From 10 June 2025, individuals will, for the first time, be able to sue for serious invasions of privacy under a new statutory tort introduced by the Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA). This development marks a turning point in Australia’s privacy regime, signaling a broader shift towards stronger enforcement, higher business accountability, and alignment with international privacy standards.
A New Cause of Action: Serious Invasion of Privacy
Schedule 2 of POLA introduces a statutory tort for serious invasions of privacy, actionable where an individual’s privacy is intentionally or recklessly infringed through:
intrusion upon seclusion (e.g. surveillance); or
misuse of private information.
To succeed, a claimant must show they had a reasonable expectation of privacy, that the invasion was serious, and that the harm to their privacy outweighs any countervailing public interest. Notably, individuals do not need to prove financial loss. Courts may award damages for emotional distress, issue injunctions, or order apologies, destruction of materials, or exemplary damages.
This new civil avenue complements the existing regulatory regime and substantially expands potential exposure for businesses. Small businesses that were previously exempt from the Privacy Act due to the $3 million turnover threshold may still be captured by the tort, significantly raising the compliance stakes.
Strengthened Regulatory Enforcement under POLA
POLA also expands the enforcement powers of the Office of the Australian Information Commissioner (OAIC). Under the updated Privacy Act:
A single serious privacy breach can now attract penalties of up to $50 million for corporations, a major departure from the previous requirement for serious and repeated breaches.
Breaches not classified as ‘serious’ may now constitute interferences with privacy, attracting penalties up to $660,000.
The OAIC can now issue notices (up to $66,000) for discrete failures, such as not having a compliant privacy policy.
Together with the new tort, these reforms allow for both regulatory action through the OAIC (which now carries significantly higher penalties and broader scope) and individuals to independently pursue civil claims for serious privacy breaches. As a result, businesses face concurrent exposure from both regulatory investigations and potential private litigation.
Expanding Regulatory Landscape
In addition to enhanced penalty powers, the OAIC now has the authority to develop and enforce industry-specific privacy codes. This marks a shift towards more tailored regulatory standards, recognising that privacy risks vary significantly across sectors. The most anticipated of these is the Children’s Online Privacy Code (COP Code), which must be developed by 10 December 2026.
Changes to Australia’s Privacy Principles (APP’s)
Alongside enforcement reform, the amendments to the Australian Privacy Principles (APPs) aim to increase transparency, accountability and international alignment. The table below outlines the key changes.
APP | Change |
APP 1 (Open and Transparent Management of Personal Information) | APP entities must now explicitly disclose when they use automated decision-making that has a significant impact on individuals. |
APP 8 (Cross-Border Disclosure of Personal Information) | The reform introduces a whitelist mechanism, enabling the Attorney-General to designate jurisdictions with privacy protections substantially similar to Australia’s. Where applicable, this relieves businesses of the obligation to conduct their own assessment of the recipient’s privacy framework. |
APP 11 (Security of Personal Information) | The updated APP 11 clarifies that businesses must implement technical and organisational measures to protect personal information. These include encryption, access controls, and staff training. |
The APP reforms clearly reflect a policy shift toward international consistency, particularly with the European Union’s General Data Protection Regulation (GDPR) (and its UK equivalent). Transparency around automated decision-making (APP 1) and the requirement for technical and organisational measures to secure data (APP 11) are directly modelled on GDPR obligations. The new whitelist mechanism (APP 8) similarly reflects the EU’s “adequacy decision” framework for cross-border data transfers.
However, these reforms do not go as far as the GDPR in either scope or enforceability. Key data subject rights under the GDPR include the right to be forgotten (to request deletion of data), data portability (to transfer data to another provider), and the right to object to certain types of processing, such as direct marketing or profiling. No direct equivalents exist under the Australian framework. The APP framework also lacks the GDPR’s overarching principles of fairness, necessity and proportionality, which govern all personal data processing.
Australia remains outside the list of jurisdictions deemed “adequate” by the EU and UK for data export purposes. While the recent reforms are a clear step toward international alignment, they form only the first tranche of broader privacy reform. As such, they do not appear, on their own, to be sufficient to shift Australia’s adequacy status at this stage.
What Should Businesses Be Doing Now?
These amendments are only the first stage of the government’s privacy reforms. Expect more reforms in the future, especially as the digital economy continues to evolve.
For now, businesses should:
Review privacy policies, notices, cross border data sharing agreements and arrangements to ensure they comply with the new APP requirements.
Consider whether effective technical and organisational measures are in place to meet privacy and data security obligations, including ensuring that staff are adequately trained to comply with the Privacy Act and other relevant data protection laws and best practices.
Ensure that its privacy framework is otherwise compliant with the Privacy Act.
Monitor upcoming developments to the Privacy Act.
For further information, please contact Julian Courtney-Stubbs or Sandra Bejo of our Corporate Team.
.jpg)