Beyond compliance: Real consequences attach to privacy failures

20 minute read  05.03.2026 Jaimie Wolbers, Helen Lauder, John Fairbairn

Privacy related investigations, enforcement action, penalties and litigation are real risks to Australian businesses.


Key takeouts


  • The Privacy Commissioner's regulatory toolkit has been enhanced to include a greater range of instances where civil penalties may be sought.  
  • The Privacy Commissioner may make a declaration that a complainant is entitled to compensation for any loss or damage suffered by reason of the interference with privacy.
  • The new privacy tort creates direct litigation risks beyond the APPs, including the potential for class actions and exemplary damages.

Australia’s privacy landscape has entered a markedly more assertive enforcement phase. As explored in our recent Regulatory Radar update on privacy compliance, the Office of the Australian Information Commissioner (OAIC) has commenced targeted compliance activity focused on privacy policy transparency, signalling that regulatory expectations have shifted decisively from guidance to enforcement.

This article looks beyond frontline compliance obligations to examine the litigation and dispute risks that arise when privacy compliance fails. In particular, it considers how regulatory investigations can escalate into infringement notices, civil penalty proceedings and private litigation, including complaints to the Privacy Commissioner and emerging claims under the statutory tort for serious invasions of privacy.

Action by affected individuals – complaints to the Privacy Commissioner

Individuals are increasingly aware of and willing to enforce their rights when it comes to protecting their personal information and preventing its misuse by third parties.

Privacy obligations in Australia are centred around the 12 Australian Privacy Principles (APPs), which are set out in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act). Any act or practice by an APP entity that breaches an APP in relation to the personal information of one or more individuals constitutes an interference with the privacy of that individual (or those individuals).

An individual is entitled to make a complaint about such an interference directly to the APP entity responsible for the conduct. If their complaint is not adequately resolved, they may escalate their complaint to the Privacy Commissioner, who can exercise the Commissioner's powers under the Privacy Act.

In most circumstances, the Privacy Commissioner must investigate that complaint. Depending on the nature of the complaint, the Privacy Commissioner may attempt to conciliate the complaint.

The Privacy Commissioner has broad powers to compel the production of documents and information, examine witnesses and conduct conferences and hearings in relation to their investigations.

Section 52(1) of the Privacy Act provides that after investigating a complaint, the Commissioner may:

  1. make a determination dismissing the complaint; or
  2. find the complaint substantiated and make a determination that includes one or more of the following:
    (i) a declaration:
      (A) where the principal executive of an agency is the respondent—that the agency has engaged in conduct constituting an interference with the privacy of an individual and must not repeat or continue such conduct; or
      (B) in any other case—that the respondent has engaged in conduct constituting an interference with the privacy of an individual and must not repeat or continue such conduct;
    (ia) a declaration that the respondent must take specified steps within a specified period to ensure that such conduct is not repeated or continued;
    (ii) a declaration that the respondent must perform any reasonable act or course of conduct to redress any loss or damage suffered, or to prevent or reduce any reasonably foreseeable loss or damage that is likely to be suffered, by the complainant;
    (iia) a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct (see section 52A);
    (iii) a declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint;
    (iv) a declaration that it would be inappropriate for any further action to be taken in the matter.

The decision to make a determination is a reviewable decision, meaning that the complainant or the entity the subject of the complaint may apply to the Administrative Review Tribunal for a review of the Privacy Commissioner's decision (see section 96(1)(c) of the Privacy Act) – as recently seen in the Bunnings facial recognition matter.

As can be seen, the Commissioner has a broad range of remedies that may be deployed in the context of a determination (including directions to take specified steps to achieve compliance). It is important for entities that receive a complaint to take real steps to attempt to remedy the matter both at the time of receiving a direct complaint, and in circumstances where the complaint is escalated to the Privacy Commissioner. This may include considering whether compensation is appropriate in the circumstances.

Where necessary, the complainant or the Commissioner may commence proceedings in the Federal Court (or Federal Circuit Court) to enforce the determination.

Further, following on from an investigation, the Commissioner may determine that they wish to seek civil penalties in connection with a contravention of the Privacy Act. This is discussed further below.

Making a complaint to the Privacy Commissioner is a relatively low-risk option for a complainant. However, once an entity is involved in the complaints process, it can take significant time and resources to arrive at a final resolution of the matter. This is in part due to the volume of complaints that the Commissioner receives.

