Facebook Data Breach Broke Canada’s Privacy Laws, Regulators Say

Data commissioner will take the social network to court

Daniel Therrien, Canada's privacy commissioner, said today that Facebook's privacy policies were 'empty' and 'vague.' The Privacy Commissioner of Canada, Facebook

Officials from Canada have concluded that Facebook “committed serious contraventions of Canadian privacy laws” when the personal data of more than 87 million worldwide users (and 622,000 Canadians) was leaked and leveraged by Cambridge Analytica.

Canada’s Office of the Privacy Commissioner said today that it planned to take Facebook to federal court and seek an order to force the company to change its privacy practices. British Columbia separately may also take additional legal action.

The announcement is the latest legal blow for Facebook, which is already bracing for up to a $5 billion fine from the U.S. Federal Trade Commission for lapses in data privacy.

In the report, the Privacy Commissioner of Canada and the Information and Privacy Commissioner from British Columbia concluded that Facebook had not done enough to safeguard against improper collection and use of users’ personal data when the app “This is Your Digital Life” mined the personal data of Facebook users and their friends. “This is Your Digital Life” subsequently shared that personal data outside of Facebook, including the political firm Cambridge Analytica.

Facebook, the commissioners said, implemented “superficial and ineffective safeguards and consent mechanisms” when it came to sharing data with third-party apps, and “failed to obtain meaningful consent” from the app’s users and their friends, whose data was also leaked. The commissioners also concluded that the company failed to oversee or monitor “the privacy practices of third-party Facebook apps. Approximately 622,000 users in Canada and British Columbia were affected in the scandal,” they said.

Facebook is disputing the findings and did not respond to some of the commissioners’ questions over the course of the investigation, the commissioners said. Facebook also declined to submit to an audit of its privacy policies and practices to address ongoing commissioner concerns about the company’s approach to protecting privacy.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” Daniel Therrien, Canada’s privacy commissioner, said in a statement. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

Therrien called Facebook’s decision to dispute the office’s findings “untenable.”

A Facebook spokesperson did not immediately return a request for comment.

Canadian regulators say there is a “high risk” that Canadian residents’ personal information might be used in more ways they are not aware of and cause potential additional harms. The commissioners are seeking broader authority to issue fines against Facebook and other companies for breaches of this sort, and they say they are taking issue with Facebook’s failure to comply with earlier recommendations that officials provided in 2009 in another investigation.

“If Facebook had implemented the 2009 investigation’s recommendations meaningfully, the risk of unauthorized access and use of Canadians’ personal information by third party apps could have been avoided or significantly mitigated,” a statement about the findings read.

The news is just the latest legal trouble for Facebook, which is bracing for the U.S. FTC to levy a record fine. State attorneys general are also reportedly looking into taking additional action against the company. Meanwhile, U.K. and European regulators are also taking a critical look at the massive social media giant.

Facebook has in recent months moved to emphasized privacy as a foundation of the company. In a September interview with Adweek, Facebook global head of marketing solutions Carolyn Everson said rebuilding trust with its users was the company’s “total focus.” In an earnings call with investors on Wednesday, Facebook CEO Mark Zuckerberg emphasized the company’s commitment to privacy and its focus on encrypted, private messaging.

B.C. Information and Privacy Commissioner Michael McEvoy isn’t convinced. He and Therrien today pushed for stronger privacy laws in Canada to better penalize Facebook.

“Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy, but when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard,” McEvoy said.

@kelseymsutton kelsey.sutton@adweek.com Kelsey Sutton is the streaming editor at Adweek, where she covers the business of streaming television.