Sir Bruce Slane Memorial Lecture

Sir Bruce Slane Memorial Lecture

November 2018

Hon Justice Helen Winkelmann

Judge of the Court of Appeal of New Zealand

 

It is an honour to be invited to speak at this inaugural Sir Bruce Slane Privacy Lecture to mark the Privacy Act’s 25^th birthday.

It is New Zealand’s great fortune that Sir Bruce was the first Privacy Commissioner. Twenty-five years ago, he brought to bear all his skills as a lawyer, leader in the profession, broadcaster, newspaper columnist, regulator, social visionary and innovator to explain the importance of privacy to us all. Sir Bruce gave speech after speech throughout New Zealand, outlining the core concepts of the new Privacy Act and debunking fake news about how it would operate. It is therefore fitting that we remember his legacy, and this particular anniversary for the Act, with a lecture which aims to promote discussion about the law of privacy.

Sir Bruce’s biography provides good context for my talk today. Sir Bruce drew upon his multi-disciplinary experience when he came to explain why New Zealanders should value privacy. I argue that a multi-disciplinary approach to the law of privacy is a model for us all, and that the law should not be divided from behavioural, social and philosophical frameworks.

I have chosen to address this topic because, beyond upholding rights in individual cases, the common law does important work in explaining the standards and rules it applies. By this means it supports the rule of law and makes a fundamental contribution to the legal culture of a nation. It applies standards and values that run through different causes of action, across the criminal and civil divide, and which become embedded in the nation’s law mindedness (to borrow the Chief Justice’s expression) in a variety of ways. Privacy is one of those values or standards. I argue the courts could perform this task a little better were we to give privacy a fuller “back story” and that, in any case, we need to do that if we are going to meet some of the new challenges to the privacy of the individual.

The structure I follow in this paper is as follows. I outline conceptual frameworks for how we can view privacy and its value in our society. I describe particular challenges to the law of privacy brought about by the online economy and social media. I then review how the courts value privacy in a post New Zealand Bill of Rights Act world, observing that the omission of privacy from the New Zealand Bill of Rights Act 1990 as a standalone right has led to privacy being accorded a secondary status to the rights recorded in the Act. I describe arguments which support giving privacy equal status to those rights enshrined in the New Zealand Bill of Rights Act.

I then highlight issues in respect of some of the concepts employed by the courts. I argue that although doubted by some, the concept of a reasonable expectation of privacy is a useful standard, employed as it is both in the tort of invasion of privacy, and in the law in relation to search. However, I question whether, as presently applied, it is too unstable, because it requires judges to form impressionistic views of what disclosure of private facts is societally acceptable; a task undertaken against a backdrop of seismic shifts in norms as to the information we are prepared to share and the information about us that is collected.  I propose that courts would be assisted in defining a reasonable expectation in the individual case were they to use the public and private benefits that privacy brings as a cross check for what is “reasonable”.

Last, I raise for discussion the significance that consent has in the law of privacy. I highlight a need for caution in construing contractual terms with a waiver of privacy rights. 

Why is privacy important?

Some definition of privacy is necessary although the definition I attempt is of the most cursory nature. Whole books have been devoted to defining privacy, and whole other books to attacking those definitions. The most well-known exposition of privacy is the “right to be let alone” which comes from a famous article by Samuel Warren and Louis Brandeis.¹ Dr Nicole Moreham defines privacy as the state of “desired inaccess”.² Dr Kirsty Hughes characterises privacy as the space within barriers constructed by an individual to exclude the scrutiny of others.³ I adopt a very simple definition: the right to privacy consists of the right to control certain types of personal information, personal space and one’s own physical integrity, and the ability to develop intimate relationships and associations away from the gaze of others.⁴

I propose to outline two conceptual frameworks for the purposes of this lecture, dignity and liberty, whilst acknowledging the existence of other frameworks such as behavioural, economic, and feminist. In New Zealand, we can expect that in future tikanga will increasingly demand consideration and is potentially the most powerful alternative framework to those of liberty and dignity. I describe tikanga as an alternative framework because of the collectivist values that underpin tikanga. I anticipate that a tikanga framework will accommodate concepts we might recognise as connected to individual privacy, such as concepts of tapu and mana, within the collectivist concept of whanaungatanga. The issue of the place of privacy in tikanga, and vice versa, is worthy of further study, but it is not the topic I choose to address tonight. I leave that topic for someone better versed in tikanga.

The fundamental proposition of the human dignity framework is that the ability to keep private our bodies by maintaining control over them, and to keep private information about ourselves, is essential to human dignity and the related value, the autonomy of the person. An invasion of privacy which undermines or negates that dignity can be profoundly harmful for the individual. It can distress, humiliate and shame. In extreme cases, it can destroy the social and economic foundations of an individual’s life. We know this much from our own observations of the impact of some high-profile cases of breach of privacy.

But the concept of privacy does more work than protect the immediate wellbeing of an individual. It also lies at the heart of freedom of thought, freedom of religion, the right to refuse to forego medical treatment, to be free of unreasonable search and seizure, and in the United States, is the foundation of the right to an abortion, articulated for the first time in Roe v Wade.⁵

The social philosopher Stanley Benn described privacy as “respect for someone as a person, a chooser ... as one engaged on a kind of self-creative enterprise, which could be disrupted, distorted or frustrated even by so limited an intrusion as watching”.⁶

This “dignity” framework derives from the German philosophical school, drawing upon the work of Immanuel Kant and was most profoundly expressed following World War II by the German political philosopher, Hannah Arendt. She wrote of the fundamental value of privacy in our opinions, hopes, desires and intimate relationships:⁷

Everything that lives, not vegetative life alone, emerges from darkness and however strong its natural tendency to thrust itself into the light, it nevertheless needs the security of darkness to grow at all.

