The office of the Privacy Commissioner says Facebook has breached New Zealand's Privacy Act over its failure to provide information it held about several people.
Facebook refused a complainant access to personal information held on the account of several Facebook users, the Commission said in a statement, after the company said the Act did not apply to it.
Commissioner John Edwards said the Act does, in fact, apply to Facebook, and said it had "fundamentally failed to engage with the Act" and that it "must comply".
"Facebook's position that the Privacy Act did not apply to it was surprising and contrary to its own Data Policy in regards to responding to legal requests for any personal information it held," the Commission wrote.
"The Commissioner's view is that Facebook is subject to the Privacy Act because it operates in New Zealand and provides services to New Zealanders."
In response, Facebook's Australasian head of communications Antonia Sanda said they had rejected a "broad and intrusive" request for private data from the Privacy Comissioner, and were unpleased with the censure.
"We are disappointed that the New Zealand Privacy Commissioner asked us to provide access to a year's worth of private data belonging to several people and then criticised us for protecting their privacy," Ms Sanda said.
"We scrutinise all requests to disclose personal data, particularly the contents of private messages, and will challenge those that are overly broad."
Facebook refused to provide information to the Commission, it said, which was a breach of Section 91 and 92 of the Act.
"This prevented the Commissioner from being able to address the complaint."
"The Commissioner's investigations are almost always confidential, but he considers it necessary to publicly identify Facebook in order to highlight its demonstrated unwillingness to comply with the law, and to inform the New Zealand public of Facebook's position."