Facebook agrees to address Privacy Commissioner's concerns

    Privacy Commissioner of Canada satisfied that proposed changes to the
    social networking site's privacy practices and policies would bring
    Facebook into compliance with Canadian law.

    OTTAWA, Aug. 27 /CNW Telbec/ - Facebook has agreed to add significant new
privacy safeguards and make other changes in response to the Privacy
Commissioner of Canada's recent investigation into the popular social
networking site's privacy policies and practices.
    The company's decision to implement the Privacy Commissioner's
recommendations is a positive step towards bringing Facebook in line with the
requirements of Canada's privacy law.
    "These changes mean that the privacy of 200 million Facebook users in
Canada and around the world will be far better protected," says Privacy
Commissioner Jennifer Stoddart.
    "This is extremely important. People will be able to enjoy the benefits
of social networking without giving up control of their personal information.
We're very pleased Facebook has been responsive to our recommendations."
    Last month, the Privacy Commissioner issued a report on an in-depth
investigation triggered by a complaint from the Canadian Internet Policy and
Public Interest Clinic.
    While Facebook took some steps to resolve privacy concerns, the
Commissioner remained dissatisfied by Facebook's response at the end of the
investigation. She was particularly concerned about the risks posed by the
over-sharing of personal information with third-party developers of Facebook
applications such as games and quizzes.
    Facebook was given 30 days to respond to the Commissioner's report and
explain how it would address the outstanding concerns. Following a review of
Facebook's formal response and discussions with company officials, the
Commissioner is now satisfied Facebook is on the right path to addressing the
privacy gaps on its site.
    "Facebook is promising to make significant technological changes to
address the issue we felt was the biggest risk for users - the relatively free
flow of personal information to more than one million application developers
around the world," says Assistant Commissioner Elizabeth Denham, who led the
investigation on behalf of the Office.
    "Application developers have had virtually unrestricted access to
Facebook users' personal information. The changes Facebook plans to introduce
will allow users to control the types of personal information that
applications can access."
    An over-arching issue highlighted during the investigation was that the
way in which Facebook provides privacy information to users is often confusing
or incomplete.
    Facebook agreed to changes to help users to better understand how their
personal information will be used and, ultimately, to make more informed
decisions about how widely to share that information. The Commissioner has
reviewed these improvements and will be following up with Facebook as the
changes are implemented.
    The following is an overview of key issues raised during the
investigation and Facebook's response:

    1. Third-party Application Developers

    Issue: The sharing of personal information with third-party developers
    creating Facebook applications such as games and quizzes raises serious
    privacy risks. With more than one million developers around the globe,
    the Commissioner is concerned about a lack of adequate safeguards to
    effectively restrict those developers from accessing users' personal
    information, along with information about their online "friends."

    Response: Facebook has agreed to retrofit its application platform in a
    way that will prevent any application from accessing information until it
    obtains express consent for each category of personal information it
    wishes to access. Under this new permissions model, users adding an
    application will be advised that the application wants access to specific
    categories of information. The user will be able to control which
    categories of information an application is permitted to access. There
    will also be a link to a statement by the developer to explain how it
    will use the data.

    This change will require significant technological changes. Developers
    using the platform will also need to adapt their applications and
    Facebook expects the entire process to take one year to implement.

    2. Deactivation of Accounts

    Issue: Facebook provides confusing information about the distinction
    between account deactivation - whereby personal information is held in
    digital storage - and deletion - whereby personal information is actually
    erased from Facebook servers. As well, Facebook should implement a
    retention policy under which the personal information of users who have
    deactivated their accounts will be deleted from the site's servers after
    a reasonable length of time.

    Response: Facebook has agreed to make it clear to users that they have
    the option of either deactivating their account or deleting their
    account. This distinction will be explained in Facebook's privacy policy
    and users will receive a notice about the delete option during the
    deactivation process.

    While we asked for a retention policy, we looked at the issue again and
    considered what Facebook was proposing. We determined the company's
    approach - providing clarity about the options, offering a clear choice,
    and alleviating the confusion - is acceptable because it will allow users
    to make informed decisions about how their personal information is to be

    3. Personal Information of Non-users

    Issue: Facebook should better protect the privacy of non-users who are
    invited to join the site.

    Response: Facebook agreed to include more information in its terms of use
    statement. Facebook confirmed that it does not use email addresses to
    track the success of its invitation feature, nor does it maintain a
    separate email address list for this purpose.

    4. Accounts of Deceased Users

    Issue: People should have a better way to provide meaningful consent to
    have their account "memorialized" after their death. As such, Facebook
    should be clear in its privacy policy that it will keep a user's profile
    online after death so that friends can post comments and pay tribute.

    Response: Facebook agreed to change the wording in its privacy policy to
    explain what will happen in the event of a user's death.

    Facebook has committed to a timetable for implementing all of the
changes, some of which, such as the third-party application changes, are
technologically complex. The company has already started to make changes and
we expect them to be fully complete within a year.
    "It's now up to Facebook to demonstrate to us that they are living up to
their commitments," says Assistant Commissioner Denham.
    "With the conclusion of the Facebook investigation, our Office has made
clear our expectations for how social networking sites need to protect
personal information. Other sites should take note - and take steps to ensure
they're complying with Canadian law."
    Statements by the Commissioner and Assistant Commissioner are available
on the OPC's website.

    The Privacy Commissioner of Canada is mandated by Parliament to act as an
ombudsman, advocate and guardian of privacy and the protection of personal
information rights of Canadians.

For further information:

For further information: Anne-Marie Hayden, Office of the Privacy
Commissioner of Canada, Tel: (613) 995-0103, E-mail: ahayden@privcom.gc.ca

Custom Packages

Browse our custom packages or build your own to meet your unique communications needs.

Start today.

CNW Membership

Fill out a CNW membership form or contact us at 1 (877) 269-7890

Learn about CNW services

Request more information about CNW products and services or call us at 1 (877) 269-7890