In her characteristic and very particular way, Hannah Arendt made the point that a loss of privacy for one’s thoughts and beliefs impinges upon freedom of thought, creativity and freedom of expression. Exposure of thinking to public scrutiny changes that thinking. It may kill its development if it is a thought which is unpopular. It encourages conformity in thought.

Privacy is therefore also a pre-condition for a society in which diversity and plurality flourish. This applies not just to plurality of thought but also to plurality of lifestyle, relationships and sexual orientation. It also contributes to a civil society. If intimate details are known and published about a person, then society engages with that in which it has no true interest. Not only may this tend to produce conformity, but it may also lead to conflict and civil disorder.

Privacy supports true autonomy of the individual and in so doing ensures each human is afforded dignity. If the individual is unknown and unknowable, then that naturally engenders respect. But where the individual is known and thus predictable, then they are vulnerable to control and manipulation; they are vulnerable to being treated as a mere instrumentality, a means to an end, rather than an end in themselves — thus violating the second expression of Immanuel Kant’s categorical imperative: “Act in such a way that you treat humanity, whether in your own person or in the person of any other, never merely as a means to an end, but always at the same time as the end.”⁸

This discussion of the dignity framework hints at another way in which privacy can be conceptualised. The value of privacy can be linked to liberty, the part of one’s life free of the interference of others, most particularly the state. The liberty framework tends to link the concept of privacy to concepts of property — defending the home against intruders, most particularly, again, the state.⁹

This intellectual framework can be traced back to John Locke’s theory of the social contract. Locke was a deeply private person, in part because he was involved in political intrigue in late 17^th Century England. He published anonymously and wrote in invisible ink to ensure that his correspondence remained private. According to Locke, man ceded freedom to government for the preservation of life, liberty and property, thus abandoning the “state of nature”. But the social contract required that the government refrain from taking away a person’s property,¹⁰ and also required that the individual’s mind should remain free to define the content of the individual’s character and to construct his or her own thoughts and beliefs free of the interference of the state. He advocated freedom of conscience, worship, speech and thought.¹¹

This particular intellectual framework, a framework of liberty, resonates for lawyers, as it is this framework we traditionally draw upon for the law of search and seizure. One of the first judicial decisions widely seen as asserting a right to privacy, whilst not using that language, was Entick v Carrington.¹² In that case, the King’s agents entered and wrecked the home of writer John Entick, looking for evidence he was the author of seditious pamphlets. The case is well known authority for the proposition that the powers of the Crown and Executive are subject to law. But it was a case about trespass, and in today’s terminology, unlawful search. Lord Camden CJ stated:

By the laws of England, every invasion of private property be it ever so minute, is a trespass…Papers are the owner’s goods and chattels; they are his dearest property; and though the eye cannot by the laws of England be guilty of trespass, yet where private papers are removed and carried away, the secret nature of those goods will be an aggravation of the trespass, and demand more considerable damages in that respect.

It has been convincingly argued that the dignity framework has affected the development of European privacy law, whilst the liberty framework holds sway in the United States.¹³ We have the benefit of being able to draw upon both schools of thought and other sources of jurisprudence as we develop our laws of privacy. In New Zealand, we have tikanga as a rich source of values and custom. With its emphasis upon customary values it is a useful counterpoint to the underlying individualistic ethos of the liberty framework. 

Status of privacy in human rights conventions and treaties

These two concepts, human dignity and liberty, certainly helped inform the great international settlements following World War II that in turn have helped to shape modern privacy law. It is not possible to attempt to place privacy in the legal firmament without mention of the international treaties and declarations that bear upon it.

On 10 December 1948, the General Assembly of the United Nations proclaimed the Universal Declaration of Human Rights. Article 12 of the Universal Declaration provided that “[n]o-one shall be subject to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation”. That right was later preserved in the International Covenant on Civil and Political Rights by which New Zealand is bound, and now is also reflected in the United Nations Convention on the Rights of the Child.

The right to privacy is preserved in other human rights treaties or declarations such as art 8 of the European Convention on Human Rights,¹⁴ and (more recently) art 7 (respect for private and family life) and art 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union. I note also art 11 of the American Convention on Human Rights, and art 18 of the Cairo Declaration on Human Rights in Islam.

Status of privacy in domestic law

A right to privacy did not however make the grade for inclusion in the New Zealand Bill of Rights Act 1990 (Bill of Rights). In the White Paper, “A Bill of Rights for New Zealand”, the omission was attributed to the absence of a general right to privacy in New Zealand law (although specific law and legislation protected some aspects of it).¹⁵ The authors said it would be inappropriate to entrench a right that was not by any means fully recognised, which was developing, and whose boundaries would be uncertain and contentious.¹⁶

The lessening of the status of the proposed Bill from an entrenched to an interpretative measure did not lead to the right of privacy being introduced. That does not mean however that we have a privacy free Bill of Rights Act. Section 21 of the New Zealand Bill of Rights Act provides a right to be secure against unreasonable search and seizure. Privacy lies at the heart of this right, mixed inextricably with property notions of trespass to land and goods.¹⁷

Although this section does not provide a right to privacy it undoubtedly has potential to develop to protect privacy interests against the State. In Hosking v Runting Tipping J considered the s 21 right “not very far from an entitlement to be free from unreasonable intrusions into personal privacy which may not strictly amount to search or seizure”.¹⁸ In Canada, the right to be secure against unreasonable search and seizure contained in s 8 of the Canadian Charter of Rights has been interpreted by the Supreme Court of Canada to include a right of a reasonable expectation of privacy in relation to governmental acts.¹⁹

Privacy values as I have characterised them also underpin, at least in part, the s 13 right to freedom of thought, conscience and religion; the s 17 right to freedom of association; the s 10 right not to be subjected to medical or scientific experimentation; and the s 11 right to refuse to undergo medical treatment. Moreover, s 28 provides that other rights and freedoms are not affected, abrogated or restricted merely because they are not included in the New Zealand Bill of Rights Act.

