Many organisations cut corners when it comes to cybersecurity and privacy. If your private information has been accessed without permission, shared without your consent, or exposed in a data breach, you may be able to sue for compensation. 

Recent changes to Australian privacy law have made it easier for you to hold organisations accountable when they mishandle your personal information.

Australia’s new privacy laws

Since 10 July 2025, Australia has had a statutory cause of action for serious invasions of privacy. This landmark reform means you can now seek compensation when your privacy has been breached. 

Before this change, you could complain to the Office of the Australian Information Commissioner (OAIC), but this didn’t result in financial compensation. Now, if you’ve suffered a serious invasion of privacy, and the legal requirements for a claim are met, you can take legal action and claim damages.

What counts as a serious invasion of privacy?

Not every privacy breach qualifies as “serious” under the new laws. For a successful claim, you need to show that the invasion of privacy was objectively serious, considering the nature of the information and the circumstances.

Examples of serious privacy invasions include unauthorised access to, or disclosure of, your medical records, sharing intimate or sensitive personal information without consent, data breaches exposing financial or identity information, surveillance without proper authorisation, and publication of private photographs or information.

The more sensitive the information and the greater the impact on you, the more likely it is to be considered serious.

Who can you sue?

You can seek compensation from individuals or organisations whose conduct seriously invaded your privacy. This includes employers who mishandle your personal information, healthcare providers who breach medical confidentiality, companies that fail to protect your data, government agencies that improperly access or disclose your information, and individuals who share your private information without consent.

The defendant’s conduct must have been intentional or reckless, in that they knew or should have known their actions would invade your privacy.

What do you need to prove?

To succeed in a privacy breach claim, you need to establish several elements. First, the invasion of your privacy was serious. Second, you had a reasonable expectation of privacy in the circumstances. Third, the defendant’s conduct was intentional or reckless. Fourth, there was no lawful justification for the invasion (such as your consent or a legal requirement).

If you can prove these elements, you may be entitled to compensation for distress and hurt to feelings, harm to your reputation, financial losses resulting from the breach, and in some cases, aggravated or exemplary damages.

Time limits for privacy claims

You generally have one year from when you became aware of the serious invasion of privacy, or three years from when it occurred (whichever is earlier), to start legal action. These are strict deadlines, so it’s important to seek legal advice quickly if you believe your privacy has been seriously invaded.

How MEJ can help

At Maliganis Edwards Johnson, we represent people whose privacy has been seriously invaded. We understand that privacy breaches aren’t just about data; they’re about dignity, trust, and the profound impact of having your most private information exposed or misused.

If your privacy has been seriously invaded, you don’t have to accept it. Australia’s new privacy laws give you real rights to seek compensation and accountability. For a free, confidential consultation about your privacy breach, contact Maliganis Edwards Johnson today.

Call us on 1800 570 778 or contact us online.
