A Canadian public policy group Friday filed a complaint charging Facebook with 22 separate violations of a Canadian personal information protection law.
The Canadian Internet Policy and Public Interest Clinic (CIPPIC), based at the University of Ottawa, asks the Privacy Commissioner of Canada to investigate what it describes as Facebook's failure to inform members how their personal information is disclosed to third parties for advertising and other commercial activities. The complaint also alleges that Facebook has failed to obtain permission from members for disclosure of their personal information.
Facebook did not respond to a request for comment.
The complaint alleges that Facebook violates the Canadian Personal Information Protection and Electronic Documents Act, which Philippa Lawson, the clinic's director, said is much stricter than US personal information protection laws.
"In Canada we have data protection legislation that applies to all commercial entities that require [them] to get informed consent from individuals before they collect, use or disclose personal information," she said. "You can't collect more personal information than you need for the purpose you get consent. We think Facebook is violating those rules in a number of respects."
The group contends that Facebook violates the law in three areas: social networking; social advertising; and third-party applications.
On the social networking side, the complaint says that Facebook is not clear enough about how broadly user information is shared with people they don't know, Lawson said. For example, Facebook allows users to join groups called Networks based on geographical location, hobbies and interests. The complaint acknowledges that upon joining a Network, users are informed that they will be sharing their profiles with other users in the network, and are informed they can change their privacy setting to prevent this sharing. However, the complaint notes that they are not prompted to go to a page to change the settings.
"There are problems with that in that it is not clear enough to users how broadly their information is being shared with people they don't know," according to Lawson. "The default privacy settings are set to share with strangers. Under Canadian law they would have to get opt-in consent -- rather than defaulting people to share and then expect them to figure out how they can opt out."