Peter A Clarke

Last Friday, 28 May 2026, the New South Wales Parliamentary Research Service has released a Report, NSW privacy law and the new tort of serious invasion of privacy. It is authored by Barbara McDonald, Professor Emerita of the University of Sydney Law School. Professor McDonald conducted the Australian Law Reform Commission enquiry into digital privacy which was published as the Serious Invasions of Privacy and the Digital Era in 2014.

Key aspects of the Report are:

Concept of privacy

• It is generally used to refer to privacy of information, privacy of communications and personal privacy, with the last aspect being the most general and undefined in scope.
• The right to privacy is recognised in the Universal Declaration of Human Rights and the International Covenant of Civil and Political Rights 1966 (ICCPR), which was ratified by Australia in 1980.⁴ Article 17 of the ICCPR provides that:

1. 1. No one should be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
   2. Everyone has the right to the protection of the law against such interference or attacks.

• Ultimately, privacy underpins individuals’ ability to live fulfilled lives by allowing them to develop autonomy, forge family and other relationships, develop independent thoughts and opinions, obtain assistance when necessary, and communicate with others on matters of social, personal and democratic importance.
• Personal privacy encompasses bodily privacy and privacy in physical places.
  • Bodily privacy underpins physical safety, integrity and personal dignity.
  • Privacy in physical spaces underpins personal security and safety as well as freedom of movement and association.
  • Personal privacy may also be said to encompass the rights to a family life which are recognised in international covenants
• Informational privacy refers to privacy over information or data, in whatever form, about a person, including their relationships, their activities and their movements. It:
  • may or may not be classed as confidential information, depending on the circumstances. It includes health information and personal financial information.
  • overlaps with other aspects of privacy as disclosure of private information about a person can affect their relationships, dignity, security and freedoms.
• Communications privacy:
  • refers to all manners and forms in which a person or entity may communicate with others, and may include draft or unsent communications.
  • overlaps with informational and personal privacy due to the human interaction involved in, and the content of communications. Examples might relate to personal correspondence between people in a relationship or closed group, or between a professional advisor and patient or client. The digital revolution and technological advances providing new ways to communicate have also opened up new ways to invade communications and other aspects of privacy

Existing privacy laws

• the common law of Australia has not kept up with the law developed elsewhere. Further, the absence of Australia-wide human rights legislation such as in the United Kingdom or New Zealand has no doubt meant that the springboard for the courts to develop private remedies is also absent.

• Bodily privacy is protected in the common law by the torts of trespass to the person (which includes battery, involving non-consensual physical interference) and assault (which involves threats of imminent violence). These tort actions provide no protection against indirect interferences such as visual snooping or photography or filming of a person without consent, nor against the use or communication of such footage

• Any unlawful entry is a trespass to land. While there is implied permission to enter for a range of lawful purposes, an entry for a purpose outside those lawful purposes will be treated as trespass and a person in breach of the entry conditions may become a trespasser. Media crews have been sued for trespass in such cases
• A limitation of existing law is that only the occupier with exclusive possession could sue for trespass
• The tort of private nuisance protects an occupier’s quiet enjoyment of their land and premises from a substantial interference caused by the extraordinary activities of a neighbour or other person outside the land
• Confidential information–information imparted under an obligation to keep it confidential–has long been protected by the courts, ever since Prince Albert obtained an injunction to stop the publication of descriptions of Queen Victoria’s private etchings of their family life which had been entrusted just for personal copies to be made
• Where photography is taken in an intimate context it is an actionable breach of confidence, remedied by an injunction and/or damages, to communicate those images or recordings to third parties without consent
• the law on confidential information may not necessarily protect private information fully: it may not have been imparted under an obligation to keep it confidential; it may have become publicly or widely known (and yet still be private in nature); and the law on breach of confidence is usually more concerned with preventing misuse or disclosure than remedying injured feelings after the breach
• The Telecommunications Interception and Access Act 1979 (Cth) applies to communications using telecommunications. Section 7 prohibits the interception of a communication passing over a telecommunications system and makes it unlawful to authorise or permit or enable another person to intercept such a communication. It only applies to interceptions during the passage of communications over a network. It does not, for example, apply by placing a tape recorder beside the telephone receiver (although state legislation may then apply
• in NSW is the Surveillance Devices Act 2007 (NSW) which provides important, but not complete, protection for personal and communication privacy. This Act provides that a person must not knowingly install, use or maintain a listening device to overhear, record, monitor or listen to a private conversation. Among the exceptions is where all principal parties consent to the recording.  A private conversation is defined as a conversation carried on in circumstances that may reasonably be taken to indicate that any of the parties’ desire to be heard only by themselves or by someone to whom they have given consent. It does not include a conversation in which the parties ought reasonably to expect that it may be overheard by someone else
• With regard to optical devices, a person must not knowingly install, use or maintain an optical surveillance device on or within premises or a vehicle to record visually or observe the carrying on of an activity where that involves entry on the premises or a vehicle without the consent of the owner or occupier or interference with the vehicle
• The Privacy Act 1988 (Cth) regulates the use of personal information by Commonwealth and other government entities, commercial entities or corporations with an annual turnover of more than $3 million, and small business entities that deal in personal or health information. Other small business entities holding personal information are not regulated by the Act. Personal information is defined as ‘information or opinion about an identified individual, or an individual who is reasonably identifiable, whether or not true and whether or not in material form’. Information about an individual may come within the definition even though it is not, in fact, what would be considered to be private or confidential information.
• The Privacy Commissioner, as a member of the Office of the Australian Information Commissioner (OAIC), is charged with overseeing and enforcing the operation of the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs) contained in that Act
• The consequence of an entity not complying with, for example, the Australian Privacy Principles or other provisions of the Privacy Act 1988 may be an adverse determination by the Commissioner. The entity may seek a review of that determination by the Administrative Review Tribunal or commence judicial review proceedings. Orders to enforce the Commissioner’s determination may be made by the Federal Court of Australia
• The limitations of privacy legislation are that is the lack of a private or direct remedy in the courts for an individual who has been adversely affected by a breach of the legislation, rather than the indirect and time-taking route of seeking a determination to be enforced in federal courts. Importantly, this omission also reduces the availability of class actions which may be a more economical route than individual actions for a group of people adversely affected by a breach
• There is an exemption for media organisations for acts and practices carried out ‘in the course of journalism’; with the latter term not being defined. To be protected by this exemption, the media organisation must show itself to be bound by a code of practice, a form of self-regulation. It has been commented that the ‘level of protection [of personal privacy] that these codes provide in practice is questionable.’That will continue to be so, given that the exemption for journalists and media organisations under the new tort, as discussed in the next section, does not depend on their compliance with industry codes of conduct

