Privacy Commissioner Jennifer Stoddart ruled that social media giant Facebook has failed to adequately address four “well-founded” allegations about its practices that contravene federal privacy law. The ruling comes after an investigation into a complaint filed by the Canadian Internet Policy and Public Interest Clinic. The CIPPC had alleged that Facebook had contravened the Personal Information Protection and Electronic Documents Act in a dozen distinct subject areas. The commissioner ruled that in eight of these subjects the allegations were not well-founded or well-founded but had been resolved leaving four subjects (third-party software applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information) where the allegations were deemed to be well-founded and where Facebook had not yet agreed to adopt the commissioners’ recommendations. In particular, the commissioner raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications. According to the investigation Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information. The report recommended that third party developers should be able to access only the user information actually required to run a specific application and nothing else. The Office of the Privacy Commissioner will review after 30 days the actions Facebook takes to comply with the recommendations. In the event of non-compliance by Facebook the Commissioner has the authority to go to Federal Court to seek to have these recommendations enforced.
Remarks by Jennifer Stoddart, Privacy Commissioner of Canada:
Full Report of Findings: