NZ privacy commissioner has pulled up Facebook for breach of privacy laws

Privacy Commissioner John Edwards says Facebook users should examine their use of the social media platform after it failed to comply with New Zealand law.

Facebook says a request for information that triggered a telling off by the Privacy Commissioner was too "broad and intrusive" for it to comply.

On Wednesday morning commissioner John Edwards came out swinging against Facebook, saying the social media giant breached the Privacy Act. The finding came after Facebook refused a complainant access to personal information held on the accounts of several Facebook users.

Edwards said the company's position that the Act did not apply to it was surprising and contrary to Facebook's own data policy in regards to responding to legal requests for any personal information it held.


After being notified of the complaint, Edwards said, Facebook claimed it did not have to comply with the statutory demand for the information.

But according to Facebook, Edwards' request required delving into numerous users' posts and private conversations, which may prove defamatory of the complainant.

Facebook CEO Mark Zuckerberg has made international headlines for refusing to appear in front of a parliamentary inquiry into fake news in the United Kingdom.

A Facebook spokeswoman said the company was disappointed the commissioner asked the company to provide access to a year's worth of private data belonging to several people and then criticised them over privacy protection.

"We scrutinise all requests to disclose personal data, particularly the contents of private messages, and will challenge those that are overly broad," she said.

"We have investigated the complaint from the person who contacted the commissioner's office but we haven't been provided enough detail to fully resolve it. Instead, the commissioner has made a broad and intrusive request for private data. We have a long history of working with the commissioner, and we will continue to request information that will help us investigate this complaint further."

Privacy Commissioner John Edwards has taken Facebook to task over infringements on Kiwi privacy laws.

The refusal meant Edwards was unable to review the material, and therefore unable to judge whether Facebook was justified in withholding the information.

Edwards said Facebook was subject to the Act because it operated in New Zealand and provided services to New Zealanders, regardless of the fact its data processing took place overseas.

Facebook had neither properly responded to the complainant's request for information, nor acknowledged it was subject to the Privacy Act, nor co-operated with the investigation and statutory demand for information, Edwards said.

NetSafe chief executive Martin Cocker said there was a time to fight with giants like Facebook, and a time to work with them over issues.

Edwards said he went public with his findings to highlight Facebook's demonstrated unwillingness to comply with the law, and inform the public of the company's position.

"[Facebook] does not believe when it operates in New Zealand, with the personal information of 2.5 million New Zealanders, that it needs to pay any attention to the regulatory regime."

Edwards said he had no power to prosecute Facebook and there was nothing else he could do to hold the company to account.

Dylan McKay downloaded his Facebook data as a ZIP file and was astonished.

Last year, Facebook made US$30.6 billion (NZ$42.1b) in revenue from selling advertising space on its website, its 2017 financial results revealed. It is unknown how much of that revenue was made in New Zealand.

The social media giant has been facing increased scrutiny internationally after revelations that data mining firm Cambridge Analytica, working for the Trump campaign, improperly obtained data on 50 million Facebook users.

NetSafe chief executive Martin Cocker said the commissioner may have his heart in the right place, but taking on a multinational like Facebook alone was futile.

"There's only two possible outcomes: he could be legally right and then Facebook will make adjustments to ensure that he is not, they are not going to accept the jurisdiction of every country they operate in," he said.

"They simply can't accept that as a multinational. It's just too much exposure."

The second outcome was finding common ground with Facebook.

"Facebook doesn't want its users to have a negative experience. It doesn't want people to think they are at risk."

Cocker's understanding of how the privacy law interacted with Facebook was that while the company had a local advertising and sales foothold, it was distinct and separate from the component that ran the network and handled content.

"Where we want to apply the law around harmful digital communications, or privacy, or data control, that stuff all applies to the half of the business which is the content part, and the content part is registered in two countries – one in Ireland and the other in California."

All Kiwi services were run out of Ireland, meaning the privacy commissioner there could hold sway over the rules Facebook played by.

It was an Irish ruling, Cocker said, that forced Facebook to enable users to download and look at all content held on them.

It was via this tool that Dylan McKay, a Wellingtonian software developer, was able to discover Facebook was recording the metadata from his phone calls and texts.

To effect change, Cocker said the commissioner could lobby his Irish counterpart, or seek signatures from other foreign governments, in order to increase pressure on the social network.

"There have been times when the privacy commissioners from a dozen different countries have joined together and written a joint letter and said as a group they didn't approve of behaviour, and that has gotten some traction."

Some countries, like China and Turkey, had in the past banned non-compliant websites, but Cocker said this only happened where the internet was far more policed.

THE PRIVACY BILL

A new Privacy bill, tabled by Justice Minister Andrew Little last week, could give the privacy commissioner the power to hand a compliance notice to companies like Facebook who are found to not be complying with New Zealand's privacy law.



If companies refuse to abide, Edwards wants to slap them with fines up to $1 million. Little's bill did not include that measure.

Other proposed new protections for consumer information included mandatory notification of privacy breaches that could cause serious harm, and enabling the commissioner to make binding determinations that agencies should provide people with access to their information.

Edwards said he would use this case as an example of why the law reform was needed if the bill passed to select committee.

Under the new Bill the privacy commissioner will also be able to issue enforceable orders requiring agencies to fix their processes to comply with the privacy principles.

There would also be added requirements for information being sent offshore, with agencies required to check it was properly protected there.

Privacy Foundation chair Marie Shroff said traditionally New Zealand's privacy laws were strong and practical, but over recent years it had become increasingly urgent to update them to keep pace with technology.

"So it's excellent to see a new version of the legislation introduced to Parliament, that includes some internationally accepted features to enhance consumer protection."

"The changes bring us closer into line with many of our trading partners, particularly Australia, which has introduced mandatory breach notification a few weeks ago, and Europe, with its new privacy laws coming into force in late May."

"This allows us to demonstrate that New Zealand businesses can be trusted to handle personal information appropriately."

The maximum fine attached to breaches - $10,000 - has been slated by the Foundation, however, with Deputy Chair Gehan Gunasekara saying this was too low, especially where corporate defendants were concerned.

