On August 27, 2009, the Office of the Privacy Commissioner of Canada (OPC) announced that Facebook, the world’s largest social networking site, has agreed to make significant changes to the manner in which it collects and safeguards the personal information of individuals. This agreement, reached over one year after the original complaint against Facebook was made, is significant not only as it relates to Facebook’s operations, but also for the clear message it sends to all organizations, both Canadian and foreign, that compliance with Canada’s privacy laws must not be taken lightly.

Background

The OPC’s investigation into the practices of Facebook was initiated in response to a complaint filed with the OPC by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) dated May 30, 2008[1]. In its complaint, CIPPIC alleged that Facebook was engaged in "unnecessary and non-consensual collection and use of personal information" and, in doing so, was in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The complaint focused on 12 areas in which CIPPIC alleged that Facebook was not compliant with PIPEDA. Some of the areas identified in the complaint were the collection of date of birth, default privacy settings, disclosure of personal information through third party applications, account deactivation and deletion, use of personal information of deceased users, and the collection of personal information of non-users.

Report of Findings

Following the OPC’s investigation into the allegations made by CIPPIC, which included consultations with and representations by Facebook, the OPC released its "Report of Findings" on July 16, 2009. In the Report of Findings, the OPC stated that, on four of the twelve subjects identified in the complaint (i.e. new uses of personal information, collection of personal information from sources other than Facebook, Facebook Mobile safeguards, and deception and misrepresentation), it found no evidence of contravention of PIPEDA. With respect to another four subjects identified in the complaint (i.e. collection of date of birth, default privacy settings, advertising, and monitoring of anomalous activity), the OPC concluded that the allegations were well-founded, but that they had been resolved by corrective actions taken by Facebook in response to recommendations made by the OPC during the investigation and consultation process. Finally, the report indicated that the four remaining subjects identified in the complaint (i.e. third-party applications, account deactivation and deletion, accounts of deceased users, and personal information of non-users) were well-founded and had not been resolved, as Facebook had not agreed to adopt the recommendations of the OPC. A closer look at these unresolved issues provides insight into the conflict between an organization’s desire to use personal information for its business purposes and its legal obligation to safeguard such information and only use it with the informed consent of the individual to whom the information relates.

  1. Third-Party Applications

In May 2007, Facebook opened its platform to allow third-party developers to create applications (e.g. games, quizzes, etc.) that are accessible to users within Facebook.[2] By adding an application to their Facebook account, users enable that application to access most of the personal information found in their account, including personal information relating to their Facebook friends.[3]

In its Report of Findings, the OPC identified a number of concerns with third-party applications. These include:

  • the making available of more personal information than is necessary for the purpose of the application;
  • the reliance on contractual covenants by developers to respect users’ privacy settings and safeguard their personal information, in lieu of technological safeguards and effective monitoring of compliance;
  • a lack of meaningful consent to the collection and use of personal information by the user who adds the third-party application; and
  • a lack of meaningful consent from users whose own personal information is exposed to an application when their friends and fellow network members add it.

In its recommendations, the OPC asked Facebook to implement measures that would limit third-party developers’ access to personal information that is not required for the purposes of the application, inform users of the specific information that an application requires and for what purpose, obtain the express consent of users in each instance, and prohibit all disclosures of personal information of users that are not themselves adding the application.[4] Facebook declined to implement such measures.

  2. Account Deactivation and Deletion

Facebook allows users to deactivate or delete their account. When a user deactivates an account, his or her personal information is retained indefinitely, a practice which the OPC concluded is a contravention of Principles 4.5 and 4.5.3 of PIPEDA. In addition, while a user can find information on how to delete an account, this option is not given the same exposure as the deactivation option, making it less obvious to users how their accounts and personal information can be deleted from the service.

To address these concerns, the OPC recommended in a preliminary report that Facebook set a cutoff date after which Facebook would no longer retain the personal information of users who had deactivated their accounts. The OPC did not suggest what a reasonable period of time would be; rather, it suggested that the period be one "that a reasonable person would consider appropriate in the circumstances and based on [Facebook’s] experiences with user reactivation patterns"[5]. The OPC also recommended that Facebook include an account deletion option on users’ Account Settings pages, as is the case with the deactivation option. Facebook declined to act on these recommendations.

  3. Accounts of Deceased Users

When Facebook is notified that a user has died, it generally keeps that user’s profile active in a "memorialized" status (i.e. with certain information removed and access limited to confirmed friends) for a period of time. This practice is not referred to in Facebook’s Privacy Policy[6]. In its Report of Findings, the OPC concluded that the failure to advise users of this potential use of their personal information was a contravention of Principles 4.2.1, 4.2.3, 4.3.2 and 4.8 of PIPEDA, which, in essence, require organizations that collect personal information to advise individuals of the purposes for which that information is collected. Facebook declined to follow the OPC’s recommendation that it reference this use in its Privacy Policy.

