Torts

Overview

Historically, Australian common law did not recognise a standalone tort for invasion of privacy. While actions in breach of confidence, defamation, or trespass could provide incidental protection, there was no direct cause of action for a serious invasion of a person's private life. This position was changed significantly in 2024 with the introduction of a new, targeted statutory tort.

For decades, Australian courts and law reform bodies debated the creation of a privacy tort. The High Court in Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd [2001] HCA 63 left the door open for the common law to develop such protection, but subsequent development was slow and inconsistent. Following several inquiries, including the Australian Law Reform Commission's 2014 report, Serious Invasions of Privacy in the Digital Era, the Australian Government acted. The Privacy and Other Legislation Amendment Act 2024 (Cth) inserted a new schedule into the Privacy Act 1988 (Cth), creating a statutory cause of action for serious invasions of privacy.

Statutory Tort for a Serious Invasion of Privacy (Privacy Act 1988 (Cth), Schedule 2)

(See also Privacy Law)

The new statutory tort, which commenced on 10 June 2025, provides a direct right of action for individuals whose privacy has been seriously invaded. It is intended to be read separately from the rest of the Privacy Act 1988 (Cth) and its Australian Privacy Principles.

Cause of Action (cl 7)

An individual (the plaintiff) has a cause of action against another person if five elements are met:
  • An invasion of privacy: The defendant must have invaded the plaintiff's privacy by either:
    • Intruding upon the plaintiff's seclusion: This includes physically intruding into a private space, or watching, listening to, or recording private activities.
    • Misusing information that relates to the plaintiff: This includes collecting, using, or disclosing information about the individual.
  • Reasonable Expectation of Privacy: A person in the plaintiff’s position would have had a reasonable expectation of privacy in the circumstances (cl 7(1)(b)). The court will consider factors like the means used, the purpose of the invasion, the nature of the information, and the plaintiff's own conduct (cl 7(5)).
  • Intentional or Reckless Fault: The invasion must have been intentional or reckless (cl 7(1)(c)). Negligent conduct is not sufficient to establish the tort.
  • Serious Invasion: The invasion of privacy must be "serious" (cl 7(1)(d)). The court may consider the degree of offence, distress, or harm to dignity likely to be caused (cl 7(6)). The tort is actionable without proof of actual damage (cl 7(2)).
  • Public Interest Balancing Test: The plaintiff must establish that the public interest in their privacy outweighs any countervailing public interest (cl 7(1)(e)). Countervailing interests can include freedom of expression, freedom of the media, open justice, public health, and national security (cl 7(3)).

Defences (cl 8)

  • Defences are available where the invasion of privacy was:
    • Required or authorised by an Australian law or a court/tribunal order.
    • Done with the express or implied consent of the plaintiff.
    • Reasonably believed to be necessary to prevent or lessen a serious threat to life, health, or safety.
    • Incidental to the lawful defence of persons or property.
  • Defences that would ordinarily arise in defamation proceedings (e.g., absolute privilege, fair report of public proceedings) may also apply if the invasion involved publication (cl 8(2)).

Exemptions (Part 3)

  • The tort contains broad exemptions that were not recommended by the ALRC. It does not apply to:
    • Journalists: Invasions involving the collection or publication of "journalistic material" by a journalist subject to professional standards (cl 15).
    • Law Enforcement and Intelligence Agencies: Invasions by specified agencies or their staff members acting in good faith in the performance of their functions (cll 16-17).
    • Minors: Invasions of privacy committed by a person under the age of 18 (cl 18).

Remedies (Part 2, Division 3)

  • Courts may grant a range of remedies, including:
    • Damages (cl 11): This can include damages for emotional distress. Exemplary or punitive damages may be awarded in exceptional circumstances. Damages for non-economic loss are capped at the same level as damages in defamation law.
    • Injunctions (cl 9): To restrain an ongoing or anticipated invasion of privacy.
    • Other Orders (cl 12): Such as an order for an apology, a correction order, an account of profits, or the destruction of material obtained through the invasion.

Tort of Negligence

Negligence is the failure to take reasonable steps to prevent foreseeable risks of harm to another entity and may involve either acts or omissions. The key elements of negligence are: (1) the defendant owes the plaintiff a duty of care; (2) the defendant’s conduct breaches this duty by failing to meet the requisite standard of care; (3) the breach caused the harm suffered by the plaintiff; and (4) the harm was not too remote a consequence of the breach.
  • In the context of cybersecurity, an incorporated entity that collects and stores personal information may owe a duty of care to its customers to protect that data from foreseeable harm, such as a malicious cyberattack. A failure to implement adequate cybersecurity measures could therefore constitute a breach of this duty.
  • In both the McClure v Medibank Private Limited and the Robertson v Singtel Optus Pty Limited proceedings (see Litigation and Investigations), the plaintiffs allege that the companies were negligent in their handling of customer data, leading to the breaches. This litigation will be critical in establishing the scope and nature of the duty of care owed by corporations to their customers in the digital age.

Duty of Care

A duty of care exists where it is reasonably foreseeable that the defendant’s decisions or conduct may cause harm to the plaintiff. In a commercial context, this duty is often established through the relationship between the parties. For organisations handling data, these obligations are informed by federal and state laws (such as the Privacy Act 1988 (Cth)), government policies, and common law duties.

Breach of Duty

A person is found to have breached their duty of care if their conduct falls below the standard of reasonable care required in the circumstances. This is assessed by considering the probability and likely seriousness of the harm, and balancing it against the burden of taking precautions to avoid it (see, for example, Civil Liability Act 2002 (NSW), ss 5B, 5C). In a data breach case, a court would likely consider whether the organisation's security measures were reasonable in light of the known threats and industry standards at the time.

Causation and Remoteness

For a negligence claim to succeed, the plaintiff must prove that the defendant's breach of duty caused their loss or harm. Under the civil liability legislation (see, e.g., Civil Liability Act 2002 (NSW), s 5D), this involves establishing both factual causation ("but for" the breach, would the harm have occurred?) and that the harm was within the "scope of liability". The harm must also not be too remote, meaning it was a "reasonably foreseeable" consequence of the defendant's breach. In a data breach context, a key legal question is whether the criminal act of a third-party hacker constitutes an intervening act (novus actus interveniens) that breaks the chain of causation between the company's negligence and the customer's loss.
