New privacy laws being tested through the courts show people who have joined social media groups have greater legal liability than first thought
Top privacy lawyers say people who are part of some online groups will be unaware they hold legal liability under new Privacy Act powers.
Access directions, introduced in 2020 with the overhaul of the Privacy Act, are a tool the Privacy Commissioner can use if someone has refused to provide an individual with their own personal information without a good reason.
If the direction is not complied with, the Human Rights Review Tribunal can issue an access order, and failure to comply can result in a fine of up to $10,000.
So far no successful access orders have been granted.
However, a recent case before the Tribunal found there was no way to enforce the direction handed to a landlord’s Facebook group that was sharing information about prospective tenants, because there was no legal entity it could be applied to. This was because the Facebook group was not an entity in and of itself.
When organisations are formally set up, for example as an incorporated society or company, it removes individual liabilities from those involved.
But in this case, those protections are not there.
Simpson Grierson litigation partner Jania Baigent said the Tribunal raised a number of issues.
“I do think that that's one of the take home messages without being too alarmist. But people involved in social media groups, potentially face liability."
“So what the Tribunal said in this case is that this group was just a loose group of individuals and in fact, all of the individuals collectively were jointly responsible, and should all be named," Baigent said.
The fact the access direction was aimed at the group and not at any individuals, appears so-far to have protected the group, Bad Tenants, from being held responsible under the Privacy Act, but the case is far from closed.
The Tribunal did confirm it would continue the case on different grounds, but this time may target the correct entity to fall under the law.
"The application for an access order was only one part of Mr Sheehan’s claim. Mr Sheehan has also brought proceedings under s98 of the Act that allege Bad Tenants Facebook Group interfered with his privacy by not responding to his request for information.
"It is noted that in proceedings under s 98 of the Act the Tribunal may amend or substitute the named defendant if it is appropriate in all the circumstances. The Tribunal will now convene a case management teleconference to discuss those proceedings," the decision said.
"A lot of people will be participating in that not realising they could be creating legal liability." – Kathryn Dalziel, privacy lawyer.
Adam Sheehan first made the request to the administrator of the group, via Facebook messenger. But after receiving no response, went to the Privacy Commissioner who issued a direction to the Facebook group itself.
“Certainly, if they had the right legal entity named I think the access order would have been made,” Baigent said.
“One of the real difficulties that this case highlights is how do you attach liability to people in Facebook groups? Who are they? And they can range from really formal legal companies and partnerships operating their Facebook pages to individuals operating very personal pages.”
Whether an attempt is made to name all members of the now-deleted groups, or if the aim will come to the administrator of the group remains to be seen.
Baigent admits naming every member was probably impractical, especially with the group now deleted.
“If you have to name all of the individuals in a group how would you necessarily know who they are?”
“We work in the Harmful Digital Communications Act space a bit and there are mechanisms in that Act to try and find out who's behind communications, which is understandable, because they're often bullying allegations and defamatory allegations and all that sort of thing.
“So there are quite strong powers to try and find out who's behind Facebook communications but that's not provided in relation to Privacy Act requests, so it's not necessarily easy for people.”
She said the direction handed out by the Privacy Commissioner was inconsistent with the law the Tribunal had to try and uphold - something the Commissioner would likely consider the next time a direction was given.
The Office of the Privacy Commissioner confirmed it would be reviewing its processes “to reflect the Tribunal’s guidance about naming responsible individuals in an access direction”.
“I do think this is an example of the new enforcement powers in action, which have, in fact, throwing up this inconsistency between the approach by the Privacy Commissioner and the Tribunal and needing to tighten up who these legal entities are," Baigent said.
Privacy lawyer Kathryn Dalziel said people gathering for a specific purpose, should consider whether they need to protect themselves by becoming a formal entity.
“You might do that in a community and say, right, we're going to form a residents’ association, and we're going to get together and we're going to have meetings.
“It actually removes personal liability away from members. Something that people should always think about is that when they are gathering together to organise, particularly if they are collecting resource.”
"One of the things that you've always got to be careful with is not many people know that you can be deemed to be an unincorporated society. And so a lot of people will be participating in that not realising they could be creating legal liability."
She said this case did not tease out whether the Bad Tenants group should be deemed an unincorporated society, and would like to see it tested further in the courts.
"They're saying there is no legally responsible entity named against which the access can be directed, but they don't tell us how they have determined that.
"I'd love to see this some more in the civil courts and I'd certainly like to see the High Court and Court of Appeal having a look at this and I don't know if they're thinking of appealing but it would be really good to get some information about how the High Court or Court of Appeal view groups or LinkedIn groups, people gathering together, because this is where the line between what we knew in the common law before technology arrived... and now we're dealing in social media."
