Facebook violated Canadian privacy laws, watchdogs threaten court action

B.C. privacy commissioner Michael McEvoy and Privacy Commissioner of Canada Daniel Therrien speak to media in Ottawa after their report on Facebook was released April 25, 2019. Photo by Andrew Meade

Facebook violated Canadian privacy laws, refused to take responsibility and even tried to propose "alternative commitments" that would fail to bring them into compliance, according to a year-long investigation by the federal and B.C. privacy commissioners.

The Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia say they plan to go to court as a result.

The commissioners released the results of their probe Thursday into whether Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA) and B.C.'s Personal Information Protection Act (PIPA). The investigation was launched as a result of a complaint by NDP MP Charlie Angus.

It followed the data scandal tied to Cambridge Analytica, a now-defunct British firm founded by Stephen Bannon, former chief strategist for U.S. President Donald Trump, and billionaire Republican donor Robert Mercer.

Cambridge Analytica used data that had been gathered from users who had downloaded a personality quiz application, and the Facebook contacts of these users, in order to build psychological profiles with the aim of helping Trump's 2016 presidential campaign. Over 622,000 Canadians out of 87 million users globally were affected by the technique.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” Privacy Commissioner of Canada Daniel Therrien said in a statement. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

The law doesn’t give Canada's commissioner the power to impose any penalties, but it gives complainants the power to apply to federal court for a hearing as a result of commissioner reports. The court can then order an organization to “correct its practices” to comply with the law, and award damages.

Angus said in a statement Thursday he is consenting to court action.

The findings by Therrien and B.C. commissioner Michael McEvoy follow a report in December 2018 by the House of Commons ethics committee, which had carried out its own investigation into Facebook and Cambridge Analytica. The committee warned about "the threat to democracy in the era of disinformation and data monopolies" and said the privacy commissioner's office should be beefed up and PIPEDA amended to include political parties and data portability.

That committee also explored reports tying Canadian political consultancy AggregateIQ to the parent company of Cambridge Analytica, and to the campaign in the U.K. to leave the European Union. The U.K. Electoral Commission's investigation into Brexit referendum spending found Vote Leave broke the law in that country by sending money to AggregateIQ to use for political advertising on Facebook by working with BeLeave, another Brexit campaign.

Facebook banned the firm from its platform last year saying it may have improperly received user data. McEvoy said the commissioners were still working on that investigation and expected the results to be released "later this spring."

The company, which is also facing billions of dollars of federal fines in the U.S., said it was "disappointed" that the Canadian watchdog wasn't satisfied with its responses.

"There's no evidence that Canadians' data was shared with Cambridge Analytica, and we've made dramatic improvements to our platform to protect people's personal information," the company told National Observer in a statement. "We understand our responsibility to protect people's personal information, which is why we've proactively taken important steps towards tackling a number of issues raised in the report and worked with the (Office of the Privacy Commissioner) to offer additional concrete measures we can take to address their recommendations, which includes offering to enter into a compliance agreement."

Possibility info 'can be used to influence elections'

Therrien and McEvoy's investigation is the latest in a string of reports cataloguing how Canadians have come to rely on giant social media platforms to engage with political parties, politicians and candidates, and how this reliance exposes them to manipulated information from cyber actors trying to influence their vote.

This month, Canada's national electronic spy agency said Canadians are “very likely” to be targeted by foreign meddling in connection with the 2019 federal election in October, and that an unnamed foreign adversary had already manipulated information on social media to amplify and promote anti-Ottawa viewpoints.

“We are seeing very clearly the limits of the self-regulatory, voluntary compliance world,” Therrien said Thursday. He said while the commissioners found no evidence the information of Canadians on Facebook was used to influence Canadian elections, Canadians are at risk of an attack like the one detailed by U.S. Special Counsel Robert Mueller.

Mueller's report showed how Russian intelligence-linked hackers broke into the email accounts of the U.S. presidential campaign of Hillary Clinton and the networks of the Democratic Congressional Campaign Committee and the Democratic National Committee. Russia-linked hackers also stole evidence connected with the Mueller investigation as part of a disinformation campaign.

“The fact that information can be used to influence elections is certainly a possibility. There is certainly no reason to believe that this kind of thing that happened with the American elections, could not happen in Canada," said Therrien.

The Trudeau government has passed an elections reform bill, C-76, that limits spending by political parties and advocacy groups in the lead-up to an election campaign, bans spending by foreign entities to influence elections and requires platforms to keep a registry of political and partisan ads, although it does not include the parties in privacy legislation.

But Democratic Institutions Minister Karina Gould has said she doesn't think social media platforms are taking the situation seriously enough.

