Facebook privacy and personal data security criticised by Canadian information commissioner

News by Dan Raywood

Social networking site Facebook does not do enough to protect personal information, according to the Canadian Privacy Commissioner.

Social networking site Facebook does not do enough to protect personal information, according to the Canadian Privacy Commissioner.

The office of Jennifer Stoddart investigated the website's use of personal information and found that Facebook is not clear enough about how users can control their information or restrictive enough in limiting other companies' access to it.

In a detailed report, the investigation found that users were told on Facebook how to deactivate accounts, but not how to delete them and remove personal information from the Facebook servers. The commissioner's office said that the company needed to be more transparent.

Its complaint comprised 24 allegations ranging over 12 distinct subjects. These included: default privacy settings, collection and use of users' personal information for advertising purposes, disclosure of users' personal information to third-party application developers, and collection and use of non-users' personal information.

It found that on four subjects, including deception and misrepresentation and Facebook Mobile, there was no evidence of any contravention of the Canadian Privacy Law and concluded that the allegations were not well founded.

On another four subjects including default privacy settings and advertising, the assistant commissioner found Facebook to be in contravention of the Canadian Privacy Law, but concluded that the allegations were well founded and resolved on the basis of corrective measures proposed by Facebook in response to her recommendation.

With regards to the entry and retention of a user's date of birth, the commissioner found that Facebook to be in contravention of two principles relating to identified purposes that 'should be specified at or before the time of collection to the individual from whom the personal information is collected'.
She also stated that 'the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed'.

Facebook has since responded by agreeing to amend the language of the pop-up in question as follows: “Facebook requires all users to provide their real date of birth to encourage authenticity and provide only age-appropriate access to content. You will be able to hide this information if you wish, and its use is governed by the Facebook Privacy Policy.”

With regard to the controversial privacy settings, the commissioner found that Facebook did not do as much as it should to inform users about privacy settings at registration, as there is no direct link to the privacy settings and no upfront message about these settings.

It also found that Facebook's notification efforts relating to privacy settings fail to meet a reasonable standard in the circumstances, and needed to do more to ensure that new users can make informed decisions about controlling access to their personal information when registering.
The report claimed: “Facebook has given its users tools to control their personal information; it needs to ensure that users better understand these tools.”

In a summary of the investigation, the commissioner found no evidence that Facebook is wilfully misleading or deceiving users about the purposes for which it collects information or is obtaining consent through deception. It also claimed that an allegation of misrepresentation is not well founded.

However in its conclusion, it claimed that once implemented, Facebook's proposed corrective measure of its privacy policy will meet its recommendation and bring the organisation into compliance with the Canadian Privacy Law. It will follow up with Facebook on the status of its implementation of this measure within 30 days.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews