Facebook has been bullish in its response to the Privacy Commissioner's claim that it breached the Privacy Act in refusing to co-operate with an investigation.

It is understood the complainant in this case was not a Facebook user and is alleging that users on Facebook were making defamatory remarks about the complainant in a series of private Facebook messages. The complainant wanted access to these messages to see the information they contained.

Facebook spokesperson Antonia Sanda said that the Privacy Commissioner could not provide and dates, times or further details in respect of the request - making it difficult to assess what the complainant was referring to.

"The Commissioner has made a broad and intrusive request for private data," Sanda said.


"We are disappointed that the New Zealand Privacy Commissioner asked us to provide access to a year's worth of private data belonging to several people and then criticised us for protecting their privacy."

Sanda said that the request in this instance was unreasonable.

"We scrutinise all requests to disclose personal data, particularly the contents of private messages, and will challenge those that are overly broad. We have investigated the complaint from the person who contacted the Commissioner's office but we haven't been provided enough detail to fully resolve it."

Asked for comment on the claim that the data request was overly broad, Privacy Commissioner John Edwards said the request was no different to the 400-500 similar requests made in respect to other New Zealand-based organisations every year.

"I don't accept the claim that we treated Facebook any differently," Edwards said.

The Privacy Commissioner told the Herald Facebook was subject to the same rules as any other organisation operating in New Zealand and should follow the same procedures.

Edwards also said that the fact the complainant was not a Facebook user did not make the request any less legitimate.

"If you are a New Zealand resident and you want access to the information that ASB, for instance, has on you, then you are entitled to request it," Edwards said.


Edwards said that if the request was deemed too broad, then Facebook should have included this in its response rather than claiming that the Privacy Act had no jurisdiction over the case.

The jurisdiction argument arises because the Facebook service in New Zealand is provided by Facebook Ireland, which in Facebook's view means the company is subject to Irish data protection law and regulated by the Irish Data Protection Commissioner.

Edwards has rejected this claim, saying that the Privacy Act does apply because Facebook operates in New Zealand and provides services to New Zealanders.

Given Facebook has refused to provide any of the user data, the Privacy Commissioner decided to make the case public.

Privacy Commissioner John Edwards wants to see the Commission given greater enforcement powers. Photo/File.
Privacy Commissioner John Edwards wants to see the Commission given greater enforcement powers. Photo/File.

This is an unusual step, most often treated as a last resort and used only if the Privacy Commissioner has been unable to resolve the issue quietly between the complainant and the organisation holding the information.

Edwards has been calling for new measures that would enable the Privacy Commission to fine offenders up to $1 million for failing to comply with the Privacy Act.

A bill tabled by Labour MP Andrew Little this week proposes a revision of the Privacy Act to give the Privacy Commissioner the power to fine organisations up to $10,000 for infringements.

Edwards has argued this doesn't go far enough - particularly when dealing with major multinational organisations operating in New Zealand.