Privacy Commissioner Finds Facebook Violating Canadian Privacy Law

The Office of the Privacy Commissioner of Canada has released its long-awaited finding (media release, finding, backgrounder) in the complaint against Facebook on a variety of privacy grounds.  The complaint was launched by CIPPIC in May 2008 (note that I am an advisor to CIPPIC but had no involvement in this complaint).  The case marks an important step in assessing how Canadian privacy law addresses social media with the Commissioner identifying some significant concerns.  Moreover, as the case potentially heads to court, it will be closely watched to see whether the findings can be enforced against a global social media power like Facebook. 

The big issues include:

Default Settings:  The Commissioner was generally satisfied with Facebook's "extensive privacy settings." The finding notes that consent is different in a site like Facebook since users voluntarily upload their personal information.  She concluded that Facebook's defaults were reasonable and that the large number of settings meant that choices needed to be made. There were a couple of exceptions – photo privacy and search privacy – and Facebook is planning to introduce a "Privacy Wizard" within the next 60 days to address the concerns.

Facebook advertising:  The Commissioner was generally satisfied that the advertising does not run afoul of privacy law, though she concluded that a clearer explanation of the practices is needed.  Facebook agreed to some changes to address the concerns.

Third-Party Applications: The Commissioner identifies several concerns about third-party applications including a lack of information about third-party apps, the availability of too much personal information to third-party developers without Facebook monitoring, inadequate disclosure to users about what is being disclosed, lack of consent, and lack of control over personal information with third-party developers.  Facebook objected strongly to these findings, but the Commissioner stands by the concerns associated with privacy safeguards and consent.  Facebook has thus far refused to comply.

Account Deactivation and Deletion:  The Commissioner was generally satisfied with the account deletion option on Facebook.  The primary concern involves account deactivation, where the account is effectively retained but inaccessible to the public. The Commissioner notes that "the longer an account remains deactivated and the information in it unused, the more difficult it is to argue that retention of the user’s personal information is reasonable for the social networking purposes for which it was collected."  Further, the Commissioner expressed concern that the difference between deactivation and deletion is insufficiently clear.  Facebook has refused to set a clear timeline for account deletion after a user has deactivated.

Deceased Accounts: Facebook allows for the retention of accounts as a memorial for someone who is deceased.  The Commissioner found that there is inadequate disclosure of the practice to users when they register for the service.

Personal Information of Non-Users: This arises when users post personal information about non-users on their profiles (including tagging on photos and videos) or provide Facebook with the email addresses of non-users.  In many instances, this activity falls outside the law (i.e., a user tagging a photo is a non-commercial activity).  However, where Facebook sends an email notification to a non-user about a tagged photo or provides the "Invite New Friends" feature, the law kicks in. The Privacy Commissioner has asked Facebook to address the tagging of photos, invitation system, and retention of non-users' email addresses.  Facebook declined to do so.

Facebook has 30 days to address the outstanding issues.  If they continue to decline to do so, the Commissioner can go to Federal Court for enforcement.  The finding is one of the longest and most detailed in memory as it chronicles not only the complaint and findings but the negotiations with Facebook in addressing the concerns.  In doing so, it represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world.


  1. Last I checked, Facebook was a US company. Why would a Canadian privacy commission, or even a Canadian Federal court, have any sway here?

  2. Chrystal Ocean says:

    Account Deleted
    Have had a Facebook account for about three years, but never really got hooked into it. For extroverts and people who are more social or attract friends like flies, I can see the attraction. But for loners and those more interested in exchange of info rather than “How ya doin’?” chatter, not so much.

    Ergo, the CIPPIC report was all the excuse I needed to finally take the step to delete my account.

    For anyone considering the same and wondering how to go about it, log onto your Facebook account and search ‘delete account’. There’s a group with over 30,000 members whose sole purpose is to explain and provide the most recent direct link. After you’ve verified you want to delete your account, FB will ‘deactivate’ the account for 14 days. Provided you don’t login within that period, the account will be deleted; otherwise, you’ll have the option of reactivating the account.

  3. Then what?
    So the privacy commissioner takes facebook to court, and let’s say for argument’s sake, the court finds facebook in violation. Then what? Facebook thumbs their nose and merrily goes on its way?

    Can the officers of the company be extradited (assuming they are somewhere where we have a treaty) to Canada for prosecution? Doesn’t seem likely. But IANAL.

    Can Canadian ISPs be forced to disallow people to use facebook? Again, doesn’t seem likely.

    Michael, perhaps you can share with us your take on the possibilities here. Is there really any point to (wasting the money in) taking facebook to court?

