Monday, 23 June 2025

Employees can now sue their employer for serious invasions of privacy: What you need to know

As of 10 June 2025, the statutory tort for serious invasions of privacy commenced under the Privacy Act 1988 (Cth) (Privacy Act). This marks a landmark shift in Australian privacy law, introducing a new legal pathway for individuals, including employees, to seek redress for serious breaches of their privacy.

The change forms part of the Federal Government’s broader push to modernise privacy protections in the digital age.

Who does the New Tort apply to?

The Privacy Act is federal legislation and applies to private sector organisations, as well as most Australian Government agencies (called ‘APP entities’). It does not apply to state government entities or local government.

However, the new tort is broader in application than the Privacy Act, extending to individuals and other entities that may not necessarily be an APP entity. Employers may therefore wish to seek advice as to whether the new tort will be applicable to them.

What Does the New Tort Cover?

An individual (which can include employees) may have a cause of action against another person or organisation (such as an employer) who has invaded their privacy by doing one or more of the following, in instances where the individual would have had a reasonable expectation of privacy in all the circumstances:

  • intruding upon the individual’s seclusion – for example, by physically intruding into their private space;
  • misusing information that relates to the individual.

Individuals bringing the claim are also required to establish a number of other factors, including that the public interest in protecting their privacy outweighs any competing public interest. The invasion of privacy must also be serious, taking into account a number of factors, including whether the invasion was motivated by malice.

Legal action must be commenced within one year of the individual becoming aware of the breach, or within three years of the date the breach occurred. Claims can also only be made in respect of conduct that occurs after 10 June 2025.

What Remedies and Defences Are Available?

If successful, a court can grant remedies it considers appropriate, which may include:

  • Injunctions to restrain further privacy invasions;
  • Damages for emotional distress (non-economic loss), capped at the greater of $478,550 or the maximum amount in a defamation claim; and
  • Correction orders, formal apologies, or a declaration that a serious invasion occurred.

Employers may rely on several defences in the event a claim of serious invasion of privacy arises, including:

  • If the conduct was authorised by law or a court/tribunal;
  • If the individual consented to the conduct that gave rise to the invasion of privacy (expressly or impliedly);
  • If there was a reasonable belief the conduct was necessary to prevent a serious threat to safety; and
  • If the conduct was incidental to lawful defence of persons/property, and reasonable and proportionate.

Exemptions also apply to journalists and media organisations, government bodies, law enforcement and intelligence agencies, and minors under 18.

Powers of the Office of the Australian Information Commissioner (OAIC)

While the OAIC does not have a direct role in administering the tort, its powers under the Privacy Act have also been expanded to include the power to:

  • Investigate privacy breaches in the workplace;
  • Issue compliance or infringement notices; and
  • Impose significant financial penalties, including:
    • $50 million for serious breaches by corporations.
    • $660,000 for serious individual breaches.
    • $66,000 for administrative non-compliance.

Implications for Employers

Employers can be held liable for breaches of the statutory tort either directly or, potentially, through vicarious liability.

Therefore, these changes to the Privacy Act are likely to have wide-reaching implications for workplace operations, particularly in HR, IT, and compliance. Employers and individuals face liability for serious privacy breaches committed by staff, especially where surveillance, data access, or internal communications involve a serious invasion of an employee’s privacy.

Workplace practices that were once considered low risk, including informal data sharing or excessive monitoring, could now give rise to legal claims if they meet the threshold of a serious invasion of privacy.

Further, while the employee records exemption under the Privacy Act (which provides that employers are exempt from complying with the Australian Privacy Principles in respect of employee records) remains in place for now, the Federal Government has also signalled further reform to the Privacy Act. Employers may therefore wish to prepare for possible changes by reviewing how employee data is collected, stored, and used.

If you have any questions about your obligations under the new Privacy Act reforms or how they impact your workplace practices, please contact HR Legal for further information.


This article was produced by HR Legal. It is intended to provide general information only in summary format on legal issues. It does not constitute legal advice, and should not be relied on as such.

