Data Breaches and Class Actions in New Zealand

As the prevalence and impact of cybersecurity incidents in New Zealand grow, we expect Kiwis will increasingly seek redress for data breaches. This follows the pattern of developments in the UK, US, Canada and, to some extent, Australia, where class actions are now a feature of the data protection landscape.

While there have been increased regulatory actions regarding data breaches in New Zealand, consumer actions have been less common. Below we consider the likelihood of data breach class actions being brought in New Zealand moving forward.

Right to privacy in New Zealand

There are two leading causes of action that individuals may use to bring an action in respect of a data breach in New Zealand.

1. Privacy Act – following a data breach, the Privacy Act facilitates an individual or class of individuals to submit their complaint directly to the privacy regulator, the Office of the Privacy Commissioner (OPC). Individuals may ask for an apology, a guarantee that the same thing won’t happen again, or financial compensation. The matter may then proceed to the Human Rights Review Tribunal. Where the Tribunal determines the individual has suffered financial loss or emotional damage, it can make an award of compensation up to a maximum of $350,000.
    
2. Common Law - there is a tort of invasion of privacy which provides a cause of action if publicity is given to private facts, where that publicity is highly offensive to a reasonable objective person.[1] It is not necessary for the publication of that private information to be widespread for an actionable invasion of privacy.[2]

New Zealand’s class action landscape

A data breach class action has not yet been filed in New Zealand. However, the number of class actions filed in New Zealand courts has steadily grown over recent years.

It is also becoming increasingly common for class actions to be run on an ‘opt-out’ basis, whereby individuals meeting the specified circumstances automatically form part of that class unless they actively take steps to remove themselves.[3] This distinction between ‘opt-in’ and ‘opt-out’ is important, as it significantly affects the class size and the possible damages or compensation.

Earlier this month, a multimillion dollar opt-out class action claim against ANZ and ASB was given the green light by the New Zealand High Court. As the action is ‘opt-out’, 150,000 borrowers whose interest and fees were allegedly failed to be refunded by the two banks following a breach of their disclosure obligations will automatically be included in the claim unless they take action to opt-out.

Coupled with this trend of opt-out claims, the New Zealand Law Commission has recently issued its report on class actions and litigation funding in New Zealand.[4] The report recommends the introduction of a new Class Actions Act designed to facilitate increased access to justice, including by way of ‘opt-out’ class actions.

While the report is not binding, it provides a clear insight into the future landscape of class actions and litigation funding in New Zealand. This also reflects a policy to balance the power between large companies and individuals (particularly those that collect large volumes of data). Individuals require the ability to enforce their rights directly against such companies in order to hold them accountable.

Are data breach class actions on the horizon in New Zealand?

The increasing number of class actions in New Zealand, together with the growing impact of cybersecurity incidents, means there is a real possibility of a data breach class action being brought in New Zealand in the near future.

However, there are specific considerations in respect of a data breach class action that indicate the likelihood of one being brought. These include:

1. Loss - whether or not there has been any misuse of personal information that is definitively linked back to the incident. If not, any claimed loss would be for future losses only which is often challenging to establish;
    
2. Volume - the number of individuals whose data was impacted in the incident;
    
3. Value - the level of possible compensation for each affected individual, as large group actions generally require the backing of a third-party litigation funder. Commercial consideration needs to be given to whether a funder would be able to generate an acceptable return on the class action. The reality is that very few class actions actually get off the ground for this reason;
    
4. Novelty - any data breach class action would, for now at least, be novel. Litigation funders are generally hesitant to fund novel actions due to it being difficult to predict the likelihood of success;
    
5. Alternatives - the OPC and Human Rights Review Tribunal remain the first port of call for privacy breaches rather than the courts; and
    
6. Compensation culture - monetary compensation for privacy losses is generally a tool of last resort to remediate the impact of a privacy breach.

How can we help?

Clyde & Co’s Technology & Media Team has unparalleled and specialised expertise across the privacy, cyber and broader technology and media practice areas. It also houses the largest dedicated and market leading privacy and cyber incident response practice across Australia and New Zealand.

The firm's tech, cyber, privacy and media practice provides an end-to-end risk solution for clients. From advice, strategy, transactions, innovations, cyber and privacy pre-incident readiness, incident response and post-incident remediation through to regulatory investigations, dispute resolution, recoveries and third-party claims, the team assists its clients, inclusive of corporate clients, insurers, insureds and brokers across the full spectrum of legal services within this core practice area.

For more information, please contact John Moran, Alec Christie, Reece Corbett- Wilkins, Richard Berkahn or Chris Mclaughlin.