Direct action by affected individuals – statutory tort

Separate from regulatory enforcement, privacy compliance failures may also expose organisations to private litigation risk under the statutory tort for serious invasions of privacy.

Section 7 of Schedule 2 of the Privacy Act provides that an individual may take action against a third party (being an entity, or another individual) where the individual had a reasonable expectation of privacy and:

  • the third party invaded the individual's privacy;
  • the invasion of privacy was intentional or reckless;
  • the invasion of privacy was serious; and
  • the public interest in the individual's privacy outweighed any countervailing public interest.

The claimant bears the onus of proving a number of complex elements, and the new statutory tort is by no means a straightforward pathway to compensation. Commencing proceedings inevitably involves considerable legal and financial risks – which the affected individual would not otherwise face if they were to make a complaint to the Privacy Commissioner. However, if a number of individuals are affected by the same or similar conduct of a company, this could give rise to the risk of a class action, which could limit the exposure for any one individual. As such, the potential threat of action under the statutory tort, including the possibility of a Court awarding exemplary or punitive damages, is an important factor for entities to consider when seeking to resolve a privacy-related complaint.

There has already been a reported decision concerning the new statutory tort in Kurraba Group Pty Ltd & Anor v Williams [2025] NSWDC 396. That case involved urgent interlocutory injunctive relief to restrain a defendant who had engaged in what the Court described as a "campaign of extortion". Significantly, the Court observed that the legislation was intended to provide "a flexible framework to address current and emerging privacy complaints and to provide individuals with the ability to protect themselves and seek compensation for a broader range of invasions of privacy than is the case under existing law".

It is possible that a Commissioner investigation and private action for serious invasion of privacy may occur concurrently, as there is nothing expressly in the Privacy Act that would prevent this from occurring. Further, section 22 of Schedule 2 of the Privacy Act provides that the Commissioner may, with leave of the court, intervene in proceedings or assist the court as amicus curiae. This means that there is a real risk that material disclosed by an entity to the Privacy Commissioner in connection with an investigation could be disclosed as part of the court process. In fact, section 33B(1) of the Privacy Act expressly provides that:

The Commissioner may disclose information acquired by the Commissioner in the course of exercising powers or performing functions or duties under this Act if the Commissioner is satisfied that it is in the public interest to do so.

Enforcement by the OAIC: civil penalties, infringement notices and compliance notices

The Privacy Act provides the Commissioner with a graduated suite of enforcement tools to address contraventions of varying severity. These range from infringement notices for relatively minor breaches, through to civil penalty proceedings in the Federal Court for serious interferences with privacy. Understanding the scope and application of each enforcement mechanism is critical for organisations seeking to assess and manage their regulatory risk exposure.

Civil penalty proceedings

Where the Privacy Commissioner forms the view that an entity has engaged in a serious or repeated interference with the privacy of an individual, the Commissioner may apply to the Federal Court for a civil penalty order. Civil penalty proceedings represent the most significant enforcement action available under the Privacy Act and are typically reserved for the most egregious contraventions.

Since 13 December 2022, the maximum penalty for a serious interference with the privacy of an individual is not more than the greater of:

  1. $50 million;
  2. if a court can determine the value of the benefit that the body corporate (and its related bodies corporate) directly or indirectly obtained from the contravention – three times the value of that benefit; and
  3. if a court cannot determine the value of that benefit – 30% of the adjusted turnover of the body corporate during the breach turnover period (being a minimum of 12 months) for the contravention.

The OAIC seeks penalties per breach, so a single event that interferes with the privacy of multiple individuals could attract a penalty that is a multiple of the above, i.e. significantly higher than $50 million.

The OAIC has demonstrated an increasing willingness to pursue civil penalty proceedings in high-profile matters. We recently wrote about the landmark civil penalty decision in Australian Information Commissioner v Australian Clinical Labs Limited [2025] FCA 1224, which confirmed the Court's approach to assessing penalty in privacy matters. Civil penalty proceedings have also been commenced against Optus and Medibank in respect of major data breach incidents.

Since 11 December 2024, the OAIC has also been empowered to seek a lesser civil penalty in respect of interferences with privacy that do not meet the threshold of "serious". The maximum penalty for such contraventions is 2,000 penalty units (currently $660,000). This tiered approach enables the OAIC to pursue enforcement action in respect of a broader range of contraventions, including those that may not warrant the significant resources required for proceedings seeking the maximum penalty, but which nonetheless warrant regulatory sanction.

