Office of the Privacy Commissioner of Canada | Personal Information Protection and Electronic Documents Act | PIPEDA Findings #2019-002 | Well-founded

PIPEDA Findings #2019-002: Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia

Organization: Facebook, Inc.
Decision: Apr 25, 2019
Published: Apr 25, 2019

This joint investigation by the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) examined Facebook's compliance with privacy laws concerning the disclosure of user data to third-party apps, specifically the "thisisyourdigitallife" (TYDL) app. The investigation found that Facebook failed to obtain valid and meaningful consent from users whose information was disclosed, had inadequate safeguards to protect user data, and lacked accountability for the information under its control. These failures are particularly concerning given similar findings by the OPC in a 2009 investigation, indicating a lack of substantive improvement in Facebook's privacy practices.

  • Meaningful consent from installing users
  • Meaningful consent from affected users (friends of installing users)
  • Adequacy of safeguards to protect user data from third-party apps
  • Facebook's accountability for user data

Complaint well-founded and unresolved.

Facebook failed to obtain valid and meaningful consent for the disclosure of personal information to third-party apps, had inadequate safeguards to protect that information, and demonstrated a lack of accountability for its privacy practices, particularly in light of previous OPC findings.

AI-generated summary for reference only. Always verify against the official decision.

Recommended action / remedy

The OPC and OIPC BC made several recommendations to bring Facebook into compliance with privacy laws, including implementing measures for meaningful consent, robust monitoring, effective enforcement, and allowing users to access controls over their data. Facebook largely rejected these recommendations.

Statutory provisions cited
  • Clause 4.3 PIPEDA
  • Clause 4.3.2 PIPEDA
  • Section 6.1 PIPEDA
  • Section 10 PIPA
  • Clause 4.7 PIPEDA
  • Clause 4.7.1 PIPEDA
  • Section 34 PIPA
  • Clause 4.1 PIPEDA
  • Clause 4.1.4(a) PIPEDA
  • Section 4(2) PIPA
  • Section 5 PIPA

This summary is informational only and not legal advice.