The new tort

• the elements of the new tort are:

(a) The defendant invaded the plaintiff’s privacy by:

(i)intruding upon the plaintiff’s seclusion and/or

(ii)misusing information that relates to the plaintiff, and

 

b) a person in the position of the plaintiff would have had a reasonable expectation of privacy in all the circumstances, and

(c)the invasion of privacy was intentional or reckless, and

(d) the invasion of privacy was serious, and

(e) the public interest in the plaintiff’s privacy outweighed any countervailing public interest

• the plaintiff must have had a ‘reasonable expectation of privacy’. In assessing this, the court may consider a range of factors, including, for example, the means (including the use of any device or technology) used to invade the plaintiff’s privacy, the plaintiff’s age or cultural background, whether the plaintiff invited publicity or manifested a desire for privacy, and the place and nature of the intrusion
• the invasion of privacy must have been committed intentionally or recklessly.  Mere negligence on the part of the defendant, such as emailing the wrong recipient with private information about the plaintiff, losing private documents or failing to secure private information, will not be sufficient fault to base an action, although a high degree of negligence could potentially amount to recklessness
• When assessing whether the invasion of privacy was ‘serious’ the court may consider a number of factors, including the likely degree of distress or harm to a person of ordinary sensibilities and whether the defendant knew of the plaintiff’s particular sensitivity or was malicious
• the public interest in the plaintiff’s privacy outweighed any countervailing public interest. This requirement reflects 2 matters:
  • first, that protection of personal privacy is often important not just to the plaintiff personally but also to the proper functioning of society more generally, such as in the fields of law enforcement, medical and welfare systems, education, and information gathering by government.
  • secondly, it rests on the general acceptance that the right to privacy is not absolute in modern society and must be balanced against many other matters of countervailing public interest
• A number of defences to the action are provided:
  • that the invasion of privacy was required or authorised by law;
  • consent;
  • necessity to prevent serious threat to life, health or safety; self-defence; and
  • certain privileges (such as the absolute privilege that is provided to members of parliament against liability in defamation for statements made in parliamentary proceedings)
• The court is empowered to award a range of damages, including damages for emotional distress. No separate award for aggravated damages—for conduct involving special humiliation and aggravation of injury—is available because any such conduct and effect on the plaintiff will already have been taken into account by the court when assessing damages for emotional distress. A court may take into account a range of matters when determining the amount of damages, many of which encourage de-escalation and early settlement of a dispute out of court, including:
  • apologies or failure to apologise,
  • corrections,
  • settlement offers and aggravating conduct. 
  • Damages may include exemplary damages (also known as punitive damages) in exceptional circumstances. Exemplary damages may be awarded at common law where the defendant has acted deliberately in outrageous disregard of the plaintiff’s rights
• a key feature is an exemption for journalists and related persons or entities where the invasion of privacy involves the collection, preparation for publication or publication of ‘journalistic material’.
• ‘Journalistic material’ is material that ‘has the character of news, current affairs or a documentary’; commentary or opinion on or analysis of news, current affairs or a documentary; or editorial content relating to news, current affairs or a documentary.  The exemption protects only professional journalists who are subject to standards of professional conduct or a code of practice that applies to journalists.Yet, paradoxically, it is stated to be immaterial whether the invasion of privacy breaches the standards or the code of practice to which the journalist is subject.
• There is also a broad exemption in favour of a range of law enforcement and other public entities from liability for serious invasions of privacy. These exemptions apply to:
  • An agency or a state or territory authority to the extent that the agency or authority, or a staff member, invades an individual’s privacy in good faith in the performance of a function or exercise of a power
  • Law enforcement bodies and staff in the performance of duties or involving disclosures of information to or by a law enforcement body

