US privacy invasion decision has implications for Asian hotel operators and their insurers
Erin Andrews v Marriott International and Ors
A covert video made by another guest in a hotel in Nashville has led to a US sports reporter being awarded USD$55 million in damages - of which USD$27 million is payable by the hotel's management company and owner. Could a similar case of invasion of privacy in Australia or Asia produce the same result?
Earlier this year, US sports reporter Erin Andrews was awarded USD$55 million in a lawsuit over a nude video of her which was covertly made by another guest while she stayed at a hotel in Nashville.
The video was made by Michael Barrett, who has since been convicted and imprisoned for stalking Andrews. Barrett filmed the video from the room next to Andrews’, and manipulated the peephole on the door connecting the two rooms, so that he could film her covertly through the peephole.
Andrews alleged that hotel staff had confirmed the fact that she was staying at the hotel to Barrett, told Barrett which room she was staying in, and allowed Barrett to stay in the room next to hers. The hotel owner argued during the trial that the video was entirely Barrett's fault and that he had claimed sole responsibility for obtaining Andrews' name from hotel staff. However, the company’s lawyer said at a press conference after the verdict that the case has "changed" the US hotel industry, which has taken steps to prevent such incidents.
The jury ordered Barrett to pay USD$28 million and the hotel's management company and owner, Windsor Capital Group, to pay USD$27 million. Windsor Capital Group has indicated that it will appeal the decision, and there is the potential for the award to be reduced on appeal.
What does this case mean for Asian hotels and insurers?
A similar case in Asia would be unlikely to produce an award of this magnitude. The amount of the damages awarded in this case is largely a product of the US judicial system, which leaves juries to assess the amount of damages. This often leads to very large awards, particularly in cases such as this where the plaintiff has suffered emotional distress or trauma, the cost of which is difficult to assess. In Australia, Singapore, Hong Kong and most other Asian common law countries, damages are assessed by a judge and consequently large awards are much rarer.
Putting aside the amount of the award, it is entirely possible that an Asian court could hold a hotel operator liable for negligence in a case like this. Perhaps surprisingly, in Australia, it is less clear whether the perpetrator would also be liable.
Hotel operators have a duty of care to protect the safety and privacy of their guests. In this case, Andrews had a strong argument that hotel employees had negligently breached that duty by confirming to Barrett that she was staying at the hotel, telling him her room number and granting his request to stay in an adjoining room, and that it would have been much more difficult for Barrett to make the video had they withheld that information and/or denied that request.
If the incident had occurred in Australia the hotel’s actions would also be likely to breach the Privacy Act. By revealing to Barrett that Andrews was staying in the hotel and her room number, the hotel was disclosing her personal information to a third party, which in Australia would be a breach of Australian Privacy Principle 6. The Act allows an individual affected by a breach of the Act to apply for an injunction, but does not provide for damages. However, a plaintiff could rely on a breach of the Act as the basis for an action for breach of statutory duty.
The position would be the same in most countries with a comprehensive data privacy law: there are now ten such countries in the region, including Hong Kong, Singapore and Japan. The disclosure of personal data to a third party without the consent of the individual or other legitimate grounds would breach the “disclosure principle” in any of these countries. Further, some Asian data privacy laws allow an individual affected by a breach to apply for compensation, as well as injunctive relief.
Surprisingly, it is less clear whether Barrett would be liable for damages if he had committed the same act in Australia. The Privacy Act only applies to entities operating a business with revenue exceeding $3 million, which was not the case for Barrett. This exception is not common in other Asian countries, in which it is likely that Barrett’s actions would also constitute a breach of data privacy laws.
The US has a well-established cause of action which allows individuals to recover damages for invasion of privacy. An action is available if a person intentionally intrudes (whether by viewing, recording or physically entering) upon a space in which another person has a reasonable expectation of privacy (such as a hotel room), provided that the intrusion would be highly offensive to a reasonable person. However, few other countries have a similar cause of action.
The courts in the United Kingdom have extended the action for breach of confidence to cover certain kinds of invasion of privacy, as illustrated in 2004 when model Naomi Campbell successfully sued Mirror Newspapers over photographs taken outside a rehabilitation clinic.
Courts in Asian common law jurisdictions have yet to follow this approach. Several lower courts in Australia have upheld some form of action for invasion of privacy; however, it has yet to be widely recognised. The Hong Kong courts have recognised a tort of harassment. The Australian Law Reform Commission and regulators in other countries have argued for a statutory cause of action for invasion of privacy.
In some circumstances, another cause of action may protect privacy rights. In a famous Australian case in the 1990s, rugby league player Andrew Ettinghausen successfully argued that a nude photo taken of him in the changing rooms after a match was defamatory. However, as these actions are not designed to protect privacy, they will often not apply to conduct that would generally be regarded as an invasion of privacy.
Lessons for hotels and hotel insurers in Asia
With hotels accommodating hundreds of random strangers in close proximity, there is clear potential for this kind of invasion of privacy in any hotel property. While damages of $55 million are unlikely to be awarded by an Australian or Asian court in a case such as this, there is clearly the potential for hoteliers to be liable for the actions of guests who attempt to view, photograph or film other guests in the hotel.
Generally, public liability policies provide cover for breaches of duty of care and invasion of privacy, but insureds should be mindful of policy exclusions. Alternatively, some management liability policies provide cover for privacy and cyber breaches. Most insurers now provide some form of stand-alone privacy and cyber policy wording which may respond to cyber attacks and data breaches.
Australian and Asian hotels should ensure that staff are aware of their obligations to protect guest privacy, both as part of their general duty of care to guests and under local data privacy laws. In particular, hotels should not disclose the identity, room number or other personal information of guests to anyone other than authorised third parties, such as hotel contractors. Hotels should also exercise caution in allowing guests to request a specific room number, and ensure there is a legitimate reason behind any such request (such as putting families or friends in adjacent rooms).