The latest damning assessment of Facebook’s trampling of user privacy comes from the Canada and British Columbia privacy commissioners — which have just published the results of an investigation kicked off in the wake of the Cambridge Analytica data misuse scandal last year.
They found the social network company committed serious contraventions of local laws and failed generally to take responsibility for protecting the personal information of Canadians.
Facebook has disputed the findings and refused to implement the watchdogs’ recommendations — including refusing to voluntarily submit to audits of its privacy policies and practices over the next five years.
The Office of the Privacy Commissioner of Canada said it therefore plans to take Facebook to Federal Court to seek an order to force it the company to correct its deficient privacy practices.
Both watchdogs have also called for local privacy laws to be beefed up so that regulators have stronger sanctioning powers to protect the public’s interest.
“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” said Daniel Therrien, privacy commissioner of Canada, in a statement. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.
“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning.”
“Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy. But when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard,” added B.C. information and privacy commissioner, Michael McEvoy, in another supporting statement. “The ability to levy meaningful fines would be an important starting point.”
“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions,” added Therrien.
We’ve reached out to Facebook for comment.
The privacy watchdogs combined their efforts to investigate Facebook and Cambridge Analytica-linked data company Aggregate IQ last year — setting out to determine whether the companies had complied with local privacy laws.
More than 600,000 Canadians had their data extracted from Facebook via an app whose developer was working with Cambridge Analytica to try to build profiles of U.S. voters.
Among the privacy-related deficiencies the two watchdogs are attaching to Facebook’s business are what they dub “superficial and ineffective safeguards” of user data that enabled unauthorized access by third party apps on its platform; a failure to obtain meaningful consent for the use of users’ friends’ data; a lack of proper oversight of the privacy practices of apps using Facebook’s platform, with a reliance on contractual terms and “wholly inadequate” monitoring of compliance.
All familiar stuff if you were following the twists and turns of the Cambridge Analytica data misuse saga last year. (Aleksandr Kogan, the third party app developer at the centre of the Cambridge Analytica data misuse scandal also accused Facebook of not having a valid developer policy.)
“A basic principle of privacy laws is that organizations are responsible for the personal information under their control. Instead, Facebook attempted to shift responsibility for protecting personal information to the apps on its platform, as well as to users themselves,” the watchdogs write, further accusing Facebook of an overall lack of responsibility for the personal data of users.
They also point out that their findings are of particular concern given an earlier 2009 investigation of Facebook by the federal commissioner’s office — which found similar contraventions with respect to Facebook seeking overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized data access by apps.
“If Facebook had implemented the 2009 investigation’s recommendations meaningfully, the risk of unauthorized access and use of Canadians’ personal information by third party apps could have been avoided or significantly mitigated,” they add.
(Oh hai, deja vu… )
The commissioners are calling for not only the power to levy financial penalties on companies that break privacy laws — as equivalent watchdogs in Europe already can — but also broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected.
“This measure would be in alignment with the powers that exist in the U.K. and several other countries,” they note.
“Giving the federal Commissioner order-making powers would also ensure that his findings and remedial measures are binding on organizations that refuse to comply with the law,” they add.
The UK’s data protection watchdog levied the maximum possible fine on Facebook last year — although it’s ‘just’ £500,000 (and Facebook is appealing, claiming there’s no evidence that UK users’ data was misused).
But an updated pan-EU privacy framework, GDPR, which came into force after the Cambridge Analytica-related data misuse occurred, has massively upgraded the maximum possible fines that European data watchdogs can hand down for privacy violations. (And the Irish DPC, the lead privacy regulator for Facebook’s European business, has a very long list of open probes against Facebook and Facebook-owned platforms. So watch that space.)
Earlier this year a U.K. parliamentary committee which spend multiple months last year investigating Facebook and Cambridge Analytica, as part of a wider inquiry into online disinformation, called for Facebook’s use of user data to be investigated by the privacy watchdog.
The committee also urged the UK’s Competition and Markets Authority to undertake an antitrust probe Facebook’s business practices, and recommended that the social media ad market face a comprehensive audit to address concerns about its lack of transparency.