Christopher Oates
Partner
On April 25, 2019, the Office of the Privacy Commissioner of Canada ("OPC") and British Columbia's Office of the Information and Privacy Commissioner ("OIPC BC"), collectively referred to as the "Commissioners", released a Report of Findings detailing findings from their joint investigation into Facebook's handling of the personal information of its users. The Report concludes that Facebook breached key requirements under both the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and British Columbia's Personal Information Protection Act ("PIPA"), including the requirement to obtain informed consent to the collection, use, and disclosure of personal information, the requirement to implement safeguards appropriate to the sensitivity of the information, and the obligation to be accountable for one's practices with respect to personal information.
The OPC investigation into Facebook, which was first launched in March 2018, was later joined by the OIPC BC in April 2018. Spurred by a complaint about Facebook's privacy policies and the aftermath of global controversy surrounding the alleged use of personal information ultimately obtained from Facebook for political targeting, the investigation examined Facebook's disclosure of users' personal information to a third-party application called "This is Your Digital Life" ("TYDL App"), as well as Facebook's disclosure of personal information to third party applications more broadly.
The Report indicates that TYDL App encouraged users to fill out a personality quiz, ostensibly for what the application publisher informed Facebook were purposes associated with 'academic research'. Unbeknownst to users, the information gathered from these quizzes (as well as information about friends who never used the application directly) was allegedly made accessible to a political consulting firm. The firm, Cambridge Analytica, allegedly used this data to build psychological profiles with the intention of using them for political targeting.
This is not the first time the OPC has investigated Facebook's privacy policies vis-à-vis third party applications. Rather, this investigation followed an earlier investigation conducted in 2009[1], during which the OPC had similarly expressed concern with the broad scope of the personal information disclosures and the lack of consent to the disclosures for both users who installed apps and their friends. The OPC found the 2009 complaint partially not well-founded and partially well-founded, and made a number of recommendations of measures that the OPC wished Facebook to implement specifically with respect to third party apps. At the time, Facebook had declined to implement these measures and proposed a different set of measures, which the OPC had accepted.[2]
According to the Report, Facebook estimated that of the 300,000 users who installed the TYDL App worldwide, 272 were identified as being in Canada. However, as the TYDL App also accessed information about the friends of individuals who installed it, this led to the disclosure of personal information pertaining to approximately 87,000,000 users worldwide, of which approximately 622,000 were identified as being in Canada.
The Report is highly critical of Facebook's actions, concluding that Facebook was in violation of core requirements of Canadian privacy law:
The Commissioners issued a number of compliance recommendations to Facebook, including (i) clearly informing users of the nature, purpose and consequences of the disclosure of their information; (ii) proactive review of the privacy policies of the millions of third party apps on Facebook for compliance with the contractual obligations Facebook places on them; (iii) an enhanced ability for users to determine specifically what apps have accessed their information; (iv) oversight by a third party monitor, appointed by and serving to the benefit of the Commissioners, at the expense of Facebook, to monitor and regularly report on Facebook's compliance with these recommendations over five years; and (v) permitting the Commissioners to conduct audits of Facebook's privacy policies and practices over five years. These recommendations were not accepted by Facebook, which proposed alternative approaches to the Commissioners. The complaint against Facebook on each of the aspects of accountability, consent, and safeguards was considered well-founded and remains unresolved.[4]
Following the publication of the Report, the OPC has announced it intends to pursue a federal court action against Facebook, seeking an order forcing Facebook to correct its practices. The OIPC BC reserved its right under PIPA to consider future actions against Facebook.[5] Escalating an investigation to the Federal Court has been uncommon in the past, and has the potential to lead to a binding decision on the interpretation of PIPEDA. Such a decision may inform not only the practices of Facebook, but also those of organizations collecting the personal information of Canadians more broadly, and indeed, the interpretation of PIPEDA by the OPC itself.
The Report again highlights important questions about Canada's privacy protection regime and the scope of powers available to Canadian privacy regulators. Whereas foreign privacy regulatory regimes, notably the GDPR in the European Union, include the potential for steep penalties, Canadian privacy regulators lack not only the ability to levy fines, but also the ability to order compliance with the laws they are charged with overseeing. We can expect that this Report will feed the ongoing discussions about stronger privacy regulations and wider powers for privacy regulators in Canada.
The Report also serves as a caution for organizations collecting personal information of Canadians: Canadian privacy regulators are following the lead of other countries, attempting to crack down on companies over their privacy compliance and taking a more robust, consumer-protective approach to enforcing privacy laws. All companies conducting business in Canada should familiarize themselves with Canadian privacy laws and re-evaluate how they will protect users' personal information when working with third-party applications, particularly in light of the OPC's recently issued Meaningful Consent Guidelines and the ongoing Consultation on Transborder Dataflows.
[1] See Canada, Office of the Privacy Commissioner of Canada, Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act by Elizabeth Denham Assistant Privacy Commissioner of Canada (OPC PIPEDA Report of Findings #2009-008, 16 July 2009), online: <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2009/pipeda-2009-008/>.
[2] Canada, Office of the Privacy Commissioner of Canada, Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia (OPC, 25 April 2019), online: <www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-002/> at paras 18-21.
[3] Ibid at "Overview".
[4] Ibid at paras 183-202.
[5] Canada, Office of the Privacy Commissioner of Canada, Facebook refuses to address serious privacy deficiencies despite public apologies for "breach of trust" (OPC, 25 April 2019), online: <https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/nr-c_190425/>.