Canada Says Facebook Violated Privacy LawsPrivacy Commissioner Will Go to Court to Enforce Recommendations
Canada's privacy commissioner says Facebook violated its privacy laws by failing to protect users' personal data, based on an investigation that stemmed from the Cambridge Analytica scandal.
The commissioner plans to take Facebook to federal court because the social media giant is allegedly refusing to implement the commissioner's recommendations to strengthen its privacy controls.
"Facebook's refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company," Privacy Commissioner Daniel Therrien says in a statement. "Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection."
Therrien says that Facebook has dismissed the findings as "opinions." He adds: "It is untenable that organizations are allowed to reject my office's legal findings as mere opinions."
Canada's privacy commissioner cannot levy fines or serve orders that would make its recommendations binding. But it can go to federal court, which could force Facebook to make changes. Therrien used the situation to make arguments that Canada's federal privacy law should be strengthened.
Facebook says it offered "concrete measures" to address the recommendations and offered to enter into a compliance agreement.
"After many months of good-faith cooperation and lengthy negotiations, we are disappointed that the OPC considers the issues raised in this report unresolved," the company says.
Therrien's comments point to less of a privacy problem and more of a democracy one "because big companies now see laws as mere suggestions," writes Matt Stoller, a fellow at the Open Markets Institute.
"What's amazing is that the Canadian privacy commissioner told Facebook 'Here's how you're violating the law, here's how to stop breaking the law. Please do so.' And Facebook's response was, 'No'," Stoller writes in a tweet.
The subtext of the FB scandal is the systemic breakdown of the rule of law over the past four decades. We don't think about business law as social justice-y but it is. This isn't a privacy problem, it's a democracy problem because big companies now see laws as mere suggestions.— Matt Stoller (@matthewstoller) April 25, 2019
Violation: No Meaningful Consent
Canada investigated Facebook in 2009, finding that the company sought "overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized access by those apps."
As a result of that investigation, Canada says it made recommendations but Facebook didn't follow them.
The privacy commissioner launched another investigation in March 2018. The investigation focused on data sharing and third-party apps, including whether Canadians' personal data was exposed to Cambridge Analytica, a U.K.-based voter profiling firm. It also looked at Facebook's consent mechanisms.
It's unclear if Canadian data was passed to Cambridge Analytica, although Facebook says it wasn't. But the privacy commissioner concluded that Facebook allowed a personality quiz called "This Is Your Digital Life" to collect personal data without proper consent.
At the time when the app was deployed, Facebook allowed apps to not only collect the data of those who directly used the app, but also of their friends. The data of about 622,000 Canadians was scooped up by "This Is Your Digital Life," the privacy commissioner says.
The developer of the app later passed the personal data to Cambridge Analytica, which was against Facebook's rules (see: Besieged Cambridge Analytica Shuts Down).
David Carroll, an associate professor at Parsons School of Design in New York, writes on Twitter that Canada gave Facebook fair warning about leaking friend data a decade ago.
"Authorities tried to save Zuckerberg and Sandberg from their worst excesses long before Cambridge Analytica even existed," he writes.
Canada's privacy commissioners warned Facebook about friend data leakage in 2009. Authorities tried to save Zuckerberg and Sandberg from their worst excesses long before Cambridge Analytica even existed. https://t.co/hCYPsLNikL https://t.co/hNEv6jVg4D— David Carroll (@profcarroll) April 25, 2019
Canada's privacy commissioner found that Facebook failed to obtain meaningful consent from users and relied on app developers to gain that consent. Also, consent was not gained from friends of people who used apps to collect their data. The social network also failed to ensure that app developers abided by data-sharing terms, the commissioner says.
The regulator has given recommendations to Facebook to bring it into compliance with Canada's Personal Information Protection and Electronic Documents Act and the Personal Information Protection Act.
"We are disappointed that Facebook either outright rejected, or refused to implement our recommendations in any manner acceptable to our offices," the commissioner says.
Inquiries, Lawsuits Roll On
Facebook is still dealing with numerous regulatory inquiries and lawsuits related to Cambridge Analytica and other data-sharing practices.
In October 2018, the U.K.'s Information Commissioner's office handed Facebook its maximum fine, £500,000 ($645,000), over Cambridge Analytica. On Wednesday, Facebook said it was setting aside $3 billion from its first quarter profits this year to cover a potential fine from the U.S. Federal Trade Commission that could be up to $5 billion (see: Facebook Takes $3 Billion Hit, Anticipating FTC Fine).
The FTC is investigating whether Facebook violated a 2012 settlement agreement that required it to put stricter control on how it managed and shared personal data. The agency had accused Facebook of making personal data of users public without their consent.
Also on Thursday, Reuters reported that Ireland's Data Protection Commissioner has opened an investigation into a Facebook password storage error. Facebook stored hundreds of millions of plain text passwords its social network and Instagram users. The passwords should have been stored as hashes.
The company says the data was only visible to internal employees and was not abused (see: Facebook Password, Email Contact Mishandling Worsens).