InfoRM Privacy Law Update – August 2015

Home Insights InfoRM Privacy Law Update – August 2015

In this edition of InfoRM:

Credit agencies in the news

Credit providers and debt recoverers have made a remarkable contribution to privacy law in recent times. Coupled with the Human Rights Review Tribunal’s (Tribunal) “recalibration” of the “spectrum of damages” in Hammond v Credit Union Baywide [2015] NZHRRT 6 (featured here in our March edition), recent cases provide a clear warning to those providing credit and recovering debts that other industries should also heed.

If you attended our recent “Privacy Trends” seminar or read our update last month, Taylor v Orcon [2015] NZHRRT 15 may sound familiar to you. There, the Tribunal found that Orcon had breached privacy principle 8 (which relates to whether information is accurate or misleading) because it could not show that it had taken reasonable steps to ensure the accuracy of a debt that it had referred to a collection agency. The Tribunal arguably expanded the test for causation, and ordered damages of $25,000 on the basis of Orcon’s conduct being a “more than minimal” cause of the harm. Mr Taylor was also awarded costs of $5,500.

A similar case arose in the United Kingdom last year. In Grace & Anor v Black Horse Ltd [2014] EWCA Civ 1411, a wrongly entered default caused Mr Grace and his partner difficulties with their accommodation. Mr Grace had a default lodged against him regarding a debt that was later declared unenforceable by the Court.  Despite that declaration, the default was registered a second time, before being withdrawn upon Mr Grace’s complaint. Prior to the second withdrawal, Mr Grace’s partner renewed the hire purchase agreement for her “static caravan”, and found herself being charged an increased rate of interest because she was cohabitating with Mr Grace. This situation was very similar to Mr Taylor’s (who had found it difficult to find rental accommodation for his family after Orcon wrongly referred his debt to a collection agency).

On appeal, Mr Grace and his partner were successful in an analogous claim to Mr Taylor’s. The Court of Appeal held that a direct link was required between the inaccurate information and the harm, and established such a link because it found that none of the debt was enforceable. Arguably Grace demonstrates a higher threshold to establish causation than is required in New Zealand following Taylor, and underlines how important Taylor could prove to be for future privacy cases.

Grace and Taylor show that organisations should be especially careful to ensure the accuracy of personal information when it is disclosed to a debt collection agency (because harm will often result if the information is inaccurate). However, other industries should not relax - that lesson may apply generally to any case where personal information is being disclosed to others.

At the other end of the information exchange, the Privacy Commissioner last year released a report into the charge that Veda Advantage (Veda) imposes on urgent requests for individuals’ own credit information. Although charging for the provision of such information is Veda’s core business, the Commissioner concluded that Veda’s charge was unlawful to the extent it exceeded actual costs. The Credit Reporting Privacy Code has since been amended to make clear that individuals are allowed free access to their credit history, or need only pay a maximum fee of $10 if they require the information within 10 days.

New Zealand developments

Anti trolling act protects privacy

Last month, the Harmful Digital Communications Act (HDCA) came into force. The Act was largely a response to several high profile instances of online bullying and trolling.

One of the key changes created by the HDCA is an amendment to the scope of the defence of information being publicly available. Public availability will no longer provide a defence for a harmful communication if it would be “unfair or unreasonable to disclose” it, meaning that it is no longer safe to assume that material already in the public domain can be republished (or, for example, retweeted) with impunity.

The HDCA sets out a series of communication principles for digital communications (broadly, anything communicated electronically). So far as those principles relate to privacy, they state that a communication:

  • should not disclose sensitive personal facts about an individual;
  • should not contain a matter that is published in breach of confidence; and
  • should not be used to harass an individual.

Where those principles are breached, the HDCA provides a three step approach for victims:

  • A victim may complain to the “online content host” (OCH), being the “person who has control over the part of the electronic retrieval system, such as a website or an online application, on which the communication is posted”. Responding to the complaint in accordance with the HDCA will provide the OCH with a safe harbour from prosecution.
  • Alternatively, a victim may make a complaint to the “approved agency”. Although that agency is yet to be appointed or its precise role spelt out, it is anticipated that it will receive, investigate, manage and facilitate the resolution of complaints. Despite this, it does not appear that the agency will have any enforcement powers.
  • After a complaint has been made to the approved agency, the agency or the victim may bring proceedings in the District Court. The Court’s powers include ordering a correction, removal, apology or right of reply. (The police may also bring such proceedings, but can do so at any time.)

