The Office of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia found Facebook violated the country’s privacy laws during its investigation of the Cambridge Analytica revelations.

The two agencies offered recommendations Facebook could implement to address deficiencies. Facebook both disputed the findings and refused to apply any of the recommendations laid out in the report. Privacy Commissioner of Canada Daniel Therrien and British Columbia Information and Privacy Commissioner Michael McEvoy both discussed why Facebook’s response highlights the longstanding need for regulatory changes in a conference call following the release of the findings.

Therrien also announced the OPC plans to take Facebook to federal court in order to force the tech company to change its practices.

“We have, with our colleagues, lead a very serious investigation into the practices of Facebook, which lasted for more than a year. We concluded that Facebook had been violating [the Personal Information Protection and Electronic Documents Act] in a number of ways, and the current law says all I can do is recommend to Facebook that they change their ways. And they have disagreed to do that,” Therrien said.

The commissioners started their investigation into Facebook back in March 2018 after it was reported Facebook allowed organizations to use the “This Is Your Digital Life” app to access users’ information. Cambridge Analytica was among the companies that received this data, which was then used for targeted political advertising.

The core findings from the agencies allege Facebook failed to obtain valid and meaningful consent from both users and friends of the users who had their information collected. The commissioners found Facebook did not have the proper safeguards in place to protect users’ data, nor was it accountable for the data it had under its control.

Therrien and McEvoy recommended Facebook implement measures to obtain meaningful consent and to allow their offices to conduct audits of the company’s privacy practices and assess its compliance with privacy laws over a five-year period.

Facebook disagreed with the findings, and the pair of regulators both said Facebook’s denial heightens a core problem for the agencies: They simply do not have enough regulatory authority.

By taking Facebook to federal court, Facebook may be required to change its privacy practices. The federal courts may require Facebook to pay for damages to those affected by the incident; however, Therrien said those totals are often much lower than the financial penalties levied by regulators around the world.

Therrien offered his frustration over the situation, saying companies can tell Canadian regulators “thank you for conclusions on matters of law, but we actually disagree, and we will continue as we were.”

Therrien offered his frustration over the situation, saying companies can tell Canadian regulators “thank you for conclusions on matters of law, but we actually disagree, and we will continue as we were.”

“It’s completely unacceptable. We should have order-making powers to ensure that after we do serious work, as we have done, that the conclusions are binding,” Therrien said. “Then, these orders should come with fines to ensure that companies have an incentive to respect the law. That is something that exists in other countries.”

As Facebook prepares to face a multibillion-dollar fine from the U.S. Federal Trade Commission, Sen. Elizabeth Warren, D-Mass., said the penalty is a nonfactor for the social media platform. McEvoy was asked a question in the same vein during the conference call and took a different stance from the U.S. senator.

“Fines are not insignificant. In the EU with the General Data Protection Regulation, fines can go anywhere upward to $50 million euros. These are not insignificant numbers,” McEvoy said. “The problem in Canada is that there is no deterrent whatsoever when it comes to fine making power. If companies are going to be held to account, and we are to act in step with other jurisdictions around the world, legislators here have to have that authority.”

Therrien agreed but acknowledged that enforcement authority needs to be more than just a monetary sum.

“I agree with my colleague that fines are not insignificant and are part of the solution, but they may not always be all of the solution, which is why I insist on talking about the need to be able to hold companies accountable, and by that I mean to inspect their practices. So [Facebook said] that they are accountable, and as we have seen in this instance that they were not accountable,” Therrien said.

Therrien cited accountability as particularly important for any type of legislative reform. It is why the report states the OPC should have the ability to inspect an organization’s practices to ensure it is compliant with privacy laws.

As a new Parliament potentially considers amending legislation, Therrien said members of industry will suggest that companies operate under the assumption that they are, in fact, accountable. And that is not a stance the commissioner agrees with.

“I think accountability is important, but we should not count on all companies to act responsibly, and a new law should ensure a regulator holds companies responsible,” Therrien said.

With an election on the horizon and a new Parliament about to start its term, Therrien hopes some of these concerns are addressed. As Europe and the U.S. take steps forward to address their privacy laws and empower their regulators, Therrien hopes Canada does the same.

“I’ve called for amendments to private law for quite some time. There will not be time in the current Parliament for any legislation to be, but my hope certainly is that in the next Parliament there will be legislation,” Therrien said. “It’s taking a lot of time, and we are behind many countries, but I sincerely hope in the new Parliament that this will be a priority.”   

Photo by Harry Sandhu on Unsplash.