Below is a statement issued by Privacy Commissioner John Edwards on Wednesday.
Privacy Commissioner: Facebook must comply with NZ Privacy Act
The Privacy Commissioner says Facebook has breached the Privacy Act 1993.
The Commissioner’s finding comes after Facebook refused a complainant access to personal information held on the accounts of several other Facebook users.
The social media company said the Privacy Act did not apply to it and it did not have to comply with the Commissioner’s request to review the information requested by the complainant.
The Commissioner found Facebook was subject to the Privacy Act and had fundamentally failed to engage with the Act. He said Facebook’s position that the Privacy Act did not apply to it was surprising and contrary to its own Data Policy in regards to responding to legal requests for any personal information it held.
Privacy Act process
The Commissioner identified that there were several options for engagement under the Privacy Act available to Facebook. Facebook failed to engage with the Privacy Act.
Failure to process the request
Upon receiving the request for personal information from an individual Facebook should have:
- made a decision on the request within 20 working days and communicated this to the individual (section 40)
- provided a reason for withholding/transferring it (section 44)
- told the individual that they had a right to complain to the Commissioner about the decision (section 44)
- generally assisted the individual in making their request for their personal information (section 38).
Facebook could have found that:
- providing the information requested would constitute an unwarranted disclosure of the affairs of another person (section 29(1)(a))
- the information requested was not readily retrievable (section 29(2)(a)).
Facebook could have also potentially:
- Found that it was not the holder of the information requested (section 3)
- Found that it was only facilitating conversations between individuals (section 55(a))
- Transferred the request to another agency (section 39).
Failure to respond appropriately to notification of complaint
Once notified by the Commissioner of a complaint, Facebook should have:
- Provided reasons for withholding the requested information (section 44)
- Provided the information requested by the complainant to the Commissioner for his review (sections 91 and 92).
Privacy Commissioner’s powers
Sections 91 and 92 require agencies to comply with requests from the Commissioner for information withheld by those agencies from individuals. These are some of only a limited number of powers the Commissioner has.
After being notified of the complaint Facebook said it did not have to comply with the Commissioner’s statutory demand for the information.
Due to Facebook ignoring a statutory demand the Commissioner was unable to review the material requested by the complainant and unable to arrive at a view that Facebook was justified in properly withholding information from the complainant.
This prevented the Commissioner from being able to address the complaint under the statutory process.
Applicability of the Privacy Act
The Commissioner’s view is that Facebook is subject to the Privacy Act because it operates in New Zealand and provides services to New Zealanders. Facebook is an agency for the purposes of section 2 of the Act, despite its data processing taking place overseas.
Section 10 of the Privacy Act expressly states that, for the purposes of access rights in principle 6, information held by an agency includes information held by that agency outside New Zealand.
Facebook did not comply with the Privacy Act as it failed to:
- properly respond to the complainant’s request for information,
- acknowledge it was subject to the Privacy Act, and
- cooperate with the Commissioner’s investigation and statutory demand for information.
The Commissioner has publicly named Facebook in accordance with his office’s naming policy after first providing Facebook with an opportunity to comment on this finding. The Commissioner’s investigations are almost always confidential, but he considers it necessary to publicly identify Facebook in order to highlight its demonstrated unwillingness to comply with the law, and to inform the New Zealand public of Facebook’s position.
Below is a response from Facebook, which was posted on Facebook.
As Facebook's Global Deputy Chief Privacy Officer, I wanted to take a moment to provide some background about the recent comments made in the media by the Office of the Privacy Commissioner (New Zealand) about Facebook's commitment to privacy in New Zealand.
Firstly, we have the highest respect for the Commissioner and the role he plays in protecting the interests of New Zealand citizens. We have had a constructive relationship of cooperation with the Commissioner and his office for many years, and we have every intention of continuing this.
The privacy of the people who use Facebook is of the utmost importance to everyone who works here at the company. As our CEO Mark Zuckerberg said when he posted recently about the Cambridge Analytica issues (https://www.facebook.com/zuck/posts/10104712037900071) that have been much debated over recent days: “We have a responsibility to protect your data, and if we can't then we don't deserve to serve you.”
The case in question is a difficult one. In September last year, the Commissioner notified us of a complaint — a Facebook user wanted access to content posted by other users of Facebook that he believes concerns him. The posts were private and the complainant did not know where or when this content had been shared. To locate the content, the Commissioner asked us to search through and disclose the records of seven people's accounts for a year-long period — from August 2016 to August 2017.
In order to search through and disclose the private messages of people who use Facebook, we need to have a lawful basis to do that. In this case we don’t have that - disclosing the information requested by the OPC would violate Irish data protection law, which is the data protection law that applies to Facebook Ireland, the company that provides the Facebook service in New Zealand.
However, even if the New Zealand Privacy Act did apply to Facebook in this case, we firmly believe that Facebook would not be legally required to disclose the information requested, because it would violate the data protection rights of the New Zealand citizens concerned.
The usual course of action in cases like this is for the complainant to go to court and get an order for discovery. If the court saw fit after considering the interests of all those concerned, then the court may issue an order that would authorize Facebook to disclose the information. But he has chosen not to. Instead he has asked the OPC to treat this like a request for access to his own data. This doesn’t seem right to us, and we are concerned about the use of this process for this type of issue.
I hope that you understand why we believe it would be wrong to disclose the information requested by the OPC in this case. We remain open to finding a solution, and will work with the authorities in New Zealand and in Ireland to do so.
Global Deputy Chief Privacy Officer, Facebook