Privacy

The social networking sites and search engines that we as university students use every day can have profound implications for the privacy of our personal information.

In our section of the website, we give you the tools to better understand what is in Google and Facebook privacy policies and how you can make sure your privacy is not being compromised. You have the control, and we will tell you how.

What are the laws that govern privacy in Canada?

There are two federal privacy laws that govern individual privacy in Canada:

  1. The Privacy Act places obligations on 250 federal government departments and agencies to respect privacy rights by limiting the collection, use and disclosure of personal information.
  2. The Personal Information Protection and Electronic Documents Act (PIPEDA) sets the ground rules for how the private sector may collect, use, or disclose personal information in the course of commercial activities.

PIPEDA is the law that most concerns us in this section, as it regulates the behaviour of organizations in the private sector. We chose to address the sites of concern most commonly used by university students in Quebec.

Every province and territory has privacy legislation. Where a provincial statute has been deemed substantially similar to PIPEDA, an organization can be exempted from the application of PIPEDA, since the province's legislation can do the same job (paragraph 26(2)(b)).

Quebec is one of the few provinces whose language is similar, thus organizations affecting individuals in Quebec are subject to the Act Respecting the Protection of Personal Information in the Private Sector (R.S.Q., chapter P-39.1). But even in Quebec, PIPEDA applies to those organizations under federal jurisdiction (i.e. telecommunications, transportation, banking, broadcasting).

Most of the rules governing Facebook's privacy policy are based on opt-out conditions. That is, the policy states that they are able to do certain things only if we know and consent to this. If we don't, we can opt out.

In the Act Respecting the Protection of Personal Information in the Private Sector, it states that "No person may communicate to a third person the personal information contained in a file he holds on another person, or use it for purposes not relevant to the object of the file, unless the person concerned consents thereto or such communication or use is provided for by this Act (1993, c.17, s. 13)."

PIPEDA states in 4.3.1 Principle 3 - Consent: "Consent is required for the collection of personal information and the subsequent use or disclosure of this information."

Finding where and when we can opt out of certain things is a contentious issue.

In the Act Respecting the Protection of Personal Information in the Private Sector, it states "A person who collects personal information from the person concerned must, when establishing a file on that person, inform him: (1) of the object of the file; (2) of the use which will be made of the information and the categories of persons who will have access to it within the enterprise; (3) of the place where the file will be kept and of the rights of access and rectification (1993, c. 17, s. 8)."

There is similar language in PIPEDA 4.3.2 regarding the obligation to inform: "Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used."

What does agreeing to Facebook's Terms of Use really mean?

When gaining membership to Facebook, one must agree to the privacy policy stated on the website's Terms of Use. Facebook is allowed to change its Privacy Policy and Terms of Use at any time, with notification to the users (although it is contested that such notification is simply not enough). What you agree to applies to all information that they have about your account.

There is evidence that most Facebook members do not read these documents in the first place, and thus an argument could be that they are too long and confusing for an average user to engage with. That is why we are here. We will make sure that you understand how personalizing your Facebook account does not mean compromising your individual privacy.

I am applying for a job. But my Facebook is somewhat littered with stuff no employee would want their employer to see (i.e. photos, pages, fan sites). Can they have access to any information they want?

45% of employers use Facebook to examine potential employees (Survey). But they cannot access anything they want. You have control. You can change your Facebook Search Results settings here.

Whatever you choose to display is up to you. You can even make yourself 'unsearchable'. But the point that many are making is that simply allowing people to search for you can be just as problematic as seeing your full profile. Your profile picture says a lot about you - your sex, race, age, and certain behaviour. Although employers are not allowed by laws governing discrimination to use this information against you, taking an employer to court is not an effective means to an end; most cases are problematic to defend.

I want to delete my account. Where does my information go?

There are two ways to deal with removing your account: one is to deactivate and the other is to completely delete.

Deactivation best serves those who want to temporarily remove their Facebook account with the option of reactivating it at a later date. But be advised - this information does not go away; in order for Facebook to be able to reactivate all the uploaded materials, they must be able to store them. Therefore, all that information is retained by Facebook. Of course, they can't do what they want with it without your consent.

Permanently deleting your account was not an option until recently. In fact, the Canadian Privacy Commissioner was one of those responsible for putting pressure on Facebook to enable such action (News Release).

But even if you delete such material, copies of that information may remain elsewhere, as you have shared such information with others. Your messages with others, pictures, etc. will remain, although your name will no longer be associated with that information on Facebook.

There are so many third-party applications that I can join on the Facebook site. What does this mean for the security of my personal information?

Adding an application can wreak more havoc than simply getting bombarded with messages and updates. Facebook sets up 'recommended' terms for third parties, but nothing that is binding.

PIPEDA 4.1.3 "An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party."

Facebook is able to communicate this information to third-party applications, but it must first obtain consent from users.

