Privacy Commissioner accuses Facebook of thumbing nose at New Zealand law
By Nikki Mandow
March 28 (BusinessDesk) - New Zealand’s government may not have evicted any Russian spies this week but its Privacy Commissioner today joined international allies blasting Facebook for a lax attitude to data privacy.
Not Cambridge Analytica this time. Instead, Privacy Commissioner John Edwards is accusing Facebook of refusing to release information it holds on a particular individual, despite being obliged to do so under the Privacy Act (which gives New Zealanders the right to find out what information an agency holds about them).
Facebook argues it doesn’t have to provide the information because as an Irish company (the 2.5 million or so Kiwi Facebook users are supplied with their service by Facebook Ireland) it isn’t subject to the provisions of the New Zealand legislation.
Facebook also says the Privacy Commissioner’s request for records amounts to little more than a fishing trip.
“We are disappointed the Privacy Commissioner asked us to provide access to a year's worth of private data belonging to several people and then criticised us for protecting their privacy. We scrutinize all requests to disclose personal data, particularly the contents of private messages, and will challenge those that are overly broad.
“We have investigated the complaint from the person who contacted the Commissioner's office but we haven't been provided with enough detail to fully resolve it. Instead, the Commissioner has made a broad and intrusive request for private data.”
So what’s this all about?
The impasse started with a non-Facebook user (we’ll call him Peter purely for ease of identification) who became concerned that a group of Facebook users were posting defamatory information about him online. Unable to get Facebook to release the posts and messages he believed concerned him, Peter made a complaint to the Privacy Commissioner. John Edwards asked Facebook for any posts or messages concerning Peter, so he could make the call whether the information should be released. Facebook refused, arguing it has a responsibility to keep contents of its users’ private communications safe and secure, and not share them with third parties.
Facebook and the Privacy Commissioner are now at an impasse, Edwards says. Because he can’t get access to the documents he’s asked for, he can’t decide whether Facebook was justified in withholding the information from Peter. And he hasn't got any powers to make Facebook change its position.
Stalemate, unless Peter chooses to escalate the case to the Human Rights Review Tribunal. The trouble is, the tribunal is overloaded and under-resourced, according to a Privacy Commission briefing to Justice Minister Andrew Little late last year. Long delays are common.
Meanwhile, Facebook’s arguments about being under Irish jurisdiction are nonsense, Edwards says.
“This is about 2.5 million New Zealanders on Facebook’s platform, who entrusted them with their personal information. How can they say they aren’t doing business in New Zealand when you arrive in Christchurch and straight away the app sends you advertisers offering you coffee in Christchurch.
“Facebook is offering New Zealand services in New Zealand to New Zealanders. They are obliged to comply with the Privacy Act."
And the law says if says if the Privacy Commissioner asks you for information, you have to give it to him - like you would to a judge or a regulatory body like the Commerce Commission.
Edwards is also frustrated that under the present legislation he can’t do anything to force Facebook to release the information or apply any penalties. He’s calling on Andrew Little, whose new Privacy Bill was introduced into Parliament this week, to toughen the legislation to give his office more teeth.
“Government should consider empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate). [We should also have] a power to require an agency to demonstrate its ongoing compliance with the Act."