Infringement notices

Infringement notices represent a further addition to the Commissioner's regulatory toolkit, introduced on 11 December 2024. An infringement notice may be issued where the OAIC has reasonable grounds to believe that an entity has contravened a civil penalty provision of the Privacy Act. The penalty payable under an infringement notice is 200 penalty units (currently $66,000 for a body corporate).

Infringement notices provide the OAIC with a potentially more efficient mechanism to address specific, discrete contraventions without the need to commence court proceedings. They are particularly suited to circumstances where the contravention is clear, the conduct is relatively contained, and the OAIC considers that the penalty amount is proportionate to the seriousness of the breach. An entity that receives an infringement notice may choose to pay the penalty specified in the notice, or may elect not to pay and instead have the matter determined by a court.

This enforcement model mirrors the approach that has been used effectively by the Australian Competition and Consumer Commission (ACCC) under the Competition and Consumer Act 2010 (Cth) (CCA) for many years. The ACCC routinely issues infringement notices for clear-cut breaches of the Australian Consumer Law, which is set out in Schedule 2 to the CCA, providing a swift resolution mechanism that avoids the cost and delay of court proceedings while still imposing meaningful consequences for non-compliance. The adoption of a similar framework by the OAIC signals a maturation of privacy enforcement in Australia and provides a useful reference point for organisations seeking to understand how the OAIC is likely to exercise these new powers in practice.

The first practical application of the OAIC's infringement notice powers is likely to arise from the recently announced compliance sweep, which we discuss in detail in our companion article.

We expect to see a number of infringement notices issued in the wake of the compliance sweep.

Compliance notices

The Commissioner may issue a compliance notice where satisfied that an APP entity has contravened a civil penalty provision of the Privacy Act. A compliance notice requires the entity to take specified steps within a specified period to ensure that the contravention is not repeated or continued. Failure to comply with a compliance notice is itself a contravention of the Privacy Act and may attract further enforcement action, including civil penalty proceedings.

Compliance notices serve a remedial rather than punitive function, directing entities to rectify deficiencies in their privacy practices. However, they carry significant practical implications: non-compliance with a notice may escalate regulatory scrutiny and expose the entity to more serious enforcement action. The OAIC may also publish details of compliance notices issued, which can have reputational consequences for the entity concerned.

Basis on which the OAIC will take action

With such a broad array of tools at its disposal, how does the OAIC determine what action to take in respect of any particular matter?

The OAIC's recent enforcement actions in high-profile matters such as Optus and Medibank demonstrate an increasingly litigation-ready approach, with the regulator willing to bring cases that serve broader legal and deterrent purposes and clarify unsettled areas of privacy law. The OAIC's Privacy regulatory action policy sets out a lengthy list of factors that the OAIC will take into account in deciding when to take privacy regulatory action, and what action to take. Those factors include the following:

  • the objects of the Privacy Act (set out in s 2A)
  • the seriousness of the incident or conduct to be investigated (or the potential impact of a proposal), including:
    • the number of persons potentially affected
    • whether the matter involves ‘sensitive information’ or other information of a sensitive nature
    • the adverse consequences caused or likely to be caused to one or more individuals arising from an incident or conduct
    • whether disadvantaged or vulnerable groups may have been or may be particularly adversely affected or targeted
    • whether conduct was deliberate or reckless
    • the seniority and level of experience of the person or persons responsible for the conduct
  • the level of public interest or concern relating to the conduct, proposal or activity (with regulatory action more likely to be taken where significant public interest or concern exists)
  • whether the burden on the entity likely to arise from the regulatory action is justified by the risk posed to the protection of personal information
  • the specific and general educational, deterrent or precedential value of the particular privacy regulatory action, including whether pursuing court action (where applicable) would test or clarify the law
  • whether the entity responsible for the incident or conduct has been the subject of prior compliance or regulatory enforcement action by the OAIC, and the outcome of that action
  • the likelihood of the entity contravening the Privacy Act, or other legislation that confers functions relating to privacy on the Commissioner, in the future
  • whether the conduct is an isolated instance, or whether it indicates a potential systemic issue (either within the entity concerned or within an industry) or an increasing issue which may pose ongoing compliance or enforcement issues
  • action taken by the entity to remedy and address the consequences of the conduct, including whether the entity attempted to conceal a contravention or a data breach, and whether the entity cooperated with the OAIC and notified affected individuals if appropriate
  • the time since the conduct occurred
  • the cost and time to the OAIC in order to achieve an appropriate remedy through enforcement action
  • whether there is adequate evidence available and admissible in a court to prove a contravention on the balance of probabilities
  • that a new personal information handling activity or function or change to an existing personal information handling activity or function is planned, or a new personal information handling practice has been recently implemented or an existing practice changed
  • any other factors which the OAIC considers relevant in the circumstances, including factors which are relevant to the specific regulatory power being used.

