Thursday, July 16, 2009

Canadian Privacy Commissioner calls on Facebook to improve privacy practices

The Privacy Commissioner of Canada has determined that Facebook needs to improve its privacy practices to comply with Canadian privacy laws.

The Report is here: Commissioner’s Findings - PIPEDA Case Summary #2009-008: Report of Findings: CIPPIC v. Facebook Inc. - July 16, 2009.

Here's the media release:

News Release: Facebook needs to improve privacy practices, investigation finds - July 16, 2009

Privacy Commissioner recommends steps to ensure social networking site better protects the privacy of users and meets the requirements of Canadian privacy legislation

OTTAWA, July 16, 2009 — In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care, the Privacy Commissioner of Canada said today in announcing the results of an investigation into the popular social networking site’s privacy policies and practices.

“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” says Privacy Commissioner Jennifer Stoddart.

The investigation, prompted by a complaint from the Canadian Internet Policy and Public Interest Clinic, identified several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law.

An overarching concern was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers.

The Privacy Commissioner’s report recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.

The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found.

The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.

The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts – a violation of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law. The law is clear that organizations must retain personal information only for as long as is necessary to meet appropriate purposes.

Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.

Facebook has agreed to adopt many of the recommendations stemming from the Privacy Commissioner’s investigation or, in some cases, has proposed reasonable alternatives to the measures recommended. However, there remain a number of recommendations that Facebook has not yet agreed to implement.

“We urge Facebook to implement all of our recommendations to further enhance their site, ensure they are in compliance with privacy law, and ultimately show themselves as models of privacy,” says Assistant Commissioner Elizabeth Denham, who led the investigation on behalf of the Office.

“Social networking sites can be a wonderful way to connect. They help us keep up with friends and share ideas and information with people around the globe. It is important for these sites to be in compliance with the law and to maintain users’ trust in how they collect, use and disclose our personal information.”

The Office of the Privacy Commissioner will review after 30 days the actions Facebook takes to comply with the recommendations. The Commissioner is empowered to go to Federal Court to seek to have her recommendations enforced.

“The privacy issues stemming from social networking sites are still relatively new. All of us – social networking sites, users and data protection authorities – are only beginning to develop the appropriate rules of engagement in this new world of online communication,” says Assistant Commissioner Denham. “The findings of our Facebook investigation are an important contribution to the development of these rules.”

While the investigation recommendations are aimed at Facebook, Assistant Commissioner Denham said users of social networking sites also have responsibilities.

“We asked Facebook to clearly advise users about its privacy practices, but it’s still up to the user to actually read it and use the privacy tools to control how their information is shared,” she says. As a result of the investigation, Facebook has announced a new privacy tool for its site, which is aimed at giving users more control over who gets to see each item on their Facebook page.

A detailed report on the Facebook investigation is available at www.priv.gc.ca. The website also includes information about some of the other work the Privacy Commissioner’s Office has done on social networking, including guidelines for employers and public education materials.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

No comments: