On Thursday, April 25, 2019, notable news broke that Canada is taking Facebook to court. Daniel Therrien, Canadaâs federal privacy commissioner, gave a joint news conference with Michael McEvoy, the information and privacy commissioner for British Columbia. In this announcement, Therrien asserted that the existing accountability requirement enshrined in Canadian law, while meaningful, âis not sufficient to protect Canadians from companies that do not behave responsiblyâ.
Therrian went on to explain that as Canada continues working to refine its privacy laws, his office is taking Facebook to court based on the companyâs response. Heâs seeking a court order âto force Facebook to correct its privacy practicesâ.
If youâre thinking that sounds like an aggressive move, youâre not alone. How did it get to this point? Tensions had been brewing for some time. Therrianâs office came to the conclusion some time back that Facebook failed to protect privacy at the corporate level. The commissionerâs office then launched a thorough investigation into Facebookâs privacy practices. The investigation lasted over a year, and its conclusions included that Facebook had violated Canadaâs privacy laws in numerous ways. Much of this relates to a massive user data leak, one where the data was used for political gain through a firm named Cambridge Analytica.
The privacy commissioner determined that at least 276 Canadians installed an app back in 2013 that violated privacy law, as David Akin reports. The app harvested the usersâ data, but it didnât stop there. It went two steps further, harvesting those usersâ friendsâ data as well as the data of their friendsâ friends. In total, concluded the commissioner, around 650,000 Canadians had their data compromised. This information was stored and eventually shared with UK firm Cambridge Analytica.
Cambridge Analytica has made the news before. Itâs the firm that assisted the Donald Trump campaign in targeting voters. Thereâs nothing wrong with using research to target voters, of course: all serious US presidential candidates follow similar tactics. The problem was with how the data that fed the research was collected. 650,000 Canadians and many more Americans had their data misused.
Under current Canadian law, the privacy commissionerâs only recourse is to recommend that Facebook change its ways. The office made this recommendation, and Facebook said ânoâ. The company rebuffed the governmentâs recommendations and made no changes as a result of them.
The problem here is straightforward. Facebook (and other private companies) essentially becomes a self-policing organization. If Facebook determines it has not violated the law, then it can continue to operate no matter what the privacy commissioner concludes.
Therrian said that he doesnât think Canadaâs privacy law makes sense. In his view itâs problematic that âa private company, with its private interests, can say to a regulator, âThank you very much for your conclusions on matters of law, but we actually disagree, and we will actually continue as we were.â It is completely unacceptableâ.
Therrian is pushing for the legislature to amend its policies so that the privacy commissionerâs office has order-making power so that its conclusions are binding for private companies. He points to other countries that are rumored to be levying fines against Facebook for its privacy violations. Itâs widely reported that the USA may fine Facebook up to $5 billion. Canada has no such ability under current law.
Companies are accountable for the information they hold on behalf of users, which is an important safeguard. Therrianâs complaint is that current law states that companies are accountable for this without giving the government any mechanism for enforcement. An accountability law that no one can enforce accomplishes nothing.
Therrian concluded his comments by encouraging the new legislature to undertake updated and enforceable legislation in their new session. He hopes this legislation will continue to hold companies accountable for their handling of data while giving regulators real power to enforce that this is done.
Facebook, for its part, claims to understand that it has an obligation to protect usersâ private data. Erin Taylor, communications manager at Facebook, stated that the company was cooperating with the commissioner. In a prepared statement she remarked, âWe are disappointed that the [privacy commissioner] considers the issues raised in this report unresolvedâ.
The path forward is not completely clear at this time. Facebook will, for the time being, continue operating unaffected in Canada. The company is not compelled at this point by Canadian law to make any changes, though it has already made numerous changes to its privacy policy as part of the blowback from this scandal.
The results of the coming court case are anyoneâs guess at this point. The federal commissionerâs footing is weakened, of course, by his own admission that the law grants him no authority to enforce action against Facebook. Even if no other positive outcome results from the lawsuit, the two privacy commissioners have at least gotten the issue into the public eye.
Then thereâs the legislature, which is being pushed to fix this privacy enforcement loophole through new legislation. Itâs too early to say how likely this action is, but the publicity of the commissionersâ actions last week may spur legislators to action.
Check Out Some Of Other Toronto IT Service Blogs