Facebook has long said security is an "arms race" and it is continually trying to bolster its defences against "well-funded adversaries." It has pointed to a series of steps the company has taken to address privacy and disinformation concerns. It is now making ad purchasers confirm identities to run election-related ads, and is expecting to roll out additional tools for advertisers this spring.

It has also launched the Canadian Election Integrity Initiative, partnering with a media literacy organization, released a guide for information security, and partnered with Agence France-Presse (AFP) news agency for third-party fact checking.

Facebook refused to implement recommendations

The commissioners spoke with Facebook, interviewed witnesses, reviewed transcripts from parliamentary hearings, and accessed technical analysis, academic research and reports from other regulators, such as the U.K. Information Commissioner’s Office, which already fined Facebook 500,000 pounds (roughly $869,000) following its own probe into the Cambridge Analytica scandal.

They found that Facebook didn't obtain meaningful consent from users who installed the app involved in the data scandal, "nor did it make a reasonable effort to ensure users had sufficient knowledge to provide meaningful consent for disclosures to apps more generally."

Facebook also had "inadequate safeguards to protect user information" and "failed to be accountable for the user information under its control," it said.

What's more, the commissioners describe an antagonistic relationship with the social media giant as they tried to get answers about the company's practices. They said Facebook "repeatedly failed to meet submission deadlines" for their requests and "provided incomplete or deficient responses to several of our questions, certain of which remain unanswered."

The company was first presented with the commissioners' concerns in December 2018, they said, and given a preliminary report on Feb. 7, 2019 that contained recommendations. Facebook provided its response on March 4, and then for three weeks there was a back and forth, with the commissioners demanding more details. Finally, on March 27 the company provided its response.

"Facebook disagreed with our findings and proposed alternative commitments, which reflected material amendments to our recommendations, in certain instances, altering the very nature of the recommendations themselves, undermining the objectives of our proposed remedies, or outright rejecting the proposed remedy," the report stated.

"Facebook offered very limited remedial action over and above its existing practices. In our view, such commitments would not bring Facebook into compliance with PIPEDA or PIPA."

'Canada is being turned into a digital banana republic'

In an interview Thursday, Angus said what struck him as particularly "disturbing" was that "Facebook seems to think our privacy commissioner doesn’t have the jurisdiction to address the breaches that have happened of Canadians’ private information."

Facebook told the commissioners that it believed neither of them had jurisdiction to investigate the Cambridge Analytica scandal, given that "there is no known evidence" that Canadian Facebook users' data was passed to the political consulting firm, only users in the United States.

The commissioners retorted that Angus, the complainant, "specifically requested a broad examination of Facebook’s compliance with PIPEDA to ensure Canadian Facebook users’ personal information has not been compromised and is being adequately protected." They also told Facebook they would be looking into whether safeguards were sufficient overall.

"We are of the view that there is a clear and evident Canadian nexus in respect of the issues raised in the complaint and investigation," they wrote.

In the interview, Angus said it was ultimately up to the federal government to step in.

“I think Canada is being turned into a digital banana republic, because we have a government that is very comfy cozy with Facebook and Google lobbyists," he argued. "There have been repeated calls to give the privacy commissioner more powers, order-making powers and administrative monitoring penalties...we have a government that seems completely unwilling to do that, and I think that’s very problematic.”

Speaking at a news conference Thursday, Therrien said his office should have the power to protect the privacy rights of citizens. "My office plans to take the matter to Federal Court," he said. McEvoy said he would support that move.

Therrien said he felt his office’s jurisdiction in the matter was already well defined, but that court action could help “set a precedent” for how far digital companies can push in 2019. But he also said he expected that process to take “at least another year” and that historically, damages awarded by the federal court in this matter were “quite minimal,” in the range of tens of thousands of dollars.

That's compared to a penalty of up to US$5 billion that Facebook said April 24 it expected to be fined by the U.S. Federal Trade Commission, as the result of the agency’s probe into the social media platform’s practices surrounding user data.

In the company’s 2019 first quarter report, it estimated “the range of loss in this matter is $3 billion to $5 billion” from the FTC investigation into the Cambridge Analytica scandal.

Therrien and McEvoy said they believed that kind of authority is what’s needed in Canada. McEvoy noted Canada’s watchdogs were virtually alone in the Western world in their inability to wield these tough fines, while Therrien said their conclusions would have more teeth with this power.

“We should have order-making powers to ensure that, after we do serious work as we’ve done, that the conclusions that we have are binding on companies. Then the order should come with fines, to ensure that companies have an incentive to respect the law. That’s something that exists in other countries,” said Therrien.

Editor's note: This story was updated at 4:39 p.m. ET on April 25, 2019 to include additional information on Facebook and quotes from the commissioners and Angus. It was updated again at 9:13 a.m. on April 26, 2019 with a statement from Facebook.
