Privacy and the Worldwide Web: How the OPC Investigation of Facebook made Worldwide Waves
Remarks at an ATIP Community Meeting
September 30, 2009
Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada
(Check against delivery)
Good morning, bonjour à tous, and thank you very much for that warm welcome.
It is a tremendous pleasure to join you this morning on your professional development day.
I must say it is an unusual treat for me, as the Assistant Commissioner responsible for the private-sector privacy law, to speak to an audience of ATIP professionals. It feels a bit like crossing the railway tracks to peek in on how the other half lives!
However, I was told that you might be interested in hearing a bit about our recent investigation of Facebook’s privacy policies and practices, and that’s a story I’m always delighted to tell.
And I want to underscore that it’s not a story confined to the private sector at all. As I will outline later, we’re deep inside the age of social networking, and the Government of Canada is very much a part of it.
And I suggest to you that if there is one lesson to be drawn from our experience, it’s this: Even in the most public of forums – and it doesn’t get more public than the Internet – privacy matters.
As we explore this new world of Web 2.0 and user-generated content, we have to remember that, even when we choose to share portions of our lives with others online, we do not extinguish our rights to control our personal information.
Social media – whether that’s Facebook, MySpace, LinkedIn or the federal government’s GCPedia – have an obligation to safeguard the privacy of users, just as users have a duty to read, understand and apply the settings and tools available to secure their own privacy.
Before I get into the Facebook story, permit me to give you just a bit of background on PIPEDA, the law under which we were able to carry out our investigation.
The Personal Information Protection and Electronic Documents Act has been fully in force for five years.
It governs the privacy practices of federal works, undertakings or businesses, such as banks and airlines. PIPEDA also applies to other businesses across most of Canada, except in provinces that have similar statutes – B.C., Alberta and Quebec, and, for health information, Ontario.
Specifically, PIPEDA applies to the personal information collected, used or disclosed by organizations engaged in commercial activities – whether they operate out of an actual building or – as in Facebook’s case – online.
Organizations covered under PIPEDA may only collect, use or disclose personal information for a purpose that a reasonable person would consider appropriate in the circumstances.
PIPEDA-Privacy Act Differences
PIPEDA differs from the Privacy Act in a number of fundamental ways, beginning with its very structure.
The private-sector law is based on 10 Fair Information Principles. Some, such as the notion of accountability for an organization’s control of personal information, do not appear at all in the Privacy Act.
Treasury Board policies and guidelines have served to flesh out the framework set forth in the Privacy Act. But under PIPEDA, the requirements are, for the most part, more explicitly stated and stronger.
The key difference between the two laws relates to consent.
Under the Privacy Act, consent is satisfied by notification.
PIPEDA, on the other hand, requires meaningful consent. In other words, an individual needs to be reasonably able to understand what it is they are consenting to. And so they need to have the issues brought to their attention, in plain language, at the time their personal information is collected.
PIPEDA is also crystal clear in obliging organizations to identify the purposes for which they want to collect information and to limit the collection to what is reasonably necessary for the stated purposes. Companies, moreover, must make their privacy policies readily available for individuals to consult.
On the other hand, one of the pivotal requirements of the Privacy Act – giving individuals access to their personal information held by the government of Canada – is better fleshed out under the public-sector law than under PIPEDA.
Other differences are that the notion of ‘consistent use’ does not exist under PIPEDA and that the obligation to have safeguards in place is explicit in the private-sector law.
A final point I want to make in this little overview of PIPEDA is that the law is technology-neutral. This was important in the Facebook case, because we were able to apply the law to technologies and a business model that did not exist when the legislation was drafted.
Overview of Facebook Case
The Facebook story begins in May 2008 when representatives of CIPPIC, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic, submitted a 35-page complaint about 24 aspects of Facebook’s privacy policies and practices.
In response, we launched what turned out to be the world’s first full-scale probe of this social networking giant.
The investigation was of unparalleled scope and complexity for our Office.
But I am pleased to say that Facebook co-operated with us throughout the effort, so that many issues were resolved in the course of the investigation.
Even so, we could not reach agreement on a handful of concerns.
In mid-July of this year, we went public with my investigative findings, drawing attention from media, privacy experts and Internet observers around the world.
Following our report, Facebook had 30 days to respond to my recommendations, a period characterized by extensive discussions and negotiations between our Office and the company.
Finally, late last month, we were able to announce that Facebook had agreed to undertake comprehensive policy and technical changes that would address my concerns and enhance user privacy.
What’s more, Facebook pledged that the strengthened safeguards would apply across its global operations, thus extending the benefits to all 300 million users worldwide.
Scrutinized and commented on around the world, our decision to take on this U.S.-based global colossus was widely touted as a victory for the ‘little guys,’ whether that was our small Office, Canada, or the university students who filed the original complaint.
In fact, however, it was a victory for privacy for users of social networking sites – not just in Canada but around the world.
Even so, the investigation was not without controversy, as some critics questioned the logic of insisting on privacy in a forum where people post personal words and photos for viewing by friends, friends of friends – and, in many cases, complete strangers.
But with 12 million Canadians now on Facebook, we felt our investigation would shed invaluable light on the privacy issues raised by social media.
One key objective was to clarify the distinction between what people choose to do with their personal information, and what the social networking site does with it.
Facebook users decide what information they want to post about themselves on the site. That information does not fall under PIPEDA.
However, the moment Facebook uses that information for commercial purposes, the law applies and the commercial entity becomes responsible for safeguarding the data.
An added complexity was that we were confronted with a business model that was not around when PIPEDA was drafted. Part of this model involved the relationship between Facebook and the developers of the million or so games, quizzes and other applications that run on the platform.
