91ɫ

Defriend: Privacy Concerns are back in the Newsfeed

An Austrian student studying law in Silicon Valley has raised serious flags about Facebook’s lack of adherence to privacy law and disclosure regulation.

Max Schrems usedto request his personal user data from Facebook international headquarters in Ireland. The first round of disclosure from Facebook wasof much of the detailed information that the social network tracks. But more concerning was that when Facebook provided fuller user data,that Schrem had deleted from his profile, such as automatic tags or chat messages; this was information that Facebook was legally required to remove from its database.

Schrem then successfully encouraged thousands of other Europeans to demand their user records and launched the organizationto raise awareness of and funds for his fight to demand greater privacy and disclosure from Facebook.

Facebook responded with – or coincidentally announced – proposed updates to its Data Use Policy and governance procedures under a letter posted in the Facebook Newsroom from Elliot Schrage, VP Communications, Public Policy and Marketing.

The letter, titled “”, allowed for user comments until 9 AM PST on November 28, 2012. In terms of privacy, the letter calls out pro-privacy and pro-disclosure changes like their new “Ask the Chief Privacy Officer” page, Facebook “Live Events” to answer privacy questions and additional Data Use Policy updates such as reminders “about what’s visible to other people on Facebook.” In terms of governance, the proposed changesuser voting rights.

Both sets of changes stimulated backlash. The privacy changes inspired aof pseudo-legalese that users seemed to believe would protect them from privacy and copyright breaches by Facebook. The removal of member voting rights sparked uproar byԻ.

Putting aside the red herring that is disenfranchisement (a right that few people used anyway), the lack of substantive privacy and disclosure remains troubling.

The privacy changes put forward by Facebook are cosmetic and unnecessarily security-centric. In short, they are retail politics. As Schrems and those coalescing around him will tell you, users don’t need Facebook to protect them from privacy breaches by other citizens, they need governments to protect them from privacy breaches by Facebook.

The question for Canadians is whether, like the EU, we are entitled to request access to the full gamut of information collected about us, and whether sites like Facebook are obligated to purge information that we have chosen to delete.

Though slow andfreedom of information acts andgenerally guarantee that government organizations provide information to citizens on demand. Private institutions like Facebook are not subject to these requests.

The(PIPEDA) was constructed in a pre-Facebook world and focuses more on preventing an organization from releasing information about a citizen than it does laying out the depths to which an organization is obligated to provide information to citizens about their individual profiles on request.

Similarly, S.9 of PIPEDA prevents the release of personal information if doing so would reveal personal information about a third party. In the world of social networking, how many degrees of separation in Facebook data sufficiently satisfies this requirement, and could Facebook lawyers use this as a shield to prevent requests by Canadians to view their profile information?

PIPEDA establishes the Privacy Commissioner as the ombudsperson for complaints and concerns, but the Privacy Commissioner’s office seems slow to grasp the technologies of and data amalgamated by Facebook.from the office shows they remained distracted by the same shiny security and retail politics material that populated the recent Facebook Newsroom post from VP Schrage.

Luckily, the Information and Privacy Commissioner is decidedly more in tune with privacy and disclosure needs, as evidence by last month’s white paper.

Unfortunately, no wealth of suggestions from either privacy commissioners will fill the gap between the EU and Canada in terms of legal tools available to hold Facebook to account for what personal information it retains, for how long or how much it should disclose to users.


Denise Brunsdon is a JD/MBA Candidate at Western University.