The omission of a right of privacy from the New Zealand Bill of Rights can be contrasted with the status of privacy in the United Kingdom. The art 8 (of the European Convention) right has been incorporated into the domestic law of the United Kingdom by ss 3 and 6 of the Human Rights Act 1998. The effect of those provisions is that legislation must be given effect to, and courts must act in a way that is compatible with the rights contained in the Convention.

In New Zealand, the principal protection for the privacy of the individual comes from legislation. There are many Acts which operate to protect privacy interests including Part 9A of the Crimes Act 1961 (Crimes Against Personal Privacy), the Official Information Act 1982, the Broadcasting Act 1989, the Harassment Act 1997 and the Harmful Digital Communications Act 2015.

But it is the Privacy Act that has done most in our society to bring privacy into the public consciousness. It controls how agencies, both public and private, collect, use, disclose, store and give access to personal information. There is currently a new Privacy Act before Parliament, but it is not proposed to change this basic framework.²⁰

The common law has also long recognised and protected privacy interests through the law of trespass of person, property and goods, in the common law rule against general (overly broad) search warrants and in the action for breach of confidence, to name but a few. Concepts of privacy are not, however, front and centre to how these claims or principles are formulated. But that cannot be said of one of the most recent fruits of the common law method, the tort of  invasion of privacy authoritatively recognised in Hosking v Runting (2004),²¹ and the further development of that tort with the addition of intrusion into seclusion in C v Holland (2012).²² 

New challenges to privacy

My hypothesis is that the conceptual frameworks I have outlined can assist us in conceptualising the law’s response to the very many pressing challenges to the privacy of individuals. What each society regards as private may differ and may evolve over time. In the village of the 17^th century, the greatest threat to privacy was probably gossip. In the modern day, few would quibble with the idea that the internet provides a substantial challenge to privacy. The internet gives us many wonderful things, fostering communication and creativity. It is also the greatest information collector, curator, and disseminator the world has seen. It presents threats to privacy in a startling variety of ways. It is also re-shaping our concept of what is private.

The internet’s ability to collect and curate information has enabled the growth of a new type of business which uses information collected about us to target services and goods, to campaign for our votes and, in its more sophisticated applications, manipulate our desires for those goods.

People enjoy the provision of free social network services such as Facebook and free search engines such as Google. The service seems free, but the price paid for these services is bits of personal information. We give away, in exchange for the social utility of social media, search engines and on-line retail therapy, not only information we would traditionally regard as personal information but so much more. Our ordinary, everyday, mundane activity on the computer — clicking on news items, making minor purchases, searching for restaurants — can be and is leveraged by those same service providers, or those they sell that information to, to reliably predict our intelligence, personality traits, politics, and “likes and don’t likes” for services and goods. This business model, which trades in information about us as consumers, is sometimes referred to as surveillance capitalism.

The growth of the mobile phone offers similar insights into our lives for those whose apps we host on them. The new consumer inevitabilities coming our way, such as the “Internet of Things” and health devices such as the Apple iPhone, will transmit even more information about us, providing a path for app-operators of our movement through the house as lights turn on and off, and heating turns on and off, of the goods we are using a lot of and not using, what we are eating, our heart rate, blood pressure etc. Most of us will have several apps operating on our phones which allow the app-operator to trace our location. It is an increasingly standard business model to use that information to target services to the individual (you may, for example, have noticed that your map app will often direct you to a nearby café).

Information can be gathered together to create a picture of our behaviours and our beliefs. In many cases, we have consented to the information being harvested and used by the agency collecting the information for a variety of purposes, and by others to whom that agency passes that information. We agree to this when we agree to the privacy policy of the site we visit, thus placing ourselves beyond the protection of the Privacy Act 1993. We agree happily, usually without reading those terms and conditions. And even if we did read them, can we truly foresee just what it is that we are giving away, given the complexity of the internet-driven economy and the very substantial imbalance of knowledge that exists between the consumer and service providers?

The creation of behavioural and psychological profiles enable an individual’s decision-making process to be manipulated. This information is valuable, not just in the market for goods, but also in the market for votes. This concept of the autonomous private self is under threat from the surveillance economy. As Yuval Harrari puts it:²³

Even though neuroscience shows us that there is no such thing as free will, in practical terms it made sense because nobody could understand and manipulate your innermost feelings. But now the merger of biotech and InfoTech in neuroscience and the ability to gather enormous amounts of data on each individual and process them effectively means we are very close to the point where an external system can understand your feelings better than you. We’ve already seen a glimpse of it in the latest epidemic of fake news.

What does this mean for the law of privacy? What does it do to societal concepts of privacy, that people “share” so much on social media and consent to the collection of so much information. Will the courts take that consent at face value?

I do not see these developments as heralding the end of privacy as we know it. I have confidence in the common law method to tell the legal story as to why privacy interests are fundamental to a liberal democracy and to vindicate those interests appropriately in areas where the current regulatory framework does not reach.

The status of privacy in a “Bill of Rights” world?

