
New Privacy Act introduces statutory tort for serious invasion of privacy. Local councils not immune from action.

In December last year, almost two years after a review of the Privacy Act 1988 (Cth) (Privacy Act) by the Attorney-General, the Privacy and Other Legislation Amendment Act 2024 (the Act) was passed.

The Act's most controversial and significant amendment to the Privacy Act is the introduction of a statutory tort for serious invasion of privacy.

Tort for serious invasion of privacy

The new tort gives individuals a cause of action directly against the party responsible for a serious invasion of privacy, which will have implications for local councils.

Currently, an individual’s rights for alleged privacy breaches by a local council are limited to the frameworks set out in the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW). 

Individuals lodge a complaint with the NSW Information Privacy Commissioner which then conducts a review. A similar process is also in place at the Federal level under the Privacy Act.

These review processes have been viewed as inadequate remedies for individuals, and the idea of a tort was floated over a decade ago by the Australian Law Reform Commission. The 2016 New South Wales Legislative Council Standing Committee on Law and Justice also considered it, as did the Australian Competition and Consumer Commission in 2019. Now, after a decade of debate, the new tort is set to come into force on 10 June 2025.

Application to local councils

Although the tort sits under the Privacy Act, a person does not need to be an Australian Privacy Principles (APP) entity, as defined by that Act, for the tort to apply to them. This means any individual or organisation, such as a local council, can be directly sued under the tort.

In this article we look at how this might impact local councils.

Key concepts

Real persons

A plaintiff must be a natural person. Companies cannot sue under this tort.

No damage

Under most legislation, a person needs to show loss or damage if they bring an action, but they do not need to under this tort.

Misusing information

The tort covers more than just ‘personal information’, as defined in the Privacy Act. Instead, it uses this broader definition: 

“misusing information” that relates to an individual includes, but is not limited to, collecting, using or disclosing information about the individual.

There is no reference to a person being able to be identified from the information. This subtle but potentially substantial difference may increase the situations to which the tort can be applied.

When considering what information is captured by the tort, it may be useful to think in terms of ‘private information’. While such information may not be directly linked to an individual, it may arise in a context where the individual could reasonably expect that, having provided the information, it will not be made public.

This might sound like a confidentiality rather than a privacy issue. However, confidentiality is an ethical duty to keep information secret, while privacy is the right to freedom from intrusion into one’s personal matters or information. This means, even if a duty of confidentiality isn’t present, the requirement to maintain privacy can still apply. It also means both duties could apply with two causes of action arising from the same disclosure breach.

Timing

A claim must be brought by the earlier of:

  • one year after the day on which the person became aware of the invasion of privacy, or

  • three years after the invasion of privacy occurred.

In some situations, the period may be extended to up to six years after the day of the invasion of privacy. However, the individual must prove it was not reasonable in the circumstances for them to have commenced the claim earlier.

Minors

A person under 18 who suffers a serious invasion of privacy is not prevented from bringing a future claim if they do so before their 21st birthday. This has been included because young people are not expected to make the difficult decision to commence legal proceedings.

Elements

For a claim to succeed, an individual needs to prove each of the following elements. Comment on each element follows it.

Element: An invasion of privacy has occurred by either:

(a) intruding on their seclusion, or

(b) misusing information that relates to them

Comment: There are two types of serious invasion of privacy:

1. Intrusion on seclusion: 

This includes not just physical intrusions but also watching, listening to, or recording a person's private activities or affairs. For instance, security cameras could raise privacy issues if their use goes beyond what is necessary for security and safety.

2. Misusing information: 

This includes collecting, using, or disclosing information about an individual in a manner that is inappropriate. It also includes storing, changing or interfering with information.

Element: The individual would have a reasonable expectation of privacy in all of the circumstances

Comment: This is assessed case by case and will depend on the circumstances of the invasion.

Factors to consider include:

  • the means used to invade the person's privacy, including the use of any device or technology
  • the purpose of the invasion of privacy
  • the person's attributes including their age, occupation, or cultural background
  • the person's conduct, including whether they invited publicity or manifested a desire for privacy
  • the nature of the information, including whether the information related to intimate or family matters, health or medical matters, or financial matters
  • how the information was held or communicated by the individual
  • whether and to what extent the information was already in the public domain

Data about children is generally viewed as requiring more protection than data about adults. The level of risk is best illustrated by a 2020 report by VicHealth which reported that by the age of 13, an estimated 72 million data points will have been collected on each child.

Element: The invasion was either intentional or reckless, rather than merely negligent

Comment: A claim cannot be substantiated if the invasion of privacy resulted only from negligence. Excluding negligence as a trigger sets a high threshold before a person can bring this cause of action.

