Australian Government - Office of the Australian Information Commissioner - Home

Changes to Facebook's Statement of Rights and Responsibilities and Data Use Policy

Proposed changes to Facebook Data Use Policy and Statement of Rights and Responsibilities — Facebook response to OAIC letter

16 October 2013

Timothy Pilgrim
Australian Privacy Commissioner
Office of the Australian Information Commissioner 
GPO Box 5218 Sydney NSW 2001

Re: Proposed changes to Facebook Data Use Policy and Statement of Rights and Responsibilities

By email: [email address redacted]

Dear Mr. Pilgrim:

We appreciate the opportunity to respond to your letter of 12 September 2013. You have sought further information about proposed amendments to our Statement of Rights and Responsibilities ("Terms") and Data Use Policy that relate to advertising, Tag Suggest and the process by which these changes were made. 

Advertising on Facebook

As part of the proposed changes, we have rewritten the advertising section of our Data Use Policy to highlight how advertising works on Facebook and we updated our Terms to better explain what people can expect when it comes to using their name, profile picture, content, and information with ads or commercial content.  Through these proposed changes, we worked to explain key points of our policies, such as how we use the information we receive to tailor ads and that we do not share information that personally identifies a user (like their name or contact information) without their permission.  

We are not removing any controls.  The clarified language in our Data Use Policy will not change the way we provide interesting and relevant ads.  Users may still use the "Ads & Friends" setting to specify who can see ads paired with their social actions and will still have the option to specify the audience with whom they choose to share when they post. In addition to the updates to our Data Use Policy, we also expanded the explanation of our advertising products and the corresponding controls we give users by providing more information at: https://www.facebook.com/about/ads/.

Once implemented, our Data Use Policy will continue to include a specific reference that controls exist that people can use to manage how their actions on Facebook are paired with social ads. In Section IV -- Advertising and Facebook content it states: "You can learn more about ads and social context, including the relevant settings and controls available to you, by visiting the Advertising on Facebook page."

The updates to our Terms aligned with a court settlement where we agreed to clarify the section of our terms where we explain the way that Facebook may use someone's name or profile picture in connection with ads and commercial content. The update included an example, which we believe will help people on Facebook best understand the purpose of the provision. Importantly, the update to our Terms is only one element of our settlement obligations. As you note in your letter, as part of the settlement, we also have agreed to provide additional transparency and controls. We have not yet built these new features, but will provide them in accordance with our settlement obligations. We would be happy to offer another briefing once we have built these new features.

Tag Suggest

Facebook currently uses facial recognition tools to suggest photo tags to other users, and under the proposed changes to our Data Use Policy, we aim to start using profile photos to enhance this experience. Users will continue to be able to use controls to manage the "Tag Suggest" feature. Facebook's Data Use Policy has always explained that Facebook may use all of the information we receive (which includes profile pictures - public information on Facebook) to provide better and more relevant services to users.  As you'll see in the Data Use Policy, we explain "We use the information we receive about you in connection with the services and features we provide to you and other users like your friends, our partners, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites you use. For example, in addition to helping people see and find things that you do and share, we may use the information we receive about you: ... to make suggestions to you and other users on Facebook, such as: suggesting that your friend use our contact importer because you found friends using it, suggesting that another user add you as a friend because the user imported the same email address as you did, or suggesting that your friend tag you in a picture they have uploaded with you in it; ..." (emphasis added).

Tag Suggest is a tool that helps Facebook users tag their friends in photographs more quickly and easily. The ability to make tagging faster and easier in uploaded albums where there are multiple pictures of the same person responds to feedback we received from users that they wanted a faster way to be able to tag people. Tagging is also a helpful method for notifying users about photos of them that have been uploaded. When a person is tagged in a photo, they receive a notification and can take action on it, including deciding if it will show on their timeline, to un-tag themselves, or use our tools to reach out to their friend to have the picture taken down.  We believe these notification and control measures are privacy protective (something that does not happen elsewhere on the Internet).

Facebook users have control over whether they appear in tag suggestions others receive.  If they opt-out using the setting provided, they will not be suggested for tagging based on the photo tag suggest tool and biometric data will not be stored. Users who receive tag suggestions must take an action before the photo will be tagged; Facebook does not automatically tag photos.

Every user can easily access their facial recognition template, which powers the photo tag suggest tool, through our "Download Your Info" tool, and if they opt out of the feature, Facebook deletes the template.

Process

Each time we have proposed changes to our Statement of Rights and Responsibilities and Data Use Policy, we've notified our users on Facebook through our Site Governance Page and we've provided educational materials about the changes.  Users that have "liked" the Site Governance Page can read the update in their News Feed and visit the page to learn more and leave comments.  As part of the materials we make available on that page, we provided a blog post that explained our proposal, a section by section summary that covered our proposal for the Terms and the Data Use Policy, and even a document that highlights the actual changes via "tracked changes" to show exactly where the amendment is proposed to be made.

As you noted, in addition to the above notice and information, we also emailed users informing them that we have proposed updates to our Terms and Data Use Policy.  In that email, we explained the proposal and encouraged users to visit the Site Governance page to learn more, review, and comment on the proposal.  We also remind users to "like" the page so they can receive additional information from time to time in their News Feed, including future proposed updates. 

Users are the central audience of our updates and are always part of the process. We carefully consider feedback before adopting changes and in the past we've adjusted our proposed changes based on user input. We also provide regular tips and updates on our Privacy Page, and answer both written and live user questions through our Ask the Chief Privacy Officer program.