The first issue arising out of the case law I wish to discuss is the status of privacy alongside the rights expressly preserved in the New Zealand Bill of Rights. Has the omission of a general right to privacy relegated privacy to a lesser status than those values or interests expressly recognised in the New Zealand Bill of Rights Act and, in particular, the right to freedom of expression?

In Hosking v Runting, the majority of the Court of Appeal, Gault P, Blanchard and Tipping JJ, did not use the language of rights when describing the privacy interest, even while acknowledging that this interest or value should be vindicated in appropriate circumstances.

Gault P, writing for himself and Blanchard J, identified but did not resolve an issue as to the extent to which the courts must give effect to the rights and freedoms affirmed in the New Zealand Bill of Rights in disputes between private litigants. He reasoned that even if the Bill of Rights’ standards applied in disputes between private citizens, since privacy was a right declared in art 17 of the ICCPR and art 16 of UNCROC, it must, in appropriate circumstances, be a limit on the right to freedom of expression that can be justified in a free and democratic society.²⁴

Tipping J, writing as part of the majority, considered that the values preserved in the Bill of Rights, although designed to operate as between citizen and state, were to be given appropriate weight by the judicial branch of government when regulating relationships between citizen and citizen.²⁵

He gave a full exposition of the three theoretical bases on which the right to freedom of expression is founded. One of those is the liberty theory; that it is for the ultimate good of society for citizens to be able to say and publish to others what they want. Acknowledging that this must on occasion give way to other interests, such as privacy, he said that any such interest had to pass the threefold test in s 5, namely reasonableness, justification and prescription by law, noting that the liberty theory “has a head start”. He said:

[234] … When the expression in issue provides little public benefit, except in theory, but significant individual or public harm in concrete terms, the theory must give way. Thus, in the particular instance society’s pragmatic needs or the welfare of its individual members can outweigh the general benefits supported by the theory of liberty. The theory, however, has a head-start. Any pragmatic or concrete benefit must pass the threefold test in s5 of the Bill of Rights, namely reasonableness, justification and prescription by law.

The status of privacy in a Bill of Rights context was again considered, on this occasion by the Supreme Court in Brooker v Police.²⁶ That was a case concerned with what constituted disorderly conduct for the purposes of the Summary Offences Act 1990. Mr Brooker had been convicted of disorderly conduct for his actions when making a protest outside the house of a police constable. His protest involved knocking on the door of a female police constable he knew to have just come off night duty and singing loudly outside her house. The case engaged the competing issues of freedom of expression and privacy — the constable’s right to privacy in her own home and Mr Brooker’s right to protest. It therefore contains interesting discussion as to the weight to be accorded to each of these rights or values.

The Chief Justice described privacy as “interests and values” ²⁷ and had misgivings:

[40]  … about whether it is open to the courts (which are bound by s 3 of the New Zealand Bill of Rights Act) to adjust the rights enacted by Parliament by balancing them against values not contained in the New Zealand Bill of Rights Act, such as privacy, unless the particular enactment being applied unmistakably identifies the value as relevant. If “disorderly behaviour” is not anchored to protection of order in and near public places and can be used to protect other values identified by the judge, the register of rights and freedoms contained in the New Zealand Bill of Rights Act may well be distorted.

In his dissenting judgment in Brooker, Thomas J set out the case for recognition of privacy as an existing right, which included that it has been recognised as a right in various international covenants, some of which bind New Zealand; that it has been judicially recognised as a right in other jurisdictions (citing Scarman LJ in Morris v Beardmore and Sedley LJ in Douglas v Hello! Ltd); and the fundamental value of privacy to the individual.²⁸ He said:

[164] I favour regarding privacy as an existing right which has not been abrogated or restricted by reason only that it has not been expressly referred to in the New Zealand Bill of Rights Act 1990. At the very least, I believe that it should be regarded as a “fundamental value”. As privacy has not yet been judicially accorded the status of a right, however, I proceed on the basis that what is to be evaluated is the fundamental value underlying the right to freedom of expression against the fundamental value of privacy. Two fundamental values compete for ascendancy.

Just how privacy interests are to be weighed against rights expressly recognised in the New Zealand Bill of Rights Act remains unresolved. The approach to date of treating the privacy interests of individuals as a “limitation” for the purposes of s 5 might be thought to diminish their status. Requiring that an individual’s privacy interest be reasonably and demonstrably justified as a limit on a Bill of Rights Act right, tends to award dominant status to those rights preserved in the Bill of Rights. That was certainly the approach of Tipping J in Hosking v Runting who described freedom of expression as having a “head start”.

It may be that s 28 of the New Zealand Bill of Rights Act is key to securing privacy’s place in the hierarchy of rights. Section 28 provides that “any existing right or freedom shall not be held to be abrogated or restricted by reason only that the right or freedom is not included” in the Bill of Rights. The argument that privacy is a right for these purposes is not a difficult one to construct — that is evident from the judgment of Thomas J in Brooker. And even if it is not a right, then it is the source of rights which the courts have been prepared to vindicate. There is therefore an issue to be explored as to whether it is consistent with the provisions of s 28 of the Bill of Rights to treat privacy as a limitation which takes second place to the rights preserved in the Bill of Rights rather than a free-standing right or set of freedoms, to be balanced alongside those rights that are recorded within the Bill of Rights Act?

