Facebook Fallout: What the Facebook Investigation Means for the Future of the OPC


Remarks at the Northwind 2009 Privacy Invitational Forum

November 19, 2009
Cambridge, Ontario

Address by Jennifer Stoddart, Privacy Commissioner of Canada and
Chantal Bernier, Assistant Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good evening.  I am delighted to be with you again this year.  It was wonderful to have the opportunity to catch up with many of you at the pre-dinner reception.

I also spoke in this time slot last year and used the opportunity to mark my fifth anniversary as Privacy Commissioner by offering some reflections on the major developments of the first part of my mandate.  As I considered a topic for tonight, I thought about what my Office has been up to since we got together last November.  One issue towered over all others – Facebook.

Needless to say, that investigation was a huge undertaking for us.  The complaint we received was wide-ranging and the issues were incredibly complex and, in some aspects, highly technical.

After we went public with our findings, we were overwhelmed by the media coverage.  The investigation was scrutinized and commented on around the world. 

This evening, I’d like to share a few thoughts about how the Facebook investigation unfolded.  I’d also like to look ahead, and talk to you about what the investigation means in terms of where my Office is headed. 

The Investigation

To recap the basics: 

The Facebook story began in May 2008, when representatives of CIPPIC, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic, submitted a 35-page complaint about 24 aspects of the social networking site’s privacy policies and practices.

Under the leadership of Assistant Commissioner Elizabeth Denham, we launched an investigation that was, for us, of unparalleled scope and complexity.

Facebook was co-operative and, as a result, many issues were resolved in the course of our 14-month investigation.  However, we were unable to reach agreement on a handful of concerns – the big one involved applications, such as games or quizzes, developed by third parties to run on the Facebook platform in the clouds.

We were alarmed by a lack of adequate safeguards to effectively restrict those developers from accessing users’ personal information – as well as information about their online “friends.”  This was a major issue, given the fact that there are over 950,000 developers in more than 180 countries.

We went public with our findings and the outstanding issues in mid-July.  Facebook had 30 days to respond.

Following extensive discussions and negotiations, we were able to announce in August that the company had agreed to address all of the recommendations.

What’s more, Facebook pledged that the strengthened safeguards would apply throughout its global operations, thus extending the benefits to all 300 million users worldwide.

Facebook expects it will take a year to complete all the changes.  We’re monitoring their progress.  For example, we’ve recently commented on proposed changes to their privacy policy.  We will also have the opportunity to test some of their proposed solutions in advance.

Facebook has always said it cared about the privacy of its users, and perhaps the company recognized this as an opportunity to drive home this vital message. What’s more, I suspect Facebook ultimately acknowledged our recommendations as reasonable, and in line with what its own users wanted.

International Response

I suspect few of these details are new to you, given how intensively the investigation has been covered in the media.

After our August press conference, we counted more than 230 articles in newspapers around the world.  Someone calculated that meant we’d reached well over 41 million people through newspaper coverage alone.  Our communications director’s BlackBerry was buzzing constantly as Google alerts flooded in from the U.K., Australia, all over the U.S. and even China!

I was aware that a certain online demographic was critical of our investigation in blogs and chat rooms.

But much of the response from ordinary people – in Canada and beyond – was incredible.  People actually called us to offer their thanks for the investigation.  We’ve rarely seen that before.  One person who called our inquiries officers told us:  “I am proud to be Canadian,” and another actually said, (and I am not making this up): "I am a happy taxpayer today." 

We also received e-mails and calls from other data protection authorities congratulating us for our work and pointing out that the Canadian investigation will have a significant global impact.

Earlier this month, I was in Madrid for the International Conference of Data Protection and Privacy Commissioners and Facebook was the issue that people wanted to discuss with me.

No doubt this was in large part because Facebook said that the changes it was making in response to our investigation would be worldwide.

Faced with global privacy challenges and global corporations, data protection commissioners are increasingly looking at working in a co-operative way.

One of the ideas we discussed in Madrid was the notion that, for example, if Canada investigates Facebook, one of our European colleagues could take the lead on investigating another major privacy issue with international implications.

Given that Canadian and European privacy principles are closely aligned, this makes sense as a strategic and resource-effective approach to dealing with global corporations. It would be impossible for my Office to take on large numbers of these huge investigations. 

The Facebook investigation – and all the media coverage that resulted – has raised our profile amongst global corporations.  Immediately after we published our findings, another major social networking site asked to come in and meet with us.  Since then, we’ve had an unprecedented number of requests from U.S.-based companies wanting to talk with us about their global applications. 

This is a first – and it’s extremely positive. I hope – and expect – that all of these discussions will lead to better privacy protections for Canadians and people around the world.

PIPEDA Review (II)

Another key outcome of this exercise was that it showed Canada’s private-sector law to be pragmatic and flexible enough to accommodate the challenges of a business model that did not exist when PIPEDA was passed.

The next PIPEDA review is slated to begin in 2011, so we need to be thinking about these types of issues.  (Indeed, we are thinking about, and planning for PIPEDA Review II already – and I’ll tell you about that in a few moments.)

In the case of Facebook, PIPEDA’s principles-based approach – which falls somewhere between the market-based tack favoured by the U.S., and the more prescriptive approach prevalent in Europe – was effective.

For instance, building on previous court cases and investigations, this investigation was able to demonstrate that PIPEDA can apply to the commercial collection of personal information of Canadians by foreign entities, even if they are operating entirely online.

