Federal Privacy Commissioner Daniel Therrien and his B.C. counterpart, Michael McEvoy say Facebook’s actions during the Cambridge Analytica breach point to “the need for giving provincial and federal privacy regulators stronger sanctioning power to protect the public’s interest.”
The Cambridge Analytica scandal involves the research firm that helped U.S. President Donald Trump win the 2016 presidential election campaign by harvesting data from millions of Facebook users.
In Canada, over 600,000 people were affected by the scandal.
The commissioners began the investigation last spring and looked at whether social media sites were complying with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and B.C. Person Information Protection Act (PIPA).
According to PIPEDA, companies are required to be accountable for how they collect and use personal information, and must take the necessary steps not to disclose the information inappropriately.
The complaint that began the investigation followed many reports that Facebook allowed an organization to use an app to access personal information.
The app, at one point, was called “This is Your Digital Life.” In Ontario, only 142 people used the app, but it was able to harvest information from almost 300,000 people, according to Toronto Star reporter Alex Boutilier.
He noted that in Canada, less than 300 people used the app and in turn allowing the app creator to harvest the information of 622,161 Canadians.
Wow. So recall that at the centre of this was one of those silly survey apps, which collected data on not only people who used it but their entire network. Only 142 people in Ontario used the app, but that allowed the app to harvest the data of *almost 300,000 people* in ON.
— Alex Boutilier (@alexboutilier) April 25, 2019
“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” said Therrien.
“Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection. The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified — or even acknowledge that it broke the law – is extremely concerning,” he added.
Both commissioners note that there is “critical weakness within the current Canadian privacy protection framework and underscore an urgent need for stronger privacy laws.”
According to the report’s findings, the recommendations state that not only should there be a power to “levy financial penalties on companies,” but that the commissioners should also be given “broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected.”
These practices are similar to what exists in the United Kingdom and several other countries.
Government wants to regulate social media sites
Democratic Institutions Minister Karina Gould recently noted that the government may regulate social media platforms and that it is very likely foreign actors will attempt to interfere in the upcoming federal election.
She also added that social media sites like Facebook, Twitter and Google need to promote transparency, authenticity and integrity on their platforms better.
For its part, Facebook has launched several initiatives to combat election meddling through its platform, including a support program for politicians and an ad transparency tool.
In September 2017, Facebook confirmed that thousands of ads focused on divisive topics like race and immigration where shared by accounts likely operating out of Russia ahead of the U.S. election.
Facebook broke federal, B.C. privacy laws
According to the investigation, the commissioners note that Facebook broke several laws.
Concerning unauthorized access, Facebook’s existing safeguards resulted in third-party access and gave unauthorized access to the personal information of millions of Facebook users.
The commissioner’s note that Facebook “failed to obtain meaningful consent” from users who installed its app as well as users’ “friends” whose information Facebook also revealed.
The commissioners noted that the app did not have proper oversight and overall showed a lack of responsibility regarding personal information.
OPC intends to seek order to force Facebook to have better practices
A similar investigation occurred in 2009, but Facebook did not implement any of the recommendations then.
“If Facebook had implemented the 2009 investigation’s recommendations meaningfully, the risk of unauthorized access and use of Canadians’ personal information by third-party apps could have been avoided or significantly mitigated,” the commissioners said.
The report noted that the social media’s refusal to accept these recommendations “means there is a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms.”
The Office of the Privacy Commissioner intends to seek an order to force Facebook to “correct its privacy practices,” while the Office of the Information and Privacy Commissioner for B.C. intends to use rights under the PIPA to consider “future actions against Facebook.”
Facebook noted in an email to MobileSyrup that it was disappointed the commissioner’s office felt it did not resolve issues that were mentioned in the report despite working collaboratively and in “good faith.”
“There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information.
“We understand our responsibility to protect people’s personal information, which is why we’ve proactively taken important steps towards tackling a number of issues raised in the report and worked with the OPC to offer additional concrete measures we can take to address their recommendations, which includes offering to enter into a compliance agreement,” a Facebook spokesperson said.
Image Credit: YouTube (screenshot)
Update 25/04/19: The article was updated with a quote from Facebook.