This question raises the difficult issue as to the apparent tension between ss 5 and 28 of the New Zealand Bill of Rights Act. The learned authors of The New Zealand Bill of Rights Act: A Commentary, Andrew and Petra Butler, suggest a mechanism for this which reconciles the apparent tension between ss 5 and 28:²⁹

It is simply that rights are not absolutes but rather, and more positively, very many limitations placed on rights are also fundamental. Indeed when it is recalled that s 5 of BORA — properly interpreted- is the vehicle through which “competing rights” come to be considered, such a position should not be all that surprising.

This was the approach favoured by Thomas J in his dissenting judgment in Brooker.

There is some reassurance to be had from international jurisprudence that it is not a radical notion to balance a privacy right against the right to freedom of expression, with neither right having a head start. It will be recalled that the right to privacy is preserved in art 8 of the European Convention on Human Rights.³⁰ On a number of occasions, the European Court of Human Rights has held that as a matter of principle, freedom of expression and the right to privacy deserve equal respect. The “in principle” result of this approach is said to be that, where the outcome requires the balancing of the right to privacy against freedom of expression, it should not matter whether the claim was brought under arts 8 or 10 (freedom of expression).³¹

But even if we apply ss 5 and 28 in this way, we need to conceptualise each of those values or rights with equal care. In the area of privacy law, the courts have more work to do in this regard. In the judgments of Hosking and Brooker, privacy’s value is discussed but it is articulated as an interest or value, rather than right; and one which operates for the benefit of the individual, rather than a right with broader societal value. In Hosking Tipping J said “it is the essence of dignity and personal autonomy and well-being of all human beings that some aspects of their lives should be able to remain private if they so wish.”³² In Brooker Thomas J explained the value of privacy for the individual. He also tied the right to privacy to that of human dignity itself, to the freedom of the individual to shape an individual identity, to the autonomy of the individual will and to freedom of choice.³³

Privacy is also cast in these judgments as a value antithetical to freedom of expression, without any consideration of the fact that privacy is a necessary precondition to freedom of expression. (It will be remembered that I describe it as a pre-condition because it is only when there is a private space in which thoughts can develop and flourish, that freedom of expression can fulfil the public good customarily ascribed to it.) Which is not to say that the tension between privacy rights and freedom of expression does not exist in the individual case, or that it does not require weighing in the case law. And I also do not suggest giving privacy a “head start” over freedom of expression. But I do suggest that we need to become more eloquent and thoughtful in our discussion of the value of privacy when we undertake that weighing exercise, and that we have ready to hand the conceptual frameworks I have identified to help us with this task.

The proper valuing of privacy will not only arise for consideration when it comes to be weighed against freedom of expression. Courts are often called upon to weigh privacy interests under s 21 of the New Zealand Bill of Rights Act against law enforcement considerations. The admissibility of evidence is sometimes challenged on the basis that the evidence has been collected in breach of s 21, without proper authorisation and involving, in some form or another, a breach of privacy. How a breach of privacy is characterised will impact upon how it is weighed in the balancing exercise undertaken under s 30 of the Evidence Act 2006 to determine the admissibility of that evidence.³⁴

I suggest that the jurisprudence in connection with s 21 of the New Zealand Bill of Rights Act, and s 30 of the Evidence Act would be usefully enhanced with due consideration of the broader societal interests served when privacy interests are breached. In this area also, the courts have done some work. In R v Jefferies, Thomas J said the s 21 right to be free against unreasonable search and seizure was concerned to protect those values or interests which make up the concept of privacy. He said:³⁵

… Privacy connotes a variety of related values; the protection of one’s property against uninvited trespass; the security of one’s person and property, particularly against the might and power of the state; the preservation of personal liberty; freedom of conscience; the right of self-determination and control over knowledge about oneself and when, how and to what extent it will be imparted; and recognition of the dignity and intrinsic importance of the individual. While necessarily phrased in terms of individual values, the community has a direct interest in the recognition and protection of this broad right to privacy. It is a valued right which is esteemed in modern democratic societies. 

Reasonable expectation of privacy

A full articulation of the societal value of privacy is important not only in how the privacy interest is valued in our post Bill of Rights Act world. I suggest that the conceptual frameworks which explain the work privacy does in our society, could also be used to bring some needed stability to the concept of what is a reasonable expectation of privacy — whether that concept is employed in the tort of invasion of privacy, or in the law of search and seizure.

The tort of invasion of privacy, it will be remembered, is made out where it is established that there are private facts in respect of which there is a reasonable expectation of privacy, and publicity given to those private facts would be considered highly offensive to an objective, reasonable person. The latter element, requiring the publicity to be highly offensive, was added by Gault P to ensure that the tort did not overreach by capturing the inoffensive spread of inconsequential information (Tipping J doubted the need for the second element).³⁶ The Court also acknowledged a defence enabling publication to be justified by a legitimate public concern in the information, with Blanchard J and Gault P noting that “the scope of privacy protection should not exceed such limits on the freedom of expression as is justified in a free and democratic society”.³⁷

In the search and surveillance context, a search is said to have taken place, to which s 21 of the New Zealand Bill of Rights Act applies, in circumstances in which the subject of the search has a reasonable expectation of privacy which is impinged upon by the activity in question.³⁸

The courts decide when and where there is a reasonable expectation of privacy. In Hosking, Tipping J said that the test of reasonable expectation of privacy introduces an objective element, upon which, “as with all questions of reasonableness the Court has to make a value judgment.” ³⁹ As to the standard to be applied, he said:⁴⁰

What expectations of privacy are reasonable will be a reflection of contemporary societal values and the content of the law will in this respect be capable of accommodating changes in those values.

We could expect this analysis to draw upon New Zealand’s existing legal framework — case law, obligations under international law, in the field of data protection, the OECD Privacy Guidelines (2013) and the updated General Data Protection Regulation.⁴¹ And of course the Privacy Act, which has done so much to shape expectations of privacy in our community.

