John Edwards, the NZ privacy commissioner, explains why he has determined Facebook to be non-compliant with the New Zealand Privacy Act – and why he deleted the app.

I’ve been on Facebook for nearly 10 years. I wasn’t that keen on it at first, as I kept getting pestered by digital agriculturalists using the needy Farmville game.

In 2009 I established the first Facebook page in New Zealand designed to win support for a legal cause, and exert local pressure to achieve a just outcome for an aggrieved and powerless client. It worked. As part of the settlement the client had to agree to delete the page. That was impossible. As administrator, all I could do was set the page to “private” so no friends could see it, and it had no public face. But it remained visible to Facebook which, until Sunday, continued to send me “updates” on that long inactive page.

I joined because it was my business. I was a lawyer specialising in aspects of online life, and as Facebook soon steamrolled over my Bebo, MySpace, even TradeMe and its “OldFriends” platforms, it was clear that it was increasingly important to be there.

And it was (and continues to be) a useful way of keeping up with friends, and eventually, an essential way of accessing a number of unrelated online services.

In the beginning I would happily while away a bit of idle time clicking on all the novels I’d read, the albums I’d listened to, I’d allow this app access, in order to access that website or gizmo, and although I would often provide media commentary on the behemoth’s apparently insatiable appetite for your personal data, it all seemed pretty benign.

The terms and conditions and privacy policy began to change more frequently. Here’s an Electronic Frontier Foundation summary of some of the changes up to 2010. Facebook responded to the increasingly complex changes with easy-to-use tools like its ironically labelled “privacy dinosaur”, launched in 2014.

People started getting tagged in publicly available photos whether they’d chosen to join Facebook or not. Employers and insurers started reviewing the profiles of prospective and current employees and policy-holders. As Privacy Commissioner by now, my angle was that anyone could exploit a Facebook user’s failure to protect their profile from unwanted views, but I would still hold them liable for how they used that information.

Then we had the high watermark for what has become known as the Facebook Cake case – $168,000.00 awarded to a woman who had accepted a friend request from a former employer, who had then used that access in a campaign of harassment.

So far the risk seemed to come mostly from users’ own lack of care or awareness about the implications of what they were posting, or other users abusing their access, or thoughtlessly including others in the posts, regardless of their preferences.

Very few people got to “look under the hood” to see how Facebook was using the data itself. Many heard alarm bells with the emotional contagion study in 2014 in which researchers with access to 689,003 Facebook users were able to show users’ mood states could be manipulated by the kinds of posts to which they were exposed. The exposure of that study caused ripples around the data protection and Facebook communities.

About the same time the scandal that has more recently enveloped the company began with a personality quiz developed by Global Science Research. The data harvested from that quiz is alleged to have been used by the firm Cambridge Analytica to influence elections, including that of President Donald Trump. That matter is currently under investigation by my counterparts in the UK, the Information Commissioner’s Office, in the US the Federal Trade Commission, and in Canada, the Office of the Privacy Commissioner. My Australian counterpart has asked for a “please explain”.

Throughout its life and rise to near monopoly status in the social media space, Facebook has maintained close links, and cultivated strong relationships with regulators. They host great parties, and I’ve enjoyed their hospitality and goody bags in Marrakesh and Washington, Amsterdam and Mauritius. Their language of engagement is about empowering the user, a philosophy which is consistent with many data protection regulatory frameworks. We see few complaints, and those that do arise Facebook has often thought of before, and engineered a solution into the ever complex and all encompassing code. So we’ve so far avoided the critical question, “Is Facebook subject to the New Zealand Privacy Act?”

Until recently. A complaint to my office has put that question front and centre. Every New Zealander has the right to find out what information an agency holds about them. It is a right of constitutional significance, and even this week’s Dotcom case noted that the right of individuals to access, challenge and to correct personal data is generally regarded as “perhaps the most important privacy protection safeguard” (Dotcom v Crown Law 2018 [2018] NZHRRT 7 para 69).

Facebook failed to meet its obligations under the Privacy Act, and when given a statutory demand from my office to produce the information at issue so that I could discharge my statutory duty to the requester to review it, Facebook initially refused to provide it, and then asserted that Facebook was not subject to the New Zealand Privacy Act, and was therefore under no obligation to provide it.

Our investigation was not able to proceed, and we notified the parties that while we were able to conclude that Facebook’s actions constituted an interference with privacy, and a failure to comply with its obligations both to the requester, and to my Office, there was nothing further we could do.

We applied our naming policy and today have identified Facebook as non-compliant with the New Zealand Privacy Act in order to inform consumers of the non-compliance, the associated risks, and their options for protecting their data.

Under current law there is little more I am able to do practically to protect my, or New Zealanders’, data on Facebook. I will continue to assert that Facebook is obliged to comply with New Zealand law in relation to personal information it holds and uses in relation to its New Zealand users, and in due course a case may come before the courts, either through my Office, or at the suit of the company.

Until that happens, the 2.5 million New Zealanders who have a Facebook account have a range of options:

They can choose to continue under the current terms and conditions, uncertain as to whether they will be able to enforce the rights they enjoy in respect of their personal information held by every other agency in New Zealand;

They may choose to check that the terms and conditions under which they use Facebook continue to meet their needs and expectations, and modify their settings and postings accordingly; or

They may choose to delete their Facebook account, either permanently, and use some other platform, or temporarily, so as to start a new account with a clean slate.

Facebook has provided an easy-to-access facility to download all the data you have submitted since you joined. If you do decide to delete your account, keeping a copy of that will not only mean you don’t lose all your posts, messages and the like, but it will be a handy resource for you if you want to re-establish a new account, with some or all of the same friends. Advice on deleting your account is here.

Privacy and data protection is about the ability to exercise autonomy and control over your personal information. Clearing the slate, and removing data collected at an earlier time, under different terms and conditions, for different purposes, is an expression of that autonomy and control.

That’s why I’ve deleted Facebook (for now).
