A legal expert outlines what these new privacy invasion laws mean for business and how HR can help leaders remain compliant.
On 10 June 2025, the new statutory tort for serious invasions of privacy came into effect. It establishes a legal right of action for individuals whose privacy has been violated through intrusion into their private affairs or through the misuse of their personal information.
From a workplace perspective, this means employees could seek legal recourse if their employer improperly accesses or mishandles their personal data or invades their privacy in the course of employment.
This marks a significant step for privacy protection in Australia, bringing Australia in line with other jurisdictions around the world.
How does this new law impact businesses?
Under the new tort, a plaintiff will have a cause of action against a defendant where:
- the defendant invaded the plaintiff’s privacy by intruding upon the plaintiff’s seclusion and/or misusing information that relates to the plaintiff
- a person in the plaintiff’s position would have had a reasonable expectation of privacy in all of the circumstances
- the invasion of privacy was intentional or reckless
- the invasion of privacy was serious
- the public interest in the plaintiff’s privacy outweighed any countervailing public interest.
‘Intruding upon the seclusion’ of the plaintiff is defined as including, but not limited to, a physical intrusion into a person’s private space, or watching, listening to or recording a person’s private activities or affairs.
In a work context, this may cover things like surveillance or authorising surveillance of employees who are on workers compensation or long-term sick leave, or listening in on private and sensitive meetings, or viewing sensitive and personal medical information.
‘Misusing information’ is defined as including, but not limited to, collecting, using or disclosing information about a person. While lack of consent is not part of the definition of ‘misusing information’, consent will be a defence to any claim of misuse of information and invasion of privacy.
In the employment context, the tort could arguably capture situations where employers seek, without knowledge and consent, highly sensitive medical or other personal information from third parties, or where highly sensitive employee information is misused or recklessly disclosed.
Even though the Australian Privacy Principles (APPs) contain an employee records exemption, which means that in many cases employers aren’t strictly bound by privacy laws when handling employee records, employers still need to be very careful about how they collect, use, and manage employee data.
The availability of the APP exemption won’t fully protect employers from liability if they seriously mishandle employee data in ways that could be seen as an invasion of privacy.
Reforms that would remove the employee records exemption have also been proposed and may be introduced later this year.
The types of activity that could fall under this law are broad. However, any invasion of privacy would need to be serious to warrant legal action – something that would depend on the specific circumstances, including the nature and extent of the intrusion.
Whether there was consent to the activity will also be a critical consideration, and will act as a defence to any claim of invasion of privacy.
There are some defences and exceptions to the new tort, such as for law enforcement, media and news agencies and where there are public interest considerations (such as sharing information with journalists or regulators).
The defences and exceptions that will be most relevant to businesses include: consent; where the invasion is required by law or is incidental to the exercise of another lawful right or defence (for example, if information is required to be produced to a regulator); or where it is necessary to protect health and safety, whether of employees or of third parties.
Potentially hefty fines for non-compliance with privacy laws
It’s important that employers take this new statutory tort seriously, as non-compliance could lead to a costly outcome.
Compensation will be available to those who can prove that their privacy has been compromised, including for emotional distress. Punitive damages may also be ordered for particularly serious contraventions of the law.
Non-economic loss (such as for emotional or mental harm, or damage to reputation) and punitive damages are capped at $478,550; however, the amount of economic loss that can be awarded is uncapped.
If deemed appropriate, the courts will also be able to grant a range of other remedies in addition to, or instead of, damages, such as: ordering an apology; requiring remedial steps to be taken to remedy the invasion of privacy, including correcting misinformation; and requiring the defendant to destroy, quarantine or deliver up copies of material relevant to the privacy breach.
Employers may also face the risk of vicarious liability (where one party is held responsible for the actions or omissions of another person, even though the first party did not directly commit the act) for the conduct of their employees or agents. For example, vicarious liability may arise where an employee uses their employment to obtain sensitive information or to breach another person’s privacy.
How should employers protect themselves?
Given the potentially serious legal and reputational consequences of a breach of the statutory tort for invasions of privacy, employers should take proactive steps to mitigate the risk of liability.
A strong starting point is to ensure that privacy policies and data-handling practices are both compliant with Australian law and robust in their design and implementation.
It is critical that employers review and update their privacy policies to cover all aspects of employee data handling, not just those covered under the APPs.
This should include transparent communication with employees about what data is collected, how it is used, who it is shared with and how it is protected. Privacy policies should also make clear the importance of respecting an employee’s privacy, and the consequences of breach of the policy.
Investing in regular privacy training for employees is equally important. This should go beyond generic compliance training to ensure employees fully understand their responsibilities when handling personal and sensitive information.
Particular attention should be given to educating managers and employees about the risks of misusing access to employee data – whether deliberately or inadvertently – as this is where employers could be exposed to significant risk.
Employers must also ensure that their systems and processes are designed to minimise the risk of privacy breaches. This includes implementing access controls, encryption, regular audits and prompt breach notification procedures.
It’s also wise to conduct a privacy impact assessment (PIA) whenever introducing new HR technologies, data analytics tools or third-party platforms that process employee data, to confirm that the new processing complies with the organisation’s privacy obligations before it goes live.
Finally, boards and executive leadership should recognise that privacy governance is now a material risk area. Regular reporting to leadership on privacy compliance and emerging risks can help ensure that privacy remains a board-level priority.
This will be crucial as Australian privacy law evolves in coming years, bringing new expectations for employers to safeguard the privacy of their workforce.
Amy Zhang is an Executive Counsel and Team Leader at Harmers Workplace Lawyers.