Being online not only makes it easier for organizations to share data in privacy policies, it also makes it easier for data subjects to disclose more information – or have data inferred about their behaviour. Organizations are incentivized to get privacy right; the more a user trusts an SNS for example, the more data they will share and the more ads the organization can serve. Privacy policies may spell out explicit terms of use, yet there is still a response when an organization goes ‘out of bounds’ with what user (perhaps unstated) expectations are.
In 2008, a non-profit advocacy group filed a complaint against Facebook under PIPEDA with the federal Government’s privacy commissioner. Of the 24 allegations over 11 subjects, the Assistant Commissioner concluded that 4 of the 11 subjects included well-founded non-resolved complaints. In particular, the finding concluded;
On the remaining subjects of third-party applications, account deactivation and deletion, accounts of deceased users, and non-users’ personal information, the Assistant Commissioner likewise found Facebook to be in contravention of the Act and concluded that the allegations were well-founded. In these four cases, there remain unresolved issues where Facebook has not yet agreed to adopt her recommendations. Most notably, regarding third-party applications, the Assistant Commissioner determined that Facebook did not have adequate safeguards in place to prevent unauthorized access by application developers to users’ personal information, and furthermore was not doing enough to ensure meaningful consent was obtained from individuals for the disclosure of their personal information to application developers (Denham, 2009).
Facebook continues to struggle with privacy issues.
In 2014, the company faced criticism for conducting research on 689,000 users in 2012 to manipulate news feeds after a research paper was published (“Facebook emotion experiment sparks criticism,” 2014). This original research was covered by the Terms of Use every user agrees to when they sign up for an account. Popular response was not favourable, with some users commenting “I’m not a lab rat”, “This is bad, even for Facebook” (“#BBCtrending: ‘I’m not a lab rat!’ … reaction to #FacebookExperiment,” 2014).
At the time, Facebook’s researchers took to the site to engage directly with users, provide more details and apologize (Kramer, 2014).