We are unaware of any site that provides this much information and transparency and that actively solicits and reviews user feedback.  We believe our process provides industry-leading transparency around our policies and practices and gives people an opportunity to voice their opinion over how Facebook is governed and gives people the opportunity to identify the proposed changes and engage in the process.

Thank you for allowing us to provide this further information and we trust it addresses your concerns. Please do not hesitate to contact me if you require any further information.

We would also welcome the opportunity to talk to you further about how advertising works on Facebook and respond to any questions you have.

Kind regards,

[signature redacted]

Mia Garlick
Head of Policy
Facebook Australia and New Zealand


Proposed changes to Facebook Data Use Policy and Statement of Rights and Responsibilities — OAIC letter to Facebook

12 September 2013

Ms Mia Garlick
Head of Communications & Policy Australia and New Zealand
Facebook Inc.
77 King Street
SYDNEY  NSW 2000

By email: [email address redacted]

Dear Ms Garlick

Proposed changes to Facebook Data Use Policy and Statement of Rights and Responsibilities

Thank you for the opportunity to comment on Facebook's proposed changes to its governing documents — the Statement of Rights and Responsibilities (Statement) and the Data Use Policy (Policy).

Background

In late August 2013, Facebook emailed the majority of Facebook users to notify them about the proposed changes, and on 29 August 2013 posted information about the changes on Facebook's Site Governance Page.[1] Facebook accepted user comments on the proposed changes until 5 September 2013.[2]

From the Site Governance Page I understand the proposed changes to the Policy and the Statement include changes that are required by a recent legal settlement regarding Facebook's 'Sponsored Stories' feature (Settlement).[3]

OAIC comments

I have a number of concerns regarding the proposed changes to the Statement and Policy. I would appreciate Facebook's response to these concerns.

User control and association of user information with commercial content

The proposed changes appear to include a significant shift in the way user information will be used by Facebook, and the ability of users to control and limit those uses.

In particular, Facebook proposes to delete from the Statement the provision that '[y]ou can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us'. A further reference to users being able to place limits on the association of their profiles with commercial content is also proposed to be removed. This suggests that users would be required to consent to the association of their identities with commercial content.

We note that, under the Settlement, Facebook is required to create 'an easily accessible mechanism that enables users to view… the subset of their interactions and other content on Facebook that have been displayed in Sponsored Stories (if any)' and 'enable users…to control which of these interactions and other content are eligible to appear in additional Sponsored Stories… [including] the ability to…prevent individual interactions and other content (or categories of interactions and other content) from appearing in additional Sponsored Stories' (paragraph 2.1(b) of the Settlement). These mechanisms and settings are not however mentioned in the proposed changes to the Statement or Policy, or the supporting materials on Facebook's Site Governance Page.

From a privacy enhancing perspective, the features outlined above would appear to give users control of how their personal information will be used. I would welcome clarification from Facebook as to whether these features will be implemented in the near future.

Addition of profile pictures to 'tag suggestions' and consent

Facebook is proposing to amend the Policy to include the addition of profile pictures to Facebook's 'tag suggestions' feature.

Profile pictures are likely to constitute 'sensitive information'[4] within the meaning of the Privacy Act 1988 (Cth) as they generally contain information about the racial or ethnic origin of the user, and may reveal other information such as political beliefs, religious beliefs, and sexual preferences or practices. Further, the proposed addition of profile pictures to the tag suggestions database is likely to be considered to be a secondary use of sensitive information.

National Privacy Principle (NPP) 2 provides that secondary uses of sensitive information are only permissible in certain circumstances including, where the secondary purpose is directly related to the primary purpose of collection and the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose, or where the individual concerned has consented to the use or disclosure.

It is unlikely that current Facebook users (who joined under the existing or previous versions of the Statement and Policy) would reasonably expect Facebook to use profile pictures for the new purpose of tag suggestions. Further, I have some concerns about the way in which Facebook is seeking to obtain user consent to this proposed secondary use, as discussed below.

Consent

As discussed above, Facebook announced the proposed changes to the Statement and Policy on 29 August 2013 on the Site Governance Page, and accepted comments from users for 7 days. Facebook also emailed users that had provided a valid email address (which you have advised is more than 90% of users in most countries)[5] about the proposed changes.

Given the potential ramifications of the proposed changes, I believe a one week consultation period is insufficient. Further, it appears that some users have not been directly notified.

This is particularly concerning because it appears that Facebook intends to rely on the implied consent of users to the proposed changes, including the secondary use of sensitive information.

For consent to be valid:

  • it must be provided voluntarily
  • the individual must be adequately informed of what they are consenting to
  • the consent must be current and specific, and
  • the individual must have the capacity to understand and communicate their consent.[6]

Where implied consent is sought, affected individuals need to be adequately notified of the matters requiring their consent, and provided with sufficient information to understand the choice they are making, and be given enough time to consider that information.

Direct marketing

From 12 March 2014, the Australian Privacy Principles (APPs) will replace the NPPs. APP 7 imposes new obligations regarding direct marketing. Facebook should consider the application of APP 7 with respect to its delivery of commercial content. The draft APP 7 Guideline, which details the operation and application of APP 7, will be released for consultation in the coming weeks.

Consistent with the OAIC's usual practices, this letter will be published on our website. Facebook's response, if any, will be published on receipt.

