The Privacy Commissioner says Facebook has breached the Privacy Act 1993.
The Commissioner’s finding comes after Facebook refused a complainant access to personal information held on the accounts of several other Facebook users.
The social media company said the Privacy Act did not apply to it and it did not have to comply with the Commissioner’s request to review the information requested by the complainant.
The Commissioner found Facebook was subject to the Privacy Act and had fundamentally failed to engage with the Act. He said Facebook’s position that the Privacy Act did not apply to it was surprising and contrary to its own Data Policy in regards to responding to legal requests for any personal information it held.
This simply isn't acceptable. The Privacy Act applies to all companies operating in New Zealand, regardless of where they hold data. Facebook operates in New Zealand, so it is subject to the law, no matter how inconvenient it is to lawless, tax-cheating silicon valley tech-bros.
Not that it is actually inconvenient. The Privacy Commissioner' statement makes it clear that Facebook had a number of options available to it, and there's a strong possibility they could have lawfully refused the request. Instead, they simply refused to process it. Unfortunately, there's no criminal penalties under the Privacy Act. This sort of attitude from foreign multinationals is a strong argument that we need some.