Did Whaleoil break law with Labour data grab? Snap legal opinions

At 2pm, Whaleoil – aka blogger Cameron Slater – is due to reveal the names of 452 Labour Party donors [update: Mr Slater balked].

He has pledged to reveal more information in coming days.

Mr Slater told NBR that data was left unprotected web server root directory – in layman’s terms, left lying around for the taking.

The Twitterati were split on whether Whaleoil had broken the law or not in first taking the data, and now in his plans to publish it.

So what does an expert make of it?

From an initial scan of today’s events, Chapman Tripp partner and intellectual property specialist Matt Sumpter thinks Mr Slater probably did not break the Privacy Act. The information had – if inadvertently – been placed in the public domain.

Individuals could sue for breach of privacy, but to mount a successful case they would have to prove that facts or details revealed were “highly offensive” (and although some NBR readers would deem Labour membership as such, the donors involved presumably hold an association with the party in higher regard).

Donors would be angry, but by the same token it was unlikely that had suffered financially.

More, Mr Slater could possibly mount a public interest defence, Mr Sumpter said.

In short, if Labour looks to the Privacy Act, it’s very likely out of luck in terms of court-enforced damage control.

“Once’s the cat’s out of the bag, courts are poorly placed to grab that cat and put it back in the bag,” the Chapman Tripp partner said.

So is all lost for Labour?

Not necessarily.

If Mr Slater’s escapade can be classed as “data scraping”, then Labour might be able to take action under copyright legislation, Mr Sumpter said.

Crimes Act in play
For Lowdnes Jordan partner Rick Shera, the Crimes Act comes into play.

Mr Shera told NBR,  "The test is contained in section 252(1) of the  Act." That is:

Everyone is liable to imprisonment for a term not exceeding two years who intentionally accesses, directly or indirectly, any computer system without authorisation, knowing that he or she is not authorised to access that computer system, or being reckless as to whether or not he or she is authorised to access that computer system.”

"There is then an exception created by subsection 252(2) where a person has been given authorisation to access a system for one purpose but then accesses it for another - so that is not a crime, although might still be a breach of the Privacy Act," Mr Shera said.

"According to some reports, the information was wide open on the Labour site. I don’t know if it was generally accessible or it required a little bit of ingenuity or even 'cracking'. However, that is not the issue. The issue is whether Cameron Slater was authorised to access the material for any purpose. If he wasn’t, or if there was doubt and he just did it anyway without caring - that is, recklessly, then he may be liable.

"In my view, authorisation carries with it the idea of an intention to allow access and not just an implicit authority through a lack of security, but the issue has never been tested," Mr Shera said.

He added: I’ll say one thing for Mr Slater though, he is certainly doing a service to internet legal precedent, whether he wins or loses this time."