Privacy Awareness Week – increased regulatory and litigation risks for Australian businesses

Insights | 18 June 2025

Privacy risk for Australian businesses has changed significantly over the past six months, with the Federal Government enacting legislative reform following the review of the Privacy Act 1988 (Cth). We discussed these changes in our previous insights: 'Enhanced enforcement and litigation risk – stage one of the Privacy Act reforms' and 'Privacy Act changes on the horizon: Federal Government response to Privacy Act Review report'.

Privacy Awareness Week is an opportunity to raise awareness of privacy issues and of how important it is for businesses to protect personal information. In this update, we focus on the increased regulatory and litigation risks for Australian businesses and cyber insurers, including the:

  • enhanced enforcement powers for Australia's privacy regulator, the Office of the Australian Information Commissioner (OAIC), and the expanded penalty scheme; and
  • newly established statutory tort for serious invasions of privacy, which came into effect on 10 June 2025.

Each of these changes presents real litigation risk for Australian businesses and will likely result in increased litigation in the privacy space, from both a regulatory and a third-party risk perspective.

Key takeaways

  • The new enforcement powers of the OAIC create greater risk for businesses that are not careful in how they collect, store, use and disclose personal information.

  • The penalties for non-compliance with privacy obligations can be severe. We expect businesses to face a greater number of civil penalty proceedings following data breaches.

  • The new statutory tort allows private claims (and class actions) for serious invasions of privacy that are intentional or reckless, with remedies including injunctions, damages and exemplary (punitive) damages.

  • Businesses should carefully review their privacy and cyber security policies and procedures to ensure compliance going forward.

Enhanced enforcement powers

Previous enforcement powers

Under the pre-reform section 13G of the Privacy Act, the OAIC could seek civil penalties only for 'serious' or 'repeated' interferences with privacy. For such interferences, the OAIC had the power to commence proceedings in the Federal Court of Australia seeking penalties of up to the greater of:

  • A$50 million;
  • three times the value of the benefit gained from the interference; or
  • 30 per cent of the entity's adjusted turnover during the breach period.

If the interfering entity was not a body corporate, the maximum penalty was A$2.5 million.

If the interference was not serious or repeated, the OAIC could only make lower-level determinations, including requiring entities to:

  • take steps to not repeat or continue an act or practice;
  • publish a statement about the conduct; or
  • pay compensation to an individual.

This left a gap in the penalty regime for medium-level breaches: conduct too serious for a determination alone, but not serious or repeated enough to justify civil penalty proceedings.

Expanded enforcement powers

The amendments to the Privacy Act have greatly expanded the OAIC’s powers.

Serious interferences

‘Non-serious’ interferences

Infringement and compliance notices

New powers for the Federal Courts

How will this work in practice?

To date there has been relatively little litigation by the OAIC arising from alleged privacy interferences. Notable exceptions are the proceedings against Medibank Private Limited and Australian Clinical Labs Limited, both of which arose from high-profile data breaches in 2022 affecting a large number of individuals.

The previous threshold requiring a 'serious' or 'repeated' interference may have discouraged the OAIC from commencing proceedings against any business not involved in the largest data breaches. However, the OAIC's new and broader powers (and, in particular, the new medium-severity threshold) may encourage it to take action against a wider variety of businesses.

We recommend that all businesses review and, where necessary, update their privacy and information security policies and procedures to ensure that their obligations under the Australian Privacy Principles (APPs) are met. Proactively embedding these safeguards will also place your business in a better position in the event of action by the OAIC.

Statutory tort for serious invasions of privacy

The statutory tort for serious invasions of privacy is now in force. It permits individuals to commence proceedings directly against others (including companies) for a serious, intentional or reckless invasion of their privacy, whether by intrusion upon their seclusion or by misuse of information that relates to them.

This is likely to increase litigation risk, particularly class action risk, for any business that suffers a data breach.

A plaintiff can recover compensation if they prove that:

  • their privacy was invaded by the defendant;
  • they had a reasonable expectation of privacy in all the circumstances;
  • the invasion was serious;
  • the invasion was intentional or reckless; and
  • the public interest in the plaintiff's privacy outweighs any countervailing public interest. Examples of countervailing public interests include freedom of expression, open justice and national security.

There are limited exemptions, including for journalists in relation to journalism, and for law-enforcement and State and Territory authorities (and their staff) where the invasion is carried out in good faith in the performance of their official functions.

Remedies available under the tort include injunctions, damages for non-economic loss and exemplary (punitive) damages. Damages for non-economic loss and exemplary damages are together capped at the greater of A$478,550 and the maximum amount of damages for non-economic loss that may be awarded in defamation proceedings under an Australian law. The courts cannot award aggravated damages, but they may order an apology or correction, or order the defendant to destroy private material.

The scope of the statutory tort will be informed and shaped by case law as claims are brought. Even so, a plaintiff must establish each of the elements above before a defendant will be liable under this new cause of action.

If you have any questions, please get in touch with Hall & Wilcox’s market-leading cyber and privacy teams to discuss how these changes are likely to impact you or your business.

This article was prepared with the assistance of Heidi Woolf, Law Graduate.
