Appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia

May 7, 2019
Ottawa, Ontario

Opening statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Thank you for this opportunity to speak before the Committee about the findings of the investigation of Facebook on the Cambridge Analytica matter which my office conducted together with our British Columbia counterparts.

We found that Facebook violated privacy law on a number of counts, including:

• failing to obtain meaningful consent of users to disclose their personal information to third party applications;
• disclosing the personal information of friends of users who installed applications without their knowledge or meaningful consent;
• failing to maintain adequate safeguards to protect against the unauthorized access, use, or disclosure of personal information; and
• failing to be accountable for the personal information in its control.

On the last point, Facebook violated the accountability principle by attempting to shift its privacy responsibilities onto the applications on its platform and onto users themselves.

In fact, Facebook even disputed that it was disclosing personal information to third party apps. It preferred to characterize the activity as making personal information available to apps at the request of Facebook users.

The legal characterization of Facebook’s relationship with third party apps is a fundamental issue we will address in our Notice of Application before the Federal Court.

Canadians using Facebook are at high risk that their personal information will be used in ways they may not be aware of, for purposes that they did not agree to and which may be contrary to their interests and expectations.

This could result in real harms, including political targeting and surveillance.

This is not the first time we have investigated Facebook and third party applications.

In a 2009 investigation, the OPC arrived at very similar conclusions - that Facebook’s terms and conditions were too vague to allow for meaningful consent to be given and that Facebook’s safeguards were inadequate to protect the personal information of its users.

At that time, Facebook undertook to correct its practices by improving the language of its policies and developing a privacy framework for the disclosure of personal information to applications.

Our 2019 investigation found that although Facebook took some steps to improve its policies and practices, it failed to meaningfully correct the contraventions identified in the OPC’s 2009 investigation. In essence, the privacy framework Facebook promised is an empty shell.

Given the extent and severity of the issues identified in our 2019 investigation, we made a number of recommendations to Facebook aimed at bringing the company into compliance with Canadian laws.  

We also asked Facebook to voluntarily submit to audits of its privacy policies and practices over the next five years in order to ensure that the company respects its accountability and other privacy obligations in the future.

Facebook has failed to even acknowledge that it contravened the law and has refused to implement our recommendations.

The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we have identified – or even acknowledge that it broke the law – is extremely disconcerting.

We are now in the process of preparing to apply to the Federal Court to seek a binding order requiring Facebook to take action to correct its practices.

The court process will be protracted and expensive. Our investigation has taken a year and it may take another year before this case is heard by the court.

This case is a perfect illustration of why federal privacy law must be improved. It is also an important lesson on which path the government should take, and not take, as it considers how to amend privacy laws following its national digital and data consultations as well as recommendations from this Committee and others.

The government has stated that social media platforms must be held accountable for their behaviour.

Under PIPEDA, organizations have a legal obligation to be accountable. But this principles-based law is quite permissive and gives companies wide latitude to use personal information.

Our investigation demonstrates Facebook’s lack of true accountability and the weakness of PIPEDA in forcing the company to be accountable.  Canadians clearly cannot rely exclusively on companies to manage their information responsibly. It is not enough to ask companies to live up to their responsibilities.

Canadians need modern, rights-based legislation that will protect them when organizations fail to do so. Respect for those laws must be enforced by a regulator, independent from industry and government, with sufficient powers to ensure compliance.

As this Committee has recognized, I should be empowered to make binding orders and impose fines to incentivize organizations to follow the law. But even large fines may not be enough.

To address accountability concerns, PIPEDA should also authorize my office to proactively inspect the practices of organizations. This measure exists in the U.K. and several other countries.

We live in a world of data analytics, artificial intelligence and the Internet of Things where business models are opaque and information flows are complex. Individuals are unlikely to file a complaint when they are unaware of a practice that may harm them.

It is therefore important that the regulator be able to inspect the practices of organizations proactively. It is not enough for an organization to say it is accountable – it must be able to show that it is.

The existing accountability requirement under the law is an important safeguard, but – as we have so clearly seen in this case – it is not sufficient to protect Canadians from the practices of companies that do not behave responsibly.

Any legislative changes should not rely solely on accountability as a solution.

What is required is a law that promotes demonstrable accountability. 

We have seen the limits of voluntary compliance with privacy laws.

It is incumbent on the government to act to protect Canadians from online harms and to uphold trust and privacy in the digital realm.

Thank you and I welcome your questions.