BreachOfPrivacy
Office of the Privacy Commissioner of Canada
Personal Information Protection and Electronic Documents Act
PIPEDA Report of Findings #2018-003
Well-founded & conditionally resolved

PIPEDA Report of Findings #2018-003: Facebook agrees to stop using non-users’ personal information in users’ address books

Organization: Facebook Inc.
Decision: May 24, 2018
Published: May 24, 2018

The Office of the Privacy Commissioner of Canada investigated a complaint against Facebook Inc. regarding a privacy breach where personal information of users and non-users was inadvertently disclosed through the 'Download Your Information' tool. The investigation found that while Facebook had safeguards in place, they were not adequate prior to the breach, leading to the unauthorized disclosure of contact information. Additionally, Facebook was not sufficiently open about its practice of matching contact information across address books. Facebook has since implemented corrective measures, including a new Privacy Framework and revised notices, resolving the issues.

  • Adequacy of safeguards for personal information.
  • Facebook's practice of matching contact information across address books and consent requirements.
  • Openness and transparency of Facebook's policies and practices regarding contact information.
  • Facebook's provision of access to and correction of personal information.

Complaint found to be well-founded and resolved, with some issues conditionally resolved.

The OPC found that Facebook's safeguards were inadequate before the breach and that the company was not sufficiently open about its contact matching practices. However, subsequent corrective actions and commitments by Facebook have resolved these issues to the OPC's satisfaction, with some aspects conditionally resolved pending further updates.

AI-generated summary for reference only. Always verify against the official decision.

Recommended action / remedy

Facebook was required to implement new measures to improve testing and review of feature interactions, revise notices about the contact importer and matching process, and provide users with a mechanism to access and correct matched contact information. Facebook has since implemented these measures, including a Privacy Framework and updated notices.

Statutory provisions cited
  • Principle 4.7 PIPEDA
  • Principle 4.7.1 PIPEDA
  • Principle 4.5 PIPEDA
  • Principle 4.3 PIPEDA
  • Principle 4.3.1 PIPEDA
  • Principle 4.3.2 PIPEDA
  • Section 6.1 PIPEDA
  • Principle 4.8 PIPEDA
  • Principle 4.6 PIPEDA
  • Principle 4.9 PIPEDA
  • Principle 4.9.1 PIPEDA
  • Principle 4.9.5 PIPEDA
  • Subsection 9(1) PIPEDA
  • Subsection 5(3) PIPEDA

This summary is for informational purposes only and does not constitute legal advice.