The Privacy and Other Legislation Amendment Act (POLA Act) reforms have changed the privacy risk landscape under the Privacy Act.
For years, discussions about individual privacy rights of action have focused on two major reforms. Firstly, a statutory tort for serious invasions of privacy, which has now been legislated and will take effect on 10 June 2025. And secondly, a direct right of action under the Privacy Act, which has not been enacted… or has it? While the statutory tort has been widely anticipated, a significant new right under Section 80UA of the Privacy Act is already in force, introduced through POLA Act reforms. But here’s the catch — this isn’t a traditional, unrestricted right to sue.
Instead, what we have is a conditional right to take action. This right hinges on a key requirement: the OAIC must first establish a contravention through a civil penalty proceeding in the Federal Court. This means individuals cannot sue directly in the first instance – but once a contravention is established, they may be able to seek compensation.
So, do Australians now have a direct right of action under the Privacy Act? Not exactly. But in certain circumstances, this new right could operate like one, which is a big deal. It has significant implications for privacy risk, yet it remains largely overlooked in current legal discourse.
How does this work?
Under section 80UA of the Privacy Act, individuals can apply to the Federal Court for orders against an organisation if the Federal Court has determined that a civil penalty provision of the Act has been contravened.
If this condition is met, individuals can seek orders which include:
- Compensation – requiring the organisation to pay damages for any loss or harm suffered (or likely to be suffered).
- Corrective action – directing the organisation to take steps to mitigate harm caused by the contravention.
- Preventative orders – stopping the organisation from repeating or continuing the breach.
- Public disclosures – requiring the organisation to issue a statement acknowledging the breach.
A six-year limitation period applies, meaning individuals can pursue these claims long after the contravention has occurred — but only if successful regulatory court action has already taken place or is taking place.
The key point? This is not an independent right of action. Unlike other legal avenues where individuals can sue directly, this pathway is only available if the OAIC has brought proceedings and the Court has or will determine that a civil penalty contravention has occurred.
Why is this change so important?
Firstly, this is a completely new right. Secondly, until now a right of this kind would have been essentially redundant, because no organisation had ever been found to have contravened a civil penalty provision under the Privacy Act. That was because:
- Civil penalty provisions were very narrow, mainly applying only to serious or repeated interferences with privacy.
- The OAIC simply did not pursue civil penalties. Until recently, the regulator was reluctant to pursue civil penalties (potentially due to the high threshold and its self described role as an educator), preferring enforceable undertakings over court action.
But the POLA Act and the OAIC’s approach to enforcement have changed the game. The POLA Act expanded the scope of civil penalty provisions to include:
- Serious or repeated interferences with privacy (still included).
- Interferences with privacy, meaning even less severe breaches could now trigger penalties.
- Failure to comply with compliance notices, including notices relating to APP breaches.
- Breaches of certain Australian Privacy Principles (APPs), significantly expanding enforcement risk.
- Providing incomplete or inaccurate Notifiable Data Breach (NDB) notifications to the OAIC, increasing the stakes for data breach reporting.
Further, the OAIC has clearly indicated a shift towards a more active enforcement approach – in talk and in walk. We have seen the OAIC take aggressive enforcement positions against ACL, Medibank and Meta, and Australian Privacy Commissioner Carly Kind highlighted that the enhanced civil penalty regime would significantly bolster the OAIC’s enforcement toolkit, allowing for greater discretion and flexibility to apply a risk-based approach to enforcement. As a result, civil penalty enforcement is now far more likely than before.
And once the OAIC has established a contravention, individuals can rely on those proceedings to apply under section 80UA for compensation or other remedies.
What does this new right mean?
This development has significant implications for individuals, organisations, and the OAIC.
For individuals
Individuals still have other rights under the Act to bring court proceedings, such as enforcing a determination of the OAIC or in relation to a contravention of the credit reporting obligations under Part IIIA.
But they now have a potential pathway for privacy redress that has more value than either of these avenues. While they still cannot bring privacy cases directly without previous regulatory action, if the OAIC takes action and succeeds, affected individuals have a clearer path to compensation. Plaintiff law firms will be watching privacy enforcement cases closely, waiting for opportunities to pursue claims.
For organisations
The risk landscape has changed. Privacy non-compliance is no longer just about regulator fines—it now carries the added risk of direct claims from affected individuals. A regulatory penalty could be just the beginning of an organisation’s legal troubles. Once a civil penalty contravention has been determined by the Court, individual claims could follow, increasing financial and reputational risk.
For the OAIC
This new right of action puts a spotlight on the OAIC’s enforcement strategy. If the OAIC continues to resolve privacy breaches through enforceable undertakings or other settlements rather than court proceedings for civil penalties, individuals may rarely be able to use section 80UA.
