Human Rights Tribunal slams Cameron Slater

In what has been reported as a landmark decision, the Human Rights Review Tribunal has found that Cameron Slater breached the privacy of Matthew Blomfield by obtaining and publishing Blomfield’s personal information in a series of posts at Whale Oil, cherry picking and embellishing data from a hard drive that the Court found had been obtained illegally and given to Slater.

The tribunal found that Slater’s posts about Blomfield had caused genuine harm and humiliation through an interference in his privacy:

“This blog can only be described as a calculated attack on Mr Blomfield and an extended assassination of his character.”

Even if Mr Slater was not party to any illegality, it seems likely the information was obtained illegally by Mr Slater’s sources.

In October last year Slater lost a five year defamation case brought against him by Blomfield. Damages and costs haven’t been awarded yet, but last month Slater filed for bankruptcy.

Slater’s defence in the Human Rights case was that he had been acting as a journalist so had legal protection (similar to his defamation defence), but the decision states that the attacks were sustained over six months and were extreme, well beyond the responsibilities of journalism.

Note the date of the hearings (over four years ago), and the date of the decision (yesterday).

Also note the name of Slater’s assistant. Nottingham and Slater have records of over the top attack blogging, and hopeless legal attacks and defences. They are both now bankrupt, and both suffer from health problems. Slater has been distanced and dumped from Whale Oil, and Nottingham is banned from using the Internet.

[171] On the facts there can be little doubt the humiliation, loss of dignity and injury to feelings described by Mr Blomfield were caused by Mr Slater. In legal terminology we are satisfied Mr Slater’s disclosure of Mr Blomfield’s personal information was a material cause of the harm suffered by Mr Blomfield. See Taylor v Orcon [2015] NZHRRT 15, (2015) 10 HRNZ 458 at [59] to [61].

[174] We do not propose making a training order. The events in question occurred some time ago and much has happened since then, particularly extensive litigation between Mr Slater and Mr Blomfield. We are confident that upon publication of the present decision Mr Slater will appreciate that the news medium exemption from the Privacy Act is but a limited exemption. Whether a blogger is exempt from application of the information privacy principles is a question to be determined blog by blog, item of personal information by item of personal information. Only if the particular item of personal information comes within the definition of news activity is exemption from the Privacy Act triggered in relation to that particular item.

[175.1] A declaration is made under s 85(1)(a) of the Privacy Act 1993 that Mr Slater interfered with the privacy of Mr Blomfield by disclosing personal information about Mr Blomfield contrary to IPP 11.

[175.2] An order is made under s 85(1)(b) of the Privacy Act 1993 restraining Mr Slater from continuing or repeating the interferences with Mr Blomfield’s privacy, or from engaging in, or causing or permitting others to engage in, conduct of the same kind as that constituting the interferences, or conduct of any similar kind.

[175.3] An order is made under s 85(1)(d) of the Privacy Act 1993 that Mr Slater erase, destroy, take down and disable any personal information about Mr Matthew John Blomfield as may be held on and on Mr Slater is to likewise erase, destroy, take down or disable any of Mr Blomfield’s personal information published by Mr Slater and which may be found on any other website or database which is within Mr Slater’s direction or control.

[175.4] Damages of $70,000 are awarded against Mr Slater under ss 85(1)(c) and 88(1)(c) of the Privacy Act 1993 for the humiliation, loss of dignity and injury to feelings experienced by Mr Blomfield.

A media release from Blomfield:

Human Rights Review Tribunal orders Cameron Slater to pay damages

The Human Rights Review Tribunal has today upheld a complaint against Cameron Slater. The Tribunal found that Slater had breached the privacy of Matthew Blomfield by obtaining and publishing Mr Blomfield’s personal information.

The Tribunal ordered Slater to pay $70,000 in damages for the “humiliation, loss of dignity, and injury to feelings experienced by Mr Blomfield”. That is one of the highest awards ever made by the HRRT. It also ordered Slater to destroy Mr Blomfield’s personal information and to cease publishing stories based on that information.

In reaching its decision, the Tribunal rejected an argument from Slater that he was protected by a privacy exemption for news media. The Tribunal accepted that the blog site Whale Oil could be a news medium. However, it found that all but one of the publications complained of could not properly be described as a news activity. Rather, they were “gratuitous allegations” as part of a “sustained campaign” against Mr Blomfield. The Tribunal described the blog as “a calculated attack on Mr Blomfield and an extended assassination of his character”.

