
Serious invasion of privacy and small business

On 10 December 2024, federal parliament passed the Privacy and Other Legislation Amendment Act 2024 (Act). This move comes almost two years after a review of the Privacy Act 1988 (Cth) (Privacy Act) by the Attorney-General’s Department.

The reforms are designed to strengthen existing privacy protections in Australia. In this article, we highlight the changes that now allow individuals to take direct legal action if they experience serious invasions of their privacy. We also discuss how the reforms might affect small businesses, particularly those not currently covered by the Privacy Act, and what steps they should take.

The new rules relating to serious invasion of privacy are due to take effect on 10 June 2025 unless another date is fixed by federal parliament beforehand. Importantly, serious invasion of privacy covers more than just ‘personal information’, which is the phrase used in the Privacy Act that is narrower in scope than ‘private information’.

Background

Privacy continues to be a hot topic as technology changes the way we think about what is ‘public’ and what is ‘private’. Many small businesses have already leveraged data-led solutions to make better decisions, locate inefficiencies, and develop customer insights. 

For example, in 2017, with the help of a marketing services firm, Narellan Pools analysed seven terabytes of data including website traffic, consumer confidence figures and visit-to-enquiry ratios. This helped them develop a targeted marketing campaign that significantly boosted their sales and, in some months, realised an incredible 800% increase in the average sale conversion rate.

However, as businesses gather and handle more data, especially personal data, there is a greater chance that it could be mishandled. Small businesses tend to struggle more than large businesses to manage data due to a lack of resources or expertise. This increases the risk of disclosure of personal information. That disclosure can lead to serious consequences for businesses if their customers experience economic loss, identity theft, or significant emotional distress. 

Previously, an individual’s ability to claim for any loss they suffered as a result of an unauthorised disclosure of their personal information was effectively limited to a complaint to the Office of the Australian Information Commissioner. This was perceived as an inadequate remedy for individuals. For over a decade there have been calls for a legislated tort for invasion of privacy. That has now become a reality and opens the way for individuals to bring a personal claim directly against an organisation that has disclosed their personal information in breach of the Privacy Act.

Key concepts

Let's look at the elements a customer must establish if they want to bring a claim for a privacy breach using the new statutory tort for invasion of privacy.

Timing

The customer needs to bring a claim by the earlier of:

  1. one year after the day on which they became aware of the invasion of privacy, or

  2. three years after the invasion of privacy occurred.

In some situations, this period may be extended to up to 6 years after the day on which the invasion of privacy occurred. The customer would need to prove that it was not reasonable in the circumstances for them to have commenced the claim earlier.

Additionally, if the customer was under 18 years of age when the invasion of privacy occurred, they can bring a claim before their 21st birthday. This has been included because young people are typically not expected to make the difficult personal and financial decision to commence legal proceedings.

Elements

For a claim to succeed, an individual needs to prove the following:

Each element is set out below, followed by comment on how it is likely to be applied.

An invasion of privacy has occurred by either:

  1. intruding on their seclusion, or

  2. misusing information that relates to them

There are two types of serious invasions of privacy:

  1. Intrusion on seclusion: 

    This includes not just physical intrusions but also watching, listening to, or recording a person's private activities or affairs. For instance, placing cameras in stores could raise some privacy concerns if their use goes beyond what is necessary for security and safety.

  2. Misusing information: 

    Collecting, using, or disclosing information about an individual in a manner that is inappropriate. It also includes storing, changing or interfering with information. 

A person in the customer's position would have a reasonable expectation of privacy in all of the circumstances

This is assessed objectively on a case-by-case basis and will depend on the circumstances of the invasion. Factors to consider include:

  • the means used to invade the person's privacy, including the use of any device or technology

  • the purpose of the invasion of privacy

  • the person's attributes including their age, occupation, or cultural background

  • the person's conduct, including whether they invited publicity or manifested a desire for privacy

  • the nature of the information, including whether the information related to intimate or family matters, health or medical matters, or financial matters

  • how the information was held or communicated by the customer

  • whether and to what extent the information was already in the public domain

For example, data about children is generally viewed as requiring more protection than data about adults. The level of risk here is best illustrated by a 2020 report by VicHealth which reported that by the age of 13, an estimated 72 million data points will have been collected on each child.

The invasion was either intentional or reckless

This sets a high threshold for this cause of action.

