Australia Finally Has a Privacy Tort

For most of Australia's legal history, if someone violated your privacy, the law largely shrugged. You could sue for defamation if the disclosure damaged your reputation. You could argue breach of confidence if the information was imparted in circumstances of trust. But a freestanding right to sue purely because someone invaded your privacy? That did not exist.

That has now changed, in two significant steps: a County Court judgment in 2024 and landmark legislation that came into force on 10 June 2025. Together they represent the most substantial reform to privacy law in Australia in decades.

This article analyses the key cases and the statutory framework, identifies what the law currently requires and examines where things are likely to go next.

Why It Took So Long

The short answer is Victoria Park. In 1937, the High Court decided Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479, which was widely read as shutting the door on any enforceable right to privacy in Australian law. For most of the twentieth century, that decision was treated as settled authority against recognising such a cause of action.

The door cracked open in 2001 when the High Court decided Australian Broadcasting Corporation v Lenah Game Meats Pty Ltd (2001) 208 CLR 199. The court did not recognise a tort of privacy, but crucially several judges left open the possibility that one might be recognised in future. That opening was enough for subsequent courts to begin exploring the issue.

Two first-instance decisions followed. In Grosse v Purvis [2003] QDC 151, a Queensland District Court recognised a cause of action for invasion of privacy. In Doe v Australian Broadcasting Corporation [2007] VCC 281, the Victorian County Court did the same in a case where the ABC had broadcast material identifying a sexual assault victim in contravention of a prohibition in the Judicial Proceedings Reports Act 1958 (Vic).

Neither decision was appealed to a superior court, leaving the common law position genuinely uncertain.

Then, for nearly two decades, nothing.

The Case That Changed Things: Waller v Barrett [2024] VCC 962

Facts

The facts of Waller v Barrett read like something out of a true crime documentary, because they essentially are.

In 2010, Romy Barrett and his wife Dianne were leaving a restaurant when a man leapt out and attacked Romy with a knife. Romy narrowly survived having his throat cut. Dianne was subsequently found guilty of attempted murder, having planned the attack with her long-term lover. Their daughter, Lynn Waller, was 13 at the time.

In the years following the attack, Lynn was placed in the care of relatives and became completely estranged from her father. In January 2014, Lynn and Romy attended counselling sessions in an attempt to reconcile. Lynn also sent her father a detailed private email explaining why she wanted to maintain contact with her younger siblings.

In August 2014, Romy's story was published in a book by an investigative journalist and in articles appearing in mainstream media outlets, including Channel 7's Sunday Night, The Age and the Sydney Morning Herald. Those publications included information Romy had disclosed about Lynn from their private counselling session and from her personal email to him.

Lynn sued Romy for breach of confidence, breach of statutory duty, negligence and invasion of privacy.

The Legal Reasoning

Judge Tran conducted what she herself described as a "whistlestop tour" through the history of privacy protection in Australia, the UK, the US and New Zealand before concluding that the Australian common law should now recognise a cause of action for serious invasion of privacy.

The court's key move was to characterise privacy protection as something fundamentally distinct from breach of confidence. Breach of confidence, as traditionally understood, protects material interests and property-adjacent rights. Privacy, the court found, protects human dignity and autonomy. These are not the same thing, and trying to force privacy claims into the breach of confidence framework mischaracterises what is actually at stake.

Judge Tran also drew on the existence of the tort in Queensland and Victoria in the earlier decisions, the clear trajectory of common law in New Zealand, the UK and Canada, and the obvious community expectation that serious violations of intimacy and personal information warrant legal redress.

Outcome

Lynn succeeded on breach of confidence and, more significantly, on invasion of privacy. She was awarded $30,000 in damages.

Importantly, the negligence claim failed. Judge Tran declined to find that Romy owed Lynn a duty of care in relation to the publicity, expressing reluctance to extend tortious liability to the point where a newspaper could be held liable for a true but harmful report about a person where psychiatric injury was foreseeable. This is a significant limitation on the reach of privacy-adjacent claims.

What Waller Did Not Resolve

Because this was a first-instance County Court decision, it is persuasive rather than binding. No superior court has yet endorsed the common law tort. The precise elements of the cause of action, the available defences and the relationship between the common law tort and the statutory cause of action (discussed below) remain unresolved. The decision has not been appealed, which means those questions remain open.

Full judgment available at: AustLII – Waller v Barrett [2024] VCC 962

The Statutory Framework: Schedule 2 of the Privacy Act 1988 (Cth)

How It Came About

The Privacy and Other Legislation Amendment Act 2024 (Cth) received royal assent on 10 December 2024 and introduced a new statutory tort for serious invasion of privacy as Schedule 2 to the Privacy Act 1988 (Cth). The new provisions commenced on 10 June 2025.

