[LINK] EPIC Note on Facebook and the Canadian PC'er
Roger Clarke
Roger.Clarke at xamax.com.au
Sat Aug 29 09:27:56 AEST 2009
http://www.epic.org/alert/EPIC_Alert_16.16.html
=======================================================================
[3] Privacy Compliance for Facebook, Some Changes Made
=======================================================================
In mid-July, the Office of the Privacy Commissioner of Canada released
a Report of "Findings into the Complaint Filed by the Canadian Internet
Policy and Public Interest Clinic" against Facebook, Inc. The complaint
was filed by the CIPPIC under the Personal Information Protection and
Electronic Documents Act and comprised 24 allegations ranging over 12
distinct subjects. These included default privacy settings, collection
and use of users' personal information for advertising purposes,
disclosure of users' personal information to third-party application
developers, and collection and use of non-users' personal information.

Although the Commissioner's Office made several recommendations which
were resolved, the Assistant Privacy Commissioner of Canada found
Facebook to be in contravention of PIPEDA in the subjects of third-party
applications, account deactivation and deletion, accounts of deceased
users, and non-users' personal information. The Assistant
Commissioner determined that Facebook did not have adequate safeguards
in place to prevent unauthorized access by application developers to
users' personal information, and furthermore was not doing enough to
ensure that meaningful consent was obtained from individuals for the
disclosure of their personal information to application developers.

The Commissioner's Office made several suggestions to Facebook. The
Office advised the social networking firm to limit application
developers' access to user information, inform users specifically about
the nature and use of shared information, and share information after
obtaining consent of only users who add an application. The Office also
said that deactivated account information should be deleted after a
reasonable length of time, and that the privacy policy be amended to
include all intended uses of personal information. Facebook was given
30 days. Facebook updated its privacy policy on August 11, 2009 to
include "clarifying changes and minor updates."

The updated policy asks developers, operators of platform applications,
and websites to respect user privacy settings. The modified policy
directs developers to use the data received only to operate the
specific applications, inform readers on what data is being collected,
how it would be used, and whether it would be shared. The policy also
states that developers must delete user data if their application is
deleted by the user. The updated policy also made some clarifications
in terms regulating advertisements and in the special provisions
applicable to advertisers.

Facebook is complying with the Commissioner's Office and revising
its Privacy Policy to better describe a number of practices, including
the reasons for the collection of date of birth, account
memorialization for deceased users, the distinction between account
deactivation and deletion, and how its advertising programs work.
It will also educate users about reviewing their privacy settings to
make sure the defaults and selections reflect the user's preferences.

The social networking firm has also undertaken the task of increasing
the understanding and control a user has over the information accessed
by third-party applications. Facebook plans to introduce a new
permissions model that will require applications to specify the
categories of information they wish to access and obtain express
consent from the user before any data is shared. Further, users would
also have to specifically approve any access to their friends'
information, which would still be subject to the friend's privacy and
application settings.

In June, the Article 29 Working Party warned about the dissemination
and use of information available on Social Networking Sites for other
secondary, unintended purposes. The officials issued an opinion
requiring robust security, privacy-friendly default settings. The
European Privacy Commissioners recommended that controllers take
"appropriate technical and organizational measures, 'both at the time
of the design of the processing system and at the time of the
processing itself' to maintain security and prevent unauthorized
processing, taking into account the risks represented by the processing
and the nature of the data." Earlier, in January, EPIC had suggested
the regulation of Social Network Service partners, including
advertisers and application developers.

Office of the Privacy Commissioner of Canada:
http://www.priv.gc.ca/index_e.cfm
Report of Findings into the Complaint Filed by the CIPPIC against
Facebook, Inc. under PIPEDA:
http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm
Personal Information Protection and Electronic Documents Act (PIPEDA):
http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm#appendixB
Remarks at a Media Briefing - Jennifer Stoddart (July 16, 2009):
http://www.priv.gc.ca/speech/2009/sp-d_20090716_e.cfm
Redlined Version of Proposed Changes to Facebook's SRR:
http://www.box.net/shared/hi66nsrhss
Facebook Announces Privacy Improvements in Response to Recommendations
by Canadian Privacy Commissioner:
http://www.facebook.com/press/releases.php?p=118816
Facebook agrees to address Privacy Commissioner's concerns:
http://www.priv.gc.ca/media/nr-c/2009/nr-c_090827_e.cfm
Delivering More Control and Transparency, Facebook Blog, August 27, 2009:
http://blog.facebook.com/blog.php?post=126129882130
Article 29 Working Party Opinion of Social Networking Sites:
http://epic.org/privacy/socialnet/Opinion_SNS_090316_Adopted.pdf
Article 29 Working Party:
http://epic.org/redirect/040109_A29WP.html
Facebook Privacy Policy:
http://www.facebook.com/policy.php
Facebook Statement of Rights and Responsibilities:
http://www.facebook.com/terms.php
EPIC's Suggestion on Social Networking Privacy:
http://www.cpdpconferences.org/L-Z/rotenberg.html
EPIC - Facebook Privacy:
http://epic.org/privacy/facebook/
EPIC - Social Networking Privacy:
http://epic.org/privacy/socialnet/
=======================================================================
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW