international employment law firm alliance L&E Global

Australia: A New Statutory Tort for Privacy Invasion and Disclosure of Automated Decision-Making: Incoming Privacy Law Reforms in Australia

Authors: Gregory Robertson & Liav Benstock

 

In response to global developments around privacy law and ACCC recommendations, privacy legislation in Australia has been reformed to include an initial tranche of changes, including the introduction of a statutory tort for serious invasions of privacy and new requirements for privacy policies to include information about the involvement of computer programs in decisions that affect individuals and their personal information.

In October 2020, a review of the Privacy Act 1988 (Cth) commenced following recommendations made by the Australian Competition and Consumer Commission (ACCC) in 2019, which noted that a number of other jurisdictions (including the EU, Japan, and some US states) had reformed their privacy laws in response to the increased collection and use of personal information. Now, the Privacy and Other Legislation Amendment Act 2024 (which passed both houses of parliament on 29 November 2024 and received royal assent on 10 December 2024) will amend the Privacy Act 1988 (Cth) to implement an initial tranche of reforms, which the Government committed to in response to the review.

Some of the major reforms, which will come into force over 2025-2026, include the introduction of a statutory tort for serious invasions of privacy, which can result in damages, and a new requirement that privacy policies contain information about any automated decision-making system in use that could reasonably be expected to significantly affect the rights or interests of an individual. Further privacy reforms are expected in a second tranche, which is likely to be progressed later this year or next year.

 

Statutory tort

Under the new reforms, a plaintiff will have a cause of action in tort against a defendant where:

a. the defendant invaded the plaintiff’s privacy by intruding upon the plaintiff’s seclusion and/or misusing information that relates to the plaintiff;

b. a person in the plaintiff’s position would have had a reasonable expectation of privacy in all of the circumstances;

c. the invasion of privacy was intentional or reckless;

d. the invasion of privacy was serious; and

e. the public interest in the plaintiff’s privacy outweighed any countervailing public interest.

 

‘Intruding upon the seclusion’ of the plaintiff is defined as including (but not limited to) a physical intrusion into a person’s private space and watching, listening to, or recording a person’s private activities or private affairs. Similarly, ‘misusing information’ is defined as including (but not limited to) collecting, using or disclosing information about a person.

There are some defences and exceptions, but under the new tort, courts may award damages for emotional distress as well as exemplary or punitive damages for invasions of privacy up to $478,550 (or the maximum amount of damages for non-economic loss under defamation law). Courts will also be able to grant a range of other remedies in addition to, or instead of, damages, as the court thinks appropriate in the circumstances.

Because the legislation introduces this as a new, statutory tort, it may be possible for plaintiffs to seek to take action against employers where the breach of privacy has been carried out by an employee, on the basis that the employer is vicariously liable for the tort. While we await decisions of the Courts on the extent to which ordinary tort law applies to this statutory tort, it would be prudent for employers to strengthen their internal policies to make it clear to employees that privacy is to be respected.

These requirements commence 6 months after Royal Assent (the final step in the law-making process), or 10 June 2025.

 

Automated decision-making in privacy policies

The reforms also introduce new requirements around the information that must be included in privacy policies, including the kinds of personal information used and the types of decisions made in automated decision-making. If an entity has arranged for a computer program to be involved in decisions that affect the rights or interests of individuals and their personal information, the entity must include information about:

a. the kinds of personal information used by the computer programs; and

b. the kinds of decisions made by the computer programs (and relevant information related to those decisions).

 

These requirements commence 24 months after Royal Assent, or 10 December 2026.

Key Action Points for Companies and In-House Counsel

Privacy policies should be reviewed to ensure they are as clear and transparent as possible with regard to information about automated decision-making and personal information collected. Mechanisms and policies around the protection of personal information should also be reviewed and improved if necessary to avoid liability under the statutory tort for breach of privacy.

If you require legal advice or assistance in relation to these new changes, please contact our Harmers Workplace Lawyers team on +61 2 9267 4322.
