Internet Privacy and Speech

Canada’s Privacy Commissioner’s Office Is Furious, and he’s Deleting…

Brenda McPhail
Director of Privacy, Technology & Surveillance Project





A blistering report issued by Canada’s and British Columbia’s Privacy Commissioners accuses Facebook of violating Canadian law following their joint investigation into the Cambridge Analytica scandal—and then refusing to comply with the Commissioner’s recommendations to make sure it doesn’t happen again.

Federal Privacy Commissioner Daniel Therrien states in a press release that Facebook’s “privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

The report finds that:

  • Facebook’s “superficial and ineffective safeguards and consent mechanisms” allowed third-party apps to inappropriately access information of millions of users;
  • There was a lack of meaningful consent collected from users of the app at the core of the Cambridge Analytica scandal, and from their friends whose information was shared as a result;
  • Facebook did not properly oversee the way apps on its platform complied with privacy requirements;
  • Facebook demonstrated an overall lack of responsibility for personal information under its control.

The Commissioners warn that “there is a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms.”

Both Commissioners are calling for legislative reform, including new powers of enforcement, in light of Facebook’s refusal to accept their findings or implement their recommendations.

It’s yet further evidence that privacy rights cannot be adequately protected through recommendations, voluntary compliance and organizational cooperation—as Facebook has just illustrated, that only works until they change their mind (because they’re not going to change their business model). It’s also worth noting that if Facebook had complied with earlier recommendations from the OPC in 2009, they might have avoided the Cambridge Analytica affair altogether—but they didn’t.

This report, and Facebook’s non-response, highlights the asymmetry of power between data goliaths, our Canadian privacy watchdog agencies, and us, the people of Canada. While Facebook’s CEO, Mark Zuckerberg, has been beating the privacy drum lately in an attempt to win back the trust of Facebook users, when faced with a series of concrete recommendations, Facebook has instead disputed the investigation’s findings and refused to comply. Granted, the recommendations, which included submitting to a voluntary audit of its privacy policies and practices over the next 5 years, were comprehensive and stringent, but surely compliance with privacy law should, in fact, be both of those things?

If governments were waiting for more evidence of the need to update Canada’s privacy laws to reflect the new value of data, the growing power of data collectors and aggregators, and the new risks—to individuals and groups—of ubiquitous, granular data collection, analysis and use, here it is. It’s time for our democratically elected officials to take the risks to their constituents seriously, starting by bringing political parties into a privacy law regime, and continuing with thorough reform of both our federal private and public sector privacy acts.

The next step for the federal Privacy Commissioner will be to take the matter to Federal Court. And for good measure, they’ve put their money where their mouth is in relation to their complaints and have taken down their Facebook page.

Read the full report

Court Cases

Demanding our Privacy Rights Get a Seat at the…

Brenda McPhail
Director of Privacy, Technology & Surveillance Project





CCLA is going to court to reset the Waterfront Toronto/Sidewalk Labs smart city project.  A lot of people say, “wait for the plan, nothing has happened yet. Even if the plan is approved, it will take a long time for shovels to hit the ground.”  We have considered that perspective, and don’t take this action lightly. We are not scared of change or innovation. We are not anti-tech. We are firmly and unapologetically pro-rights and freedoms, and the way this project was conceived puts many of the rights people in Canada value at risk.

The problem is, the process that led to this project in the first place was fatally flawed and then presented to the public as a fait accompli, announced with fanfare by the Prime Minister, then Premier, and Mayor.

The problem is, the last year and a half of consultations haven’t been asking whether Torontonians want Google’s sister company, Sidewalk Labs, to create a sensor-laden “test bed” on the Waterfront, either in the Quayside Neighbourhood or ultimately across the Portlands. They have just been discussing what it should look like and promising us it will be awesome.

The problem is, we increasingly realize comprehensive data collection that permits granular monitoring of people’s activities and behaviour online is harming individuals and groups, infringing human rights, and diminishing human autonomy. So why on earth would we think it’s a good idea to import that big data model into our city streets by embedding multiple kinds of surveillance technologies into our infrastructure?  A city built “from the internet up” sounds more like a threat than a promise.

