Authored by Alison Cripps, Head of Workplace, In-House and Technology, Practical Guidance
Privacy Awareness Week 2025: Australia's Bold Leap into a New Era of Privacy Law
Australia has taken a bold step forward in Privacy Reform. This isn’t just a policy adjustment — it’s the most significant shift in Australian privacy law since the introduction of the Australian Privacy Principles over a decade ago.
The reforms (relatively speaking) are sweeping: a groundbreaking statutory tort for serious invasions of privacy, enhanced transparency obligations for automated decision-making, and a forthcoming Children’s Online Privacy Code that will fundamentally change how businesses interact with young users online.
How Did We Get Here? A Short History of Long-Awaited Reform
Let’s rewind:
- 2019: The Government kicks off a comprehensive review of the Privacy Act.
- 2020–2022: COVID-19. Lockdowns. Zoom fatigue. Headline-grabbing breaches (hello, Optus, Medibank)
- 2023: The review’s final report lands, with 116 recommendations.
- 2024: The Privacy and Other Legislation Amendment Bill 2024 (Cth) passes both houses. Two weeks later, the First Tranche Act receives Royal Assent.
Fast-forward to 10 June 2025, and the most headline-worthy change – a statutory tort for serious invasions of privacy – is now in full force.
What’s Already in Effect? What’s Next?
Already in force (since 10 December 2024)
- New criminal offence for doxxing
- Increased powers for the OAIC: new civil penalties, infringement notices, and tougher compliance tools
- Designated overseas jurisdictions: a whitelist for cross-border disclosures
Effective since 10 June 2025:
- Statutory tort for serious invasions of privacy
Coming 10 December 2026:
- Transparency rules for Automated decision-making (ADM)
- Children’s Online Privacy Code, led by the OAIC
Still to come: Second Tranche Privacy Reform
- “Fair and reasonable’ data handling
- Clearer guardrails for AI use
- Stronger enforcement tools
The New Statutory Tort: A New Era of Legal Accountability
As of 10 June 2025, Australians can now sue for serious invasions of privacy.
You’ve got a cause of action if:
- Someone intrudes on your seclusion or misuses private information
- You had a reasonable expectation of privacy
- The act was intentional or reckless
- The invasion was serious
- And your right to privacy outweighs the public interest
This tort is actionable even without proof of damage. No need to prove financial harm and emotional distress counts. Courts will be walking a tightrope between privacy rights and other public interests like freedom of expression, media freedom and open justice. It's a balancing act – and a legal battlefield waiting to unfold.
Expect hot legal debates over:
- What counts as “reasonable expectations of privacy”
- How “serious” an invasion must be
- The threshold for “recklessness”
Defences
If you are on the receiving end of a privacy tort claim, there are defences, including:
- Legal authority
- Consent
- Public interest exceptions (health, safety, national security)
- Media protections (aligned with defamation defences)
Also in play: the "ordinary person" test – more often seen in criminal law – makes a guest appearance in assessing the seriousness of harm. A curious import that will no doubt be tested soon.
Common Law’s Comeback?
The statutory tort isn’t evolving in isolation. Just last year, in Waller v Barrett [2024] VCC 962, the County Court of Victoria recognised a common law tort of privacy. That’s right – two torts, evolving side by side. While not binding nationwide, the County Court’s decision is a signal. A stepping stone. And it raises big questions:
- Will higher courts follow suit?
- Could statutory and common law torts evolve in parallel?
- Could we see a unified doctrine of privacy law emerge?
Australia might just be on the cusp of privacy jurisprudence shaped by both legislation and the courts.
What’s still coming?
Children's Online Privacy Code
By 10 December 2026, we’ll see a Children’s Online Privacy Code aimed at protecting children in the digital jungle. APP entities that target or serve children online will need to comply. Expect:
- Age-appropriate design requirements
- Clearer parental consent requirements, and
- Tighter controls on how data is collected and used.
The OAIC is currently developing this code, and it will set the tone for years of regulation in child-facing digital services.
Automated Decision-Making Transparency
Also taking effect on 10 December 2026, these reforms target the black box of algorithms. If you’re an APP entity using automated decision-making, you must disclose:
- The types of personal data you use
- The kinds of decisions made solely by algorithms
- And what actions are taken by computer programs in the decision-making process.
No more algorithmic curtain. Expect growing scrutiny on AI practices, especially in finance, insurance and government services.
Why This Matters
This isn’t just a technical reform. It’s a philosophical shift: privacy isn’t just policy setting – it’s a right. One that Australians can legally defend.
For legal practitioners, it’s time to:
- Audit your clients’ automated decision-making systems and processes
- Scrutinise their data practices involving children
- Watch carefully how the courts test the new privacy tort
Welcome to the new Privacy Frontier
Privacy Awareness Week 2025 isn’t just about awareness. It’s about action. We have entered a new era in Australian privacy law.
Happy Privacy Awareness Week – and welcome to the new privacy frontier.
If you need to provide quality, accurate legal advice fast, LexisNexis® Practical Guidance is an AI-powered solution that provides practically focused legal content and tools that Australian lawyers need to do business.
The Cybersecurity, Data Protection & Privacy module is an invaluable resource for practitioners who want to follow best practices when preparing to advise on data privacy matters. If you’d like to preview the time-saving resources covering this strategically important practice area, request a complimentary trial here.