Social Media Giant Fails to Protect Canadian Privacy for Ten Years and Counting

By: Lee Rickwood

April 30, 2019

Social media giant Facebook has committed serious contraventions of Canadian privacy law.

According to a joint report released following investigations conducted by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, the company did not obtain proper consent from its users to disclose their personal data, it didn’t have adequate safeguards to protect that data and it didn’t take proper responsibility for the information under its control.

Facebook disputes the investigation’s findings. The company says it has “taken important steps towards tackling a number of issues” raised in the report. It offered to enter a compliance agreement with the Office of the Privacy Commissioner of Canada “after months” of discussion and negotiation.

Facebook reports it has made improvements to its social media platform to protect personal information, but the federal privacy commissioner will go to court to force the company to correct its privacy practices.

That seemingly lengthy timeframe is a reference to the onset of the Commissioners’ almost year-long investigation, triggered by revelations surrounding Facebook and Cambridge Analytica which surfaced in early 2018. There was a direct Canadian connection to that scandal, in which the personal Facebook data of some 50 million people worldwide was apparently obtained by a political consultancy that went on to work for Donald Trump, so privacy officials here launched an “extremely important privacy investigation”.

But this recent privacy investigation is a disconcerting, even shocking, echo from more than ten years ago!

In a complaint filed with the Privacy Commissioner of Canada back in 2008, a key privacy concern was “the way Facebook shares the personal information of its users with third-party software developers who create games and quizzes and other apps that run on its network.”

That description matches almost perfectly the methodology allegedly followed by the U.K. researcher Aleksandr Kogan, who developed and conducted a survey on Facebook which some 270,000 people completed in 2016.

Filling out that survey, in turn, seems to have led to the unauthorized ‘scraping’ of the data associated with some 87 million Facebook user accounts – including more than 600,000 Canadians. That data, in a digital chain of events, may have been shared with U.K.-based data analytics and social microtargeting company Cambridge Analytica.

Facebook denies the allegations, stating “[t]here’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information.”

Despite the social media giant’s responses to the most recent Canadian investigation (if not in consideration of a ten-year track record of privacy complaints and concerns about its activities), the federal privacy commissioner says he intends to go to court to seek an order to force Facebook to correct its privacy practices.

As Canadian Privacy Commissioner Daniel Therrien has noted previously, his office needs some real power in its privacy protection toolkit, such as the ability to impose “substantial financial penalties” on companies that misuse the personal information they collect.

The Office of the Privacy Commissioner should be able to issue binding orders about privacy protection (or the lack thereof); right now, it can only make recommendations – recommendations that a company could ignore if it so desires.

That is a serious weakness in the current framework for providing privacy protection to Canadians, and it has a direct impact on the current investigation and recommendations.

The two privacy commissioners underscored their concern about the “stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we have identified – or even acknowledge that it broke the law.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive information people have entrusted to this company,” they said in their statement and report.

“We found that Facebook’s superficial and ineffective safeguards and consent mechanisms allowed a third-party app to gain unauthorized access to the personal information of millions of Facebook users.”

Despite recommendations from the privacy commissioners to Facebook to address the identified privacy protection problems in its operation, the social media giant has “declined to implement them.”

As such, the Office of the Privacy Commissioner of Canada plans to take the matter to Federal Court.

Canada is not alone in seeking legal mechanisms to get the company to correct its privacy practices.

The Attorney General of New York has opened an investigation into whether Facebook violated that state’s law by collecting users’ email and contact data without authorization as part of a password verification process.

Ireland’s Data Protection Commission also started a probe of whether Facebook violated privacy regulations there by storing hundreds of millions of passwords in an unencrypted format.

The tech giant has also been in talks with the U.S. Federal Trade Commission about concerns it may have violated a 2011 consent decree and failed to provide protection for the privacy of user data in that country.

The company has set aside up to $5 billion, reports indicate, as it prepares itself for fines resulting from current or anticipated legal actions and lawsuits.

Facebook’s first-quarter revenues jumped 26% to $15 billion according to the company’s financial report. The number of monthly active users rose 8% to 2.38 billion. It generated $9.3 billion in cash from operations, an 18% increase from the year before.

