SNS Privacy Practices: Canada, the EU and Beyond

September 30, 2009

As the Privacy Commissioner of Canada clamps down on Facebook’s use of personal data and Facebook changes its policies as a result, other social networking sites around the world may well find themselves following suit. The threat of legal action by the Canadian Privacy Commission came after a year’s investigation into how Facebook’s practices met the requirements of Canadian Privacy Law. The consequences could be far-reaching.  

Facebook plan to implement the new measures globally but, only weeks prior to the Canadian decision, the EU Article 29 Data Protection Working Party had issued an opinion suggesting guidelines and minimum requirements for Social Networking Providers (SNPs) to comply with EU law (namely, the Data Protection Directive 95/46/EC).[1] Whilst not legally binding, the Opinion will have persuasive force in changing the practices of SNP sites such as Facebook, MySpace and Twitter, which come into contact with, and process, personal data, as an integral part of their existence.

Canadian Decision 

Following a complaint from the Canadian Internet Policy and Public Interest Clinic (CIPPIC) about Facebook’s privacy policies, the Privacy Commissioner launched an investigation into Facebook.  

On 15 July 2009, the Office of the Privacy Commissioner published a report detailing how Facebook was failing to comply with Canadian privacy law and giving Facebook 30 days to respond.  Whilst Facebook’s initial response was deemed unsatisfactory, the Commissioner is now apparently pleased with Facebook’s proposals to improve privacy protection on its web site.

The main issues the Canadian Privacy Commissioner had were in relation to:

· third-party application developers;
· deactivation of accounts (and the retention of personal information);
· personal information of non-users; and
· accounts of deceased users (and ‘memorializing’ their account profile).

Commenting on the outcome and proposed next steps by Facebook after the investigation, the Privacy Commissioner for Canada, Jennifer Stoddart, noted that the protection of personal information is a global issue.  She hoped that, in the future, global technology firms would do more due diligence in the area of privacy, especially as the investigation had struck a chord worldwide. 

Over the next year, the Office of the Privacy Commissioner will be following up to ensure that Facebook is continuing to comply with Canadian privacy law, as well as developing the technologies promised within the required one-year time frame.

The official report of the Facebook investigation by the Canadian Privacy Commissioner is available at http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.cfm#summary; in particular, the table of findings set out in Appendix A to the report is especially worth reviewing.

For the purposes of this article, however, I have set out a brief summary of the key findings and recommendations in relation to the respective functionality of the Facebook site (the allegations refer to those made by CIPPIC which instigated the investigation). It is intriguing to see the breakdown of categories of personal information that have been used, and this categorisation may be useful for other data privacy enforcement authorities elsewhere reviewing regulation in this area.

Allegations Not Well-Founded

 

New Uses of Personal Information, Collection of Personal Information from Sources Other than Facebook, Facebook Mobile and Safeguards, and Deception and Misrepresentation. 

Allegations Well-Founded and Resolved

Collection of Date of Birth, Default Privacy Settings, Advertising, and Monitoring for Anomalous Activity (ie ‘resolved’ on the basis of corrective measures proposed by Facebook in response to recommendations). 

Allegations Well-Founded with Issues Unresolved

Third-party Applications, Account Deactivation and Deletion, Accounts of Deceased Users, and Personal Information of Non-Users (ie unresolved in that Facebook has not yet agreed to adopt certain recommendations or acceptable alternatives). The recommendations remaining at issue are as follows.

Third-party Applications

Facebook is to consider and implement measures:

1. to limit application developers’ access to user information not required to run a specific application;
2. whereby users would in each instance be informed of the specific information that an application requires and for what purpose;
3. whereby the user’s express consent to the developer’s access to the specific information would be sought in each instance; and
4. to prohibit all disclosures of personal information of users who are not themselves adding an application.

Account Deactivation and Deletion

Facebook is to develop, institute, and inform users of, a retention policy so that personal information of users who have deactivated their accounts will be deleted from Facebook’s servers after a reasonable length of time.

Accounts of Deceased Users

Facebook is to include in its Privacy Policy, in the context of all intended uses of personal information, an explanation of the intended use of personal information for the purpose of memorializing the accounts of deceased users.

Personal Information of Non-Users

Facebook is to: (a) consider and implement measures to improve its invitation feature so as to address concerns about non-users’ lack of knowledge and consent to collection, use, and retention of their e-mail addresses; and (b) set a reasonable time-limit on the retention of non-users’ e-mail addresses for purposes of tracking invitation history and the success of the referral program. 