If you have any questions, please contact Tim de Sousa, Assistant Director — Regulation and Strategy, on [phone number redacted] or at [email address redacted].

Yours sincerely

[signature redacted]

Timothy Pilgrim
Australian Privacy Commissioner
12 September 2013


Footnotes

[1] www.facebook.com/fbsitegovernance/posts/10151822720929323

[2] www.facebook.com/fbsitegovernance/posts/10151840808824323

[3] www.wired.com/images_blogs/threatlevel/2012/10/revisedfacebooksettlement.pdf

[4] See the definition of 'sensitive information' in s6 of the Privacy Act 1988 (Cth). www.comlaw.gov.au/Details/C2013C00125/Html/Text#_Toc352163820

[5] See your email to Tim de Sousa of the OAIC on 3 September 2013.

[6] See, for example, the draft Key Concepts section of the Australian Privacy Principle Guidelines, www.oaic.gov.au/images/documents/privacy/engaging-with-you/current-privacy-consultations/Draft-APP-Guidelines-2013/Draft_APP_Guidelines_Chapter_B_Key_concepts.rtf


Further correspondence on changes to Facebook's Statement of Rights and Responsibilities and Data Use Policy

22 February 2013

On 10 January 2013 the OAIC again wrote to Facebook about changes to Facebook’s Statement of Rights and Responsibilities and Data Use Policy. This correspondence follows earlier communications on this issue.

Facebook responded on 11 February 2013. The OAIC sent a letter to Facebook on 22 February 2013 concluding this specific set of correspondence.


Changes to Facebook’s Statement of Rights and Responsibilities and Data Use Policy — concluding letter from the OAIC

22 February 2013

Our reference: 12/000214-01

Mia Garlick
Communications and Policy Australia and New Zealand
Facebook Inc.
77 King Street
SYDNEY  NSW 2000

By email: [redacted]

Dear Ms Garlick

Changes to Facebook’s Statement of Rights and Responsibilities and Data Use Policy

Thank you for your letter dated 11 February 2013.

I have found this to be an informative dialogue that has clarified some aspects of how Facebook handles user information to target advertising.

There are however some areas where further clarity and information could be provided to users, in particular that advertising is not permitted to be targeted on the basis of certain categories of information users may provide in the ‘about’ section of their Timeline. As such, I strongly encourage Facebook to continue to increase education for new and existing users on this issue, to ensure that they are appropriately informed about how their information is being used.

Consistent with the OAIC’s usual practices, this letter will be published on our website.

 Yours sincerely

 [signed]

Timothy Pilgrim
Australian Privacy Commissioner
22 February 2013


Facebook letter to OAIC: Recent changes to Facebook's Data Use Policy (February 2013)

11 February 2013

Timothy Pilgrim
Australian Privacy Commissioner
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001

Re: Recent changes to Facebook's Data Use Policy

By email: [address]

Dear Mr. Pilgrim:

We appreciate the opportunity to respond to your letter of January 9, 2013.

Before responding to your specific queries, we wanted to provide some background on how advertising works on Facebook. When people create an account on Facebook, they agree to Facebook’s Data Use Policy[1] (DUP). The DUP is also linked to throughout the site. The DUP outlines how Facebook uses information to target advertisements. In this way, people consent to the use of their information as set out in the DUP.

Also by way of background, Facebook’s ad-targeting tool is automated and is based on matching words. For example, when an advertiser adds a key word (a “topic” or “interest”) in the ad-targeting tool, our automated systems match the word with words on Pages that users “like”. We explain this in our Data Use Policy.[2] We also explain that if a user “likes” a Page, she might see an ad related to that interest. For example, an advertiser for an exercise program might enter the word “health” in order to reach users who are interested in health-related products or services. Users who have liked Pages with the word “health” in them may be in the audience of the ad, whether or not the Page in fact has anything to do with health. Facebook’s automated systems have no way of knowing the intended meaning of any word.

We are confident that our users understand that ads are targeted based on the Pages they like and other information they provide on their timelines. We purposely made further explanation of this in the revised DUP.

To respond to your specific query, we limit the ways in which advertisers can target ads to users. For example, we do not allow targeting of certain categories of information that people may fill out in the “About” section of their Timelines, such as religious or political views. As with all Timeline “About” fields, people can choose not to add any information to those fields at all. In any event, Facebook does not process these identified categories of information for ad-targeting purposes.

You also asked in follow-up conversations about how we use status updates in the ad-targeting process. We use keywords from status updates – that are machine-scanned in an automated way – to inform ad “clusters”, which are groups of users who are put into a broad-based interest category for targeting. For example, users who mention cars in their status updates might get put into an “automobile” cluster.

Thank you for allowing us to provide this further information and we trust it addresses your concerns. Please do not hesitate to contact me if you require any further information.

Kind regards,

[signed]

Mia Garlick
Head of Policy and Communications
Facebook Australia and New Zealand


Footnotes

[1] https://www.facebook.com/about/privacy/

[2] Please see the relevant section of our Data Use Policy: https://www.facebook.com/about/privacy/advertising


Changes to Facebook’s Statement of Rights and Responsibilities and Data Use Policy — a letter from the OAIC

10 January 2013

Our reference: P12/48
Mia Garlick
Communications and Policy Australia and New Zealand
Facebook Inc.
77 King Street
SYDNEY  NSW 2000

By email: [redacted]

Dear Ms Garlick

Changes to Facebook’s Statement of Rights and Responsibilities and Data Use Policy

Thank you for your letter dated 17 December 2012 and for providing further information about:

  • the use of sensitive information for targeted advertising, and
  • how Facebook will inform users about changes to the Statement of Rights and Responsibilities[1] (SRR) and Data Use Policy[2] (Policy) in the future.

