Privacy Bill will help Kiwis to rein in Facebook
THE latest scandal involving Facebook has renewed public discussion on the potential pitfalls of trusting corporates such as Facebook with personal information.
The current furore stems from Facebook allowing third party app developers to extract personal data about users and their friends from 2007 to 2014.
While Facebook reduced the amount of data available to third parties in 2014, data already extracted by its permitted app developers remained in the possession of developers.
One user, a Cambridge University researcher named Aleksandr Kogan, used an app to extract the information of more than 50 million people and then transferred it to Cambridge Analytica for commercial and political use.
There are several particularly concerning aspects of this revelation. Firstly, Facebook was aware of the data misuse since December 2015, having been advised by The Guardian newspaper. Facebook could have advised individuals whose data was mined by Cambridge Analytical but chose not to do so.
The company offered no explanation for why it did not do this and has only now agreed to inform users whose data was misused in this and any other situations discovered as a result of intense public pressure.
Facebook’s initial response to concerns raised over its lax policies that allowed data harvesting through information shared with ‘‘friends’’ was that users signed up for the app developed by Aleksandr Kogan and everyone involved gave their consent. Only now is Facebook acknowledging that blaming users for not understanding the consequences of the terms of service is simply not sufficient to meet the company’s obligations of privacy protection.
Facebook has also not explained why it enabled so much third party access to its users’ personal information for so many years. It appears that Facebook was building tools that enabled marketing partners to access their users’ data. They also relied on certification by the app developer data had been destroyed when in fact it had not.
The latest revelations have demonstrated that even if you are using Facebook on an occasional basis for posting the odd holiday photos or sharing articles of interest with your ‘‘friends’’, Facebook will know all about your friends, your politics, your education, and similar information in relation to your ‘‘friends’’ as well as websites that you chose to visit, particularly where you chose to ‘‘log in using Facebook’’ as a short cut to accessing third party sites. As a free site, Facebook has to make money somewhere and this collation of information and its potential value to third parties is in essence what Facebook is all about.
On an international level, the public is demanding greater protection for individual privacy and this has seen some new legislative moves in other jurisdictions as well as New Zealand. The Labour Government has moved to implement draft legislation started under the National Government but never enacted. The Privacy Bill tabled by
Justice Minister Andrew Little last week gives increased powers to the Privacy Commissioner, although it does not go as far as the Commissioner would have liked.
Decisions by the Privacy Commissioner in response to privacy complaints will now be binding and the commissioner will have the power to issue compliance notices. This could require an individual or an organisation to undertake certain action or desist from other actions. They can be enforced by the Human Rights Review Tribunal and parties will have a right of appeal to that tribunal.
Another key change is the mandatory requirement to report to the Privacy Commissioner and any affected individuals any unauthorised access to or disclosure of personal information which has caused the individual harm. This could encompass breaches such as the recent Facebook privacy breaches and mining of individuals data.
A further requirement is that New Zealand agencies take reasonable steps to ensure any personal data disclosed overseas will be subject to acceptable privacy standards.
The Bills also creates a criminal offence of obtaining another person’s private information by deceit. It will also be an offence to knowingly destroy documents under request by the Privacy Commissioner.
While the proposed Bill represents a positive step towards increased teeth for the Privacy Commissioner, many practitioners would like to see even more change, including civil penalties for privacy breaches. The Bill is open for public submissions.
A