Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc.

Remarks at a Media Briefing

July 16, 2009
Ottawa, Ontario

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good morning, ladies and gentlemen, and welcome.

The Office of the Privacy Commissioner of Canada is releasing today the report of our investigative findings with respect to the privacy policies and practices of Facebook.

It was a comprehensive and detailed investigation triggered by a complaint lodged by CIPPIC, the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

In all, we looked at 11 different aspects of the social networking site, and how it treats the personal information of its nearly 12 million users – and, in some instances, non-users.

Our investigation prompted a series of recommendations on how to strengthen privacy protections.

It’s clear that privacy issues are a key concern for Facebook. And yet, we found some serious gaps. In some cases, Facebook must make changes to its site to bring it into compliance with Canadian privacy law.

Context

In discussing our findings today, I want to underline that we all understand that social networking sites can be a wonderful way to connect. They help us keep up with friends, share ideas with colleagues, and trade information with people who share the same interests and hobbies.

We also understand that not everybody sees privacy in the same light. Indeed, the social networking phenomenon itself has really highlighted a broad spectrum in people’s appetite for showcasing their lives.

We also recognize that the technologies continue to evolve at a dazzling pace, presenting all of us – users, parents, regulators, businesses – with ever-changing choices and challenges with respect to privacy.

But amid these shifting social norms and technologies, one thing is constant and for certain:

Our role, as privacy guardians, is to ensure adherence to PIPEDA, the federal private-sector privacy law.

Not by individuals, because they are free to make their own choices, but by Facebook, as a commercial enterprise operating in Canada under Canadian privacy law.

Main findings

In particular, PIPEDA, the Personal Information Protection and Electronic Documents Act, aims to ensure that people are well informed about, and consent to, the collection, use and disclosure of their personal information.

It also seeks to ensure that companies such as Facebook treat the personal information entrusted to them with all due diligence and care.

And what we found is that privacy is a top-of-mind concern for Facebook. For the most part, Facebook is also to be applauded for its efforts at communicating in plain language with its users, and for offering them a variety of mechanisms to safeguard their privacy.

Even so, there’s definitely room for improvement.

We discovered areas where the personal information of users could be at risk. We also found instances where users ought to be better informed about the site’s privacy practices, so that they can give meaningful consent to the collection, use and disclosure of their personal information.

Throughout this process, we have been talking to Facebook officials about ways to address our concerns. They have previously received an interim report from us, containing specific recommendations for change, and they have recently announced some changes to the site that are intended to address our concerns.

What you have before you today is our final report, including our findings as to which aspects of the complaint were well founded. Facebook now has 30 days to respond to our report.

I’d like to turn the microphone over now to Assistant Commissioner Elizabeth Denham to provide you with more details on our findings.