Alongside the legislation, the courts have taken a strong stance against the un-consensual use of private information following a privacy breach. The court’s willingness to grant injunctions against the media and unknown defendants is illustrated in the recent case of Waikato District Health Board v Radio New Zealand  NZHC 2002.
In May 2021, Waikato District Health Board (WDHB) was the victim of a cyber-attack in which private and confidential information was illegally obtained by unknown criminals (Stolen Dataset). Following a failed ransom demand, a link to the Stolen Dataset was sent to media organisations and uploaded to the dark web to further pressure the WDHB to give in to the extortionists’ demands.
Upon receiving the Stolen Dataset, Radio New Zealand (RNZ) learnt certain information about a patient of WDHB and decided to do a story involving that information. RNZ contacted WDHB for comment in advance. There were various communications between RNZ and WDHB, with the last communication being WDHB requesting RNZ to hold off on publishing its story to allow WDHB to take steps to protect its patients. RNZ then published the story at 7am the next day.
WDHB sought interim injunctions against RNZ and persons described as “unknown defendants” a couple of days later. The unknown defendants comprised the persons responsible for the illegally obtained data and anyone who obtained the Stolen Dataset.
The Court noted that, as this was an application for an interim injunction, it must determine whether there is a serious question to be tried, where the balance of convenience lies, and where the overall justice of the case lies. Before considering those points, Churchman J noted that the “New Zealand Courts have recognised the appropriateness of granting injunctions against ‘unknown defendants’ in a variety of circumstances, and in particular where confidential information has been stolen”.
In considering those matters the Court held that:
(a) There was a serious question to be tried. The Stolen Dataset was unlawfully obtained by hackers trying to extort a ransom from WDHB. In addition, in endeavouring to facilitate the extortion by causing maximum embarrassment and distress to WDHB and its staff and patients, the Stolen Dataset was made available on the dark web and media outlets were encouraged to publicise it.
(b) The balance of convenience was in favour of an injunction. Any inconvenience persons wishing to publicise the Stolen Dataset for commercial gain would suffer was “significantly outweighed by the distress caused to those whose privacy rights in their personal and sensitive information is breached if the Court does not grant the interim relief sought”.
(c) The overall justice of the case was also in favour of an injunction. In this regard, the Court considered that:
- “there are strong arguments to the effect that it is not in the public interest that the confidentiality of the private, personal and sensitive information in the Stolen Dataset be breached” and
- “there are public policy arguments against permitting unknown defendants to attempt to profit in a way which assists extortionists to inflict maximum pressure on their victim to comply with their ransom demands and/or to intimidate other potential victims by demonstrating to them the willingness of media organisations in particular to utilise stolen confidential data for their own ends.”
This decision sends a strong signal that Courts will not tolerate the actions of cyber criminals and will step in to prevent any unauthorised use of illegally acquired personal information. In our view, it adds a further layer of protection for personal information under New Zealand’s privacy regime.
How we can help
With the new Privacy Act 2020 having been in force for a year now, if you have not already done so, we recommend undertaking a privacy audit to ensure your agreements, policies and processes are up to date. If you would like to understand more about your obligations under the Act, please get in touch with us.