In Kim Dotcom v Attorney-General  NZCA 551, the Court of Appeal has issued a rare judgment on the Privacy Act 1993 (Act), dealing with access requests and the correct approach to interpreting the Act. Although the Act will shortly be replaced, the judgment is an important one and its approach to transferring access requests and declining requests because they are vexatious remain relevant to the new Privacy Act, and to the Official Information Act 1982 as well.
In July 2015, Mr Dotcom made information access requests to 52 government agencies under the Act, requesting all personal information held. Mr Dotcom asked these requests to be treated with urgency (under s 37) because the information was needed for "pending legal action", which he did not specify but was understood to be his extradition hearing scheduled for September 2015. No further grounds for urgency were provided.
Nearly all of the requests were transferred to the Attorney-General, on the basis that the requests were "more closely connected with the functions or activities" of the Attorney-General.
All those requests were declined on the ground that the request for urgency was vexatious and that insufficient reasons for urgency had been provided.
Mr Dotcom sought damages to the Human Rights Review Tribunal (HRRT), which held that the requests should not have been declined and awarded damages of $90,000. The High Court overturned the decision, and concluded that damages should have been reduced, even if an interference with privacy were established. For more detail on the High Court decision, see our earlier update here.
Court of Appeal judgment
On 10 November 2020, the Court of Appeal delivered its judgment, which was confined to two questions of law:
- whether a request for personal information under the Act can be transferred to another agency where the request seeks urgency and the agency where the request is to be transferred is the only agency able to properly evaluate; and
- whether a request for urgency under s 37 of the Act can be a relevant factor in determining whether to refuse a request for personal information under s 29(1)(j).
Interpreting the Act and the Privacy Act 2020
Perhaps the most significant aspect of the decision is the Court's guidance on interpretation. Applying Taylor v Chief Executive, Department of Corrections  NZHRRT 35, the Crown argued that the Act should be interpreted in an "open-textured" way, ie flexibly and non-technically. The Privacy Commissioner agreed with that approach in general, but argued that the grounds for refusing access to information engaged legal thresholds and involved a rigorous legal standard. The Court of Appeal agreed, holding that a conventional approach to statutory interpretation was required for information privacy principle 6 (access) and Part 4 and Part 5 of the Act (concerning access to, and correction of, personal information).
Generally, therefore, a non-technical and purposive interpretation of the information privacy principles will be appropriate, including under the new Privacy Act 2020. That may work to the advantage of some agencies where there are minor technical non-compliances, but it will also mean that the Privacy Commissioner and HRRT are likely to be even less tolerant of agencies who seek to rely on technicalities.
Transferring access requests
The Crown argued that the transfer to the Attorney-General was appropriate because the Attorney-General, as the party to the litigation with Mr Dotcom, was best placed to assess the validity of Mr Dotcom's request for urgency.
The Court clarified that two requirements must be satisfied to facilitate an information request transfer under s 39(b)(ii):
- the "information" sought (rather than the "request") must be "more closely connected" with the functions or activities of another agency; and
- the person dealing with the request must believe that the information is more closely connected to the functions or activities of the other agency. The Court observed that an objective basis is also required – ie there must be a reasonable basis for the belief.
The Court concluded that a request for urgency does not comprise a part of the "information" to which the request relates. As such, a request for urgency does not provide a proper basis for the transfer of the information request to another agency. The agency can, of course, seek advice from another agency, but it cannot transfer the request merely because urgency is sought.
It was held that the transfer of Mr Dotcom's information requests to the Attorney-General were invalid and an interference with Mr Dotcom's privacy.
The Crown argued that the request for urgency, coupled with such expansive requests, rendered the requests vexatious. The High Court had held that the requests were vexatious but only because they sought urgent compliance.
In contrast, the Court of Appeal held that a request for urgency may provide a relevant consideration for the decision-maker when determining whether an information request is vexatious. However, the mere fact of a request for urgency would not be a proper basis for a refusal, although it might support an inference, such as where a grossly excessive number of requests for urgency, or where the reasons for urgency provided are not credible.
What this means for Agencies
It can sometimes be easy for agencies to conclude that access requests are vexatious. Dotcom is a reminder that the test for rejecting an access request is high and a request for urgency, even if unjustified, does not in itself render the request vexatious. Similarly, a decision to transfer a request must be carefully considered by reference to the information in question. That guidance will apply equally under the Privacy Act 2020, which has very similar provisions to those analysed in Dotcom.
The Court of Appeal did not address the question of damages, instead remitting the matter to the HRRT for further consideration. Given that the High Court had found that the HRRT's approach in this case had been "wholly erroneous", it is perhaps a shame that a rare opportunity for appellant guidance was not taken.