Legal Insights

Recent Commonwealth privacy reforms – what do they mean for NSW local councils?

• 15 September 2025 • 10 min read

Over the past few years, and particularly in the wake of significant data breaches impacting high-profile Australian corporates such as Optus and Medibank, several privacy and data security reforms have been enacted at a Commonwealth level in Australia. 

Most recently, significant amendments to the Privacy Act 1988 (Cth) (Commonwealth Privacy Act) have been enacted by the Privacy and Other Legislation Amendment Act 2024 (Cth). Many of these amendments came into effect in June 2025. 

In summary, this most recent round of amendments to the Commonwealth Privacy Act:

  • introduce a new statutory tort for serious invasions of privacy
  • impose new transparency obligations in relation to automated decision-making
  • introduce a doxxing offence
  • require the Office of the Australian Information Commissioner to develop a code addressing online privacy for children
  • confer powers to ‘whitelist countries’ that provide substantially similar privacy protections, to assist entities to comply with their APP obligations when disclosing personal information overseas
  • enhance the OAIC’s enforcement powers, including through the introduction of new and increased penalties. 

Although the Commonwealth Privacy Act generally does not apply to local councils in NSW, some of the most recent changes to the Commonwealth Privacy Act do have application more broadly. These laws are far-reaching and will have implications for individuals and entities which are not otherwise bound by the Commonwealth Privacy Act or the Australian Privacy Principles (APPs).

In this alert we take a look at some of the most recent changes, and consider their implications for local councils in NSW.

A new right of action for serious invasions of privacy

Unlike other jurisdictions which have highly protective privacy laws, or which protect privacy as a fundamental human right, Australians have until now had very limited rights in relation to the protection of their own privacy. Although a tort of privacy has long been debated, it has not previously been legislated. This is despite the fact that legislating such a right was a key recommendation of the Australian Law Reform Commission in 2008, following a 28-month inquiry into whether existing legal frameworks, including common law rights, provided an effective framework for the protection of privacy in Australia.

Generally, until now, privacy interests have been protected only indirectly: through the criminal law, or through the right to sue for breach of confidence (and even that right has generally been exercised in relation to commercially sensitive information and trade secrets).

By way of a well-known example, in the Victorian Supreme Court case of Giller v Procopets [2004] VSC 113, the court found that a man who shared sexually explicit images of an ex-partner had breached her confidence, but also found that she had no right to recover damages. 

Quick tip

A tort is a civil wrong which gives a person the right to sue another person or organisation for damages. For example, negligence is a common tort. In Australia, up until June 2025, there was no tort for invasion of privacy. 

What has changed?

Following amendments to the Commonwealth Privacy Act, a new statutory tort for serious invasions of privacy now allows any individual (the plaintiff) to sue another individual or organisation (the defendant) where:

  • the plaintiff has a reasonable expectation of privacy;
  • the defendant either intruded on their seclusion or misused information relating to them;
  • the invasion of privacy was serious, and also intentional or reckless; and
  • the public interest in the plaintiff’s privacy outweighed any countervailing public interest.

Defences to the new tort include circumstances where the invasion of privacy was required or authorised by law, or was necessary to protect a person’s life, health or safety. The court may respond to the invasion of privacy by issuing an injunction restraining the defendant or awarding damages to the plaintiff.

While we are yet to see how Australian courts will interpret and apply this new tort, there is existing UK case law dealing with questions of reasonable expectation of privacy and public interest which is likely to be relevant. 

What are the implications for local councils in NSW?

The statutory tort for serious invasion of privacy is not limited in application to those agencies and organisations which are otherwise subject to the Commonwealth Privacy Act. In theory, an individual may sue any other individual or organisation for a serious invasion of privacy, including a NSW public authority or its employees. 

However, there are some protections built in under sections 16 and 16A of Schedule 2 of the Commonwealth Privacy Act. These exemptions provide that an individual will not have a cause of action against a State or Territory authority (as defined) or its employees for an invasion of privacy where this occurs in good faith when performing or purporting to perform an official function or exercising or purporting to exercise a power. 

Of course, local councils in NSW are already subject to the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act), which requires, among other things, that they only collect, hold, use and disclose personal information as permitted by the Information Privacy Principles (IPPs). 

Individuals who believe that a local council has improperly collected, held, used or disclosed their personal information may make a complaint to the NSW Information and Privacy Commissioner (IPC). However, they may now also have the ability to sue for a serious invasion of privacy under the Commonwealth Privacy Act. Previously, individuals did not have this express right. 