The HDCA also makes it a criminal offence to post information with the intention of causing “serious emotional distress”, if the post causes such distress and would cause that distress to a reasonable person in the position of the victim. This raises questions whether some of the more egregious privacy breaches of recent times would now be a criminal offence. 

However, one of the difficulties with protecting against the harm of digital communications, is that it is very difficult to get the cat back in the bag. Once a photo is posted on Twitter (for example), it is often almost impossible to remove the post from the ether once it has been reproduced as a retweet, quoted tweet or screenshot. While the HDCA mandates a timeframe of 48 hours for an OCH to action a complaint, that is a long time in the modern world and, if the process fails, the HDCA remedies may be of little benefit to victims. 

As the Privacy Commissioner has pointed out, the HDCA closes a gap in the law for what has colloquially been termed “revenge porn” – where one estranged partner distributes intimate photos of the other. Previously, such actions have been considered to be within the carve out in the Privacy Act for information collected in the course of an “individual’s personal, family, or household affairs”. Such disclosures would often amount to a breach of confidence, but the simpler process offered by the HDCA will be welcomed by many.

Drone law: privacy on the wing

In March, infoRM identified the questions that the proliferation of privately owned and operated drones pose to privacy law. Some of those questions have now been addressed in part by the Civil Aviation Authority’s (CAA) Rules governing “unmanned aircraft operations” (ie drones), which came into force on 1 August 2015.

From a privacy perspective, the key elements of the rules include:

  • Drones must only be flown where they can be seen by the operator’s naked eye. This change mitigates some of the privacy concerns of drones capable of live streaming from onboard cameras (which is a standard feature of many off-the-shelf products). The rule limits the lawful use of drones, because it requires some connection between the operator’s line of sight and what a drone is able to film.  That said, homeowners might no longer rest easy behind tall hedges, knowing that curious eyes can simply hover ten feet off the ground.
  • Consent must be obtained from anyone a drone will be flown above. If your drone is going to fly over someone’s land, you must get consent from the landowner, regardless of whether it is a private or public place.  You must also get consent from any actual persons that you intend to fly above. While potentially onerous for some operators who will need to check flight paths carefully, the rule helps guard against some of the most obvious misuses of drone cameras.

However, these Rules are subject to a substantial carve out because drones may be operated outside of them if the operator applies for and receives an “unmanned aircraft operating certificate”. In applying for such a certificate, the operator must demonstrate how they will operate outside the Rules and why it is necessary for them to do so. 

Although the Rules are more concerned with safety than privacy, the CAA’s advisory circular notes that ”if you are using a camera or other similar technology you will likely be subject to the Privacy Act”.  Similarly, as part of its guidance surrounding the new Rules, the Authority has referred to the Office of the Privacy Commissioner’s statement that “organisations or individuals using such aircraft would have to have a very good reason for collecting personal information in the form of photographs and video”.  Even when they do have good reasons, privacy obligations mean that drone operators should be careful about what they do with that information.

The Privacy Commissioner recently considered drone operator’s privacy obligations in his case note of a complaint made regarding a Sky TV drone that flew past an apartment during a cricket broadcast (267458 [2015] NZ PrivCmr 6). There, the Commissioner accepted Sky’s response that the drone only recorded when it was asked to by the control room, and had not recorded footage of the complainant or his apartment. On that basis, the Commissioner found that there had been no breach of the Privacy Act because none of the complainant’s information had been collected. Sky also noted that where it had recorded footage of people on the balcony of a different apartment, that apartment was in the operator’s line of sight, and the occupants were able to gesticulate their consent to being filmed.

A breach of the new Rules could lead to the CAA pursuing the maverick operator through an infringement fine or even a conviction, though the exact penalty is yet to be determined by regulations. The Rules themselves form an interim measure, as the CAA is still formulating a coherent and complete set of guidelines for unmanned aerial vehicles.

There's an app for everything - including privacy

A common criticism of smart devices is that they allow for our privacy to be more easily intruded on. However, the Privacy Commissioner has turned that notion on its head with the introduction of the “Priv-o-matic”.

The tool allows businesses to generate a privacy statement that explains how it will collect, use and disclose an individual’s private information. As well as being just plain nifty, the app also fulfils a legal function because organisations are required to be transparent regarding the way they use personal information.

