Canadian privacy watchdogs slam Facebook for ‘refusal to act responsibly’

Two Canadian privacy regulators have fiercely accused Facebook of breaking the country’s privacy laws, and of a “deeply troubling” refusal to accept responsibility for its role in the Cambridge Analytica scandal and enact change.

The Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia began investigating Facebook in March 2018 after reports published in the Observer and the New York Times revealed that a UK-based company, Cambridge Analytica, had surreptitiously harvested data from 87 million Facebook users through a personality quiz and used the data to develop sophisticated ad targeting tools. The tools – which targeted susceptible Facebook users based on their psychological profiles – were used by the Trump campaign in 2016.

In 2009, Facebook was warned by Canada’s privacy watchdog about how users’ data could be scraped via their friends’ use of third-party games, apps and quizzes. In response, Facebook agreed to add new privacy safeguards. The regulator stated that “if Facebook had implemented [its] recommendations […] the risk of unauthorised access and use of Canadians’ personal information by third-party apps would have been avoided or significantly mitigated”.

The Canadian authorities – which have been cooperating with their UK counterparts – concluded that Facebook had failed to protect its users and had failed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). 650,000 Canadian Facebook users either installed the personality quiz app or were connected to a Facebook user who had used it.

The investigation concluded that Facebook had 1) failed to obtain “valid and meaningful consent” of the users who chose to install the app, 2) failed to obtain meaningful consent from the friends of these users, instead relying on “overbroad and conflicting language in its privacy communications that was clearly insufficient to support meaningful consent”, 3) failed to put up adequate safeguards to protect user data, and 4) failed to be accountable for the user data under its control.

The regulator set out recommendations which Facebook could enact to come in line with Canada’s privacy laws, including allowing for an audit of its privacy policies and practices over the next five years and ensuring that “meaningful consent” is acquired from users before installing third-party apps. However, it reported that: “Facebook either outright rejected, or refused to implement our recommendation in any manner acceptable to our offices. This is particularly troubling given Facebook’s public commitments to work with regulators and rectify the ‘breach of trust’ associated with these events.”

“In our view, therefore, the risk is high that Canadians’ personal information will be disclosed to apps and used in ways the user may not know of or expect.”

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” said Daniel Therrien, Privacy Commissioner of Canada. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning. Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy, but when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard,” said Michael McEvoy, British Columbia Information and Privacy Commissioner.

Both commissioners commented that they should be given the authority to inspect the practices of organisations like Facebook to ensure that privacy laws are being respected, while McEvoy called for the ability to levy fines rather than simply issue recommendations. While the UK data regulator has fined Facebook the maximum possible £500,000 for its role in the Cambridge Analytica scandal, Facebook has appealed the fine.

The two Canadian commissioners will seek a court order to force Facebook to follow the recommendations it has so far rejected.

Facebook has disputed the investigation’s conclusions, stating that it had not found evidence that Canadian users’ data was shared with Cambridge Analytica. It said that it had already made some improvements to protect user data before the release of the Canadian commissioner’s report, such as by limiting access by third-party developers.

Facebook stated that it had been engaged in “many months of good faith cooperation and lengthy negotiations” with the regulators, and that it was disappointed that the matter was to be taken to court.

Both commissioners are separately investigating Canadian political consultancy Aggregate IQ, which received £3.5m from pro-Brexit campaigns ahead of the 2016 EU referendum. The company is alleged to be closely affiliated with SCL Group, Cambridge Analytica’s parent company.

Meanwhile, the New York Attorney General Letitia James has announced that she will launch a new investigation into Facebook’s practices following reports that Facebook “unintentionally” uploaded the email contacts of 1.5 million new users since May 2016. Simultaneously, the European data regulator (the Data Protection Commission) announced that it would open an 11th investigation into Facebook over the company storing hundreds of millions of user passwords in plain text on its internal servers.

This week, Facebook acknowledged in its quarterly report to shareholders that it expected to have to pay a $3-5bn (£2.3-3.9bn) fine to the US Federal Trade Commission over its failure to protect user data from Cambridge Analytica.
