The Office of the Privacy Commissioner (OPC) has come down hard on Facebook, and will be taking the company to court. As I wrote in an earlier post, we should be skeptical of Facebook’s now-insistent message about protecting users’ privacy; a new report of findings of the OPC and the Information and Privacy Commissioner of British Columbia illustrates this even further.
In brief, the report has found that Facebook:
- failed to obtain meaningful consent for disclosure of your personal data to third-party apps, and allowed those apps to also capture data from your friends. A third-party app includes games and features available within Facebook, but it also includes external applications that request access to Facebook profile data.
- relied on “overbroad” and conflicting language in its communications about privacy. This would make it difficult for you to understand what data collection you were agreeing to, or how that data would be used.
- did not implement safeguards to protect your data, relying on “agreements” with developers that the company did not adequately monitor or enforce. Moreover, Facebook did not take responsibility for protecting your data; instead, it tried to make that your responsibility, and the responsibility of app developers. This is consistent with Facebook’s ongoing insistence that they’re just a platform—a “cipher” for your personal data, with no accountability for how others use it.
- did not implement recommendations made by the OPC in a similar investigation in 2009.
- had an empty privacy framework.
Facebook’s response is that they see the findings as invalid. This denial is somewhat expected, since an admission could open them up to (gasp) regulation or penalties. The company recently got a bothersome £500,000 fine from the UK Information Commissioner, and just yesterday reported they were expecting a fine of up to $5 billion from the United States’ Federal Trade Commission.
Facebook has refused to implement the recommendations in the OPC findings, so the OPC is going to take them to court. The OPC has little choice, since there is no mechanism in the Personal Information Protection and Electronic Documents Act (PIPEDA) to allow fines to be levied (there are fines for failing to report privacy breaches in subsection 46(1), but that’s it).
It’s easy, here, to get angry at Facebook, but let’s face it: we have all known, for some time now, what kind of animal Facebook is. What this report really highlights—as has already been pointed out repeatedly—is that Canada’s privacy protection framework is woefully behind the times and does not have nearly enough teeth.
I would love to see the government finally take action in response to Commissioner Therrien’s constant calls for reform, but I fear that privacy failures of this kind have become so common that we no longer view them as exceptional, and won’t make it an election issue this year.