Facebook Privacy Report by Privacy Commissioner of Canada

In May 2008, University of Ottawa law students and the Canadian Internet Policy and Public Interest Clinic (CIPPIC) in Ottawa filed a complaint with the Office of the Privacy Commissioner of Canada over alleged poor privacy practices by social networking site Facebook. The office of the Commissioner has released its report today. The three biggest concerns found:

  • Facebook’s explanations of privacy are confusing and incomplete;
  • Facebook applications allow application developers access to private information where it is not necessary; and
  • when a Facebook account is deactivated, Facebook still retains personal information. This is in contravention of Canada’s privacy law PIPEDA.

Findings and conclusions from the report:

On four subjects (e.g., deception and misrepresentation, Facebook Mobile), the Assistant Commissioner found no evidence of any contravention of the Act and concluded that the allegations were not well-founded. On another four subjects (e.g., default privacy settings, advertising), the Assistant Commissioner found Facebook to be in contravention of the Act, but concluded that the allegations were well-founded and resolved on the basis of corrective measures proposed by Facebook in response to her recommendations.

On the remaining subjects of third-party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information, the Assistant Commissioner likewise found Facebook to be in contravention of the Act and concluded that the allegations were well-founded. In these four cases, there remain unresolved issues where Facebook has not yet agreed to adopt her recommendations. Most notably, regarding third-party applications, the Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users’ personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.

The Commissioner does warn Canadians to read the privacy statements before signing up for any social networking site, to be aware of the site's policy with regard to privacy, and to sign up only if it is on our terms. We should have the ability to share our information and photos but still be able to keep them private.

The Commissioner’s office has been working with representatives of Facebook on this issue. Facebook has 30 days to show evidence that it is making an effort to comply with the recommendations.

Related links:

News Release: Facebook needs to improve privacy practices, investigation finds (July 16, 2009) – Office of the Privacy Commissioner of Canada

Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act – PIPEDA Case Summary #2009-008 (July 16, 2009) by Elizabeth Denham, Assistant Privacy Commissioner of Canada – Office of the Privacy Commissioner of Canada

Remarks at a Briefing (July 16, 2009) – by Jennifer Stoddart, Privacy Commissioner of Canada

Remarks at a Briefing (July 16, 2009) – by Elizabeth Denham, Assistant Privacy Commissioner of Canada

Backgrounder: Report of Findings with respect to Facebook (July 16, 2009) – Office of the Privacy Commissioner of Canada

Facebook breaches Canadian privacy law: commissioner (July 16, 2009) – CBCnews.ca

University of Ottawa Law Students and CIPPIC File Privacy Complaint Against Facebook (June 2, 2008) – Slaw.ca

(via David T.S. Fraser)


  1. Thanks for the update!

    Out of curiosity, what could the privacy commission do if Facebook doesn’t comply? I know that Facebook has a sales office in Toronto. I imagine they could be influenced somehow.

  2. I’m honestly not sure what specific action they can take (I’m not a privacy expert); however, this report appears to have gotten notice outside of Canada. I noticed it covered on US news and the BBC. I’m wondering if the Commission helps set the standard and other countries will call for compliance also. In that case a lot of governmental pressure could be placed on Facebook.

    It is also bringing this issue to the forefront for average Facebook users, which in the end may be the most effective means of creating change with Facebook.

    Finally, it sounds like Facebook is working with the Privacy Commissioner so hopefully it is a collaborative effort rather than an ultimatum.

  3. I doubt they’ll win smth.. :\

  4. Want to understand what this all means and how to change your Facebook privacy settings now to better protect your personal information? Check out the ACLU of Northern California Facebook Privacy Quiz at http://apps.facebook.com/aclunc_privacy_quiz/

    More info at our blog at http://www.aclunc.org/techblog.

  5. Important developments today

    Here is the announcement from the PrivCom:

    Facebook agrees to address Privacy Commissioner’s concerns

    Privacy Commissioner of Canada satisfied that proposed changes to the social networking site’s privacy practices and policies would bring Facebook into compliance with Canadian law.

    OTTAWA, August 27, 2009 — Facebook has agreed to add significant new privacy safeguards and make other changes in response to the Privacy Commissioner of Canada’s recent investigation into the popular social networking site’s privacy policies and practices.

