A joint investigation by the federal and B.C. privacy commissioners found Facebook committed serious contraventions of Canadian privacy laws and claims the company is refusing to accept the findings or make requested changes.
Specifically, the report found Facebook failed to ensure third-party apps obtained valid and meaningful consent from its users about information-sharing, had inadequate safeguards to protect user information and failed to be accountable for the user information under its control.
Canada accuses Facebook of breaking its privacy laws, and plans to take the company to court
Facebooks refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company, Privacy Commissioner of Canada Daniel Therrien told reporters at a news conference in Ottawa. Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection. The stark contradiction between Facebooks public promises to mend its ways on privacy and its refusal to address the serious problems weve identified – or even acknowledge that it broke the law – is extremely concerning. The commissioners description of Facebooks position is based on meetings, discussions and written exchanges between the company and the commissioners offices.
The commissioners said their offices lack the teeth to impose new Canadian fines in addition to the billions in potential penalties the company already faces worldwide and urged politicians to follow the lead of other countries by giving privacy authorities the powers needed to ensure privacy laws are respected.
Therrien reiterated his long-standing call for the federal government to give him authority to issue binding orders to companies and levy fines for non-compliance with the law. In addition, he wants powers to inspect the practices of organizations.
The federal investigation was launched in March of 2018 – and became a joint investigation a month later – in response to the international scandal involving the misuse of Facebook data by Cambridge Analytica, a British political consulting firm. The scandal had several key Canadian connections, including the fact that Cambridge Analytica had links to a small Victoria-based firm called Aggregate IQ (AIQ). The main whistle-blower in the saga – Christopher Wylie – is also Canadian. Through a series of media interviews, Mr. Wylie spoke about his time working at Cambridge Analytica and alleged that the company and its affiliates misused personal Facebook data to influence election campaigns around the world, including the 2016 Brexit referendum and the 2016 U.S. presidential election.
The House of Commons committee on access to information, privacy and ethics conducted its own investigation and called last year for federal political parties to be subject to federal privacy laws.
Mr. Therrien and B.C. Information and Privacy Commissioner Michael McEvoy said the reports findings and Facebooks rejection of the reports recommendations highlight critical weaknesses in Canadas current privacy protection framework and the urgent need for stronger privacy laws.
The Liberal government passed electoral reform measures in December that aimed to block foreign interference in federal elections. It also requires social-media companies and large websites to create a registry of political ads that states who paid for them. However the legislation did not address the widespread calls to end the current exemption political parties currently have from federal privacy legislation.
The Globe has asked a spokesperson for Facebook Canada to comment on the report, but has not yet received a response.
Facebook said this week that it expected to be fined up to U.S.$5-billion by the Federal Trade Commission for privacy violations, but added the matter is ongoing and the timing is not clear.
Canadian privacy watchdogs find major shortcomings in Facebook probe
That penalty would be related to claims that Facebook breached a 2011 privacy consent agreement. That is separate from a FTC investigation launched last year into the company.
Mr. Therrien said his office will be asking the Federal Court to issue an order requiring Facebook to comply with federal privacy laws. The commissioner said this process could take more than a year and that any fines imposed by the court on Facebook are likely to be – at most – in the tens of thousands of dollars, which he said is much smaller than the fines Facebook faces in other countries for privacy violations.
In a conference call Wednesday, Facebook CEO Mark Zuckerberg said the company has a privacy-focused vision for the future of social-networking.
The federal commissioner says his office is ending its presence on facebook because he doesn’t want to have an association with a company that he has found to be irresponsible with user information #cdnpoli
Canada watchdogs investigation finds Facebook broke privacy laws
Mr. Zuckerberg also repeated his recent statement that government regulation of the internet would be welcome in some areas, such as content, privacy and elections.
Facebook hit with three privacy investigations in a single day
Opinion: Rewriting Canadian privacy law: Commissioner signals major change on cross-border data transfers
The reason I wrote this is because Ive spent most of the last couple of years focused on addressing the important social issues around the internet, and while Im proud of the progress weve made, these are areas where it doesnt feel right for a private company to make such important policy decisions by ourselves, he said. If the rules for the internet were being written from scratch today, I dont think people would want private companies to be making so many decisions around speech, elections and data privacy without a more robust democratic process.
Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection. The stark contradiction between Facebooks public promises to mend its ways on privacy and its refusal to address the serious problems weve identified — or even acknowledge that it broke the law – is extremely concerning, he added.
Mr. Zuckerberg said government regulations need to be updated to address the threat of foreign interference in election campaigns.
Those threats are often not covered by todays laws, and I think wed be better off if companies didnt define those policies themselves, he said.