Importantly, negligence has not been included here, which is generally considered to be a lower threshold. That is, a claim cannot be substantiated if the invasion of privacy resulted from negligence.

The term ‘recklessness’ has an established meaning which is found in the Criminal Code. In particular, a person is reckless with respect to a circumstance or result if:

  • they are aware of a substantial risk that the circumstance exists, will exist, or will occur, and

  • having regard to the circumstances known to them, it is unjustifiable to take the risk

This high threshold aims to strike a balance between protecting an individual’s privacy and other competing interests, such as the need for clarity. A clear standard is helpful because it makes it easier to understand the boundaries of what is acceptable and what steps could be taken to deal with any intentional or reckless invasion of privacy.

The invasion was 'serious'

This requirement is meant to discourage people from making minor unimportant claims.

For instance, suppose a local business runs a loyalty program that sends out emails to customers. If they send out a promotional email without using the blind carbon copy (BCC) option, it could accidentally reveal every customer’s email address. While this is a privacy breach, it is not as serious as leaking sensitive information like financial details or health records, especially if it was an accident.

When deciding how serious a particular instance is, the court will look at several factors, including:

  • the degree of any offence, distress, or harm to dignity that the invasion of privacy was likely to have caused the average person in the same situation

  • whether the person knew, or should have known, that it would be likely to offend, distress or harm the dignity of the person

  • if the invasion of privacy was intentional, whether the person was motivated by malice.

The public interest in the person’s privacy outweighed any countervailing public interest

The court must also balance other important public interests, such as:

  • Freedom of expression, including political communication and artistic interest.

This is important if your business runs a blog or uses social media that publishes user-generated content which discusses important and topical issues.

  • Public health and safety.

  • The prevention and detection of crime and fraud.

Data breaches are on the rise, with 43% of all cyber-attacks in Australia targeting small to medium enterprises. Information may need to be shared with law enforcement to help them investigate a crime.

Other public interests mentioned in the Act are:

  • freedom of the media

  • the proper administration of government

  • open justice, and

  • national security.

Defences

The Act provides a range of defences that can be used to respond to a serious privacy invasion claim:

  • Lawful authority: if the invasion was required or authorised by Australian law or court order. For small businesses, this can relate to following work health and safety laws or mandatory reporting rules.

  • Consent: if the customer (or someone who had the right to act on their behalf) agreed to it, either clearly or by implication. It is important to understand what this consent covers. For instance, if a gym collects health information from its members, it does not mean that they can use that information for marketing purposes, like sharing a member’s weight loss journey.

  • Necessity: if the invasion was necessary to prevent a serious threat to someone’s life, health, or safety. While this might be more relevant to healthcare professionals, it can also apply in emergencies at workplaces. For example, a safety issue that requires entering private areas such as bathrooms to assist persons requiring urgent medical attention.

  • Incidental to defence of persons or property: if the invasion was incidental to exercising a lawful right to defend someone or something, and it was proportionate, necessary, and reasonable.

  • Defamation defences: specific defences relating to defamation including absolute privilege, publication of public documents, and the fair reporting of proceedings of public concern.

Remedies

If the customer is successful in their claim, the court can grant several remedies:

  • Injunction, including an interim injunction which restrains an invasion of privacy at any stage of proceedings

  • Damages up to $478,550, including exemplary damages which are awarded in situations where there is a flagrant disregard for following the law. This is to deter others from engaging in similar egregious behaviour.

  • Account of profits

  • Apology order

  • Correction order

  • Destruction or delivery-up of materials order

  • Declaration that the defendant has seriously invaded the plaintiff's privacy

These options are similar to those found in the consumer legislation that many small businesses might be familiar with. This allows the court to pick the best remedy or combination of remedies for each case.

What next and what you can do

While the new legislation has commenced, the parts relating to serious invasion of privacy begin on 10 June 2025 unless a sooner date is fixed by federal parliament. We encourage you to review your policies and procedures for handling personal information, and any activities which may ‘invade’ a person’s privacy, and to consider what changes may be necessary to reduce the chance of being subject to a claim for invasion of privacy.

If you need help, we are available to discuss strategies with you and review your existing practices to ensure your business is prepared for the upcoming changes.

Authors: Jason Sprague, Michael Cossetto and Juan Roldan