Canadian Privacy Commissioner: Facebook Violates National Law
Friday, July 17, 2009 at 05:16 PM EDT
The Privacy Commissioner of Canada, a federal regulator responsible for overseeing compliance with that country’s broad data protection statute, has issued a long-awaited report on Facebook’s privacy practices. The investigation was triggered by a formal complaint filed by students at the University of Ontario’s cyberlaw clinic. The result is a comprehensive and sophisticated analysis that gives Facebook deserved credit for attention to privacy in some areas, but identifies troubling aspects of its practices that are unlawful in Canada. The full report is worth a look; an official summary is here; and Canadian cyberprof extraordinaire Michael Geist has written up a good overview as well.
As news coverage (see here and here) emphasizes, the Commissioner’s main concerns are the extent to which third-party applications within the Facebook platform slurp up personal information irrelevant to their functions. The report also identifies some ways in which Facebook’s disclosures of its practices are insufficiently clear and criticizes certain data retention practices (particularly after deactivation of accounts). The Commissioner suggested changes Facebook could make to comply with the law; after 30 days if Facebook has not taken adequate corrective action the Commissioner may initiate a lawsuit in Canadian court.
I highlighted the Ottawa clinic’s complaint in my article about social marketing (which, of course, went to the printer just a few days too early to add mention of the report!). So I was especially interested in the report’s analysis of Facebook’s advertising practices. In my view, the Commissioner gets it partly, but not entirely, right, stating:
It seems to me, and I argue in the article, that a social marketing endorsement like the one described here should require an opt in — not only for privacy and reputation reasons, but also for information quality (to ensure it is a true endorsement). In practice, though, since the effective demise of Facebook’s Beacon program, these sorts of social ads only occur when you take actions within Facebook, and in those situations it seems to me reasonable to assume implicit opt-in — after all, why do you “become a fan” of something in Facebook if not to “share” with your friends? The report does go on to criticize the clarity of disclosure about the use of information for social marketing and the difficulty of locating the opt-out. The Commissioner proposed more frequent reminders, but Facebook objected, and the report concludes that if Facebook makes its policies clearer and more accessible that will be good enough.
Overall, a great example of the careful (and collaborative) work a robust privacy regulator can do if given the necessary legal muscle and adequate resources. Now let’s see how Facebook responds next month…
This article originally appeared on Info/Law.