The federal Privacy Commissioner has filed an application in the Federal Court to order Facebook to comply with Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).
Facebook/Cambridge Analytica data breach
The court proceedings arise out of the joint investigation by the Commissioner and the BC Information and Privacy Commissioner into the Facebook/Cambridge Analytica data breach. That investigation focused on the unauthorized collection and sharing of the personal information of more than 50 million users worldwide, including over 600,000 in Canada, for the purposes of targeting political messages.
The breach was revealed in a series of media articles in late 2017/early 2018 and related to data tracking and targeting activities going back as far as 2014.
The investigation followed a complaint that Facebook had allowed Cambridge Analytica and other organizations to use a social media app (“This Is Your Digital Life”) to access users’ personal information and the information of their Facebook friends, and then share that information with third parties for purposes of U.S. and other political campaigns, without obtaining proper consent.
The investigation was highly critical of Facebook’s policies and procedures regarding collection of personal information by social media apps and the sharing of that information. In particular, it found that Facebook failed to obtain meaningful consent from app users and their friends for the purposes for which the information was used. Facebook disagreed with the conclusions of the investigation and refused to change its privacy practices to address the deficiencies identified.
The court proceedings
The Court application is significant for a number of reasons. Firstly, it is only the second time that the Commissioner has sought this remedy and, if the proceedings result in a court order against Facebook, it will be the first such order under PIPEDA.
Secondly, the application must be seen in the context of the Commissioner’s outspoken urgings for reform of PIPEDA, in particular to provide him with order-making power and the authority to impose substantial fines on organizations that blatantly breach the law.
Significantly, in the application, the Commissioner is not seeking a monetary remedy, for the simple reason that PIPEDA currently does not allow it. However it does allow the Commissioner to seek an order requiring compliance.
In addition to a declaration that Facebook contravened PIPEDA, the Commissioner is asking for an order to compel Facebook to implement effective and easily accessible procedures for obtaining, and maintaining, meaningful consent from all users, and to specify modifications to its practices to achieve compliance with PIPEDA. In addition, the application asks the court to retain continuing jurisdiction to oversee Facebook’s compliance with these requirements.
The international context
The OPC’s application also should be seen in the context of other jurisdictions’ enforcement actions against Facebook resulting from the breach. In the UK, the Information Commissioner imposed a fine of £500,000, the maximum provided for in the pre-GDPR environment in which the activities took place. More significant is the US$5 billion fine imposed by the Federal Trade Commission – and agreed to by Facebook – the largest ever levied by the FTC against a technology company. Facebook also agreed to a 20-year settlement order that overhauls its privacy compliance procedures.
In the context of these enforcement actions concluded elsewhere it is a mystery why Facebook has not resolved the compliance issues raised by the federal and BC Commissioners’ investigations.
More public scrutiny of Facebook
The court application process, if not settled, will lead to proceedings in which Facebook’s policies and procedures will be subject to further scrutiny, including cross-examination of a representative of the company – all in the public eye. There has been much criticism that the Facebook representatives who appeared before parliamentary and congressional committees following the Cambridge Analytica data breach were not very forthcoming. It will be more difficult for Facebook to resist a full explanation of the circumstances relating to this matter when before the court.
© David Young Law 2018
Read the Full PDF: Privacy Commissioner seeks court order against Facebook
For more information please contact:
David Young 416-968-6286 firstname.lastname@example.org
Note: The foregoing does not constitute legal advice. Readers are cautioned that for application to specific situations, legal advice should be obtained.
 A version of this article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.