LEGAL UPDATE

A NEW STATUTORY TORT FOR PRIVACY INVASION AND DISCLOSURE OF AUTOMATED DECISION-MAKING: INCOMING PRIVACY LAW REFORMS IN AUSTRALIA

Authors: Greg Robertson and Liav Benstock

In October 2020, a review of the Privacy Act 1988 (Cth) commenced following recommendations made by the Australian Competition and Consumer Commission (ACCC) in 2019, which noted that a number of other jurisdictions (including the EU, Japan and some US states) had reformed their privacy laws in response to the increased collection and use of personal information. Now, the Privacy and Other Legislation Amendment Act 2024 (which passed both houses of parliament on 29 November 2024 and received royal assent on 10 December 2024) will amend the Privacy Act 1988 (Cth) to implement an initial tranche of reforms which the Government committed to in response to the review.

Some of the major reforms, which will come into force over 2025-2026, include the introduction of a statutory tort for serious invasions of privacy, which can result in damages, and a new requirement that privacy policies contain information about any automated decision-making system in use that could reasonably be expected to significantly affect the rights or interests of an individual. Further privacy reforms are expected in a second tranche, which is likely to be progressed later this year or next year.

Statutory tort
Under the new reforms, a plaintiff will have a cause of action in tort against a defendant where:

  1. the defendant invaded the plaintiff’s privacy by intruding upon the plaintiff’s seclusion and/or misusing information that relates to the plaintiff; and
  2. a person in the plaintiff’s position would have had a reasonable expectation of privacy in all of the circumstances; and
  3. the invasion of privacy was intentional or reckless; and
  4. the invasion of privacy was serious; and
  5. the public interest in the plaintiff’s privacy outweighed any countervailing public interest.

‘Intruding upon the seclusion’ of the plaintiff is defined as including (but not limited to) a physical intrusion into a person’s private space and watching, listening to or recording a person’s private activities or private affairs. Similarly, ‘misusing information’ is defined as including (but not limited to) collecting, using or disclosing information about a person.

There are some defences and exceptions, but under the new tort, courts may award damages for emotional distress as well as exemplary or punitive damages for invasions of privacy up to $478,550 (or the maximum amount of damages for non-economic loss under defamation law). Courts will also be able to grant a range of other remedies in addition to, or instead of, damages, as the court thinks appropriate in the circumstances.

Because the legislation introduces this as a new, statutory tort, it may be possible for plaintiffs to seek to take action against employers where the breach of privacy has been carried out by an employee, on the basis that the employer is vicariously liable for the tort. While we await decisions of the Courts on the extent to which ordinary tort law applies to this statutory tort, it would be prudent for employers to strengthen their internal policies to make it clear to employees that privacy is to be respected.

These requirements commence 6 months after Royal Assent (the final step in the law-making process), or 10 June 2025.

Automated decision-making in privacy policies
The reforms also introduce new requirements around the information that must be included in privacy policies, including the kinds of personal information used and the types of decisions made in automated decision-making. If an entity has arranged for a computer program to be involved in decisions that affect the rights or interests of individuals and their personal information, the entity must include information about:

  1. the kinds of personal information used by the computer programs; and
  2. the kinds of decisions made by the computer programs (and relevant information related to those decisions).

These requirements commence 24 months after Royal Assent, or 10 December 2026.

Key Action Points for companies and In-House Counsel
Privacy policies should be reviewed to ensure they are as clear and transparent as possible with regard to information about automated decision-making and personal information collected. Mechanisms and policies around the protection of personal information should also be reviewed and improved, if necessary, to avoid liability under the statutory tort for breach of privacy.

If you require legal advice or assistance in relation to these new changes, please contact our Harmers Workplace Lawyers team on +61 2 9267 4322.

© Copyright Harmers Workplace Lawyers 2025. All rights reserved. No part of this alert may be reproduced, in whole or in part, by any means whatsoever, without the prior written consent of Harmers Workplace Lawyers.

Disclaimer: This news alert provides a summary only of the subject matter covered without the assumption of a duty of care by the firm. No person should rely on the contents as a substitute for legal or other professional advice.