Joint investigation finds major shortcomings in the social media giant’s privacy practices, highlighting pressing need for legislative reform to adequately protect the rights of Canadians
OTTAWA – Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians, an investigation has found.
Despite its public acknowledgement of a “major breach of trust” in the Cambridge Analytica scandal, Facebook disputes the investigation findings of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia. The company also refuses to implement recommendations to address deficiencies.
“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” says Privacy Commissioner of Canada Daniel Therrien. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.
“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning.”
“Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy,” B.C. Information and Privacy Commissioner Michael McEvoy says, “but when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard.”
Commissioner McEvoy says Facebook’s actions point to the need for giving provincial and federal privacy regulators stronger sanctioning power in order to protect the public’s interests. “The ability to levy meaningful fines would be an important starting point,” he says.
The findings and Facebook’s rejection of the report’s recommendations highlight critical weaknesses within the current Canadian privacy protection framework and underscore an urgent need for stronger privacy laws, according to both Commissioners.
“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions,” says Commissioner Therrien.
In addition to the power to levy financial penalties on companies, both Commissioners say they should also be given broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected. This measure would be in alignment with the powers that exist in the U.K. and several other countries.
Giving the federal Commissioner order-making powers would also ensure that his findings and remedial measures are binding on organizations that refuse to comply with the law.
The complaint that initiated the investigation followed media reports that Facebook had allowed an organization to use an app to access users’ personal information and that some of the data was then shared with other organizations, including Cambridge Analytica, which was involved in U.S. political campaigns.
The app, at one point called “This is Your Digital Life,” encouraged users to complete a personality quiz. It collected information about users who installed the app as well as their Facebook “friends.” Some 300,000 Facebook users worldwide added the app, leading to the potential disclosure of the personal information of approximately 87 million others, including more than 600,000 Canadians.
The investigation revealed Facebook violated federal and B.C. privacy laws in a number of respects. The specific deficiencies include:
Unauthorized access
Facebook’s superficial and ineffective safeguards and consent mechanisms resulted in a third-party app’s unauthorized access to the information of millions of Facebook users. Some of that information was subsequently used for political purposes.
Lack of meaningful consent from “friends of friends”
Facebook failed to obtain meaningful consent from both the users who installed the app as well as those users’ “friends,” whose personal information Facebook also disclosed.
No proper oversight over privacy practices of apps
Facebook did not exercise proper oversight with respect to the privacy practices of apps on its platform. It relied on contractual terms with apps to protect against unauthorized access to user information; however, its approach to monitoring compliance with those terms was wholly inadequate.
Overall lack of responsibility for personal information
A basic principle of privacy laws is that organizations are responsible for the personal information under their control. Instead, Facebook attempted to shift responsibility for protecting personal information to the apps on its platform, as well as to users themselves.
The failures identified in the investigation are particularly concerning given that a 2009 investigation of Facebook by the federal Commissioner’s office also found contraventions with respect to seeking overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized access by those apps.
If Facebook had implemented the 2009 investigation’s recommendations meaningfully, the risk of unauthorized access and use of Canadians’ personal information by third party apps could have been avoided or significantly mitigated.
Facebook’s refusal to accept the Commissioners’ recommendations means there is a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms.
Given the extent and severity of the issues identified, the Commissioners sought to implement measures to ensure the company respects its accountability and other privacy obligations in the future. However, Facebook refused to voluntarily submit to audits of its privacy policies and practices over the next five years.
The Office of the Privacy Commissioner of Canada plans to take the matter to Federal Court to seek an order to force the company to correct its privacy practices.
The Office of the Information and Privacy Commissioner for B.C. reserves its right under the Personal Information Protection Act to consider future actions against Facebook.
Related documents:
Chart: Facebook findings highlight the need for legislative reform
SOURCE Office of the Privacy Commissioner of Canada