Language selection


Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc.

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at a Media Briefing

July 16, 2009
Ottawa, Ontario

Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada

(Check against delivery)


Thank you, Commissioner Stoddart, and good morning.

As you just heard, we were presented with an 11-part complaint from CIPPIC, the Canadian Internet Policy and Public Interest Clinic.

For several aspects of the complaint, our investigation did not substantiate the complainant’s allegations. For a few others, we felt that Facebook could quite simply address the concerns by being more explicit in its privacy policy.

In some cases, however, we concluded that the complaints were well-founded, and made some concrete recommendations on how Facebook could rectify the situation, some of which it agreed to and others it did not.

Specific examples

For example, our investigation raised significant concerns around the sharing of users’ personal information with third-party developers who create popular Facebook applications such as games and quizzes.

In our investigation, we found that Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing a user’s profile information, along with information about their online “friends.”

I want to underline that this is no trivial issue: There are close to a million developers out there, scattered across some 180 countries.

Among other things, we called for technological measures to ensure that developers can only access the user information that is actually required to run a specific application. We also wanted Facebook to prevent the disclosure of the personal information of any of the user’s friends who are not themselves signing up for the application unless they consent.

Another area that concerned us is that Facebook has a policy of keeping indefinitely the personal information of people who have deactivated their accounts. The law says that organizations must retain personal information only for as long as necessary to meet appropriate purposes. 

As such, we recommended that Facebook adopt a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.

Overarching concern

An overarching concern for us related to meaningful consent. We were looking for readily available and understandable explanations about the privacy implications of specific actions on the Facebook platform. And we wanted people to be able to opt out of actions that they felt could unduly compromise control over their personal information.

We found that, although Facebook provides information about privacy issues, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts. It does not, however, explain how to delete them, which actually removes personal data from Facebook’s servers.

And so, many of our recommendations were related to transparency. For instance, we urged Facebook to consolidate detailed explanations of various privacy-related issues within a single privacy policy.

In that context, I am pleased to note that Facebook has recently announced a new privacy tool for the site, which is aimed at giving users the power to control who gets to see each item they post on their Facebook pages.       


Every measure to strengthen privacy protections on social networking sites is a good thing, and I welcome every sign that companies take seriously their obligations to safeguard the personal information of their customers.

But I want to underscore one other point – and that is the role of the users themselves.

In the end, even the most comprehensive privacy policy, and the most elaborate privacy tools, are not enough – if people ignore them.

And so I would urge Canadians to get into the habit of reading privacy policies, and to take advantage of privacy settings and other mechanisms to protect their personal information.

As the Commissioner said a moment ago, social networking sites can be a wonderful way to connect.

But connection should never come at the cost of privacy: People have every right to share their thoughts, their images and their personal information. But they need to understand what they’re getting into, and to do it on their own terms.

Thank you. 

Report a problem or mistake on this page
Error 1: No selection was made. You must choose at least 1 answer.
Please select all that apply (required):


Date modified: