Data Breach Class Actions in New Zealand: Do They Stand a Chance?

Data breaches and class actions are relatively recent phenomena in New Zealand. The increasing volume of data collection and storage in modern society has led to a growing threat of cyber malfeasance. Reports suggest that New Zealand is increasingly becoming a target for cyber-attacks, highlighted by the recent Mercury IT and Latitude Financial data breaches affecting hundreds of thousands of New Zealanders. Data breaches exposing private information can cause harm to both individuals and organisations and often result in material or reputational damage or emotional distress.

Data breach class actions have been increasing globally but are yet to make an appearance in New Zealand. In the past year (and for the first time) data breach class actions have commenced in Australia in relation to the Optus and Medibank data breaches, but these proceedings are in their early stages. Class actions are legal proceedings that allow one or more plaintiffs to sue one or more defendants on behalf of a larger group, making them suitable for large data breaches. This legal update considers the challenges data breach class actions have faced internationally, and whether such proceedings could proceed (and succeed) in New Zealand. New Zealand’s privacy-based torts and laws offer promise for data breach class actions when compared to other common law jurisdictions.

Obstacles to Data Breach Class Actions

Class commonality

An issue that data breach class actions have faced in Canada is a perceived lack of sufficient ‘commonality’ across the members’ claims. In Kaplan v Casino Rama Services,[1] the Ontario Superior Court of Justice denied certification of a data breach class action arising out of a criminal cyber-attack and data leak. The negligence and so-called ‘intrusion upon seclusion’ claims collapsed under the common issues criterion for certification because the scope and content of the standard of care in negligence depended on the sensitivity of the personal information the defendants held about each plaintiff. The Judge found there was no question about whether the defendants had breached an applicable duty of care that could be resolved in common across the class, because individual assessments were required. Similarly, the Judge determined that individual inquiries would be needed for the ‘intrusion upon seclusion’ claim to determine whether each class member was in fact embarrassed or humiliated by the publication of their personal information.

No compensable loss, no class action

Class actions have also faced difficulty proving compensable loss resulting from data breaches, as the Alberta Court of Appeal considered in Setoguchi v Uber.[2] Uber experienced a cyber-attack where hackers accessed users’ personal information. Despite the data breach, no class member could demonstrate they suffered economic loss or psychological harm resulting from the incident. Consequently, the Certification Judge denied class certification, a decision that was unanimously upheld on appeal. The Court of Appeal found there was no claim in negligence as the Appellants failed to plead any specific injury that is compensable at law. The “unauthorized release, disclosure and use of their personal information” (as pleaded) was not sufficient to particularise the harm suffered as a result of the hack.

Intrusion upon seclusion

The intrusion upon seclusion tort is actionable without proof of compensable loss or harm. However, in Owsianik v Equifax Canada,[3] the Ontario Court of Appeal held the tort of intrusion upon seclusion could not be claimed against a defendant who had suffered a cyberattack because the hacker’s intrusive actions could not be attributed to the defendants. The Court was unwilling to extend the tort to include “database defendants”, even where the third-party hacker could not be located.

Loss of control?

In Lloyd v Google,[4] the UK Supreme Court considered an alternative form of privacy breach damages, namely the “loss of control” of personal information. The plaintiff class alleged Google had gathered user data for commercial purposes without their knowledge or consent in breach of the Data Protection Act 1998 (DPA). Rather than claiming material loss or harm, the plaintiffs sought damages for the “loss of control” of their data. The High Court dismissed the claim,[5] finding that the extent and impact of the alleged unlawful processing of personal information would differ between class members. This decision was reversed by the Court of Appeal,[6] which recognised the economic value of personal data, meaning that ‘loss of control’ damages were capable of being awarded to all class members. However, the UK Supreme Court ultimately rejected the loss of control claim. It found that proof of unlawful processing of personal information alone was insufficient: compensation for “damage” under the DPA required proof of material damage, and the plaintiffs therefore needed to establish the extent of the unlawful processing of personal data in each individual case.

Privacy in New Zealand: the Legal Landscape

In New Zealand, group proceedings can be brought under High Court rule 4.24, which essentially acts as a class action regime. The Court of Appeal in Cridge v Studorp[7] found that, to commence a class action, class members must have a significant common interest in the resolution of any question of law or fact. Commonality of interest in New Zealand is not a high threshold and requires a liberal and flexible approach. Further, New Zealand has a two-stage approach to class actions in which common issues are dealt with first, before proceeding to assessments of individual damages where the common issues are taken as read. Although New Zealand is yet to deal with a data breach class action, there are features of New Zealand’s privacy laws that may mitigate the obstacles experienced overseas.

Privacy torts

New Zealand courts have authoritatively recognised two privacy torts: publicity given to private facts or ‘breach of privacy’ (see Hosking v Runting),[8] and intrusion upon seclusion (see C v Holland).[9] In Hosking, the majority of the Court of Appeal identified two elements of the tort of breach of privacy to be made out by a plaintiff:

  1. The existence of facts in respect of which there is a reasonable expectation of privacy; and

  2. Publicity given to those facts that would be considered highly offensive to an objective reasonable person.

The elements of a claim of intrusion upon seclusion as recognised in C v Holland are:

  • an intentional unauthorised intrusion;

  • into seclusion (namely intimate personal activity, space or affairs);

  • involving infringement of a reasonable expectation of privacy; and

  • that is highly offensive to a reasonable person.

