December 5, 2009


By Eugene Oscapella

Eugene Oscapella explains how Facebook agreed to limit the sharing of personal data with application developers. Despite her lack of direct enforcement powers, Canada’s Federal Privacy Commissioner has secured important privacy measures from Facebook, not only for its Canadian users, but for users around the world. At the same time, Jennifer Stoddart became the first privacy commissioner to complete a comprehensive investigation into the privacy practices of the world’s most popular social networking site. Facebook has 12 million users in Canada – one third of the population.

In May 2008, Stoddart’s office received a wide-ranging complaint about Facebook from the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. The complaint, made under Canada’s federal private sector data protection legislation, the Personal Information Protection and Electronic Document Act (PIPEDA), was set out in a detailed, 36-page letter. The letter alleged that Facebook violated the principles of PIPEDA by failing to do the following: identify all the purposes for which it collects users’ personal information; obtain informed consent from users and non-users to all uses and disclosures of their personal information; allow users to use its service without consenting to supply unnecessary personal information; obtain express consent to share users’ sensitive information; allow users who have deactivated their accounts to easily withdraw consent to share information; limit the collection of personal information to that which is necessary for its stated purposes; be up front about its advertisers’ use of personal information and the level of users’ control over their privacy settings; destroy personal information of users who terminate their use of Facebook services; safeguard users’ personal information from unauthorised access; and explain policies and procedures on the range of personal information.

The Privacy Commissioner’s investigation focused on whether Facebook was providing sufficient information for users to give meaningful consent to the collection, use and disclosure of their personal information. This involved examining how Facebook documented its purposes for collecting, using or disclosing such information, and also if Facebook was bringing those purposes to the public’s attention in a “reasonably direct and transparent” way. Retention of personal information was an issue for users who wanted to deactivate or delete their accounts, and for non-users. Concerns were also raised about disclosure of personal information to third-party application developers and about Facebook Mobile, which allows people to use mobile devices to connect to Facebook.

According to Facebook, the service is now used by 65 million people. The complainant alleged that Facebook Mobile failed to safeguard personal information properly. Representatives from the Privacy Commissioner’s office met with Facebook officials on several occasions as the investigation progressed. In July 2009, some 14 months after the complaint was presented to the office, Stoddart issued a press release. “It’s clear,” she said in the release, “that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates.” Assistant Privacy Commissioner Elizabeth Denham, responsible for investigations under PIPEDA, concluded that there was no evidence of any contravention of PIPEDA in four areas raised in the complaint, including alleged deception and misrepresentation. Denham did find that Facebook had contravened PIPEDA in other areas, for example, default privacy settings and the collection and use of users’ personal information for advertising. However, she concluded that Facebook had resolved the problems raised in the allegations. On several other issues, however, Denham found that Facebook activities did not comply with PIPEDA – third party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information.

Here, Facebook did not immediately agree to adopt the Assistant Commissioner’s recommendations. Among her most significant findings was that Facebook did not have adequate safeguards to prevent the excessive sharing of personal information with more than one million third-party developers of popular Facebook applications, including games and quizzes. As well, Facebook was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers. Developers had almost unrestricted access to Facebook users’ personal information and that of their online “friends”.

Privacy Laws & Business International Newsletter, October 2009, Analysis, p. 14

Denham asked Facebook to reconsider her recommendations about these issues and advised that her office would check within the next month for evidence that Facebook had implemented the recommendations or introduced acceptable alternatives. Facebook relented and agreed to redesign its application platform to address the relatively free flow of personal information to application developers around the world. Developers using the platform would also need to adapt their applications. Facebook expected the necessary changes to take a year to implement. Once the changes are implemented, application developers will no longer be able to obtain access to users’ personal information without the users’ explicit consent. The new process will also allow users to control the types of personal information that applications can obtain. Facebook also agreed to changes to help users better understand how their personal information would be used and to make better informed decisions about how widely to share that information. The Commissioner indicated that she would be following up with Facebook as the changes are introduced.

At a press conference in late August, Stoddart praised Facebook for its response to her office’s investigation, stating that Facebook could “show other online companies that you can have an incredibly successful online company that’s responsible and respectful of privacy rights”. Speaking at the same press conference, Denham reminded users that protecting privacy was not Facebook’s responsibility alone. Many of the changes she had been discussing with Facebook, she said, were about empowering users. She encouraged users to learn about and take advantage of the information and mechanisms that Facebook was introducing.

Users of Facebook and other social networking sites, she stressed, have a responsibility to inform themselves about how their personal information will be used and shared. This meant reading privacy policies and using the privacy settings the sites offer. Before an audience of lawyers in Toronto in mid-September, Stoddart noted that her office had been able to obtain significant privacy improvements from Facebook, despite the lack of enforcement powers in PIPEDA.

She reminded the audience that the experience with PIPEDA since it began to come into force in stages in 2001 has been that lack of a direct enforcement power did not prevent her office from securing compliance with the Act. She noted that her office rarely needed to go to court: “Organisations – even giants like Facebook – tend to implement our recommendations. They recognise that it’s the right thing to do.”

The original letter of complaint can be found at
The Commissioner’s letter to the complainant outlining the resolution of the Facebook complaint can be found at let_090827_e.cfm

Eugene Oscapella is a Consultant at
Privacy Laws & Business, Canada
