An Austrian student studying law in Silicon Valley has raised serious flags about Facebook’s lack of adherence to privacy law and disclosure regulation.
Max Schrems used EU privacy and personal data statute to request his personal user data from Facebook international headquarters in Ireland. The first round of disclosure from Facebook was devoid of much of the detailed information that the social network tracks. But more concerning was that when Facebook provided fuller user data, it contained items that Schrems had deleted from his profile, such as automatic tags or chat messages; this was information that Facebook was legally required to remove from its database.
Schrems then successfully encouraged thousands of other Europeans to demand their user records and launched the organization Europe v Facebook to raise awareness of and funds for his fight to demand greater privacy and disclosure from Facebook.
Facebook responded with – or coincidentally announced – proposed updates to its Data Use Policy and governance procedures under a letter posted in the Facebook Newsroom from Elliot Schrage, VP Communications, Public Policy and Marketing.
The letter, titled “Proposed Updates to our Governing Documents”, allowed for user comments until 9 AM PST on November 28, 2012. In terms of privacy, the letter calls out pro-privacy and pro-disclosure changes like their new “Ask the Chief Privacy Officer” page, Facebook “Live Events” to answer privacy questions and additional Data Use Policy updates such as reminders “about what’s visible to other people on Facebook.” In terms of governance, the proposed changes eliminated user voting rights.
Both sets of changes stimulated backlash. The privacy changes inspired a much-mocked viral Facebook post of pseudo-legalese that users seemed to believe would protect them from privacy and copyright breaches by Facebook. The removal of member voting rights sparked uproar by users and pundits alike.
Putting aside the red herring that is disenfranchisement (a right that few people used anyway), the lack of substantive privacy and disclosure remains troubling.
The privacy changes put forward by Facebook are cosmetic and unnecessarily security-centric. In short, they are retail politics. As Schrems and those coalescing around him will tell you, users don’t need Facebook to protect them from privacy breaches by other citizens; they need governments to protect them from privacy breaches by Facebook.
The question for Canadians is whether, like the EU, we are entitled to request access to the full gamut of information collected about us, and whether sites like Facebook are obligated to purge information that we have chosen to delete.
Though slow and much-criticized, freedom of information acts and access to information protections generally guarantee that government organizations provide information to citizens on demand. Private institutions like Facebook are not subject to these requests.
The Personal Information Protection and Electronic Documents Act (PIPEDA) was constructed in a pre-Facebook world and focuses more on preventing an organization from releasing information about a citizen than it does on laying out the depths to which an organization is obligated to provide information to citizens about their individual profiles on request.
Similarly, S.9 of PIPEDA prevents the release of personal information if doing so would reveal personal information about a third party. In the world of social networking, how many degrees of separation in Facebook data sufficiently satisfy this requirement, and could Facebook lawyers use this as a shield to prevent requests by Canadians to view their profile information?
PIPEDA establishes the Privacy Commissioner as the ombudsperson for complaints and concerns, but the Privacy Commissioner’s office seems slow to grasp the technologies of and data amalgamated by Facebook. This 2012 release from the office shows they remained distracted by the same shiny security and retail politics material that populated the recent Facebook Newsroom post from VP Schrage.
Luckily, the Information and Privacy Commissioner is decidedly more in tune with privacy and disclosure needs, as evidenced by last month’s white paper Privacy by Design and the Emerging Personal Data Ecosystem.
Unfortunately, no wealth of suggestions from either privacy commissioner will fill the gap between the EU and Canada in terms of legal tools available to hold Facebook to account for what personal information it retains, for how long or how much it should disclose to users.
Denise Brunsdon is a JD/MBA Candidate at Western University.