EU and Canada raise fears over protection afforded by Facebook's privacy policy.

Amid growing public and legislative concerns over online privacy, particularly in relation to the privacy of user-generated content, Facebook has been in the spotlight over its privacy policies. As the company focuses its attention on monetisation of its user network, concerns have been raised by both the European Union and the Canadian government that Facebook's privacy policies give users inadequate protection.

In Europe, a group made up of Europe's data protection and privacy commissioners which acts as an advisory body to the European Commission, the Article 29 working party, has written an unpublished opinion paper which heralds an attempt by regulators to address "open" internet platforms which allow other applications to interface with the platform and make use of the personal data stored on the platform by users. The report recommends that:

  • tighter rules are needed to protect personal data given to third party developers; and
  • developers outside the EU should be subject to the rules irrespective of whether they are located inside or outside the EU.

Closer to home for Facebook, the Canada Privacy Commissioner has recently issued a report stating that, in order to comply with Canadian privacy law, Facebook must take greater responsibility for personal information in its care. Concerns highlighted by the Commissioner in her report include:

  • Facebook's provision of confusing or incomplete information of its privacy practices;
  • users not being given the opportunity to wipe out their accounts, rather than merely deactivating them;
  • a lack of adequate safeguards to restrict third party developers from accessing private profile information;
  • the absence of controls to ensure that developers can only access information necessary to run a specific application; and
  • the absence of controls to prevent disclosure of personal information of any of a user's friends' personal information if those friends are not themselves signed up to the relevant application.

Facebook does seem willing to engage with debate in the area: it recently announced that it will be introducing additional privacy features to its service to address some of the concerns in this area. As a step in the right direction, at the end of July the company announced new rules for the way platform ad networks can incorporate user photos. These rules now stipulate that, regardless of whether data is sent to ad networks, ads that display user data are not allowed onto Facebook unless specifically approved by the company (while it explores how to better enable the ads). However, its recently revamped privacy controls appear to have taken a significant step in the other direction: the privacy setting page now gives users the prominent option of sharing their information with "Everyone", with a note at the top of the page that "Everyone" means "everyone on the internet".

Given its vast user base and users' willingness to share significant amounts of personal information with their friends online, Facebook is likely to remain at the centre of the online privacy debate for some time as the online industry, the regulators, and the public seek to find common ground.