In late May of 2008, the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) filed a complaint against Facebook with the Office of the Privacy Commissioner of Canada (the “OPCC”) alleging that the social networking website was in breach of several provisions and principles of the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

On July 16th of 2009, the OPCC published its findings with respect to CIPPIC’s allegations, which focused on PIPEDA’s cornerstone principle of informed consent. The OPCC investigated twenty four (24) allegations. For the purposes of this article, there are three areas of particular interest. First, the OPCC investigated whether Facebook was obtaining meaningful consent from its users by adequately explaining the purposes for which it was collecting, using and/or disclosing personal information. Second, the OPCC paid particular attention to Facebook’s practices with respect to the retention of users’ personal information at the time of account deactivation or deletion. Finally, the issue of security safeguards for users’ personal information with respect to third party applications was also a major part of the investigation.

1. Personal Information & PIPEDA

PIPEDA was adopted in 1999 and came into force over a period of several years ending in 2004. It applies to private sector organizations across Canada conducting commercial activities, unless a province has enacted substantially similar legislation, in which case the provincial legislation will generally apply. To date, only the provinces of Québec, Alberta and British Columbia have enacted such substantially similar laws.

The general purpose of PIPEDA is to protect an individual’s personal information. When a private organization such as Facebook collects personal information from an individual, it must inform the individual of the purpose for which such information is being collected and obtain the individual’s consent to such collection, and to any relevant use or subsequent disclosure of that information. Furthermore, the collection of the information must be limited to the information necessary to fulfill the purpose. Once the information has been collected, it cannot be used or disclosed for any other purpose than the one for which it was originally collected, unless consent is obtained from the individual.

Under PIPEDA, personal information is broadly defined as “information about an identifiable individual.” There is no fixed list or set of categories of information which could be considered “identifiable.” Instead, the standard employed under Canada’s privacy legislation is one of reasonableness. In short, parties who collect, use or disclose information must ask themselves if the information could reasonably be expected to identify a person. If the answer is yes, then the information is considered “personal information” and parties must then meet their legal obligations as defined in PIPEDA.

In the case of Facebook, users are required to provide personal information at the time of registration. Personal information is also found in the content that they create or upload to Facebook throughout their use of the website.

2. Understanding Facebook

Facebook is often described in the media as a “social network.” The social networking experience begins when a visitor signs up for an account, through which they create a personal profile and provide personal information to Facebook. At a minimum, a profile includes the same information provided at the time of registration: a person’s name, age (which can be hidden in whole or in part from view), gender, and email address. However, profiles on Facebook can be expanded by including information like education, place of employment, hobbies, interests and more. These are all examples of personal information provided by a user.

The “social” aspect is in the way profiles interact with one another. Profiles become connected when users become “friends” on Facebook, a process by which one user asks the other for permission to add him or her to their “Friend List.”

Once a user builds up a list of friends, he will receive periodic updates of his friends’ activities on Facebook. For example, if one friend accepts an invitation to an event, this information will appear in a user’s “News Feed.” The amount of information which is broadcast out to friends via this feature can be limited through the account privacy settings.

The type of content which can be uploaded to Facebook generally consists of text (in messages or in the form of profile information), photos, and videos. That type of information is considered “personal information” within the meaning of PIPEDA.

Users are the owners of all of the information and content they post on Facebook. However, as a condition of use of the site, users must grant Facebook a non-exclusive, transferable, sublicensable, royalty-free, worldwide license to use any content covered by intellectual property rights. This license allows Facebook to use the user’s content in any way it wishes. For example, with this license, Facebook could use a user’s picture to promote the Facebook brand in its advertising, or allow a third party to do the same. The license terminates when the content is removed from Facebook or a user’s account is deleted.

This issue was not considered by the OPCC, as it is beyond the powers and the purpose of the OPCC investigation. Nevertheless, it remains in our view a very important issue that users should be aware of when accessing Facebook.

The social aspect of Facebook is far more complex than can be described in these brief paragraphs, but the essential idea is that Facebook is a communication tool. Users can actively communicate with one another by adding each other as friends, messaging one another, and so on, or they can passively communicate by permitting Facebook to broadcast their activities on the website to their list of friends.

3. Advertising

Access to Facebook is free for all site visitors and account holders. Rather than collecting monthly or annual subscription fees from its users, the Facebook business model employs advertising as the major source of its revenue. The OPCC found advertising to be essential to the provision of the service. Facebook users must be willing to receive a certain amount of advertising in exchange for using the website. The Facebook advertising system is composed of “Social Ads” and “Facebook Ads.” Social Ads are triggered by a social action on Facebook, such as becoming a fan or joining a group. By tracking such social actions, Facebook can display Social Ads in certain strategic areas like the News Feed. In contrast, Facebook Ads are based on demographic profiles stored in Facebook’s database, are targeted to key attributes in a user’s profile such as age, and appear in the same advertising space on all pages of the website.

CIPPIC alleged that Facebook was not making a reasonable effort to explain why and how it was using users’ profile information in its advertising system, and that it was not obtaining appropriate consent.

In light of its finding that displaying advertisements on the website was necessary in order for it to remain free to its users, the OPCC recommended that Facebook explain more fully its advertising system. Facebook was also asked to elaborate on this issue in its Privacy Policy. That recommendation is expected to be followed by Facebook, but nevertheless, users should be aware that Facebook uses their profile information and online habits for targeted advertising purposes, and that users can opt-out of Social Ads but not of Facebook Ads.

4. Facebook Platform (Third Party Applications)

Third parties can program their own applications (games, puzzles, etc…) for use on Facebook through the use of The Facebook Platform. There are approximately 350,000 applications currently on Facebook and more than one million developers worldwide. Anyone can become a Facebook Platform developer by downloading the Facebook Platform files and agreeing to the Terms of Service (now the Statement of Rights and Responsibilities). The Facebook Platform allows an application developer to interact with the Facebook database.

The Facebook Platform was also the subject of CIPPIC’s largest complaint. The substance of CIPPIC’s allegations regarding the Facebook Platform was that Facebook was not adequately disclosing to users why and how their personal information was being collected, used and disclosed to, and by, third party developers. In addition, the OPCC noted that users were being asked to provide far more information than was actually necessary for the functioning of any given application.

Facebook has consistently held that the Facebook Platform encourages responsible conduct on the part of application developers because each time a user engages an application, and the application in turn connects to the Facebook database, it is permitted to do so through an individual access “key” which identifies the application developer. An application developer can gain access to the entire Facebook database by submitting this key with each call to the Facebook database. This permits Facebook to track which applications and which developers are accessing users’ personal information. The OPCC determined that although this does encourage a moderate level of responsibility, it was an insufficient step given Facebook’s lack of supervision and the absence of any technological barriers to accessing a user’s personal information.

The OPCC also found that Facebook had failed to obtain meaningful consent from users who add third-party applications to their account.

In order to remedy this situation, the OPCC recommended that Facebook employ technological means to restrict application developers’ access to user information which is not necessary for the functioning of the application. Second, the OPCC suggested that users should be clearly informed of the particular information to be accessed by a given application, and that consent should be obtained from each user for access to such information. Finally, the OPCC strongly urged Facebook to prohibit the disclosure of information of friends of those users who add an application.
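The three recommendations above describe an access layer rather than a policy document: a per-application key that identifies the developer, a declared set of fields that is the most the application can ever ask for, per-field consent from each user, and no disclosure of friends' data. The following is an added example (not Facebook's code, and the registry, consent store, field names and function names are all assumptions) showing what such a technological barrier looks like when every application read goes through one gate:

```python
from dataclasses import dataclass

# Profile fields named in the article; "friends" stands for data about other users.
PROFILE_FIELDS = frozenset({"name", "age", "gender", "email", "education", "employer", "hobbies", "friends"})
NEVER_DISCLOSED = frozenset({"friends"})  # OPCC: apps must not receive friends' information

@dataclass(frozen=True)
class Application:
    key: str              # per-application access key identifying the developer
    necessary: frozenset  # fields the developer declared as needed for the app to function

class AccessDenied(Exception):
    pass

REGISTRY: dict[str, Application] = {}            # app key -> registered application
CONSENTS: dict[tuple[str, str], frozenset] = {}  # (user_id, app key) -> fields the user granted
AUDIT: list[tuple[str, str, frozenset]] = []     # (app key, user_id, fields released), for supervision

def register_application(key: str, necessary: set[str]) -> Application:
    # Declared fields are fixed at registration and may never include other users' data.
    if not necessary <= PROFILE_FIELDS - NEVER_DISCLOSED:
        raise ValueError("application declares fields it may not receive")
    REGISTRY[key] = Application(key, frozenset(necessary))
    return REGISTRY[key]

def grant_consent(user_id: str, app_key: str, fields: set[str]) -> frozenset:
    # Consent is per user, per application and per field; the user is shown exactly the
    # declared fields, so consent cannot cover anything outside them.
    granted = frozenset(fields) & REGISTRY[app_key].necessary
    CONSENTS[(user_id, app_key)] = granted
    return granted

def app_read_profile(app_key: str, user_id: str, requested: set[str], profile: dict) -> dict:
    # The single call through which an application reads user data: this is the barrier.
    app = REGISTRY.get(app_key)
    if app is None:
        raise AccessDenied("unknown application key")
    if not requested <= app.necessary:   # limiting collection to what is necessary
        raise AccessDenied("request exceeds the fields declared as necessary")
    granted = CONSENTS.get((user_id, app_key), frozenset())
    released = (frozenset(requested) & granted) - NEVER_DISCLOSED  # consent gate, belt and braces
    AUDIT.append((app_key, user_id, released))
    return {f: profile[f] for f in released if f in profile}

def is_denied(app_key: str, user_id: str, requested: set[str], profile: dict) -> bool:
    try:
        app_read_profile(app_key, user_id, requested, profile)
        return False
    except AccessDenied:
        return True
```

The audit list is what lets the platform operator do the supervision the OPCC found missing: it records which key read which fields of which user, not merely that a key was presented.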

As of this writing, Facebook has not yet agreed to implement any of the OPCC’s recommendations regarding the disclosure of personal information through the Facebook Platform. In fact, Facebook has vehemently objected to the OPCC’s findings, arguing that the legal disclaimer of responsibility it employs is a standard term in web contracts, and that the structure of the Facebook Platform “allows identification and removal of potentially problematic applications.”

5. Account Deactivation & Deletion

Finally, another substantial allegation that the OPCC decided was well-founded and still unresolved by Facebook was the issue of account deactivations and deletions. When a user grows tired of using Facebook, they have two options. They can either decide to “deactivate” their account, which is a sort of user-initiated account suspension, or they can request a permanent deletion of their account. When a deactivation occurs, a user disappears from Facebook in the sense that they no longer appear in Friend Lists or in search results, and their profile becomes inaccessible.

However, the information contained in the user’s account remains on Facebook’s servers for an indefinite period of time. Facebook provides this option for those who may wish to return to Facebook at a later time, without having to entirely rebuild their social network. The second option is account deletion, which constitutes a permanent removal of a user’s personal information from the site, servers and database. However, Facebook claims that this option is more complicated and time-consuming for both users and Facebook staff, and can take several days to complete.

In response to the OPCC’s findings, Facebook agreed to add information regarding account deletion to its Privacy Policy. However, it has so far refused to develop a retention policy which would result in the deletion of accounts for deactivated users after a reasonable period of time. Without this retention policy, it is possible for a deactivated user’s account information to remain on Facebook’s servers for years, or even indefinitely.

6. Impact on Your Business

Although Facebook and social networking may seem a world away from your business, the recent comments, findings and recommendations from the OPCC are suggestive of how businesses should be interpreting and applying the principles of PIPEDA. At the center of the entire Facebook privacy saga are the issues of informed consent and limiting the collection of personal information to that which is "necessary."

Organizations should be aware that the personal information they collect, use or disclose, can only be collected, used or disclosed for the purposes for which a person’s consent was originally obtained, and that they cannot collect more information than is necessary for their stated purposes.

The OPCC makes several references to a “reasonableness” standard. In essence, this means that businesses must determine if the collection, use or disclosure of the personal information they collect from their employees, clients and potential clients is reasonable in the particular circumstances. As a consequence, there can be no single answer as each case will vary with the circumstances.

It is interesting to note that Facebook was very cooperative with the OPCC. In fact, the OPCC made a point to thank Facebook explicitly for its cooperation in addressing the issues brought up in CIPPIC’s complaint. In attempting to comply with PIPEDA, a pioneer in privacy legislation worldwide, Facebook is taking advantage of an excellent opportunity to show its users and privacy authorities throughout the world that the company is committed to the protection of personal information.

The outstanding issues discussed in this article are, however, significant, and they sit at the center of the social networking business model for both Facebook and other social networking sites worldwide.