Another key issue we confronted was how to draw the line between the personal and commercial uses of personal information.  Facebook users decide on what information they are prepared to post about themselves on the site, in order to carry out their social networking. That information does not fall under PIPEDA. 

However, the moment Facebook uses the information for commercial purposes, the law applies and the commercial entity becomes responsible for safeguarding the data.

We’ve also recently dealt with some interesting questions arising from another new business model as part of our work with street-level imaging service providers Google Street View and CanPages. 

PIPEDA was built on one-to-one consent – I go to the bank and sign an agreement to open an account, for example.  But the collection of street-level images involves one-to-many consent. 

We’ve discussed how consent can be obtained with both Google and CanPages.  People need to know in advance that street-level images are being taken, when, and why, and how they can have their image removed if they don’t want it to appear online.  This can be achieved with clear markings on vehicles and through notification in the media.

If a company captures images for journalistic or artistic purposes, they don’t need to get consent.  Google and other providers of street-level imaging services may argue that they qualify for that exception.  On the face of it, this argument is problematic as it doesn't seem to me that this is an artistic or journalistic endeavour.  However, if we were presented with this argument during an investigation, we would look at it more closely.

Systemic Issues Focus

Facebook was significant in yet another respect.  It demonstrated the value of taking on a complex and, quite honestly, slightly overwhelming and intimidating issue.

Yes, Facebook did consume a lot of my Office’s time and a lot of our resources, but the end result was well worth it because there will be meaningful change for users around the world. 

The investigation is an example of where I would like to see the Office concentrating its energies in the future.  And I believe that the fact we were so successful with Facebook will help enable us to do that.

For some time, my view has been that the Office needs to be more focused on the big, systemic issues. 

Privacy issues have traditionally come up in the context of interactions between one person and an organization.  The individual makes a complaint to my Office.

Increasingly, however, we are seeing that the most critical privacy risks stem from systemic threats related to rapidly changing information technologies – the Internet and surveillance technologies, for example.  These types of threats – although they can affect our society as a whole and on a daily basis – are generally not the types of issues that the average person would think to complain to us about.

In my opinion, valuable resources are disproportionately consumed by having to open and investigate all individual complaints on a first-come first-served basis.

As data protection commissioners are discussing systemic, international approaches to addressing the privacy implications of global technologies, the issue of a strategic approach here at home becomes even more crucial.

I don’t want to ask the federal government for more money to help us fulfill our mandate.  We have been trying to work more efficiently and I’m pleased to be able to say that we are making good progress in tackling our backlog.

We also hope that our new refer-back and early resolution processes will mean that our investigators are spending less time on complaints that are extremely limited in scope and that do not have any policy implications for you or for us. 

I appreciate that these initiatives can require a great deal of effort on your part.  So far, the approach appears to be working well for us, for organizations, and, most importantly, for individuals – who have the benefit of a faster, more definitive answer.

We were very pleased when the government included PIPEDA amendments in the Electronic Commerce Protection Act that will provide me with the discretion to discontinue some investigations.  These include cases where there is insufficient evidence, where the complaint is trivial, frivolous or vexatious, or where the organization has provided a fair and reasonable response to the complaint.

I’d like to thank all of you who supported my Office by asking the government to provide us with greater discretion.

If we can free up some investigative resources, it will allow our Office to better focus on privacy issues with a broad public impact – the Facebook-type issues. 

We recently invested time on the issue of deep packet inspection, for example.  We are concerned about online privacy and websites targeted at children, as well as commercial genetic testing enterprises – and those may be issues we examine more closely in the future.

PIPEDA Review/ Roundtables

I mentioned a moment ago that my Office is already in the early stages of preparing for “Round Two” of PIPEDA review.

As you know, we’ve already commissioned a paper by two distinguished law professors – Lorne Sossin of the University of Toronto and France Houle of the Université de Montréal – to conduct a study on various regulatory models for data protection enforcement.  The report should be complete early next year. 

During the first review of PIPEDA, we invited submissions to help us prepare for our discussions with Parliamentarians about how the legislation could be improved.  This time, we are planning a more consultative dialogue with stakeholders.

We’re organizing a series of roundtable discussions in 2010 on some of the most important emerging issues in privacy – behavioural advertising, cloud computing and location-based data. 

The plan is to explore the privacy implications of each of these technologies, but also whether PIPEDA is able to meet those new challenges. For example, there are issues of consent in behavioural advertising; questions of jurisdiction and adequate safeguards in cloud computing; and limitations on the collection, use and disclosure of personal information arising from location-based data.

Another objective of the roundtables is to help inform our own policy positions on these three technologies, which are likely to play a larger and larger role in our daily lives.

The roundtables will be hosted by my Office and we’ll invite participation from industry, government, consumer associations, civil society and any other interested parties. We want to encourage a wide range of Canadians to take part and so we’ll be holding them in Calgary, Toronto and Montreal.

Stay tuned for the details.  I hope to see some of you taking part!

Conclusion

In closing, I have no doubt the Facebook investigation will influence our work in the future.

The investigation has once again highlighted the fact we live in a networked world and that there is an urgent need for a flexible, efficient approach to global privacy regulation. 

For me, it has reinforced that it has been well worth the time and effort my Office has invested in working with other data protection authorities and global corporations. 

I’d like to thank Treasury Board for recognizing the value of this work and for providing us with additional resources to allow us to work closely with international colleagues and to represent Canada at international meetings.

As a country, our prosperity is heavily dependent on international commerce.  But we also hold the protection of personal information to be an important social and cultural value.

We will continue to press for a better international approach to protecting personal information in an environment where trans-border data flows are ubiquitous.
