Fundamental Freedoms

In the fight for free speech, where does Facebook…

Cara Zwibel
Director of Fundamental Freedoms Program





As an organization with a strong commitment to freedom of expression, CCLA has traditionally focused on prohibitions and restrictions on speech put in place by government or state institutions. We have challenged the breadth of hate speech and child pornography laws, advocated for changes to the law of defamation to help foster free speech, and supported legislation to make it harder to succeed in using our courts to stifle public participation.

But the landscape relevant to protecting free expression has changed dramatically since CCLA’s inception in the 1960s. Today, Canadians don’t only live their lives in Canada – increasingly they live in online spaces that are governed by private (and global) corporations with an enormous amount of power. While those corporations are required to follow local law, they are not bound by the same Charter of Rights and Freedoms that requires that governments limit our rights only insofar as such limits are reasonable and can be justified. Facebook develops its own Community Standards and can then enforce those standards on its platform, and change those standards if and when it sees fit. It has no checks and balances, no separation of powers. But should it? Should we start treating Facebook more like a government? Is it moving in that direction itself?

Whether you think what Facebook does is best characterized as content moderation or simply censorship, it is clear that the social media behemoth is already deep into the business of deciding what kind of expressive content has a place on its platform, and what kind decidedly does not. In effect, this means that Facebook has a great deal of power over online expression – period. Over 2 billion people use the platform worldwide, and for some, there is no meaningful distinction between the internet and Facebook. Recognizing the enormous power the company has over online content, it has proposed the creation of a Facebook “oversight board” to make difficult content decisions. I was invited to participate in a Canadian Roundtable Discussion that the company hosted to discuss this proposal. They are engaged in these discussions worldwide, are soliciting comments from the public through a consultation process, and plan to have the board “up and running” by the end of the year.

The idea behind an oversight board is that the trickiest content decisions would not be left to the company, but instead the subject of a decision by an “independent” body by which Facebook agrees to be “bound”. I am being liberal in my use of quotation marks because the details around the proposal are still very preliminary. There are many challenging questions to address: how would the board be constituted; how would it decide which “cases” to “hear”; what would a “hearing” look like; would the process be adversarial or inquisitorial; how does the use of such a board serve Facebook’s interests; how does it serve those of its users? These are each complex questions with no easy answers. If there is one thing you can say about the proposal to establish an oversight board: it’s ambitious.

I’ll admit that I have not come to a landing on whether an oversight board for Facebook would be a welcome development. Part of me wonders whether global standards of free expression are even feasible given how rooted in local context and cultures expression is – particularly online. Nevertheless, I think experimenting with new governance structures may, at a minimum, create a global discussion about freedom of expression: what it means, its limits, and how it can be fostered. CCLA will definitely be engaged in that discussion, and if you care about free speech, you should be too.

Internet Privacy and Speech

Canada’s Privacy Commissioner’s Office Is Furious, and he’s Deleting…

Brenda McPhail
Director of Privacy, Technology & Surveillance Project





A blistering report issued by Canada’s and British Columbia’s Privacy Commissioners accuses Facebook of violating Canadian law following their joint investigation into the Cambridge Analytica scandal—and then refusing to comply with the Commissioner’s recommendations to make sure it doesn’t happen again.

Federal Privacy Commissioner Daniel Therrien states in a press release that Facebook’s “privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

The report finds that:

  • Facebook’s “superficial and ineffective safeguards and consent mechanisms” allowed third-party apps to inappropriately access information of millions of users;
  • There was a lack of meaningful consent collected from users of the app at the core of the Cambridge Analytica scandal, and from their friends whose information was shared as a result;
  • Facebook did not properly oversee the way apps on its platform complied with privacy requirements;
  • Facebook demonstrated an overall lack of responsibility for personal information under its control.

The Commissioners warn that “there is a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms.”

Both Commissioners are calling for legislative reform, including new powers of enforcement, in light of Facebook’s refusal to accept their findings or implement their recommendations.

It’s yet further evidence that privacy rights cannot be adequately protected through recommendations, voluntary compliance and organizational cooperation—as Facebook has just illustrated, that only works until they change their mind (because they’re not going to change their business model). It’s also worth noting that if Facebook had complied with earlier recommendations from the OPC in 2009, they might have avoided the Cambridge Analytica affair altogether—but they didn’t.

This report, and Facebook’s non-response, highlights the asymmetry of power between data goliaths, our Canadian privacy watchdog agencies, and us, the people of Canada. While Facebook’s CEO, Mark Zuckerberg, has been beating the privacy drum lately in an attempt to win back the trust of Facebook users, when faced with a series of concrete recommendations, Facebook has instead disputed the investigation’s findings and refused to comply. Granted, the recommendations, which included submitting to a voluntary audit of its privacy policies and practices over the next 5 years, were comprehensive and stringent, but surely compliance with privacy law should, in fact, be both of those things?

If governments were waiting for more evidence of the need to update Canada’s privacy laws to reflect the new value of data, the growing power of data collectors and aggregators, and the new risks—to individuals and groups—of ubiquitous, granular data collection, analysis and use, here it is. It’s time for our democratically elected officials to take the risks to their constituents seriously, starting by bringing political parties into a privacy law regime, and continuing with thorough reform of both our federal private and public sector privacy acts.

