2025 Privacy Reform Explainer

Posted on June 9, 2025 by Digital Rights Watch

Today marks an important milestone, but there is still work to be done! Way back in December 2024, the government passed the Privacy and Other Legislation Amendment Bill 2024. The law comes into force today, 10 June 2025, and makes the following welcome changes to our current privacy laws:

  • the introduction of the right to sue for invasion of privacy;
  • the formation of privacy standards for children; and
  • greater transparency requirements over how organisations handle your personal information if they use automated decision making (ADM).

This legislation is federal, meaning that it applies nationwide to federal departments, as well as some businesses operating in Australia. However, there are exemptions such as for journalists, small businesses, enforcement agencies and national security organisations.

This explainer will cover the key changes, and also what we think still needs to happen to make sure our privacy laws are up to date.

Privacy Tort

The reforms introduce a statutory tort for serious invasions of privacy, described as a “civil penalty provision for serious interference with privacy of an individual”. A statutory tort is a legal rule that lets someone sue another person if they’ve been wrongfully harmed: not through a crime, but in a way that the law says is unfair or hurtful and should be compensated. Other torts include negligence, trespass and defamation. A privacy tort is relatively new for Australia; it was first raised way back in 1969 and has seen some state-level development.

Other countries such as the United Kingdom have had similar legislation for years, and Australian courts are likely to look to UK courts for guidance in making it work. While a privacy tort is a step forward in privacy protection, it only covers certain kinds of personal privacy. Interestingly, it is also not actionable after the aggrieved individual dies, meaning that a deceased person’s estate cannot sue on behalf of the deceased.

What must a plaintiff (the person bringing the privacy tort) prove?

To succeed, a plaintiff must show:

  • the defendant intruded upon their seclusion or misused personal information;
  • it was reasonable to expect privacy in the circumstances;
  • the invasion was intentional or reckless;
  • the invasion was serious; and
  • the public interest in privacy outweighed the public interest in disclosure.

If a plaintiff succeeds, the breach is actionable even without proof of damages. This means you don’t have to prove harm in order to claim compensation.

What constitutes a serious breach of privacy?

Terms like ‘serious’ can mean different things to different people. To assist with consistent interpretation, the legislation sets out three factors that judges will consider:

  • did the invasion cause or risk harm?
  • was the harm foreseeable?
  • was the conduct intentional or malicious?

These are not fixed criteria. If a factor is relevant, it may weigh in favour of a finding that the breach was serious.

What does reasonable expectation of privacy mean?

Much like ‘serious’, you and I might have different ideas about what counts as a reasonable expectation of privacy. The legislation accounts for this and names some factors that may be considered when deciding whether it was reasonable to expect privacy:

  • The means by which the privacy was invaded
  • The purpose of the invasion of privacy
  • Characteristics of the plaintiff, such as age
  • The plaintiff’s behaviour, such as clearly expressing a desire for privacy
  • The location of the invasion of privacy
  • If the defendant misused the plaintiff’s private information, the court will also consider:

    • What kind of information it was (for example, whether it related to intimate, family, health or financial matters);
    • How the plaintiff stored or shared that information; and
    • Whether the information was already public or private.

Remedies

Damages

If the defendant is found to be at fault, the court can award damages to the plaintiff to compensate for the harm caused. These damages must be paid by the defendant, and several different types are treated differently:

  • Aggravated damages cannot be awarded;
  • Emotional distress damages are permitted; and
  • Exemplary or punitive damages are available only in exceptional cases.

Injunctions

Once the defendant is found liable, the courts can compel them to cease or begin certain actions. For example, the courts may compel the defendant to destroy all private photographs of the plaintiff, or even to issue a public apology if the disclosed personal information has already caused harm.

Exemptions

As mentioned above, some entities aren’t covered by the privacy laws. These entities remain exempt from the new changes as well, meaning they can’t be sued for breaches of privacy. Let’s see who is immune to the privacy tort:

  • Journalists and related persons, to the extent their conduct involves the collection, preparation or publication of journalistic material.

