Privacy Law and Policy Reporter
Chris Connolly and Nawaz Isaji GALEXIA CONSULTING
This article surveys Australian and international privacy laws to assess the ability of courts and privacy regulators to consider ‘representative complaints’, and argues that privacy breaches are particularly suited to resolution through representative action. The article concludes that the benefits of representative complaints are yet to be fully realised in the privacy field. Two Australian case studies of representative complaints will be covered in a following issue of PLPR.
Versions of this article were presented at the Baker & McKenzie Cyberspace Law and Policy Centre’s Surveillance and Privacy 2003 conference (Sydney, September 2003) and its Making Privacy Laws Work conference (December 2003) by Chris Connolly. The paper is available from http://consult.galexia.com/ — General Editor.
In 1981, the West Australian newspaper published a photograph of a naked woman on the front page without the woman’s consent. Not surprisingly, this resulted in a privacy complaint to the Australian Press Council.
This may seem like a strange starting point for a discussion of representative privacy complaints, but the case is illustrative of one of the great pitfalls of privacy laws. The laws are only as good as the complaints, but the complaints process itself is not well suited to the protection of privacy.
To be fair to the West Australian, the woman was being carried down a ladder by a fire-fighter who had just rescued her from a burning building. The building was also in Sydney and the editor later explained that he doubted anyone in Perth would recognise her. The newspaper did not name her or provide any other identifying information.
Several people, including two members of parliament, complained that the photograph invaded the woman’s privacy. This resulted in the Australian Press Council Adjudication No 118 (November 1981), in which the Council dismissed the complaint in one sentence:
The council considers that in the absence of any evidence that the woman, herself, felt her privacy had been breached, it is unable to uphold the complaint.
It is an extraordinary decision because it places the onus for complaining on a privacy victim, who would surely exacerbate the privacy breach by identifying herself and pursuing the matter through the formal complaints process.
On the other hand, if there had been some capacity for the Council to consider a representative complaint, an obvious breach of privacy would have been found (subject to due consideration of whether some other public interest justified the publication of the photograph).
It is our view that representative complaints are particularly suited to privacy issues, and that they have been under-utilised to date.
The advantages of representative complaints in the privacy field are as follows.
Minimising further privacy intrusion — a third party can manage the formal complaints process in a way which limits any further invasion of the privacy of the person who has suffered the original breach.
Dealing with systemic issues — many privacy breaches may appear minor to an individual, but actually represent serious systemic issues for the wider community. Complaints which may not be worthwhile pursuing for one consumer may be easier to justify for a class.
Effective deterrence — solo privacy complaints do not represent an effective deterrent for privacy invasive practices. An individual complainant will probably settle at a lower threshold than a group. The company or agency responsible for the breach is unlikely to be named or receive any negative publicity. The higher profile of representative complaints and class actions provides a more effective deterrent.
Practical benefits — there are numerous practical benefits to proceeding via a representative complaint, although these will differ from case to case. One of the benefits we have seen in practice include the ability to utilise information from complainants who would otherwise be unavailable for a formal individual complaint (such as transient, low income populations). Other obvious benefits are costs and the ability to access legal advice. An important benefit in Australia is the ability to see out the interminably long time privacy complaints take to be resolved — something an established advocacy organisation is in a better position to do than an individual consumer.
Having stated that there are significant advantages for representative complaints in the privacy field, it should be noted that representative complaints are not always an available option in privacy laws. Many jurisdictions do not appear to allow third parties to lodge complaints on behalf of privacy victims. Also, in those jurisdictions where privacy representative complaints can be lodged, there is little consistency on issues such as whether the consent of the victims is required.
This article aims to serve as a discussion starter on this issue and lead to the wider acceptance of representative complaints and some consistency about the conditions which are placed on such complaints.
