InfoRM Privacy Law Update – July 2015


In this edition of InfoRM:

Soldier's Orcon credit rating saga resolved at last

A soldier who claimed that his credit rating was damaged by ISP Orcon over a mistaken bill of $208.58 has had his claim upheld by the Human Rights Review Tribunal, winning $25,000 in damages – a timely reminder that companies must treat privacy complaints seriously.

The decision also clarifies (at the Tribunal level) that the test for establishing whether a privacy breach has caused loss only requires a material contribution to the loss, and need not be the primary cause. That may prove to be a significant ruling as it will arguably make it easier for plaintiffs to claim economic losses flowing from a privacy breach.

The background to Mr Taylor’s claim began in early 2012, when he ordered a modem and broadband package from Orcon for himself and his partner. He received the wrong modem as well as a defective phone and broadband connection. The Tribunal found that Orcon’s subsequent conduct, however, inflamed the matter:

  • Mr Taylor cancelled the package, receiving assurances that he would not be charged. Instead, Orcon sent the couple a bill for $138.90. Despite repeated attempts by the couple to dispute the debt, Orcon did not investigate the dispute.
  • The Tribunal found that Orcon staff “ridiculed” Mr Taylor, laughing at him when he tried to speak to a manager about the issue. The bill grew to $208.58. Orcon then referred the debt to debt collectors Baycorp.
  • A year on, Orcon offered a “goodwill credit” to Mr Taylor, which reduced its claim to $50.10. When he did not pay, Orcon advised Baycorp to register the “debt” as undisputed with credit report provider Veda Advantage. This negative credit report caused Mr Taylor enormous difficulty in obtaining credit and accommodation near Linton Army Camp for himself, his partner and their 12-month-old daughter.
  • The Tribunal found that Orcon had breached Information Privacy Principle (IPP) 8 of the Privacy Act. It wrongly provided Mr Taylor’s personal information to Veda Advantage without taking reasonable steps to make sure it was accurate. Mr Taylor received $10,000 for the loss of a benefit and $15,000 for humiliation, loss of dignity and injury to feelings. The Tribunal ordered Orcon to provide Privacy Act training to its staff.

As demonstrated recently in Hammond v Credit Union Baywide (where an award of $168,000 was made), the Privacy Act is proving to be an inexpensive way for complainants to obtain significant awards of damages, in this case for loss as a result of a flawed credit report. It is a timely reminder to companies, particularly those that regularly use debt collectors, that they must take reasonable steps to investigate disputed debts before sending information to a credit reporter.

New Zealand developments

Police use of personal information sanctioned by the Privacy Act?

Police have faced criticism for invoking the Privacy Act to obtain personal information from agencies in order to avoid obtaining search warrants. The Privacy Act does not give the Police the right to obtain information and concerns have been raised regarding poor record keeping and the intrusive nature of the personal information potentially disclosed. While Police Assistant Commissioner Malcolm Burgess has stated that controls exist, the responsibility (and risk) for the disclosure of personal information lies with the disclosing agency, not the Police (or other agencies that may make the request).

IPP 11 prohibits agencies from disclosing personal information unless they believe, on reasonable grounds, that an exception applies. Before disclosing the information, the agency itself must (a) form the view that disclosure of the information requested is necessary for one of several purposes (or an exception) set out in IPP 11 (subjective limb), and (b) confirm this view is viable on objectively reasonable grounds (objective limb). The most relevant exceptions likely to be relied upon by the Police fall under IPP 11(e) (maintenance of the law and legal procedures) and 11(f) (preventing or lessening serious threats).

In 2011 the Law Commission recommended that the Privacy Commissioner provide guidance on responding to law enforcement requests for information and an explanation of the steps an agency should take to assure itself of the necessity for the disclosure. No such guidance has yet been provided.

Increased requests to agencies like utilities and banks (who can hold information relevant to offending), and the possibility for overbroad disclosure, means that clarification would be helpful. Meanwhile, the obligation to justify any disclosure remains on the disclosing agency, making it wise to err on the side of caution when responding to requests for the disclosure of personal information: failure to comply with the restrictions set out in IPP 11 could lead to a claim for breach of the Privacy Act, and also expose agencies to reputational damage.

The use of Facebook posts as evidence in Court

A recent case (Police v Peacock), which resulted in a conviction for aggravated careless driving causing death, has raised the issue of how social media may be used in evidence in criminal trials.

At trial, information from the defendant’s Facebook post of a speedometer accompanied by the text “F**k your 101 km/h law” was admitted in evidence against the defendant (despite the defendant denying that it was his post). Justice Allan held that, even if the defendant had not created the post, he must have expressed a liking for it (and it was therefore relevant to the matters before the Court). 

The question of when Police may access information from Facebook to use as evidence in court has received little attention. If a Facebook page is “public”, then its content is public information and the Police can access the information without a search warrant. If, on the other hand, a Facebook page is “private”, it is unclear whether a search warrant would be needed (arguably the right to be free from unreasonable search and seizure under s 21 of the New Zealand Bill of Rights Act 1990 would require one). Facebook’s policy is that it will disclose account records where it has a good faith belief that it is necessary to detect, prevent and address fraud and other illegal activity or otherwise in response to a “legal request”. A Mutual Legal Assistance Treaty request or letter may be required to compel the disclosure of the contents of a Facebook account.

