The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Privacy Calendar

Links

RSS FEED for this site

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, July 16, 2009

Canadian Privacy Commissioner calls on Facebook to improve privacy practices

The Privacy Commissioner of Canada has determined that Facebook needs to improve its privacy practices to comply with Canadian privacy laws.

The Report is here: Commissioner’s Findings - PIPEDA Case Summary #2009-008: Report of Findings: CIPPIC v. Facebook Inc. - July 16, 2009.

Here's the media release:

News Release: Facebook needs to improve privacy practices, investigation finds - July 16, 2009
Privacy Commissioner recommends steps to ensure social networking site better protects the privacy of users and meets the requirements of Canadian privacy legislation
OTTAWA, July 16, 2009 — In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care, the Privacy Commissioner of Canada said today in announcing the results of an investigation into the popular social networking site’s privacy policies and practices.
“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” says Privacy Commissioner Jennifer Stoddart.
The investigation, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, identified several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law.
An overarching concern was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers.
The Privacy Commissioner’s report recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.
The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found.
The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.
The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts – a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The law is clear that organizations must retain personal information only for as long as is necessary to meet appropriate purposes.
Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.
Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.
“We urge Facebook to implement all of our recommendations to further enhance their site, ensure they are in compliance with privacy law, and ultimately show themselves as models of privacy,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.
“Social networking sites can be a wonderful way to connect. They help us keep up with friends and share ideas and information with people around the globe. It is important for these sites to be in compliance with the law and to maintain users’ trust in how they collect, use and disclose our personal information.”
The Office of the Privacy Commissioner will review after 30 days the actions Facebook takes to comply with the recommendations. The Commissioner is empowered to go to Federal Court to seek to have her recommendations enforced.
“The privacy issues stemming from social networking sites are still relatively new. All of us – social networking sites, users and data protection authorities – are only beginning to develop the appropriate rules of engagement in this new world of online communication,” says Assistant Commissioner Denham. “The findings of our Facebook investigation are an important contribution to the development of these rules.”
While the investigation recommendations are aimed at Facebook, Assistant Commissioner Denham said users of social networking sites also have responsibilities.
“We asked Facebook to clearly advise users about its privacy practices, but it’s still up to the user to actually read it and use the privacy tools to control how their information is shared,” she says. As a result of the investigation, Facebook has announced a new privacy tool for its site, which is aimed at giving users more control over who gets to see each item on their Facebook page.
A detailed report on the Facebook investigation is available at www.priv.gc.ca. The website also includes information about some of the other work the Privacy Commissioner’s Office has done on social networking, including guidelines for employers and public education materials.
The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.