The role of other regulators and complaint bodies

Entities should also be aware that the OAIC is not the only body to play a role in enforcing privacy obligations, and of the OAIC's relationships with other enforcement and complaint bodies.

Australian Competition and Consumer Commission (ACCC)

If any statements in a privacy policy are misleading or deceptive, there is a risk that the ACCC may take enforcement action under the Australian Consumer Law. For example, in 2022 Google LLC paid $60 million in pecuniary penalties following action by the ACCC in connection with misleading statements about Google's use of individuals' location data on Android mobile devices. See: Australian Competition and Consumer Commission v Google LLC (No 4) [2022] FCA 942.

Fair Work Commission

The Fair Work Commission has also had cause to consider the scope of the employee record exemption under the Privacy Act in Lee v Superior Wood [2019] FWCFB 2946, finding that the exemption is limited to information already contained in the employee record and does not extend to information or records not yet in existence, such that employers must comply with the Privacy Act when they collect their employees' personal information.

Australian Communications and Media Authority (ACMA)

ACMA regulates telecommunications providers under the Telecommunications Act 1997 (Cth) and related instruments. While the OAIC's regulatory focus is on privacy and data protection failures under the Privacy Act, ACMA's role concerns whether telecommunications carriers and service providers meet their obligations under the telecommunications regulatory framework, particularly in relation to safeguarding customer information and complying with industry rules and codes.

ACMA has commenced its own proceedings against Optus, separate from the OAIC's civil penalty action, arising from the September 2022 data breach. This demonstrates that a single data breach incident can give rise to concurrent regulatory action by multiple regulators, each exercising jurisdiction under different legislative frameworks. Entities operating in regulated industries should be aware that privacy-related incidents may attract scrutiny not only from the OAIC, but also from sector-specific regulators with overlapping but distinct enforcement mandates.

The Australian Securities and Investments Commission (ASIC)

ASIC has also played a role in requiring financial services licensees to maintain adequate levels of cyber resilience. In 2022, the Federal Court delivered judgment in ASIC v RI Advice Group Pty Ltd [2022] FCA 496, where ASIC took action in connection with breaches of the Corporations Act 2001 (Cth) relating to failures to have adequate risk management systems to address cyber security risks.

Regulator co-ordination and co-operation

The OAIC has a broad remit to interact with other enforcement and complaint bodies, and is specifically empowered under the Privacy Act to:

  • share information with an enforcement body (e.g. the Australian Federal Police, National Anti-Corruption Commission or ASIC), alternative complaint body (e.g. the Australian Human Rights Commission or eSafety Commissioner), or a State, Territory or international authority that has the function to protect the privacy of individuals; and/or
  • refer an investigation to a number of alternative complaint bodies, such as the Australian Human Rights Commission or the eSafety Commissioner, where the Privacy Commissioner forms the view that a matter could be more conveniently or effectively dealt with by that alternative complaint body.

The potential for information sharing, for matters to be referred to alternative bodies, and the risk of enforcement of privacy obligations by bodies other than the OAIC mean that entities that are the subject of a privacy complaint and investigation need to seriously consider the potential broader impacts of such an investigation (including outside of Australia).


As the OAIC continues to pursue a more assertive enforcement agenda, organisations should expect increased regulatory scrutiny to be accompanied by heightened litigation and dispute risk. Complaints, investigations and enforcement action can quickly escalate into complex, time‑consuming and costly proceedings.

Our intellectual property, privacy, disputes and regulatory teams regularly assist organisations navigating investigations, responding to complaints, managing litigation risk and resolving privacy‑related disputes. Early engagement and strategic decision‑making are critical to limiting exposure and achieving optimal outcomes.

https://www.minterellison.com/articles/beyond-compliance-real-consequences-attach-to-privacy-failures