Use of sensitive information

From your letter I understand Facebook’s position to be, that when a user shares sensitive information on Facebook, as with any category of personal information, they are consenting to the use of that information for targeted advertising.

In your letter you highlighted that Facebook’s Advertising Guidelines[3] prohibit advertisement text from asserting or implying specified personal characteristics. However I see that as being separate to the issue of using sensitive information about an individual to determine whether they are served a specific advertisement.

When creating an advertisement on Facebook, I understand that advertisers have the option to ‘target by precise interests.’ This is done by targeting users based on the interests, activities, education, job titles and other information that they provide in their Facebook profile, together with pages they have ‘liked’ and groups they belong to.

The information users may share in this way may include ‘sensitive information’ such as political opinion, membership of a political association, religious belief or affiliation, health or genetic information. Based on the way advertising may be targeted, it appears that this sensitive information may then be used to target advertising. However, when users share their sensitive personal information the potential for it to be used for targeted advertising does not appear to be made sufficiently clear to the user.

It would be better privacy practice if users could opt-in for their sensitive personal information to be used in this way. This option should be accompanied by a clear description of how their information may be used, including examples, in context.

Notification of changes to the SRR and the Policy

I support Facebook’s intention to find ‘new and better ways’ to reach users to notify them about changes to how their data and information will be used and managed. One of the advantages of continuing to post changes to the Facebook Site Governance Page is that over 2.7 million users have ‘liked’ the page, arguably to ensure that they receive information about such changes.

Consistent with the OAIC's usual practices, this letter will be published on our website. For transparency and accountability, Facebook's response will also be published.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner
10 January 2013


Footnotes

[1] Proposed Statement of Rights and Responsibilities (2012) Facebook https://www.facebook.com/legal/proposedSRR at 21 November 2012.

[2] Proposed Data Use Policy (2012) Facebook https://www.facebook.com/legal/proposedDUP at 21 November 2012.

[3] Facebook Advertising Guidelines (2012) Facebook https://www.facebook.com/ad_guidelines.php at 21 December 2012.


Changes to Facebook's Statement of Rights and Responsibilities and Data Use Policy

17 December 2012

On 21 November 2012, Facebook released proposed changes to its Statement of Rights and Responsibilities and Data Use Policy. The OAIC wrote to Facebook on 29 November 2012 about these changes. Facebook responded on 17 December 2012.

This correspondence follows earlier communications this year with Facebook about its Data Use Policy.


Facebook letter to OAIC: Recent changes to Facebook's Data Use Policy (December 2012)

17 December 2012

Timothy Pilgrim
Australian Privacy Commissioner
Office of the Australian Information Commissioner
GPO Box 5218 Sydney NSW 2001

Re: Recent changes to Facebook's Data Use Policy

By email: [address]

Dear Mr. Pilgrim:

In your letter of 29 November 2012, you asked for additional information about two specific issues: how information is used to serve ads on Facebook and changes to our site governance process. We appreciate the chance to give greater insight and background to the proposed changes.

At Facebook, our approach to privacy is focused on control, transparency and accountability. We give Australians the power to share what they want, when they want, with whom they want. Our Data Use Policy provides transparency about how that information may be used and our Statement of Rights and Responsibilities outlines our site governance process. Facebook welcomes the opportunity to provide you with more information about the recent proposed changes to Facebook's Data Use Policy and Statement of Rights and Responsibilities.

Targeted Advertising and Sensitive Information

In relation to the Data Use Policy, you have asked for additional information about the impact of the change that we have made to our Data Use Policy regarding advertising that may involve instances in which users have "liked" pages that relate to things like political association, religious affiliation, or health status.

The new language proposed for the Data Use Policy is intended to clarify how information that is shared on Facebook is used to serve relevant ads; it does not represent a new policy or practice by Facebook.  In the "explanation of changes" that we published for our users, we confirmed that "[t]his language does not mean that we are changing our Advertising Guidelines, which prohibit advertisers from running ads that assert or imply sensitive personal characteristics, such as race, ethnicity, religion, and sexual orientation."[1]  Because some of our users were concerned about this, we added additional language, including a link to our guidelines, to this proposal to make that clearer.

In our Advertising Guidelines, we prohibit targeting a user's personal characteristics that may be categorized as sensitive, that they choose to include in their Timeline. Specifically, our Advertising Guidelines state that "[a]d text may not assert or imply, directly or indirectly, within the ad content or by targeting, a user's personal characteristics within the following categories:

  1. race or ethnic origin;
  2. religion or philosophical belief;
  3. age;
  4. sexual orientation or sexual life;
  5. gender identity;
  6. disability or medical condition (including physical or mental health);
  7. financial status or information;
  8. membership in a trade union; and
  9. criminal record."[2]

In a report that the Irish Data Protection Commissioner (DPC) published in December 2011, following his Office's audit of Facebook's data practices, the DPC encouraged Facebook Ireland (FB-I), the entity with which Australian Facebook users contract, to clarify its policies with respect to how advertisers are able to target ads based on potentially sensitive categories of information. The Irish DPC acknowledged the terms outlined in our Advertising Guidelines but felt that greater clarity was advisable.[3]

In response to this recommendation by the Irish DPC, we undertook to clarify our policy in relation to targeted advertising based on sensitive data. The proposed changes to the Data Use Policy reflect that, in the advertising tool, advertisers can select from terms that are effectively an automatically-generated dictionary. These terms are dynamically created from all of the content on the site. For example, an advertiser can select the term "socialist" and this would reach people who have liked pages such as "I hate socialists" and "I love socialists". This is similar to the way that a search engine will return all content related to a word automatically.

