From CBC News:
The online youth social networking site Nexopia is violating Canadian privacy laws by keeping members’ personal information indefinitely, Canada’s Privacy Commissioner has found.
Edmonton-based Nexopia, which bills itself as “the place to be for teens looking to express themselves,” is refusing to give users the option to permanently delete their data, despite Privacy Commissioner Jennifer Stoddart’s recommendation that such an option was required to comply with Canadian law, said a news release from Stoddart’s office Thursday.
Looking at the appendix of the report to see which action items/recommendations Nexopia agreed to remedy and which they didn’t, I note that they agreed to comply with most recommendations by June 2012 or September 2012, but this one caught my eye:
Implement appropriate policies and practices for the retention and destruction of personal information, including defined retention periods for non-user and user personal information.
Nexopia replied that, as it is not viable to implement a technical solution to ensure the destruction of users’ data and personal information, it did not need to implement a retention and destruction policies and practices. It suggested that a greater explanation of how it archives data and confirmation that such data is only accessible to its system administrators could be pursued.
We reminded Nexopia of the importance of developing guidelines and implementing procedures for the retention and destruction of personal information under Principles 4.5.2 and 4.5.3 of Schedule 1 of the Act. The difficulty in finding a solution to the permanent deletion of users’ data and accounts does not obviate the need for such guidelines and procedures.
Indeed, retaining vast amounts of former users’ personal information, long after it has served its original purpose represents a real and ongoing security risk. Nexopia needs to develop appropriate retention and destruction guidelines and procedures to minimize and mitigate the risk of a privacy breach.
So that one is not resolved.
In light of all the hacks that occur on a daily basis, Nexopia really does need to come up with a way to purge or delete and have a policy that tells users how to request such data destruction. In this case, transparency is simply not sufficient.
Similarly, consider this recommendation and Nexopia’s response:
Provide a true delete option for the accounts and personal information of users.
Nexopia was not prepared to comply with this Recommendation.
It explained that providing a true deletion option for the accounts and personal information of users is not currently possible. It pointed out the limitations of adopting such an option and justified its current practice of account “deletion” where all data and personal information is made invisible on the website. The information stored in the archives is only accessible to system administrators and recovered in the event that they receive a warrant from a law enforcement authority.
Nexopia argued that the development costs of adopting a “best practice” approach for the deletion of user data and personal information would be prohibitively high.
In our opinion, Nexopia’s current practice of storing personal information in its archives indefinitely, on the small possibility it may be the subject of an information request or warrant from a law enforcement agency is not acceptable. While such requests or warrants may justify a longer retention period for those specific cases affected, they do not justify wholesale and indefinite retention of all records.
In addition to the security risks inherent in retaining vast amounts of former users’ personal information, long after it has served its original purpose, we are concerned that all of Nexopia’s users are being misled into thinking they can delete their personal information at some point, if they want to. In this respect, Nexopia is retaining personal information without users’ knowledge and consent.
Does anyone else find Nexopia’s response unacceptable? Saying the cost of something is (too) high is not an acceptable answer. If the cost of doing business includes providing adequate privacy controls, either develop and implement the controls or shut down. Businesses should not have the option to refuse to comply based on their profit line.