Previously, we posted about Facebook’s changes to its Data Use Policy and Statement of Rights and Responsibilities (SRR), as a result of a $20 million class action settlement. Recently, Timothy Pilgrim, the Australian Privacy Commissioner, submitted an open letter to Facebook on behalf of the Office of the Australian Information Commissioner (OAIC). This letter can be found online here.
The Privacy Commissioner’s letter raises four major concerns:
- (User control and association of user information with commercial content) The OAIC requests further clarification as to how users can easily view and control their content in relation to Sponsored Stories (as required by the settlement), given that Facebook has deleted relevant clauses about using such mechanisms;
- (Addition of profile pictures to ‘tag suggestions’ and consent) The OAIC is of the view that profile pictures are likely to constitute ‘sensitive information’ within the meaning of the Privacy Act 1988 (Cth), because they “generally contain information about the racial or ethnic origin of the user, and may reveal other information such as political beliefs, religious beliefs and sexual preferences or practices”. The OAIC contends that using profile pictures in ‘tag suggestions’ is likely to be a secondary use of sensitive information, which may not be permissible in these circumstances given:
  - the OAIC thinks it unlikely that current Facebook users would reasonably expect Facebook to use profile pictures for providing tag suggestions; and
  - the OAIC queries the way in which Facebook is seeking to obtain user consent to this secondary use (outlined below).
- (Consent) The OAIC suggests that relying on ‘implied consent’ may not be sufficient, and that valid consent must be voluntary, informed and current, and the user must have the capacity to understand and communicate their consent. To rely on implied consent, Facebook would need to prove that it has given its users adequate notice with sufficient time and information to make a choice.
- (Direct Marketing) From 12 March 2014, the Australian Privacy Principles will be introduced, including new obligations regarding direct marketing (APP 7). The OAIC urges Facebook to consider the application of the new APPs to its proposed changes.
The proposed changes by Facebook were open to user comment until 5 September 2013. However, the OAIC letter was submitted on 12 September 2013, after this due date. It is unclear whether any of these concerns will be addressed by Facebook, as Facebook has not yet published the final changes to its policies. The OAIC has indicated that if a response from Facebook is received, it will be published on the OAIC website.