the Australian Information Commissioner.

Given the significance of the reform for Australia’s privacy law, it is pertinent to elucidate its broader context and examine the tort‘s key elements, its legal implications, and practical considerations for businesses, government agencies and media organisations.

Background: Privacy Act

For decades, there has been long-standing deliberation over whether the right to privacy should exist within the law, and if so, how it should be recognised and protected. Whilst the courts decided in the 1937 case of Victoria Park that there is no such thing as lawful or unlawful interference of privacy in Australia, the 2001 decision in ABC v Lenah Game Meats highlighted that this does not explicitly prevent the development of an enforceable right to privacy.

Although the courts have never developed a common law tort dealing with privacy since then, the Australian Law Reform Commission has continued to push for reform. In 2008, they expressed concerns over the rapid advances in information, storage, surveillance and other relevant technologies. They considered the extent to which privacy should be protected by legislation in their report ‘For Your Information: Australian Privacy Law and Practice’.

Then again, in 2014, they released the report ‘Serious Invasions of Privacy in the Digital Era’, recognising the novel risks posed by emerging technologies such as mobile phones, surveillance devices, drones and online platforms and the inability of current privacy protections to safeguard against them. The main recommendation of the report was the introduction of a statutory cause of action for serious invasions of privacy for physical intrusions into a person’s private space and for the misuse of a person’s private information.

Over 10 years later, Parliament addressed these concerns when it passed the Privacy Amendment Bill on 10 December 2024. On 10 June 2025, a new statutory tort for serious invasions of privacy came into effect through Schedule 2 of the Privacy Act. This new tort provides a legal avenue for individuals affected by an invasion of privacy that falls outside the scope of the Privacy Act and is intended to be read and construed separately as a stand-alone provision.

What is Required to Make Out the Tort

Establishing a cause of action under this new tort requires five key elements to be satisfied, pursuant to section 7 of the schedule. Relevantly, the defendant does not need to be covered by the Australian Privacy Principles – they can be an individual, a corporation or other entity, and a successful claim does

1. Invasion of the Person’s Privacy

First, there needs to be a positive act constituting an actual invasion of the defendant’s privacy by the plaintiff.  This can either be through an intrusion upon the plaintiff’s seclusion and/or a misuse of information relating to the plaintiff.  The former is statutorily defined as any physical intrusion into a person’s private space, as well as watching, listening to or recording the person’s private activities or private affairs, whilst the latter is statutorily defined as collecting, using or disclosing information about the individual.

2. Reasonable Expectation of Privacy

Second, the person in the plaintiff’s position needs to have had a reasonable expectation of privacy. To assess whether there would have been a reasonable expectation of privacy, the court may consider a variety of factors set out in section 7(5).

3. Invasion was Intentional or Reckless

The third element introduces a degree of fault to the tort by requiring that the invasion of privacy was intentional or reckless rather than just negligent.

4. Seriousness

The fourth element introduces a minimum threshold to the tort by requiring that the invasion of privacy was serious and not merely trivial. Whilst the term ‘serious is not defined statutorily, some of the factors that the court should consider when assessing seriousness are:

• the degree of any offence, distress or harm to dignity that the invasion of privacy was likely to cause to a person of ordinary sensibilities in the position of the plaintiff;
• whether the defendant knew or ought to have known that the invasion of privacy was likely to offend, distress or harm the dignity of the plaintiff;
• if the invasion of privacy was intentional, whether the defendant was motivated by malice.

5. Countervailing Public Interest

Finally, the public interest in the plaintiff’s privacy must outweigh any countervailing public interest. When the court is deciding whether a countervailing public interest exists, they can consider a variety of factors against the nature and severity of the invasion, including;

• freedom of expression,
• freedom of the media,
• the proper administration of government,
• open justice,
• public health and safety,
• national security,
• the prevention
• and detection of crime and fraud.

If these five elements are satisfied by the plaintiff, then the defendant will be liable, unless any defence or exemption is applicable. For a claim to succeed, no proof of damage is required; however, the extent of the damage may be relevant to establishing the seriousness of the conduct.

It is also relevant to note that a reasonably short limitation period applies. For plaintiffs who are over the age of 18 years, proceedings must be commenced within one year of the plaintiff becoming aware of the invasion of privacy or 3 years after the invasion of privacy occurred.

Remedies

Sections 12 and 13 of the schedule list a range of remedies that may be sought by plaintiffs for a serious invasion of their privacy. These are to be awarded at the discretion of the court and include injunctions, declarations and damages. Courts may also order the defendant to apologise to the plaintiff, to correct misinformation and to require the defendant to destroy or cover up copies of material.

