What is the new statutory tort for serious invasions of privacy?

The Privacy and Other Legislation Amendment Act 2024 (Cth) introduced a landmark civil liability for Australian businesses. From 10 June 2025, individuals can directly sue an organisation in court for a serious invasion of privacy.

1. Direct Litigation Avenue

Before the statutory tort, an individual’s primary path for a privacy invasion was to file a complaint with the OAIC and wait for a regulatory investigation. Now, a plaintiff can initiate court proceedings directly for damages, an injunction, or other remedies.

2. Elements of the Tort

For a claim to succeed, the plaintiff must establish four elements:

• Invasion: There was an intrusion upon the plaintiff’s seclusion or a misuse of their private information.
• Intentional or Reckless: The defendant’s conduct was intentional or reckless, not merely negligent.
• Highly Offensive: A reasonable person in the plaintiff’s position would regard the privacy invasion as highly offensive.
• Public Interest: The public interest in privacy outweighs any competing public interest.

3. High Risk for Data Breaches

A data breach that occurs because a business chooses not to implement standard security measures, despite being aware of the risk, may satisfy the “reckless” requirement. This exposes the business to direct lawsuits from large groups of affected clients.

4. No turnover threshold

The statutory tort applies to all entities, not only those covered by the Privacy Act 1988 (Cth). This means small businesses that fall below the $3 million turnover threshold can still be sued under this tort if a serious privacy invasion occurs.

Related Topics

• What is an Eligible Data Breach?
• NDB Scheme Checklist for QLD Business
• Commercial Law Practice Area

Is your business exposed to a direct privacy lawsuit? Bell & Senior Lawyers provides litigation defence and risk management for Queensland businesses. Call (07) 5532 8777.

Read our Complete Startup Legal Guide for Queensland