While being elated at the result, Mr Blomfield was very disappointed that the decision had taken so long. “I feel like I have lived the maxim, “justice delayed is justice denied”” he said. The hearing of this complaint before the Tribunal occurred more than four years ago. A few weeks ago, Slater had himself declared bankrupt. Since the hearing, the private information has appeared on other blog sites including one run by the lay advocate who assisted Slater before the HRRT. “The Tribunal has sat on this case for so long that it will now be very difficult for me to enforce any of its orders” said Mr

“Mr Slater’s actions have been an extended nightmare for me and my family. He has boasted online about having my family’s private information including the photos of my kids growing up and our family home movies. This has been especially traumatic for my children and my partner.” said Mr Blomfield. “Every allegation he made about me was a fabrication. As has become clear in the defamation case, there was simply no basis for the allegations, he just made them up.”

I think it’s unlikely to get a statement from Slater or Whale Oil.

The full judgment [2019] NZHRRT 13 is here.

David Fisher at NZ Herald:  Bankrupt blogger Cameron Slater carried out ‘character assassination’ – ordered to pay $70,000 in landmark media ruling

Bankrupt ex-blogger Cameron Slater has been found to have carried out an “extended assassination” on the character of a businessman in a series of blog posts he attempted to defend as journalism.

The Human Rights Tribunal has found his six-month campaign against businessman Matt Blomfield on his Whaleoil blog in 2012 wasn’t news and Slater did not have a journalist’s protection from prosecution under the Privacy Act.

It has ordered Slater pay Blomfield $70,000 in damages and never write about him again.

The ruling from the Tribunal also sets new rules for how the Privacy Act applies to journalism, saying media are bound to act “responsibly” if it wants to be exempt from the law.

That is an important point for bloggers as well as journalists. I operate as a journalist of sorts here at times, but it’s pretty obvious that doesn’t give me a license to run over the top, paid for attacks on people. This decision makes this clear in legal terms.

The basis of the claim was the blogger’s sourcing information from a hard drive he had obtained on which Blomfield had stored personal information over 10 years.

The case was taken up by the office of the Director of Human Rights Proceedings which prosecuted Slater for breaching the Privacy Act.

The tribunal’s finding, like a previous High Court judgment, raised concerns about the legality of Slater obtaining the hard drive containing Blomfield’s information.

The tribunal ordered Slater be declared as having breached Blomfield’s privacy and to be barred by restraining order from ever doing so again. It also ordered Slater destroy any personal information he held or had published about Blomfield.

It also delivered one of the tribunal’s highest awards for hurt and humiliation, ordering Slater pay Blomfield $70,000.

It is possible the award would outlast Slater’s bankruptcy with findings of damages being exempt from creditor settlements in some cases.

I don’t know how that might work.

Blomfield is likely to remain significantly out of pocket with his legal actions against Slater, but he has done many others who have been attacked and defamed and had vexatious litigation against them a favour of sorts.

Slater reached great heights with his blogging at Whale Oil, but power and money seem to have driven him way over the top. This is just one of a number of court rulings that have resulted in him being discredited and facing huge legal costs and awards made against him.

An associate of Slater’s, Marc Spring, tried to continue attacks against Blomfield here at YourNZ when a court agreement prevented Whale Oil from being used for that purpose. Spring, Slateose failures: NOTTINGHAM v APN NEWS & MEDIA LTD [2018] NZHC 596 [29 March 2018] (the charges against me were withdrawn before trial).

On Monday I received an anonymous letter which included court judgments involving Blomfield. I was aware of these judgments already and had little interest in them, they are business/legal matters of little or no public interest.

The letter falsely accused me of supporting Blomfield in those matters – they have absolutely nothing to do with me and I have nothing to do with them.

It also made a number of accusations against Blomfield that sound very similar to what Slater has just been slammed for by the Human Rights Review Tribunal.

Whoever sent the letter must be nuts if they think I’m going to publish their anonymous unsubstantiated accusations.

NZ banks’ terms & conditions for handing customer data to the police

Nicky Hager’s lawyer Felix Geiringer  asks: What do New Zealand’s leading banks say in their terms and conditions about handing their customers’ data to Police and other Govt agencies?

They say they will hand over customer data in breach of the Privacy Act. Westpac have apologised to Hager and have promised to change their terms.

But the other major banks have made vague assertions that they will not breach customer privacy but still have dodgy terms, and have not made a commitment to change their terms to comply with the law.

Regardless of views about Hager’s use of hacked data, this is an important issue for everyone.

