I have just read over all 210 pages of the Law Commission’s (“LC”) latest report, which is a review of the Privacy Act (“PA”). The review is timely as the PA is entering the twilight of its teenage years. It came to life well before most people had even heard of the internet and certainly well before email and even Facebook were ordinary parts of most New Zealanders’ days. The LC has made 136 recommendations. Not a small number and enough to recommend a new PA be enacted. The three areas of the report that I was particularly interested in concerned the powers of the Privacy Commissioner (“PC”), the ability of agencies (collectors of private information) to refuse access to information and the effect of technology. At the moment the PC is somewhat of a toothless beast, reliant on the Director of Human Rights Proceedings making a decision to take a case to the Human Rights Review Tribunal (“HRRT”). The LC has recommended that the PC be given the power to take a case straight to the HRRT. I have a few problems with such a recommendation. The PC has wider and sometimes conflicting interests. I prefer the DHRP acting as a gate keeper on whether to tie up tax payers’ money in litigation. However, I might be persuaded to change my view if the PC was first required to take all reasonable steps to resolve any matter before launching the matter into a full scale fight. Another recommendation of the LC is to empower the PC to issue compliance notices which, if not complied with, will amount to an offence. That is certainly one way of giving the PC some teeth which have the potential to be very sharp ones for that matter. The final recommendation that interested me was giving the PC the power to require audits of agencies. I won’t ask how much this will cost each year as I know who will most likely end up paying for the privilege. The extent of the recommended audit powers is wide ranging and is backed up with recommendations for new offenses such as destroying personal information and misleading an agency through impersonation. I wonder how much impersonation actually does occur. I often receive questions from agencies about whether they can refuse a privacy request. I think the LC has correctly identified a couple of key problem areas. I agree entirely with the LC’s recommendation that agencies be entitled to refuse a request if there was a significant likelihood of serious harassment of an individual or if the request relates to a victim (or the victim’s family) of an alleged offence. The final area I wanted to comment on, which is of particular interest to me, is the effect of technology on maintaining privacy rights. I remember helping out a young engaged couple 10 years ago with what was a distasteful chain of events. Jane (not her real name) had a one night stand with a co-worker. Both participants were heavily inebriated and the co-worker decided to capture parts of the night on video and with a SLR camera. Jane vaguely remembers the use of the cameras. She caught up with the co-worker the following Monday over coffee and asked him for an assurance that any footage had been destroyed, which he gave. Jane left the company a few months later and went on her OE. Five years later Jane was happily engaged and having Sunday dinner with her fiancé and her father. Her father then tells them that he has received an anonymous letter in the mail which included several URLs which referred to Jane’s name in the URL string. Her fiancé happened to have his laptop with him and they all decided to have a look at the websites, which featured the video and photos from the night five years earlier. They were referred to me by a senior counsel who in his own words said “I do not know anything about the internet”. The current PA really did not provide Jane with any help whatsoever despite the fact that explicit photographs and footage of her were being displayed on the internet with the apparent intention to cause her humiliation and distress. Section 56 of the PA excludes the application of the privacy principles “in respect of the collection of personal information by an agency that is an individual or where that personal information is collected or held principally for the purposes of that individual’s personal or household affairs.” Professor Paul Roth has questioned the meaning of “personal affairs”. He is one of NZ’s leading experts on privacy matters and quite possibly the funniest academic I have ever met. Funny and academic do not usually go hand in hand but I think it would be unfair to call that an oxymoron. Unfortunately, the LC does not think that “personal affairs” needs any clarification. The LC’s answer, which I am ok about, is to propose an amendment to section 56 so that it does not apply where the agency has engaged in misleading conduct such as asserting directly or by implication that the individual has consented to the collection and use of the information and where the information has been unlawfully obtained. The LC thinks that the later will be helpful in providing a civil remedy “for intimate covert filming”. The LC commented on some of the technology issues by saying that “the issues concerning section 56 do not result only from the development of the internet, but the internet does create new problems when information about personal, family or household affairs is made available to a much wider audience. It could be argued that making the information more widely available via the internet takes it out of the domestic sphere. However, this is by no means clear: increasingly, websites are becoming the modern equivalents of diaries or family photo albums.” The LC’s preferred solution was an option “to amend section 56 so that it does not apply when the collection, use or disclosure of personal information results in identifiable harm to another individual.” Not a bad idea as far as I am concerned. The LC, on this topic, finally recommended the introduction of a “highly offensive test based on that used in the tort of invasion of privacy”. Some may remember the key facts of the Hosking v Runting case, where the Court of Appeal held that “highly offensive” publicity would involve “very personal and private matters”, and would be “determined objectively, by reference to its extent and nature, to be offensive by causing real hurt or harm.” My only concern is that it places the threshold at a very high level to overcome. Not too many people have the level of resources that were expended in the Hosking case. Ok so you might be wondering what happened to Jane. Well we obtained, without notice to the co-worker, an injunction requiring him to take the sites down and to allow us to search his house and work for evidence. He was dismissed by his employer. Jane, as far as I am aware, is happily married with children and hopefully never has to think about that part of her life. Perhaps the lesson is that the law can provide certain rules that should be followed but it does not stop someone using the internet to cause significant harm if they are committed to do so.
By Chris Patterson