In light of this additional right of action, some key considerations for NSW local councils may include:

  • Use of CCTV: many councils maintain closed-circuit television (CCTV) systems for safety and security on their sites and in public areas. CCTV systems are a useful tool, but they also raise privacy risks, particularly if the footage is compromised or misused. Councils should be mindful of their existing obligations under NSW privacy and surveillance laws, as well as relevant NSW Government guidance on the use of CCTV.

    Action: review the use of surveillance devices, including CCTV, to ensure compliance with relevant laws. Develop and implement effective surveillance policies and internal policy guidance on the use and handling of footage, supported by regular staff training.
     
  • Use of social media: where councils maintain social media sites or websites which allow users to comment, they may be considered a publisher of comments and other content posted to these sites. As such, they could find themselves as a defendant if information constituting a serious invasion of privacy is posted on their own platform. 

    Action: Develop appropriate internal guidance, such as a social media policy.  Monitor and enforce compliance with internal policies, supported by regular staff training. 
     
  • Planning for and responding to data breaches: data breaches can occur in a range of ways, including through inadvertent or accidental use or disclosure of personal information.  It is essential to implement appropriate internal policies and procedures to manage and respond to data breaches, in accordance with the requirements of Part 6A of the PPIP Act. Councils facing a cyber security or data breach should follow the steps set out in their own internal data breach policies and comply with their obligations under the PPIP Act. This may include reporting obligations to affected individuals and the NSW Information and Privacy Commissioner.

    Action: Review and refresh (or implement) data breach policies and ensure these comply with the PPIP Act requirements and IPC guidance regarding the NSW mandatory notification of data breach scheme. Undertake staff training to ensure there is a sound understanding of the privacy risks associated with data breaches, and that key stakeholders are familiar with (and able to action) data breach response plans in practice.   

Doxxing Offence

Definition: 

Doxxing refers to releasing personally-identifiable information about an individual online without their consent, usually for a malicious purpose. 

Alongside the tort of serious invasion of privacy, the latest round of amendments to the Commonwealth Privacy Act has made doxxing an offence under the Commonwealth Criminal Code. 

It is now an offence in Australia to use a carriage service (which includes the internet) to release the personal data of one or more individuals in a way which is “in all the circumstances, menacing or harassing towards those individuals”. 

What are the implications for NSW local councils?

NSW local councils are already bound by the IPPs regarding the use and disclosure of personal information, but this change could make individuals, including Councillors, criminally liable for releasing personal information online if they do so in a menacing or harassing manner. 

It also means that Councillors and officers who are subjected to doxxing, something which is becoming increasingly common, will have recourse to these new offence provisions, although they will be reliant on the Australian Federal Police being prepared to investigate and prosecute.

Offshore disclosure of personal information 

The Commonwealth Privacy Act generally restricts organisations and entities bound by that Act from disclosing personal information to overseas recipients. However, an exception in Australian Privacy Principle (APP) 8 enables entities bound by the Commonwealth Privacy Act to send personal information offshore where the recipient is in a jurisdiction subject to a substantially similar law or binding scheme. Prior to this year, it was up to entities to make this assessment themselves and to bear the risk of being incorrect. 

What has changed?

The recent privacy reforms allow the Governor-General to make regulations which prescribe a pre-approved “white list” of jurisdictions for overseas disclosure of personal information for the purposes of APP 8. 

What are the implications for NSW local councils?

Under the PPIP Act, local councils must not disclose personal information to any person or body who is in a jurisdiction outside New South Wales, or to a Commonwealth agency. One exception to this prohibition applies where the council reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of the information that are substantially similar to the IPPs.

Although no jurisdictions have been prescribed to date under the new Commonwealth laws, it is likely that councils will be able to treat any jurisdictions which are prescribed as ‘safe’ in the same way for the purposes of their own compliance with the PPIP Act. 

Conclusion

While the recent reforms to the Commonwealth Privacy Act only apply to NSW local councils in limited circumstances, you should be aware of these reforms, the continued regulatory focus on privacy and data security, and the potential impacts of non-compliance.

Need more information or guidance?

Please reach out to us with any queries about compliance with the Commonwealth Privacy Act and the PPIP Act.

Ooma Khurana

Ooma advises public and private sector clients in information technology, consumer markets and telecommunications sectors, particularly in relation to regulatory compliance and technology.
