UPDATE: Privacy Commissioner criticises Facebook for "misleading" and "disingenuous" response to his investigation, says today's explanation doesn't go far enough.
UPDATE /1pm: Facebook might have furnished some details this morning about New Zealanders' data ending up in the hands of Cambridge Analytica.
For Privacy Commissioner John Edwards, it's not nearly enough.
"While we received some information as to the scale and seriousness of the breach, my office is in the process of requesting more information from Facebook. We have yet to be fully informed about how the individuals affected will be told and what information the Kogan app was able to access. We also want to be advised by Facebook of the consequences that users potentially face as a result of this breach," he says.
Mr Edwards has yet to decide whether to launch his own investigation. He is monitoring the outcome of probes already underway by regulators in the US, Canada and Australia.
The Privacy Commissioner, who recently blogged about his decision to delete his own account from Facebook, also drops a veiled hint that others should do the same, saying "New Zealanders who are concerned about the security of their personal information on Facebook to take their own steps to protect themselves. Facebook is offering improved mechanisms for deleting data from users’ accounts but full deletion of an account remains an option for anyone concerned about Facebook’s ability to keep their data safe."
Mr Edwards has already been in a scrap with Facebook over the Cambridge Analytica scandal.
The commissioner accuses the social network of making misleading comments about his investigation.
He also rejects Facebook's assertion that because it shifts revenue generated from New Zealand to lower-tax Ireland, its New Zealand operation should be subject to Irish privacy law (more below).
EARLIER / 9am: Up to 64,000 New Zealanders had their data accessed by Cambridge Analytica, Facebook says.
The controversial firm, tied to US President Donald Trump's election campaign, has now been banned from the social media platform.
Facebook now admits that, worldwide, around 87 million of its users had their personal data accessed by Cambridge Analytica, most of them unknowingly.
A contractor for the marketing and psychological profiling firm, Aleksandr Kogan, posted a personality quiz to the social network in 2014. As was allowed at the time by Facebook, the app's fine print let it access data from the friends of people who downloaded it and their friends.
"For New Zealand, 10 people are estimated to have downloaded the quiz app, with 63,714 friends possibly impacted," Facebook Australia New Zealand head of communications Antonia Sanda says.
Changes promised
Facebook has now made a number of changes to tighten its privacy practices.
Apps can no longer access your friends' data.
And, from Monday (Tuesday NZ time), "We will begin showing everyone on Facebook at top of their News Feed the apps they have connected to and an easy way to delete them. As part of this, we will let people know if their data might have been accessed by Cambridge Analytica," Ms Sanda says.
Facebook also promises to shortly show people all the apps that access their personal data, in a new dashboard at the top of their newsfeed.
"Going forward, we’re dramatically reducing the information people can share with apps. We’re shutting down other ways data was being shared through Groups, Events, Pages and Search," Ms Sanda says.
On March 28, NZ Privacy Commissioner John Edwards found Facebook had breached the Privacy Act after it refused a complainant access to personal information held on the accounts of several other Facebook users.
At the time, Ms Sanda told NBR, "The commissioner has made a broad and intrusive request for private data. We have a long history of working with the commissioner, and we will continue to request information that will help us investigate this complaint further.”
In a subsequent blog post, Mr Edwards wrote that "Contrary to the claims that my office posed a threat to Facebook users' privacy, Facebook was already in breach of the Privacy Act before the matter was even raised with my office. Facebook’s actions in failing to deal with the request appropriately (note, not in failing to hand over information – we did not once suggest that Facebook was obliged to disclose any post or content, to the individual concerned) constituted an unlawful interference with the requester's privacy."
And in an email to NBR on March 29, he said "Facebook's public response is at best misleading but I’d characterise it as disingenuous. The biggest irony is that if Facebook had complied with the Privacy Act, it would very likely have not had to trawl through customers’ accounts, we wouldn’t have had to issue a statutory demand, and it wouldn’t have objected to the jurisdiction and wouldn’t have had to give any information to the complainant. New Zealand companies get requests like this every day and deal with them within the law. This is a huge Facebook own goal."
Mr Edwards found Facebook had breached NZ's Privacy Act but also bemoaned the current Privacy Act essentially only allows him the option of publically shaming the social network.
The commissioner is seeking wider powers under the Privacy Bill, which is winding its way through Parliament.
Deadman doesn't wear it
Facebook has rejected Mr Edwards' criticism.
In a response (posted in full on the Privacy Commissioner's website), Facebook global deputy privacy officer Stephen Deadman says:
"The case in question is a difficult one. In September last year, the Commissioner notified us of a complaint — a person wanted access to content posted by other users of Facebook that he believes concerns him. The posts were private and the complainant did not know where or when this content had been shared. To locate the content, the Commissioner asked us to search through and disclose the records of seven people's account for a year long period — from August 2016 to August 2017.
"In order to search through and disclose the private messages of people who use Facebook, we need to have a lawful basis to do that. In this case we don’t have that - disclosing the information requested by the OPC [Office of the Privacy Commissioner] would violate Irish data protection law, which is the data protection law that applies to Facebook Ireland, the company that provides the Facebook service in New Zealand."
For his part, Mr Edwards says New Zealand privacy law applies to Facebook's operation's in New Zealand, regardless of where it books its NZ revenue for tax purposes.
Revenue-shifting by Facebook and other multinationals has been widely criticised as tax avoidance.
Legislation currently going through Parliament seeks to crack down on the practice.
All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.