It is worthwhile comparing the findings of the Canadian Privacy Commissioner with the Opinion. 

Article 29 Working Party Opinion

As recently as February this year, SNPs made a voluntary commitment to improve transparency within the EU regarding the use of personal data.  However, the plans are not as far-reaching as those recommendations set out in the Opinion. 

Identification of SNPs as Data Controllers

One of the first recommendations of the Opinion is that the data controllers (as defined under the Directive) identify themselves as such.  Generally the data controllers will be the SNP, but data controllers can also include third-party application providers if they develop applications that run in addition to those provided by the SNP, and members make use of them.   

Users, who normally are not data controllers by virtue of the Household Exemption (Directive, Art 3(2)), may also themselves become data controllers if their activities go beyond purely personal use.  The main instances when users will not benefit from the exemption will be where: 

· the purpose and nature of processing activities go beyond purely personal activities, including where (i) social networks are used as collaboration platforms on behalf of an association or company or to advance political, commercial or charitable goals and (ii) users have a high number of contacts and it is likely that these contacts are not known to that user;
· access to profile information extends beyond self-selected contacts – a lot of other people may access the user’s profile (eg where data is indexable by internal search engines or all members have access to the profile or where a user allows those who are not self-selected friends to access profile information or where a user accepts a friend request in the absence of any genuine relationship with that person);
· users process third-party data where (a) users process sensitive personal information or (b) that processing is unlawful or illegal under national law (eg it is defamatory, harassment or criminal).

In some of these circumstances, therefore, the user will be a data controller and will need consent for such purposes or will need to benefit from another exemption under the Directive or otherwise (eg exemption for journalistic purposes, artistic or literary expression). In this event, a balance must be struck between the human rights of freedom of expression on the one hand and the right to privacy on the other.

The reality therefore is that, in many cases, users will not benefit from the Household Exemption. 

Identification of Data Controllers

Of fundamental importance is that data controllers identify themselves as such to users, and give the user information on how their personal data is being used and for what purpose (thus ensuring compliance with Article 10 of the Directive).  Additionally, on the SNP’s home page, there should be a clear reference to the existence of a complaints handling procedure. 

Default Settings

The Working Party advocates the use of ‘privacy-friendly’ default settings in line with current user preferences, as many users do not change the default.  For example, SNPs should, by default, restrict access to profiles by third parties and internal search engines. 

Direct Marketing

The Opinion calls for SNPs to provide users with an overview on profiles and information on the use of data for direct marketing and the sharing of data with specified third parties.  

The Working Party notes that SNPs have no legal basis for creating pre-built profiles for non-members even if an e-mail had been sent to that non-member to inform him or her of the existence of personal data relating to them being held by the SNP; this would fall foul of the ePrivacy Directive prohibiting unsolicited e-mail messages for direct marketing purposes.[2]  Similarly, use of sensitive data in user profiling or behavioural advertising functionality should be avoided unless permitted by applicable exemptions. 

Personal Data of Non-Users

The Opinion recommends that SNPs provide to users information on the use of sensitive data and warn users of the privacy risks to themselves and others upon the uploading of information.  This is noted to be perhaps the most difficult problem of social networking on the Internet – the possibility of members posting information about non-members from which those non-members can be identified.

The Working Party is concerned about the rights of those individuals about whom users upload information; users need to be warned that they should obtain consent from individuals about whom information (including photos) is uploaded.  Such a warning would provide a balance between the interests of the SNPs and the users. 

This recommendation is of limited use as non-members have no information on what data members are posting about them. 

Sensitive Data and Minors

Article 8 of the Directive concerns the processing of sensitive data, which includes any data relating to ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data relating to health or sex life.   

Generally, sensitive personal data may be published on the Internet only if the subject of that data has made the data public himself.  Interestingly, whilst some Member States consider images of a data subject to be ‘sensitive’, the Working Party does not take this view, unless the images are obviously used to reveal sensitive data about the individual.  In their capacity as data controllers, the Opinion states that SNPs should not process sensitive data without explicit consent which is specific and voluntary or where the data subject has made that data publicly available themselves (this latter exemption may only be available where Member States have not laid down exemptions from this rule).

Further, the Working Party recommends that SNPs do not ask for sensitive data from minors in subscription forms.  Again the recommendation may be of limited use as the subject of minors is tricky, especially as it is hard to verify a user’s real age.  

