The Privacy Commissioner of Canada’s recent report1 in response to complaints filed by the Canadian Internet Policy and Public Interest Clinic (“CIPPIC”) in respect of certain Facebook practices presents an interesting glimpse into the struggles multinational corporations face when attempting to comply with privacy regimes of the multiple jurisdictions in which they operate. Each jurisdiction, of course, seeks to enforce its own, and often distinct, rules and regulations. The recent Facebook findings are proof positive that many of the same issues raised by Canada’s patchwork of privacy regulation arise on an international level as well. Although the Commissioner’s findings are specific to social networking sites (which the Commissioner characterizes as a “cultural phenomenon”) her findings may, ultimately, have a far broader application across a wide range of commercial operations.
Facebook runs an immensely popular social networking website with 250 million active users and operates in dozens of countries, at least thirty of which have over 1 million users each. Canada represents only a fraction of Facebook’s overall user base (Canada has approximately 12 million Facebook users, while over 69 million users originate from the U.S.).2
In 2008, CIPPIC alleged that certain policies and practices of Facebook were contrary to the federal Personal Information Protection and Electronic Documents Act.3 Following investigation, the Privacy Commissioner issued a preliminary report on May 27, 2009 to CIPPIC and Facebook which referenced a number of concerns and made twenty recommendations. While a number of the Commissioner’s recommendations were accepted by Facebook, others were not. The Privacy Commissioner issued her final report on July 16, 2009.
RECOMMENDATIONS ACCEPTED BY FACEBOOK
RECOMMENDATIONS NOT ACCEPTED BY FACEBOOK
Facebook resisted recommendations by the Privacy Commissioner that could affect its overall business model, such as those that would require a change to the way disclosure of user information occurs or limit what user information may be disclosed to third parties (i.e., application developers and target advertisers). Facebook objected to the Privacy Commissioner’s findings and declined to implement recommendations that could affect Facebook’s third-party application development process.
Technically costly recommendations were also rejected (for example, requiring Facebook to delete deactivated accounts after a reasonable length of time). Facebook declined to institute a data retention policy for deactivated users (in contrast to deleted users, deactivated users are those who have “paused” their accounts). Facebook retains personal information of deactivated users for a “reasonable period” – whereas deleted users’ information is retained until the deletion process is complete, which “may take several weeks.” Facebook did, however, agree to provide an explanation between account deletion and account deactivation and the difference on data retention in both instances. Facebook also refused to provide notice to users that their personal information may be used for memorialization purposes after their death because it felt that this requirement was not well founded in law.
THE NEXT STEPS
The Commissioner’s findings present Facebook with the option of either adopting the outstanding recommendations (some of which may substantially affect not only its procedures but its revenue model), or facing the possibility (alluded to in the Commissioner’s findings) of further legal proceedings before the Federal Court. If the Commissioner decides to apply to the Federal Court she will likely seek an order to compel Facebook to change its practices to comply with the Commissioner’s recommendations. Failure to comply with a court order could result in Facebook being subject to penalties.
The Privacy Commissioner pledged to conduct a review of Facebook’s promised changes and check for evidence of acceptance and implementation of the recommendations. She also said she would follow up thirty days after her Report was issued and that she would consider how best to address any failure by Facebook to implement either her recommendations or “acceptable alternatives”.
Corporations that collect, use and disclose personal information in multiple jurisdictions must be wary of each jurisdiction’s privacy laws. While a one-size-fits-all approach may be procedurally (and economically) very efficient, it may not be realistic. Without adapting policies and procedures specific to each jurisdiction in which the corporation operates, such corporations must weigh the pros and cons of the business risks for non-compliance with all domestic laws – particularly those in jurisdictions in which the corporation concerned may have limited revenues. It will be interesting to see how the Privacy Commissioner and Facebook respond to each other, and to what extent the Privacy Commissioner will seek enforcement of her recommendations.