
Major Privacy Law Reforms Signal New Compliance Era for Employers
On 29 November 2024, the Australian Parliament passed the Privacy and Other Legislation Amendment Bill 2024 (Cth) (POLA Bill 2024), ushering in the most significant overhaul of the Privacy Act 1988 (Cth) in decades. These reforms are the first legislative response to the extensive Privacy Act Review initiated in 2020 and finalised in 2023.
For employers, these reforms are not merely technical: they introduce a new statutory tort for serious invasions of privacy, two new criminal offences targeting doxxing, stronger enforcement powers for the Office of the Australian Information Commissioner (OAIC), and new transparency obligations around employee information. Importantly, the reforms lay the groundwork for future changes to the employee records exemption, meaning businesses must act now to mitigate risk.
Increased Risk of Legal Action from Employees
One of the most consequential changes for employers is the introduction of a statutory tort for serious invasions of privacy. This allows individuals (including employees) to sue in court for intentional or reckless misuse of their personal information or unjustified intrusions into their seclusion. If an employee accesses, shares, or misuses another employee’s personal data using work systems, the employer may be vicariously liable.
Elements of the Tort:
Type of invasion: the plaintiff must prove that the invasion occurred through intrusion into seclusion (e.g., unauthorised surveillance)
Reasonable Expectation of Privacy: factors in determining this include the nature of the information, the context of the intrusion or misuse, and the affected individual's age, culture or expressed desire for privacy.
Intent or Recklessness: the act must have been intentional or reckless (negligence is not sufficient)
Seriousness of the invasion: considerations include the degree of offence or harm, whether the perpetrator knew the likely impact, and their motivation.
Balancing Public Interest: courts will weigh the public interest in privacy against any countervailing public interest (e.g., law enforcement or freedom of expression)
Available Defences:
- Consent (express or implied)
- Public interest activity (e.g. journalism or law enforcement)
- Legitimate government functions
Remedies:
- Monetary compensation
- Injunctive relief
- Declarations
- Courts may issue summary judgement (OAIC may intervene with leave)
What Has Changed?
1. Privacy Act 1988 (Cth) – Amended by the POLA Bill 2024
- The amendments to the Privacy Act in relation to the tort include damages capped at $478,550
- The OAIC can now issue compliance and infringement notices, conduct public inquiries, and pursue civil penalties with enhanced authority.
- Civil penalty for breach of the tort
- Up to $3.3 million for non-serious breaches.
- Penalties also now apply to lower-tier breaches.
- Entities must disclose automated decision-making (ADM) practices that significantly impact individuals.
- Expanded powers for the Attorney-General and OAIC to respond to crises or declare significant breaches.
2. Criminal Code Act 1995 (Cth)
Two new criminal offences were inserted into Part 10.6 of the Criminal Code Act 1995 (Cth) to specifically address the malicious release of personal information, commonly referred to as doxxing.
- Malicious Disclosure of Personal Information Using a Carriage Service
This offence criminalises the act of intentionally disclosing another person’s personal information via a carriage service (e.g., phone, internet, email) with the intent to cause harm, such as:
- Harassment
- Threats or intimidation
- Emotional or reputational damage
The offence targets situations where information (such as home addresses, phone numbers, or private photographs) is shared online or by electronic means to cause distress or facilitate abuse.
- Threatening to Disclose Personal Information Using a Carriage Service
This offence covers situations where a person threatens to disclose someone’s personal information, again via a carriage service, and does so:
- With the intention to coerce, intimidate, or harass; or
- Recklessly, knowing that harm may result.
These offences are punishable by criminal sanctions, though specific maximum penalties (e.g., imprisonment terms or fines) are subject to further legislative specification or judicial discretion upon conviction.
What This Means for Your Business
1. Vicarious Liability for Employee Misconduct
Employers are now at risk of being held liable if employees misuse private data during the course of their work. This includes:
- Sharing sensitive employee or client information acquired at work.
- Using work-issued devices to spy, record, or disclose private information.
- Mishandling automated decision-making tools impacting employees (e.g. automated termination or performance assessments).
2. Review and Revise Employment Contracts
Employment agreements should now:
- Explicitly define employee obligations regarding privacy, data use, and disclosure.
- Address the consequences of privacy breaches or misuse of information.
- Incorporate clear terms around the use of ADM and employee monitoring tools.
3. Policy Overhaul and Privacy Training
Employers must:
- Update privacy policies to reflect new obligations.
- Include ADM practices and data breach reporting procedures.
- Conduct regular privacy training for all staff, especially those handling employee records or sensitive data.
Further Reform and the Employee Records Exemption
Currently, section 7B(3) of the Privacy Act exempts private sector employers from certain privacy obligations when handling employee records related to current or former employment.
However, this exemption is under review. The Privacy Act Review Report and the Government’s in-principle support indicate that:
- The exemption will not be removed entirely, but may be limited to uplift employee privacy protections.
- Further consultation with employers and unions will shape how privacy and workplace relations laws interact in the future.
Employers should not assume the exemption will remain unchanged. Now is the time to future-proof workplace privacy practices.
Immediate Action for Employers
To reduce exposure to liability under the reformed Privacy Act, employers should:
- Conduct a full privacy compliance audit: Assess current data handling practices, especially regarding employee records.
- Update employee contracts and workplace policies: Include robust privacy obligations, breach reporting duties, and ADM transparency.
- Limit unnecessary data collection: Retain only data necessary for employment and operational purposes.
- Train staff: Educate managers and employees on their responsibilities under the new laws.
- Monitor reform developments: Stay informed about the proposed changes to the employee records exemption and broader privacy reforms.
Compliance Is No Longer Optional
The passage of the Privacy and Other Legislation Amendment Bill 2024 (Cth) is a wake-up call for Australian businesses. Employers can no longer afford to treat privacy as a peripheral concern. With expanded avenues for legal action, regulatory scrutiny, and potential liability, proactive risk mitigation is critical.
For further information on how these changes impact you and your business, contact Maguire Legal here