Privacy Commissioner John Edwards says Facebook users should examine their use of the social media platform after it failed to comply with New Zealand law.

A war of words has erupted between the privacy commissioner and Facebook over an alleged breach of the Privacy Act by the social media giant.

Facebook said the request for information that sparked the dispute was too "broad and intrusive" for it to comply.

However, Privacy Commissioner John Edwards said the company's claims were a "smokescreen" designed to obscure what was essentially a flat-out refusal to comply with New Zealand laws.

KEVIN STENT/STUFF Want to know what data Facebook holds on you? Stuff shows you how.

Edwards made the accusation after Facebook refused a complainant access to personal information held on the accounts of several Facebook users.

READ MORE:

* Android should share the blame with Facebook for tracking calls and texts

* Kiwi software developer accuses Facebook of recording his calls and texts

* The Takeover: A Stuff series examining Facebook's place in our lives

* Facebook's crisis of confidence

The complainant raised the issue with Edwards, who found Facebook was subject to New Zealand's Privacy Act, and had fundamentally failed to engage with it.

AP Facebook CEO Mark Zuckerberg has made international headlines for refusing to appear in front of a parliamentary inquiry into fake news in the United Kingdom.

Facebook took the position that the act did not apply to it, and that the request was contrary to its own data policy.

A Facebook spokeswoman said the company was disappointed that Edwards had asked it to provide access to a year's worth of private data belonging to several people, and then criticised the company over privacy protection.

"We scrutinise all requests to disclose personal data, particularly the contents of private messages, and will challenge those that are overly broad," she said.

MONIQUE FORD/STUFF Privacy Commissioner John Edwards has taken Facebook to task over infringements on Kiwi privacy laws.

"We have investigated the complaint from the person who contacted the commissioner's office but we haven't been provided enough detail to fully resolve it. Instead, the commissioner has made a broad and intrusive request for private data."

Edwards said the request was adequately targeted for Facebook to act upon, but couldn't elaborate for privacy reasons.

Accusations the commission wanted access to private messages were "absurd and nonsensical".

SUPPLIED NetSafe chief executive Martin Cocker said there was a time to fight with giants like Facebook, and a time to work with them over issues.

"Any agency that this kind of request came to in New Zealand would be obliged to review information they held and then make an assessment as to whether the request should be transferred to another party, and here it was open to transfer the request to the individuals concerned."

If Facebook chose not to transfer the request, the commissioner said it could have offered justification for withholding.

"What Facebook has done instead is say the privacy act doesn't apply to them at all. That's actually of far greater concern than what did or didn't occur with a particular complaint."

DYLAN MCKAY/TWITTER Dylan McKay downloaded his Facebook data as a ZIP file and was astonished.

"[Facebook] does not believe when it operates in New Zealand, with the personal information of 2.5 million New Zealanders, that it needs to pay any attention to the regulatory regime."

The refusal meant Edwards was unable to review the material, and therefore unable to judge whether Facebook was justified in withholding.

Edwards said Facebook was subject to the Act because it operated in New Zealand and provided services to New Zealanders, regardless of the fact its data processing took place overseas.

He said he went public with his findings to highlight Facebook's demonstrated unwillingness to comply with the law, and inform the public of the company's position.

Edwards said he had no power to prosecute Facebook and there was nothing else he could do to hold the company to account.

Last year, Facebook made US$30.6 billion (NZ$42.1b) in revenue from selling advertising space on its website, its 2017 financial results revealed. It is unknown how much of that revenue was made in New Zealand.

The social media giant has been facing increased scrutiny internationally after revelations that data mining firm Cambridge Analytica, working for the Trump campaign, improperly obtained data on 50 million Facebook users.

NetSafe chief executive Martin Cocker said the commissioner may have his heart in the right place, but taking on a multinational like Facebook alone was futile.

"There's only two possible outcomes: he could be legally right and then Facebook will make adjustments to ensure that he is not, they are not going to accept the jurisdiction of every country they operate in," he said.

"They simply can't accept that as a multinational. It's just too much exposure."

The second outcome was finding common ground with Facebook.

"Facebook doesn't want its users to have a negative experience. It doesn't want people to think they are at risk."

Cocker's understanding of how the privacy law interacted with Facebook was that while the company had a local advertising and sales foothold, it was distinct and separate from the component that ran the network and handled content.

"Where we want to apply the law around harmful digital communications, or privacy, or data control, that stuff all applies to the half of the business which is the content part, and the content part is registered in two countries – one in Ireland and the other in California."

All Kiwi services were run out of Ireland, meaning the privacy commissioner there could hold sway over the rules Facebook played by.

It was an Irish ruling, Cocker said, that forced Facebook enabled users to download and look at all content held on them.

It was via this tool that Dylan McKay, a Wellingtonian software developer, was able to discover Facebook was recording the metadata from his phone calls and texts.

To effect change, Cocker said the commissioner could lobby his Irish counterpart, or seem signatures from other foreign governments, in order to increase pressure on the social network.

"There have been times when the privacy commissioners from a dozen different countries have joined together and written a joint letter and said as a group they didn't approve of behaviour, and that has gotten some traction.

Some countries, like China and Turkey, had in the past banned non-compliant websites, but Cocker said this only happened where the internet was far more policed.

THE PRIVACY BILL

A new Privacy bill, tabled by Justice Minister Andrew Little last week, could give the privacy commissioner the power to hand a compliance notice to companies like Facebook who are found to not be complying with New Zealand's privacy law.



If companies refuse to abide, Edwards wants to slap them with fines up to $1 million. Little's bill did not include that measure.

Little said he supported Edwards' decision to name and shame.

"The message to Facebook has to be if you come here with operational staff and operations to set up in New Zealand, it doesn't matter if you're hosting this information offshore somewhere – you are in New Zealand, you are signing up New Zealanders to your product, so you should be expected to comply with New Zealand laws and standards," he said.

Other proposed new protections for consumer information included mandatory notification of privacy breaches that could cause serious harm, and enabling the commissioner to make binding determinations that agencies should provide people with access to their information.

Edwards said he would use this case as an example of why the law reform was needed if the bill passed to select committee.

Under the new Bill the privacy commissioner will also be able to issue enforceable orders requiring agencies to fix their processes to comply with the privacy principles.

There would also be added requirements for Information being send offshore, with agencies required to check it was properly protected there.

Privacy Foundation chair Marie Shroff said traditionally New Zealands privacy laws were strong and practical, but over recent years it had become increasingly urgent to update them to keep pace with technology.

"So it's excellent to see a new version of the legislation introduced to Parliament, that includes some internationally accepted features to enhance consumer protection."

"The changes bring us closer into line with many of our trading partners, particularly Australia, which has introduced mandatory breach notification a few weeks ago, and Europe, with its new privacy laws coming into force in late May."

"This allows us to demonstrate that New Zealand businesses can be trusted to handle personal information appropriately."

The maximum fine attached to breaches - $10,000 - has been slated by the Foundation however, with Deputy Chair Gehan Gunasekara saying this was too low, especially given where corporate defendants were concerned.