    • Journalistic material includes content relating to news, current affairs or documentaries, including commentary, opinion, analysis or editorial content.
  • Enforcement bodies (like Australian federal and state police)
  • National security organisations (the Australian Security Intelligence Organisation and affiliates)
  • People under 18 years old
  • Small businesses, unless they do any of the following:

    • Handle health information;
    • Provide services under a Commonwealth contract;
    • Trade in personal information; or
    • Act as credit reporting bodies.

Defences Available

A defendant may avoid liability by proving:

  • The aggrieved individual consented to the privacy intrusion;
  • The act was carried out under lawful authority;
  • The defendant reasonably believed that the invasion of privacy was necessary to lessen or prevent a serious risk to life, health or safety;
  • The invasion of privacy occurred incidentally in the course of a proportionate and necessary exercise of the right to defend a person or property; or
  • The defendant invaded the plaintiff’s privacy by publishing information about them (like in a news story or post), and both of the following apply:

    • The information was published in a way that would be covered by an Australian defamation law; and
    • That defamation law includes a defence that would apply if the law treated privacy invasions the same way as defamatory material.

While these defences are new in the context of this statutory tort, many already exist in other parts of Australian law.

The Office of the Australian Information Commissioner (OAIC) has issued determinations involving similar concepts, such as consent, lawful authority and serious threats, when resolving privacy complaints under the Privacy Act. However, the OAIC is not a court or tribunal, and it deals with a different part of the Act (Schedule 1, not Schedule 2), so its rulings are not binding in tort cases. Judges may nonetheless look to them for guidance.

Judges are also likely to look to the UK’s privacy tort cases for guidance on how to apply this law. In the UK, an individual can be said to have ‘consented’ to the privacy intrusion if they themselves brought the matter to the public’s attention. What do we mean by this? Well, imagine someone who claims they don’t need food to survive and get all the nutrients they require just by breathing. This person goes on talk shows and documentaries and promotes themselves on social media. This person is then filmed eating a meal on the street, and the footage is broadcast. It may not be considered reasonable for this person to expect privacy in the circumstances, given how they made their ‘diet’ the subject of public debate. Many of the privacy tort cases in the UK involve high-profile celebrities suing tabloids and paparazzi, and while we don’t lend ourselves to tabloid gossip, it makes for interesting reading to learn how these cases were litigated (read about some here, here, and here).

Children’s Online Privacy Code

The reforms in November last year gave a job to the Privacy Commissioner (part of the OAIC). Her office must develop a Children’s Online Privacy Code within 2 years. Australian Privacy Principle codes (APP Codes) such as this one are legally binding privacy guidelines that help entities apply the Australian Privacy Principles (APPs) in specific contexts. Importantly, entities that are usually exempt (e.g. small businesses) can opt in to an APP Code and waive their exemption.

The Children’s Online Privacy Code (the Code) will be in place from 10 December 2026. It is separate from the social media ban for kids under 16, but it will operate concurrently with the ban.

Work is already underway, with the Privacy Commissioner consulting on what the Code should look like. You can find out more about it here.

What will the Code do?

  • Set out how APPs are applied in the context of children’s privacy
  • Provide guidance on issues such as data destruction, consent, and collection practices relating to children

How will it be made?

  • The OAIC has promised it will consult with children, caregivers, experts in online safety, privacy, and child welfare. Keep up to date on consultations here.

Who will it regulate?

Entities that either:

  • provide a social media, relevant electronic or designated internet service that is likely to be accessed by children, and are not a health service; or
  • are specifically designated in the Code.

What is a social media service, a relevant electronic service and a designated internet service?

The OAIC has published a statement clarifying exactly who this applies to:

Social media services: these are platforms where people can connect, share content and interact with others. This includes social networks, public media-sharing sites, discussion forums and review platforms.

Relevant electronic services: these are online services that let people communicate with each other. This includes messaging apps, email services, video calling platforms and online games where players can chat.

Designated internet services: this covers websites and online platforms where people can store or share content. Examples include cloud storage services, as well as other websites that let users upload and access content.

Automated Decision-Making

ADM refers to decisions made by computer systems without human input. This may sound inconsequential, but ADM systems can end up making impactful decisions. For example, a health insurance company may access your data on fitness and health-related internet searches to decide your insurance eligibility without you ever knowing. One example of ADM is Australia’s infamous Robodebt scheme, an Australian government program that used computerised data-matching to falsely accuse welfare recipients of owing debts, leading to widespread financial and psychological harm (find the full Royal Commission report here).

