National legal hotline

               

24 Hours, 7 Days

1300 636 846
1300 636 846
"Australia's Best Legal Service 2025"
"Australia's Best Legal Service 2025"
"Australia's Best Legal Service 2025"
1300 636 846

24 hours / 7 days

National Legal Hotline

Call us now for immediate legal assistance, 24 hours a day, 7 days a week. All areas of law, Australia-wide

National Legal Hotline

24 hours / 7 days

Call us now for immediate legal assistance, 24 hours a day, 7 days a week. All areas of law, Australia-wide

Call us now

Complying with Invasion of Privacy Laws

In June 2025, the Privacy Act 1988 was amended and one of the changes was the addition of a new statutory tort: invasion of privacy. This means that individuals now have a cause of action if their privacy is seriously infringed in circumstances where they have an expectation of privacy. This change will have a number of implications for businesses, which are outlined below.

What is invasion of privacy?

Under Schedule 2 of the Privacy Act 1988, individuals now have a cause of action if a person seriously infringes on their privacy in either of the following two ways:

  • Intruding upon their seclusion
  • Misusing their information

An intrusion upon a person’s seclusion is an intrusion into a space where a person has a reasonable expectation of privacy. This may occur online or in real life. It may involve filming or videoing the person or accessing their private correspondence.

A misuse of information involves collecting, communicating, using or publishing personal information about a person for a purpose that is not justified.

It is important to note that, unlike most of the Privacy Act 1988, the new tort of invasion of privacy applies to individuals as well as companies.

Understand when the tort applies

The first step that businesses need to take to ensure they comply with the new laws is to ensure that they understand when the tort of invasion of privacy applies.

The key triggers for liability under the new provisions are as follows:

  • Information is private
  • There is a reasonable expectation of privacy in the circumstances
  • The person has not consented to having their information used in the way complained of
  • The misuse or intrusion was intentional or reckless
  • The breach is serious.

Review privacy policies

Under the new privacy laws, there is potential for employees to take legal action against employers if their personal information is mishandled, or if their employer encroaches on their privacy unreasonably, either in physical space or online. 

Employers should ensure that their privacy policies and data handling procedures are compliant with the law and that all aspects of data handling are covered.

Privacy training

Regular privacy training should be provided to employees, with particular emphasis on ensuring that managers understand the risks of mishandling employee data, either intentionally or accidentally. 

Staff need to be aware that a serious invasion of privacy can lead to an order to pay a significant amount of damages (currently  $478,550 under the statutory cap, and subject to annual increases). 

A serious invasion of privacy can also lead to serious reputational harm.

Privacy impact assessment

It is good practice to conduct a privacy impact assessment (PIA) whenever introducing new systems, HR technologies, or third-party platforms, in order to ensure that best practice is maintained in relation to the handling of employees’ and clients’ personal information.

Maintain records

Companies should ensure that they maintain clear and complete records of their practices in relation to the handling of personal data. This will assist in demonstrating compliance with privacy laws and minimising risk.

Risk management

Under the 2025 changes to the Privacy Act 1988, privacy is now a key area of risk for businesses and employers and ensuring compliance with privacy laws should be a priority for executive leadership.

Businesses should ensure that staff report regularly to leadership on privacy policies and data-handling so that new and emerging risks can be identified and managed, and so that privacy policies are updated when appropriate.

Reasons for the changes

In 2022, the Privacy Act 1988 was reviewed and it was recommended that a statutory tort relating to invasion of privacy be introduced. This was suggested to rectify a number of deficiencies in Australia’s privacy protections, which as they then stood offered no remedy for the following privacy infringements:

  • Filming or photographing a person in a private setting without their consent
  • Disclosing private communications
  • Recording private conversations without consent
  • Misusing a person’s private information that was obtained through an employment contract for personal reasons

Comparable statutory and common law privacy causes of action exist in several Canadian provinces and in parts of the United States, including California.

If you require legal advice or representation in any legal matter, please contact Go To Court Lawyers.

Author Photo

Fernanda Dahlstrom

Content Editor

Fernanda Dahlstrom is a writer, editor and lawyer. She holds a Bachelor of Laws (Latrobe University), a Graduate Diploma in Legal Practice (College of Law), a Bachelor of Arts (The University of Melbourne) and a Master of Arts (Deakin University). Fernanda practised law for eight years, working in criminal law, child protection and domestic violence law in the Northern Territory, and in family law in Queensland.