This raises an important question: Will the OAIC take a more aggressive enforcement approach given that a failure to do so effectively limits individuals’ ability to seek redress?
It is important to note that, under Section 80UA, the OAIC also has standing to request these orders of the Court, so an answer to this issue might also be that the OAIC pursues both civil penalties and compensation orders in many cases. However, the OAIC will be comforted knowing that simply obtaining a civil penalty will be sufficient to allow individuals to fight their own fight.
Uncertainty remains: Application of Section 80UA
While this new right is now law, there is still uncertainty about how it will work in practice.
One key ambiguity is when an individual can apply for orders under section 80UA; the Act states that an order can be made if a court “has determined, or will determine” that a civil penalty contravention has occurred.
The POLA Act also makes it clear that the civil penalty does not need to be issued — only that a contravention of a civil penalty provision has been or will be determined. But what does “will determine” mean, and at what stage does that arise?
For example, if proceedings are still ongoing but the court has indicated that a contravention is likely, does that satisfy the requirement? Could an individual apply for relief before final orders have been made? These are critical procedural questions that will need to be tested.
Other open questions to consider:
- How will individual claims be structured? Section 80UA(1) suggests they must be brought within an existing OAIC penalty proceeding, but section 80UA(4) does not impose this limitation, leaving room for separate proceedings – which one is right?
- What types of harm will be covered? Unlike section 25 of the Privacy Act, which explicitly includes injury to feelings and humiliation, section 80UA only refers to “loss or damage”. Will emotional distress be compensable?
Unfortunately, the Explanatory Memorandum provides limited guidance.
Additionally, from a practical perspective:
- How often will the OAIC take cases to court? If it continues to favour settlements and undertakings, this new right of action may rarely be used.
- How will courts assess compensation? Australia has limited precedent for privacy damages—will courts follow UK/EU approaches, or take a more cautious stance?
- Will this lead to class actions? If civil penalty findings become more common, plaintiff law firms may start using section 80UA to launch privacy class actions.
Why wouldn’t an individual just use the tort?
You might wonder how Section 80UA differs from the statutory tort of serious invasion of privacy and why an individual wouldn’t simply rely on the tort instead. Firstly, they might try both. But while a detailed discussion of the tort’s application is best left for another article, there are several reasons why it may not be a suitable avenue for redress:
- Burden of proof – The tort requires an individual to establish and prove the cause of action (on the balance of probabilities), including a fault element of reckless or intentional interference with privacy. In contrast, under Section 80UA, an individual only needs to demonstrate that they would, or are likely to, suffer loss or damage due to a contravention of the civil penalty provision, which has already been determined by the Court.
- Damages cap – Damages under the tort are capped in line with defamation laws, whereas Section 80UA does not impose a cap on orders that may be made.
- Legal uncertainty – The interpretation of the tort is separate from the Privacy Act, creating greater uncertainty in its application and outcomes. In contrast, Section 80UA applies directly to a determined contravention of the Privacy Act, providing clearer legal guidance and interpretation.
- Application to data breaches – While the tort may theoretically apply to third-party data breaches, there is significant legal uncertainty because:
  - The tort requires that information be “misused,” raising questions about whether a data breach would meet this threshold.
  - The fault element requires reckless or intentional conduct, which could be difficult to establish in many data breach scenarios.
Ultimately, while the tort remains an option, Section 80UA could provide a more accessible and predictable avenue for individuals seeking redress for privacy breaches. In any case, it’s something that forms part of the ever-growing ramifications of a privacy failure.
How should organisations respond?
With privacy compliance now carrying higher stakes, we believe that organisations should act before they become the subject of regulatory enforcement.
Key suggested steps:
- Review privacy compliance to ensure alignment with the Privacy Act.
- Conduct data mapping (know your data) to understand what, how and why it is collected, where and how it is stored, how it is used and who it is shared with.
- Assess privacy maturity, identifying gaps and areas for improvement.
- Strengthen risk management through robust and efficient privacy management frameworks which include appropriate Privacy Impact Assessment processes and data breach response plans, procedures and preparations.
- Train employees in an ongoing, engaging, meaningful and demonstrable way, as human error remains one of the biggest privacy risks and the OAIC has made it very clear that staff are expected to be trained to ensure compliance with the Privacy Act.
- Prepare for potential claims by updating incident response and legal strategies to account for potential individual compensation claims under section 80UA.
Privacy compliance is no longer just about avoiding regulator fines—it’s about managing real legal exposure from multiple angles.
If you would like more guidance on anything outlined in this article, or privacy, data and AI governance more broadly, please contact us.