Canadian Group Files Facebook Privacy Complaint

bergkamp writes "A Canadian public policy group filed a complaint charging Facebook with 22 separate violations of a Canadian personal information protection law. The Canadian Internet Policy and Public Interest Clinic, based at the University of Ottawa, asked the Privacy Commissioner of Canada to investigate what it describes as Facebook's failure to inform members (PDF) how their personal information is disclosed to third parties for advertising and other commercial purposes. The complaint also alleges that Facebook has failed to obtain permission from members for disclosure of their personal information. The claim is that that Facebook violates the Canadian Personal Information Protection and Electronics Documents Act, which Philippa Lawson, the clinic's director, said is much stricter than US personal information protection laws."

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:That's nice, and all

[sm62704]

Borders are a thing of the past.

Tell that to the Missouri Highway Patol when you cross the Mississippi river from Illinois on your motorcycle when you're not wearning a helmet.

Yes, borders are a thing of the past. They're also a thing of the present and a thing of the future.

If Facebook has offices in Canada, servers in Canada, or workers who live in Canada then Canada has a valid point. If not then Facebook can tell Canada to fuck off.

Re:That's nice, and all

[weffey]

A couple of months ago, I noticed that Facebook started telling me that I needed to turn on Javascript, even though I had facebook.com in my allow list in NoScript. I noticed that there was now a second server required, http://www.fbcdn.net/ (I checked CIRA's WhoIs and facebook.ca was snatched up by someone else in 2005). I was recently in the states, so I disallowed fbcdn.net in NoScript (just to see), and there were no complains about my Javascript setting until I returned north of the border.

This seems to imply that there are separate servers running for Canadians accessing Facebook, so at a minimum, that would give some leverage into forcing them to follow Canada's rules. Now, if those servers are physically located in Canada (no, I haven't bothered doing a traceroute to find out where fbcdn.net ends up), that would definitely force them to follow those rules.

Slightly OT, but in my current job and we recently went looking for a new hosting company to host our database (which has a fair amount of private data in it). Because my company gets a large amount of our budget for the federal and provincial governments (it's a non-profit) we like to abide by as many of the federal government rules when it comes to IT and data privacy. One of those rules is any private data must only be hosted in Canada and it can not leave the country. A few companies came to us as "the Canadian branch of hosting company X". The conversations went like this:
Me: Where are your datacenters?
Them: We have them all over the world.
Me: Ok, but in which of those datacenters is our data going to be physically hosted?
Them: We can do distributed hosting so it's in many different datacenters
Me: Yes or no, Are these datacenters in Canadian territory?
Them:
Me: So, I'll take that as a no, which means that you know we can't host with you because of the government ruling about hosting private data outside the country.
Them:
Me:

More and more Canadian companies are taking the approach of hosting only in Canada, if only to ensure that they know the rules for data privacy and know there won't be a conflict between Canada's and the other country's.