E-TIPS®

Facebook Breaches Canadian Privacy Law, Says Federal Privacy Commissioner

After a 14-month investigation, the Office of the Privacy Commissioner of Canada (“Office”) has concluded that Facebook breaches Canadian privacy law. The investigation was initiated by the Office after the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) filed a Complaint in May 2008 against Facebook.

Under the Personal Information Protection and Electronic Documents Act, the Office oversees private sector privacy law. In particular, the Office investigates complaints with respect to the private sector and issues reports with recommendations to resolve complaints, much like the Federal Trade Commission in the US. The Office may resolve complaints by pursuing legal action before Federal Courts.

The Office’s report identified a number of ways that Facebook currently breaches Canadian privacy law.

The investigation found that Facebook lacks adequate safeguards to restrict the disclosure of personal information to third-party developers who create Facebook applications. The Office recommended that Facebook implement technological measures to restrict developers’ access to only the personal information necessary to run a specific application, and obtain the express consent of users to provide their personal information to third-party developers.

Facebook indefinitely retains personal information of users who have deactivated their accounts. The Office recommended that Facebook adopt a retention policy to delete personal information in deactivated accounts after a reasonable length of time.

Facebook was found to retain user profiles of deceased users for memorial purposes, but failed to clearly inform users of such a purpose. The Office recommended that Facebook include an explanation of this practice in its Privacy Policy.

The investigation found that users can provide personal information of non-users without their consent, by “posting” it or by identifying an image of a non-user by name in a picture or video. The Office recommended that Facebook inform users to obtain consent of non-users before providing their personal information.

Facebook was also found to indefinitely retain the e-mail addresses of non-users invited to join Facebook. The Office recommended that Facebook limit retention of such e-mail addresses to a reasonable length of time.

The investigation identified several other privacy concerns, which were resolved by Facebook. Several allegations in CIPPIC’s Complaint were dismissed by the Office as not well-founded.

For the Office of the Privacy Commissioner of Canada’s Report of Findings, visit:

http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm

Summary by: Lauren Lodenquai
