Privacy Commissioner of Canada satisfied that proposed changes to the
social networking site's privacy practices and policies would bring
Facebook into compliance with Canadian law.
OTTAWA, Aug. 27 /CNW Telbec/ - Facebook has agreed to add significant new
privacy safeguards and make other changes in response to the Privacy
Commissioner of Canada's recent investigation into the popular social
networking site's privacy policies and practices.
The company's decision to implement the Privacy Commissioner's
recommendations is a positive step towards bringing Facebook in line with the
requirements of Canada's privacy law.
"These changes mean that the privacy of 200 million Facebook users in
Canada and around the world will be far better protected," says Privacy
Commissioner Jennifer Stoddart.
"This is extremely important. People will be able to enjoy the benefits
of social networking without giving up control of their personal information.
We're very pleased Facebook has been responsive to our recommendations."
Last month, the Privacy Commissioner issued a report on an in-depth
investigation triggered by a complaint from the Canadian Internet Policy and
Public Interest Clinic.
While Facebook took some steps to resolve privacy concerns, the
Commissioner remained dissatisfied by Facebook's response at the end of the
investigation. She was particularly concerned about the risks posed by the
over-sharing of personal information with third-party developers of Facebook
applications such as games and quizzes.
Facebook was given 30 days to respond to the Commissioner's report and
explain how it would address the outstanding concerns. Following a review of
Facebook's formal response and discussions with company officials, the
Commissioner is now satisfied Facebook is on the right path to addressing the
privacy gaps on its site.
"Facebook is promising to make significant technological changes to
address the issue we felt was the biggest risk for users - the relatively free
flow of personal information to more than one million application developers
around the world," says Assistant Commissioner Elizabeth Denham, who led the
investigation on behalf of the Office.
"Application developers have had virtually unrestricted access to
Facebook users' personal information. The changes Facebook plans to introduce
will allow users to control the types of personal information that
applications can access."
An over-arching issue highlighted during the investigation was that the
way in which Facebook provides privacy information to users is often confusing
Facebook agreed to changes to help users to better understand how their
personal information will be used and, ultimately, to make more informed
decisions about how widely to share that information. The Commissioner has
reviewed these improvements and will be following up with Facebook as the
changes are implemented.
The following is an overview of key issues raised during the
investigation and Facebook's response:
1. Third-party Application Developers
Issue: The sharing of personal information with third-party developers
creating Facebook applications such as games and quizzes raises serious
privacy risks. With more than one million developers around the globe,
the Commissioner is concerned about a lack of adequate safeguards to
effectively restrict those developers from accessing users' personal
information, along with information about their online "friends."
Response: Facebook has agreed to retrofit its application platform in a
way that will prevent any application from accessing information until it
obtains express consent for each category of personal information it
wishes to access. Under this new permissions model, users adding an
application will be advised that the application wants access to specific
categories of information. The user will be able to control which
categories of information an application is permitted to access. There
will also be a link to a statement by the developer to explain how it
will use the data.
This change will require significant technological changes. Developers
using the platform will also need to adapt their applications and
Facebook expects the entire process to take one year to implement.
2. Deactivation of Accounts
Issue: Facebook provides confusing information about the distinction
between account deactivation - whereby personal information is held in
digital storage - and deletion - whereby personal information is actually
erased from Facebook servers. As well, Facebook should implement a
retention policy under which the personal information of users who have
deactivated their accounts will be deleted from the site's servers after
a reasonable length of time.
Response: Facebook has agreed to make it clear to users that they have
the option of either deactivating their account or deleting their
and users will receive a notice about the delete option during the
While we asked for a retention policy, we looked at the issue again and
considered what Facebook was proposing. We determined the company's
approach - providing clarity about the options, offering a clear choice,
and alleviating the confusion - is acceptable because it will allow users
to make informed decisions about how their personal information is to be
3. Personal Information of Non-users
Issue: Facebook should better protect the privacy of non-users who are
invited to join the site.
statement. Facebook confirmed that it does not use email addresses to
track the success of its invitation feature, nor does it maintain a
separate email address list for this purpose.
4. Accounts of Deceased Users
Issue: People should have a better way to provide meaningful consent to
have their account "memorialized" after their death. As such, Facebook
online after death so that friends can post comments and pay tribute.
explain what will happen in the event of a user's death.
Facebook has committed to a timetable for implementing all of the
changes, some of which, such as the third-party application changes, are
technologically complex. The company has already started to make changes and
we expect them to be fully complete within a year.
"It's now up to Facebook to demonstrate to us that they are living up to
their commitments," says Assistant Commissioner Denham.
"With the conclusion of the Facebook investigation, our Office has made
clear our expectations for how social networking sites need to protect
personal information. Other sites should take note - and take steps to ensure
they're complying with Canadian law."
Statements by the Commissioner and Assistant Commissioner are available
on the OPC's website.
The Privacy Commissioner of Canada is mandated by Parliament to act as an
ombudsman, advocate and guardian of privacy and the protection of personal
information rights of Canadians.
For further information:
For further information: Anne-Marie Hayden, Office of the Privacy
Commissioner of Canada, Tel: (613) 995-0103, E-mail: firstname.lastname@example.org