Facebook’s Remedial Efforts Get Passing Grade from Privacy Commissioner

Articles

As students head back to campus this September, much of their attention will be directed towards making and reconnecting with friends, both in person and on social networking sites such as Facebook. Facebook’s popularity and versatility mean that in addition to online socializing, many students (as well as educators and administrators) have come to rely on Facebook as a convenient method of exchanging ideas and information. Thanks to the Office of the Privacy Commissioner of Canada (“OPC”), the more than 200 million Facebook users worldwide will soon have greater privacy protection and greater control over their personal data.

A complaint regarding privacy concerns raised by the Canadian Internet Policy and Public Interest Clinic prompted the OPC to launch an in-depth investigation into Facebook’s privacy practices and policies. The investigation was conducted under the Personal Information Protection and Electronic Documents Act (“PIPEDA”), which is federal legislation regulating privacy in the private sector.

In July, the OPC issued its report which detailed its major outstanding privacy concerns. The primary concern was the risk to Facebook users resulting from the “over-sharing” of their personal information with third party application developers who create Facebook’s popular games and quizzes. Additional concerns raised included the indefinite storage of personal information for deactivated accounts and the privacy of non-users’ personal information.

Although the OPC was initially dissatisfied with Facebook’s response to the concerns raised in its investigation, the parties continued to work closely together and Facebook has now agreed to make significant additional changes in several key areas.

Third-Party Developers

Until now, third-party developers (located in 180 countries around the world) who develop applications such as quizzes and games have been able to collect virtually unlimited personal information about Facebook users who download such applications, as well as the personal information of those users’ “Friends” regardless of whether or not those Friends use the applications themselves.

Facebook now plans to introduce a new permissions model which will prohibit third-party developers from accessing personal information without the express consent of the user. Personal information will be separated into categories and Facebook users will soon be able to control which categories of information an application is allowed to access. Developers will also have to provide information on how they will use the information collected.

In addition, application developers will no longer have unfettered access to the Friends of users who add applications. Users will have to provide express consent for the application to access the personal information of their Friends and those Friends will further be able to limit access to their personal information by blocking certain or all applications.

Deactivation of Accounts

Currently, the difference between “account deactivation” (whereby personal information is stored indefinitely) and “account deletion” (whereby personal information is deleted from Facebook’s servers) is confusing.

Facebook has agreed to clarify the distinction and to notify users of the “account deletion” option during the deactivation process. While the OPC had originally pushed for a retention policy limiting the amount of time that deactivated information would be retained, it agreed to back down from this requirement provided that users were given a clear choice that would allow them to make an informed decision about the retention of their personal information.

Accounts of Deceased Users

To properly allow for accounts of deceased users to be “memorialized”, Facebook will revise its privacy policy to clarify that users’ profiles will be maintained after death in order to allow Friends to pay tribute.

Personal Information of Non-users

Facebook will clarify that users can only provide a non-user’s email address to Facebook (such as through the invitation feature) if they have the non-user’s consent. Facebook also confirmed that it does not use or maintain a separate list of non-users’ email addresses.

Facebook Advertising

Facebook uses the personal information of its users for two types of targeted advertising on its site: “Facebook ads” (which use information in a user’s profile to target ads, and are viewed only by the targeted user) and “social ads” (which are triggered by a user’s actions, such as becoming a fan or joining a group, and are seen by other users). The OPC found social ads to be more intrusive, as they make use of a user’s personal information to promote products and services and may give the impression that the user is providing an endorsement. Users can opt out of social ads but not Facebook ads. In light of the OPC’s concerns over informed consent, Facebook has agreed to clarify its policies on targeted advertising for users.

Default Privacy Settings

Facebook will introduce new default privacy settings that will allow users to select a low, medium or high privacy setting, and will also allow users to configure privacy settings on each piece of content. Once implemented, all users will be required to review their existing privacy settings.

Changes in all of these key areas are already underway, but will likely take up to a year to fully implement as they require technologically complex modifications. At a recent press conference, Privacy Commissioner Jennifer Stoddart stated “We’re satisfied that, with these changes, Facebook is on the way to meeting the requirements of Canada’s privacy law.” However, Assistant Commissioner Elizabeth Denham also warned that other social networking sites “should take note – and take steps to ensure they’re complying with Canadian law”.

From a privacy standpoint, such additional control is a positive step that will allow people to benefit from social networking on Facebook without relinquishing control of their personal information. Ultimately, armed with new privacy protection tools, it is up to individual users to take responsibility for the protection of their own personal information in social networking settings.