Thursday, July 16, 2009

Canada Privacy Commissioner: Facebook Violates Privacy Law

A report released today by Canada's Privacy Commissioner finds that Facebook is in violation of PIPEDA, Canada's Personal Information Protection and Electronic Documents Act, and calls upon Facebook to comply with Canadian privacy legislation.

See: Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act, by Elizabeth Denham, Assistant Privacy Commissioner of Canada

A news release from the Office of the Commissioner summarizes the report:

OTTAWA, July 16, 2009 — In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care, the Privacy Commissioner of Canada said today in announcing the results of an investigation into the popular social networking site’s privacy policies and practices.

“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” says Privacy Commissioner Jennifer Stoddart.

...The Privacy Commissioner’s report recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.

The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found.

The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.

The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts – a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The law is clear that organizations must retain personal information only for as long as is necessary to meet appropriate purposes.

Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

“We urge Facebook to implement all of our recommendations to further enhance their site, ensure they are in compliance with privacy law, and ultimately show themselves as models of privacy,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.

CBC News also reports on the Privacy Commissioner's findings today:
Facebook shares personal information with developers who create games and quizzes in a way that breaches Canadian privacy law, the office of the Privacy Commissioner of Canada has found.
The popular social networking site, which is used by 12 million Canadians, doesn't have enough safeguards to prevent those third-party developers from getting "unauthorized" access to users' personal information, said the report released Thursday by assistant privacy commissioner Elizabeth Denham.
The report also found Facebook continues to breach the Personal Information Protection and Electronic Documents Act in three other ways:
  • It keeps information from accounts deactivated by users indefinitely and does not make it clear that users can also choose to delete their accounts rather than just deactivate them. Nor does it explain the difference in its privacy policy.
  • It keeps the profiles of deceased users for "memorial purposes," including this in its terms of use. That means users cannot opt out.
  • It allows users to post personal information about non-users without their consent. For example, it allows them to tag photos and videos of non-users with their names, and provide Facebook with their email addresses to invite them to join the site. It keeps the addresses indefinitely.
