Facebook Bows to Canada's Privacy Demands
Facebook has capitulated under pressure brought by Canadian privacy regulators, agreeing to substantially revamp its policies regarding the use of members' information. The changes will be implemented universally, possibly with the hope of fending off more stringent demands from Europe or Australia -- or perhaps just to keep things simple for third-party app developers.
Aug 27, 2009 12:50 PM PT
The investigation was originally prompted by a complaint from a privacy advocacy group, the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa. The Commissioner's office investigated the matter and found several areas of concern.
Facebook addressed many of the issues at that point. However, the Canadian Commissioner remained concerned about the "over-sharing" of personal information with third-party developers of Facebook apps such as games and quizzes, as well as other matters. Facebook appears to have succeeded, the second time around, at satisfying these specific concerns.
"This morning, I am very pleased to be able to tell you that -- following further discussions with Facebook -- the company has now agreed to make several changes which address the issues uncovered during our investigation," Jennifer Stoddart, Privacy Commissioner of Canada, said at a press conference announcing the agreement.
The Commissioner's office was unable to return a call to TechNewsWorld in time for publication.
The changes put Facebook on the path to compliance with Canada's privacy laws, Stoddart went on to say, noting that they will benefit Facebook's entire network of 200 million users worldwide -- not just Canadians.
Facebook was unable to return a call to TechNewsWorld in time for publication.
The social networking site is not obliged to roll out these changes to all of its users, pointed out John M. Conley, an attorney with Robinson, Bradshaw & Hinson and a law professor at the University of North Carolina.
"Privacy law is much narrower in the United States than in Europe, for example," Conley told TechNewsWorld.
Canada is between the two, tilting towards Europe's comprehensive approach to privacy, he noted, adding that U.S. privacy laws and policies are oriented toward ID theft and medical disclosure.
"The presumption is that in the United States, a company can do just about anything it wants aside from these two areas," said Conley.
Why, then, has Facebook decided to extend the newly negotiated privacy changes to its worldwide constituency? A hint to the answer can be found in Canadian Privacy Commissioner Stoddart's comment that Canada is the first country to have completed a comprehensive investigation into Facebook's privacy policies. European regulators and the Australian Office of the Privacy Commissioner are looking at them as well.
"This investigation has clearly struck a chord worldwide," Stoddart said. "We've received many calls and emails thanking us for taking on these issues -- not only from Canadians, but from people as far as France and India."
Some of the changes that Canada has negotiated will require significant technological adjustments on the part of third-party developers, which may also have played a role in the decision to roll out the new policies globally.
The changes could have an even wider impact than the Commissioner envisions.
"Facebook's new policy may cause Internet users in the U.S. to expect a higher level of protection from other social media space providers," said Barnes & Thornburg's Wong.
The new policy, though, should go far in alleviating these concerns. Facebook will be introducing ways for users to control what personal information third-party developers can access. In general, the changes are designed to help users better understand how their personal information will be used and, ultimately, to make more-informed decisions about how to share that information.
Specifically, according to the Commissioner's office, Facebook has agreed to do the following:
- Retrofit its application platform in a way that will prevent any application from accessing information until it obtains express consent for each category of personal information. Users adding an application will be advised that the application wants access to specific categories of information. They will be able to control which categories of information an application is permitted to access. There will also be a link to a statement by the developer to explain how it will use the data.
In the long run, the changes should bolster Facebook's standing among users.
"Privacy policies for social networking sites generally work when affirmative notice, such as described here, is given to the account holder," said Renee F. Bergmann, an attorney with Thorp Reed & Armstrong.
Social networking sites can run into problems when they are not sufficiently clear about their policies or try to walk too close to the line separating what is permissible from what is not, said Jacqueline Klosek, an attorney with Goodwin Procter.
"This can lead to confusion and complaints among users of the sites, and, ultimately, even lawsuits," she told TechNewsWorld. "For example, Facebook came under fire for sharing information about users' video rentals when a user alleged that she was not aware that the site would be sharing this information."
Still, Facebook provides a very high level of user control, Klosek went on to say. "Users are able to determine whether they wish to make the whole profile public or to share it with only certain people."
Also, users can decide who is permitted to view certain content, such as photos or posts.
The changes are particularly significant as Facebook is making deeper inroads into the commercial world. Many businesses have a Facebook page for customers' use.
Business groups also have taken to using Facebook to interact with each other, Tony Roth, CEO of Celect.org, told TechNewsWorld.
"There are particular privacy concerns for organizations or professional groups using Facebook -- especially with FacebookConnect," he said.
"Currently, it is all about giving the user total control of the permissions granted, without a lot of gatekeeping from the Web site per se. For example, let's say I am an alumnus at the University of Illinois serving on a committee for a capital campaign for a new stadium. If I use FacebookConnect as a social party line to communicate with my committee members, how do I know that data will remain private? As I log in and out, and add my friends and/or fellow committee members, how can I be sure that the data we share back and forth will remain proprietary to the 'user' or organization?"
The information eventually ends up being culled, segmented and used for marketing purposes by Facebook, suggested Roth.