The problem is, virtually everyone—project detractors and supporters alike—agrees that the laws we have to protect privacy are simply not good enough to safeguard us against the potential harms of this kind of pervasive surveillance infrastructure. Many of the technologies that will facilitate the smart city were unimagined when our laws were written. Data has a different value now, whether it is individualized or aggregate, because it can be used in so many ways that create potential benefits but also raise concrete risks. Voluntary best practices, self-assessments for responsible data use, civic data stewardship models, none of these are bad but they are inadequate. We need, and deserve, accountable, enforceable legislation, not promises of good behaviour.

The list of problems could (and does) continue. Which is why the Quayside project should not.

Our Notice of Application filed today, which we bring forward with co-applicant Lester Brown, a citizen of Toronto, is addressed to Waterfront Toronto and all three levels of government, municipal, provincial and federal. We are arguing that the agreements at the heart of the project are in violation of administrative and constitutional law, and are thus invalid. This project should be reset as a result.

We will keep you updated about this litigation over the upcoming months. For today, we wanted to share the news of its launch.

CCLA is grateful for the work by our amazing counsel, a team from Fogler Rubinoff LLP led by Bill Hearn and Young Park.

Read our filed Notice of Application

News and Analysis

Mass surveillance challenge proceeds to Europe’s highest human rights…

Brenda McPhail
Director of Privacy, Technology & Surveillance Project





CCLA and 9 partner organisations have made another step forward in our attempt to stop mass surveillance of the world’s networked communications systems.

Today, our request for a referral to the Grand Chamber of the European Court of Human Rights has been granted. This means that the highest European Human Rights Court will consider our argument that the routine, daily surveillance of millions of communications around the world for national security purposes is incompatible with human rights law and unjustifiable in a democracy.

CCLA is participating in this fight because laws that allows bulk collection of communications data impact us all. Messages we send at home in Canada flow with those from every other nation across the internet and are subject to bulk interception, without any suspicion that we’ve done anything wrong.  

We have been fighting this fight for a long time, building on each success. In 2013, whistleblower Edward Snowden revealed the incredible scope and reach of mass surveillance affecting us all. CCLA joined with our international colleagues to challenge the UK regime, which was extensively documented in the Snowden revelations. We asked the U.K. Investigatory Powers Tribunal (IPT) – the highly secretive UK court which hears claims against GCHQ, MI5 and MI6 –  to examine whether the British signals intelligence agency’s (GCHQ) was intercepting emails to and from 10 rights and liberties organisations (including CCLA), whether such interception was lawful, and whether it was a breach of the right to privacy under Article 8 of the British Human Rights Act.

In 2014, the IPT found that UK intelligence agencies had unlawfully spied on the communications of Amnesty International and South Africa’s Legal Resources Centre. The tribunal also found that UK intelligence sharing with the US, which had been governed under a secret legal framework, was unlawful until disclosed during the proceedings. Disappointingly, however, the IPT ruled that these practices may in principle comply with the UK’s human rights obligations. This was the finding challenged in the ECtHR.

We disagree that mass interception can ever, in principle, comply with human rights obligations, and so we launched a case at the European Court of Human Rights to argue that position. On 13 September 2018, the ECtHR ruled that UK laws enabling mass surveillance violate rights to privacy and freedom of expression.

That was another important victory. However, the judgment did not go far enough with regard to the unlawfulness of bulk interception powers and the fundamental shortcomings in inter-state intelligence sharing based on communications intercepts. Our argument is simple and principled: “the fact that it is now possible for the state to retain private information about the population of a whole nation (or even many nations) … and that retaining such information may be operationally useful, does not justify the intrusion of doing so.”

Requests to the Grand Chamber are accepted on an exceptional basis; it is a testament to the public importance of the issue of mass surveillance that our case was accepted.

This opens up the opportunity for CCLA and our partners, the American Civil Liberties Union (ACLU), Amnesty International, Bytes for All, the Egyptian Initiative for Personal Rights, the Hungarian Civil Liberties Union, the Irish Council for Civil Liberties, the Legal Resources Centre, Liberty, and Privacy International to continue pushing for the Court to hold that bulk powers can never be justified in a rights-respecting democracy.

It’s a long fight. It’s an important fight. And we continue to press forward.


Related links:

Back to the beginning: British Spies Violated Privacy of Rights Organisations Worldwide,

A win at the U.K. Investigatory Powers Tribunal :

We move the fight to the European Court of Human Rights for another win: 

We ask to be allowed to continue to fight:

And we win again: our case is accepted by the Grand Chamber of the European Court of Human Rights: Grand Chamber Panel’s decisions – February 2019