Privacy Commissioner John Edwards says Facebook is subject to the Privacy Act and has fundamentally failed to engage with the Act

Below is a statement issued by Privacy Commissioner John Edwards on Wednesday.

Privacy Commissioner: Facebook must comply with NZ Privacy Act

The Privacy Commissioner says Facebook has breached the Privacy Act 1993.

The Commissioner’s finding comes after Facebook refused a complainant access to personal information held on the accounts of several other Facebook users.

The social media company said the Privacy Act did not apply to it and it did not have to comply with the Commissioner’s request to review the information requested by the complainant.

The Commissioner found Facebook was subject to the Privacy Act and had fundamentally failed to engage with the Act. He said Facebook’s position that the Privacy Act did not apply to it was surprising and contrary to its own Data Policy in regards to responding to legal requests for any personal information it held.

Privacy Act process

The Commissioner identified that there were several options for engagement under the Privacy Act available to Facebook. Facebook failed to engage with the Privacy Act.

Failure to process the request

Upon receiving the request for personal information from an individual Facebook should have:

  • made a decision on the request within 20 working days and communicated this to the individual (section 40)
  • provided a reason for withholding/transferring it (section 44)
  • told the individual that they had a right to complain to the Commissioner about the decision (section 44)
  • generally assisted the individual in making their request for their personal information (section 38).

Facebook could have found that:

  • providing the information requested would constitute an unwarranted disclosure of the affairs of another person (section 29(1)(a))
  • the information requested was not readily retrievable (section 29(2)(a)).

Facebook could have also potentially:

  • Found that it was not the holder of the information requested (section 3)
  • Found that it was only facilitating conversations between individuals (section 55(a))
  • Transferred the request to another agency (section 39).

Failure to respond appropriately to notification of complaint

Once notified by the Commissioner of a complaint, Facebook should have:

  • Provided reasons for withholding the requested information (section 44)
  • Provided the information requested by the complainant to the Commissioner for his review (section 91 and 92).

Privacy Commissioner’s powers

Sections 91 and 92 require agencies to comply with requests from the Commissioner for information withheld by those agencies from individuals. These are some of only a limited number of powers the Commissioner has.

After being notified of the complaint Facebook said it did not have to comply with the Commissioner’s statutory demand for the information.

Due to Facebook ignoring a statutory demand the Commissioner was unable to review the material requested by the complainant and unable to arrive at a view that Facebook was justified in properly withholding information from the complainant.

This prevented the Commissioner from being able to address the complaint under the statutory process.

Applicability of the Privacy Act

The Commissioner’s view is that Facebook is subject to the Privacy Act because it operates in New Zealand and provides services to New Zealanders. Facebook is an agency for the purposes of section 2 of the Act, despite its data processing taking place overseas.

Section 10 of the Privacy Act expressly states that, for the purposes of access rights in principle 6, information held by an agency includes information held by that agency outside New Zealand.

Conclusion

Facebook did not comply with the Privacy Act as it failed to:

  • properly respond to the complainant’s request for information,
  • acknowledge it was subject to the Privacy Act, and
  • cooperate with the Commissioner’s investigation and statutory demand for information.

The Commissioner has publicly named Facebook in accordance with his office’s naming policy after first providing Facebook with an opportunity to comment on this finding. The Commissioner’s investigations are almost always confidential, but he considers it necessary to publicly identify Facebook in order to highlight its demonstrated unwillingness to comply with the law, and to inform the New Zealand public of Facebook’s position.