ottawa-090827-jennifer-stoddart-elizabeth-denham-banner

Assistant privacy commissioner Elizabeth Denham, left, and privacy commissioner Jennifer Stoddart say they will monitor Facebook's implementation of the changes over the next year. ((Emily Chung/CBC))

Facebook has agreed to make changes to better protect users' personal information on the social networking site and comply with Canadian privacy laws within one year, Canada's privacy commissioner said Thursday.

"These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected," said privacy commissioner Jennifer Stoddart.

Personal Information Protection and Electronic Documents Act

PIPEDA specifies how private sector organizations may collect, use or disclose personal information in the course of commercial activities.

Under the act, in most circumstances:

  • Personal information must be collected for a specific purpose and cannot be used for other purposes.
  • The information cannot be collected unless the person that the information belongs to has been informed and has provided consent.
  • The information can only be kept for a specified amount of time and must be destroyed when it is no longer needed to fulfil its original purpose.

"This is extremely important. People will be able to enjoy the benefits of social networking without giving up control of their personal information. We're very pleased Facebook has been responsive to our recommendations."

However, the site will continue to keep users' information indefinitely if they have not deleted their accounts.

Facebook is used by 12 million Canadians. Canadian officials had been negotiating with representatives of the site since the Office of the Privacy Commissioner reported a month ago that Facebook's practices breached the Personal Information and Protection and Electronic Documents Act (PIPEDA).

The office began investigating following a complaint from the Canadian Internet Policy and Public Interest Clinic, based at the University of Ottawa.

In response to a report by assistant privacy commissioner Elizabeth Denham, Facebook has agreed to make changes in the following areas: third-party applications like quizzes and games; deactivation of accounts; the personal identification of non-users and clarification of its policy on retaining users' profiles.

Stoddart and Denham cautioned that most of the changes will simply better inform users what is being done with their information, and it's up to users to take note and make choices that protect their own information.

Facebook has specifically agreed to:

  • Prevent games, quizzes and other applications developed by third parties from accessing information until it obtains express consent for each category of personal information. Users' friends will also be able to block applications from accessing their information.
  • Make it clear to users that they can either deactivate or delete their accounts, whereby only deleting will remove the information entirely.
  • Remind users that they need to ensure they have the consent of non-users before sharing the non-users' email addresses with Facebook.
  • Clarify in its privacy policy that it will retain a user's profile after the user dies so friends can post comments and pay tribute.

Facebook expects to have the changes in place within a year. The privacy commissioner has agreed the timeframe is reasonable, as the changes concerning third-party applications will require substantial technological changes on the part of both Facebook and the developers. The changes will affect both existing and new applications.

On a conference call, Facebook executives said they were not sure how much the changes would cost the company but added that instituting "granular control" for users will take about 12 months.

"This is going to require some time and resources here at Facebook in order to both build and test the changes," said Dave Morin, senior platform manager. "We're going to take our time to ensure that the outcome is something users understand and the developers have ample time to adapt to."

The company also said the changes will be rolled out worldwide because some of the concerns raised in Canada have also been raised by privacy watchdogs in other countries.

However, the commissioner cautioned that information that users have already provided cannot be taken back.

Facebook is allowing the privacy commissioner's office to test its new model for application developers, and the office will also be monitoring the company's progress overall in implementing the changes.

"It's now up to Facebook to demonstrate to us that they are living up to their commitments," said Denham.

No retention policy

While the privacy commissioner's office had recommended in its report that Facebook have a retention policy specifying how long it will keep information after a user has deactivated his or her account before deleting the information, the office eventually agreed to let Facebook keep the information indefinitely. Denham said Facebook's agreement to provide clarity about the issue is acceptable and in compliance with Canadian law.

Other social networking sites are expected to look at the Facebook case to see what needs to be done to improve their own privacy practices. In fact, one has already contacted the commissioner's office requesting help in making changes to better protect users' privacy, Stoddart said Thursday. However, she would not disclose which site it was.

PIPEDA came into effect in 2000, four years before Facebook was born and well before the social web made the exchange of personal information on the internet more commonplace.

With files from The Canadian Press