However, it does not mean that an individual could not bring a negligence action as an alternative remedy.

The term ‘recklessness’ has an established meaning found in the Criminal Code. A person is reckless with respect to a circumstance or result if:

  • they are aware of a substantial risk that the circumstance exists, will exist, or will occur, and

  • having regard to the circumstances known to them, it is unjustifiable to take the risk.

Element: The invasion was 'serious'

Comment: This requirement is meant to discourage trivial claims.

For example, imagine a council sends an email to ratepayers regarding changes to waste management and ratepayers' email addresses are disclosed in the email. While this is a privacy breach, it is not as serious as leaking financial details or health records, even if it is reckless.

When deciding how serious an instance is, the court will look at several factors, including:

  • the degree of any offence, distress, or harm to dignity that the invasion of privacy was likely to have caused the average person in the same situation
  • whether the person knew, or should have known, that it would be likely to offend, distress or harm the dignity of the person
  • if the invasion of privacy was intentional, whether the person was motivated by malice.

Element: The public interest in the person’s privacy outweighs any countervailing public interest

Comment: The court must also balance other important public interests, such as:

  • freedom of expression, including political communication and artistic interest
  • public health and safety
  • the prevention and detection of crime and fraud.

Data breaches are on the rise and information may need to be shared with law enforcement to help them investigate a crime.

Other public interests mentioned in the Act are:

  • freedom of the media
  • the proper administration of government
  • open justice
  • national security.

An important aspect of the public interest test is that the defendant is not required to provide evidence in this regard. Instead, the onus of proof lies on the plaintiff. In addition, courts will be able to take judicial notice of public interest matters. 


Defences

The Act provides a range of defences against a serious invasion of privacy claim:

  • Performance in good faith: Commonwealth agencies and State and Territory authorities and their staff are exempt if the invasion of privacy occurs in the good faith performance or purported performance of a function, or exercise or purported exercise of a power, of the agency or authority. The definition of ‘State and Territory authority’ is in section 6C of the Privacy Act and covers local councils.

  • Lawful authority: If the invasion was required or authorised by Australian law or court order. This can relate to following work health and safety laws or mandatory reporting rules.

  • Consent: If the individual (or someone who had the right to act on their behalf) agreed to it, either clearly or by implication. The implied consent principle is analogous to that under applicable privacy laws. However, it remains to be seen if this will be construed in a similar way or more narrowly.

  • Necessity: If the invasion was necessary to prevent a serious threat to someone’s life, health, or safety. While this might be more relevant to healthcare professionals, it can also apply in emergencies at workplaces. For example, entering a bathroom to assist someone needing urgent medical attention.

  • Incidental to defence of persons or property: If the invasion was incidental to exercising a lawful right to defend someone or something, and it was proportionate, necessary, and reasonable.

  • Defamation defences: Defences relating to defamation include absolute privilege, publication of public documents, and the fair reporting of proceedings of public concern.

Remedies

If a claim is successful, the court can grant several remedies:

  • Injunctions, including an interim injunction which restrains an invasion of privacy at any stage of proceedings

  • Damages up to $478,550, including exemplary damages when there is a flagrant disregard for the law. This is to deter others from engaging in similar egregious behaviour

  • Account of profits

  • Apology order

  • Correction order

  • Destruction or delivery-up of materials order

  • Declaration that the defendant has seriously invaded the plaintiff’s privacy.

What next and what you can do

While the new tort may cause alarm, the requirements for a claim show significant hurdles an individual must overcome. Additionally, the defences and exemptions available to government agencies make a tsunami of successful claims unlikely.

In addition, the Act contains a mechanism to determine early if an exemption applies. This will allow courts to deal with the threshold issue of exemption before the parties spend significant time and resources preparing for trial.

However, this may not deter some individuals from ‘having a go’ and it remains to be seen how the courts will approach the new tort and if their decisions will make it easier to bring claims.

With the tort set to apply from 10 June 2025, local councils should be reviewing their policies and procedures for handling personal information and any activities which may ‘invade’ a person’s privacy. Consideration should be given to changes that may reduce the chances of being subject to a claim. Councils should also review their privacy complaint handling procedures and incorporate strategies and approaches for handling claims made under the new tort, which will inevitably come.

We are available to discuss strategies with you and review your existing practices.

Authors: Jason Sprague & Juan Roldan

Read Council Connect April 2025 issue

 

This publication is intended as a source of information only. No reader should act on any matter without first obtaining professional advice.