But as is made clear in Hosking, the courts must also search for contemporary societal values outside of statute and case law, reflecting what is occurring in the social environment. This overall exercise by the courts, this scanning of the regulatory and social environment, can be conceptualised as an empirical analysis, and that is the tag I adopt for the purposes of this discussion.

As Tipping J said, this analysis enables the law to accommodate changes in societal values, as the law must. But it also carries with it a risk that a retrograde development in society may be incorporated into that standard, thus feeding what some commentators have characterised as a spiralling downward of the zone of privacy. This risk is real, not merely theoretical, given the increasing every day surveillance we are all subject to (of the public and private camera kind, and on the various phones, watches and apps we use) the modern media world (some would say, intrusive media), the culture of sharing of intimate detail on social media, and the growth of a business model in which we are the product.

In her 2018 Law Quarterly Review article, “Unpacking the reasonable expectation of privacy test”, Dr Moreham argues that a problem for the development of the tort of invasion of privacy is the misapplication of the test by the courts. She points out that the test involves a normative element; the courts ask, given societal standards what privacy can the claimant expect in the circumstances of the case? However, in some cases, rather than ask themselves that question, judges have addressed a factual question: “what potential privacy infringers can or usually do in the situation in question?”⁴² She cites as an example the case of Shulman v Group W Productions Ltd, in which the Californian Supreme Court held that the claimant could not have had a reasonable expectation that members of the media would be excluded or prevented from photographing her as she was attended to by paramedics at the scene of a serious road accident because “for journalists to attend and record the scenes at accidents and rescues is in no way unusual or unexpected”.⁴³ As Dr Moreham puts it:⁴⁴

In other words, whether the claimant had an objectively reasonable expectation of privacy was dependent not on whether the defendant’s conduct was acceptable but on whether the media usually respected an individual’s privacy in the situations in question.

Instead, she argues, the Court should have asked itself what protection a person should be entitled to expect in the circumstances in question or, to put it another way, whether the claimant had a reasonable expectation of privacy protection.

This reformulation does bring focus to the normative nature of the test employed by the courts but it does not meet the difficulty I have identified. The situation in the case of Schulman provides a useful example. If it is indeed the case that accident victims are regularly filmed, and that film is regularly played on national television, then it may also be the case within the not too distant future that a judge searching for the content for the test will conclude that society does not expect privacy to be afforded in that circumstance.

I agree with Dr Moreham that a component of the inquiry “what is the reasonable expectation of privacy in the circumstances of this case?” is the question “should society protect privacy in the circumstances of this case?” But I would add to her analysis that to answer that second question it is necessary to reflect upon the extent of the zone of privacy needed to secure its public and private benefits. For the purposes of this talk, I call this analysis the purposive check, as it uses the underlying purposes privacy serve as a steadying influence on the development of the law — ensuring that privacy zones are not eroded because of contemporary behaviours, in a way which is damaging to the fabric of our civil society. Such an approach could ensure that the reasonable expectation standard does not fall below the bare minimum standards needed to secure the community and individual benefits of privacy, thereby going some way to meeting the challenges to privacy I outlined earlier. But this purposive analysis is not a replacement for the broader empirical analysis described above. It merely supplements or cross checks it.

As it happens, these two approaches to formulating the reasonable expectation of privacy have been used in case law. Although, I concede, not conceptualised as I have done, they can be seen at work in the two judgments of the Supreme Court in R v Alsford.⁴⁵

One of the issues for the Court in that case was whether police had conducted a search when they accessed power supply information direct from the power company, in reliance upon privacy principles in the Privacy Act. The majority accepted the Privacy Commissioner’s submission that the Privacy Act did not confer a power of search upon police. Rather, whether the accessing of the material was a search for the purposes of s 21 turned upon whether there was a reasonable expectation of privacy in the information accessed by the police.

The majority did not however accept that the mere fact the information in question fell within the definition of “personal information” for the purposes of the Act meant there was a reasonable expectation of privacy in it. In seeking the standard for that in which there is a reasonable expectation of privacy, Arnold J, writing for the majority said:⁴⁶

The reasonable expectation of privacy is directed at protecting “a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination by the state” and includes information “which tends to reveal intimate details of the lifestyle and personal choices of the individual”.

Arguably then, the majority adopted a purposive analysis when attempting to define a reasonable expectation of privacy. They turned their minds to the notions of dignity, and even the community values that privacy can secure, and used that framework to make the judgment call. But it is also arguable that in adopting this attractively simple measure, the majority did not attach weight to societal expectations of privacy in “personal information” as defined by the Privacy Act, and created by over 20 years of the operation of the Act; that they failed to undertake the empirical analysis.

That was certainly the view of the Chief Justice. In her dissenting judgment in Alsford, the Chief Justice said that the approach of the majority insufficiently recognised the legislative policies contained in the Privacy Act in relation to personal information.⁴⁷ Although on her approach to the issue she did not have to decide the issue, she expressed the provisional view that the request by the police to the electricity providers constituted unreasonable search and seizure. This was based on her assessment that the consumer had a reasonable expectation of privacy in the information because of the Privacy Act’s prohibition on the disclosure and collection of personal information, and given the broader context of the Search and Surveillance Act.

I suggest these two contrasting approaches can be analysed as follows. The majority asked what privacy zones society needs (the purposive inquiry) and set the reasonable expectation of privacy accordingly. But it did not undertake the broader inquiry into what privacy zones currently operate in society (the empirical inquiry). The Chief Justice, it seems to me, undertook both of the inquiries I have described.

