Move over, corporate Goliaths. From 10 June 2025, everyday Australians got a brand-new power in their back pockets.
Thanks to long-awaited updates to the Privacy Act, individuals can now take legal action when their privacy is seriously invaded. Yep. Company Directors and business owners are on the hook for privacy practices. It’s called a statutory tort, and while the name isn’t exactly thrilling, the implications are huge. For companies and individuals alike.
Here’s everything you need to know, without the legalese-induced nap.
From Principles to Personal Power
For years, the Privacy Act has given Australians a framework of rights. But until now, individuals couldn’t take direct legal action for privacy breaches, unless the regulator (the Office of the Australian Information Commissioner) got involved.
That’s changed.
Now, if someone seriously invades your privacy—say, by sharing sensitive personal data without consent, or snooping through private communications—you can go to court to seek redress. That might mean financial compensation, an apology, or an order to stop the offending behaviour.
Is this a free-for-all?
Not quite. Like all good powers, this one comes with rules.
To make a case, individuals will need to show:
- That they had a reasonable expectation of privacy
- That the harm was serious, and
- That protecting their privacy outweighs any “but we had a good reason!” or public interest (like freedom of the press) arguments
Plus, there are some solid defences, including protections for law enforcement, intelligence agencies, and certain journalists. But for most organisations? This is a new risk, and a serious one.
Why This Matters for Business
If your organisation handles personal information, you now face the possibility of legal action from individuals—not just regulators. This means your privacy posture can’t just be ‘good enough for compliance’. It has to be good enough to hold up in court.
Whether it’s an employee accessing customer data without authorisation, a poorly configured system that exposes sensitive information, or a failure to respond to a data breach appropriately, your risk exposure has just widened.
Even if you’re not technically bound by the Australian Privacy Principles (APPs), the tort could still apply. This is a broader legal tool with reach beyond APP entities. No business is automatically exempt.
What Should Companies Be Doing Now?
If you’re a de.iterate client (or thinking about becoming one), here’s what this means in practical terms:
1. Review and strengthen your privacy governance. Make sure you know where personal information lives in your business, who has access to it, and how it’s protected. If your policies are out of date—or worse, sitting in a folder untouched—it’s time for an upgrade.
2. Reassess your risk register. The introduction of this tort adds a new type of legal exposure. Update your risk assessments and mitigation strategies accordingly, especially around data access controls, surveillance technologies, and employee behaviour.
3. Invest in training. Make sure your team understands what constitutes an invasion of privacy and the importance of consent, authorisation, and transparency. Make sure your training makes data privacy personal. Not sure what that means? Check out our recent blog post.
4. Document your consent practices. Consent is a defence. If you’re relying on it, make sure you can prove it, clearly and consistently.
5. Stay alert to further reforms. As Privacy Commissioner Carly Kind noted, this is just the beginning:
“Last year’s reforms were the first step. We are looking forward to further reforms to make our privacy law fit for the digital age.”
Translation? More change is coming. Businesses that act now will be far better prepared than those who wait for the next legal headline.
The Takeaway
Australia’s privacy laws are no longer just about boxes ticked and statements published. They’re about people—real individuals—having the power to fight back when their privacy is invaded.
For organisations, that means more than compliance. It means accountability.
If you’re still thinking of privacy as a back-office function, it’s time to bring it front and centre. Because privacy breaches just got personal—and ignoring that could come at a cost.
Disclaimer: This blog is general in nature and does not constitute legal advice. If you believe you have experienced a serious invasion of privacy, or need guidance on your obligations, seek independent legal counsel.