On behalf of the Danish Data Protection Agency (DPA) I am writing to follow up to my April 3, 2009 letter and Facebook's June 11, 2009 letter regarding Facebook's privacy practices.
The positive reply received from Facebook in the letter of June 11, 2009, makes us confident that Facebook will conduct its activities in compliance with the Danish Act on Processing of Personal Data.
Furthermore we would like to draw your attention to the recommendations for social network services operating in Denmark issued by the DPA: www.datatilsynet.dk/erhverv/internettet/anbefalinger-til-beskyttelse-af-privatlivets-fred-i-sociale-netvaerkstjenester/
These recommendations are a Danish version of the international resolution on Privacy Protection in online social network services which was adopted at the 30th International Conference of Data Protection and Privacy Commis-sioners in Strasbourg October 2008: www.privacyconference2008.org/index.php
As the DPA receives inquiries from Danish users regarding Facebook's privacy practices and as there is a general interest of Facebook in Denmark, we would be grateful if you could provide information on the following topics.
1. Account deactivation and deletion
In Facebook's June 11, 2009 letter it is explained that users are presented with choices between deactivation and deletion of their accounts, and that the users must request deletion through the form provided in the Help Centre.
In the letter it is indicated that Facebook is investigating the problems some users may be having using Facebook's procedures for deletion. If you have reached a conclusion on this issue we would be very pleased if you would report back to us on this.
2. Third-party applications
For many Danish users it is a great concern what information the application developers can access, not only information about the user who has added the application but also about the users friends and any other network member the user can see.
We know that Facebook has taken major steps to address this concern and that Facebook's undertakings on this issue includes significant changes to Facebook's application platform in order to give users control over what personal information application developers may access.
We understand that these changes will take some time, and we would therefore very much appreciate if you could provide us with more detailed information on Facebook's activities regarding this issue.
3. Monitoring and retention of data
In the letter of June 11, 2009, it is indicated that Facebook has developed several automated systems that detect anomalous site activity.
Facebook also indicates that when a user deletes public content from Facebook it is made inaccessible through the service, but backup copies may exist for a short period of time in order to ensure that the account is not being deleted to hide evidence of criminal activity.
We understand that these practices can be necessary to maintain a trusted and safe on-line environment. However, we would like to learn more about 1) the exact period of time Facebook keeps backup copies, 2) how Facebook in-forms users of the monitoring and retention of data and 3) how Facebook ob-tains consent from users for specifically monitoring and retention of data.
4. Further remarks
We are aware that the Office of the Privacy Commissioner of Canada has published a report of findings into a complaint filed by CIPPIC regarding Facebook's privacy practices.
We have read the Canadian report of findings with great interest and we would highly appreciate if Facebook's undertakings on privacy matters raised by our Canadian colleagues will also apply to the Danish users. We would therefore be very pleased if you could report back to us that this is the case.
As you are aware, the Article 29 Data Protection Working Party has adopted an opinion on online social networking. The DPA participates in the working party, and we look forward to also working with you at this level.
We are pleased that we share common goals of providing users with a safe and privacy protective online environment, as well as respect for European and Danish privacy law.
Please let us know if you have any questions regarding the Danish Act on Processing of Personal Data.
For your information we publish this correspondence on our website www.datatilsynet.dk.