  4. Personal Information of Non-Users

Facebook allows users to post personal information of non-users to their Facebook pages, thereby making it available to anyone who has access to the applicable portions of that user’s Facebook account. While the majority of such postings are made for the personal use of the user, and therefore outside the scope of PIPEDA, the OPC determined that, in some instances, Facebook uses such non-user personal information for its own purposes.

For example, when a user ‘tags’ a non-user in a photograph that has been uploaded to his or her Facebook account, Facebook gives the user the option of providing to Facebook the non-user’s email address, which is then used by Facebook to send a notification to the non-user of the tagging and an invitation to join Facebook. While the notification of tagging is for the benefit of the non-user, the invitation to join Facebook is for the benefit of Facebook.

In addition, Facebook allows users to provide Facebook with the email addresses of non-users that Facebook uses to send invitations to non-users to join Facebook. Facebook retains such information for an indefinite period of time. In addition to using the email addresses to deliver invitations, Facebook uses the email addresses to provide users with a history of invitations sent out on their behalf and for tracking the success of the referral program.

The OPC concluded that in instances where personal information about an individual (i.e. the non-user) is being collected from another individual (i.e. the user), it is reasonable to allow Facebook to rely on the user to obtain the direct consent of the non-user, provided that Facebook takes reasonable measures to ensure that such consent is obtained. In the opinion of the OPC, merely referencing the requirement for the user to obtain the non-user’s consent in the Privacy Policy is not sufficient, and Facebook should include a reminder each time that a user discloses a non-user’s email address to Facebook. Facebook should also take action against those users who violate such consent requirements.

In addition, the OPC concluded that the retention of non-users’ email addresses for the purpose of invitation history and tracking without informing non-users of such use is a contravention of PIPEDA’s informed consent requirement. Retaining such addresses indefinitely beyond the time necessary for the initial purpose of collection was also a violation of PIPEDA.

Resolution of Outstanding Issues

As part of its Report of Findings, the OPC requested that Facebook reconsider the OPC recommendations that it had declined to adopt, and stated that it would give Facebook 30 days in which to do so. We do not know what actions the OPC would have taken had Facebook not satisfied the OPC’s request, as, on August 27, 2009, the OPC announced that the outstanding matters had been resolved to its satisfaction.

In a letter to CIPPIC dated August 25, 2009, the OPC advised CIPPIC of the outcome of its discussions with Facebook regarding the CIPPIC allegations that it determined were well-founded, including those that remained unresolved at the time that the OPC issued its Report of Findings. With respect to the previously unresolved matters, the OPC reported as follows:

  1. Third-Party Applications

Facebook agreed to redesign its API so that users will have greater control over the type of personal information that third-party application developers may access, and the purposes for which that information can be used. While the personal information of friends and fellow network members may still be accessed by third-party applications, users will be able to control whether their information is made available to developers. Users will also be presented with a link to a statement from the developer explaining how it will use such personal information. The introduction of this new model for information sharing with third-party applications is to take place on or before September 1, 2010.

  2. Account Deactivation and Deletion

On the basis that most users reactivate accounts and expect to have access to their personal information when they do so, Facebook has not accepted the OPC’s recommendation that a finite retention period be instituted for deactivated accounts. The OPC accepted this position, provided that users are well informed of the differences between deactivating and deleting an account. To this end, Facebook has undertaken to include a more complete explanation of the differences between the two options in its Privacy Policy and Help Center, and include links to each option.

  3. Accounts of Deceased Users

In accordance with the recommendations of the OPC, Facebook has agreed to include a reference to the use of accounts to memorialize deceased users in its Privacy Policy within 10 weeks’ time.

  4. Personal Information of Non-Users

Facebook has agreed to include additional language in its Statement of Rights and Responsibilities that informs users of their obligation to obtain the consent of non-users before providing a non-user’s email address to Facebook. Facebook further undertook to follow up on any complaints by non-users with respect to the use of their email address. Facebook also confirmed that it does not retain the email addresses of non-users in order to track the success of its invitation feature.

While CIPPIC may take further action if it is not satisfied that the actions taken by Facebook adequately address its concerns, the OPC letter indicates that, so long as Facebook follows through on its undertakings, the OPC is satisfied with Facebook’s response.

Conclusion

The investigation into the practices of Facebook, and the resulting changes that Facebook has agreed to make to its service, were the result of a lengthy and, no doubt, costly process. While some suggest that individuals should resign themselves to the fact that privacy does not exist in the on-line world, the CIPPIC complaint and its apparent resolution illustrate the power that users have to change the behaviour of on-line business organizations, even if they are located outside of the country in which the users reside. This matter also demonstrates the seriousness with which Canadian regulators treat well-founded complaints. The Facebook complaint is a strong reminder that all businesses should be proactive in examining their practices in relation to the collection, use and safeguarding of personal information. Failing to do so can be costly, not only in time and money, but also with respect to the damage it can cause to relationships with customers.