The popular social networking site Facebook is not doing enough to protect the personal information it gets from subscribers, and it gives users confusing and incomplete information about privacy matters, Canada’s privacy commissioner said on Thursday.
“It’s clear that privacy issues are top of mind for Facebook, and yet we found serious privacy gaps in the way the site operates,” Privacy Commissioner Jennifer Stoddart said in a report on an investigation into Facebook.
The report said Facebook violates Canada’s privacy laws by keeping the personal information of people who have deactivated their accounts in its databases indefinitely.
It provides confusing information about privacy practices, for example showing users how to deactivate accounts but not how to delete them.
Facebook told the commissioner it needed to keep personal data for those who shut down accounts because about half of users reactivate accounts that they had deactivated.
The report said Facebook had strenuously objected to some of the commissioner’s preliminary conclusions, and the company said on Thursday it would continue to work with her to address outstanding areas and to raise awareness of privacy controls.
Facebook has 200 million active users, including about 12 million in Canada — more than one in three Canadians.
The report will set a precedent for other networking sites operating in Canada, and could influence practice in other countries. Stoddart said she believed Canada was the first to publish a formal privacy investigation of Facebook’s practices.
Stoddart also said Facebook lacked adequate safeguards to prevent unauthorized access to users’ personal information by third-party developers. There are more than 950,000 developers in 180 countries.
She said Facebook had resolved some issues and she gave it 30 days to comply with a series of “recommendations”, and said she could take it to Federal Court to enforce the recommendations.
Facebook’s chief privacy officer, Chris Kelly, told Reuters in San Francisco he did not expect this to be necessary.
“Given that we’ve had very productive conversations, I would be surprised if things move in that direction. Now, that being said, we don’t believe that there is any violation of Canadian law here and we think that a court would find that, were either party to go in that direction,” he said.
He also said Facebook did not want to end up with too many notifications interrupting users, and said any solutions should “reflect the fact that people come to Facebook to share information as opposed to hide it.”
The investigation was launched in response to complaints by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa.
In a written statement, Facebook said it was “pleased that the Canadian federal privacy commissioner has dismissed the most of the inaccurate claims brought by CIPPIC, and that we were able to collaboratively resolve other issues raised in the complaint.”