Canadian Privacy Commissioner Says Facebook Is Full Of Holes

In order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care. That’s not what we said, it’s what Canada Privacy Commissioner Jennifer Stoddart says in a statement following an investigation into the social network’s privacy policies and practices.

That investigation was reportedly prompted by a complaint from the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (ahem), and identified “several areas where Facebook needs to better address privacy issues and bring its practices in line with Canadian privacy law”.

(Update: Facebook statement below)

You may want to read our post on “The Looming Facebook Privacy Fiasco” for more context. We also recently reported on the arguments of the Article 29 Working Party, the EC’s independent advisory body on data protection and privacy, that social networks like Facebook, Twitter and MySpace need more government regulation in Europe.

The organization’s and Commissioner’s main concern is that Facebook provides confusing or incomplete information about its privacy practices, like not giving users the opportunity to completely wipe out their accounts instead of merely deactivating them. Stoddart also criticizes Facebook’s policy of indefinitely keeping the personal information of people who have done just that. Another issue raised in the report is the sharing of users’ personal information with third-party developers creating Facebook apps; the report claims Facebook lacks adequate safeguards to restrict those developers from accessing private profile information.

Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time, although the report doesn’t specify exactly what period would be considered reasonable. According to Canada’s private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must retain personal information only for as long as is necessary to meet appropriate purposes.

The report also recommends a number of other changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.

The Office of the Privacy Commissioner will review the actions Facebook takes to comply with the recommendations in a month, and hints that Stoddart is empowered to go to Federal Court to seek to have her recommendations enforced.

One tidbit of information in the statement: Facebook apparently boasts about 12 million Canadian users.

The full report can be found here.

Update: Facebook’s response:

Facebook is pleased that the Canadian Federal Privacy Commissioner has dismissed most of the inaccurate claims brought by CIPPIC, and that we were able to collaboratively resolve other issues raised in the complaint.

As part of our continued leadership in developing privacy tools that advance user control over their information, Facebook will soon be introducing a number of new additional privacy features to its service that we believe will keep the site at the forefront of user privacy and address any remaining concerns the Commission may have. In the meantime, we will also continue our efforts to work with the Canadian Federal Privacy Commissioner to address the outstanding areas highlighted in the report and will continue our efforts to raise awareness of the privacy controls on Facebook.