The Privacy and Other Legislation Amendment Act 2024 introduced a statutory tort of serious invasions of privacy, which commenced on 10 June 2025. It allows an individual to bring a direct civil action where another party has invaded their privacy — either by intruding on seclusion or by misusing personal information — in a manner that meets a defined threshold of seriousness.
The tort is structured with a high bar. The conduct must be intentional or reckless. The plaintiff's expectation of privacy must be reasonable. Public interest considerations apply. But where the bar is met, damages — including for emotional distress — are now directly recoverable.
For businesses, the implication is that data breach handling, employee monitoring, surveillance technology, and any practice involving personal information of customers or staff now carries a direct civil exposure on top of regulatory exposure. The privacy posture review you've been putting off is no longer just a compliance exercise.