News update

Privacy Reforms 2025: New statutory tort, policies under scrutiny, and what next

By Holding Redlich General Counsel Lyn Nicholson

Recent changes to Australian privacy law have significantly raised the stakes for businesses holding personal information. With the introduction of a new statutory tort for serious invasions of privacy and increased scrutiny of privacy policies by the Privacy Commissioner, boards and executives cannot afford to be complacent.

A new statutory tort for serious invasions of privacy

For years, Australian privacy law lacked a way for individuals to seek redress for serious privacy harm. That changed on 10 June with the introduction of a new statutory tort for serious invasions of privacy (or an “intrusion upon seclusion”) into the Privacy Act.

The tort draws on principles from defamation law. To establish a claim, an individual must demonstrate both a serious invasion of privacy and a misuse of personal information,

Although the new law is yet to be tested in Australia, UK case law around intrusions into seclusion may provide some useful guidance. Consider the 2022 Medibank breach: if the breach occurred today, could affected individuals claim that Medibank’s failure to take reasonable steps to secure their personal medical information was ‘reckless’? If so, they may be entitled to seek damages up to the current defamation cap of $459,000.

While this tort may not affect businesses in accidental data breaches, organisations holding sensitive information should ensure their security practices are not vulnerable to claims of being inadequate or ‘reckless’ in how that information is held.

Do I need to update my privacy policy?

On 10 December 2024, a new section 13K came into the Privacy Act, giving the Privacy Commissioner power to impose fines for technical breaches, including where a privacy policy fails to include all of the information required under Australian Privacy Principle (APP) 1.4.

Such information includes:

  1. the types of personal information the entity collects and holds;
  2. how the entity collects and holds that information;
  3. the purposes for which the entity collects, holds, uses and discloses personal information;
  4. how an individual may access their personal information held by the entity and seek to correct that information;
  5. how an individual can complain about a breach of the APPs, or a registered APP code (if any) that binds the entity, and how the entity will handle that complaint;
  6. whether the entity is likely to disclose personal information to overseas recipients; and
  7. if so, the countries where those recipients are likely to be located (if it is practicable to specify those countries in the policy).

Recent determinations, including those involving Bunnings’ use of facial recognition technology and Property Lovers’ data scraping to target vulnerable individuals, demonstrate the Commissioner’s increased scrutiny of how organisations communicate their handling of personal information. Businesses should therefore invest time in reviewing and updating their privacy policies.

Last month’s Privacy Awareness Week saw the Privacy Commissioner release a new privacy assessment tool that organisations can use to evaluate their privacy maturity. This is a practical first step for businesses looking to uplift their processes.

What’s next?

The changes that came into effect in December 2024, along with the new statutory tort, mark the first round of privacy reforms. A second tranche of proposals remains under consideration. However, following the recent federal election and the appointment of a new Attorney-General, the future direction and priorities of privacy reform are uncertain.

At the same time, the ongoing Productivity Commission inquiry into harnessing technology to improve productivity may indicate little appetite for further reform and a focus instead on streamlining regulation. Given some of the reforms in the second tranche relate to extending the Privacy Act to small businesses by removing the small business exemption, the timing of these changes remains an open question.

Conclusion

While there may not be further privacy law reform ahead, the Privacy Commissioner has made it clear she intends to use every enforcement tool she has to improve privacy compliance in Australia. Businesses cannot be complacent.

Acting for You, August 2025