As is the case in defamation law, damages for non-economic loss are capped at $478,550.  For economic loss, damages may exceed this cap, but only if there is proof of actual financial loss.

Defenses

If liability is established then a range of defenses may be raised by the defendant pursuant to section 8 of the Schedule including that the defendant’s conduct was required or authorised by law; the defendant reasonably believed the invasion of privacy was necessary to prevent or lessen a serious threat to the life, health or safety of a person; or the plaintiff consented to the invasion of privacy. Defences found in defamation law are also available, such as absolute privilege, publication of public documents, and fair reporting of public proceedings.

Exemptions

A number of significant exemptions apply to the new cause of action. The most significant exemption is for journalists – marking a significant win for freedom of press. Pursuant to section 15 of the Schedule, if an invasion of privacy involves the collection, preparation for publication, or publication of, journalistic material, then the tort does not apply to the journalists involved, the employers of journalists, persons engaging the journalists, or personal assisting the journalists.

A range of exemptions is also provided for law enforcement bodies, intelligence agencies, persons under the age of 18 and state and territory authorities, as long as the invasion of privacy occurs in the good faith performance of a function or exercise of the agency or authority.

Privacy Tort v Defamation Claim

Given some of the overlap between the new tort and existing defamation law, it is important to distinguish between the two and recognise that the new tort complements a defamation claim rather than replacing it. The primary difference is that defamation law protects a person’s reputation, whereas the new tort protects a person’s reputation. As such, publication is a key element in defamation. In comparison, the new tort does not necessitate the publication of information.

International Guidance

Much of the inspiration for Australia’s privacy tort was drawn from the privacy protections found in other jurisdictions such as New Zealand, Canada and the UK. To better understand how the tort will be interpreted and applied by the Australian courts, it is helpful to consider the jurisprudence from these jurisdictions.

The pertinence of overseas case law is particularly evident in the context of New Zealand and the UK, where the plaintiff is required to prove a reasonable expectation of privacy – analogous to the second element of the Australian tort.

The case of Murray v Express Newspapers [2008] EWCA Civ 446 (UK) specifically considered this element. A photographer took a photo of JK Rowling and her husband walking out in public, with their 18-month-old child in a pram, and sent it to Express Newspapers, where it was published. An action for breach of privacy was commenced, with the court finding that the child had a reasonable expectation of privacy.

Contrastingly, in the case of John v Associated Newspapers Ltd [2006] EWHC 1611 (UK), Elton John sought an injunction to prevent the publication of a photograph of himself on the street about to walk through the front gate to his property on the basis that it infringed his privacy. They found that there was no privacy infringement, as there was no reasonable expectation of privacy since he was simply walking through the street.

Like Australia, privacy torts in Canada, the US and New Zealand limit the tort to significant breaches of privacy to avoid trivial claims. While these jurisdictions require the invasion of privacy to be ‘highly offensive’ rather than ‘serious’ as in the Australian context, the two thresholds are ostensibly the same.

In New Zealand, in the case of C v Holland [2012] 3 NZLR 672, the court found that the defendant intruded into the plaintiff’s seclusion by secretly recording two videos of her while she was showering at a property owned by her boyfriend and the defendant. The plaintiff was found to have a reasonable expectation of privacy in showering alone at her boyfriend’s property, and the intrusion was serious enough to be deemed highly offensive to a reasonable person.

Australia’s new cause of action diverges slightly from the analogous action in New Zealand by expanding the fault element. In New Zealand, the tort is actionable only for intentional conduct, whereas in Australia it is actionable for both reckless and deliberate conduct – potentially broadening its scope.

With regard to the ‘balancing act’ required for the final element of the Australian action, the UK case of Campbell v MGN Ltd provides some guidance. Here, it was held that the publication of Naomi Campbell’s attendance at a Narcotics Anonymous meeting constituted a serious intrusion of privacy. At the centre of the decision was a balancing test between the public’s right to know and the individual’s right to privacy, based on the threshold of ‘’highly offensive’’.

Looking Ahead

Exactly how the tort will develop in Australia will become clearer as new cases inevitably test its boundaries in the courts and judicial interpretation elucidates its scope.  What is clear, however, is that the tort marks a significant expansion of privacy rights within Australia whilst establishing an entirely new avenue for litigation. Breaches of privacy that would have previously only triggered regulatory scrutiny may now be valid causes of civil action. In order to avoid legal liability, organisations and individuals may need to re-evaluate their practices as they may fall within the scope of a serious invasion of privacy.