Federal Privacy Commissioner Daniel Therrien and his B.C. counterpart, Michael McEvoy say Facebooks actions during the Cambridge Analytica breach point to the need for giving provincial and federal privacy regulators stronger sanctioning power to protect the publics interest.
On privacy, the Facebook CEO said it would be positive if more countries adopted regulations like those currently in place in the European Union. Canadas privacy commissioner has made similar recommendations, but the federal government has not committed to such a change.
Exposing Facebooks deeply troubling behaviour – Macleans.ca
Canada's federal privacy watchdog plans to take Facebook to court following an investigation that found the social media giant broke a number of privacy laws and failed to take responsibility for protecting Canadians' personal information.
"Canadians are at risk because the protections offered by Facebook are essentially empty," said Privacy Commissioner Daniel Therrien after releasing a blistering report into the company's operations Thursday.
If Facebook had implemented the 2009 investigations recommendations meaningfully, the risk of unauthorized access and use of Canadians personal information by third-party apps could have been avoided or significantly mitigated, the commissioners said.
Canada watchdog to seek court order to force Facebook to follow privacy laws
Therrien and his B.C. counterpart, Michael McEvoy, joined forces last spring to investigate the roles of Facebook and the Canadian company AggregateIQ in the scandal involving the British firm Cambridge Analytica.
Cambridge Analytica is accused of harvesting data of more than 50 million Facebook users worldwide to create social media strategies to support U.S. President Donald Trump's 2016 election campaign.
The Canadian investigation was triggered by reports that an app called "This is Your Digital Life," which encouraged users to complete a personality quiz, collected the information of users as well as their Facebook friends — information later used by Cambridge Analytica.
Facebook data leak: Province-by-province breakdown of affected Canadians
The report estimates about 87 million users worldwide had their information disclosed, including more than 600,000 Canadians.
"They say that they are accountable. We have seen in this instance that they were not accountable," Therrien told reproters during a media conference in Ottawa Thursday.
Facebook has publicly acknowledged a "major breach of trust," but vehemently disputes the Canadian report.
Therrien did not say Canadians should get off of Facebook, but said they should exercise caution when choosing to connect with friends and family on the social media site.
"After many months of good-faith cooperation and lengthy negotiations, we are disappointed that the OPC considers the issues raised in this report unresolved. There's no evidence that Canadians' data was shared with Cambridge Analytica, and we've made dramatic improvements to our platform to protect people's personal information," said Erin Taylor, communications manager for Facebook Canada, in an email.
"We understand our responsibility to protect people's personal information, which is why we've proactively taken important steps towards tackling a number of issues raised in the report and worked with the OPC to offer additional concrete measures we can take to address their recommendations, which includes offering to enter into a compliance agreement."
"The stark contradiction between Facebook's public promises to mend its ways on privacy and its refusal to address the serious problems we've identified — or even acknowledge that it broke the law — is extremely concerning," said Therrien.
The commissioners said they tried to implement measures to ensure Facebook respects its privacy obligations in the future, but the company reportedly has refused to submit voluntarily to audits of its privacy policies and practices over the next five years.
The Office of the Privacy Commissioner of Canada says it will now take the matter to Federal Court to seek an order to force the company to change its privacy practices.
Facebook users care less about privacy than regulators
Therrien also said his office will take down its Facebook page because it doesn't want to be associated with the platform's privacy rules.
"We do not want to continue to be associated with an organization that we found is irresponsible," he said.
Both commissioners are using Thursday's report to call for stronger sanctioning powers for provincial and federal privacy regulators.
Democratic Institutions Minister Karina Gould said the government is open to bringing in regulations and "all options are on the table." But with an October election fast approaching, Gould is left with little legislative runway.
"We understand that the time of self-regulation is coming to an end. Governments around the world are realizing and understanding, as are citizens around the world, as to how these social media companies, these digital platforms, have been using data and how they have also been manipulated by malicious actors."
"This Liberal government's cozy relationship with the American tech giants and their lobbyists means that they always put Canadians' privacy rights second. We need a government that will be willing to implement the all-party recommendations of the Ethics Committee and stand up to the web giants and their disregard for Canadian law," said Angus, the party's ethics critic.
Recode Daily: Facebook is anticipating a $5 billion fine from the FTC
"It's wrong that the Liberals and Conservatives always prefer to let private companies self-regulate instead of requiring them to do the right thing by putting the safety and privacy of Canadians before profits."
Facebook broke Canada privacy laws, watchdog says
McEvoy is also looking into AggregateIQ (AIQ), the Victoria, B.C.-based marketing and software development company accused of sidestepping Brexit campaign spending limits.
The Canadian whistleblower at the centre of the scandal, Christopher Wylie, told a U.K. parliamentary committee last year that he "absolutely" believed AIQ had drawn on Cambridge Analytica's databases for its work on the Brexit referendum.
To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.