On Facebook, people can choose whether or not they share information about themselves, including their religious beliefs or political associations, for example, or they can choose whether to like a Page that is dedicated to expressing particular points of view. People will then see relevant ads, based on the information they choose to share on Facebook, but without advertisers accessing personally identifying information.

We provide our users with more information about how ads work on Facebook through our "Advertising on Facebook" help page, which is available at https://www.facebook.com/about/ads/ and through an "About this ad" link that appears next to Facebook advertising.  Also, we post in the "Interactive Tools" section of our privacy page (https://www.facebook.com/about/privacy) a link to an interactive tool that advertisers can use to target relevant ads on Facebook.  We hope that this link - to the tool at https://www.facebook.com/ads/create/ -- makes the process of targeting ads on Facebook more transparent to our users.

We also give users the ability to impact the ads that they see. To see more of a certain type of ad, people can click or "like" an ad. To see less of other types of ads, people can click to hide an ad and they can also report ads that offend them. Information about these controls is also included in our "Advertising on Facebook" help page.

Site Governance Changes

With respect to the proposed changes to our Statement of Rights and Responsibilities, you have asked for further information about how Facebook intends to provide users with notifications of changes to our policies.

We share your view that it is important to ensure that people are given sufficient and appropriate notice about any changes to how their data is managed.  Accordingly, as you noted, we have retained the commitment in our Statement of Rights and Responsibilities that we will continue to notify users of changes that we propose to our Statement of Rights and Responsibilities and Data Use Policy.  Importantly, we also will continue our practice of receiving comments from users before we implement proposed changes (except changes made for administrative or legal reasons), which reflects a leading best practice in our industry.

As you note, we have changed the language to state that posting notices on the Site Governance Page is one example of how we will notify our users of changes, but not necessarily the only way we will do so. In the near term, we plan to continue posting notices on the Site Governance Page as we have historically. But we also believe that we can find new and better ways to reach our users with these notices, and we do not want to suggest that posting on the Site Governance Page is the only way that we will do this. For example, with our most recent set of proposals, in addition to notification on the Facebook Site Governance and Privacy Pages, we sent email notices to our users to encourage them to view our proposed changes.

In addition to these efforts, we have announced that we intend to make new efforts to engage with our users around data protection issues - both when we propose to change our Data Use Policy and more generally.  Accordingly, we recently offered a Facebook Live event, which was broadcast on our website and invited users to submit questions to be answered live by representatives from our privacy team.  That Facebook Live has been watched almost 50,000 times in the fewer than two weeks since it was broadcast.  We also have announced that we will begin a new "Ask Our CPO" feature, which will allow users to submit questions directly to our Chief Privacy Officer for Policy, who will answer them regularly on our Facebook and Privacy Page.  Over time, we hope to launch more initiatives like these.

Thank you for the time you and your Office have dedicated to review the proposed changes. We appreciate the opportunity to provide more information about them.

Kind regards,

[signed]

Mia Garlick
Head of Policy and Communications
Facebook Australia and New Zealand


Footnotes

[1] https://www.facebook.com/notes/facebook-site-governance/explanation-of-changes/10152338051340301

[2] https://www.facebook.com/ad_guidelines.php, sec. III(B).

[3] Specifically, the Irish DPC advised that "there is an absolute necessity that members be fully aware of what information generated in their use of the service will be used for advertising purposes thereby allowing them to exercise choice."  Irish Data Protection Commissioner, Report of Audit - Facebook Ireland, 21 December 2011, page 44 (http://dataprotection.ie/viewdoc.asp?DocID=1182).


Changes to Facebook’s Statement of Rights and Responsibilities and Data Use Policy

29 November 2012

Our reference: P12/48
Mia Garlick
Communications and Policy Australia and New Zealand
Facebook Inc.

By email: [redacted]

Dear Ms Garlick

Changes to Facebook’s Statement of Rights and Responsibilities and Data Use Policy

I refer to the proposed changes to Facebook’s Statement of Rights and Responsibilities[1] (SRR) and Data Use Policy[2] (Policy), announced on Facebook’s Site Governance Page on 21 November 2012.

A number of the changes that Facebook proposes to make to the SRR and the Policy provide more information to users about how their information is displayed and used, and how they can control their information. These include:

  • a link to the page where users can deactivate their accounts
  • additional information about the visibility of the information that users post on Facebook
  • notifying users that their friends may share information about them on Facebook
  • clarifying that Facebook gives applications a user’s ‘public profile’, and
  • directing users to consult their browser and device ‘help materials’ to learn how to block cookies.

These changes raise some questions that I would appreciate receiving further information about, particularly the changes to the SRR and the Policy that:

  • permit the use of sensitive information (including religion, health status or political views) to target advertising, and
  • modify Facebook’s commitments to notify users about future changes to the SRR and the Policy.