Via Twitter @BarristerNZ:

There has been significant publicity over Westpac’s decision to hand Nicky Hager’s data to Police. But this issue was never limited to Westpac.

A study conducted by the OPC in 2015 suggested that our financial institutions might have been releasing to Govt the data of close to 10,000 customers per annum without a warrant / production order.

Possibly close to 10,000 customers each year! And this appears to have been happening for over a decade.

Plus, all our banks, not just Westpac, had entered into a written agreement with NZ Police to give over customers’ data without warrants or production orders.

Basically, all our banks promised Police that they would breach the Privacy Act if Police asked them to. And it looks like Police may have made many thousands of such requests.

Westpac said to Hager that its terms permitted the release. The OPC rejected the argument that those terms could be relied upon. However, Westpac terms, on their face, did set a much lower bar for releasing data than our Privacy or Search and Surveillance legislation.

Westpac have apologised for its breach, and it has also promised to change its terms. There will now be an enforceable contractual promise from that bank to customers that it will not do this again.

What about other banks?

I am told that in answer to journalists’ questions some other banks have made vague assertions that they will not breach customer privacy. But what do their terms actually say?

Kiwibank’s terms are very similar to the ones Westpac had at the time of the Hager release.

Kiwibank’s terms assert that, by banking with it, you authorise it to release your data to Police whenever Kiwibank thinks it will help Police with an investigation.

That test bypasses the protections that parliament has put in place which limit releases to circumstances where Police can objectively establish reasonable grounds to believe the data is evidence of a crime.

ANZ’s terms are almost the same again, arguably even looser. It says that by banking with it you agree that it can give your data to Police if it believes that doing so will help prevent crime.

ASB’s terms are more open to interpretation. It can release data to Police when required to by law. There can be no objection to that. But it can also release data in a variety of other circumstances.

ASB’s terms define the purposes for which it is holding your data to include to “investigate illegal activity”. The terms allow release to 3rd parties for this purpose. However, the Govt isn’t expressly listed as one of those 3rd parties.

If the list of 3rd parties in ASB’s terms is read as a closed list, it arguably has the best terms. If it is not read as a closed list, then it has one of the worst terms.

BNZ’s terms are clear, and are clearly the worst of those discussed here. Its terms claim that you have authorised it to share your data with Police or other Govt agencies for the purpose of detecting any crime.

The circumstances of release permitted by BNZ’s terms are astoundingly broad. Those terms have little regard for the duty to protect the secrecy of BNZ’s customers’ information.

I haven’t analysed TSB’s terms.

So, there you have it, and I think that this raises serious questions. We know the NZ banks were doing a very bad job of protecting our private data. They say they are doing better now, but are they?

And, if these banks are now not handing over data to Police without a warrant or production order, why is this still not reflected in their terms?

Principle 11, Privacy Act 1993 – 6 Information privacy principles: Limits on disclosure of personal information


Obtaining Hager’s Westpac data, David Fisher, the Privacy Act

As posted in Hager raid court documents published by Scoop included are two affidavits by Herald senior reporter David Fisher.

And this morning the Herald have an item written by Fisher on aspects of the court details in Police got Hager data without court order. Did Fisher write that headline? It may sound worse than what happened; Westpac bank may have complied with the Privacy Act giving the police data they requested.

Scoop published the documents early on the first day they could legally do this – ‘Saturday, 24 October 2015, 12:05 am’.

Fisher could have happened to be up just after midnight and noticed the Scoop scoop, and then written up his article after reading through the documents. But that’s implausible if it made the print edition of the Herald this morning.

The online Herald article is shown as published at ‘5:00 AM Saturday Oct 24, 2015’. Fisher could have read the documents and written his article in that time frame.

But Fisher writes:

The details are revealed in documents obtained from the High Court by the Scoop news site, which intends to publish the full material today.

If Fisher had read the documents after being published just after midnight he would know they had already been published. It sounds like he knew in advance about the intended publication but didn’t know what time they would be published.

So Fisher must have been given the court documents in advance and had been in communication with Scoop about it.

Why does the Herald assign Fisher this topic when Fisher is so closely involved? Obviously his knowledge of the issue helps, but he may be too close to aspects of the story to give impartial and balanced coverage.

Fisher’s article starts with an implication that the handing over of data to the Police by Westpac was not legal and has a Government connection.

Westpac handed over private details without judicial authorisation, though other firms declined, court documents show.

Detectives investigating the Dirty Politics hacker Rawshark sought the banking, telephone and travel records of author and journalist Nicky Hager without any search order or other legal power.

