On July 16th, the Office of the Privacy Commissioner of Canada released a report of findings into complaints made by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. for alleged breaches of the Personal Information Protection and Electronic Documents Act (PIPEDA). Facebook, as most Canadians know by now, is a major online social networking website that has grown rapidly over the last few years to approximately 250 million users worldwide. Since it is estimated that over a third of the Canadian population is a part of that user base, Facebook’s policies and actions can be considered to be of significant importance to the Privacy Commissioner.
There were 12 major subject areas of complaints made, and the report by the Assistant Privacy Commissioner of Canada, Elizabeth Denham, stated that four were not well-founded and another four were well-founded but resolved by measures agreed to by Facebook. Issues within the following subjects were well-founded but not resolved: third-party applications, account deactivation and deletion, accounts of deceased users, and the personal information of non-users.
Third-party applications are those that have been created by outside developers through the use of the Facebook Platform and that can be added to a user’s profile. These can be anything from games to personality tests to a seemingly endless variety of other products. In order to add one of these to their profile, a user must give their consent to allow the third-party developer access to the information on their profile. Furthermore, the application developer can have access to the information of other users that the adding user has access to, even though the other users may not have added the application themselves. The report states that “[i]n its site literature, Facebook has represented itself as taking little or no responsibility for the activities of third-party application developers”. Despite this finding, Facebook refused the Commissioner’s recommended measures:
“(1) to limit application developers’ access to user information not required to run a specific application;
(2) whereby users would in each instance be informed of the specific information that an application requires and for what purpose;
(3) whereby users’ express consent to the developer’s access to the specific information would be sought in each instance; and
(4) to prohibit all disclosures of personal information of users who are not themselves adding an application.”
Another recommendation that Facebook refused to comply with had to do with account deactivation and deletion, which are two separate actions a user may take. An account may be deactivated from a link on the My Account page, at which point it becomes no longer accessible or searchable by other users of the website and appears essentially non-existent. However, all of the information is stored indefinitely so that if and when the user wishes to reactivate the account, it will appear as if nothing has changed since the time of deactivation. In order for a user to delete their account, along with all of the information it contains, that user must access a link from the Help section (and this information is not available when deactivating an account), though Facebook also noted that it is technically challenging to delete all information. The report states that “[PIPEDA] is clear that organizations must retain personal information only for as long as necessary to fulfil the organization’s purposes”. Facebook disagreed with the measures of setting time limits for retention of information on deactivated accounts and placing links for the procedures to both delete and deactivate an account on the same account settings page.
Facebook was given 30 days to comply with all outstanding requests by the Office of the Privacy Commissioner, and if they are still found to be in breach of PIPEDA at this point the report states that the Commissioner “will then consider how best to address these …issues in accordance with our authorities”. Despite these disagreements, the report commended Facebook for its privacy efforts on a number of fronts. At the same time, the Assistant Commissioner made it clear that her office takes seriously any continued breaches of privacy legislation. In a speech announcing the report, she stated, “[p]eople have every right to share their thoughts, their images and their personal information. But they need to understand what they’re getting into, and to do it on their own terms”.