The reform drew on a 2008 Australian Law Reform Commission report, "For Your Information: Australian Privacy Law and Practice", which had recommended a statutory cause of action in recommendation 74. The delay between that recommendation and the legislation being enacted was over fifteen years.

OAIC guidance on the tort is available at: OAIC – Statutory tort for serious invasions of privacy

The Five Elements

To succeed under the statutory tort, a plaintiff must establish all five of the following:

1. An invasion of privacy

The invasion can take two forms: intrusion upon the plaintiff's seclusion or misuse of information relating to the plaintiff. Intrusion upon seclusion includes physically intruding into a person's private space or watching, listening to or recording the person's private activities or affairs. Misuse of information includes collecting, using or disclosing information about the individual.

One notable feature: the misused information does not need to be true. This distinguishes the tort from defamation, which requires the relevant statement to be false.

2. A reasonable expectation of privacy

The court assesses whether a person in the plaintiff's position would have had a reasonable expectation of privacy in all the circumstances. Relevant factors include the nature of the information, the circumstances in which it was obtained and whether it was already in the public domain.

3. Intentional or reckless conduct

Negligent conduct alone is not enough. The defendant must have intentionally invaded the plaintiff's privacy or acted with recklessness as to whether their conduct would invade it. This is a significant departure from the New Zealand equivalent, which requires intention only. The inclusion of recklessness broadens the potential scope of liability considerably, particularly for organisations handling personal data.

4. Seriousness

The invasion must be serious. The court may consider the degree of offence, distress or harm to dignity that the invasion was likely to cause, whether the defendant knew or ought to have known it would cause such harm, and whether the defendant was motivated by malice.

5. Public interest balancing

The public interest in protecting the plaintiff's privacy must outweigh any countervailing public interest. The statute identifies freedom of expression, freedom of the media, national security and the prevention of crime as relevant countervailing interests, but the list is non-exhaustive.

Key Features of the Statutory Cause of Action

No proof of damage required. The tort is actionable per se, meaning a plaintiff can succeed without proving actual loss. This is a significant advantage over many other causes of action.

Who can sue and who can be sued. Only individuals can bring a claim. Corporations cannot sue. However, an individual can sue any person or organisation, including government agencies (subject to exemptions). The tort is expressly separated from the rest of the Privacy Act. Courts are directed to disregard the meaning of expressions used elsewhere in the Act when interpreting the tort provisions. The tort develops independently of the regulatory regime that governs APP entities.

Limitation period. Claims must be brought within one year of the plaintiff becoming aware of the invasion or three years after the invasion, whichever is sooner. Courts may extend this to six years in appropriate circumstances. For plaintiffs under 18, proceedings must commence before their 21st birthday.

Remedies

The court may award any remedy it considers appropriate, including:

• Injunctions restraining the defendant from continuing the invasion
• Damages for economic loss, non-economic loss and emotional distress
• Exemplary or punitive damages in exceptional circumstances (but not aggravated damages)
• A declaration that the plaintiff's privacy was seriously invaded
• An order requiring the defendant to apologise
• A correction order
• An order for destruction or return of private material

Damages for non-economic loss plus any exemplary or punitive damages are capped at the greater of $478,550 or the maximum non-economic loss available in a defamation claim. There is no cap on damages for economic loss where actual financial loss can be proven.

Exemptions and Defences

Journalists. The journalism exemption is the most significant and most controversial feature of the legislation. It applies where the invasion of privacy involves the collection, preparation for publication or publication of "journalist material" by a journalist, the journalist's employer or a person engaging or assisting a journalist.

Government entities. Commonwealth, State and Territory authorities and their staff are exempt to the extent the invasion occurs in good faith in the performance of their functions. Law enforcement bodies and intelligence agencies have their own separate exemptions.

Minors. Persons under 18 are exempt from liability.

Defences include consent, lawful authority, necessity, absolute privilege, publication of public documents and fair reporting of proceedings of public concern. Where a defamation defence would be available, it will also operate as a defence to the privacy tort.

The First Decision Under the Statute: Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396

On 7 October 2025, District Court Justice Gibson handed down the first published decision applying the new statutory tort.

Facts

Kurraba Group is a Sydney-based property development firm. Its CEO, Nicholas Smith, is the second plaintiff. Kurraba lodged a development application to redevelop 100 Botany Road, Alexandria. The defendant was a tenant at the site. With two months left on his lease, he demanded $50,000 from Kurraba to withdraw his objections to the development application, citing past success in disputes with large corporations. Smith refused.