Court records show Westpac – the government’s banker for 26 years – handed over “almost 10 months of transactions from Mr Hager’s three accounts” at the request of detectives investigating the hacking of Whale Oil blogger Cameron Slater’s email and social media accounts.

Why did Fisher point out that “the government’s banker for 26 years”? He should be aware that that will feed the conspiracy theorists who claim that the Government are directing the Police to harass Hager.

Fisher appears to me to be deliberately seeding conspiracy by using an irrelevant reference.

Other companies that were asked for Hager’s private details told police to come back with a court order, which would have legally obliged them to surrender the information.

As they have the right to do.

Hager’s legal teams used police documents to detail how detectives sought information on him in late September last year – just after the election – from 16 “bank contacts”, Air NZ, Jetstar, Spark, Trade Me and Vodafone. The request to Air NZ also sought information about anyone Hager might have been travelling with, the documents show.

Detectives told the companies they needed the information for an inquiry into “suspected criminal offending, namely fraud, dishonest access of a computer system”, telling the bank the information would help avoid “prejudice to the maintenance of the law through the detection of serious offending”.

Have you read this far? How does it sound so far about Westpac providing Hager’s banking details?

The Privacy Act allows those holding personal information to waive the law if there are “reasonable grounds” to believe it would assist “maintenance of the law”.

That puts Westpac’s supply of data in a different light. Now I knew this, because I have sought clarification from the Privacy Commission on exactly the same issue of what I can and can’t do under the Privacy Act.

But readers who weren’t aware of this may have built a different picture. Did Fisher deliberately construct his article to mislead?

There is no sign in the High Court documents of Westpac – or any of the agencies – being supplied with additional information that might assist with the “reasonable grounds” test.

The documents do show the other companies rejected the request without a legal order.

Back to an apparent portrayal of Westpac bad, others good.

I would be very surprised if Westpac didn’t already have knowledge of the Privacy Act that enabled them to make an informed decision on whether they should provide the Police with data on request without a court order, or as Fisher repeated “without judicial authorisation” or “without any search order or other legal power”.

Westpac sent detectives transaction details from December 2013 until September last year, with other personal details.

The police decision to seek detailed information without a legal order appears contrary to the position stated by Assistant Commissioner Malcolm Burgess to the Weekend Herald last March.

He said there were “controls around how information is both requested and provided … While the Privacy Act provisions can be used to access low-level information, such as basic account details, higher-level data must be obtained through a production order,” he said.

It’s fair to ask whether Westpac should have provided the amount of detail they did “without a legal order” but this can be read as implying that what they did was illegal.

Hager’s lawyers told the court there were no reasonable grounds for police to seek information without a legal order and questioned whether such an order would have been granted were it applied for.

Fisher has written how there are legal grounds for the Police to seek information without an order, but goes back to suggest there are no reasonable grounds.

Here are quotes from Written submissions for the applicant Redacted in an application for judicial review.



5.1. As set out above in paragraphs 1.30-1.32, during September and October 2014 the Police made information requests to 16 bank contacts as well as Trade Me, Spark, Vodafone, Air New Zealand, and Jetstar. The information requests sought the disclosure of Mr Hager’s private information. In response to some, the Police obtained Mr Hager’s private information.

5.2. This was done without obtaining any production orders and in circumstances where production orders would not have been available. Mr Hager says that the information requests were unlawful and constituted unreasonable searches and seizures in breach of his rights under s 21.

Detail of the information requests

General bank request

5.3. On 24 September 2014, the Police sent information request sent to 16 bank contacts relied on an accusation of “suspected criminal offending, namely Fraud, Dishonest access of a computer system”.506 It claimed the information sought would “allow for a preliminary investigation to determine the scale of suspected offending (if any), thereby avoiding prejudice to the maintenance of the law through the detection of serious criminal offending, in respect of; HAGER/Nicky DOB: 04 384 5074 [sic] 73B Grafton Road, Roseneath, Wellington”.507 It asserted that it fell within the exception to the Privacy Act 1993 set out in Principle 11(e)(i) in s 6.

5.4. That request sought information about any accounts in his name, or for which he was a signatory, the date they were opened, current balances and account numbers, details of any signatories, details of all transactions on each account for the last 3 months, the dates, times and locations of the last week of transactions, and any past accounts, including the reasons they were closed.

