The Federal Privacy Commissioner has issued a sweeping decision based on a complaint filed against Facebook for various violations of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Filed in the spring of 2008 by CIPPIC, the complaint alleged that Facebook was in violation of PIPEDA’s privacy protections.
While it remains to be seen how cooperative Facebook will be in complying with all aspects of the decision, and how the Commissioner might ultimately enforce the order against an American company, the decision sends a clear message that the privacy rights of Canadians must be respected in the increasingly important world of online social media sites, even where the data is being held outside of Canada.
The Commissioner found that with regard to the claims of New Uses of Personal Information, Collection of Personal Information from Sources Other than Facebook, Facebook Mobile and Safeguards, and Deception and Misrepresentation, CIPPIC’s allegations were not well-founded. With regard to the claims for Collection of Date of Birth, Default Privacy Settings, Advertising, and Monitoring for Anomalous Activity, the complaints were upheld as well-founded and resolved (based on corrective measures already proposed by Facebook).
But there are several areas where the complaints were upheld and are still outstanding, including Third-Party Applications, Account Deactivation and Deletion, Accounts of Deceased Users, and Personal Information of Non-Users. These are the four areas which are potentially the most contentious. Specifically, the Commissioner is making the following recommendations (paragraph 383) with respect to these four issues:
Third-Party Applications
- That Facebook consider and implement measures
  - to limit application developers’ access to user information not required to run a specific application;
  - whereby users would in each instance be informed of the specific information that an application requires and for what purpose;
  - whereby users’ express consent to the developer’s access to the specific information would be sought in each instance; and
  - to prohibit all disclosures of personal information of users who are not themselves adding an application.
Account Deactivation and Deletion
- That Facebook develop, institute, and inform users of, a retention policy whereby the personal information of users who have deactivated their accounts will be deleted from Facebook’s servers after a reasonable length of time.
Accounts of Deceased Users
Personal Information of Non-Users
- That Facebook consider and implement measures to improve its invitation feature so as to address our Office’s concerns about non-users’ lack of knowledge and consent to Facebook’s collection, use, and retention of their email addresses;
- That Facebook set a reasonable time limit on the retention of non-users’ email addresses for purposes of tracking invitation history and the success of the referral program.
The Commissioner has given Facebook 30 days to reconsider these remaining recommendations. It will be interesting to see whether they comply or push the Commissioner to the next stage in the federal courts. Regardless of the outcome, the students and staff at CIPPIC have done an excellent job on this file and should be commended for their ongoing work on behalf of privacy rights in Canada.