Privacy commissioners of Canada and B.C. condemn Facebook for serious violations of privacy laws

    1 of 3 2 of 3

      The social media company founded by Mark Zuckerberg is again being criticized for its handling of personal information.

      Today, two Canadian privacy watchdogs accused Facebook of "serious contraventions of Canadian privacy laws".

      "Facebook did not exercise proper oversight with respect to the privacy practices of apps on its platform," Privacy Commissioner of Canada Daniel Therrien and B.C. Information and Privacy Commissioner Michael McEvoy concluded in a joint report. "It relied on contractual terms with apps to protect against unauthorized access to user information; however, its approach to monitoring compliance with those terms was wholly inadequate."

      Moreover, the commissioners concluded that Facebook "attempted to shift responsibility for protecting personal information to the apps on its platform, as well as to users themselves". This occurred even though a basic principle of privacy laws is that organizations are responsible for data under their control.

      "The failures identified in the investigation are particularly concerning given that a 2009 investigation of Facebook by the federal Commissioner’s office also found contraventions with respect to seeking overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized access by those apps."

      The investigation was triggered by media reports about a personality quiz used to harvest personal information about users and their Facebook friends.

      At one point, the app was called "This is Your Digital Life"—and information obtained through it was shared with other organizations, including Cambridge Analytica.

      It led to unauthorized disclosures of personal information of 87 million people worldwide, including 60,000 in Canada. This data was used for political purposes without meaningful consent from Facebook users or their friends.

      “Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” Therrien said in a news release. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.

      “The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified—or even acknowledge that it broke the law—is extremely concerning.”

      B.C.'s commissioner, McEvoy, stated that Facebook has demonstrated "disregard" for taking concrete actions to "fix transgressions".

      The federal information commissioner does not have the power to levy fines against companies like Facebook for breaching privacy legislation.
      Metamorworks/Getty Images

      Commissioners want power to levy meaningful fines

      The investigation by the Canadian privacy commissioners highlighted shortcomings in federal legislation governing the protection of personal information.

      Therrien and McEvoy maintained that the law should authorize the Office of the Privacy Commissioner of Canada to levy fines. 

      According to them, it should also grant Therrien's office the right to inspect the practices of organizations and issue binding orders.

      Therrien plans to file an application in Federal Court for an order forcing Facebook to conform with the law.

      McEvoy's office has the power to issue binding orders and fines under the Personal Information Protection Act. His office is reserving this right "to consider future actions against Facebook".

      The provincial legislation allows for fines of up to $10,000 against individuals and up to $100,000 against organizations.

      In the commissioners' news release, McEvoy recommended that provincial and federal privacy regulators to have the power to levy "meaningful" fines.

      If an order is issued under the B.C. law and an organization is convicted, any individual affected can sue for damages suffered as a result of the breach.

      In the meantime, Facebook has told shareholders that it expects to be fined up to US$5 billion by the Federal Trade Commission in the United States for its privacy breaches.

      Last year, the social media giant posted net earnings of US$22.1 billion, up nearly 40 percent from 2017.

      Cambridge Analytica's former director of research, Christopher Wylie, was raised in Victoria.

      B.C. fingerprints all over Cambridge Analytica story

      There are several B.C. connections to the privacy scandals linked to Facebook.

      McEvoy was seconded to the U.K. Information Commissioner's Office last year as it conducted a formal investigation of the unauthorized use of personal information by Cambridge Analytica, which harvested the data from Facebook.

      The U.K. commissioner, Elizabeth Denham, was previously B.C.'s information and privacy commissioner.

      Cambridge Analytica's former director of research, Christopher Wylie, was born and raised in Victoria.

      And a Victoria-based digital-advertising company, AggregateIQ, worked with Cambridge Analytica's parent company, SCI, on the Brexit campaign.

      Cambridge Analytica was founded by Steve Bannon, who was Donald Trump's campaign manager during the 2016 presidential election. The company was partly owned by the billionaire Mercer family, which was a major backer of Trump.

      It filed for insolvency last year in the wake of the scandal.

      Comments