Current legal position in Australia
The Privacy Act 1988 (Cth) (the Act) is Australia’s principal source of legislation for dealing with privacy disputes. Personal information collected and handled by federal public sector organisations and by a significant part of the private sector is subject to the Act. In addition to establishing the Information Privacy Principles (for public sector agencies), the National Privacy Principles (for the private sector), and the capacity to register industry privacy codes of conduct, it sets out the role of the Federal Privacy Commissioner (the Commissioner).
The Act specifically allows representative complaints to be made to the Commissioner. Furthermore, the section on representative complaints is more detailed than the legislation of those Australian States which have privacy laws, and the laws of other countries.
The Act provides details of:
• conditions for complaint registration;
• how and when a Commissioner may refuse to pursue a complaint and what happens if the Commissioner makes such a determination; and
• how an individual complaint may become a representative one.
Under s 38 of the Act, representative complaints must be lodged in accordance with the ordinary complaints registration procedure (s 36) plus several additional procedures set out in following sections.
38 Conditions for making a representative complaint
(1) A representative complaint may be lodged under section 36 or accepted under subsection 40(1B) only if:
(a) the class members have complaints against the same person; and
(b) all the complaints are in respect of, or arise out of, the same, similar or related circumstances; and
(c) all the complaints give rise to a substantial common issue of law or fact.
(2) A representative complaint made under section 36 or accepted under subsection 40(1B) must:
(a) describe or otherwise identify the class members; and
(b) specify the nature of the complaints made on behalf of the class members; and
(c) specify the nature of the relief sought; and
(d) specify the questions of law or fact that are common to the complaints of the class members.
In describing or otherwise identifying the class members, under s 38 it is not necessary to name them or specify how many there are.
(3) A representative complaint may be lodged without the consent of class members.
Overall, the Commonwealth has one of the broadest approaches to accepting representative complaints, and two high profile privacy representative complaints have now been lodged (these will be presented as detailed case studies in a forthcoming issue of this publication).
New South Wales
In NSW, the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) provides a complaint handling system similar to the Commonwealth system. However, s 45, the key complaints provision, does not directly adduce any legislative support for the notion of representative complaints. There is no subsection of the PPIP Act which unequivocally deals with representative complaints. However it may be inferred by s 45(1) that another person may make the complaint. It states:
A complaint may be made to (or by) the [NSW] Privacy Commissioner about the alleged violation of, or interference with, the privacy of an individual.
It would seem from this wording that anyone may make the complaint, as long as it affects an individual.
Privacy NSW (the Office of the NSW Privacy Commissioner) has obviously considered this issue in some detail. On 22 July 2002 it issued a protocol for the handling of complaints by Privacy NSW. Section 2.2.2 deals with representative complaints:
2.2.2 Third party complaints
In January 2002 the Privacy Commissioner received legal advice to suggest that s 45 of the PPIP Act only contemplates that a complaint can be made by an individual whose privacy has been violated or interfered with. That is, it is arguable that a ‘third party’ whose privacy has not been affected, such as a ‘whistleblower’, cannot make a complaint under s 45.
Where a third party is acting on behalf of the person whose privacy has allegedly been violated or interfered with, Privacy NSW will treat that as a ‘first party’ complaint. (Examples here include a parent on behalf of their child, a lawyer on behalf of their client, or an MP on behalf of their constituent.)
Unrelated third party complaints will not be accepted as complaints under s 45. However they may be treated as requests for advice ...
However if a complaint about conduct potentially affects an individual as a member of a class (for example a person whose records are inadequately secured by an agency), the fact that the personal information of other persons may be equally affected by that conduct does not preclude Privacy NSW from investigating the matter.
This is not to suggest that the complainant must prove that they have suffered ‘harm’ in order for their privacy to have been ‘violated or interfered with’. Whether or not a person’s privacy has been ‘violated or interfered with’ is determined as against certain standards ...
In addition to his power to receive, investigate and conciliate complaints (s 36(2)(k)), the Privacy Commissioner also has power under s 36(2)(l) to ‘conduct such inquiries, and make such investigations, into privacy related matters as the Privacy Commissioner thinks appropriate’. On that basis, the Privacy Commissioner will consider seriously any third party ‘whistleblower’-type complaint, and may review the matter if it raises significant privacy concerns which may affect the public interest. On this basis the Privacy Commissioner may be able to issue a Special Report to Parliament about the matter under s 65.
