OTTAWA – Canada’s privacy watchdog says Internet phenomenon Facebook breaches the law by keeping users’ personal information indefinitely – even after members close their accounts.
Privacy Commissioner Jennifer Stoddart says the popular social networking site should hang on to the data only for as long as truly necessary.
In a report Thursday, Stoddart also raised concerns about the sharing of users’ personal information with the almost one million third-party developers around the globe who create Facebook applications such as games and quizzes.
She urged the site to remedy the privacy shortfalls, raising the possibility of legal action if it doesn’t comply.
Facebook, which has nearly 12 million Canadian users, allows people to keep in touch with friends and family by updating their personal pages with fresh messages and photos.
“Canadians live more and more in a virtual world,” Stoddart said at a news conference. “It brings many advantages.”
Her investigation found that although Facebook provides information about its privacy practices, it is often confusing or incomplete. “It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates.”
For example, the “account settings” page describes how to deactivate accounts but not how to delete them, which actually removes personal data from Facebook’s computer servers.
Stoddart wants Facebook to wipe the information in deactivated accounts after a reasonable length of time.
Facebook agreed to add information about account deletion to its privacy policy, but refused to come up with a policy on retention of old accounts.
Facebook lacks proper safeguards to prevent independent developers of games and other applications from seeing users’ profile information, along with details about their online “friends,” the investigation found.
The report recommends technological measures to ensure developers have access only to the user information actually required to run a specific application. It also says Facebook should prevent disclosure of personal information of any of the user’s friends who are not themselves signing up for the application, unless they consent.
Facebook hasn’t agreed to the recommendations on third-party access.
However, Facebook agreed to more fully explain the advertising used to generate revenue and to inform members that their profile information is used to decide which ads to feature.
In general, Stoddart calls for more transparency to ensure the site’s Canadian users have knowledge they need to make meaningful decisions about how widely they share personal information.
The privacy commissioner will review Facebook’s actions after 30 days to gauge progress. She can take the case to the Federal Court of Canada to have her recommendations enforced.
“It’s discretionary. We’re very hopeful that things can be solved,” she said. “But we can go to Federal Court on a variety of things.”
She launched the probe in response to a complaint last year from the Canadian Internet Policy and Public Interest Clinic.
The clinic, based at the University of Ottawa’s law faculty, alleged numerous violations by Facebook.
Stoddart found four of 12 aspects of the complaint were well-founded. Four were well-founded but resolved after Facebook agreed to make changes. The final four issues were dismissed.