The next step for the federal Privacy Commissioner will be to take the matter to Federal Court. And for good measure, they’ve put their money where their mouth is in relation to their complaints and have taken down their Facebook page.

Read the full report

News and Analysis

CCLA Calls for Improvements to Canada’s Privacy Laws

The following is a reprint of a letter sent by the Canadian Civil Liberties Association to Minister Scott Brison on March 27, 2018.

The Honourable Scott Brison
Acting Minister of Democratic Institutions
90 Elgin Street, 8th Floor
Ottawa, Canada K1A 0R5

Dear Minister Brison,

The Canadian Civil Liberties Association has spoken out on the need for stronger, more effective, more enforceable, up-to-date public and private sector privacy legislation for a long time. Consequently, we welcome your recent remarks to the media on March 20, 2018 regarding the Facebook Cambridge Analytica affair which included a statement that the government is open to ways that we can strengthen Canada’s privacy laws.

There is a large body of information available regarding the ways to make our privacy laws stronger. The current Privacy Commissioner of Canada has spoken out, this week and in the past. His predecessor also did so. The Privacy Commissioner of Canada’s website lists 18 appearances before Parliament or Parliamentary Committees, submissions, reports, and letters relating to the need for reforming the Privacy Act between 2005 to 2018 and providing concrete suggestions as to what needs to be done. There are another 16 for the Personal Information Protection and Electronic Documents Act (PIPEDA). Most recently, on February 28 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics published its report, including recommendations, resulting from its most recent study of PIPEDA, the act that would apply to Facebook’s collection of Canadians’ personal information.

Big data practices, if unconstrained by strong legal protections for privacy, have already been shown to have the potential to interfere with the democratic process. Left unchecked, they may also introduce new forms of discrimination fueled by profiling and automated decisions-making, and potentially inhibit free speech if people in Canada fear their words may be collected, aggregated, and used to affect them in unpredictable ways.

Privacy law cannot solve all of these problems, but it is an excellent start.

We do not yet know if Canadians’ data has been caught up in this scandal, but we can predict with certainty that it will be in one of the next ones, unless steps are taken to give us the strong privacy protection we all deserve and need in order to participate safely in economic and social spheres online.

If there is any way we may assist you in moving forward to make the necessary improvements to Canada’s Privacy Act and the Personal Information and Protection of Electronic Documents Act, we stand ready.


Brenda McPhail
Director, Privacy, Technology & Surveillance Project
Canadian Civil Liberties Association

News and Analysis

Lessons to learn from the Facebook/Cambridge Analytica Scandal

There is a lot of outrage, blame, and more than a few “I told you so’s” circulating this week about Facebook. News that Cambridge Analytica acquired and used data on 50 million Facebook users to deliberately manipulate millions more has people angry and afraid.

What happened? A researcher, Aleksandr Kogan, paid some users a small fee to download an app and take a personality quiz which he told them was for research purposes. The app scraped information from those users’ Facebook profiles, and data from all of their friends as well. It was all part of project to develop psychographic profiles about people–profiles they hoped would reveal more about a person than their parents or romantic partners knew. Kogan sold the data to Cambridge Analytica (which broke Facebook’s rules) and they used it to develop techniques to influence voters.

But in all the anger and angst, we’re not asking the right questions about this scandal. The question isn’t how could this happen, but rather, why do we continue to support business models for data collection and use that allow it to happen?

Make no mistake, Facebook followed their own policies. The creator of the app that was designed to collect user’s data, along with that of all of their friends, followed the policy in place at the time too, at least up to the point he sold it to a third party (and to be fair, the policy about collection “friends” data changed in 2015). Facebook’s initial approach was to defend themselves by saying no systems were hacked and no information was stolen, but it’s arguable that only makes things worse—this happened because it was allowed to happen, on purpose.

It’s time to ask whether we as a society are willing to tolerate those policies that allow our data to be collected in bulk, shared or sold, often without consent and certainly without informed consent, because we’ve clicked “I agree” to a take-it-or-leave-it button on a terms of service agreement.

It’s time to recognise big data, and data-driven profiling and decision-making, for the civil liberties issues that they are. When data is collected and used to make decisions about us, market products or even politicians to us, predict our behavior and try to manipulate us, it not only erodes our privacy but puts our free speech at risk, and because of the ways Information gets grouped, often subjects us (or others) to discrimination.

Canada’s Privacy Commissioner is investigating whether Canadian data was included in the 50 million accounts. Canadian politicians are asking Facebook directly whether personal information of Canadians has been compromised.

But whether it was or not, this time, next time it may well be if we don’t do a better job of holding companies to account for the ways they set data policies that put private interests above privacy, and the ways they fail to adhere to Canadian privacy laws. We also need to take a good hard look at updating those laws, a move that CCLA and others have called for repeatedly, that has been the subject of studies, papers, and consultations, but has yet to see positive action.

The Cambridge Analytica/Facebook story is a harsh wake up call that reminds us the question when it comes to big data applications cannot always be “what can we do with this powerful technology” but rather must be “is this a good use of a powerful technology?” Let’s start asking the right questions.