TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | How Facebook's settlement with Canada’s Competition Bureau may impact OPC's recommendations Related reading: Facebook's $9M settlement with Canada’s Competition Bureau makes history

rss_feed

""

Now that Facebook’s settlement with the Competition Bureau Canada has been published, it is interesting to consider how this could impact other regulatory actions Facebook is dealing with in Canada with the Office of the Privacy Commissioner of Canada.

The settlement is quite short but has some interesting implications.

First, it expressly states that Facebook’s agreement does not constitute an admission of guilt under the Competition Act or any other law, so this settlement doesn’t preclude Facebook’s ability to challenge the OPC’s report, as it is currently doing, through a judicial review application or at the hearing of the OPC application to enforce its report. However, Facebook is not permitted to make any public statements that contradict the terms of the settlement agreement. The recitals state the Competition Bureau Commissioner’s conclusions, which are not admitted to, but the fact of those conclusions and commitments by Facebook cannot be denied. The recitals also note Facebook’s Consent Decree with the U.S. Federal Trade Commission of July 2019, which brings Facebook’s compliance program into the settlement.

The financial penalty is substantial for Canada: $9 million, plus $500,000 to cover the bureau’s costs of the investigation.

More interesting is the ongoing commitments. Facebook is, first of all, not permitted to make any materially false or misleading statements in the future concerning the extent to which users can control access to their personal information, as explained here:

  1. The Respondent shall not make, in connection with a Facebook product or service, any representation to the public that, taking into account its general impression as well as its literal meaning, is materially false or misleading regarding the disclosure of Personal Information, including how and the extent to which Users can control who can access the Personal Information.

Secondly, Facebook must within 180 days ensure its compliance program supports this commitment. Facebook is obliged to "review" the bureau’s Corporate Compliance Program Bulletin with the aim of aligning Facebook’s compliance program with the bulletin. To reinforce these obligations, senior management is required to sign and acknowledge this commitment to “fully support and enforce” the compliance program. This creates the risk of personal liability, both civilly and criminally, for future transgressions.

Third, there is ongoing monitoring. Senior management must be provided with a copy of the settlement agreement with the view to ensuring that Facebook responds to the bureau on matters covered by the sections dealing with statements about user control, as well as senior management acknowledgment of the settlement and its terms. There must be a response within 45 days. The settlement is binding on Facebook for 10 years.

What are “review” of and “aligning” to the bulletin? The bureau obviously has a wider remit than privacy — competition law, of course, and misleading advertising, which is how, like the FTC, privacy statements can bring companies under its authority. The bulletin speaks to compliance more broadly and would include the following privacy programs:

  1. Management commitment and support.
  2. Risk‑based corporate compliance assessment.
  3. Corporate compliance policies and procedures.
  4. Compliance training and communication.
  5. Monitoring, verification and reporting mechanisms.
  6. Consistent disciplinary procedures and incentives for compliance.
  7. Compliance program evaluation.

While the recommendations of the OPC, which Facebook is currently challenging, are broader than the scope of the settlement, it is arguable that core elements are not fundamentally different from what has been agreed to in the settlement and would be required in any event as part of its alignment with the bulletin’s principles:

Privacy Commissioners' recommendations Competition Bureau settlement
  • Implementation of measures to obtain meaningful consent that clearly informs users of consequences in a timely manner.
  • Because of the failure to take accountability, the OPC and British Columbia Commissioner recommended the ability to conduct audits of the privacy policies and practices.
  • While expressed in the negative, the Competition Bureau requires effectively require meaningful consent.
  • The ability of the bureau to monitor for 10 years how Facebook complies with its commitment to the section noted above, gives it considerable insight into the main way in which Facebook obtains data from users, and to monitor its practices.

It will be interesting to see how the Facebook challenge to the OPC’s report continues and whether, in fact, it will be meaningful in light of this settlement.

For businesses operating in Canada, the settlement indicates a new and material enforcement player in the area of privacy, the Competition Bureau Canada; it has been traditionally hard to get management attention given the limitations on our commissioners’ enforcement powers, which the Competition Bureau does not suffer from. It also gives privacy officers and privacy program designers an additional resource/checklist against which to measure the effectiveness of the programs and common framework with which to integrate privacy to general compliance programs.

The author would like to thank nNovation Lawyer Shaun Brown for his edits and comments.

Photo by Tim Bennett on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Comments

If you want to comment on this post, you need to login.