Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Changes to Facebook’s Data Use Policy

Submission to Facebook

May 2012

(by emailed letter)

Our reference: P12/48
Mia Garlick
Communications and Policy Australia and New Zealand
Facebook Inc.


Dear Ms Garlick,

Changes to Facebook’s Data Use Policy

I refer to the proposed changes to Facebook’s Data Use Policy[1] (Policy), announced on Facebook’s Site Governance Page on 11 May 2012, and the briefing provided to staff of the Office of the Australian Information Commissioner (OAIC) on that date.

The OAIC acknowledges that the intent of the proposed amendments to the Policy is to improve readability, provide practical guidance to users and to include some positive messages about privacy awareness. This intent is welcomed.

However, the OAIC considers there are a number of areas where the proposed amended Policy could benefit from improvement. Our comments are set out below.

Title of the Policy

Initially, we would like to reiterate our concerns regarding the title of the Policy. Specifically, the OAIC considers that the nature of the ‘data’ that is the subject of the Policy is substantially personal information and, as such, giving the Policy a more general title may make its purpose unclear to users. In contrast, the term ‘privacy policy’ is commonly used and well understood by the public.

We note also that the Policy is accessed by clicking on a link titled ‘Privacy’. Reaching a policy titled ‘Data Use Policy’ could confuse users, which could reduce the effectiveness of the Policy in advising users on how their information will be handled and what options they may have in that respect.

We also suggest that, as Facebook relies on users providing their personal information to the site, a title for the Policy that refers to ‘personal’ information would better reflect Facebook’s business model.

Accordingly, the OAIC is of the view that, at the very least, the title of the Policy should reflect that the Policy relates to Facebook’s handling of users’ personal data or information.  

Collection of information by apps from third parties

We note that the proposed amended Policy states as follows:

Information others share about you

We receive information about you from your friends and others, such as when they upload your contact information, post a photo of you, tag you in a photo or status update, or at a location, or add you to a group.’

Under the heading ‘Controlling what information you share with applications’, the proposed amended Policy continues:

When you go to a game or application, or connect with a game, application or website - such as by going to a game, logging in to a website using your Facebook Platform, account, or adding an app to your timeline -we give the game, application, or website (sometimes referred to as just "Applications" or "Apps") your basic info, which includes your User ID, as well your friends' User IDs (or your friend list) and your public information.

National Privacy Principle (NPP) 1.3, set out in Schedule 3 to the Privacy Act 1988 (Cth)[2] (Privacy Act), provides that at or before the time (or if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual, the organisation must take reasonable steps to ensure that the individual is aware of specific listed matters.

The OAIC considers that it is best practice for organisations to notify individuals each time the organisation collects their personal information. In this instance, the OAIC considers it would be particularly helpful to users if the Policy provided a link to the detailed guidance about Profile (Timeline) Review[3] included in Facebook’s Help Centre. This would enable users to require that they be notified of posts in which they have been tagged, and approve each post before it is published on their Timeline.

We note that the Policy already discusses that users can control how much of their information may be shared by their friends with apps (under the heading ‘Controlling what is shared when the people you share with use applications’). However, it may not be clear to users when their friends have installed an app and, in doing so, have provided their information to that app. The OAIC suggests that it may assist users if Facebook could inform users of all apps that have access to or have collected their personal information. This would enable users to request deletion of that information if they so desire.

Access to user information by apps

Under the heading ‘Controlling what information you share with applications’, the proposed amended Policy also states:

If you haven’t used an app in a while, it won’t be able to continue to update the additional information you’ve given them permission to access[emphasis added].

In the interest of clarity and certainty, and as a matter of best practice, we consider that Facebook should be transparent about how long applications can access user information. 

Deletion of user information by apps

Under the heading ‘Controlling what information you share with applications’, the proposed amended Policy also states:

remember, apps may still be able to access your information when the people you share with use them. And, if you’ve removed an application and want them to delete the information you’ve already shared with them, you should contact the application and ask them to delete it. Visit the application’s page on Facebook or their own website to learn more about the app.

Further, under the heading ‘About instant personalization’, the proposed amended Policy relevantly states:

‘If you turn off an instant personalization site or app after you have been using it or visited it a few times (or after you have given it specific permission to access your data), it will not automatically delete your data received through Facebook. But the site is contractually required to delete your data if you ask it to.’

