Director of Privacy, Technology & Surveillance Project
A blistering report issued by Canada’s and British Columbia’s Privacy Commissioners accuses Facebook of violating Canadian law following their joint investigation into the Cambridge Analytica scandal—and then refusing to comply with the Commissioner’s recommendations to make sure it doesn’t happen again.
Federal Privacy Commissioner Daniel Therrien states in a press release that Facebook’s “privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”
The report finds that:
- Facebook’s “superficial and ineffective safeguards and consent mechanisms” allowed third-party apps to inappropriately access information of millions of users;
- There was a lack of meaningful consent collected from users of the app at the core of the Cambridge Analytica scandal, and from their friends whose information was shared as a result;
- Facebook did not properly oversee the way apps on its platform complied with privacy requirements;
- Facebook demonstrated an overall lack of responsibility for personal information under its control.
The Commissioners warn that “there is a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms.”
Both Commissioners are calling for legislative reform, including new powers of enforcement, in light of Facebook’s refusal to accept their findings or implement their recommendations.
It’s yet further evidence that privacy rights cannot be adequately protected through recommendations, voluntary compliance and organizational cooperation—as Facebook has just illustrated, that only works until they change their mind (because they’re not going to change their business model). It’s also worth noting that if Facebook had complied with earlier recommendations from the OPC in 2009, they might have avoided the Cambridge Analytica affair altogether—but they didn’t.
This report, and Facebook’s non-response, highlights the asymmetry of power between data goliaths, our Canadian privacy watchdog agencies, and us, the people of Canada. While Facebook’s CEO, Mark Zuckerberg, has been beating the privacy drum lately in an attempt to win back the trust of Facebook users, when faced with a series of concrete recommendations, Facebook has instead disputed the investigation’s findings and refused to comply. Granted, the recommendations, which included submitting to a voluntary audit of its privacy policies and practices over the next 5 years, were comprehensive and stringent, but surely compliance with privacy law should, in fact, be both of those things?
If governments were waiting for more evidence of the need to update Canada’s privacy laws to reflect the new value of data, the growing power of data collectors and aggregators, and the new risks—to individuals and groups—of ubiquitous, granular data collection, analysis and use, here it is. It’s time for our democratically elected officials to take the risks to their constituents seriously, starting by bringing political parties into a privacy law regime, and continuing with thorough reform of both our federal private and public sector privacy acts.
The next step for the federal Privacy Commissioner will be to take the matter to Federal Court. And for good measure, they’ve put their money where their mouth is in relation to their complaints and have taken down their Facebook page.