  • Intelligence agencies, agents, staff and affiliates, (including invasions of privacy involving disclosures of information to or by an intelligence agency

Some current privacy issues and the role of the new tort

Data breaches

• A data breach occurs when personal information is accessed or disclosed without authority, usually by untraceable hackers, often based offshore. Personal information may include financial information and passport information.
• Mandatory reporting of certain ‘notifiable data breaches’—those that are likely to cause serious harm—is now in force to encourage swift remediation and prevention of further problems. The Office of the Australian Information Commission (OAIC), has limited resources and so pays particular attention to systemic problems or repeated incidents, serious non-compliance by entities, and an organisation’s response to a data breach. Reforms to the Privacy Act 1988 in 2024 included enhanced enforcement powers for the OAIC.
• the Australian government has not, as yet, introduced the second tranche of reforms to the Privacy Act 1988 (Cth) to give a direct right of action to individuals and groups whose privacy has been interfered with by an entity subject to the Australian Privacy Principles. In the meantime, individuals may apply to the Federal Court for injunctive relief against an entity or complain to the OAIC and have a determination awarding compensation or other remedies enforced in the federal courts.
• As to the organisations which collect, store and secure the individual’s personal information in databases in the course of their business or operations, liability under the new tort would be unlikely. The new tort requires the privacy invading conduct to be intentional or reckless. A one-off data breach caused by malicious actors may have occurred without fault on the organisation’s part. Even if the organisation had been negligent in its security of data, this may fall short of the level of recklessness required for liability under the new tort. However, the prospect of liability under the new tort may encourage organisations to adopt enhanced security protocols to avoid being judged reckless in their collection, care and use of individual’s information

Facial recognition software

• A person’s facial image and other biometric data is classed as sensitive information under the Privacy Act 1988 (Cth) and generally can only be collected with the consent of the person. Collecting sensitive information without consent would be a breach of the Australian Privacy Principles
• Whether or not the collection of a person’s image and whereabouts by the use of facial recognition software would amount to an actionable invasion of privacy under the new tort would depend very much on the context, but may well amount to an actionable invasion of privacy in some situations. One of the proscribed ways of invading privacy, ‘misusing information’, is defined for the purposes of the tort as including, but not being limited to ‘collecting, using or disclosing information about an individual’.
• It would seem obvious that a person’s image is information about an individual. Whether or not the person had a reasonable expectation of privacy in the circumstances would depend on the location, purpose and proposed use of the collection of the person’s image, and whether the person was taken to have consented to the collection and use, for example, by having been given notice and having a choice as to whether to proceed in the light of that notice. The disclosure of that information could be a separate form of invasion of privacy, not necessarily covered by the consent given. However, to claim under the new tort the person’s expectation of privacy would need to be balanced against any public interest in the proposed use and disclosure of the information—for example, public safety and law enforcement

AI deepfakes and other uses of a person’s image

• new technologies, including AI programs, enabling the creation of ‘deepfake’ imagery for a range of nefarious purposes, including humiliation and bullying, defamation, harassment, pornography, identity theft and fraud, and misinformation about political figures.
• Creating and disseminating a deepfake using a person’s image could amount to ‘misuse of information that relates to the plaintiff’ and thus within the actionable conduct under the new tort for a claim by a private individual against the perpetrator for serious invasion of privacy.
• the result of the fake image will be humiliation of the person and serious distress, rather than damage to reputation, so that invasion of privacy is the more appropriate action. The fact that a professed intimate or sexualised image is fake and not true will not prevent it being held an invasion of privacy: the new tort specifically provides that it is immaterial whether the information that relates to the plaintiff was untrue.
• Fake images of celebrities, experts or other well-known business and political leaders, deployed for fraudulent purposes such as soliciting money or investments into a sham fund, raise different issues. While a highly objectionable use of a person’s image and unlawful on many other grounds, it may be problematic to see this sort of conduct as an invasion of the figure’s privacy, when their image is already highly publicised.
• Whether or not the new tort should extend to appropriations or uses of a person’s image, and whether Australian law should generally be more protective of image rights is an issue ripe for consideration in the light of technological advances and practices.