Facebook has responded to the report of the Privacy Commissioner of Canada on complaints it received about Facebook.
The Commissioner’s report summarizes their findings this way:
Allegations Not Well-Founded
379. With regard to New Uses of Personal Information, Collection of Personal Information from Sources Other than Facebook, Facebook Mobile and Safeguards, and Deception and Misrepresentation, I have concluded that CIPPIC’s allegations are not well-founded.
Allegations Well-Founded and Resolved
380. With regard to Collection of Date of Birth, Default Privacy Settings, Advertising, and Monitoring for Anomalous Activity, I have concluded that CIPPIC’s allegations are well-founded and resolved on the basis of corrective measures proposed by Facebook in response to my recommendations.
381. I have indicated to Facebook that our Office will follow up after 30 days to verify that the proposed measures have been implemented.
Allegations Well-founded with Issues Unresolved
382. With regard to Third-Party Applications, Account Deactivation and Deletion, Accounts of Deceased Users, and Personal Information of Non-Users, I have concluded that CIPPIC’s allegations are well-founded. In these cases, however, there remain unresolved issues where Facebook has not yet agreed to adopt certain of my recommendations or acceptable alternatives.
383. The recommendations remaining at issue are as follows:
(Third-Party Applications)
* That Facebook consider and implement measures
1. to limit application developers’ access to user information not required to run a specific application;
2. whereby users would in each instance be informed of the specific information that an application requires and for what purpose;
3. whereby users’ express consent to the developer’s access to the specific information would be sought in each instance; and
4. to prohibit all disclosures of personal information of users who are not themselves adding an application.(Account Deactivation and Deletion)
* That Facebook develop, institute, and inform users of, a retention policy whereby the personal information of users who have deactivated their accounts will be deleted from Facebook’s servers after a reasonable length of time.
(Accounts of Deceased Users)
* That Facebook include in its Privacy Policy, in the context of all intended uses of personal information, an explanation of the intended use of personal information for the purpose of memorializing the accounts of deceased users.
(Personal Information of Non-Users)
* That Facebook consider and implement measures to improve its invitation feature so as to address our Office’s concerns about non-users’ lack of knowledge and consent to Facebook’s collection, use, and retention of their email addresses;
* That Facebook set a reasonable time limit on the retention of non-users’ email addresses for purposes of tracking invitation history and the success of the referral program.384. I have asked Facebook to reconsider these remaining recommendations in the light of my findings. I have also indicated that, in our follow-up on other matters after 30 days, our Office will check for evidence of acceptance and implementation of these recommendations or acceptable alternatives to them. Should we find no such evidence, we will then consider how best to address any unresolved issues in accordance with our authorities.
385. I look forward to reviewing Facebook’s progress in implementing my recommendations and to its continuing cooperation in resolving the issues involved in this complaint.
In response, Facebook issued the following statement:
Facebook is pleased that the Canadian Federal Privacy Commissioner has dismissed most of the inaccurate claims brought by CIPPIC, and that we were able to collaboratively resolve other issues raised
in the complaint.The Commissioner also recognised, as we do, that privacy and user control on the social web is a new area, which requires websites, users and data protection authorities to work together. Without question, Facebook and the Canadian Privacy Commissioner’s Office share the common goal of making the Internet more privacy friendly for Canadians and users across the world.
We are also pleased that the Commission has recognized the fact that Facebook provides significantly greater protection of users’ interests than most websites and commended Facebook for providing its users with extensive privacy settings. Facebook has made privacy a core part of its business, and is the industry leader in developing and deploying privacy tools and advocating their use. We believe that the very reason Facebook is popular in Canada is because the site offers people a way to share information, enables them to chose what information they share with whom, and is very easy to use.
As part of our continued leadership in developing privacy tools that advance user control over their information, Facebook will soon be introducing a number of new additional privacy features to its service that we believe will keep the site at the forefront of user privacy and address any remaining concerns the Commission may have. In the meantime, we will also continue our efforts to work with the Canadian Federal Privacy Commissioner to address the outstanding areas highlighted in the report and will continue our efforts to raise awareness of the privacy controls on Facebook.