Large-scale data breaches are on the rise in New Zealand.  Recent developments offshore indicate that it is only a matter of time before Kiwis whose personal information is affected turn to class actions to seek a remedy.

Key takeaways

  • Class actions based on data breaches are becoming ever more frequent overseas.  Claimants are relying on a wide range of legal claims and targeting a variety of defendants.
  • This trend is likely to be mirrored in New Zealand, where a steady uptick in privacy breaches (whether through cyber-attack or simple human error) is matched by recent significant developments in class action and privacy law.
  • Businesses can limit their risk by ensuring that they are Privacy Act compliant, and regularly reviewing data holdings and security.  As hackers become ever more innovative and resourceful, it is essential to prepare for the worst.  A comprehensive cyber-attack response plan must also be part of every organisation’s tool-kit.

Class actions in New Zealand - a recap

In a class action, a group of people with similar claims against a common defendant join together to have their claims determined in a single court proceeding. New Zealand’s Supreme Court has recently confirmed that class actions can proceed on an opt-out basis, meaning that all eligible claimants are part of the class by default. This, coupled with the increasing availability and use of third-party litigation funding, seems set to make them a recurring feature of our legal landscape. See our updates: Simpson Grierson - Slowly but surely on class action reform and Simpson Grierson - High Court approves another opt-out class action and confirms jurisdiction to make common fund orders.

Class actions and privacy law

The Privacy Act 2020 introduced the right to bring “representative” actions in the Human Rights Review Tribunal in certain circumstances. However, to our knowledge the representative action provisions of the Act have yet to be used and their scope is relatively narrow.[1]

Regardless of the limits of the Privacy Act, which include the lack of a civil penalty regime, recent overseas cases reflect that privacy-related class actions in New Zealand can rely on numerous other legal grounds.

Australia: Breach of contract, consumer law and disclosure obligations

In 2022, the sensitive personal information of almost 10 million customers was posted on the dark web following a ransomware attack on Australian health insurer Medibank. To date, the largest data breach in Australia’s history has resulted in two class action proceedings against Medibank in the Australian courts, as well as a representative claim to the Office of the Australian Information Commissioner:

  • The first of the class actions alleges that Medibank breached its contracts with customers and its obligation of confidence to them as well as contravening Australian Consumer Law.
  • The second claims that ASX-listed Medibank breached its continuous disclosure obligations by failing to reveal to the market the alleged deficiencies in its cyber-security systems.
  • A trio of law firms is currently actively recruiting potential claimants to join the representative complaint to OAIC, which is still at the investigation phase. If the Commissioner finds that Medibank breached the obligation to adequately protect customer information, it faces potential orders to compensate affected customers for the resulting loss and damage, including distress and humiliation.

The Medibank actions are still at the early stages. Also recently launched is the class action against Optus, relating to the high-profile hack of its customer records last year, which affected around 9.8 million individuals. The lawsuit claims that Optus breached its contracts with consumers, as well as Australian consumer and privacy law, and failed in its duty of care to customers.

USA: negligence, breach of contract and duty of confidence

Further afield, in the USA, the American company ExecuPharm is facing a class action by its own employees. The lawsuit followed a cyber-attack in which sensitive employee data was stolen and posted on the dark web by a notorious collective of hackers.

The class action alleges that employees lost time and money in mitigating the losses potentially caused by the cyber-attack (for example through paying for credit monitoring services), suffered emotional distress and have an increased risk of future identity theft. It includes claims in negligence and breach of contract, confidence and fiduciary duty.

ExecuPharm initially succeeded in having the class action struck out at an early stage, on the basis that the risk of harm was speculative as actual identity theft had not yet occurred. However, this decision was overturned on appeal and the case has since been reinstated.

As with the Australian cases, this litigation remains before the courts.

United Kingdom: breach of statutory obligations

In the UK, two tech giants have recently been the subject of class actions based on alleged breaches of data processing obligations. The cases reflect that not all privacy-related claims are suitable for the class action procedure:

  • In 2021, the Supreme Court dismissed a representative action against Google brought on behalf of more than 4 million affected individuals. The lawsuit alleged that Google had breached its duty as a data controller under the Data Protection Act 1998 through use of a browser cookie that could be activated without users’ knowledge or consent on certain websites.

    The claims failed at the first hurdle, when the Supreme Court refused permission to serve the claim form on Google (a Delaware corporation) outside the UK. Key to its reasoning was that the claim had been brought on the basis that all users had suffered the same damage. However, as the damages payable to each individual claimant would need to be individually assessed, the Court held that this was not an appropriate case for a representative action.

  • In 2022, the former Children’s Commissioner for England brought a representative proceeding against TikTok on behalf of children holding TikTok accounts. The claim alleged that TikTok had violated the GDPR and the Data Protection Act 2018 in the way in which it processed the children’s data, including through a lack of transparency about the purposes of the data collection and the extent of the processing. The proceeding survived an initial procedural challenge on the grounds of jurisdiction. However, it was subsequently withdrawn, meaning that unresolved questions remain about the suitability of class actions in UK cases of this kind.

At present, consumer class actions of these types - based on local data protection laws - are not possible in this country. Our Privacy Act 2020 lacks a civil penalty regime which could provide for a general right of the Courts to award damages for breaches of the Act. This is not lost on our own Privacy Commissioner, who has recently commented that legislative changes are needed to ensure that New Zealand’s privacy laws are fit for purpose in a digital age.

What does this mean for you?

Prevention is the best strategy when it comes to data protection and privacy. However, the growing sophistication of cyber attackers, and greater public awareness of privacy-related rights and obligations, mean that it is also essential to prepare for the worst. Organisations should regularly conduct privacy health checks to ensure that:

  • They are fully compliant with the Privacy Act 2020 and its obligations around how to collect, use, store and disclose personal information;
  • They have adequate cyber-security systems, which are regularly reviewed to ensure that they remain fit for purpose;
  • They have well-thought-out data retention policies which ensure that they are not holding onto personal information for longer than is necessary and thus creating an unnecessary risk and compliance burden; and
  • They have a data breach response plan in place which addresses notification obligations and containment and mitigation measures. Organisations need to be aware that urgent injunctive relief may be available from the courts in the aftermath of a breach and that it is an important and highly effective method of mitigating damage and protecting individuals whose sensitive information is at issue.[2]

If you have any questions about your agency’s privacy and data protection obligations, please contact one of our experts.

[1]     Under s 97(6), the Director of Human Rights Proceedings may bring proceedings in the Human Rights Review Tribunal on behalf of a “class of aggrieved individuals”. Section 98 provides that “a representative lawfully acting on behalf of a class of aggrieved individuals” may bring proceedings in certain circumstances involving decisions of the Commissioner or the Director.

[2]     Our firm has obtained a number of such injunctions, including in relation to the recent Mercury IT hack. The Privacy Commissioner called the injunction in that case “a valuable tool in the data breach toolkit”: Office of the Privacy Commissioner | Injunctions - a valuable tool in data breach toolkit.