Organisations should be reviewing their privacy policy and practices to ensure they have addressed the new statutory tort for serious invasion of privacy which came into effect on 10 June 2025. The tort allows individuals (including children) to seek legal remedies for either of the following types of conduct:
- an intrusion on their seclusion; or
- misuse of their personal information.
A successful complaint will need to show:
- That there has been an invasion of privacy by intrusion (including into a private space and/or activities) and/or misuse of personal information in an inappropriate manner;
- In circumstances where an expectation of privacy exists – to be assessed on a case-by-case basis, considering the purpose of the invasion/misuse, nature of the information used, use of technology and attributes of the person (including whether they are a child);
- Intentional or reckless conduct – not merely inadvertent or negligent;
- The invasion being regarded as ‘serious’ (or ‘highly offensive’ per similar legislation in NZ, USA and Canada) which is intended to discourage trivial claims;
- There was no greater public interest which required disclosure of the information, such as public health and safety, freedom of the media, open justice and similar considerations.
Relevantly, claims can be brought against both organisations and individuals, providing a notable difference from the Privacy Act which makes only organisations liable for breaches of privacy. Organisations which are not currently subject to the Privacy Act will also be liable for any breach.
Claims must be brought within 12 months of a person becoming aware of the invasion of privacy, or 3 years after it occurred, whichever is earlier. Children (under 18) have a further period and can bring a claim at any time prior to their 21st birthday.
Courts can order a range of remedies, including injunctions, declarations, apologies and/or damages. An award of exemplary or punitive damages, or of damages for non-economic loss, is capped at $48,550 or the maximum available for non-economic loss in defamation (whichever is greater).
Defences are available. Those include where a person acted under legal authority (the behaviour was authorised by law), where action was necessary to prevent or lessen a serious threat to the health or safety of people or property and in situations where consent was provided.
Some exceptions also apply for the publication of journalistic or editorial content, to the sharing of information with (and use of information provided by) law enforcement agencies, and individuals under the age of 18.
The reforms also require entities to indicate (in their privacy policies) where a computer program, including an AI program, has been used by an organisation to make a decision which affects the rights of an individual, using their personal information. That is the case even if the organisation still has a ‘human in the loop’.
Organisations should act now to review their privacy practices and policies to take account of those changes, if they haven’t done so already.