The following is the Privacy Commissioner’s response to a post by Facebook’s Global Deputy Chief Privacy Officer Stephen Deadman on the Commissioner’s finding that Facebook has failed to comply with its obligations under the New Zealand Privacy Act. For those who, like the Commissioner, have deleted or otherwise do not have access to Facebook, Mr Deadman’s post is pasted below.

As New Zealand’s Privacy Commissioner, I need to take a moment to tell you what this matter is really about.

The suggestion that I or my office want to trawl through Facebook users' accounts in breach of their privacy is mischievous, misleading, and disingenuous.

Agencies that operate in New Zealand, agencies that collect, publish, analyse, manipulate and profit from New Zealanders' personal information are required to comply with New Zealand law. Two and a half million New Zealanders entrust their personal information to Facebook. Facebook’s business model depends on extracting value from that information. The law that governs those activities in New Zealand is the Privacy Act 1993. The extent and nature of Facebook’s activities in New Zealand means it is required to comply with that law.

Rather than work with the Privacy Act, which neither throttles business and the digital economy nor unjustifiably exposes users' personal messages and the like to my office, Facebook simply declared that the Privacy Act did not apply to it and that it would not comply with those legal obligations.

Contrary to the claims that my office posed a threat to Facebook users' privacy, Facebook was already in breach of the Privacy Act before the matter was even raised with my office. Facebook’s actions in failing to deal with the request appropriately (note, not in failing to hand over information – we did not once suggest that Facebook was obliged to disclose any post or content, to the individual concerned) constituted an unlawful interference with the requester's privacy.

The biggest irony in this matter is that had Facebook actually complied with its legal obligations, and availed itself of the mechanisms to appropriately deal with requests of this nature under the Privacy Act, it is extremely unlikely that the matter would have got to the point where I felt obliged to warn the New Zealand public of Facebook’s wilful non-compliance, and the risks that stance holds for New Zealanders in the future.

Here’s what Facebook could have done;

Where person “A” says to Facebook “Under information privacy principle 6 of the Privacy Act, give me access to any personal information about me, held on the accounts of persons “B”, “C”, “D”, and “E”, Facebook could have transferred that request, to “B”, “C”, “D” and “E”, on the basis that the information is “more closely connected with the functions or activities" of those individuals.

Where “B”, “C”, “D” and “E”, are individuals, posting in their individual capacity, the Privacy Act simply will not apply. Instead of this simple solution, Facebook chose to go into bat for a hypothetical, and in doing so demonstrated not just to New Zealand users, but users worldwide a very selective approach to the privacy values it chooses to uphold.

There will be situations where, under New Zealand law, an individual is entitled to require Facebook to assess personal information it holds about them (for example where another user makes a complaint to Facebook about that individual). Where disclosing that information would “involve the unwarranted disclosure of the affairs of another individual” the law will support a decision to refuse to provide that information to that individual.

In those cases, the individual will be entitled to ask my office to review the decision, in order to have an independent assurance that their privacy rights have been given sufficient weight. In order to do that we need to review the information at issue. Parliament has given us the statutory power to do so, just like the court Facebook's Deputy Global Chief Privacy Officer, Stephen Deadman, refers to. Under New Zealand law it is the Privacy Commissioner’s job to perform the task Stephen describes of "considering the interests of all those concerned”, and making a determination.

We do this dozens of times a month, with hospital records, police investigations, security service records, counselling files, insurance information, employment records, and New Zealand agencies cope, and privacy is upheld, not trammelled. New Zealand citizens and businesses understand this and rely on this system working. If we overreach or get it wrong, there are a number of avenues under New Zealand law to hold my office accountable. Facebook is entitled to fair treatment from my office, like any other business over which I have jurisdiction, and it is entitled to access local remedies to hold me to account. What it is not entitled to do is simply thumb its nose at the law and deny it is subject to it, which it has done in this case.

Who would deny that Facebook is in crisis, and faces a significant global challenge in rebuilding the trust squandered by lax attention to what really matters to users? If Facebook is serious about rebuilding that trust among its New Zealand users, a good start would be by publicly committing to comply with the law this community has put in place to protect the privacy of personal information about its citizens.

John Edwards - Privacy Commissioner 

Mr Deadman's post

As Facebook's Global Deputy Chief Privacy Officer, I wanted to take a moment to provide some background about the recent comments made in the media by the Office of the Privacy Commissioner (New Zealand) about Facebook's commitment to privacy in New Zealand.

Firstly, we have the highest respect for the Commissioner and the role he plays in protecting the interests of New Zealand citizens. We have had a constructive relationship of cooperation with the Commissioner and his office for many years, and we have every intention of continuing this.

The privacy of the people who use Facebook is of the utmost importance to everyone who works here at the company. As our CEO Mark Zuckerberg said when he posted recently about the Cambridge Analytica issues (https://www.facebook.com/zuck/posts/10104712037900071) that has been much debated over recent days: “We have a responsibility to protect your data, and if we can't then we don't deserve to serve you”

The case in question is a difficult one. In September last year, the Commissioner notified us of a complaint — a person wanted access to content posted by other users of Facebook that he believes concerns him. The posts were private and the complainant did not know where or when this content had been shared. To locate the content, the Commissioner asked us to search through and disclose the records of seven people's account for a year long period — from August 2016 to August 2017.

In order to search through and disclose the private messages of people who use Facebook, we need to have a lawful basis to do that. In this case we don’t have that - disclosing the information requested by the OPC would violate Irish data protection law, which is the data protection law that applies to Facebook Ireland, the company that provides the Facebook service in New Zealand.

However, even if the New Zealand Privacy Act did apply to Facebook in this case, we firmly believe that Facebook would not be legally required to disclose the information requested, because it would violate the data protection rights of the New Zealand citizens concerned.

The usual course of action in cases like this is for the complainant to go to court and get an order for discovery. If the court saw fit after considering the interests of all those concerned, then the court may issue an order that would authorize Facebook to disclose the information. But he has chosen not to. Instead he has asked the OPC to treat this like a request for access to his own data. This doesn’t seem right to us, and we are concerned about the use of this process for this type of issue.

I hope that you understand why we believe it would be wrong to disclose the information requested by the OPC in this case. We remain open to finding a solution, and will work with the authorities in New Zealand and in Ireland to do so.

Stephen Deadman
Global Deputy Chief Privacy Officer, Facebook

Facebook