Consent

The last point I address relates to the issue of consent in privacy law. I predict this issue will loom large for the courts in the near future.

The prevailing online business model depends upon people being prepared to give away their private information in exchange for free and easy access to services. To date the answer of policy makers to the risk to privacy this model brings has been to place more emphasis upon authorisation and consent. The Privacy Act model is to require advice if the information is collected direct from the individual concerned, and authorisation if it is collected from a third party. The new GDPR came into force in May of this year. It standardises data protection law across the EU. It sets high standards, requiring consent to be obtained for the collection and use of information. Individuals must agree to their information being collected, and that agreement must be secured in response to clear advice about how the data will be used.

In the tort of invasion of privacy, evidence of consent is taken into account in determining whether the claimant had a reasonable expectation of privacy. If someone consents to the publication or release of information it may be difficult for them to argue that they meet the subjective element of the test, that they had an expectation of privacy. Consent is one of the “privacy signals” as Dr Moreham puts it, which Courts have regard to in determining whether the claimant did in fact have an expectation of privacy.⁴⁸

In search and surveillance law, the fact that an individual has consented to the provision of information can negate the reasonable expectation of privacy. In Alsford it was argued that Mr Alsford could not have a reasonable expectation of privacy because the terms and conditions of trade included that the information held would not be disclosed to third parties except in accordance with the Privacy Act. Arnold J accepted that contractual terms of supply may be relevant when deciding whether or not there is a reasonable expectation of privacy but noted the need for caution in attaching significance to customer contracts in the search and surveillance context.⁴⁹ On the facts of that case, the terms were of unclear effect.⁵⁰

There is good reason for proceeding with caution when weighing the significance to be given to consent when assessing whether the individual expected privacy, or had waived it. These are standard contracts people must agree to if they are to access services, sometimes essential services. Most do not read the full content of any such contract. That is especially so with online service providers. Although the privacy policy must be agreed to before services can be accessed, acceptance is easy — simply click on the accept button. Often the consequential authorised collection of data will occur in the course of a very low to no value transaction. Few would spend time reading a privacy policy before using a search engine or purchasing food to go. And yet by clicking accept, we are agreeing to all of the terms and conditions, if expressed in suitably plain English, contained in the privacy policy of the service provider. Even if we do read the privacy policy, it is doubtful we will have a full understanding of the implications of what we have agreed to. There is a very substantial asymmetry in technical understanding between the customer and most who operate business in an online world.

Part of the solution to this issue may be found in contractual interpretation. There are surely arguments to be made, particularly in the search and surveillance area, that very clear consent is required before a person is to be taken to have consented to a release of personal information to law enforcement agencies.

As to the tort of invasion of privacy, arguments might be advanced that the answer lies in removing from the first part of the test the inquiry as to whether the individual subjectively did expect privacy in respect of the published fact or image. The test would simply be whether the information was the type that society expects to be kept private, leaving the significance of any relevant prior disclosure or consent to be taken into account at the stage at which the privacy interest is balanced against other interests (and in particular the right to freedom of expression) and again, when the issue of damages falls to be determined.

Another approach would be to adopt the analysis I suggested earlier, of working out what private zones society needs to protect in the given situation. Arguments might be formulated that in a world of surveillance capitalism a reasonable expectation of privacy must reflect the societal need for consumer protection. A consumer protection approach might justify incorporating notions of fairness and proportionality when assessing the significance of consent to the reasonable expectation of privacy.

Conclusion

The area of privacy law has been the focus of the common law’s most recent period of creativity in New Zealand. Through the common law method, the courts have developed principles that have enabled privacy interests to be vindicated outside of the present legislative framework. This is an area in which the concepts are under active debate. It is also an area in which further development is inevitable given the changing landscape for collection and distribution of personal information I have outlined. I have suggested some ways in which the common law can draw on the work done in other disciplines, to assist it in this difficult and important work in threading the privacy interest or right into the legal story of New Zealand. There are many other areas worthy of further thought and debate, such as “when is a fact no longer private?”, “can a public fact recover its private nature?”, and “should it be necessary to show loss or injury to make out the tort of invasion of privacy, or is proof of breach enough, as it is with other some other torts?” This simply makes the case that privacy law is an area worthy of study and debate. I hope therefore that this lecture becomes an annual fixture on the legal landscape.

 

Footnotes

¹     Samuel D Warren and Louis D Brandeis “The Right to Privacy” (1890) 4 Harv L Rev 193.

²     N A Moreham “Privacy in the Common Law: a doctrinal and theoretical analysis” (2005) 121 LQR 628 at 636.

³     Kirsty Hughes “A Behavioural Understanding of Privacy and its Implications for Privacy Law” (2012) MLR 806.

⁴     As to the latter, privacy in terms of intimacy, see Julie C Inness Privacy, Intimacy and Isolation (Oxford University Press, New York, 1992).

⁵     Roe v Wade (1973) 410 US 113.

⁶     Stanley Benn “Privacy, Freedom and Respect for Persons” in J Pennock and J Chapman (eds) Privacy, NOMOS vol XIII (New York, Atherton Press, 1971) 1 at 26.

⁷     Hannah Arendt “The Crisis in Education” in Between Past and Future: Six Exercises in Political Thought (Meridian Books, Cleveland, 1963).

⁸     I Kant Grounding for the Metaphysics of the Morals: with On a Supposed Right to Lie because of Philanthropic Concerns (J Ellington (translator), 3rd ed, Hackett Publishing Company, Indianapolis, 1993) at 428.

