The Canadian Press discusses a new report from Jennifer Stoddart, the Privacy Commissioner of Canada, looking into a complaint (pdf) against Facebook that was filed last year by the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”). CIPPIC claims Facebook has violated the Personal Information Protection and Electronic Documents Act (“PIPEDA”) by failing to: identify the purposes for which the personal data of users is collected (including the data’s use by third-party advertisers); obtain consent for all collection, use, and disclosure of user and non-user data; inform users that Facebook monitors what it calls “anomalous behavior”; or properly secure the data collected, used, and disclosed.
CIPPIC also accuses Facebook of “misrepresent[ing] the level of control available to Users over personal information.” Though one of Facebook’s core principles is: “You should have control over your personal information,” the group notes, “Users are not even permitted to opt out of certain kinds of information sharing.”
After completing the investigation into Facebook’s practices, the Commissioner found: on four subjects (including deception and misrepresentation, Facebook Mobile), the allegations were not well-founded; on four other subjects (including default privacy settings, advertising), the allegations were well-founded, but were “resolved on the basis of corrective measures proposed by Facebook in response to her recommendations”; and, as to the final four subjects at issue (third-party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information), the allegations were well-founded and Facebook was found to be “in contravention of the Act.”
The report states, “In these four cases, there remain unresolved issues where Facebook has not yet agreed to adopt her recommendations.” The report emphasizes, “Most notably, regarding third-party applications, the Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users’ personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.”
The Canadian Press reports:
Facebook lacks proper safeguards to prevent independent developers of games and other applications from seeing users’ profile information, along with details about their online “friends,” the investigation found.
The report recommends technological measures to ensure developers have access only to the user information actually required to run a specific application. It also says Facebook should prevent disclosure of personal information of any of the user’s friends who are not themselves signing up for the application, unless they consent.
Facebook hasn’t agreed to the recommendations on third-party access.
However, Facebook agreed to more fully explain the advertising used to generate revenue and to inform members that their profile information is used to decide which ads to feature.
The Commissioner will follow up with Facebook in 30 days concerning the four unresolved, well-founded allegations of violations of PIPEDA. The Commissioner has the option of taking the case to court to force Facebook to implement the recommendations.