The Public Voice




Privacy Compliance for Facebook, Some Changes Made


In mid-July, the Office of the Privacy Commissioner of Canada released a Report of "Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic" against Facebook, Inc. The complaint was filed by the CIPPIC under the Personal Information Protection and Electronic Documents Act and comprised 24 allegations ranging over 12 distinct subjects. These included default privacy settings, collection and use of users' personal information for advertising purposes, disclosure of users' personal information to third-party application developers, and collection and use of non-users' personal information.

Although several of the Commissioner's Office's recommendations were resolved, the Assistant Privacy Commissioner of Canada found Facebook to be in contravention of PIPEDA on the subjects of third-party applications, account deactivation and deletion, accounts of deceased users, and non-users' personal information. The Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users' personal information, and furthermore was not doing enough to ensure that meaningful consent was obtained from individuals for the disclosure of their personal information to application developers.

The Commissioner's Office made several suggestions to Facebook. The Office advised the social networking firm to limit application developers' access to user information, to inform users specifically about the nature and use of shared information, and to share information only after obtaining the consent of the users who add an application. The Office also said that deactivated account information should be deleted after a reasonable length of time, and that the privacy policy should be amended to include all intended uses of personal information. Facebook was given 30 days. Facebook updated its privacy policy on August 11, 2009 to include "clarifying changes and minor updates."

The updated policy asks developers, operators of platform applications, and websites to respect user privacy settings. The modified policy directs developers to use the data received only to operate their specific applications, and to inform users what data is being collected, how it will be used, and whether it will be shared. The policy also states that developers must delete user data if their application is deleted by the user. The updated policy also clarifies the terms regulating advertisements and the special provisions applicable to advertisers.

Facebook is complying with the Commissioner's Office and revising its Privacy Policy to better describe a number of practices, including the reasons for the collection of date of birth, account memorialization for deceased users, the distinction between account deactivation and deletion, and how its advertising programs work.

It will also educate users about reviewing their privacy settings to make sure the defaults and selections reflect the user's preferences. The social networking firm has also undertaken to increase the understanding and control a user has over the information accessed by third-party applications. Facebook plans to introduce a new permissions model that will require applications to specify the categories of information they wish to access and to obtain express consent from the user before any data is shared. Further, users would also have to specifically approve any access to their friends' information, which would still be subject to the friend's privacy and application settings.

In June, the Article 29 Working Party warned about the dissemination and use of information available on Social Networking Sites for other secondary, unintended purposes. The officials issued an opinion requiring robust security and privacy-friendly default settings. The European Privacy Commissioners recommended that controllers take "appropriate technical and organizational measures, 'both at the time of the design of the processing system and at the time of the processing itself' to maintain security and prevent unauthorized processing, taking into account the risks represented by the processing and the nature of the data." Earlier, in January, EPIC had suggested the regulation of Social Network Service partners, including advertisers and application developers.
