Australia’s privacy regime is undergoing significant reform, aligning with global developments and responding to key recommendations from the Australian Competition and Consumer Commission (ACCC). These changes will affect how businesses collect, handle, and disclose personal information, and for the first time, will give individuals a direct legal avenue to seek damages for serious invasions of privacy.
With the first tranche of reforms set to take effect from 10 June 2025, and further obligations following in December 2026, it is essential for Australian companies to begin preparing now.
A New Statutory Tort for Serious Invasions of Privacy
Perhaps the most significant change is the introduction of a statutory tort for serious invasions of privacy. From 10 June 2025, individuals will have a right to bring legal proceedings against those who invade their privacy in a serious and deliberate manner.
To succeed in a claim, a plaintiff must establish that:
- The defendant invaded their privacy by either:
– Intruding upon their seclusion, or
– Misusing personal information about them;
- A reasonable expectation of privacy existed under the circumstances;
- The invasion was intentional or reckless; and
- The invasion was serious.
“Intrusion upon seclusion” is broadly defined to include actions such as physically entering someone’s private space or observing, recording, or listening to their private activities. “Misusing information” covers the collection, use, or disclosure of personal data.
Importantly, damages may be awarded for emotional distress, in addition to punitive or exemplary damages, up to a cap of $478,550, mirroring the current limit under defamation law. Courts will also have the discretion to grant other remedies as appropriate.
Transparency Obligations Around Automated Decision-Making
Another key reform will take effect in December 2026, requiring organisations to disclose how automated decision-making systems are used, particularly where such systems impact individuals’ rights or interests.
Under these changes, privacy policies must include:
- The types of personal information used by any automated system, and
- The kinds of decisions the system is making.
These provisions are aimed at increasing transparency around the use of AI and algorithm-driven processes in areas such as recruitment, performance evaluations, insurance underwriting, credit scoring, and customer service interactions.
For many organisations, especially those using AI tools or large-scale data analytics, this will require a thorough audit of existing technologies and the development of clear, accessible language to explain these systems in privacy documentation.
Key Considerations
To reduce exposure to liability and ensure compliance, organisations should take the following steps now:
– Review and update privacy policies to ensure they clearly outline how personal information is collected, used, and whether it is subject to automated decision-making.
– Assess existing HR technologies and platforms, particularly those using AI or algorithmic tools, to determine whether they are making or influencing decisions that significantly affect individuals.
– Implement or strengthen internal procedures for the handling of personal information, especially employee records, to avoid unintentional breaches.
– Train staff and managers, particularly those involved in hiring, performance management, and data handling, to understand and comply with the new privacy obligations.
Looking Ahead
While some of the more comprehensive reforms, such as new obligations around employee records, are expected to follow post-2025 federal election, the current reforms already signal a dramatic shift in how privacy is protected and enforced in Australia.
These changes place greater emphasis on individual rights and corporate accountability, mirroring developments in jurisdictions such as the EU and California. Australian organisations, large and small, will need to take proactive steps to adapt.
If your organisation needs help reviewing its privacy policies, assessing legal risk, or preparing for these reforms, Lynn and Brown are here to assist.
About the Author: This article has been authored by Steven Brown. Steven is a Perth lawyer and director and has over 20 years’ experience in legal practice and practices in commercial law, dispute resolution and estate planning.