Use of sensitive information to target advertising

The proposed amended Policy states:

If you indicate that you are interested in topics, such as by liking a Page, including topics such as products, brands, religion, health status, or political views, you may see ads related to those topics as well.

Political opinion, membership of a political association, religious beliefs or affiliations, health information and genetic information are defined as ‘sensitive information’ by the Privacy Act 1988 (Cth).[3]

National Privacy Principle 2 provides that an organisation must not use or disclose personal information about an individual for a purpose other than the primary purpose of collection (secondary purpose), unless a listed exception applies. With respect to the use or disclosure of sensitive information, the only relevant exceptions are:

  • where the use or disclosure for the secondary purpose is directly related to the primary purpose of collection, and the individual would reasonably expect the organisation to use or disclose information for the secondary purpose (NPP 2.1 (a)), or
  • where the individual has consented to the use or disclosure (NPP 2.1(b)).

Further, I note the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 retains the current definition of ‘sensitive information’. Proposed Australian Privacy Principle 7.4 states that sensitive information can only be used for direct marketing if the individual has consented to the disclosure of the information for that purpose.[4]

Accordingly, please provide me with further information about how users will consent to the use of their sensitive personal information for targeted advertising. Specifically:

  • Will ‘liking’ a page be the sole trigger, or will the user be required to take an additional step to notify Facebook that they are willing to receive advertising on the basis of a category of information that may be sensitive information?
  • What other actions does Facebook use or propose to use to target advertising on the basis of sensitive categories, apart from ‘liking’ a page?

Notification of changes to the SRR and the Policy

The amendments to clause 14.1 of the SRR remove the requirement to notify users about changes to that document by posting to the Facebook Site Governance Page. Instead, posting to that page is now given as an example of how users will be notified. I note that Facebook has retained its commitment to notify users of changes and provide an opportunity to comment.

Similarly, the Policy now states:

After the comment period, if we adopt any changes, we will provide notice (for example, on the Facebook Site Governance Page or in this policy) of the effective date.

I would appreciate if you could provide further information about how Facebook intends to provide users with notification of changes to the SRR and the Policy. It is very important that users are provided with clear and easy to understand notification if there is to be any change in how their data will be collected, used, and published or otherwise disclosed.

Consistent with the OAIC's usual practices, this letter will be published on our website. For transparency and accountability, Facebook's response will also be published.

I look forward to your response to these issues.

Yours sincerely

[signed]

Timothy Pilgrim
Australian Privacy Commissioner
29 November 2012


Footnotes

[1] Proposed Statement of Rights and Responsibilities (2012) Facebook, https://www.facebook.com/legal/proposedSRR at 21 November 2012.

[2] Proposed Data Use Policy (2012) Facebook, https://www.facebook.com/legal/proposedDUP at 21 November 2012.

[3] Privacy Act 1988 (Cth) s 6.

[4] Privacy Amendment (Enhancing Privacy Protection) Bill 2012, Australian Privacy Principle 7.4.


Facebook's data use policy

8 August 2012

Facebook announced consultation on its proposed Data Use Policy on 11 May 2012. The OAIC made a submission on 23 May 2012, and later met with Facebook to discuss issues identified in the submission. Facebook’s Data Use Policy came into effect on 9 June 2012. The OAIC received Facebook’s written response on 30 July 2012.

The OAIC’s discussions with Facebook about privacy are ongoing, with the aim of ensuring users have control of their personal information and who has access to it. Given the significant amount of information Australians share on Facebook the OAIC encourages users to put in place strong privacy protections.


Correspondence — Facebook's data use policy response

30 July 2012

(received by emailed letter 30 July 2012)

Mr. Timothy Pilgrim
Australian Privacy Commissioner
Office of the Australian Information Commissioner 
GPO Box 5218 Sydney NSW 2001

Re: Recent changes to Facebook’s Data Use Policy

By email: [address]

Dear Mr. Pilgrim:

Thank you very much for your letter of May 2012, which describes your suggestions for future improvements to our Data Use Policy. At Facebook, we work hard to be transparent with people about how we use their data, and so we appreciated the opportunity to discuss this important issue with you and your staff, both before and after the most recent changes to our Data Use Policy became effective on 9 June 2012.

Facebook’s Commitment to Privacy

Facebook is a global communications platform embraced by over 10 million Australians because we give them the power and controls to share what they want, when they want, with whom they want. When it comes to privacy, we are focused on transparency, control, and accountability.

As Facebook’s founder and CEO Mark Zuckerberg has explained, Facebook is based “on the idea that people want to share and connect with people in their lives, but to do this everyone needs complete control over who they share with at all times.”[1]

To realize this foundational goal, our platform is designed with permissions models, dashboards to manage the information you’ve shared, and mobile privacy controls, among other tools. We also provide a range of interactive tools so that Australians have a practical way of understanding how their information is being used, including for example, how advertisers can target ads and how such targeting is done without personal information being shared with advertisers.[2]

Our Data Use Policy presents information about how we use people’s information in a layered way so that people can get the most important information up front and then drill down if they want more details. Rather than simply describing our policies generically, we also provide screenshots and “tips” marked with light bulb icons to provide key information and examples that help people understand how our policies work in practice.

We recognize, of course, that many people will have questions about how we use data on Facebook and that we cannot answer every question in our Data Use Policy while maintaining it at a manageable length.  Consequently, we provide additional information to users in our Help Center, which is available on virtually every page of Facebook by clicking the word “Help” in the page header or footer.  The Help Center includes a page of frequently asked questions about privacy and also offers a full-text searching tool that makes it easy for people to find answers to their questions. 