    The company’s decision to implement the Privacy Commissioner’s recommendations is a positive step towards bringing Facebook in line with the requirements of Canada’s privacy law.  

    “These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected,” says Privacy Commissioner Jennifer Stoddart.

    “This is extremely important. People will be able to enjoy the benefits of social networking without giving up control of their personal information. We’re very pleased Facebook has been responsive to our recommendations.”

    Last month, the Privacy Commissioner issued a report on an in-depth investigation triggered by a complaint from the Canadian Internet Policy and Public Interest Clinic.

    While Facebook took some steps to resolve privacy concerns, the Commissioner remained dissatisfied by Facebook’s response at the end of the investigation. She was particularly concerned about the risks posed by the over-sharing of personal information with third-party developers of Facebook applications such as games and quizzes.

    Facebook was given 30 days to respond to the Commissioner’s report and explain how it would address the outstanding concerns. Following a review of Facebook’s formal response and discussions with company officials, the Commissioner is now satisfied Facebook is on the right path to addressing the privacy gaps on its site.

    “Facebook is promising to make significant technological changes to address the issue we felt was the biggest risk for users – the relatively free flow of personal information to more than one million application developers around the world,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.

    “Application developers have had virtually unrestricted access to Facebook users’ personal information. The changes Facebook plans to introduce will allow users to control the types of personal information that applications can access.”

    An over-arching issue highlighted during the investigation was that the way in which Facebook provides privacy information to users is often confusing or incomplete.

    Facebook agreed to changes to help users to better understand how their personal information will be used and, ultimately, to make more informed decisions about how widely to share that information. The Commissioner has reviewed these improvements and will be following up with Facebook as the changes are implemented.

    The following is an overview of key issues raised during the investigation and Facebook’s response:

    1. Third-party Application Developers

    Issue: The sharing of personal information with third-party developers creating Facebook applications such as games and quizzes raises serious privacy risks. With more than one million developers around the globe, the Commissioner is concerned about a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information, along with information about their online “friends.”

    Response: Facebook has agreed to retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information it wishes to access. Under this new permissions model, users adding an application will be advised that the application wants access to specific categories of information.  The user will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.

    This change will require significant technological changes. Developers using the platform will also need to adapt their applications and Facebook expects the entire process to take one year to implement.

    2. Deactivation of Accounts

    Issue: Facebook provides confusing information about the distinction between account deactivation – whereby personal information is held in digital storage – and deletion – whereby personal information is actually erased from Facebook servers. As well, Facebook should implement a retention policy under which the personal information of users who have deactivated their accounts will be deleted from the site’s servers after a reasonable length of time.

    Response: Facebook has agreed to make it clear to users that they have the option of either deactivating their account or deleting their account. This distinction will be explained in Facebook’s privacy policy and users will receive a notice about the delete option during the deactivation process.

    While we asked for a retention policy, we looked at the issue again and considered what Facebook was proposing. We determined the company’s approach – providing clarity about the options, offering a clear choice, and alleviating the confusion – is acceptable because it will allow users to make informed decisions about how their personal information is to be handled.

    3. Personal Information of Non-users

    Issue:  Facebook should better protect the privacy of non-users who are invited to join the site.

    Response: Facebook agreed to include more information in its terms of use statement. Facebook confirmed that it does not use email addresses to track the success of its invitation feature, nor does it maintain a separate email address list for this purpose.

    4. Accounts of Deceased Users

    Issue: People should have a better way to provide meaningful consent to have their account “memorialized” after their death. As such, Facebook should be clear in its privacy policy that it will keep a user’s profile online after death so that friends can post comments and pay tribute.

    Response: Facebook agreed to change the wording in its privacy policy to explain what will happen in the event of a user’s death.

    Facebook has committed to a timetable for implementing all of the changes, some of which, such as the third-party application changes, are technologically complex. The company has already started to make changes and we expect them to be fully complete within a year.

    “It’s now up to Facebook to demonstrate to us that they are living up to their commitments,” says Assistant Commissioner Denham.

    “With the conclusion of the Facebook investigation, our Office has made clear our expectations for how social networking sites need to protect personal information. Other sites should take note – and take steps to ensure they’re complying with Canadian law.”

    Statements by the Commissioner and Assistant Commissioner are available on the OPC’s website.

    The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

  6. And further comments from the Guardian, the Globe and Mail, and the blog Mashable