The OAIC appreciates that the proposed amendments inform users of how they can request that applications delete their personal information. However, in the view of the OAIC , where a user removes an application, that application no longer has any need for that user’s data.

Relevantly, NPP 4.1 requires that organisations take reasonable steps to protect the personal information they hold from misuse or loss. NPP 4.2 provides that an organisation must take reasonable steps to permanently destroy or de-identify information that is no longer needed. As such, the OAIC considers that it would be best privacy practice for Facebook to require applications to automatically delete user data when users remove applications, rather than only in response to a direct request from the user.

Clarity regarding Facebook Partners

Under the heading ‘How we use the information we receive’, the proposed amended Policy relevantly states:

‘We use the information we receive about you in connection with the services and features we provide to you and other users like your friends, our partners, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites you use.’

The reference to ‘partners’ in this paragraph is somewhat vague. The Policy variously refers to ‘advertising partners’, ‘instant personalization partners’ and ‘platform partners’. In the interests of clarity, we suggest that the Policy clarify whether this reference is to specific kinds of partners, or all partners.

Instant personalization

In many sections, the Policy provides helpful links to specific pages where settings can be altered. However, in the section titled ‘About instant personalization’, the proposed amended Policy does not include a link to further information about instant personalization,[4] or how to turn off instant personalization.[5] The OAIC considers that the inclusion of such links would be helpful to Facebook users.

Location Data

We note that, under the heading ‘Other information we receive about you’, the proposed amended Policy provides that Facebook ‘may get your GPS data or other location information. However, it is not clear from the Policy when Facebook collects GPS data. It is also unclear what kind of information ‘other location information’ may include. Further, the Policy does not discuss whether users can opt out of providing GPS or location information and, if so, how.

Location information, and GPS data in particular, has the potential to be privacy invasive. The OAIC considers that Facebook should be transparent about what specific location information it collects, and how and when it collects it. As a matter of best practice:

  • the default position should be that location data is not collected unless users opt in to that collection, and
  • the Policy should include links to further information about the handling of location and GPS data, and information on how to disable location services and the provision of GPS data.

Data Retention

We also note that the proposed amended Policy would apparently alter the existing data retention period for information about a user received from advertising partners from 180 days to until the user’s account is deleted. Specifically, under the heading ‘Other information we receive about you’, the following is proposed to be omitted:

Similarly, when we receive data about you from our advertising partners or customers, we keep the data for 180 days. After that, we combine the data with other people's data in a way that it is no longer associated with you.

Under the heading, ‘How we use the information we receive’, the following text is proposed:

We store data for as long as it is necessary to provide products and services to you and others, including those described above. Typically, information associated with your account will be kept until your account is deleted. For certain categories of data, we may also tell you about specific data retention practices [emphasis added].

In the interest of clarity and certainty, we consider that the Policy should specify what categories of data may be subject to different data retention practices (if any), and where to obtain further information about those specific practices. 

Sharing settings

Under the heading ‘Control each time you post’, the following omission is proposed regarding the default disclosure setting of a ‘story’ (formerly known as a ‘post’):

If you do not make a selection, your information will be shared with the last audience you selected. If you want to change your selection later you can do that too on your profile.

It is unclear to the OAIC why this omission is proposed. We would appreciate clarification on whether Facebook proposes a new default setting for the disclosure of a ‘story’ and, if so, what that setting is.

The OAIC considers that it would be best privacy practice for the default setting to be ‘Friends only’, or as otherwise specified by the user.

Cookies

The OAIC notes that the proposed amended Policy includes an extensive section on the use of cookies and related software. We consider that this new section provides users with useful information about the use and purpose of Facebook’s cookies.

However, the OAIC has noted a level of public anxiety regarding the use of cookies, particularly with respect to the possibility that sites that use cookies may be able to track users’ internet use, even after users have logged out of Facebook. The OAIC suggests that Facebook directly address this concern in the Policy.

If you have any questions or concerns, please contact Melanie Drayton, Director – Policy, on (02) 9284 9[800].

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner
May 2012


Postscript: Subsequent to this submission being made, the OAIC met with Facebook to discuss issues identified in the submission. Facebook’s Data Use Policy came into effect on 9 June 2012. The OAIC received Facebook’s written response on 30 July 2012.