The Irish Data Protection Commissioner (DPC) recently verified our efforts to promote transparency and control as a part of his office’s comprehensive audit of Facebook Ireland, which provides the Facebook service in Australia.[3] In his audit report, the Irish DPC “found a positive approach and commitment on the part of [Facebook Ireland] to respect the privacy rights of its users”.[4]   

In light of that commitment, we are proud of the level of detail we provide in our Data Use Policy, and of our industry-leading efforts to engage our users in the process of updating our policies by soliciting their comments about changes that we propose to make.  We appreciate your feedback on how we can continue to improve our Policy and our efforts to provide transparency to our users.

Specific Comments

Title of the Policy

In your letter, you suggested that we retitle our Data Use Policy as “Privacy Policy.” As we discussed, we adopted the title “Data Use Policy” last year in place of “Privacy Policy” specifically in response to feedback from privacy advocates.  These advocates told us that, because our policy is mostly about the ways in which we share information and how users can control it, “Data Use Policy” was a more accurate way to describe the document than “Privacy Policy.”[5]  We believe that the current title is more transparent and more likely to trigger engagement with users because it explains how their data is being used.  

Despite this name change, we still use the word “privacy” in the sign-up process, and throughout the site when linking to the policy, when linking to the settings that people can use to control their information on the site, and throughout the Help Center to help people understand the tools and settings on the site.  We do this to help users who are looking for privacy information find our disclosures, and we believe this approach should effectively address your concern while promoting transparency and engagement with our Policy.

Transparency and control in information-sharing

You suggested that we provide additional information about how people can use Facebook to learn when information is shared about them on Facebook and to exercise control over that sharing.

We notify people by default when they are tagged in posts on Facebook.  This empowers people by letting them know when information is being shared about them so that they can engage with the person who posted it or, if they do not like the post, untag themselves or request that it be removed.  We recently launched an additional tool -- Activity Log -- which provides a centralized place for people to find the information that they have posted on Facebook as well as information that we receive about their activities using apps and gives people the tools to manage the privacy of, hide, or delete this information.  The Data Use Policy points users to this tool.

You suggested that we supplement our Data Use Policy by describing another tool that we offer -- Timeline Review -- which provides an added control for people who want the opportunity to approve a post in which they are tagged before it appears on their timeline.  Consistent with your suggestion, we provide this explanation in our updated Policy: 

“When someone tags you in a story (such as a photo, status update or check-in), you can choose whether you want that story to appear on your timeline. You can either approve each story individually or approve all stories by your friends. If you approve a story and later change your mind, you can remove it from your timeline.”

In your letter, you noted that our Data Use Policy “already discusses that users can control how much of their information may be shared by their friends with apps.”  You suggested that we expand this discussion by identifying the specific applications that a person’s friends use, and that may receive the information that the user has permitted his or her friends to share with apps.

With regard to friend sharing, our app controls balance the privacy interests of two users — the person who is sharing the information and the person who is using the app.  In that regard, we recognize that not everyone wants a list of which apps they use to be shared with all of their friends.  

In an effort to achieve this balance, we respect a person’s preferences about whether we disclose his or her use of a particular app to other users of Facebook.  We also restrict the information that someone can share with an app to only the information that they can see.  Moreover, we have added additional controls, so that people can choose what information their friends can share about them with apps.  Finally, we offer the choice to opt out of Facebook Platform altogether.

Following our adoption of the updated Data Use Policy, we launched App Center, which is a centralized place to learn about apps on Facebook.  App Center includes a list of “apps your friends have used recently,” which provides a simple mechanism by which people can monitor which apps are receiving information about them through friends.  (As you know, not all apps receive information about friends of the people who use them.)  In an effort to honor the privacy interests of all our users – including those who use apps and those whose information is shared – a person’s use of an app would only be visible to people whom he or she has permitted to see that activity.  We believe that this new feature, together with our existing controls around sharing of information with apps, is responsive to your suggestion.

In our updated Data Use Policy, we explain that we may expire apps’ permission to access data about a user, even after the user has authorized that app, if the user has not used the app recently.  The purpose of this practice is to avoid apps collecting data indefinitely about users who may not remember what they authorized.  Your letter inquires about the specific timeframe in which we expire this permission. Although many Internet companies never voluntarily expire data sharing permissions, our policy is to do so but not to expressly describe the specific timeframe within which data access permissions expire to avoid creating an incentive for apps to collect information about people immediately before they believe their access will expire.  This approach also gives us the discretion to limit apps’ access to data in particular situations when we believe that doing so helps us protect users’ information.

Deletion of user information by apps

You suggest that Facebook should require third party apps that operate on Facebook Platform to automatically delete user data when users remove applications, rather than only in response to a direct request from the user.  We have decided not to adopt this policy because we recognize that many Facebook apps interact with the people who use them both on and off Facebook, and that people may turn off a particular app on Facebook for a great variety of reasons.

For example, some users who publish their activity in apps to their Facebook Timelines might choose to remove an app temporarily if they wanted to disable sharing while they used the app privately and then restart their use of that app later.  Similarly, people may wish to continue their relationships with an app outside of Facebook and may not intend for their data to be deleted simply because they deauthorize the app’s connection with Facebook.  Our concern is that requiring apps to automatically delete data in these circumstances could be frustrating to users who do not want data to be removed.

