Facebook breaking Canadian privacy laws, commissioners say

Quiz app collected personal data, disclosed data of 87 million, including 100,000 British Columbians


Facebook’s privacy protections are empty and a risk to Canadians, the federal privacy commissioner said April 25.

And, said Daniel Therrien and B.C. commissioner Michael McEvoy, governments are failing to protect Canadians’ privacy as regulators continue to have no authority to enforce decisions or fine organizations violating Canadian laws. That lack of teeth persists despite repeated entreaties from regulators to government to better protect Canadians’ information.

“People will have to make a decision as to whether they want to continue to be on social media,” Therrien said, adding he’s going to Federal Court to get Facebook to comply.

That Facebook has breached multiple federal and provincial laws is among conclusions McEvoy and Therrien arrived at after a joint investigation spurred by a complaint that Facebook had allowed an organization to use an app, This is Your Digital Life, to gain access to users’ personal information.

Some of that data was then shared with other organizations, including Cambridge Analytica, which was involved in U.S. political campaigns. Therrien and McEvoy say the potential exists for such data to be used to influence Canadian elections.



The app encouraged Facebook users to take a personality quiz, which collected information about users and their Facebook friends.

The commissioners said about 300,000 Facebook users worldwide added the app, leading to the potential disclosure of the personal information of approximately 87 million others, including more than 600,000 Canadians.

That number included 100,000 British Columbians, McEvoy said.

“This was done without any meaningful consent, which Facebook continues to deny,” McEvoy said. “This is completely unacceptable.”

The investigation revealed Facebook violated federal and B.C. privacy laws in four major areas:

• Unauthorized access – Facebook’s “superficial and ineffective safeguards and consent mechanisms” resulted in the app’s unauthorized access to millions of Facebook users’ information. “Some of that information was subsequently used for political purposes,” the report said;

• Lack of meaningful consent from ‘friends of friends’ – Facebook failed to obtain meaningful consent from the users who installed the app and from those users’ ‘friends,’ whose personal information Facebook also disclosed;

• No proper oversight over privacy practices of apps – Facebook didn’t exercise proper oversight on privacy practices of apps on its platform. Rather, the report said, Facebook relied on contractual terms with apps to protect against unauthorized access to user information. The report called compliance monitoring “wholly inadequate”; and

• Overall lack of responsibility for personal information – The report said a basic privacy law principle is that organizations are responsible for the personal information under their control. “Instead, Facebook attempted to shift responsibility for protecting personal information to the apps on its platform, as well as to users themselves,” the report said.

In a statement to Glacier Media, Facebook said it took the investigation seriously and that it notified Canadians affected by the This is Your Digital Life app.

“After many months of good-faith cooperation and lengthy negotiations, we are disappointed that the [federal commissioner] considers the issues raised in this report unresolved,” Facebook Canada communications manager Erin Taylor said. “There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information.”

Taylor said Facebook is working to deal with issues in the report and has offered to enter into a compliance agreement with the federal commissioner.

Among measures Facebook says it has taken are:

• Limiting third-party app access to cut down on information – limiting information developers can access using Facebook login. “We will reduce the data someone gives to an app when they sign in to only their name, profile photo, and email address.”

• Extensive app investigation – investigating apps that had access to large amounts of user information before the platform was changed to dramatically reduce data access in 2014. “We are conducting a full review of any app with suspicious activity. If we find developers that misused personally identifiable information, we will ban them and tell users affected by those apps.”

• Giving people transparency and control – a tool is available at the top of the news feed with the apps they have used and an easy way to revoke those apps’ permissions to their data. “We’ve also introduced improved privacy measures across our services that go beyond the legal requirements in many countries.”

• Launched data abuse bounty program – a program so that people can report misuses of data by app developers. “This program rewards people with first-hand knowledge and proof of cases where a Facebook platform app collects and transfers people’s data to another party to be sold, stolen or used for scams or political influence.”

McEvoy said Canada needs legislation allowing regulators to bring companies into line with the law where need be.

“We are sadly lacking and far behind,” McEvoy said. “Canada has a lot of catching up to do in this regard at a federal and provincial level.”

“I completely agree,” Therrien said.

However, in the absence of regulatory teeth, Therrien said, he is now going to the Federal Court of Canada to get an order for Facebook to amend its data-sharing practices.

In the meantime, McEvoy said Canadians should urge politicians to create law to ensure their information cannot be shared with third parties.

“I think accountability is important but we should not rely on companies to act responsibly,” Therrien said. “We need laws to hold them accountable.”

McEvoy said Canadian jurisdictions should examine data protection laws in other areas such as the European Union, whose General Data Protection Regulation is considered the global standard.