On July 16th, the Office of the Privacy Commissioner of Canada released a report of findings into complaints made by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. for alleged breaches of the Personal Information Protection and Electronic Documents Act (PIPEDA). Facebook, as most Canadians know by now, is a major online social networking website that has grown rapidly over the last few years to approximately 250 million users worldwide. Since it is estimated that over a third of the Canadian population is a part of that user base, Facebook’s policies and actions can be considered to be of significant importance to the Privacy Commissioner.
There were 12 major subject areas of complaints made, and the report by the Assistant Privacy Commissioner of Canada, Elizabeth Denham, stated that four were not well-founded and another four were well-founded but resolved by measures agreed to by Facebook. Issues within the following subjects were well-founded but not resolved: third-party applications, account deactivation and deletion, accounts of deceased users, and the personal information of non-users.
Third-party applications are those that have been created by outside developers through the use of the Facebook Platform and can be added to a user’s profile. These can be anything from games to personality tests to a seemingly endless variety of other products. In order to add one of these to their profile, a user must give their consent to allow the third-party developer access to the information on their profile. Furthermore, the application developer can have access to the information of other users that the adding user has access to, even though those other users may not have added the application themselves. The report states that “[i]n its site literature, Facebook has represented itself as taking little or no responsibility for the activities of third-party application developers”. Despite this finding, Facebook refused the Commissioner’s recommended measures:
“(1) to limit application developers’ access to user information not required to run a specific application;
(2) whereby users would in each instance be informed of the specific information that an application requires and for what purpose;
(3) whereby users’ express consent to the developer’s access to the specific information would be sought in each instance; and
(4) to prohibit all disclosures of personal information of users who are not themselves adding an application.”
Another recommendation that Facebook refused to comply with had to do with account deactivation and deletion, which are two separate actions a user may take. An account may be deactivated from a link on the My Account page, at which point it is no longer accessible or searchable by other users of the website and appears essentially non-existent. However, all of the information is stored indefinitely so that if and when the user wishes to reactivate the account, it will appear as if nothing has changed since the time of deactivation. In order for a user to delete their account, along with all of the information it contains, that user must access a link from the Help section (and this information is not available when deactivating an account), though Facebook also noted that it is technically challenging to delete all information. The report states that “[PIPEDA] is clear that organizations must retain personal information only for as long as necessary to fulfil the organization’s purposes”. Facebook disagreed with the recommended measures of setting time limits for the retention of information on deactivated accounts and placing links to the procedures for both deleting and deactivating an account on the same account settings page.
When a user dies and has not shared their login information with anyone else, the account cannot be deactivated or deleted from within. If notified by friends or family that the account’s user is no longer alive, Facebook will usually “memorialize” the profile, which used to be explained in its old Terms of Use with the following statement: “When we are notified that a user has died, we will generally, but are not obligated to, keep the user’s account active under a special memorialized status for a period of time determined by us to allow other users to post and view comments.” Although this process continues, there no longer seems to be any meaningful consent for it, only a description in the Help section. Though at first the Assistant Commissioner believed that an opt-out procedure for the memorializing of profiles should be implemented, she later found that, based on the reasonable expectations of users, such a process would likely be welcome, in which case Facebook could rely on the continuing implied consent of its users to justify the lack of explicit agreement. Oddly enough, Facebook refused to comply with the simple recommendation to “include in its Privacy Policy, in the context of all intended uses of personal information, an explanation of the intended use of personal information for the purpose of memorializing the accounts of deceased users”, stating that it does not believe that memorializing constitutes a new use of the information collected under PIPEDA.
The final subject that was deemed in the report to be well-founded, but which Facebook refused to comply with, had to do with the personal information of non-users. Users may routinely post personal information of non-users, such as when writing on a friend’s profile page or tagging an uploaded photo (whereby an individual’s image is indicated and outlined within a photo). The Assistant Commissioner stated that “I was mindful of a clear distinction between activities conducted by Facebook users for strictly personal reasons and activities in which Facebook itself is involved”, and that “[PIPEDA] would apply only where Facebook uses non-users’ personal information for purposes of its own”. So in cases where a non-user is tagged in a photo and an e-mail invitation to join the site is then sent out to that non-user, the report stated that Facebook had a duty to exercise due diligence in making sure that its users obtained consent to post the personal information of non-users, which meant “not only informing users clearly of the consent requirement in the Privacy Policy, but also notifying them of the requirement at each instance of disclosing non-users’ email addresses to Facebook”. The report also recommended that Facebook set a time limit for retaining the e-mail addresses to which its users sent invites; Facebook uses these addresses for the purposes of providing an invitation history to its users and documenting the success of its referral program. Facebook declined to follow the measures recommended by the Assistant Privacy Commissioner.
Facebook was given 30 days to comply with all outstanding requests by the Office of the Privacy Commissioner, and if they are still found to be in breach of PIPEDA at this point the report states that the Commissioner “will then consider how best to address these …issues in accordance with our authorities”. Despite these disagreements, the report commended Facebook for its privacy efforts on a number of fronts. At the same time, the Assistant Commissioner made it clear that her office takes seriously any continued breaches of privacy legislation. In a speech announcing the report, she stated, “[p]eople have every right to share their thoughts, their images and their personal information. But they need to understand what they’re getting into, and to do it on their own terms”.