Canada: Privacy Commissioners Release Report On Facebook Investigation, Announce Plan For Court Action

On April 25, 2019, the Office of the Privacy Commissioner of Canada ("OPC") and British Columbia's Office of the Information and Privacy Commissioner ("OIPC BC"), collectively referred to as the "Commissioners", released a Report of Findings detailing findings from their joint investigation into Facebook's handling of the personal information of its users. The Report concludes that Facebook breached key requirements under both the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and British Columbia's Personal Information Protection Act ("PIPA"), including the requirement to obtain informed consent to the collection, use, and disclosure of personal information, the requirement to implement safeguards appropriate to the sensitivity of the information, and the obligation to be accountable for one's practices with respect to personal information.

The investigation: Facebook's privacy practices and data sharing with third party applications

The OPC investigation into Facebook, which was first launched in March 2018, was later joined by the OIPC BC in April 2018. Spurred by a complaint about Facebook's privacy policies and the aftermath of global controversy surrounding the alleged use of personal information ultimately obtained from Facebook for political targeting, the investigation examined Facebook's disclosure of users' personal information to a third-party application called "This is Your Digital Life" ("TYDL App"), as well as Facebook's disclosure of personal information to third party applications more broadly.

The Report indicates that the TYDL App encouraged users to fill out a personality quiz, ostensibly for purposes that the application publisher told Facebook were associated with 'academic research'. Unbeknownst to users, the information gathered from these quizzes (as well as information about friends who never used the application directly) was allegedly made accessible to a political consulting firm. The firm, Cambridge Analytica, allegedly used this data to build psychological profiles with the intention of using them for political targeting.

This is not the first time the OPC has investigated Facebook's privacy policies vis-à-vis third party applications. Rather, this investigation followed an earlier investigation conducted in 2009,[1] during which the OPC had similarly expressed concern with the broad scope of the personal information disclosures and the lack of consent to the disclosures for both users who installed apps and their friends. The OPC found the 2009 complaint partially not well-founded and partially well-founded, and made a number of recommendations of measures that the OPC wished Facebook to implement specifically with respect to third party apps. At the time, Facebook had declined to implement these measures and proposed a different set of measures, which the OPC had accepted.[2]

Key findings from the Report of Findings and Facebook's response

According to the Report, Facebook estimated that of the 300,000 users who installed the TYDL App worldwide, 272 were identified as being in Canada. However, as the TYDL App also accessed information about the friends of individuals who installed it, this led to the disclosure of personal information pertaining to approximately 87,000,000 users worldwide, of which approximately 622,000 were identified as being in Canada.

The Report is highly critical of Facebook's actions, concluding that Facebook was in violation of core requirements of Canadian privacy law:

  1. Facebook failed to obtain valid and meaningful consent of users installing third party apps to the disclosure of their personal information to those apps. Facebook submitted that it took a threefold approach to obtaining consent to disclose personal information to third party apps, relying on: (i) broad statements in the Facebook Data Use Policy, to which all users agree; (ii) a dialog box that appeared on app installation and indicated what information was to be disclosed; and (iii) a requirement Facebook imposed on the third party apps to obtain consent from users, through the apps' own privacy policies, for Facebook's disclosures to those apps.

