Privacy Awareness Week – increased regulatory and litigation risks for Australian businesses
Privacy risk for businesses has significantly changed over the past six months, with the Federal Government enacting legislative reform following the review of the Privacy Act 1988 (Cth). We discuss these changes in previous insights: 'Enhanced enforcement and litigation risk – stage one of the Privacy Act reforms' and 'Privacy Act changes on the horizon: Federal Government response to Privacy Act Review report'.
Privacy Awareness Week is an opportunity to raise awareness of privacy issues and of how important it is for businesses to protect personal information. In this update, we focus on the increased regulatory and litigation risks for Australian businesses and cyber insurers, including the:
- enhanced enforcement powers for Australia’s privacy regulator, the Office of the Australian Information Commissioner (OAIC) and expanded penalty scheme; and
- newly established statutory tort of privacy, which came into effect on 10 June 2025.
Each of these changes presents real litigation risk for Australian businesses and will likely result in increased litigation in the privacy space, from both a regulatory and a third-party risk perspective.
Key takeaways
The new enforcement powers of the OAIC create a greater risk for businesses that are not careful in how they collect, store, use, and disclose personal information.
The penalties for non-compliance with privacy obligations can be severe. We expect businesses to be faced with a greater number of civil penalty proceedings following data breaches.
The new statutory tort allows for private claims (and class actions) for intentional or reckless invasions of privacy, with remedies including potential injunctions, damages and punitive awards.
Businesses should carefully review their privacy and cyber security policies and procedures to ensure compliance going forward.
Enhanced enforcement powers
Previous enforcement powers
Under the pre-reform section 13G of the Privacy Act, the OAIC could seek penalties only for ‘serious’ or ‘repeated’ interferences with privacy. It had the power to commence proceedings in the Federal Court of Australia seeking substantial penalties of up to the greater of:
- A$50 million;
- three times the value of the benefit gained from the interference; or
- 30 per cent of the entity’s adjusted turnover during the breach period.
If the interfering entity was not a body corporate, the maximum penalty was A$2.5 million.
If the interference was not serious or repeated, the OAIC had powers to make only lower-level determinations, including to require entities to:
- take steps to not repeat or continue an act or practice;
- publish a statement about the conduct; or
- pay compensation to an individual.
The penalty regime therefore had a gap in respect of medium-level breaches, which were too serious for a determination but did not meet the ‘serious’ or ‘repeated’ threshold for civil penalty proceedings.
Expanded enforcement powers
The amendments to the Privacy Act have greatly expanded the OAIC’s powers.
Serious interferences
The wording of section 13G of the Privacy Act has been changed, with an entity now in breach of the Privacy Act if it engages in conduct that ‘seriously’ interferes with an individual's privacy. The maximum penalties in this regard have not changed and are those set out above.
The criterion of ‘repeated’ interference remains as part of a non-exhaustive list of factors that may be considered by the court in determining whether a breach is serious. Other relevant factors include:
- the particular kind or kinds of information involved in the interference with privacy;
- the sensitivity of the personal information;
- the number of individuals affected; and
- the consequences, whether potential or actual, of the interference with privacy.
‘Non-serious’ interferences
The new section 13H of the Privacy Act introduces a ‘medium level’ category civil penalty provision. This is for an interference with privacy that is not ‘serious’, but is still an interference with privacy.
The maximum penalty for this kind of interference is:
- for a body corporate: A$3.3 million; or
- for an individual: A$660,000.
This expands the OAIC’s enforcement power to pursue civil penalties for a broader range of privacy infringements, rather than ‘serious’ interferences only.
Infringement and compliance notices
The new section 13K of the Privacy Act introduces a scheme for the OAIC to issue infringement notices and compliance notices for specific breaches of the Australian Privacy Principles (APPs) or for a non-compliant statement regarding an eligible data breach.
An infringement notice requires an entity to pay a fixed amount in respect of the contravention. Alternatively, the OAIC may issue a compliance notice, which requires an organisation to take specified remedial steps, to any organisation it reasonably believes has contravened one of the listed legislative obligations.
These notices generally relate to administrative breaches, such as not having an APP-compliant privacy policy (APP 1.3) or unreasonably requiring individuals to identify themselves when dealing with that entity (APP 2.1).
The maximum amount payable under an infringement notice, or for non-compliance with a compliance notice, is A$330,000 for a body corporate, or A$66,000 for an individual.
New powers for the Federal Courts
If the OAIC commences proceedings against an infringing entity, then in addition to imposing financial penalties, the Federal Court of Australia or the Federal Circuit and Family Court of Australia is also empowered to order that the entity:
- perform a reasonable act to redress the loss or damage suffered following the contravention;
- pay damages to an impacted individual;
- do or not do an act to avoid repeating or continuing the contravention; and
- publish a statement regarding the contravention.
We expect the OAIC will routinely seek such orders, along with the high or medium-level pecuniary penalties, as part of any future regulatory enforcement action.
How will this work in practice?
There has been relatively little litigation by the OAIC arising from alleged privacy interferences. Notable exceptions are cases against Medibank Private Limited and Australian Clinical Labs Limited, both of which arose from high-profile data breaches in 2022 impacting a large number of individuals.
The previous threshold requiring a ‘serious’ or ‘repeated’ infringement may have discouraged the OAIC from commencing proceedings against any business not involved in the largest of data breaches. However, the OAIC’s new, and broader, powers (and, in particular, the new medium-severity threshold) may encourage the OAIC to take action against a wider variety of businesses.
We recommend that all businesses review and, where necessary, update their privacy and information security related policies and procedures to ensure that APP obligations are met. Proactively embedding these safeguards will help your business in the event of action by the OAIC.
Statutory tort for serious invasions of privacy
The statutory tort for serious invasions of privacy is now in force. It permits individuals to bring legal proceedings directly against others (including companies) for an intentional or reckless serious invasion of their privacy, whether by intruding on their seclusion or by misusing information that relates to them.
This is likely to increase litigation risk, and particularly class action risk, for any business that suffers a data breach.
A plaintiff can recover compensation if they prove that:
- their privacy was invaded by the defendant;
- they had a reasonable expectation of privacy in all the circumstances;
- the invasion was serious;
- the invasion was intentional or reckless; and
- the public interest in the plaintiff’s privacy outweighs any countervailing public interest. Examples of countervailing public interests include freedom of expression, open justice and national security.
There are limited exemptions, including for journalists, law-enforcement agencies and state authorities (and their staff), for invasions carried out in good faith as part of their official functions.
Remedies available under the tort include injunctions, damages for non-economic loss, and punitive damages. Damages for non-economic loss and punitive damages are together capped at the greater of A$478,550 or the maximum amount of damages for non-economic loss that may be awarded in defamation proceedings under an Australian law. The courts cannot award aggravated damages, but they may order apologies or corrections, or order the defendant to destroy private material.
The scope of the statutory tort will be informed and shaped by case law. That said, a plaintiff must establish each of the elements set out above before liability under this new cause of action arises, which limits the circumstances in which a claim can succeed.
If you have any questions, please get in touch with Hall & Wilcox’s market-leading cyber and privacy teams to discuss how these changes are likely to impact you or your business.
This article was prepared with the assistance of Heidi Woolf, Law Graduate.