Facebook just lost another user — New Zealand’s privacy commissioner

Mark Zuckerberg’s friend count continues to tick down in the face of a major data misuse scandal griping the company. The latest individual to #DeleteFacebook is no less than the privacy commissioner of New Zealand.

Writing in The Spinoff, John Edwards accuses Facebook of being non-compliant with the New Zealand Privacy Act — and urges other New Zealanders to follow his lead and ditch the social network.

He says he’s acting after a complaint that Facebook failed to provide a user in New Zealand with information it held on them.

“Every New Zealander has the right to find out what information an agency holds about them. It is a right of constitutional significance,” he writes. “Facebook failed to meet its obligations under the Privacy Act, and when given a statutory demand from my office to produce the information at issue so that I could discharge my statutory duty to the requester to review it, Facebook initially refused to provide it, and then asserted that Facebook was not subject to the New Zealand Privacy Act, and was therefore under no obligation to provide it.

“Our investigation was not able to proceed, and we notified the parties that while we were able to conclude that Facebook’s actions constituted an interference with privacy, and a failure to comply with its obligations both to the requester, and to my Office, there was nothing further we could do.”

Facebook’s strategy of arguing it is not under the jurisdiction of privacy laws in international markets is a standard play for the company which instructs its lawyers to argue it is only subject to Irish data protection law, given its international HQ is based in Ireland.

(NB: The geographical distance between Ireland and New Zealand is roughly 18,600km — a vast physical span that of course presents no barrier to Facebook’s digital business making money by mining personal data in New Zealand.)

The company’s ‘your local privacy rules don’t apply to our international business’ strategy appears to be on borrowed time, in Europe at least — with some European courts already feeling able to deny Facebook’s claim that Ireland be its one-stop shop for any/all international legal challenges.

The EU also has a major update to its data protection framework incoming, the GDPR, which will apply from May 25 — and which ramps up the liabilities for companies ignoring data protection rules by bringing in a new penalty regime that scales as high as 4% of a organizations global turnover (for Facebook that could mean fines as large as $1.6BN, based on the ~$40.6BN it earned last year — per its 2017 full year results).

And that’s all before you consider the huge public and political pressure now being brought to bear on the company over data handling and user privacy, as a result of the current data misuse scandal. Which has also wiped off billions in share value — and led to a bunch of lawsuits.

“We applied our naming policy and today have identified Facebook as non-compliant with the New Zealand Privacy Act in order to inform consumers of the non-compliance, the associated risks, and their options for protecting their data,” adds Edwards, joining the anti-Facebook pile-on.

“Under current law there is little more I am able to do to practically to protect my, or New Zealanders’ data on Facebook. I will continue to assert that Facebook is obliged to comply with New Zealand law in relation to personal information it holds and uses in relation to its New Zealand users, and in due course a case may come before the courts, either through my Office, or at the suit of the company.”

He goes on to suggest that the 2.5 million New Zealanders who use Facebook could consider modifying their settings and postings on the platform in light of its current non-compliant terms and conditions — or even delete their account altogether, linking to a page on the commission’s own website which explains how to delete a Facebook account.

So, er, ouch.

In response to the commissioner’s actions, Facebook has decided to try to brand the country’s privacy commissioner himself as, er, hostile to privacy…

A Facebook spokesperson emailed us the following statement:

We are disappointed that the New Zealand Privacy Commissioner asked us to provide access to a year’s worth of private data belonging to several people and then criticised us for protecting their privacy. We scrutinize all requests to disclose personal data, particularly the contents of private messages, and will challenge those that are overly broad. We have investigated the complaint from the person who contacted the Commissioner’s office but we haven’t been provided enough detail to fully resolve it. Instead, the Commissioner has made a broad and intrusive request for private data. We have a long history of working with the Commissioner, and we will continue to request information that will help us investigate this complaint further.

This of course is pure spin — and a very clunky attempt by Facebook to shift attention off the nub of the issue: Its own non-compliance with privacy laws outside its preferred legal jurisdictions.

Frankly it’s a very risky PR strategy at a time when it really has become impossible for Facebook to deny quite how comfortable the company was, up until mid 2015, to hand over reams of personal information on Facebookers to third party users of its developer platform — without requiring these external entities gain individual level consent (friends could ‘consent’ for all their friends!).

Hence the Cambridge Analytica scandal.

The non-compliance of Facebook with European data protection laws was in the spotlight yesterday, during an oral hearing in front of the UK parliamentary committee that’s looking into the Cambridge Analytica-Facebook data misuse scandal — as part of a wider enquiry into online disinformation and political campaigning.

Giving testimony to the committee as an expert witness Paul-Olivier Dehaye, the co-founder of PersonalData.IO — a startup service designed to help people control how their personal information is accessed by companies — recounted how he had spent “years” trying to obtain his personal information from Facebook.

Dehaye said his persistence in pressing the company eventually led it to build a tool that lets Facebook users obtain a subset list of advertisers who hold their contact information — though only for a rolling eight week period.

Downloaded FB data also gives you insight into whom else has data on you (used to run custom audiences). Have never engaged with 75% of these… pic.twitter.com/dQPjIcI8CW

— Christian Hernandez (@christianhern) March 26, 2018

“I personally had 200 advertisers that had declared to Facebook that they had my consent to advertise. One of them is Booz Allen Hamilton, which is an information company,” Dehaye told the committee. “I don’t know how [BAH got my data]. I don’t know why they think they have my consent on this. Where that information comes from. I would be curious to ask.”

Asked whether he was surprised by the data Facebook held on him and also by the company’s reluctance to share this personal information, Dehaye said he had been surprised they “implemented something” — i.e. the tool that gives an eight week snapshot.

But he also argued this glimpse is illustrative because it underlines just how much Facebook still isn’t telling users.

“They implicitly acknowledge that yes they should disclose that information,” said Dehaye, adding: “You have to think that these databases are probably trawled through by a tonne of intelligence services to now figure out what happened in all those different circumstances. And also by Facebook itself to assess what happened.”

“Facebook is invoking an exception in Irish law in the data protection law — involving, ‘disproportionate effort’. So they’re saying it’s too much of an effort to give me access to this data. I find that quite intriguing because they’re making essentially a technical and a business argument for why I shouldn’t be given access to this data — and in the technical argument they’re in a way shooting themselves in the foot. Because what they’re saying is they’re so big that there’s no way they could provide me with this information. The cost would be too large.

“It’s not just about their user base being so large — if you parse their argument, it’s about the number of communications that are exchanged. And usually that’s taken of a measure of dominance of a communication medium. So they are really arguing ‘we are too big to comply with data protection law’. The costs would be too high for us. Which is mindboggling that they wouldn’t see the direction they’re going there. Do they really want to make that argument?”

“They don’t price the cost itself,” he added. “They don’t say it would cost us this much [to comply with the data request]. If they were starting to put a cost on getting your data out of Facebook — you know, every tiny point of data — that would be very interesting to have to compare with smaller companies, smaller social networks. If you think about how antitrust laws work, that’s the starting point for those laws. So it’s kind of mindboggling that they don’t see their argumentation, how it’s going to hurt them at some point.”