Facebook Not Complying with Canadian Privacy Law: Report

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

In order to comply with Canadian privacy law, popular social networking website operator Facebook must take greater responsibility for the personal information in its care, according to Canadian Privacy Commissioner Jennifer Stoddart.

On July 16, Stoddard released a report detailing the results of an investigation into Facebook’s privacy policies and practices.

The investigation was prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, a public-interest legal clinic based at the University of Ottawa. Stoddart said that the investigation identified several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law.

Privacy Information Confusing or Incomplete

An overarching concern was that information provided by Facebook about its privacy practices was often confusion or incomplete. For example, the “account settings” page described how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers.

The Privacy Commissioner’s report recommends more transparency to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.

Access by Third Parties

The investigation also found that Facebook lacks adequate safeguards to effectively restrict third-party application developers from accessing users’ profile information, the investigation found.

The report recommended technological measures to ensure that developers can access only the user information actually required to run a specific application and to prevent the disclosure of personal information of any of the user’s friends who are not themselves sighing up for an application.

Deactivated Accounts

The Privacy Commission also recommended that Facebook change its policy of indefinitely keeping the personal information of people who have deactivated their accounts. According to the report, the practice violates Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA). To comply with PIPEDA, Facebook should delete personal information in deactivated accounts after a reasonable length of time.

The Office of the Privacy Commissioner will review after 30 days the actions Facebook takes to comply with the recommendations. The Commissioner is empowered to go to Canadian federal court to seek to have her recommendations enforced.

Text of the Privacy Commissioner’s report appears at CCH Privacy Law in Marketing ¶60,350.