1993, c. 17, s. 13. "No person may communicate to a third person the personal information contained in a file he holds on another person, or use it for purposes not relevant to the object of the file, unless the person concerned consents thereto or such communication or use is provided for by this Act."

Your consent can be initiated in many forms. You can block a certain application simply by going to the application's profile page and clicking "Block this Application" (Application Settings).

But not only is your information in the hands of these applications if you consent to the terms to be able to use them, so is all the information you can see of others. Without any action by one of your friends, an individual who has never given the application access will have their information sent to the third party. This is questionable considering PIPEDA 9.1: "Despite clause 4.9 of Schedule 1, an organization shall not give an individual access to personal information if doing so would likely reveal personal information about a third party." You can change your application settings to limit the information your friends can make available to applications (Edit Application Settings).

They can store any of the following information indefinitely: user ID, primary network ID, event ID, group ID, photo ID, photo album ID, notes written by the user, and the time the profile was last updated. Developers can't share this data with advertisers, but they can use it to tailor features to users. They can create targeted ads based on a user's gender, age, or relationship status.

Once information is on a third-party server, Facebook can't do anything about it. They only set up guidelines and are restricted by the Statement of Rights and Responsibilities. They are required to delete all of your data if that certain application is disabled, and they are required to have their own privacy policy - separate from Facebook - which is binding to users.

Why are the ads on my Facebook page tailored to my interests, vocation, location, or even gender? Can ads use this information?

This is once again an opt-out service. You can change your advertisement settings here. Facebook claims that they will not share information with advertisers without our consent. But once again, it is only by your own doing that you can prevent this type of intrusion.

"We will not share your information with advertisers without your consent. We allow advertisers to select characteristics of users they want to show their advertisements to and we use the information we have collected to serve those advertisements" (Privacy Policy).

Advertisers can use technological methods to ensure effectiveness and personalize their ads for you. You can opt out of the placement of cookies on your computer here.

"We allow advertisers to choose the characteristics of users who will see their advertisements we may use any of the non-personally identifiable attributes we have collected (including information you may have decided not to show to other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements" (Privacy Policy).

They are prohibited by the Facebook Platform Developer Terms of Service from storing information for longer than 24 hours. They are obligated to respect the privacy settings you have chosen for your own account (i.e. what anyone browsing on Facebook could see).

I have an iGoogle homepage. There, I have aggregated my favourite newspapers, sites etc. How do I know that this stuff is being kept private?

Most of the gadgets and widgets on iGoogle originate from third parties. But third parties are prohibited by contract with Google from accessing any of your Google cookies and any other information unrelated to that specific widget or gadget.

PIPEDA 4.1.3 "An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party."

Use of your information by third parties is not governed directly by the Google Privacy Policy. Therefore, watch what you are getting into. Although they are in a contract with Google to block access to other elements of your iGoogle choices, they are subject to their own conditions established in their own privacy policies.

Using search engines is a scary thing. Does Google document what I have searched and can the government find out?

There is no federal law governing the collection, retention, and use of search query logs, so Google (among other search engines) created its own rules.

Google keeps internet log files for 9 months. That is, they begin anonymizing such data after this 9-month period. They automatically record visits to any of Google's sites and can aggregate them. These records include the web request, your IP address, browser type/language, etc. You are not able to remove information about your searches. So be careful what you search for. They argue that they "store data to improve [their] search results and to maintain the security of [their] systems" (Google Privacy FAQ).

Google will only share personal information with other entities in certain situations:

Regarding government access: "We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law" (Google Privacy Policy).

In the Canadian Privacy Act: 4 "No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution." ... 5.2 "A government institution shall inform any individual from whom the institution collects personal information about the individual of the purpose for which the information is being collected."

But the architecture of Google's privacy policy places information about search-query logs far away. You can find more information here.

What is Google Buzz? How did they access all my contacts?

Google Buzz is an opt-out service. It's Google's version of a social networking site that builds up your most frequent contacts (a list of your followers and people who you follow) for your use. These lists were made publicly viewable by other Gmail users and could be publicly indexed by search engines (EPIC: Google Buzz). Essentially, our address books are published for all to see. They did this without properly and clearly notifying users.

Google's desire to convert the personal information of users of one service into another service complicated many privacy laws. EPIC (The Electronic Privacy Information Center) filed complaints about Google Buzz, arguing that:

  • Gmail users were automatically signed up (unless they chose to opt out); they argue it should be opt-in
  • They argue that Google should not use Gmail users' address books to create Buzz follower lists, as this is the use of private address book contacts to develop another area of their business. When Gmail users agreed to the Terms of Use for Gmail specifically, the use of their address books in this public manner was not a part of it. This violates privacy expectations and contradicts their own privacy policy (specifically under Gmail).

Also, see Act Respecting the Protection of Personal Information in the Private Sector: "Any person collecting personal information to establish a file on another person or to record personal information in such a file may collect only the information necessary for the object of the file. Such information must be collected by lawful means (1993, c. 17, s.5)."

What are some other resources on privacy? How can I stay informed?