On Thursday, April 25, 2019, notable news broke that Canada is taking Facebook to court. Daniel Therrien, Canada’s federal privacy commissioner, gave a joint news conference with Michael McEvoy, the information and privacy commissioner for British Columbia. In this announcement, Therrien asserted that the existing accountability requirement enshrined in Canadian law, while meaningful, “is not sufficient to protect Canadians from companies that do not behave responsibly”.
Therrian went on to explain that as Canada continues working to refine its privacy laws, his office is taking Facebook to court based on the company’s response. He’s seeking a court order “to force Facebook to correct its privacy practices”.
If you’re thinking that sounds like an aggressive move, you’re not alone. How did it get to this point? Tensions had been brewing for some time. Therrian’s office came to the conclusion some time back that Facebook failed to protect privacy at the corporate level. The commissioner’s office then launched a thorough investigation into Facebook’s privacy practices. The investigation lasted over a year, and its conclusions included that Facebook had violated Canada’s privacy laws in numerous ways. Much of this relates to a massive user data leak, one where the data was used for political gain through a firm named Cambridge Analytica.
The privacy commissioner determined that at least 276 Canadians installed an app back in 2013 that violated privacy law, as David Akin reports. The app harvested the users’ data, but it didn’t stop there. It went two steps further, harvesting those users’ friends’ data as well as the data of their friends’ friends. In total, concluded the commissioner, around 650,000 Canadians had their data compromised. This information was stored and eventually shared with UK firm Cambridge Analytica.
Cambridge Analytica has made the news before. It’s the firm that assisted the Donald Trump campaign in targeting voters. There’s nothing wrong with using research to target voters, of course: all serious US presidential candidates follow similar tactics. The problem was with how the data that fed the research was collected. 650,000 Canadians and many more Americans had their data misused.
Under current Canadian law, the privacy commissioner’s only recourse is to recommend that Facebook change its ways. The office made this recommendation, and Facebook said “no”. The company rebuffed the government’s recommendations and made no changes as a result of them.
The problem here is straightforward. Facebook (and other private companies) essentially becomes a self-policing organization. If Facebook determines it has not violated the law, then it can continue to operate no matter what the privacy commissioner concludes.
Therrian said that he doesn’t think Canada’s privacy law makes sense. In his view it’s problematic that “a private company, with its private interests, can say to a regulator, ‘Thank you very much for your conclusions on matters of law, but we actually disagree, and we will actually continue as we were.’ It is completely unacceptable”.
Therrian is pushing for the legislature to amend its policies so that the privacy commissioner’s office has order-making power so that its conclusions are binding for private companies. He points to other countries that are rumored to be levying fines against Facebook for its privacy violations. It’s widely reported that the USA may fine Facebook up to $5 billion. Canada has no such ability under current law.
Companies are accountable for the information they hold on behalf of users, which is an important safeguard. Therrian’s complaint is that current law states that companies are accountable for this without giving the government any mechanism for enforcement. An accountability law that no one can enforce accomplishes nothing.
Therrian concluded his comments by encouraging the new legislature to undertake updated and enforceable legislation in their new session. He hopes this legislation will continue to hold companies accountable for their handling of data while giving regulators real power to enforce that this is done.
Facebook, for its part, claims to understand that it has an obligation to protect users’ private data. Erin Taylor, communications manager at Facebook, stated that the company was cooperating with the commissioner. In a prepared statement she remarked, “We are disappointed that the [privacy commissioner] considers the issues raised in this report unresolved”.
The results of the coming court case are anyone’s guess at this point. The federal commissioner’s footing is weakened, of course, by his own admission that the law grants him no authority to enforce action against Facebook. Even if no other positive outcome results from the lawsuit, the two privacy commissioners have at least gotten the issue into the public eye.
Then there’s the legislature, which is being pushed to fix this privacy enforcement loophole through new legislation. It’s too early to say how likely this action is, but the publicity of the commissioners’ actions last week may spur legislators to action.