Qantas cyber attack: Kiwis cannot join Aussie legal complaint but can complain in NZ, expert says

A privacy law expert says Qantas is subject to local rules relevant to customer data. Photo / Brent Winstone

Qantas cyber attack victims in New Zealand aren’t eligible for a possible Australian class action but can take action locally, a legal expert says.

Australian law firm Maurice Blackburn made a representative complaint against Qantas over the data breach but said Kiwis weren’t eligible to join in.

But Andrew Shaw, managing partner at Lane Neave, said New Zealand’s Privacy Act 2020 applied to both the private and the public sectors.

“It would apply to an entity such as Qantas. It extends also to overseas agencies carrying out business in New Zealand.”

Data for about 5.7 million customers was compromised in the Qantas breach at the end of last month.

Shaw added: “In New Zealand if people were impacted by the breach by Qantas they would make a complaint to the Office of the Privacy Commissioner.”

He said the office would consider the complaint and ask: “Is this an actionable privacy breach in New Zealand?”

Shaw said a privacy breach in this context meant a person had access to or misused personal information without consent.

“Then the question from there is, if it’s a privacy breach, what has somebody suffered effectively?”

The Office of the Privacy Commissioner would try to resolve that issue and ask if mediation was possible.

“Ultimately the Human Rights Review Tribunal considers it.”

The New Zealand process for data breaches has generated some criticism.

Consumer NZ chief executive Jon Duffy earlier this month said Qantas would face much stiffer penalties under Australian privacy regulations than it would if it were a New Zealand company.

However, Shaw said the system in New Zealand could punish people or entities for data breaches.

“The system in New Zealand is good. The Privacy Commissioner and the act have real teeth. The criticism I would have is the delay, the delay in having the matter heard by the Human Rights Review Tribunal.”

He said the tribunal could award substantial damages.

Shaw said Lane Neave was not suing Qantas but New Zealand had some litigation funders and some no-win no-fee practitioners who might consider the case.

A spokesperson for the Privacy Commissioner said the office had received a very low level of complaints about Qantas.

“If someone wants to complain about a breach of privacy, they need to complain to Qantas first and give them a chance to resolve their concerns,” they added.

“If they are not satisfied with the response, then they can complain to us.”

Qantas said it was aware Maurice Blackburn in Australia had lodged a complaint on behalf of some affected customers in relation to the cyber incident.

“Our focus continues to be on supporting our customers and providing ongoing access to specialist identity protection advice and resources,” a Qantas spokesman said.

“In an effort to further protect our customers, Qantas has obtained an injunction in the New South Wales Supreme Court which prevents the stolen data from being accessed, viewed, released, used, transmitted or published by anyone, including by any third parties.”

Maurice Blackburn said the complaint was made to the Australian privacy commissioner, who did not have jurisdiction over New Zealanders’ personal information.

Some 1.3 million residential or business addresses were among the affected Qantas data, including hotels for misplaced baggage delivery.

Four million customer records stolen in the attack contained names, email addresses and Qantas Frequent Flyer numbers.

John Weekes is a business journalist mostly covering aviation and courts. He previously reported on courts, crime, politics and consumer affairs.