Facebook Privacy: Canadian Privacy Laws and How Facebook is Changing Pt.1

I was going to write about email marketing today, particularly how to get many of the same features that you can find in ExactTargets “social sharing” with some spit and elbow grease, but then on Friday Facebook announced that it was going to implement the changes suggested by the Canadian Privacy Commissioner. Big news. However, while a lot of people are talking about the decision, few people are covering what is going to change. In this post I hope to clarify for you all Canadian Personal Information Protection law (as it applies to Facebook), the concerns of the Canadian Privacy Commissioner, Facebook’s responses, and what that means not only for Canadian Facebook users, but for Facebook users world wide.

Background:

The Canadian Internet Policy and Public Interest Clinic (CIPPIC), a group whose name must have been chosen for its palindrome acronym, is a legal clinic based out of the University of Ottawa that was established in part by funding provided to Prof. Michael Geist (if you don’t read his blog, you should) by the Amazon.com Cy Pres fund, and matched by the Ontario Research Network for Electronic Commerce. Their self proclaimed mission is:  

• to fill voids in public policy debates on technology law issues, ensure balance in policy and law-making processes, and provide legal assistance to under-represented organizations and individuals on matters involving the intersection of law and technology; and
• to provide a high quality and rewarding clinical legal education experience to students of law.

On May 30th 2008 they filed a complaint with the Canadian Privacy Commission claiming that Facebook was in breach of the Personal Information Protection and Electronic Documents Act On July 16th, 2009, Elizabeth Denham, the Assistant Privacy Commissioner of Canada released the Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) Against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act outlining her response to the CIPPICs complaints, and the results of her meeting with Facebook Inc. Following the Privacy Commissions suggestions, Facebook has agreed to:  

• Updating the Privacy Policy to better describe a number of practices, including the reasons for the collection of date of birth, account memorialization for deceased users, the distinction between account deactivation and deletion, and how its advertising programs work.
• Encouraging users to review their privacy settings to make sure the defaults and selections reflect the user’s preferences.
• Increasing the understanding and control a user has over the information accessed by third-party applications. Specifically, Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends’ information, which would still be subject to the friend’s privacy and application settings.

The Law

To properly understand the commission’s report we need to know something about Canadian privacy law. The following are excerpts from the Personal Information Protection and Electronic Documents Act: as cited by the privacy commissioner in dealing with the complaint by the CIPPIC. I have only included the sections that the report specifically cited that Facebook was in breach of.

4.1 Principle 1 – Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

• 4.1.4

  Organizations shall implement policies and practices to give effect to the principles, including […] (d) developing information to explain the organization’s policies and procedures.

4.2 Principle 2 – Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

• 4.2.1An organization shall document the purposes for which personal information is collected in order to comply with Principle 4.8 (Openness) and Principle 4.9 (Individual Access).
• 4.2.3The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.

4.3 Principle 3 – Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would

• 4.3.2The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
• 4.3.3 An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.

4.5 Principle 5 – Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

• 4.5.1Organizations using personal information for a new purpose shall document this purpose (see Principle 4.2.1).
• 4.5.2Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.
• 4.5.3Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
• 4.5.4This principle is closely linked to Principle 4.3 (Consent)

4.8 Principle 8 – Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

• 4.8.1Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
• 4.8.2The information made available shall include
  1. the name or title, and the address, of the person who is accountable for the organization’s policies and practices and to whom complaints or inquiries can be forwarded;
  2. the means of gaining access to personal information held by the organization;
  3. a description of the type of personal information held by the organization, including a general account of its use;
  4. a copy of any brochures or other information that explain the organization’s policies, standards, or codes; and
  5. what personal information is made available to related organizations (e.g., subsidiaries).

Principle 4.8.3 states that an organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number. Continued in Part 2