While the Human Rights Review Tribunal has considered the Privacy Act in the context of social media (for example, Hammond v Credit Union Baywide - see commentary here), there remains little guidance as to the Police’s ability to access “private” Facebook material for investigative purposes. This is an issue which the courts will no doubt have to decide in the future.

Electronic Data Safety Bill defeated

A Private Members Bill designed to improve government data safety mechanisms has recently been defeated by 61 votes to 59.

The Bill arose out of a number of high profile privacy breaches by government departments in 2012, including a major flaw in the Ministry of Social Development’s (MSD) Work and Income self-service kiosks. That failure resulted in two members of the public downloading 7000 documents, some highly sensitive, relating to children in Child, Youth, and Family care, and beneficiaries’ personal details. In the investigation which followed, a report by Deloitte found that insufficient work by the MSD during the installation of the kiosks had caused the failure and MSD had grossly under-estimated the risk of a malicious attack.

The Bill would have established a Commission of Inquiry to investigate the MSD and other breaches across a number of government agencies, and report to Parliament on the capacity of government agencies to manage, hold and prevent misuse of personal information (ie, data breaches). The Bill’s sponsor Clare Curran claimed that without the Commission, holes in the system would remain, leading to a likelihood of further serious data and privacy breaches. However, ACT, National and United Future voted the bill down on the basis that new, non-legislative mechanisms (such as the Government’s National Cyber Security Centre, the expanded role of the Government Chief Information Officer, and the new Government Chief Privacy Officer) provide sufficient protection.

With the defeat of this Bill, it remains to be seen how successful the Government’s new privacy apparatuses will be in increasing transparency, accountability, and public trust in government agencies’ use of personal information.

Newmarket CCTV usage questioned

The Newmarket Business Association (NBA) has decided to increase the number of video surveillance cameras in Newmarket’s shopping district following a recent car robbery in Newmarket, spending $250,000 this year as a means of preventing crime in the area. New surveillance cameras will be installed on transport routes, major shopping areas, back streets and commercial areas. The decision will almost double existing CCTV used in the area, which will have the ability to zoom in on very small details over a wide area, and can deliver clear pictures in both day and night.

The New Zealand Council for Civil Liberties has, however, raised concerns over the installation. It has called for evidence to demonstrate that an increase in surveillance cameras reduces crime in the area. 

CCTV engages the Privacy Act by collecting and storing personal information. Recognising that camera surveillance can play an important role in detecting and prosecuting crime, the Privacy Commissioner has stated previously that this does not need to be at the expense of privacy. In 2009 the Privacy Commissioner released guidelines (viewable here) on the use of CCTV surveillance.

Overseas developments

English Court affirms right to sue Google for breach of internet privacy

The Court of Appeal in England and Wales has recently dismissed an appeal by Google which would have prevented British claimants from suing the US-based company for misuse of personal information while aggregating and disseminating information about their internet usage.

The claimants brought an action against Google in the UK for misuse of personal information and breach of the Data Protection Act 1998 (DPA), based on the allegation that Google had used cookies (strings of text saved on a user’s device) to access and aggregate the claimants’ browser-generated information (BGI). BGI contains information about the claimants’ internet usage, including which sites they have visited. The claimants allege Google passed the aggregated BGI to its advertisers, who subsequently could provide advertisements tailored to the claimants’ interests.

Three key matters of interest were recognised in the judgment:

  • Misuse of personal information is a tort in the UK. Procedural rules determining whether Google could be sued outside of the UK required the action to be in tort. In New Zealand, misuse of personal information is an established tort, but in the UK it has been treated as an equitable claim. The Court of Appeal held that misuse of personal information could be recognised as a tort (at least for procedural purposes). 
  • The UK’s Data Protection Act allows damages solely for distress suffered. The DPA’s provisions had to be applied in accordance with EU law, which was clear that distress on its own was damage for the purposes of data protection and privacy legislation. In New Zealand, the DPA’s equivalent (the Privacy Act) states explicitly that damages can be recovered for distress only, so that there is no need to prove pecuniary loss.
  • BGI may be “personal data”. The Court considered whether it was arguable that BGI was “personal data” for DPA purposes (if not, there would be no case to answer). The DPA defines “personal data” in much the same way as the Privacy Act defines “personal information”: any information relating to an identified or identifiable natural person. The Court of Appeal rejected arguments that personal data had to have the capacity of identifying the data subject, and accepted that there was an argument that BGI on its own was personal data. 

It is unclear whether Google will appeal this decision to the Supreme Court. As it stands, the decision confirms the English Courts’ appetite for recognising at least the right to sue for invasion of privacy in the cyber-space context, regardless of whether the defendant is based in another jurisdiction. In doing so, the Courts have moved closer to aligning UK privacy law, in tort and statute, with New Zealand privacy law.

This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.