Our solution is to require anyone who connects with the Facebook ecosystem to comply with users’ deletion requests.  And we are continually working to inform users about this process, such as adding educational information in our Privacy Center[6] and via our new App Center (referred to above). The App Center provides a centralized place for users to go to learn about an app’s privacy practices.  From the App Center page, you can see an app’s privacy policy, learn what information it receives from Facebook, and find the contact information for the developer that people need to make a deletion request.

Clarity regarding Facebook partners

In our Policy, we refer to various circumstances in which we may share information with our partners.  As you note, we have a number of different types of partners, and you have asked if we can be more specific about the kinds of partners to which we refer.  You specifically mention the first reference to our partners in the policy.  This reference relates to all of our partners; consequently, we do not list out the different types in this first instance of the word.  When we use the term “partners” later in the policy, we do specify if the usage is narrower, such as when we talk about “instant personalization partners” or “advertising or platform partners.”

Links to educational information about instant personalisation

You suggested that we link to further information in our Help Center about our instant personalization feature.  As we discussed with your staff, we do provide links to relevant information about instant personalisation in the version of the Policy that appears on our website at https://www.facebook.com/about/privacy/your-info-on-other#instantpersonal.  In the Policy, we provide a screenshot of our instant personalisation control and a link directly to an educational page on our site that explains how instant personalisation works and how to disable it.

Location Data

You suggest that we provide additional information in our Policy about the circumstances in which we may collect location information such as GPS data from our users’ mobile devices and that we describe how users can opt out of providing GPS data to Facebook through our mobile apps.

As we described during our meeting, our practice is to comply with the standard location controls provided by mobile operating systems, which generally obtain users’ consent prior to sharing GPS data with an app.  We believe that honoring device-level controls is the best way to honor our users’ expectations with regard to this data and to obtain consent in the manner that they are most accustomed to providing it.  Of course, these controls vary from device to device, and so it would not be feasible for us to include in our Data Use Policy an exhaustive description of how the controls work for each device on which people access Facebook.

Data Retention

In our Data Use Policy update, we expanded our existing commitment about retention of certain information that we obtain from advertisers by broadly committing to only keep data that we receive “for as long as it is necessary to provide products and services to you and others,” regardless of the source of the data.  You asked us to specify the precise retention periods that apply to the various categories of data that we collect.

In many instances it is impossible for us to define a precise retention period.  For example, when people post data on their timelines, we do not delete that data after a specific number of days.  Instead, we will keep the data until the user deletes it or deletes his or her account.  We do, however, explain in our Policy and elsewhere when we have adopted specific data retention periods.  For example, we state that information contained in a deleted account will typically be deleted within about a month, although it may take up to 90 days to remove from logs and backup copies.  We also describe a specific limit on retention of information that we receive when people view pages that include our social plugins.  We hope that this information is responsive to your inquiry.

Sharing settings

You asked why we removed our statement that, “[i]f you do not make a selection, your information will be shared with the last audience you selected. If you want to change your selection later you can do that too on your profile.” As we discussed, this change does not reflect a change in functionality. Instead, it reflects the fact that there are a diverse number of situations in which a person can control the audience for a particular post. For example, if a person comments on another’s post, then that comment will be subject to the privacy settings applied to that post.  Alternately, a person may have chosen one type of privacy setting for one of their apps but a different setting for another.

Cookies

As you note, as part of updating the Policy, we have developed an extensive FAQ that provides useful information about the use and purpose of cookies by Facebook. In this new cookies FAQ section, we clearly disclose that we receive information when people use sites that incorporate our plugins. In particular, we have an FAQ that specifically outlines how we use cookies for people who do not have a Facebook account or who have logged out.[7]  We will continue to work to identify ways that we can enhance our disclosures about how we use cookies and similar technologies, including in our Data Use Policy and our cookies FAQ.

***

Thank you for the time you and your Office have dedicated to review the proposed changes and develop these suggestions. We appreciate the opportunity to discuss them with you.

Kind regards,

[signed]

Mia Garlick
Head of Policy and Communications
Facebook Australia and New Zealand


Footnotes

[1] Mark Zuckerberg, “Our Commitment to the Facebook Community” November 30, 2011, https://blog.facebook.com/blog.php?post=10150378701937131

[2] https://www.facebook.com/about/privacy/tools

[3] Facebook Ireland (FB-I) is the entity with which users based outside the United States and Canada have a contractual relationship. FB-I is the “data controller” in respect of the personal data of these users.

[4] Irish Data Protection Commissioner, Report of Audit – Facebook Ireland, 21 December 2011, page 3 (http://dataprotection.ie/viewdoc.asp?DocID=1182).

[5] See, e.g., Facebook, “A Privacy Policy Re-Imagined For Users Like You,” Facebook Site Governance (25 Feb. 2011), available at https://www.facebook.com/note.php?note_id=10150434660350301&id=69178204322; Thomas Claburn, “Facebook Proposes ‘Data Use’ Policy To Replace ‘Privacy Policy,’” Information Week (25 Feb. 2011), available at http://www.informationweek.com/news/229219459 (“Privacy advocates have long complained that the term ‘Privacy Policy’ is misleading because privacy policies generally describe how and when data is shared.”).

[6] https://www.facebook.com/help/privacy

[7] https://www.facebook.com/help/?faq=239530772765713#Does-Facebook-use-cookies-if-I-don%27t-have-an-account-or-have-logged-out-of-my-account?
