The Myth of “Private” Facebook Groups

Recently a Facebook group that was informal, member-driven, and private became the subject of a legal ruling under the Privacy Act 2020 ('Landlords only' FB group admin must pay $7500 for ignoring privacy request). The case involving the “Bad Tenants, New Zealand (Landlords Only)” group, and the $7,500 award against its administrator for failing to comply with a privacy request.‍

Personal information about an individual was being collected and shared within the group. The individual concerned made a privacy request that was ignored and ultimately resisted. The Office of the Privacy Commissioner then issued an access direction to the admin of the group which also was not obeyed. The case went to the Human Rights Review Tribunal who ruled a Facebook group, however informal, can constitute an “agency” if it collects and uses personal information and therefore needs to comply with the Privacy Act.‍

When you then consider the upcoming changes for IPP3A this ruling becomes even more interesting as the group’s operation depends on the circulation of information about individuals who are not members, not aware of the sharing, and not able to respond about an incorrect information shared. ‍ ‍

IPP3A addresses situations where personal information is collected indirectly, that is from sources other than the individual concerned. It requires that reasonable steps be taken to ensure the individual is aware that information is being collected about them, the purpose of that collection, and their rights of access and correction.  Therefore, in this case it would require a privacy statement to be supplied to each individual whose information is shared by a group member unless one of the exemptions applies.

‍In this groups case information appears to have been contributed by landlords about tenants, without any systematic mechanism to notify those individuals. In effect, the group relies on a form of asymmetry: participants benefit from shared knowledge, while those being discussed remain unaware of both the existence and the content of that information. IPP3A challenges precisely this dynamic. It does not accept lack of awareness as a neutral condition; instead, it treats it as something that must, in most cases, be addressed.

For participants, especially admins, in such groups the recent ruling has practical implications. Activities that may be perceived as routine, sharing experiences, warning others, documenting interactions, can in aggregate, amount to the collection and use of personal information in a legally significant sense. Compliance, therefore, cannot be treated as optional or context dependent. At a minimum, there must be an awareness of privacy requests, and a willingness to respond to them appropriately. Prior to May there must be consideration of whether indirect collection triggers obligations under IPP3A, including the need to notify affected individuals.‍

This case is interesting in that it shows how far privacy obligations now stretch into our daily digital lives. The privacy obligations have not changed in substance, rather their application has extended into spaces where they were previously overlooked or underestimated. IPP3A, in particular, reinforces the expectation that transparency is not contingent on being asked if a group hold personal information.‍‍