  4. Bob Morris says:

    You do of course have the option of not using Facebook

  5. My guesses on enforcement…
    The most obvious method of enforcement is that Facebook could be restricted from commerce in Canada – if they were to try to make money (once they figure out how to make money) in Canada the government could withhold their earnings. Also, developing apps for the Facebook platform could be made illegal which would stop some pretty big Canadian companies from using Facebook.

    Finally, Canadians could be stopped from buying anything using Facebook assuming that will eventually be possible. Look at online gambling – Canadian credit cards no longer work on those sites.

    The risk to Facebook, of course, is that they become supplanted by a competitor. It’s happened to Friendster and MySpace before them and I’m sure they’re well aware of how tenuous their hold on the market is.

  6. Canadians should come up with a social media platform whose inherent business model is _not_ centered around making a profit out of their users’ data. That would allow such a platform to offer much more restrictive privacy settings all without having to drag them to the privacy commissioner and then to court.

    Until such a platform exists, I will simply not sign up unless I have absolutely no other choice.

  7. feisty_jenn says:

    i don’t see the same gap others do — Cdn jurisdiction requires a “real and substantial connection” be established, and i think there’s a fairly clear connection btw Facebook and Canada, given number of users, existence of Canadian FB networks to belong to etc.

    If that’s the case, and Federal Court makes orders against FB, then I believe US courts can enforce judgements from other jurisdictions….

  8. Done
    I deleted my account months ago…

  9. Robert Smits says:

    Facebook does give me concerns about privacy
    As a Facebook user, it does give me concerns about privacy. I want the option, when a friend sends me an online poll, for example, of participating in the poll WITHOUT giving the application my address book, or my friends’ addresses. They have no need to know what they are. So I don’t go to a lot of apps simply because they are far too intrusive.

    As for connections to Canada, there are 12 million Canadian FB users.

    The only part of the preliminary privacy commissioner’s report I didn’t like was her suggestion that users should need permission from people tagged in a photograph. The last thing we need is more restrictions on photographers, and I’m glad to see she has changed this part of her report.

  10. Weekend Pictures says:

    Facebook Default Settings
    My understanding is that Facebook settings now default all posts to “public”.

    Do you think the Privacy Commissioner will modify her report based on this?

  11. milton freidman says:

    to operate in canada
    you need to conform within canada’s laws. if you’re canadian and you want to visit the states even without working you’ll obviously need to conform to their laws. why would it be any different for a corporation? supposedly a lot of corporations want to think they share the rights of individual humans now. they should fall under most of the same laws. should they be able to skirt all regulations because they’re a corporation that wants to act like a human when it suits them, and a company when it doesn’t?

  12. Re: to operate in canada

    You do understand the dynamics here don’t you? The issue is not about facebook being a corporation and not an individual and if they should follow the rules that individuals have to follow and so on. The issue is that facebook is a non-canadian entity (corporation or otherwise).

    If facebook was a canadian corporation, none of this would be an issue as they would have complied with privacy rules here in canada from the outset, and if they didn’t it would hardly be as interesting as it is as they would just comply or be punished.

    The issue here is that facebook is not a canadian corporation, but a foreign corporation and what is most interesting here is how the prosecution of a non-canadian corporation will play out.

  13. pat donovan says:

    US privacy laws are MUCH worse than canadian.
    And this is a 1st year law-student case. seller here, buyer there, whose laws apply?
    the sellers, by the way. last time i looked.
    are you gonna ask rogers to censor out facebook for non compliance now?

  14. A Marketing Guy
    I find it funny how the Canadian Government is trying to impose rules and regulations on an American company. Couldn’t Facebook just turn around and say “Thanks for the recommendation, but no thanks” and go about business as usual? What jurisdiction does the Privacy Commission have on foreign corporations?

  15. Courtenay says:

    Unless they block all Canadian IP addresses, they have to actually TELL us Canadians that they are selling our information to third-party members. Regardless of whether or not this is an American Company, they have to comply with Canadian laws because they are in Canadian jurisdiction. How would you have reacted if this was a Canadian company not complying to American privacy laws?

    They need consent of the user to even have anyone else LOOK at our information, least of all sell it. I’d rather not have my phone number, address, and place of work be out for public display of people I have no idea who are. I deleted that information months ago, and only now do I realize that they hold on to that information indefinitely? Yeah, that’s just wonderful how they neglected to tell anyone that.


  16. Courtenay says:

    (Adding to my last sentence)

    Oh wait, they do tell us in the ToS, except they change that without notice and without letting anyone know they’ve even changed it.