In May 2008, University of Ottawa law students and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) in Ottawa filed a complaint with the Office of the Privacy Commissioner of Canada over alleged poor privacy practices by social networking site Facebook. The office of the Commissioner has released its report today. The three biggest concerns found:
- Facebook’s explanations of privacy are confusing and incomplete;
- Facebook applications allow application developers access to private information where it is not necessary; and
- when a Facebook account is deactivated, Facebook still retains personal information. This is in contravention of Canada’s privacy law PIPEDA.
Findings and conclusions from the report:
On four subjects (e.g., deception and misrepresentation, Facebook Mobile), the Assistant Commissioner found no evidence of any contravention of the Act and concluded that the allegations were not well-founded. On another four subjects (e.g., default privacy settings, advertising), the Assistant Commissioner found Facebook to be in contravention of the Act, but concluded that the allegations were well-founded and resolved on the basis of corrective measures proposed by Facebook in response to her recommendations.
On the remaining subjects of third-party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information, the Assistant Commissioner likewise found Facebook to be in contravention of the Act and concluded that the allegations were well-founded. In these four cases, there remain unresolved issues where Facebook has not yet agreed to adopt her recommendations. Most notably, regarding third-party applications, the Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users’ personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.
The Commissioner does warn Canadians to read the privacy statements before signing up for any social networking site, be aware of their policy with regard to privacy, and only sign up if it is on our terms. We should have the ability to share our information and photos but still be able to keep them private.
The Commissioner’s office has been working with representatives of Facebook on this issue. Facebook has 30 days to show evidence that it is making an effort to comply with the recommendations.
News Release: Facebook needs to improve privacy practices, investigation finds (July 16, 2009) – Office of the Privacy Commissioner of Canada
Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act – PIPEDA Case Summary #2009-008 (July 16, 2009) by Elizabeth Denham, Assistant Privacy Commissioner of Canada – Office of the Privacy Commissioner of Canada
Remarks at a Briefing (July 16, 2009) – by Jennifer Stoddart, Privacy Commissioner of Canada
Remarks at a Briefing (July 16, 2009) – by Elizabeth Denham, Assistant Privacy Commissioner of Canada
Backgrounder: Report of Findings with respect to Facebook (July 16, 2009) – Office of the Privacy Commissioner of Canada
Facebook breaches Canadian privacy law: commissioner (July 16, 2009) – CBCnews.ca
University of Ottawa Law Students and CIPPIC File Privacy Complaint Against Facebook (June 2, 2008) – Slaw.ca
(via David T.S. Fraser)