Privacy Commissioner Investigating Allegations RBC Could Read Private Facebook Messages

The government has launched an investigation into claims that the Royal Bank of Canada had access to private Facebook messages of people using its app.

According to the New York Times, Facebook gave Spotify, Netflix, and RBC the ability to “read, write and delete users’ private messages, and to see all participants on a thread — privileges that appeared to go beyond what the companies needed to integrate Facebook into their systems, the records show.”

“RBC’s use of the Facebook platform was limited to the development of a service that enabled clients to facilitate payment transactions to their Facebook friends,” the bank told CBC News in a statement, noting the launch of a program in late 2013 that allowed the bank’s clients to send money to each other via Facebook’s messaging service.

“As part of our security and fraud protocols, we needed to uniquely identify the recipient of funds and payments to securely process the transaction and deliver the notification. We did not have the ability to see users’ messages,” the bank said.

However, last week a Facebook employee said that the RBC did indeed have the ability to read, write, and delete private Facebook messages from users using the bank’s app between 2013 and 2015.

“[RBC] said they never had those privileges; they never did that,” said MP Charlie Angus during a Jan. 31 meeting of the Parliamentary Standing Committee on Access to Information, Privacy and Ethics. “The Tyee is now reporting that Facebook has told them that RBC had the capacity to read, write and delete private messages of Facebook users who were using the banking app. Have you looked into that? Do you think it’s something that requires followup? Should we take RBC’s word for it?”

Privacy Commissioner Daniel Therrien confirmed that his office is investigating the allegations.

“We actually received complaints from individuals on whether or not the Royal Bank was violating PIPEDA [The Personal Information Protection and Electronic Documents Act] in some way in receiving information in that way,” he explained.