On this issue, it is also worth bearing in mind the Canadian Privacy Commissioner’s report and findings on Facebook in relation to age verification and minors: in particular, the comments on the FTC’s role in enforcing privacy for children under the US Children’s Online Privacy Protection Act (COPPA),[3] namely that SNP sites offer date of birth (DOB) drop-down boxes which are not limited to the years for those aged 13 and over (but allow users to set their age unrestrictedly) and also use a tracking mechanism to prevent children from ‘back-clicking’ to change their DOBs once they have been blocked from a site.

Third-party Access

The Working Party recommends that SNPs should ensure access by third parties is limited to only what is necessary.  Users should have the opportunity to report concerns and have clear and specific information about third parties’ use of data. The Opinion therefore recommends that, when offering an application programming interface (API) which enables access to a user’s personal data, the SNP should provide for a sufficient ‘level of granularity’ that allows a user to choose an appropriate level of access as is necessary for that third-party application to provide the service on offer.  

One way of ensuring this would be to require third-party application providers to agree to specific terms of service which include a provision to this effect (and, perhaps, even an appropriate template of data fields for authorising such access). 

Interestingly, the Canadian Privacy Commissioner’s report drew on research carried out in October 2007 by the University of Virginia, which published a survey of the information needs of the top 150 Facebook applications:[4] 

‘We found that 8.7% didn’t need any information; 82% used public data (name, network, list of friends); and only 9.3% needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7% of applications are being given more privileges than they need’.

Facebook has disputed the methodology used in this research but, nonetheless, this appears persuasive in requiring SNPs to tighten privacy rules and requirements for third-party applications. As a result of the investigation by the Canadian Privacy Commissioner, Facebook will now require third-party application developers to specify what type of information they want access to and they will have to get express consent from the user before data is sent.  Further, the user will have to approve any access to any of their contacts’ information.[5] 

Retention of Information

The Working Party is concerned about retention of information and has suggested that in the case of: 

o banned users, information about them should be deleted after 1 year;
o users who have deleted profiles, the information should be deleted immediately;
o users who have an inactive account, the information should be deleted after a designated period – before which the user is warned of this fact.

Territorial Application 

The Opinion also reminds us that the Directive may apply to SNPs even where they have headquarters outside the EEA – so it is potentially of global application. Whether or not the Directive applies is down to whether the SNP is ‘established’ in the EEA or the relevant Member State (in the UK, this is determined by the Data Protection Act 1998, s 5).[6] 

New ICO Code of Practice 

Looking forward, it is worth noting that the UK Information Commissioner’s Office (ICO) are in the process of writing a new Personal Information Online Code of Practice to help organisations which collect personal information through web sites comply with the law.  It will include guidance on the rights and protections for individuals as well as how to run a privacy-friendly site.  Publication of the new Code is expected in around May 2010.  

The launch of the consultation for the new code is to take place at the Personal Information Online Conference on 9 December later this year where Christopher Graham, the newly appointed Information Commissioner, will give the keynote address.

It is hoped that the ICO will take on board and consider the previous findings and recommendations made by the Working Party and the Canadian Privacy Commissioner (especially in relation to the latter since its report findings are particularly detailed and pragmatic and have involved the specific consultation and co-operation of a key SNP).

In addition, the ICO may wish to consider the application of these findings and the Opinion in relation to the use of personal data in the context of other applications and new media platforms, such as the iPhone and Sky’s new ‘AdSmart’ targeted advertising, user profiling technology (due to go live on Sky Player next year and on its main linear service in early 2011).  Data privacy is often sniffed at, but given that Facebook has 250 million users worldwide, these findings are significant. 

Philip James is a Senior Associate in the Media, Brands & Technology team at Lewis Silkin LLP: philip.james@lewisssilkin.com

 



[1] 01189/09/EN WP 163 Adopted 12.06.2009

[2] EC Directive 2002/58/EC

[3] See: p 12 ff of the Federal Trade Commission’s Report to Congress: ‘Implementing the Children’s Online Privacy Protection Act’ on age verification practices which may assist in the protection of minors at http://www.ftc.gov/reports/coppa/07COPPA_Report_to_Congress.pdf.

[4] See para 182 of the Canadian Privacy Commissioner’s Report.

[5] The Privacy Commissioner’s report also looked closely at Facebook’s Terms of Service and operators in this space would be advised to review the original and revised terms following the findings.

[6] See Article 29 Working Party Opinion on Search Engines and the establishment and the use of equipment in determining applicability of the Directive: 00737/EN WP 148 dated 04.04.2008