New Zealand Law Society - Facebook told it can’t hide from the Privacy Act

Facebook told it can’t hide from the Privacy Act

This article is over 3 years old. More recent information on this subject may exist.

The Privacy Commissioner has found Facebook has breached the Privacy Act 1993.

The Commissioner’s finding comes after the social media network refused a complainant access to personal information held on the accounts of several other Facebook users.

The company said the Privacy Act did not apply to it and it did not have to comply with the Commissioner’s request to review the information requested.

The Commissioner found Facebook was subject to the Privacy Act and had fundamentally failed to engage with the Act. John Edwards says Facebook’s position that the Privacy Act did not apply to it was surprising and contrary to its own Data Policy in regards to responding to legal requests for any personal information it held.

On receiving the request for personal information, the Commissioner says Facebook should have made a decision on the request within 20 working days and communicated this to the individual. It should also have provided a reason for withholding/transferring it, told the individual that they had a right to complain to the Commissioner about the decision and generally assisted the individual in making their request.

Once notified by the Commissioner of a complaint, Facebook should have provided reasons for withholding the requested information, and provided the information requested by the complainant to the Commissioner for his review.

Applicability of the Privacy Act

The Commissioner says Facebook is subject to the Privacy Act because it operates in New Zealand and provides services to New Zealanders. Facebook is an agency for the purposes of section 2 of the Act, despite its data processing taking place overseas.

Section 10 of the Privacy Act expressly states that, for the purposes of access rights in principle 6, information held by an agency includes information held by that agency outside New Zealand.

The Commissioner concluded that Facebook did not comply with the Privacy Act as it failed to:

  • Properly respond to the complainant’s request for information,
  • Acknowledge it was subject to the Privacy Act, and
  • Cooperate with the Commissioner’s investigation and statutory demand for information.

The Commissioner has publicly named Facebook in accordance with his office’s naming policy after first providing Facebook with an opportunity to comment on this finding. The Commissioner’s investigations are almost always confidential, but he considers it necessary to publicly identify Facebook in order to highlight its demonstrated unwillingness to comply with the law, and to inform the New Zealand public of Facebook’s position.