Those apps were a key element of what ultimately became a 12-part investigation.
The allegation was that users who downloaded these little programs were giving the unknown developers – in 180 different countries around the world – practically unfettered access to their profile information – as well as that of their Facebook friends.
There was also concern about the collection of personal information, such as the birth dates asked for during the registration of new users.
The complainants further alleged that Facebook was not making reasonable efforts to notify users that their personal information would be used for advertising purposes.
There were, moreover, concerns about what happens when people die or wish to quit Facebook.
In particular, we were asked to examine Facebook’s practice of “memorializing” the accounts of deceased users; the distinction between deactivating and deleting accounts; and Facebook’s retention of personal information.
A final major issue to mention here related to people who are not on Facebook. In fact, their personal information can be uploaded to the site in a number of ways, including photo tagging and by way of invitations from users to join the site.
Findings – Not well founded/ Well-founded and resolved
In the end, I dismissed four aspects of the complaint – which I think underscores that Facebook really does care about user privacy.
For example, I found no evidence to support the allegation that Facebook was willfully misleading or deceiving users about the purposes for which it collects information.
In four other areas, I agreed that the complaints were well-founded, but concluded that the issues had been resolved to my satisfaction over the course of the investigation.
For instance, it was alleged that Facebook was not making reasonable efforts to inform users that their personal information is used for advertising. By the time of my report, Facebook had agreed in principle to describe its advertising more clearly in its information for users, and help users to find that information more readily.
Findings – Well-founded
I upheld as well-founded the remaining four aspects of the complaint because I felt Facebook had not proposed or implemented satisfactory remedies to my concerns.
The most significant one related to those third-party applications I mentioned earlier.
In a traditional business model, a company may disclose to a third party specific pieces of the personal information of customers – with their consent and under defined terms and conditions.
In the Facebook model, things worked differently. By downloading an application, users are effectively inviting the application’s developer into Facebook’s database to retrieve information about them – and not just them, but their Facebook friends as well.
We felt this exposed far too much personal information.
We wanted to see a mechanism to ensure that developers of such applications have access only to the information they actually need for their applications to operate. Moreover, we wanted Facebook to deny access to the information of users who are not themselves adding the program.
As a remedy for another well-founded complaint, we also called for a retention policy under which the personal information of users who have deactivated their accounts would be deleted from the site’s servers after a reasonable length of time.
Finally, we recommended that people be able to consent to having their accounts memorialized after death, and called for better privacy protection for non-users “tagged” in photos or invited to join the site.
We gave Facebook 30 days to show progress on its commitments and to respond to my recommendations on the four outstanding issues.
This sparked a period of intense discussions between our Office and Facebook representatives.
Facebook may not have loved the worldwide coverage of this investigation, but they clearly grasped this opportunity to drive home their oft-stated concern for user privacy.
I also believe they ultimately acknowledged our recommendations as reasonable, and in harmony with the sentiments of many of their own users.
In any event, it was gratifying to note that Facebook demonstrated a clear desire to get it right.
And so, five weeks later, we were able to go public with a comprehensive resolution to all outstanding issues.
With respect to my biggest concern, for example, the company agreed to retrofit its application platform to prevent third-party application developers from accessing personal information until they obtain express consent from users for each category of information they’re seeking to access.
A Victory for Privacy
All this effort, as I said at the outset, amounted to a major victory for privacy.
The one-third of Canadians on Facebook will enjoy stronger protections for their personal information, and a more informed and meaningful say over how it is collected, used and disclosed.
Other social networking sites eager to forestall a similar investigation have been watching the Facebook case. Indeed, one has already approached us to ensure its privacy practices are up to snuff.
The ultimate outcome is that people will be able to engage in social networking without relinquishing a meaningful level of control over their personal information.
While that was the object of the exercise, there was another important side benefit worth noting:
The initiative demonstrated the effectiveness of PIPEDA’s pragmatic principles-based approach, which falls somewhere between the market-based tack favoured by the U.S., and the more prescriptive approach prevalent in Europe.
For instance, building on previous court cases and investigations, this file showed that PIPEDA can apply to the commercial collection of personal information of Canadians by foreign entities, even if they are operating entirely online.
So far, moreover, the law appears to be flexible enough to apply to modern technologies and business models, although we will continue to monitor that situation closely in future.
The Road Ahead
Facebook anticipates that bringing its practices fully in line with PIPEDA could take a year to complete.
We will be monitoring their progress over this time. They are furnishing us with progress reports, and giving us an opportunity to test out some of the proposed solutions in advance.
At the same time, we will continue to build on extensive sociological research that our Office has conducted, in order to understand the behaviours, motivations and privacy expectations of people who use social networking sites. Earlier this week, we released a new report that compares privacy policies and tools on six social networking sites. It is available on our web site if you are interested in learning more.
You in the ATIP Community will also be wrestling with these issues in the years ahead, as public servants flock to blogs, wikis like the GCPedia, and other forms of online interaction made possible in this Web 2.0 era.
As you may already know, the Treasury Board Secretariat is working on guidelines for the appropriate use of social networks, in light of the challenges to consistent and bilingual government communications, and the risk of unauthorized disclosures of sensitive government and personal information.
We will also continue to remind Canadians at every opportunity that they have a vital role to play.
There’s much a social networking site can do to enhance its privacy protections and ensure that safeguards for personal information are in place, all the while remaining an attractive place for people to play.
But, at the end of the day, it’s up to individuals to look out for themselves – to understand the policies, to apply the privacy settings and to be master of their own data.