During the ICO’s annual Data Protection Practitioners’ Conference in July 2022, the Information Commissioner made a passing reference to there being scope for the UK data protection authority, the Information Commissioner’s Office (the “ICO”), to emulate the approach taken to privacy violation complaints in New Zealand.

Under the UK GDPR, individuals have the right to claim compensation from an organisation if they have suffered damage as a result of a breach of data protection law. However, even where the ICO decides that an organisation has broken data protection law, it cannot award compensation to impacted individuals.

To obtain compensation, individuals need to attempt to recover losses from the organisation direct or, failing that, to bring a claim in court. It is the court that would then decide whether compensation is due and not the Information Commissioner.

As part of our firm’s celebration of Legalign Global week this month, we asked our counterparts in Wotton+Kearney - New Zealand to provide insight into how the system in their jurisdiction works, noting that the UK Information Commissioner was previously the New Zealand Information Commissioner for eight years.

New Zealand Privacy Act 2020

The Privacy Act 2020 (NZ) (the “Act”) implements a framework for managing complaints and compensation claims. This involves pursuing a complaint through the Office of the Privacy Commissioner (“OPC”) in the first instance, then (if unresolved) a claim through the Human Rights Review Tribunal (“HRRT”) Office of the Privacy Commissioner (OPC).

Under section 70 of the Act, individuals can bring a complaint about any “interference with privacy” to the OPC. An “interference with privacy” is broadly defined in the Act to include a breach of any of the Information Privacy Principle, or a failure to comply with notification requirements.

An individual has an actionable claim for compensation where there is an “interference with privacy” resulting in a specified harm. “Harm” is defined broadly and includes:

  1. loss, detriment damage or injury;
  2. adversely affecting their rights, benefits, privileges, obligations or interests; or
  3. significant humiliation, loss of dignity or injury to feelings.

Upon receipt of a complaint and provided the complainant has undertaken reasonable efforts to resolve the complaint directly, the OPC will determine whether to open an investigation. Should an investigation be progressed the OPC will typically issue a preliminary opinion to the parties and explore options for resolution.

The OPC’s role in investigating complaints is limited to issuing findings and seeking to facilitate a resolution between the parties. It cannot order compensation, require a party accept particular findings, or compel a party to attend settlement discussions. The OPC can issue a compliance notice under section 123 of the Act to require an agency to take steps to remedy a breach. The OPC does have the power to facilitate conciliation conferences – without prejudice settlement conferences similar to mediation.

If the parties are unable to resolve the complaint, then the OPC will issue a final report and section 98 notice. Following issue of the notice, the complainant has six months to issue a claim in the HRRT for the full range of compensatory remedies. The HRRT is a specialist tribunal set up to deal with complaints under a range of legislation, including the Act. While the HRRT will be provided with a copy of the OPC’s section 98 notice, the Tribunal considers the merits of the case a fresh.

Pros and cons of the system in New Zealand

Like any system, the involvement of New Zealand’s privacy regulator in the complaints and compensation process has pros and cons.

Managing the early stages of a complaint via the regulator can be more cost effective and can avoid the need to engage lawyers where complaints are straight forward. The system also encourages the parties to consider settlement at a relatively early stage (which itself has obvious cost benefits) and ensures a consistency of approach and decision making.

While the system may be cost effective, it can be time consuming. Involvement of the OPC implements a natural buffer to parties being able to seek compensation. In our experience, it can take six months to get an investigator at the OPC appointed to a case, and then a further 6 months before a preliminary opinion is provided or conciliation conference set down. If a complaint is then taken to the HRRT there will often be a wait time of 12-18 months to get a hearing set down. It would not be unreasonable to expect the time between making a complaint to the OPC and getting a finding in the HRRT to be 2-3 years.

Conclusion

If the UK does decide to implement an equivalent system to New Zealand, affording the ICO the right to determine compensation awards, it is difficult to see how this would be resourced by an already-stretched regulator. In the UK, we have seen a significant increase in data breach compensation claims over the past two years, but these are typically handled by claimant law firms, in correspondence with data controllers or their lawyers.

If the ICO is engaged to handle these compensation claims, and the New Zealand approach is anything to go by, it seems likely that resolution of such claims would be even slower than the current system where delays are already caused by a backlog of cases in the County Courts.

One potential positive would be the move away from claimant law firms being engaged on data breach compensation claims with the high fees that result, which often act as a barrier to settlement.

With the government’s data reform agenda seemingly on pause for now, we will continue to keep a watching brief on this issue as we predict further reforms will be announced across the coming months.