Privacy breach from conference sign-in could pave the way for class actions in Europe

28 January 2025

The Court of Justice of the European Union (CJEU) has recently ordered the European Commission to pay a German resident 400 euro after his data was transferred to the United States through the use of a “sign in with Facebook” feature.

While the amount of damages ordered in this case is modest, the precedent that an individual can recover damages for this kind of claim is another step paving the way for class actions in Europe for claims relating to privacy breaches. 

In this article we look at the facts of this European case and the future of privacy class actions in New Zealand. While the transfer of data that occurred in this case would likely not contravene New Zealand’s privacy law, it is also a reminder of the need for businesses to carefully consider whether the Privacy Act allows them to transfer personal information outside of New Zealand.

Bindl v European Commission

Thomas Bindl, of Germany, brought a case to the CJEU following his registration for a “Go Green” event managed by the European Commission. As part of the registration process for this event, he selected the option to sign in with his Facebook account.

Mr Bindl claimed that during his visits to the Commission’s website, his IP address and information about his browser and terminal were transferred to recipients in the United States. At the time of the transfers in 2021 and 2022, the European Commission did not recognise the United States as having adequate safeguards to protect personal information, and the Commission had not indicated any appropriate safeguards that would justify the transfers. Mr Bindl was particularly concerned that the data transferred to the United States could be accessed by US law enforcement, security, and intelligence services.

The CJEU held that, in respect of the Go Green event, by displaying a “sign in with Facebook” hyperlink on the log-in page, the Commission created the conditions for the transmission of Mr Bindl’s IP address. The Court further held that the IP address constituted personal data that was transferred to Meta Platforms in the United States, and that that transfer must be imputed to the Commission.

The Court awarded Mr Bindl the 400 euro he had sought for non-material damage, as a result of the uncertainty Mr Bindl faced regarding the processing of his personal data, in particular his IP address.

The Bindl decision does not change the law in respect of the transfer of personal data between the EU and US, as the transfer at issue occurred in the period of time before the EU-US Data Privacy Framework was introduced.[1] It is however of material importance to the extent that it sets a precedent that individuals can obtain damages if their privacy is breached by way of a data transfer. While 400 euro may not be a large amount (particularly in light of GDPR fines that have been issued of up to 3 billion euro), the damages awards organisations may face could become dramatically larger if class actions are brought on the part of multiple aggrieved individuals. With 449.2 million people living in the EU, if even a fraction of these join a class claiming their rights have been infringed, the damages awarded could easily exceed one billion euro.

This decision comes in the wake of privacy campaign group NOYB (chaired by frequent GDPR litigant Max Schrems) being approved in October 2024 as a “Qualified Entity” to bring collective redress actions throughout the European Union. The EU system for collective redress only allows for approved non-profit organisations to bring representative actions. A maximum fee of 25 euro can be charged by a Qualified Entity to consumers wishing to be represented in a class action, and it remains to be seen how these class actions will be funded in practice. It is perhaps relevant to note that Mr Bindl is himself a founder of a German-based litigation funding firm focussed on EU data protection claims.

Contravention of New Zealand law

In the New Zealand context, offering the opportunity to login to a site using Facebook would not be likely to contravene information privacy principle 12 of the Privacy Act (relating to overseas data transfers), as it is permitted under that privacy principle to disclose information to a foreign person that carries on business in New Zealand and is subject to the Privacy Act. While this has not been tested by the New Zealand courts, it is likely that Meta would be found to be doing business in New Zealand (noting that it was found by Australian courts to be doing business in that jurisdiction).

However, in circumstances where personal information may be disclosed to persons outside New Zealand who are not doing business in New Zealand, it would be important to ensure one of the exceptions in information privacy principle 12 applied, e.g. that the person in question had consented to the overseas transfer of information after being told it would not be protected by similar safeguards to those in New Zealand.

It is more likely that if a class action for a breach of the Privacy Act is brought in New Zealand, it would relate to a breach of information privacy principle 5, i.e. that the business in question has not protected the information with such safeguards as are reasonable to take in the circumstances against loss, unauthorised access, or other misuse. New Zealand businesses will need to continue to prioritise cyber-security, appropriate document retention/deletion protocols, and breach response management in order to minimise the risk of becoming a defendant in this kind of case. In this respect it should be noted that cyber-security incidents and privacy breaches are becoming increasingly common, and class actions for such breaches are taking place in other jurisdictions, including Canada, the United Kingdom and Australia (where class actions have been initiated for the Optus and Medibank breaches).

Class actions for privacy breaches in New Zealand

The Privacy Act 2020 introduced a new bespoke regime for privacy class actions in New Zealand. After a matter is referred to the Privacy Commissioner and comes to an end (for example if the Commissioner decides not to investigate, does not make a determination, decides that the matter should not be proceeded with, or decides that a complaint does not have substance but declines to refer the complaint to the Director of Human Rights Proceedings), then an individual or a representative lawfully acting on behalf of a class of aggrieved individuals may commence proceedings in the Human Rights Review Tribunal. Where representative proceedings are brought before the Tribunal, it may award damages of up to NZ$350,000 for each individual in the class.

There are however several obstacles to bringing class actions for privacy breaches in New Zealand. These include:

  1. A large class action case may take considerable time to bring to a hearing and for a decision to be issued, especially given that the Human Rights Review Tribunal has a backlog of cases currently before it.
  2. There would likely be a need to show members of the class had suffered loss or damage in order to obtain a damages award.
  3. Litigation funders may be reluctant to become involved in this kind of novel class action, and the level of compensation each individual may be awarded may not be sufficient to justify a third-party litigation funder becoming involved. Without the involvement of a funder, it may be difficult for these kinds of class actions to progress.

It is possible however that a class action relating to a privacy breach in New Zealand could be approached through other means, for example by way of a claim in the High Court for breach of contract (for example, if contractual terms providing that personal information would be protected in certain ways were not complied with) and/or consumer law (for example, if a business had made false or misleading representations about data security, or services were not provided with reasonable care and skill), or through torts such as breach of privacy, intrusion into seclusion, or negligence. These kinds of more established mechanisms for redress may be more attractive to litigation funders than the regime provided for by the Privacy Act 2020.

While New Zealand has not yet had any class actions filed relating to privacy breaches, this area remains one to watch going forward. Privacy compliance will remain a key area for businesses to manage going into 2025, including by aiming for full compliance with the Privacy Act 2020, ensuring adequate cyber-security procedures are in place, implementing comprehensive data retention and deletion policies, and having an adequate privacy breach response plan in the event something goes wrong.

Bell Gully has extensive experience advising on privacy law and compliance, and acting in class action proceedings. For more information, please get in touch with the contacts listed, or your usual Bell Gully adviser.

[1] The EU-U.S. Data Protection Framework was created under the previous Trump administration (although implemented by an executive order by Joseph Biden). It is not currently expected that this Framework would be overturned or modified by the United States, but a further challenge of the Framework in the CJEU is possible, which would impact the legality of transferring personal data between the EU and US.


Disclaimer: This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.