The parameters of these torts and their elements remain unclear and evolving. For example, in Peters v Attorney General,[10] the Court of Appeal revisited the Hosking test for breach of privacy and expressed a preference for re-framing the first limb of the test to a “reasonable expectation of privacy protection”. The Court in Peters, although not required to determine the ‘highly offensive’ limb of the test, noted it has been “trenchantly criticised”.

These privacy torts may provide an avenue for data breach class actions. Importantly, material or emotional damage is not an element of either tort, implying they are actionable per se (i.e. without proof of damage) and could therefore be dealt with at the ‘common issue’ stage of a class action. While the plaintiff would still need to point to some form of harm arising out of any alleged privacy breach, this would not necessarily need to be done on an individual basis in the first instance. The tort of negligence may also be available to data breach victims if class members could point to a specific injury compensable at law (e.g. damage to credit reputation or costs incurred in preventing identity theft). General damages may also be available in negligence/tort, as they are in ‘leaky building’ claims (see below).

Privacy Act 2020

Another option for plaintiffs is to pursue data breach class actions under the Privacy Act 2020. The Act regulates the collection, use and disclosure of personal information and imposes obligations (underpinned by 13 information privacy principles) on organisations to ensure they handle personal information responsibly. The Act also provides a framework for bringing representative actions in relation to privacy breaches (see Part 5).

Where an agency or organisation has interfered with a person’s privacy, that person, or group of people, can make a complaint to the Privacy Commissioner. The Commissioner then decides whether or not to investigate. If the complaint is investigated and has substance, the Commissioner must try to secure a settlement. If no settlement is reached, the Commissioner may refer the complaint to the Director of Human Rights Proceedings, who can commence proceedings on behalf of an individual or group in the Human Rights Review Tribunal (HRRT) and seek a variety of damages, including damages for loss of dignity or injury to feelings. If an aggrieved individual or class of aggrieved individuals is not satisfied with the outcome of the Commissioner’s process (e.g. if a complaint is not investigated or is found not to have substance), those individual(s) or their representative(s) may commence proceedings in the HRRT themselves. This framework explicitly provides for group proceedings arising from privacy breaches.

Loss and damage

A major obstacle for data breach class actions overseas has been the nature of the alleged loss or damage suffered by class members. In New Zealand, the Courts may be open to taking a general damages approach to intangible harm resulting from privacy breaches. In Hammond v Credit Union Baywide,[11] the HRRT awarded damages of $98,000 for humiliation, loss of dignity and injury to feelings to a claimant in a privacy breach case. That case had elements of deliberate abusive conduct. However, the Tribunal provided useful guidance on the HRRT’s banding approach to general damages awards for interference with privacy:

  • Cases at the less serious end of the spectrum will range up to $10,000.

  • More serious cases can range from $10,000 to $50,000.

  • The most serious cases will range from $50,000 upwards.

These bands are descriptive, not prescriptive. However, the HRRT’s approach to damages could be adopted, or at least referenced, by the Courts for privacy tort breaches. Given the ‘highly offensive’ element of the publicity given to private facts tort, one might expect that awards under a banding approach would be upwards of $50,000 per plaintiff.

Conclusion

We live in what author Shoshana Zuboff famously dubbed “The Age of Surveillance Capitalism” – the widespread collection and commodification of personal data by corporations.[12] In Zuboff’s view, this is an assault on human autonomy.[13] Be that as it may, as data breaches become more frequent and severe, organisations need to prioritise data security and take measures to protect personal information. In the event of a privacy breach, a group of affected individuals may be able to pursue a class action, using either the common law torts or the Privacy Act. Those pursuing such a claim in New Zealand will likely face obstacles similar to those experienced overseas, particularly proving commonality between individual claims and compensable loss. However, recent cases in Australia suggest there is an appetite to take on those obstacles. Moreover, there is reason for optimism because of the New Zealand courts’ liberal approach to recognising a sufficiency of common interests, and because the per se privacy torts and the Privacy Act do not require proof of actual or material harm.

If you have been the victim of a data breach, or want to discuss this legal update, please get in touch.

Thank you to Stuart Dalzell and Sam Smith for writing this Insight.

The information on this website is not intended as legal advice, and anyone receiving this information should not act on it without consulting professional legal counsel.

[1] Kaplan v Casino Rama Services Inc 2019 ONSC 2025, 143 OR (3d) 736.

[2] Setoguchi v Uber BV 2023 ABCA 45 (CanLII).

[3] Owsianik v Equifax Canada Co 2022 ONCA 813, 25 November 2022.

[4] Lloyd v Google LLC [2021] UKSC 50.

[5] Lloyd v Google LLC [2018] EWHC 2599 (QB); [2019] 1 WLR 1265.

[6] Lloyd v Google LLC [2019] EWCA Civ 1599; [2020] QB 747.

[7] Cridge v Studorp Ltd [2017] NZCA 376.

[8] Hosking v Runting [2005] 1 NZLR 1 (CA).

[9] C v Holland [2012] NZHC 2155, [2012] 3 NZLR 672.

[10] Peters v Attorney General [2021] NZCA 355 at [111]-[115].

[11] Hammond v Credit Union Baywide [2015] NZHRRT 6.

[12] Zuboff, S, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (2019).

[13] The Guardian, “Shoshana Zuboff: ‘Surveillance capitalism is an assault on human autonomy’”, 4 October 2019.
