
Canadians are fighting back against the privacy violations.

from: Canadian Internet Policy and Public Interest Clinic

TO: Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3

Summary of PIPEDA Complaint
To summarize, we submit that Facebook is in violation of the following PIPEDA provisions in
the following regards:
Principle 4.2 – Identifying Purposes:
Principle 4.2.2
Principle 4.2.2 requires that an “organization identify the purpose for which personal information
is collected at or before the time of collection” and that an “organization collect only the
information necessary for the purposes that have been identified.”
• Facebook allows third party application developers to access User information that is
beyond what is necessary to operate their applications.
Principle 4.2.3
Principle 4.2.3 sets out that “the identified purposes should be specified at or before the time of
collection to the individual from whom the personal information is collected.”
• Facebook does not precisely identify why Users’ information is collected from other
sources.
Principle 4.2.4
Principle 4.2.4 sets out that “when personal information that has been collected is to be used for
a purpose not previously identified, the new purpose shall be identified prior to use. Unless the
new purpose is required by law, the consent of the individual is required before information can
be used for that purpose.”
• Facebook reserves the right to modify or add to its Terms of Use without notice.
• Facebook retains deceased Users’ profile for memorial reasons, a new purpose.
Principle 4.2.5
Principle 4.2.5 recommends that information collectors “should be able to explain to individuals
the purpose for which the information is being collected.”
• Facebook does not explain to Users why third party application developers need access
to all their User information.
Principle 4.3 – Consent:
Principle 4.3.1
Principle 4.3.1 sets out that “consent is required for the collection of personal information and
the subsequent use or disclosure of this information.”
• Facebook does not obtain the consent of non-Users to collect their information from
Users, to share their information with other Users, and to retain their information.
Principle 4.3.2
Principle 4.3.2 sets out that “organizations shall make a reasonable effort to ensure that the
individual is advised of the purposes for which the information will be used” and that meaningful
consent requires that “the purposes must be stated in such a way that the individual can
reasonably understand how the information will be used or disclosed”.
• Facebook does not make a reasonable effort to ensure that Users are advised of:
o The purposes for which their dates of birth will be used;
o The purpose of using User information for Social Ads;
o All the types of information that are shared with third party application developers,
including Friends’ information; and
o The purpose behind retaining information of Users who have deactivated their
accounts.
Principle 4.3.3
Principle 4.3.3 sets out that “an organization shall not, as a condition of the supply of a product
or service, require an individual to consent to the collection, use, or disclosure of information
beyond that required to fulfill the explicitly specified and legitimate purposes.”
• Facebook requires Users, as a condition of use of its service, to:
o Provide their dates of birth despite that its purpose for doing so is not explicitly
specified; and
o Participate in one variation of Social Ads despite that this activity is beyond that
required to fulfill Facebook’s explicitly specified and legitimate purpose of social
networking.
• Facebook requires Users, as a condition to use of third party platforms, to:
o Share personal information with third party application developers that is beyond
what is required to fulfill the purposes of the applications.
• Facebook retains non-Users’ email addresses for purposes beyond sending them an email
to invite them to Facebook.
Principle 4.3.6
Principle 4.3.6 sets out that “an organization should generally seek express consent when the
information is likely to be considered sensitive.”
• Facebook does not obtain express consent to share sensitive information in the following
ways:
o Users’ information with other Users in joined Networks;
o Users’ photo albums and associated comments with everyone;
o Users’ name and picture searchable to everyone;
o Users’ information with third party application developers and with third party
advertisers;
o Non-User’s information, including photographs, with Users; and
o To retain Users’ information after they deactivate their accounts.
Principle 4.3.8
Principle 4.3.8 sets out that “An individual may withdraw consent at any time, subject to legal or
contractual restrictions and reasonable notice.”
• Facebook does not permit active Users to withdraw consent from the Social Ads that are
displayed in the left hand “Ad Space” of their Profiles.
• Facebook does not inform Users who withdraw consent to share their personal
information with third party application developers that all their applications will be lost.
• Facebook does not permit Users who effectively withdraw consent to share their
information by deactivating their accounts to do so.
Principle 4.4 – Limiting Collection:
Principle 4.4.1
Principle 4.4.1 sets out that “both the amount and type of information collected must be limited
to what is necessary to fulfill the purposes identified.”
• Facebook allows third party application developers to collect information beyond what is
necessary to run the applications.
Principle 4.4.2
Principle 4.4.2 sets out that “consent with respect to collection must not be obtained through
deception.”
• Facebook deceives Users about its purposes for collecting personal information and
about the level of User control over their personal information.
Principle 4.5 – Limiting Use, Disclosure, and Retention:
Principle 4.5.2
Principle 4.5.2 sets out that “organizations should develop guidelines and implement procedures
with respect to the retention of personal information.”
• Facebook does not indicate the retention period for Profiles of Users who have
deactivated their accounts anywhere on its Privacy Policy or website.
Principle 4.5.3
Principle 4.5.3 sets out that “personal information that is no longer required to fulfill the
identified purposes should be destroyed, erased, or made anonymous”.
• Facebook does not guarantee that personal information that has been disclosed to third
party application developers will be destroyed once a User removes an application from
Facebook.
• Facebook retains Users’ personal information after they have terminated their accounts,
when their information is no longer necessary to serve Facebook’s identified purpose of
social networking.
Principle 4.7 – Safeguards:
Principle 4.7.1
Principle 4.7.1 sets out that an organization shall have security safeguards that “shall protect
personal information against loss or theft, as well as unauthorized access, disclosure, copying,
use, or modification.”
• Facebook enables a cookie of indefinite length on a User’s mobile device, which could
potentially allow others to access the User’s Facebook account.
Principle 4.8 – Openness:
Principle 4.8.1
Principle 4.8.1 sets out that “individuals shall be able to acquire information about an
organization’s policies and practices without unreasonable effort.”
• Facebook does not make its policies on the range of personal information that is
disclosed to third party application developers available on their general website.
• Facebook does not disclose that it uses technology to actively search for anomalous
behaviour.
We request that you investigate Facebook’s practices with a view to its compliance with
PIPEDA. We await your findings. Should you have any questions, please do not hesitate to
contact the undersigned.
Yours truly,
 
happy I’m confident more people will expose Facebook