NSW therefore appears to be willing to find a way to accept representative complaints, despite some technical difficulties with the Act. However, a complaint by an advocacy organisation on behalf of a broad class of unnamed consumers may struggle to meet the definition of a complaint (the Tenancy Database case study, to be published in a forthcoming issue, is an example of this type of complaint).
The Information Privacy Act 2000 (Vic) also gives some regard to representative complaints. The complaints section (s 25) states:
(3) In the case of an act or practice that may be an interference with the privacy of two or more individuals, any one of those individuals may make a complaint under subsection (1) on behalf of all of the individuals with their consent.
However, the complaint can only be made in a certain way here. The representative must be part of the group affected. That is, the representative must also face the same ‘interference’ with his or her privacy as the others in the group in order to make the complaint. This is in contrast to the NSW PPIP Act and the Federal Act, where anyone may represent the group. Also, in Victoria the representative must gain the consent of his or her fellow litigants to make the complaint. This is in direct contrast with the Federal law, which expressly states that representative complaints do not have to have the consent of their class members.
Current international legal position
This section provides a brief and partial survey of international approaches to privacy representative complaints and privacy class actions.
The Canadian Privacy Act 1985 does not provide a detailed description of representative complaints. Section 29(2) provides:
Complaints submitted on behalf of complainants
Nothing in this Act precludes the Privacy Commissioner from receiving and investigating complaints of a nature described in subsection (1) that are submitted by a person authorized by the complainant to act on behalf of the complainant, and a reference to a complainant in any other section includes a reference to a person so authorized.
The Canadian Act does not provide details of representative complaints, although it does acknowledge that they can be made, and that there is nothing within the Act to stop them being made.
The first privacy class action in Canada was brought in February 2003. Taylor v Saskatchewan was a class action suit filed against several private and government organisations for the loss of the financial and health information of more than 850,000 Canadians due to the theft of a computer hard drive from an information technology services provider. The information included names, addresses, bank account details, social insurance numbers and cheque information. The suit included claims for breach of fiduciary duty, breaches of contract and consumer confidence, and negligence in the custody of sensitive personal information. Class members sought damages for the ‘anguish and concern they have experienced since their information was placed at risk’.
The Hong Kong Personal Data (Privacy) Ordinance 1995 sets out complaint procedures in Pt 37. It states that:
(1) An individual, or a relevant person on behalf of an individual, may make a complaint to the Commissioner about an act or practice
(a) specified in the complaint; and
(i) has been done or engaged in, or is being done or engaged in, as the case may be, by a data user specified in the complaint;
(ii) relates to personal data of which the individual is or, in any case in which the data user is relying upon an exemption under Part VIII, may be, the data subject; and
(iii) may be a contravention of a requirement under this Ordinance (including s 28(4)).
(2) Where 2 or more individuals may each make a complaint about the same act or practice, then any of those individuals, or any relevant person on behalf of any of those individuals, may make such a complaint on behalf of all those individuals, and the provisions of this Ordinance (including subs (1)) shall be construed accordingly.
Note that the definition of ‘relevant person’ under the Ordinance does not shed any additional light on representative complaints, nor does the Commissioner’s Complaint Handling Policy. It seems clear that some form of limited representative complaint can be made under the Ordinance, and Pt 37(2) might imply that consent of additional affected parties is not required. However, there does not appear to be any scope for a third party representing the group.
The Privacy Act 1993 (NZ) contains a fairly broad definition of ‘complaint’. Section 67(1) states:
Any person may make a complaint to the Commissioner alleging that any action is or appears to be an interference with the privacy of an individual.
It seems clear that the ‘person’ referred to at the beginning of the clause, and the ‘individual’, do not necessarily have to be the same person. It is very much foreseeable that the ‘person’ could bring about the claim regarding any ‘individual’.