Over the following months, the defendant lodged 64 pages of submissions opposing the application, made oral submissions to the planning committee and created a website called "Kurraba Group Exposed" publishing allegations against the plaintiffs including failed ventures, deceptive rebranding, questionable qualifications, financial desperation and legal intimidation of critics.

Among the material on the website were private wedding photographs of Smith that had never been intended for public circulation.

The Decision

The plaintiffs applied on an ex parte basis for interlocutory injunctive relief in relation to the torts of defamation, serious invasion of privacy and intimidation.

Justice Gibson granted the application. In relation to the privacy tort, her Honour found there was a serious question to be tried regarding the misuse of Smith's private wedding photographs. The court noted the particular difficulty that arises in privacy proceedings: merely describing the offending conduct in a judgment can itself increase the harm to the plaintiff.

Justice Gibson also flagged, drawing on the UK authority of Douglas v Hello!, that weddings are occasions intended to be as private as reasonably possible and that private wedding photographs attract a clear reasonable expectation of privacy.

It is important to understand what this decision actually is and is not. The plaintiffs filed proceedings and immediately applied on an ex parte basis, meaning the defendant was not present or notified, for interlocutory injunctions to stop the website and the associated conduct. The legal test for an interlocutory injunction is deliberately low. The court only needs to be satisfied that there is a serious question to be tried (not that the plaintiff will win, just that the claim is arguable) and that the balance of convenience favours granting the injunction.

When Justice Gibson said there was "a serious question to be tried" in relation to the privacy tort, she was not deciding whether the tort was actually made out. She was saying the claim was not hopeless and deserved to proceed to a full hearing. That is a very different thing to a judge weighing all five elements, hearing from both sides and making findings of fact.

It is also worth noting that the proceedings were filed in the Defamation List of the District Court, not as a standalone privacy proceeding. The privacy claim was tagged onto what was primarily a defamation and intimidation application. So even the procedural context was not a clean test of the new tort on its own terms.

The first full merits decision under the statutory tort, with both parties represented and all five elements squarely argued, is still awaited.

What the Common Law Tort and the Statute Mean Side by Side

One of the more interesting unresolved questions is whether the common law tort recognised in Waller continues to operate alongside Schedule 2 of the Privacy Act. The statute does not purport to replace the common law, and there are practical reasons why the common law route may remain attractive to plaintiffs.

Most obviously, the journalism exemption does not apply at common law. A plaintiff whose privacy was invaded by a media organisation would have no claim under the statute but might still have a claim at common law.

The interaction between the two causes of action in terms of remedies, elements and limitation periods has not been judicially considered. It is a live issue that will require resolution when a suitable case reaches a superior court.

Comparing Australia to Other Jurisdictions

Australian courts will inevitably look abroad when developing the boundaries of the new tort. The statute itself encourages this by drawing its framework from existing common law privacy torts.

New Zealand is the most directly relevant jurisdiction. New Zealand recognises torts of intrusion upon seclusion and wrongful publication of private facts, and the Australian statutory framework closely mirrors those causes of action. The key difference is that Australia extends liability to reckless as well as intentional conduct.

United Kingdom. The UK developed its privacy jurisprudence through the misuse of private information doctrine, building on the European Convention on Human Rights. The leading case is Campbell v MGN Ltd [2004] (UK House of Lords), in which Naomi Campbell successfully sued after photographs of her attending Narcotics Anonymous meetings were published. That decision introduced a balancing test between the public's right to know and the individual's right to privacy.

Canada. The Ontario Court of Appeal in Jones v Tsige [2012] formally recognised the tort of intrusion upon seclusion, requiring intentional intrusion into private affairs that would be highly offensive to a reasonable person. The case involved a bank employee who repeatedly accessed the plaintiff's financial records using her employment access.

United States. The US has long recognised a suite of privacy torts under the Restatement (Second) of Torts, but the landscape is fragmented across state and federal law and the First Amendment creates significant constraints on privacy claims involving public figures.

Australia's "serious" threshold is conceptually similar to the "highly offensive" standard applied in these other jurisdictions, though the precise calibration will be for Australian courts to work out over time.

Critical Analysis: Five Things Your Lawyer Is Not Telling You

1. The Journalism Exemption Is a Very Large Hole

The statutory tort cannot be used to sue journalists or their employers for invasions of privacy that arise in the course of gathering or publishing journalistic material. This exempts precisely the category of defendant that has given rise to the most significant privacy claims in the UK, Canada and New Zealand.

In Waller itself, the defendant was the father, not the media organisations that published the material. If the claim had been brought against Channel 7, The Age or the Sydney Morning Herald, it would have been barred under the statute. The common law tort recognised in Waller carries no such exemption, which is why the parallel development of common law privacy remains important.

