Australia's Privacy Tort Turns One: The Civil Liability Most SMEs Still Don't See
Australia's statutory tort for serious invasions of privacy turns one on 10 June. The first court test confirms it has teeth, and SMEs are exposed.
In October 2025, just four months after a new statutory tort for serious invasions of privacy came into force, the District Court of New South Wales handed down the first published judgment under it. In Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396, Judge Gibson granted urgent injunctions after the defendant published the plaintiff's private wedding photographs as part of what the Court described as a "campaign of extortion". The application was heard ex parte. The injunctions were issued within days. The new tort works as designed.
That matters to small and medium businesses because the tort is not enforced by the OAIC. Any individual can sue in their own name in the Federal Court, the Federal Circuit and Family Court, or a state Supreme Court. The Privacy Commissioner has confirmed it has no role in administering it. For Australian SMEs that have spent the last two years focused on Notifiable Data Breach reporting and Australian Privacy Principle compliance, the tort opens a second front: civil litigation by the people whose data you hold.
A lower threshold than most businesses realise
The tort, contained in Schedule 2 of the Privacy Act 1988 (Cth), requires five elements. There must be an invasion of privacy by intrusion upon seclusion or misuse of information, the plaintiff must have had a reasonable expectation of privacy, the conduct must be intentional or reckless, the invasion must be serious, and the public interest in protecting privacy must outweigh any countervailing interest.
The recklessness threshold is the part that should pull SME attention. Negligence alone is not enough, but a business that disregards an obvious risk of disclosing personal data can be found reckless. That is a meaningfully lower bar than deliberate wrongdoing, and it puts ordinary failures of access control, supplier oversight, and email hygiene into the same legal frame as malicious conduct.
There is no requirement to prove financial loss. Damages are available for emotional distress alone, capped at $478,550 (the cap is shared with defamation and indexed annually). Courts can also order injunctions, public apologies, retrieval or destruction of material, and accounts of profits. Class actions are open where multiple individuals are affected, a real consideration for any business holding a customer or patient database.
The latest Notifiable Data Breaches report from the OAIC, published in November 2025 and covering January to June 2025, recorded 532 notified breaches. Malicious or criminal attacks accounted for 59 per cent. Human error caused another 37 per cent: 193 incidents from misaddressed emails, accidental disclosures, and lost devices. Each of those events is now a potential civil claim, not just a regulator notification.
The vicarious liability problem
For SMEs, the more uncomfortable feature of the tort is vicarious liability. A company can be held responsible for invasions of privacy committed by an employee or agent in the course of employment, particularly where the employer gave the employee the occasion to commit the act (not just the opportunity) or where the conduct furthered business interests. Law firm Corrs Chambers Westgarth has identified scenarios that fit a small business profile exactly: an employee using a company phone to record someone, sharing customer information picked up on the job, or an insider leaking data they accessed at work.
For a 30-person engineering consultancy or a regional medical practice, that means privacy exposure now flows from the conduct of every person on the payroll, every contractor with a login, and every supplier touching personal data. The duty to manage that risk has shifted from a paperwork obligation to a litigation exposure.
Three things to check this quarter
Audit who has access to personal data inside your business and remove anyone who no longer needs it. Update your employment and contractor agreements so they include explicit obligations on confidentiality, device use, and the handling of customer information. Review your incident response plan so it includes rapid containment steps that limit further disclosure; courts can issue injunctions within days, and the speed of your response will be evidence in any later proceedings.
What changes in year two
The first year of the tort produced its first published decision in October 2025. The next 12 months will produce more. Plaintiff firms are publicly noting the tort as a growth area of practice, and the Kurraba judgment confirms that courts are willing to grant urgent interlocutory relief without lengthy proceedings. The one-year limitation period running from the date a plaintiff becomes aware of an invasion means claims arising from incidents in 2025 are still well within time.
The exemption list is narrow. It covers journalists in the course of journalism, intelligence agencies, law enforcement bodies, government in the performance of its functions, and people under 18. Most Australian businesses sit outside every one of those categories.
A practical first step is to ask one question of your own data handling: if a customer or employee discovered tomorrow that information about them had been mishandled by your business, even by accident, even by a junior staff member acting outside instructions, what is the case that you took reasonable steps to prevent it? The answer determines your exposure. From 10 June, the new tort enters its second year of operation having already made that exposure private, individual, and litigable.