Facebook committed serious violations of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians, an investigation conducted by the Office of the Privacy Commissioner of Canada (OPC) has determined.
In a press release issued on Thursday, the OPC and the Information and Privacy Commissioner for British Columbia, the privacy watchdogs issue a scathing review of Facebook’s conduct around its privacy practices. Despite publicly acknowledging that the Cambridge Analytica scandal was a “major breach of trust,” Facebook has refused to implement recommendations to fix its problems. Facebook has also refused a voluntary audit of its privacy policies and practices over the next five years, and now the OPC must seek an order from the Federal Court to force it to do so.
“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” says Privacy Commissioner of Canada Daniel Therrien in the press release. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”
Facebook responded to a request for an interview from IT World Canada with a written statement. Here’s the complete quote:
“After many months of good-faith cooperation and lengthy negotiations, we are disappointed that the OPC considers the issues raised in this report unresolved. There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information. We understand our responsibility to protect people’s personal information, which is why we’ve proactively taken important steps towards tackling a number of issues raised in the report and worked with the OPC to offer additional concrete measures we can take to address their recommendations, which includes offering to enter into a compliance agreement.”
Facebook’s history of being the subject of investigations by privacy watchdogs in Canada goes back more than a decade. While the OPC has made many clear recommendations to Facebook about how to comply with Canadian law, many of those recommendations have never been acted upon by Facebook. For example, the steps required to delete an account are still unclear, with Facebook instead pushing unhappy users to “deactivate” their accounts, keeping their data on Facebook’s servers indefinitely.
Now the OPC and the B.C. commissioner are saying privacy regulators need new powers to fight for Canadians’ privacy against Facebook and other Internet giants, which have built a business model on targeting ads based on personal information that some have described as “surveillance capitalism.”
At the outset of the investigation in April 2018, Privacy Commissioner of Canada Daniel Therrien told a parliamentary committee that Canada’s current privacy law covering the private sector is not strong enough. He raised that argument again in delivering the investigation’s findings.
“All I can do is recommend to Facebook that they change their policies. They have not agreed to do that. It’s completely unacceptable,” Therrien said at Thursday’s news conference. “We should have order-making powers to ensure that the work we’ve done can be enforced and companies have a reason to respect the law. In Canada, there is no deterrent whatsoever.”
According to the investigation report, the OPC recommended that Facebook take steps to ensure it obtains meaningful and valid consent from users intalling apps, as well as their friends. The consent should include information on the nature, purposes, and consequences of information disclouse; be delivered before or at the time the information is disclosed; and express where the information to be disclosed is sensitive. It also recommends monitoring of third-party apps to make sure these provisions are followed.
Facebook did not agree to implement those measures, the report says, instead saying that updates it has already made changes that were adequate.
The OPC also recommended that Facebook pay for the appointment of a third-party monitor, appointed by the OPC, to monitor and regularly report on its compliance with recommendations for five years. Facebook said it was willing to agree to this, with some material conditions and restrictions. But since Facebook hasn’t agreed to implement the OPC’s recommendations, the monitor would serve no purpose, the report states.
The OPC wants the power to fine companies. It also wants the power to inspect the practices of organizations to confirm privacy laws are being respected. At present, the OPC can only respond when a formal complaint against an organization is filed.
In the case of this investigation, a complaint was filed with the OPC after a Facebook app, “This is Your Digital Life” that posed as a personality quiz collected information about users and their Facebook friends. The data of about 87 million users, including 600,000 Canadians was then shared with Cambridge Analytica, which used it to create psychographic models for the purposes of ad targeting in several U.S. political campaigns.
At Thursday’s news conference, Therrien argued that a complaints-driven model wasn’t effective in the digital era.
“The business models are opaque, the technology is complex,” he said. “You can’t count on complaints from individuals who might not know what is happening.”
Some in the tech community welcome tougher privacy legislation. David Masson is the Canada country manager for AI cyber security firm Darktrace, headquartered in Cambrdige, U.K. He says that last year’s Digital Privacy Act, which updated the law governing the private sector in Canada, didn’t go far enough. For example, where the European Union requires that firms report a data breach within 48 hours, Canada’s law requires it “as soon as possible.”
“That’s not going to cut it,” Masson says. “They might as well say report it as soon as possible, please.”
Masson points out that Canada’s authorities aren’t alone in taking Facebook to task. Facebook CEO Mark Zuckerberg has been dragged in front of the U.S. Senate and British Parliament in recent months. Government is becoming more aware of the platform’s power to influence individuals, thanks to all the data they’ve collected about them.
“Manipulating the public discourse and changing people’s minds is even more powerful than stealing people’s data,” he says.
A separate OPC investigation into B.C.-based AggregateIQ Data Services Ltd. and its role in the matter is still underway. According to testimony presented at parliamentary committees, it was involved in creating “custom audiences” on Facebook for the purpose of targeting with political ads.
Canadians’ trust in Facebook at an all-time low
Facebook’s reputation has taken a nosedive with Canadians since 2017, according to the 2019 Proof Inc. CanTrust Index. Released on the same day as the OPC investigation findings, the index tracks trust sentiment of major brands with Canadians.
In 20117, 51 per cent of Canadians trusted Facebook. Today, just 28 per cent say the same. Yet Facebook remains the most popular social media platform in Canada, with 36 per cent naming it as such in Proof’s survey, and 23 million active users of the platform.
“This is the Facebook paradox,” says Josh Cobden, executive vice-president at Proof Inc. “So many people are on it and so many people use it, that stopping to use it is difficult.”
Proof examines both organizational trust factors and product-based trust factors. While Canadians may read bad news headlines about privacy violations and distrust the organization, the product remains very good at keeping them connected with family and friends. But with Facebook standing in direct opposition to Canada’s top privacy authority, its possible that lack of organizational trust could erode trust in the product.
“That tactic may help Facebook delay litigation or to slow it down. But that sort of attitude does not instil trust among Canadians,” Cobden says. “So they’re going to lose reputationally by doing that.”