Skip the navigation

Canadian group charges that Facebook violates privacy laws

Complaint seeks review of social network rules by Canadian Privacy Commissioner

By Heather Havenstein
May 30, 2008 12:00 PM ET

Computerworld - A Canadian public policy group today filed a complaint charging Facebook Inc. with 22 separate violations of a Canadian personal information protection law.

The Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa, asks the Privacy Commissioner of Canada to investigate what it describes as Facebook's failure to inform members how their personal information is disclosed to third parties for advertising and other commercial activities. The complaint also alleges that Facebook has failed to obtain permission from members for disclosure of their personal information.

In a statement to Computerworld, Facebook said it prides itself in offering users "industry leading" over personal information.

"We believe that this is an important reason that nearly 40% of Canadians on the Internet use our service," the statement said. "We've reviewed the complaint and found it has serious factual errors -- most notably its neglect of the fact that almost all Facebook data is willingly shared by users. The complaint also misinterprets [the Canadian law in question] in a manner that would effectively forbid voluntary online sharing of information and ignores key elements of Facebook's privacy policy and architecture."

Facebook added that it will work with the Canadian privacy commissioner to "set the record straight and will continue out ongoing efforts to educate users and the public around privacy controls on Facebook."

The complaint alleges that Facebook violates the Canadian Personal Information Protection and Electronic Documents Act, which Philippa Lawson, the clinic's director, said is much stricter than U.S. personal information protection laws.

"In Canada, we have data protection legislation that applies to all commercial entities that require [them] to get informed consent from individuals before they collect, use or disclose personal information," she said. "You can't collect more personal information than you need for the purpose you get consent. We think Facebook is violating those rules in a number of respects."

The group contends that Facebook violates the law in three areas: social networking, social advertising and third-party applications.

On the social networking side, the complaint says that Facebook is not clear enough about broadly user information is shared with people they don't know, Lawson said. For example, Facebook allows users to join groups called Networks based on geographical location, hobbies and interests. The complaint acknowledges that upon joining a Network, users are informed that they will be sharing their profiles with other users in the network, and are informed they can change their privacy setting to prevent this sharing. However, the complaint notes that they are not prompted to go to a page to change the settings.

"There are problems with that in that it is not clear enough to users how broadly their information is being shared with people they don't know," according to Lawson. "The default privacy settings are set to share with strangers. Under Canadian law, they would have to get opt-in consent … rather than defaulting people to share and then expect them to figure out how they can opt out."

Our Commenting Policies