Section 71(1)(e) of the Act gives the NZ Privacy Commissioner some discretion as to whether or not to accept a representative complaint:
(1) The Commissioner may in his or her discretion decide to take no action or, as the case may require, no further action, on any complaint if, in the Commissioner’s opinion ...
(e) The complainant does not have a sufficient personal interest in the subject-matter of the complaint.
In NZ, the Commissioner can only conciliate complaints. In order to obtain a determination, the complainant must approach the Human Rights Review Tribunal (HRRT). Section 82 of the Privacy Act includes a specific provision for class actions at this stage:
(4) The [Director of Human Rights Proceedings] may, under subsection (2) of this section, bring proceedings on behalf of a class of individuals, and may seek on behalf of individuals who belong to the class any of the remedies described in section 85 of this Act, where the [Director of Human Rights Proceedings] considers that a person to whom this section applies is carrying on a practice which affects that class and which is an interference with the privacy of an individual.
Note that s 82 deals with proceedings brought by the Director of Human Rights Proceedings. Individuals can potentially pursue a matter on their own behalf using s 83. However, it is ‘uncertain’ whether an aggrieved individual can bring a representative or class action under s 83:
In New Zealand Freedom from Discrimination Group v New Zealand Grand Lodge of Freemasons (1984) EOC 92-008, the Equal Opportunities Tribunal left unresolved the issue whether a group of aggrieved persons could pursue a class action where the Human Rights Commission or Race Relations Conciliator declined to proceed on their behalf. [Note: the Equal Opportunities Tribunal is the predecessor institution of the current Human Rights Review Tribunal, which has jurisdiction now over privacy cases.]
There have been numerous privacy class actions in the US, under a variety of State and federal laws. One of the first privacy class actions was Forrest v New York Telephone. In that case, a class of some 30,000 phone customers claimed that New York Telephone failed to deliver promised All Call Restrict services and published without permission ‘non-published numbers’ through Call ID terminals. The Forrest class charged NYT with breach of contract, violation of privacy rights, unjust enrichment, gross negligence and wilful misconduct. The Court certified the action finding that the breach of contract and privacy claims involved a course of conduct common to the class.
Some of the better known US privacy class actions are discussed briefly below.
Re DoubleClick was a class action seeking millions of dollars in damages. It was filed by web users for the advertising company’s use of personal information (for example, name, address, email address and web pages visited) gathered through internet cookies placed with the authorisation of affiliated websites. The Federal claims were dismissed on the merits in March 2001. Most State claims were dismissed for lack of jurisdiction or were the subject of a fairly weak settlement between the parties in 2002.
Re Trans Union Corp was a class action seeking $100 each for an estimated class of 130,000 individuals for a breach of the privacy provisions of the Fair Credit Reporting Act 1970 (US). Trans Union Corp was selling lists of names and addresses to commercial marketers. The company also sold so called ‘target marketing’ products that contain lists of individuals who meet certain criteria. Marketers purchased these lists and then contacted the individuals to sell them various goods and services.
In other proceedings the Federal Trade Commission determined that Trans Union’s target marketing was not an authorised use of ‘consumer reports’ under the Fair Credit Reporting Act. Trans Union has been permanently enjoined from further sale of target marketing lists. This decision was affirmed on appeal in Trans Union Corp v FTC.
This class action has been brought against TriWest Healthcare Alliance for failing to protect individuals’ personal information adequately. In December 2002, hard drives and laptops containing personal information were stolen from TriWest. The personal information of 500,000 military personnel was contained in the stolen equipment. It was ‘suspected’ that the thieves were targeting the personal information, as they left behind computer equipment that was more valuable. The lawsuit alleges violations of the Privacy Act 1974 (US), breach of contract, and negligence.