    However, the Report indicated that Facebook was unable to demonstrate that: (a) the TYDL App actually obtained meaningful consent for its purposes, including, potentially, political purposes; or that (b) Facebook made reasonable efforts, in particular by reviewing app developer privacy communications, to ensure that the TYDL App, and apps in general, were obtaining meaningful consent from users. The Commissioners noted that they did not consider it reasonable to expect that a user's agreement to the Data Use Policy would in effect amount to advance consent to disclosure of their personal information years later to unknown apps for unknown purposes. The use of dialog boxes was insufficient to address this, as those boxes did not disclose the purposes for which the information requested would be used or disclosed, or the consequences associated with such use and disclosure. Finally, while the Commissioners noted that in some cases an organization can rely on consent obtained by a third party, merely linking to the app's privacy policy, without actually verifying that the link led to a policy explaining the purposes for which the information would be used, was not sufficient. In this regard, consider that millions of third party apps exist on the Facebook platform.
  2. Facebook also failed to obtain meaningful consent from friends of installing users. The Report noted that Facebook relied on overbroad and conflicting language in its privacy communications that was insufficient to support that the friends of an installing user had themselves provided meaningful consent to the disclosure of their information to an app installed by one of their friends. That language was presented to users, generally on registration, in relation to disclosures that could occur years later. The Commissioners considered that this language was not adequate to obtain consent in relation to unknown apps using information for unknown purposes. Facebook further relied on installing users to provide consent on behalf of each of their friends, often counting in the hundreds, to release those friends' information to an app, even though the friends would have had no knowledge of that disclosure. The Commissioners considered it unreasonable to rely on users to obtain the consent of their friends in this context.
  3. Facebook had inadequate safeguards to protect user information. The Report indicated that Facebook relied on contractual terms with third party app developers to protect against unauthorized access by their apps to users' information. However, the Commissioners found that Facebook put in place superficial, largely reactive, and thus ineffective, monitoring to ensure compliance with those terms. Specifically, the Commissioners found that while Facebook implemented a program to review the top apps on its platform, such practices were not effective in respect of the millions of other lower-volume apps on Facebook. Furthermore, the Report indicated that Facebook was unable to provide evidence of enforcement actions taken in relation to privacy-related contraventions of those contractual requirements. The Report noted that Facebook also failed to investigate privacy-related 'red flags', such as cases where Facebook noted that an application was not in compliance with Facebook's policies.
  4. Facebook failed to be accountable for the user information under its control. The Commissioners found that as a result of the failures outlined above, Facebook did not take responsibility for giving real and meaningful effect to the privacy protection of its users. The Commissioners stated that Facebook had in effect "abdicated" its responsibility for the personal information under its control, seeking to shift that responsibility to the users themselves and to the third party apps. The Commissioners found that Facebook relied on overbroad consent language, on consent mechanisms that were not supported by meaningful implementation, and on the actions of third parties, without implementing reasonable measures to ensure that such entities were in fact obtaining consent. As a result, the Commissioners considered Facebook's purported privacy safeguards, and the implementation of those safeguards, superficial, and found that they did not adequately protect users' personal information. The sum of these measures resulted in a privacy protection framework that the Commissioners described as "empty".[3]

The Commissioners issued a number of compliance recommendations to Facebook, including (i) clearly informing users of the nature, purpose and consequences of the disclosure of their information; (ii) proactive review of the privacy policies of the millions of third party apps on Facebook for compliance with the contractual obligations Facebook places on them; (iii) an enhanced ability for users to determine specifically which apps have accessed their information; (iv) oversight by a third party monitor, appointed by and serving to the benefit of the Commissioners, at the expense of Facebook, to monitor and regularly report on Facebook's compliance with these recommendations over five years; and (v) permitting the Commissioners to conduct audits of Facebook's privacy policies and practices over five years. These recommendations were not accepted by Facebook, which proposed alternative approaches to the Commissioners. The complaint against Facebook on each of the aspects of accountability, consent, and safeguards was considered well-founded and remains unresolved.[4]

Following the publication of the Report, the OPC has announced that it intends to pursue a Federal Court action against Facebook, seeking an order forcing Facebook to correct its practices. The OIPC BC reserved its right under PIPA to consider future actions against Facebook.[5] Escalating an investigation to the Federal Court has been uncommon in the past, and has the potential to lead to a binding decision on the interpretation of PIPEDA. Such a decision may inform not only the practices of Facebook, but also those of organizations collecting the personal information of Canadians more broadly, and indeed the interpretation of PIPEDA by the OPC itself.

Implications for Canadian privacy law and organizations

The Report again highlights important questions about Canada's privacy protection regime and the scope of powers available to Canadian privacy regulators. Whereas foreign privacy regulatory regimes, notably the GDPR in the European Union, include the potential for steep penalties, Canadian privacy regulators lack not only the ability to levy fines, but also the ability to order compliance with the laws they are charged with overseeing. We can expect that this Report will feed the ongoing discussions about stronger privacy regulations and wider powers for privacy regulators in Canada.

The Report also serves as a caution for organizations collecting the personal information of Canadians: Canadian privacy regulators are following the lead of other countries, cracking down on companies' privacy compliance, and taking a more robust, consumer-protective approach to enforcing privacy laws. All companies conducting business in Canada should familiarize themselves with Canadian privacy laws and re-evaluate how they will protect users' personal information when working with third-party applications, particularly in light of the OPC's recently issued Meaningful Consent Guidelines and the ongoing Consultation on Transborder Dataflows.

Footnotes

[1] See Canada, Office of the Privacy Commissioner of Canada, Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act, by Elizabeth Denham, Assistant Privacy Commissioner of Canada (OPC PIPEDA Report of Findings #2009-008, 16 July 2009), online: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2009/pipeda-2009-008/

[2] Canada, Office of the Privacy Commissioner of Canada, Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia (OPC, 25 April 2019), online: at paras 18-21.

[3] Ibid at "Overview".

[4] Ibid at paras 183-202.

[5] Canada, Office of the Privacy Commissioner of Canada, Facebook refuses to address serious privacy deficiencies despite public apologies for "breach of trust" (OPC, 25 April 2019), online: https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/nr-c_190425/.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
