Fraud Management & Cybercrime , Geo-Specific , Governance & Risk Management
Facebook's Privacy Practices Targeted by Canadian RegulatorTo Force Changes, Regulator Must Prove Facebook Violated Canada's Privacy Law
Canada's privacy commissioner is taking Facebook to court to try to force the social network to make changes to its privacy practices.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The Office of the Privacy Commissioner of Canada has filed an application asking a federal court to declare that Facebook violated the country's privacy law over the Cambridge Analytica scandal. In April 2019, the OPC alleged Facebook "outright rejected" the regulator's recommendations issued following the scandal (see: Canada Says Facebook Violated Privacy Laws).
Cambridge Analytica was a digital consulting firm that received profile data for 87 million Facebook users, mostly in the U.S., in violation of Facebook's internal rules. The firm specialized in targeting voters with customized digital messages based on psychographic profiles, aka in-depth analyses of voters.
Canada was one of many nations that launched investigations into Facebook following the Cambridge Analytica revelations that came to light in early 2018 (see: Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).
The U.S. Federal Trade Commission subsequently levied a $5 billion fine against Facebook as a result of its investigation - the biggest privacy fine in history. Whether civil fines are an effective tool for altering the behavior of a technology giant that posts revenus of tens of billions of dollars per quarter, however, remains an open question (see: It's Official: FTC Fines Facebook $5 Billion).
Responding to the Canadian regulator's new lawsuit, Facebook says in a statement that "the commission is choosing to pursue legal action despite our many attempts to work with them and offer measures that would go above and beyond what other companies do. We look forward to defending the many proactive and robust improvements we've made to our platform to better protect people's personal information."
Regulator Has No Teeth
Canada's OPC has to go to the federal court because of a unique aspect of the agency: it can't issue binding orders or fines.
"The federal court has, among other powers, the authority to impose binding orders requiring an organization to correct or change its practices and comply with the law," the OPC says.
The privacy regulator, however, doesn't have any enforcement powers, and Facebook has remained at odds with it. The OPC recommended changes to Facebook's privacy practices in a previous investigation around 2009, for example, but it says Facebook failed to implement them.
"The legal proceedings may be lengthy, with the timing dependent on numerous procedural issues."
—Office of the Privacy Commissioner of Canada
After Cambridge Analytica unfolded, the regulator launched a new investigation into Facebook's privacy practices in May 2018. Facebook maintains that no Canadians' data was improperly shared as part of the debacle, but the OPC says that 622,000 Canadians' personal information was exposed.
The profile data was collected around 2013 by a survey app called This Is Your Digital Life, built by Aleksandr Kogan, a Cambridge University lecturer. His app collected profile data for individuals who took the survey, as well as data on their friends. Kogan then shared the data with Cambridge Analytica.
The OPC's investigation found that Facebook didn't obtain meaningful consent from users to collect that data or secure consent from users' friends. While Facebook said it prohibited the kind of sharing Kogan did, the regulator says that Facebook failed to ensure that app developers were complying with the social network's data-sharing policies.
Lengthy Court Battle
Now, the OPC has petitioned Canada's federal court for several orders.
First, the privacy regulator wants the court to declare that Facebook violated Canada's Personal Information Protection and Electronic Documents Act. Second, it wants orders that would force Facebook to obtain meaningful consent from users and make changes to its privacy practices to bring it into compliance with PIPEDA.
Finally, the OPC wants the court to oversee ongoing monitoring and compliance by Facebook and require the social network to publish its course of action if the court mandates any specific changes.
The OPC warns that it has to start from scratch in its efforts to obtain the orders, despite having conducted extensive, previous probes into Facebook's practices. But the regulator says the federal court is considered a "de novo" proceeding, meaning that the regulator cannot file reports from any of its investigations. Instead, the privacy commissioner must prove that Facebook failed to comply with PIPEDA.
"The legal proceedings may be lengthy, with the timing dependent on numerous procedural issues," the OPC says.