I was going to write about email marketing today, particularly how to get many of the same features that you can find in ExactTargets “social sharing” with some spit and elbow grease, but then on Friday Facebook announced that it was going to implement the changes suggested by the Canadian Privacy Commissioner. Big news. However, while a lot of people are talking about the decision, few people are covering what is going to change.
In this post I hope to clarify for you all Canadian Personal Information Protection law (as it applies to Facebook), the concerns of the Canadian Privacy Commissioner, Facebook's responses, and what that means not only for Canadian Facebook users, but for Facebook users world wide.
- The Law
- The Privacy Commissioners report
Section 1 – The Use of Date of Births (DOBs)
Section 2 – The Pre-selection of Privacy Settings
Section 3 – The use of personal information for advertising purposes
Section 4 – Third Party Applications
Section 6 – Collection of Information from Sources Other than Facebook
Section 7b – Accounts of Deceased Users
Section 8 – Personal Information of Non-users
Section 10 – Monitoring for Anomalous Activity
The Canadian Internet Policy and Public Interest Clinic (CIPPIC), a group whose name must have been chosen for its palindrome acronym, is a legal clinic based out of the University of Ottawa that was established in part by funding provided to Prof. Michael Geist (if you don't read his blog, you should) by the Amazon.com Cy Pres fund, and matched by the Ontario Research Network for Electronic Commerce.
Their self proclaimed mission is:
- to fill voids in public policy debates on technology law issues, ensure balance in policy and law-making processes, and provide legal assistance to under-represented organizations and individuals on matters involving the intersection of law and technology; and
- to provide a high quality and rewarding clinical legal education experience to students of law.
On May 30th 2008 they filed a complaint with the Canadian Privacy Commission claiming that Facebook was in breach of the Personal Information Protection and Electronic Documents Act
On July 16th, 2009, Elizabeth Denham, the Assistant Privacy Commissioner of Canada released the Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) Against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act outlining her response to the CIPPICs complaints, and the results of her meeting with Facebook Inc.
Following the Privacy Commissions suggestions, Facebook has agreed to:
- Encouraging users to review their privacy settings to make sure the defaults and selections reflect the user's preferences.
- Increasing the understanding and control a user has over the information accessed by third-party applications. Specifically, Facebook will introduce a new permissions model that will require applications to specify the categories of information they wish to access and obtain express consent from the user before any data is shared. In addition, the user will also have to specifically approve any access to their friends' information, which would still be subject to the friend's privacy and application settings.
To properly understand the comissions report we need to know something about Canadian privacy law. The following are excerpts from the Personal Information Protection and Electronic Documents Act: as cited by the privacy commissioner in dealing with the complaint by the CIPPIC. I have only included the sections that the report specifically cited that Facebook was in breach of.
4.1 Principle 1 – Accountabillity
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.
Organizations shall implement policies and practices to give effect to the principles, including
(d) developing information to explain the organization's policies and procedures.
4.2 Principle 2 – Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
An organization shall document the purposes for which personal information is collected in order to comply with Principle 4.8 (Openness) and Principle 4.9 (Individual
The identified purposes should be specified at or before the time of collection to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. An application form, for example, may give notice of the purposes.
4.3 Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, organizations that do not have a direct relationship with the individual may not always be able to seek consent. For example, seeking consent may be impractical for a charity or a direct-marketing firm that wishes to acquire a mailing list from another organization. In such cases, the organization providing the list would
The principle requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
4.5 Principle 5 – Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
Organizations using personal information for a new purpose shall document this purpose (see Principle 4.2.1).
Organizations should develop guidelines and implement procedures with respect to the retention of personal information. These guidelines should include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual shall be retained long enough to allow the individual access to the information after the decision has been made. An organization may be subject to legislative requirements with respect to retention periods.
Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
This principle is closely linked to Principle 4.3 (Consent)
4.8 Principle 8 – Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization's policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.
The information made available shall include
- the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
- the means of gaining access to personal information held by the organization;
- a description of the type of personal information held by the organization, including a general account of its use;
- a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
- what personal information is made available to related organizations (e.g.,subsidiaries).
Principle 4.8.3 states that an organization may make information on its policies and practices available in a variety of ways. The method chosen depends on the nature of its business and other considerations. For example, an organization may choose to make brochures available in its place of business, mail information to its customers, provide online access, or establish a toll-free telephone number.
Continued in Part 2