Given that the app can generate a basic privacy statement in under 10 steps (and under 10 minutes), businesses have little excuse left not to have one.

Locked out of LinkedIn

There has been some discussion in the media recently surrounding employer’s rights (or otherwise) to the LinkedIn contacts that employees generate while employed. Disputes of this nature are nothing new. The law has long recognised that a balance must be struck between an employee’s right to network, and an employer’s right to keep a physical register of those business connections. The courts assessed the issue with respect to Outlook address books some time ago (see for example Penwell Publishing (UK) Ltd v Ornstein & Ors [2007] EWHC 1570) and it was only a matter of time before it arose in a social media context.

Employers do not have any general right to the connections that their employees generate on LinkedIn. There can be exceptions, such as in Whitmar Publications Ltd v Gamage [2013] EWHC 1881 (Ch). There, a marketing manager who was responsible for maintaining his employer’s LinkedIn groups as part of his employment refused to surrender control of those groups following the end of his employment. He was ordered to do so, but that is quite different to saying that an employer has rights in the connections that employees generate in the ordinary course of their professional life. Better guidance is provided by Hays Specialist Recruitment (Holdings) Limited v Ions [2008] All ER (D) 216, where the Court decided that an employee was entitled to add clients from his employer’s address book as connections on LinkedIn (and to retain those connections) so long as his harvesting did not become “widespread”.

Government announces Data Futures Partnership

Following on from the work of the Data Futures Forum, the Government last week announced the creation of a cross-sector working group tasked with building a Data Futures Partnership (DFP).  The Government states that the DFP “will lift aspirations and champion change, by actively co-ordinating with citizens, consumers, businesses, Māori, non-governmental organisations, and government to drive greater trusted data sharing and use”.  For more information click here.

Around the World of Privacy:

A right not to be identified as a criminal?

The United Kingdom Supreme Court has recently considered whether a 14 year old boy’s right to respect for his private life (under the European Convention for the Protection of Human Rights and Fundamental Freedoms) was breached by publication of photos of him rioting in an effort to identify him.

In re JR38 [2015] UKSC 42 the majority held that the boy’s right had not been breached, because he had no expectation of privacy. The fact the boy was a child was no reason to depart from the test of whether he had a reasonable, or legitimate, expectation of privacy, but was potentially a factor to consider in its application. 

The issue is not whether a child has a greater or lesser right to privacy, but whether the impact of making public a name or a face will affect the future of the child disproportionately. Such arguments were made in In re JR38, and have also been made in New Zealand in the context of name suppression cases (including in the recent case of a 14-year old on trial for murder).

Metadata is personal information...

The Australian Privacy Commissioner has ruled here that metadata including network data (such as IP addresses visited), is “personal information” after a journalist requested Telstra provide all metadata stored about his mobile phone service. Telstra argued that such information was not able to be linked to the individual (and hence was not personal information). However, the Commissioner noted that, although such information could be difficult to link without a lengthy and/or complex process (for example, by matching across various different data sets), Telstra’s ability as a large organisation to respond to law enforcement agencies’ and customers’ requests suggested that it could reasonably ascertain a person’s identity.

While the Commissioner’s determination indicates that an organisation’s resources will be relevant to whether information can readily be matched to an identifiable person, it has been criticised in some quarters on the basis that agencies may have to invest significant resources to retrieve such personal information.

It appears likely that a similar approach would be taken by New Zealand’s courts, notwithstanding that the Australian definition of personal information (information or opinion about an individual whose identity is apparent or can be reasonably ascertained) is slightly different from that found under the New Zealand Privacy Act (information about an identifiable individual).

...and police require a warrant to obtain it?

The latest decision out of the United States has held that police require a warrant to obtain historical cell phone records that reveal an individual’s location as “cell phone users have an objectively reasonable expectation of privacy in this information” (US v Graham, 4th U.S. Circuit Court of Appeals, No. 12-4659 and US v Jordan, 4th U.S. Circuit Court of Appeals, No. 12-4625). However, the US courts are divided on that issue.

In New Zealand, the Privacy Commissioner is trialling a project to identify how frequently personal information is requested without a warrant by law enforcement agencies; a practice we noted in the July edition of infoRM.

This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.

Related Expertise