⁹     James Q Whitman “The Two Western Cultures of Privacy: Dignity versus Liberty” (2004) 113 Yale LJ 1151.

¹⁰   John Locke Two Treatises of Government (A Millar, London, 1763).

¹¹   John Locke A Letter Concerning Toleration (London, 1689).

¹²   Entick v Carrington (1765) 95 ER 807.

¹³   James Q Whitman, above n 9.

¹⁴   Incorporated into United Kingdom domestic law by the Human Rights Act 1998 (UK). Section 3 and 6 of the Human Rights Act state that legislation must be given effect to, and courts must act in a way that is compatible with the rights contained in the Convention.

¹⁵   Geoffrey Palmer “A Bill of Rights for New Zealand: A White Paper” [1984—1985] 1 AJHR A6.

¹⁶   At [10.144].

¹⁷   R v Jefferies [1994] 1 NZLR 290 (CA) at 319, per Thomas J.

¹⁸   Hosking v Runting [2005] 1 NZLR 1 (CA) at [224]–[226]. See also Elias CJ in Hamed v R [2011] NZSC 101, [2012] 2 NZLR 305 at [10].

¹⁹   R v Dyment [1988] 2 SCR 417 at 426.

²⁰   There is currently a new Privacy Act before Parliament. The current Privacy Bill does not take the approach of the new European Union regulation, a revised GDPR, which requires consent for the collection of data. It maintains the current “primary purpose” requirement, with a right to withdraw authorisation. The proposed changes to the Bill include mandatory data breach notification — an agency must notify the office of the Privacy Commissioner of any privacy breaches which are defined as unauthorised or accidental access to or disclosure of personal information, if those disclosures pose the risk of harm to people and to affected individuals. The new Bill gives the Privacy Commissioner power to issue compliance notices requiring an agency to do something, or to stop doing something, in order to comply with the law. It also empowers the Privacy Commissioner to issue binding decisions on access requests.

²¹   Hosking v Runting, above n 18.

²²   C v Holland [2012] NZHC 2155, [2012] 3 NZLR 672.

²³   Yuval Harrari “The idea of free information is extremely dangerous” The Guardian (London, 5 August 2018).

²⁴   Hosking v Runting, above n 18, at [114].

²⁵   At [229].

²⁶   Brooker v Police [2007] NZSC 30.

²⁷   At [37].

²⁸   At [219]–[222]; citing Morris v Beardmore [1981] AC 446; and Douglas v Hello! Ltd [2001] 2 WLR 992.

²⁹   Andrew Butler and Petra Butler The New Zealand Bill of Rights Act: A Commentary (2nd ed, LexisNexis, Wellington, 2015) at [6.9.8]–[6.9.10].

³⁰   The right to freedom of expression in art 10. Articles 7 and 8 rights have been held to cover the physical and psychological integrity of a person, the right to control of one’s image, and the right to live privately, away from unwanted attention.

³¹   Delfi AS v Estonia ECHR 64569/09, 16 June 2015 (Grand Chamber) at [139]; and Satakunnan v Finland ECHR 931/13, 27 June 2017 (Grand Chamber) at [163].

³²   Hosking v Runting, above n 18, at [239].

³³   At [178].

³⁴   R v Wilson [1994] 3 NZLR 257 (CA) at 258.

³⁵   R v Jefferies, above n 17, at 319.

³⁶   At [125] and [256]–[259]. The requirement of that second element remains an issue. In Rogers v Television New Zealand Ltd [2007] NZSC 91, [2007] 2 NZLR 277 at [25], the judges of the Supreme Court either declined to approve the highly offensive test, or expressly reserved their position in respect of it. The “highly offensive test” was not approved by the House of Lords in Campbell v MGN Ltd [2004] UKHL 22. See also N A Moreham “Abandoning the “High Offensiveness” Privacy Test” (2018) 4 CJCCL 161.

³⁷   At [130].

³⁸   Hamed v R [2011] NZSC 101, [2012] 2 NZLR 305 from [163] per Blanchard J.

³⁹   Hosking v Runting, above n 18, at [250].

⁴⁰   At [250].

⁴¹   The updated GDPR came into force in May of this year. It standardizes data protection law across the European Union, but also has extraterritorial reach, because of its application to businesses that collect the data of EU citizens.

⁴²   N A Moreham “Unpacking the reasonable expectation of privacy test” (2018) 134 LQR 651.

⁴³   Shulman v Group W Productions Ltd 955 P.2d 469 (Cal.1998) at 490.

⁴⁴   N A Moreham, above n 42, at 654.

⁴⁵   R v Alsford [2017] NZSC 42, [2017] 1 NZLR 710.

⁴⁶   At [63]; quoting Sopinka J in R v Plant [1993] 3 SCR 281.

⁴⁷   At [188].

⁴⁸   Eric Barendt argues that the requirement for a subjective expectation of privacy should be removed from the threshold test and only taken into account when the privacy interest comes to be weighed alongside other interests. See Eric Barendt “‘A reasonable expectation of privacy’: a coherent or redundant concept?” In Andrew Kenyon (ed) Comparative Defamation and Privacy Law (Cambridge University Press, New York, 2016).

⁴⁹   There is a logical difficulty in the argument that Mr Alsford’s consent to terms which authorised release to third parties in accordance with the Privacy Act rendered the search lawful. This is because the Court had earlier held that the Privacy Act could not provide lawful authority for a search.

⁵⁰   cf PG v R [2016] NZCA 390, in which the Court treated a clause in Trade Me’s privacy policy as consent to release of information to police without a warrant in response to police requests where necessary to assist the police in the investigation of crime.