Why does ADM require regulation?

ADM systems can:

  • reflect bias that may be present in the data;
  • lack transparency - what is the algorithm actually doing?;
  • impact individuals without their knowledge;
  • disproportionately affect vulnerable groups (fantastic article here); and
  • raise accountability questions - who is responsible when an ADM system harms someone?

What does the new ADM APP require?

APP entities must (before 11 December 2026) update their privacy policies to include a statement explaining when they use ADM to process personal information and make a decision that can reasonably be expected to significantly affect an individual’s rights or interests.

This places a lot of trust in APP entities. It is up to them to decide whether their ADM can be expected to significantly affect an individual’s rights or interests. What qualifies an impact as significant? The legislation provides three examples of ADM systems that could be said to have a significant impact on a person’s rights or interests, but this still leaves a lot of room for entities to decide for themselves whether an impact is significant. Hopefully, the OAIC will release guidance on what constitutes a “significant impact” on a person’s rights or interests. While the Explanatory Memorandum to the law offers some direction, the EU’s privacy laws provide far more detailed and well-established criteria. Importantly, the legislation does not mention any penalty for failure to disclose this information, so it will be up to individuals to police it themselves by pursuing privacy complaints.

Doxxing

The reforms also introduced new doxxing offences. These weren’t really privacy-related, but ended up passing together with the rest of the package. We believe much of this conduct was already prohibited under existing privacy laws, so the reform reinforces legal clarity but may overlap with pre-existing provisions.

What’s next?

We think these reforms are a great first step. But there is still loads to be done to improve our privacy, and bring us in line with similar countries. The previous government committed to pushing through about 100 further reforms. It’s our job to make sure they follow through on this promise!

Some amendments we would like to see in particular include:

The removal of the small business exemption. Around 95% of Australian businesses are exempt from the Privacy Act. This was supposed to be temporary, to allow small businesses time to get up to speed on their privacy requirements - but that was way back when the Act passed in 1988! We believe that if you can’t securely collect, keep or dispose of personal information in today’s age, then you should not hold it. Small businesses also end up buying off-the-shelf products and services that are lower quality and have poor cybersecurity. Removing this exemption would address this.

End tick-a-box consent. Businesses should no longer be able to rely on so-called “consent” buried in pages of legal jargon that no one reads. In today’s digital environment, consent is often meaningless: users are forced to accept intrusive data practices or lose access to essential services. True transparency and accountability mean shifting the burden from individuals to organisations. Instead of relying on checkbox consent, we need stronger standards like the fair and reasonable test or clearly defined purposes for data use, ensuring organisations only collect and use personal information lawfully and responsibly.

Individuals should have a direct right of action. Broadly, a direct right of action means having the ability to take someone to court directly, as opposed to waiting for a regulator to act on your behalf. In the context of privacy law, a direct right of action would allow individuals to bring legal proceedings against organisations or agencies they believe have interfered with their privacy, even if the Privacy Commissioner chooses not to investigate or take enforcement steps. This is different from the tort for serious invasion of privacy described above; here we are talking about reforming the current privacy complaint system.

Introduction of the fair and reasonable test. The fair and reasonable test considers whether a reasonable person would consider a collection, use or disclosure of personal information to be fair and reasonable in the circumstances. We need this test because it’s not enough to rely on consent alone: entities ought to be under an obligation to use personal information fairly and reasonably, even when a person has consented.

Political parties should be within the scope of the Privacy Act. Political parties should have to abide by the privacy rules that they set. When the Privacy Act was first enacted it only applied to federal agencies, but in 2001 political parties were made exempt and, despite numerous attempts to change this, that remains the case today. Three-quarters of the Australian public are unaware that political parties and representatives do not have to abide by the Privacy Act, and 82% of Australians believe that they should (read the full report).

Be a part of our campaign and stay up to date

Hopefully there will be more tranches and more reforms to come! If you want to stay up to date, please sign up to our newsletter and we will provide you with all of the updates and developments. We will also let you know the different ways you can get involved, through petitions, events and more.