While there are some gaps and inconsistencies in privacy laws in relation to representative complaints, the main issue seems to be that (outside the US) representative complaints have been under-utilised by consumers. Many individual complainants have taken formal ‘solo’ complaints to Privacy Commissioners, yet this has resulted in very little in the form of publicity, determinations, the naming of defendants or any form of effective deterrence. Many other potential complainants will not have taken any formal action because of concerns about exacerbating the original privacy breach, or because of a lack of confidence in formulating a complaint, or for practical reasons such as a lack of time, resources and access to legal advice.
It is useful to note that there is some opposition to the growth in privacy class actions in the US. The leading article on the debate to date is ‘Limiting private rights of action in privacy legislation’ by Ronald Plesser and Stuart Inglis.
Enforcement of privacy law is a significant issue in the debate about privacy legislation. Generally, enforcement alternatives include a private right of action, Federal Trade Commission (or other federal agency) enforcement, and state attorney general enforcement of a federally-enacted standard. Although there may be narrow circumstances in which a private cause of action is appropriate, the potential negatives that result from frivolous class action lawsuits in the privacy context should be limited. Private causes of action in privacy laws have been used to attempt to recover significant monetary awards in situations where there is no injury to consumers. Private causes of action in privacy statutes offer incentives for class action lawyers, and result in the spending of significant amounts of money to defend lawsuits raising technical claims.
This article was rebutted (somewhat) by Seth Richard Lesser’s companion piece — ‘Internet privacy litigation and the current normative rules of internet privacy protection’ (March 2003).
What is made clear by the litigation of the cases ... is the importance of a private right of action to protect whatever privacy interests exist. Although no company likes to receive inquiries from government investigators, the reality is that it is often the threat of private litigation that prompts corporations to take notice. Most certainly, the class actions did so here.
While the US debate is of interest, there will be additional benefits for pursuing privacy representative complaints in other jurisdictions, especially those (like Australia) where little or no effect is achieved by individual complaints.
The following case studies point to a more positive future for privacy law, where committed individuals or experienced advocacy organisations will have the patience and determination to ensure that privacy breaches are dealt with in a high profile, systematic way, without risking further harm to those individuals who have already suffered privacy breaches. l
Chris Connolly and Nawaz Isaji are consultants with Galexia Consulting.
. Chris Connolly is a Director of Galexia Consulting, a specialist consulting firm which focuses on electronic commerce, privacy, authentication and identity management. Chris is also a Visiting Fellow in the Law Faculty at the University of New South Wales, where he teaches Electronic Commerce Law and Practice (amongst other courses) in the Masters Program and is a Director of the Financial Services Consumer Policy Centre, a research centre affiliated with the UNSW.
. The authors plan to update this article with information from other jurisdictions. Input is welcome — <firstname.lastname@example.org>.
. Taylor v Saskatchewan, Sask QB, No 243, filed 2/3/03; 2 PVLR 114, 2/10/03.
. WGM Internet Law Bulletin, 17 March 2003.
. Roth P Privacy Law and Practice Looseleaf LexisNexis NZ 2003 p 535.
. A list of privacy class actions is maintained at: <www.bna.com/current/ cla/topp.htm>.
. Supreme Court of New York, Albany County, Kegan J, 6 December 1996.
. Some additional US privacy class actions include: Wilson v American Cablevision of Kansas City Inc 133 FRD 573 (WD Mo 1990); Parker v Time Warner Entertainment Co LP 1999 US Dist LEXIS 18883 (EDNY 1999); and In re Intuit Privacy Litig, 138 F Supp 2d 1272 (CD Cal 2001).
. Re DoubleClick Inc Privacy Litig, 154 F Supp 2d 497 (SDNY 2001).
. Re Trans Union Corp Privacy Litigation, 200 US Dist LEXIS 17209 (September 2002).
. Trans Union Corp v FTC  USCADC 52; 345 US App DC 301, 245 F 3d 809 (DC Cir 2001).
. <www.triwest.com/ announcement/>.
. <www.privacy.org/archives/ 001086.html>.
. <www.cdt.org/privacy/ccp/ privaterightofaction1.shtml>.
. <www.cdt.org/privacy/ccp/ privaterightofaction2.shtml>.