2. Recklessness Changes the Calculus for Data Custodians

The inclusion of recklessness as a fault element is a quiet but significant innovation. Businesses and organisations that handle personal data are now exposed to privacy tort liability not only if they deliberately disclose or misuse that data but also if they disregard an obvious risk of doing so.

This means that poor data governance practices, inadequate security controls and negligent handling of customer information could constitute a serious invasion of privacy where the resulting exposure was the kind of thing a reasonable organisation would have recognised as likely. This is a material change in the risk profile of data custodians.

3. The Absence of a Damage Requirement Invites Litigation

Because the tort is actionable per se, a plaintiff can succeed and claim damages including for emotional distress without needing to demonstrate actual financial loss. This lowers the threshold for litigation significantly, particularly in cases of doxxing, revenge pornography, covert surveillance and other forms of privacy invasion that cause real harm but are difficult to quantify in economic terms.

4. The OAIC Has No Role

Unlike breaches of the Australian Privacy Principles, the statutory tort does not involve the Office of the Australian Information Commissioner. Individuals sue directly in court. This bypasses the regulatory pathway entirely, which has both advantages (no waiting for a regulator to investigate) and disadvantages (litigation is expensive and uncertain).

5. The First Instance Only Problem

Both Waller and Kurraba are County Court and District Court decisions. Neither is binding on superior courts. The common law tort in particular is a single first-instance decision that has not been tested on appeal. It is entirely possible that an appellate court rejects the reasoning in Waller and declines to recognise a common law tort, leaving the statutory cause of action as the only avenue.

Until the High Court or a Court of Appeal addresses these issues, practitioners should be cautious about the reach of the common law tort.

Practical Implications

For Individuals

If someone has posted your private information online without consent, recorded you without permission, disclosed details of your medical history, sexual relationships or financial situation or otherwise invaded your privacy in a serious way, you now have a direct cause of action that does not require proof of damage. The one-year limitation period from when you became aware of the invasion is the key practical constraint. Getting advice promptly matters.

For Businesses

Review how your organisation collects, stores, uses and discloses personal information. Recklessness is sufficient to establish liability, which means internal processes and data governance frameworks are now directly relevant to litigation risk. Privacy impact assessments are no longer a compliance nicety; they are a form of legal risk management.

For Lawyers

The tort creates genuine pleading opportunities that did not previously exist. In cases involving disclosure of private information, consider whether the facts support a privacy claim alongside or instead of breach of confidence, defamation or harassment. The absence of a damage requirement is a significant advantage in cases where harm is real but hard to quantify.

The one-year limitation period is short and runs from awareness, so early advice to clients matters. Where the defendant is a media organisation, the statutory tort is likely unavailable and the common law cause of action from Waller becomes the primary vehicle, though its appellate durability remains untested.

In cases with a recklessness element, particularly data breaches or negligent disclosures by employers, the tort may run alongside actions under the Australian Privacy Principles and the Privacy Act generally, giving courts multiple hooks for relief. The cap on non-economic loss mirrors defamation, so practitioners experienced in that field will find the remedies landscape familiar.

For Media Organisations

The journalism exemption provides broad protection for the collection and publication of journalistic material, but the boundary of that exemption is undefined. Conduct that goes beyond legitimate journalistic activity will not be protected. The parallel common law cause of action from Waller also remains live.

Conclusion

Australia spent the better part of ninety years without an enforceable right to privacy. The Waller decision in 2024 and the statutory tort that commenced in June 2025 represent a genuine turning point.

The statutory tort is carefully constructed but contains significant limitations, particularly the journalism exemption and the complex five-element test with a public interest balancing requirement. The common law cause of action from Waller potentially fills some of those gaps but rests on uncertain foundations pending appellate consideration.

The first full merits decision under the statutory tort has not yet been handed down. When it arrives, it will provide the first real guidance on how courts will apply the elements in practice. That decision and whatever follows it will shape the practical reach of privacy law in Australia for years to come.

Key Sources and Further Reading

• Waller (A Pseudonym) v Barrett (A Pseudonym) [2024] VCC 962
• Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396
• Schedule 2, Privacy Act 1988 (Cth)
• OAIC guidance on the statutory tort
• Norton Rose Fulbright analysis of the statutory tort
• MinterEllison overview
• Clayton Utz analysis of Waller v Barrett
• Tom Carmody case note on Waller

This article is for general information purposes only and does not constitute legal advice. You should seek professional advice tailored to your specific circumstances before acting on any information in this article. Liability limited by a scheme approved under Professional Standards Legislation.