Should Facebook and Google users in the U.S. thank the Canadian government for protecting their privacy? A pretty good case could be made that they should. Both Internet giants have had their hands slapped by the Canadian Privacy Commissioner, and have had to alter their policies as a result (although Facebook is still considering its full response to the CPC complaint), and those changes have had the net result of protecting the privacy of U.S. users as well.
In the case of Facebook, the Privacy Commissioner’s office filed notice last week that the social-network provider’s protection of personal data didn’t meet federal standards on a number of points — 22 of them, to be exact. The government department advised Facebook to alter its practices to bring them into compliance, or possibly face court proceedings that would compel the company to abide by the rules.
One of the aspects of Facebook’s privacy protections that caught the Commissioner’s eye was the amount of personal data that is transmitted to or shared with the creators of third-party applications that Facebook users often agree to add to their profiles. Under the company’s rules, these third-party apps don’t have to provide much detail about what they plan to do with your personal data, and they collect a lot of data that isn’t really necessary, according to Privacy Commissioner Jennifer Stoddart.
This is something that many users have noted (and programmers as well), but in Canada that kind of personal data collection and retention isn’t just an irritation or curiosity, it’s potentially a breach of Canadian law. The law in question is the federal Personal Information Protection and Electronic Documents Act (or PIPEDA), which sets strict limits on what information can be collected, the amount of disclosure required, the purposes to which it can be put, and how long it can legally be retained. It is different in many key respects from U.S. privacy laws.
The Facebook investigation raised what the Commissioner’s office called “significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes.” The agency said that the company “lacks adequate safeguards to effectively restrict these outside developers from accessing profile information.”
The Commissioner’s report recommended a number of changes, including “technological measures to ensure that developers can only access the user information actually required to run a specific application” as well as taking steps to “prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.” The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts.
This is the second time that Canada has stepped in to advise a major Internet player of their neglect of privacy rules. Last year, Google came under fire from the Commissioner’s office over its Streetview” service, which hasn’t even launched in Canada yet. After reports emerged that cars belonging to Google had been seen filming in Toronto and other major cities, the federal agency released a statement calling on the company to change its methods to better protect people’s privacy.
In particular, the Commissioner said that revealing the faces of specific individuals without their consent was a breach of Canadian privacy laws, and so was revealing personal information such as car license plates. In the U.S., taking a photograph of someone in a public place without their consent is legal, but in Canada such photos are considered an invasion of privacy, unless they are taken for artistic or journalistic purposes, such as reporting on a news event.
Google responded by using automated technology to blur the faces of people in its Street View photo montages – a feature it is also rolling out in the U.S. and other jurisdictions as well.