Westpac bank request

5.5. On 29 September 2014, the Police sent an information request to Westpac Bank. It relied on the same accusation of suspected Fraud and Dishonest Access of a Computer System. It claimed the information would “provide evidential material to identify suspects for the alledged [sic] offending, thereby avoiding prejudice to the maintenance of the law through the detection of serious criminal offending, in respect of; HAGER/Nicky DOB: 04 3845074 [sic] 73B Grafton Road, Roseneath, Wellington”. It sought the details of all transactions for Mr Hager between December 2013 and May 2014.

Requests to other companies are detailed.


5.14. Police received a range of responses to these requests.516 Private information was disclosed in response to some of those requests. In particular, two information requests resulted in the Police receiving the details of almost 10 months’ worth of transactions from Mr Hager’s three accounts.

5.15. On 25 September 2014, Police received detailed information about Mr Hager’s bank account from Westpac Bank including some of Mr Hager’s bank statements.517 On 30 September 2014, the Police received the requested further transaction information from Westpac on almost exactly the same basis as the 24 September 2014 request.

Information requests were unlawful

5.16. The Privacy Act 1993 prohibited these third parties from disclosing Mr Hager’s information except within limited exceptions.519 As set out above, the Police asserted that their requests fell variously within the exceptions set out in Principles 11(e)(i) and 11(e)(ii) in s 6 of that Act. The principle and claimed exceptions state that:

An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds,… (e) that non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences; or

(ii) for the enforcement of a law imposing a pecuniary penalty

5.17. Under the SSA, the Police can obtain a production order to force companies, such as those listed above, to produce copies of documents they hold.520 In order to obtain such a production order the Police must have reasonable grounds:

(a) to suspect that an offence has been committed, or is being committed, or will be committed (being an offence in respect of which this Act or any enactment specified in column 2 of the Schedule authorises an enforcement officer to apply for a search warrant); and

(b) to believe that the documents sought by the proposed order—

(i) constitute evidential material in respect of the offence; and

(ii) are in the possession or under the control of the person against whom the order is sought, or will come into his or her possession or under his or her control while the order is in force.

5.18. The Police did not obtain such production orders.

5.19. The Police had reasonable grounds to believe that an offence had been committed by the Source. However, the Police did not have reasonable grounds to believe that the documents they were seeking in relation to Mr Hager would constitute evidential material in respect of that offence. The Police also lacked any reasonable grounds to believe that Mr Hager had committed any offence. And, in particular, the Police have discovered no documents to support any suggestion of fraud.

5.20. This is denied by the Police. However, the Police have failed to assert any such reasonable grounds in their evidence. Nor have any reasonable grounds been disclosed by the documents provided by the Police in discovery.

More paragraphs with details. Then:

5.27. The Police therefore lacked any lawful authority for these information requests.

A breach of s 21

5.28. Further, the information requests constituted unreasonable searches and seizures in breaches of s 21 of the Bill of Rights

Fisher chose to imply Westpac were wrong to have supplied Hager’s banking data without an order, and imply that it was illegal based on the document, but doesn’t say whether there has been a ruling on this so it’s unknown (to me anyway) whether he is correct or not.

Scoop states that this is all of the “files which have been released so far”.

Here is the advice I received from the Privacy Commissioner:

Principle 11 generally requires agencies not to disclose personal information, unless an exception set out in principle 11 applies. In other words, although you are not obliged to disclose personal information to a third party (in this instance, the New Zealand Police), you have the discretion to disclose personal information in certain circumstances, provided you can rely upon one of the exceptions set out in principle 11 to do so.

One of the exceptions for disclosure is principle 11(e)(i), where non-compliance is necessary for the maintenance of the law function.  So, if you believe it is necessary for the Police to have this information for their maintenance of the law function, this is one of those exceptions that permits disclosure in those circumstances.  Also, principle 11(e)(i) applies irrespective of whether the Police have asked you to make such a disclosure, or whether you make the disclosure of your own volition to the Police.

However, it is a good idea to only disclose personal information to the extent necessary.

Of course, if the Police were to produce a search warrant or court order for the information, you would need to comply with that search warrant or court order.

(This was advice from the Privacy Commissioner’s Office, not legal advice)

Fisher appears to have taken sides on this in his article, or at least strongly leant towards one side.

I’m genuinely interested in legal clarification on this, because as a blogger/publisher I can be requested to provide private information and I need to be sure under which circumstances I can or should do this.

The Privacy Act:

UPDATE: there’s been a lot about this on Twitter, with predictable outrage at Westpac handing over data without a court order.

@PeteDGeorge @paulbrislen @nzherald the judgement is expected out fairly soon.