Canada’s privacy commissioner isn’t surprised by Facebook privacy scandal

Therrien believes that imposing fines and penalties would encourage companies to treat privacy more responsibly

Canada’s Privacy Commissioner Daniel Therrien told reporters on Wednesday afternoon that he wasn’t surprised by the news that approximately 600,000 Canadians were affected by the Facebook Cambridge Analytica data scandal.

“Given the numbers — 50 million or so people affected worldwide, the proximity of Canadians to the U.S., the fact that many Canadians are friends of have people they know in the U.S. — no, I’m not surprised,” said Therrien, speaking to reporters at a Canadian Journalism Foundation (CJF) privacy summit, held at the Globe and Mail Centre in downtown Toronto.

Therrien also said that his office is giving priority to the investigations that impact the most Canadians. As of this afternoon, the Office of the Privacy Commissioner’s (OPC) is most focused on the Facebook Cambridge Analytica case.

“We’ll do the best we can and we will give priority to that investigation,” said Therrien.

“…it is a challenge…because these breaches…occur all the time.”

The privacy commissioner said that it’s a “challenge” having to investigate all of the privacy breaches and scandals that have emerged over the past year.

“You’re right that it is a challenge and that we could certainly do with more resources, because these breaches, as you say, occur all the time,” Therrien replied, in response to a reporter’s question.

Therrien told MobileSyrup that his office will not “draw any conclusions on what our investigation will bare on Facebook,” until the investigation itself has concluded.

“The allegation — one of the allegations — is that information was used for purposes other than the purpose for which people put it on Facebook, based on liberal or loose consent rules,” said Therrien.

“Part of the issue is whether the consent model that we have in Canada currently gives too much latitude to companies based on long privacy policies to craft a contract whereby they say they have consent to use it for other purposes.”

“…information was used for purposes other than the purpose for which people put it on Facebook…”

Therrien has previously expressed the belief that companies need to simplify their privacy policies, in order for users to more easily understand precisely what information they hand over.

Therrien told reporters that “in the world of new technology,” enforcing consent is a difficult task, because the ways in which modern companies utilize user data — for big data, machine learning or artificial intelligence — doesn’t lend itself to asking individual users for consent.

“That means that companies have an important responsibility and accountability to handle that information responsibly, in accordance with privacy laws,” said Therrien.

Pieces missing from the puzzle

As of right now, the OPC has the legal powers to conduct searches and compel organizations to hand over documents during investigations. Once an investigation has concluded, however, the OPC is only able to offer recommendations to the company — suggestions that companies don’t always follow.

To that extent, Therrien believes that the OPC needs some kind of mechanism to enforce fines on penalties on companies that have been found to violate Canada’s privacy laws.

“It’s at the end, after the investigation, that our powers are lacking,” Therrien told reporters.

“…I think if privacy laws are to be effective, there needs to be a financial impetus for companies to respect privacy laws…”

Therrien has asked Parliament for the ability to impose fines, “only when necessary, because it will not always be necessary.”

“We’ve recommended to Parliament to have the authority to make orders against companies and, when needed, to impose fines,” said Therrien. “That’s an authority that my equivalents in Europe — but not only Europe, also the U.S. — have.”

“In a world where companies make considerable profits with the personal information of individuals, I think if privacy laws are to be effective, there needs to be a financial impetus for companies to respect privacy laws… there are companies that will not respect privacy laws unless they feel that financially they must and the question of fines comes into the picture.”

Addressing the right to be forgotten

Facebook confirmed that roughly 600,000 Canadians were involved in the Cambridge Analytica breach during an unrelated privacy summit taking place in Toronto.

The summit itself was an opportunity for members of the media, legal authorities, as well as Therrien to discuss the privacy commissioner’s policy proposal on online reputation.

The right to online reputation is also known as the right to be forgotten.

Therrien told reports that the Facebook privacy scandal is related to the right to be forgotten “at the most general level.”

“At that very general level, whether privacy rights are respected, yes it’s the same thing and when there needs to be effective remedies for the privacy rights of Canadians to be respected,” said Therrien.