The initial complaint, which prompted the Privacy Commissioner to begin the investigation, was filed by the Canadian Internet Policy and Public Interest Clinic.
An overarching concern was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers.The other big issue the report expresses concern with is the now over 950,000 Facebook applications which are made by third-party developers and the information about users they have access to. Facebook allows these applications to share the personal information of Facebook users.
The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.The recommendations made include "technological measures to ensure that developers can only access the user information actually required to run a specific application."
Importantly, the report suggests that Facebook violates the Personal Information Protection and Electronic Documents Act (PIPEDA) by retaining personal information about users after their accounts have been deleted. "The law is clear that organizations must retain personal information only for as long as is necessary to meet appropriate purposes."
Obviously in order for Facebook to comply with the report and the law it would have to permanently delete the records of users who have deleted their accounts. This ruling raises concerns not only for Facebook though, but for several other web services provided to Canadians. Google currently keeps an entire record of a user's web searches despite several complaints made by privacy advocates. A myriad of sites keep user information after accounts have been deleted or in ways users are not clearly aware.