The Office of the Privacy Commissioner of Canada has released its long-awaited finding (media release, finding, backgrounder) in the complaint against Facebook on a variety of privacy grounds. The complaint was launched by CIPPIC in May 2008 (note that I am an advisor to CIPPIC but had no involvement in this complaint). The case marks an important step in assessing how Canadian privacy law addresses social media with the Commissioner identifying some significant concerns. Moreover, as the case potentially heads to court, it will be closely watched to see whether the findings can be enforced against a global social media power like Facebook.

The big issues include:

Default Settings: The Commissioner was generally satisfied with Facebook’s “extensive privacy settings.” The finding notes that consent is different in a site like Facebook since users voluntarily upload their personal information. She concluded that Facebook’s defaults were reasonable and that the large number of settings meant that choices needed to be made. There were a couple of exceptions—photo privacy and search privacy—and Facebook is planning to introduce a “Privacy Wizard” within the next 60 days to address the concerns.

Facebook advertising: The Commissioner was generally satisfied that the advertising does not run afoul of privacy law, though she concluded that a clearer explanation of the practices is needed. Facebook agreed to some changes to address the concerns.

Third-Party Applications: The Commissioner identifies several concerns about third-party applications including a lack of information about third-party apps, the availability of too much personal information to third party developers without Facebook monitoring, inadequate disclosure to users about what is being disclosed, lack of consent, and lack of control over personal information with third-party developers. Facebook objected strongly to these findings, but the Commissioner stands by the concerns associated with privacy safeguards and consent. Facebook has thus far refused to comply.

Account Deactivation and Deletion: The Commissioner was generally satisfied with account deletion option on Facebook. The primary concern involves account deactivation, where the account is effectively retained but inaccessible to the public. The Commissioner notes that “the longer an account remains deactivated and the information in it unused, the more difficult it is to argue that retention of the user’s personal information is reasonable for the social networking purposes for which it was collected.” Further, the Commissioner expressed concern that the difference between deactivation and deletion is insufficiently clear. Facebook has refused to set a clear timeline for account deletion after a user has deactivated.

Deceased Accounts: Facebook allows for the retention of accounts as a memorial for someone who is deceased. The Commissioner found that there is inadequate disclosure of the practice to users when register for the service.

Personal Information of Non-Users: This arises when users post personal information about non-users on their profiles (including tagging on photos and videos) or provide Facebook with the email addresses of non-users. In many instances, this activity falls outside the law (i.e. a user tagging a photo is a non-commercial activity). However, where Facebook sends an email notification to a non-user about a tagged photo or provides the “Invite New Friends” feature, the law kicks in. The Privacy Commissioner has asked Facebook to address the tagging of photos, invitation system, and retention of non-users email addresses. Facebook declined to do so.

Facebook has 30 days to address the outstanding issues. If they continue to decline to do so, the Commissioner can go to Federal Court for enforcement. The finding is one of the longest and most detailed in memory as it chronicles not only the complaint and findings but the negotiations with Facebook in addressing the concerns. In doing so, it represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world.