After implementing stricter privacy laws in 2018, Canada has joined a number of countries with a shifting mentality regarding privacy rights. Individuals are becoming more aware of the information they are disclosing. Users of applications and services are becoming more cognizant of what data they are providing to organizations and more curious about how that information is being used. For the first time, people are paying close attention to what businesses are using their information for and expect that businesses will be transparent in their privacy policies.
Last week, the Office of the Privacy Commissioner of Canada released a report after conducting a lengthy investigation into Facebook. In sum, the report found that Facebook contravened Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians. The release noted that Facebook’s privacy framework was “empty” and their “vague terms were so elastic that they were not meaningful for privacy protection”. Part of the investigation revealed that an app called “This is Your Digital Life”, which was used by around 300,000 Facebook users around the world, potentially disclosed the personal information of approximately 87 million users, 600,000 of whom were Canadian. The report revealed that Federal and British Columbia privacy laws were violated, citing unauthorized access (which included superficial and ineffective safeguards), lack of meaningful consent, no proper oversight over privacy practices, and an overall lack of responsibility for personal information.
More shocking than the findings was Facebook’s response to the reports and the recommendations contained therein. Facebook denied that they contravened privacy legislation and rejected the findings and recommendations. This response fueled the claim that Facebook lacks responsibility, especially considering that a 2009 Investigative Report, which largely revealed similar issues, proposed mechanisms to mitigate risk of unauthorized access and use of Canadians’ personal information – recommendations that were seemingly ignored by the organization. Interestingly, a March 2019 Edison Research Infinite Dial Report revealed that Facebook lost around 15 million active users since 2017 (6% of its active users).1 This may be partly a result of the negative publicity the company has been receiving due to its handling of users’ personal information (the Cambridge Analytica scandal, for example).
One issue that Facebook’s reception of the report revealed was that the amendments in PIPEDA appear to lack teeth. For instance, PIPEDA does not make a Privacy Commissioner’s recommendations mandatory, nor does the legislation grant a Commissioner the power to issue an order. This does not, however, stop the Office of the Privacy Commissioner of Canada from bringing an application to the Federal Court to compel Facebook to correct its privacy practices. That process will likely be lengthy, and it is currently unclear whether any Commissioner will take this step.
- What information is needed for the organization to provide the service they are undertaking?
- Who has access to that data?
- How is that data handled (shared and used)?
- How and how often is the data destroyed?
There is no doubt that the Privacy Commissioners throughout Canada will be lobbying to make PIPEDA more aggressive, including by providing executive power to the entities tasked with protecting the privacy rights of Canadians. Until that time comes, users will make their voices heard by giving their business to organizations that are more conscious about data use. In order to achieve greater success in this realm, organizations must be more transparent in their privacy policies and take a more conscious approach to data use than they have in the past.
To see the full report, please visit:
Once the target of an unsuccessful phishing scam, Stas is a key part of SBA’s cyber liability and privacy group providing services ranging from assessments and prevention to crisis response.