28 Mar 2018

Facebook breached New Zealand's Privacy Act

3:31 pm on 28 March 2018

But what does this mean for me?



Facebook has refused to release a New Zealander’s personal information that was stored in “several” other Facebook accounts, thus breaching the Privacy Act. But what does this actually mean, and is Facebook in trouble?

Don't worry, we're here to explain this to you.


Facebook is in trouble with the Privacy Commissioner

Facebook is in trouble with the Privacy Commissioner Photo: Unknown


What even is the Privacy Act? 

The Privacy Act controls how 'agencies' - this could be anything from your gym, a bank, a club or a government department - collect, use, disclose, store and give access to your 'personal information' - info that identifies you. 

They have to keep your info secure, and they can’t just give it out willy-nilly to other people. 

If you want to get hold of information about yourself that an agency holds, you can ask for it under the Act. They’re required by law, with few exceptions, to give it to you. 

Cool, so what sort of stuff can I get? 

You can get all sorts of info this way - a transcript of that 111 call you made after hearing KFC had run out of chicken, your contact details held by an unnamed Auckland real estate agency that keeps emailing you since you went to nosy at your neighbour’s open home four years ago, how many times you have been to the gym this year, an audio recording of that time you yelled at someone from the Auckland Council call centre because they were pruning the trees on your street and you had to move your car but you didn’t want to, etc. 

But Facebook isn’t a NZ company, so does the Act apply to them? 

According to Privacy Commissioner John Edwards, the law does apply to Facebook, because the company operates in New Zealand and provides services to New Zealanders.

Ok, so why is Facebook in trouble with the Privacy Commissioner? 

Because someone requested information about themselves that was held by “several” other Facebook accounts, and Facebook refused to give it to them. That person then complained to the Commissioner, who opened an investigation, and Facebook refused to give them the information either.  

Why did they refuse? Can they even do that? 

There are grounds for refusal under the Act. Like, if the information given might endanger someone, prevent the investigation of criminal offences, or involve breaching someone else’s privacy. Facebook could have used this last reason. Or they could have said they weren’t able to access the information. 
At a stretch, they could have argued they weren’t the holder of the information requested; that they were only facilitating conversations between individuals; or they could have transferred the request to another agency to deal with.

OK. Which one of these reasons did they give? 

None of the above. 

Facebook refused to provide the info to the person who requested it, and then when the Commissioner got involved and requested to review the information as they normally would when investigating a complaint, Facebook refused to engage with him either. 


Because they say the act doesn’t apply to them. 

But the Commissioner says it does? 


Weird. So is Facebook in trouble now? Will they get a fine?  Does Mark Zuckerberg have to come to New Zealand? Will there be a trial? How do I get on the jury? 

Nope. The Privacy Commissioner doesn’t have the enforcement powers to bring legal action against Facebook. 

BUT there is a new Privacy Bill that’s been introduced in Parliament that will give him new enforcement powers. One of the proposals in the Bill is the introduction of compliance notices, to force an agency to take a particular action – or to stop from doing something. 

Important information held about Susan Strongman by Facebook.

Important information held about Susan Strongman by Facebook. Photo: Unknown


What does this mean for me? 

It means that if you want to find out what information other Facebook accounts hold about you, you might not be able to. 

Who else has information about me but me? 

Remember that time you did that “Which breed of dog are you?” quiz on Facebook, and it asked you to agree to their Terms & Conditions and Privacy Policy and you and you were like *yawn* and clicked accept because you JUST WANTED TO KNOW WHICH BREED OF DOG YOU WERE? 

You probably didn’t read the fineprint, I certainly didn’t, but that app might hold info about you now. Like what breed of dog you are. And who knows what they could do with that kind of power.