Privacy Law Reform: The New Statutory Privacy Tort & What It Means for Australian Businesses

A major change to Australian privacy law came into effect on 10 June 2025. Individuals now have the legal right to sue for serious invasions of privacy, creating direct legal consequences for businesses that collect or use personal information.

If your organisation holds data on customers or clients—from CRM records to marketing lists—this reform significantly increases your legal exposure.

What Is the Statutory Privacy Tort?

The new law introduces a statutory cause of action for serious privacy breaches. An individual can make a successful claim if they can prove:

• Their privacy was invaded through intrusion or misuse of personal data
• They had a reasonable expectation of privacy
• The invasion was serious and not accidental
• The act was intentional or reckless
• The public interest does not justify the breach

This reform elevates the potential ramifications for a privacy breach to a new level. Australian law now enables individuals to seek compensation directly from businesses that fail to handle personal data responsibly.

Who Is at Risk?

Any business with an annual turnover of more than $3million that collects, stores, processes or shares personal information is affected. This includes:

• Online retailers and service providers.
• Real estate agents managing tenant or buyer details.
• Marketing and advertising firms using contact databases.
• Professional services firms holding confidential files.
• Health, financial and education providers storing sensitive information.

Businesses with an annual turnover of less than $3million might still be captured if the business:

• provides a health service to another individual and holds any health information except in an employee record;
• discloses personal information about another individual to anyone else for a benefit, service or advantage;
• provides a benefit, service or advantage to collect personal information about another individual from anyone else;
• is a contracted service provider for a Commonwealth contract (whether or not a party to the contract);
• is a credit reporting body.

Even if a business outsources its data storage or marketing, liability may still apply. Therefore, relying on third parties does not eliminate your legal risk.

Legal Exposure for Businesses

The statutory tort significantly increases the legal risks associated with poor data practices. Claims may arise in situations where:

• A business collects excessive personal information.
• Personal information is used without proper consent.
• Personal information is shared or sold without safeguards.
• Security systems are inadequate or out of date.
• Employees mishandle personal information through lack of training.

These scenarios are increasingly common, especially as more organisations rely on digital platforms to engage with customers. As a result, businesses must review and tighten their data handling procedures.

How Businesses Can Respond

To reduce your risk of privacy claims, consider the following actions:

1. Review and Update Your Privacy Policy

A clear, transparent privacy policy is essential. It should explain how personal information is collected, how it is used, and who it is shared with. Regular updates are critical as regulations evolve.

2. Limit Data Collection

Only gather personal information that is necessary for your operations. Collecting more data than required not only increases risk, but may also be unlawful.

3. Train Your Employees

Staff must understand what personal information includes and how to handle it appropriately. Ongoing privacy training is a compliance essential.

4. Assess Third-Party Providers

Review contracts and data-sharing arrangements with third parties. Ensure they meet legal standards and are held accountable for any privacy breaches.

Already Facing a Privacy Claim?

If your business is responding to a legal threat or has received a privacy tort claim, timely legal advice is crucial. Our team at Madison Marcus has extensive experience assisting businesses with:

• Defending claims.
• Responding to data breach investigations.
• Mitigating reputational damage.
• Resolving disputes efficiently†.

Why Work With Us?

Our privacy and compliance practice is led by Christopher Frankish, Partner, who sits on the Law Society of NSW’s Privacy and Data Law Committee for 2025.

We understand how to protect your business from both litigation and regulatory scrutiny. Whether you need guidance on compliance or urgent defence in a legal claim, we are here to help.

Act Now to Stay Ahead

Privacy is no longer just a regulatory box to tick, it is now a potential litigation trigger. By strengthening your data practices and improving transparency, your business can avoid costly claims and build greater trust with clients.

Book an appointment with our privacy and compliance lawyers today to assess your risk and strengthen your legal position.

Enquire Today

This article is provided for general informational purposes only and does not constitute legal advice. While every effort is made to ensure the accuracy of the information provided, Madison Marcus Law Firm makes no representations or warranties, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the content. Readers are advised to seek professional legal advice tailored to their specific circumstances before taking any action based on this information. Madison Marcus Law Firm accepts no liability for any loss or damage incurred as a result of reliance on the information presented herein.†In some circumstances, such as a privacy breach, mandatory disclosure obligations under applicable privacy laws may apply, and confidentiality cannot be guaranteed.