On April 25, 2019, the Office of the Privacy Commissioner of Canada ("OPC") and British Columbia's Office of the Information and Privacy Commissioner ("OIPC BC"), collectively referred to as the "Commissioners", released a Report of Findings detailing findings from their joint investigation into Facebook's handling of the personal information of its users. The Report concludes that Facebook breached key requirements under both the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") and British Columbia's Personal Information Protection Act ("PIPA"), including the requirement to obtain informed consent to the collection, use, and disclosure of personal information, the requirement to implement safeguards appropriate to the sensitivity of the information, and the obligation to be accountable for one's practices with respect to personal information.
The investigation: Facebook's privacy practices and data sharing with third party applications
The OPC investigation into Facebook, which was first launched in March 2018, was later joined by the OIPC BC in April 2018. Spurred by a complaint about Facebook's privacy policies and the aftermath of global controversy surrounding the alleged use of personal information ultimately obtained from Facebook for political targeting, the investigation examined Facebook's disclosure of users' personal information to a third-party application called "This is Your Digital Life" ("TYDL App"), as well as Facebook's disclosure of personal information to third party applications more broadly.
The Report indicates that the TYDL App encouraged users to fill out a personality quiz, ostensibly for purposes that the application publisher described to Facebook as 'academic research'. Unbeknownst to users, the information gathered from these quizzes (as well as information about friends who never used the application directly) was allegedly made accessible to a political consulting firm. The firm, Cambridge Analytica, allegedly used this data to build psychological profiles with the intention of using them for political targeting.
This is not the first time the OPC has investigated Facebook's privacy policies vis-à-vis third party applications. Rather, this investigation followed an earlier investigation conducted in 2009, during which the OPC had similarly expressed concern with the broad scope of the personal information disclosures and the lack of consent to the disclosures for both users who installed apps and their friends. The OPC found the 2009 complaint partially not well-founded and partially well-founded, and made a number of recommendations of measures that the OPC wished Facebook to implement specifically with respect to third party apps. At the time, Facebook had declined to implement these measures and proposed a different set of measures, which the OPC had accepted.
Key findings from the Report of Findings and Facebook's response
According to the Report, Facebook estimated that of the 300,000 users who installed the TYDL App worldwide, 272 were identified as being in Canada. However, as the TYDL App also accessed information about the friends of individuals who installed it, this led to the disclosure of personal information pertaining to approximately 87,000,000 users worldwide, of which approximately 622,000 were identified as being in Canada.
The Report is highly critical of Facebook's actions, concluding that Facebook was in violation of core requirements of Canadian privacy law:
1. Facebook failed to obtain valid and meaningful consent from users installing third party apps to the disclosure of their personal information to those apps. Facebook submitted that it took a threefold approach to obtaining consent to disclose personal information to third party apps, relying on: i) broad statements in the Facebook Data Use Policy, to which all users agree; ii) a dialogue box that appeared on app installation and indicated what information was to be disclosed; and iii) a requirement Facebook imposed on the third party apps to obtain consent from users for Facebook's disclosures to those apps through the apps' own privacy policies.
2. Facebook also failed to obtain meaningful consent from friends of installing users. The Report noted that Facebook relied on overbroad and conflicting language in its privacy communications that was insufficient to support a finding that the friends of an installing user had themselves provided meaningful consent to the disclosure of their information to an app installed by one of their friends. That language was presented to users, generally on registration, in relation to disclosures that could occur years later. The Commissioners considered that this language was not adequate to obtain consent in relation to unknown apps using information for unknown purposes. Facebook further relied on installing users to provide consent on behalf of each of their friends, often numbering in the hundreds, to release those friends' information to an app, even though the friends would have had no knowledge of that disclosure. The Commissioners considered it unreasonable to rely on users to obtain the consent of their friends in this context.
3. Facebook had inadequate safeguards to protect user information. The Report indicated that Facebook relied on contractual terms with third party app developers to protect against unauthorized access by their apps to users' information. However, the Commissioners found that Facebook put in place superficial, largely reactive, and thus ineffective monitoring to ensure compliance with those terms. Specifically, the Commissioners found that while Facebook implemented a program to review the top apps on its platform, such practices were not effective in respect of the millions of other lower-volume apps on Facebook. Furthermore, the Report indicated that Facebook was unable to provide evidence of enforcement actions taken in relation to privacy-related contraventions of those contractual requirements. The Report noted that Facebook also failed to investigate privacy-related 'red flags', such as cases where Facebook noted that an application was not in compliance with Facebook's policies.
4. Facebook failed to be accountable for the user information under its control. The Commissioners found that as a result of its failures outlined above, Facebook did not take responsibility for giving real and meaningful effect to the privacy protection of its users. The Commissioners stated that Facebook had in effect "abdicated" its responsibility for the personal information under its control, seeking to shift that responsibility to the users themselves, and to the third party apps. The Commissioners found that Facebook relied on overbroad consent language, consent mechanisms that were not supported by meaningful implementation, and on the actions of third parties, without implementing reasonable measures to ensure that such entities were in fact obtaining consent. As a result, the Commissioners considered Facebook's purported safeguards with respect to privacy, and implementation of such safeguards, superficial and found that they did not adequately protect users' personal information. The sum of these measures resulted in a privacy protection framework that the Commissioners described as "empty".
The Commissioners issued a number of compliance recommendations to Facebook, including (i) clearly informing users of the nature, purpose and consequences of the disclosure of their information; (ii) proactive review of the privacy policies of the millions of third party apps on Facebook for compliance with the contractual obligations Facebook places on them; (iii) an enhanced ability for users to determine specifically which apps have accessed their information; (iv) oversight by a third party monitor, appointed by and serving to the benefit of the Commissioners, at the expense of Facebook, to monitor and regularly report on Facebook's compliance with these recommendations over five years; and (v) permitting the Commissioners to conduct audits of Facebook's privacy policies and practices over five years. These recommendations were not accepted by Facebook, which proposed alternative approaches to the Commissioners. The complaint against Facebook on each of the aspects of accountability, consent, and safeguards was considered well-founded and remains unresolved.
Following the publication of the Report, the OPC has announced it intends to pursue a federal court action against Facebook, seeking an order forcing Facebook to correct its practices. The OIPC BC reserved its right under PIPA to consider future actions against Facebook. Escalating an investigation to the Federal Court has been uncommon in the past, and has the potential to lead to a binding decision on the interpretation of PIPEDA. Such a decision may inform not only the practices of Facebook, but also those of organizations collecting the personal information of Canadians more broadly, and indeed, the interpretation of PIPEDA by the OPC itself.
Implications for Canadian privacy law and organizations
The Report again highlights important questions about Canada's privacy protection regime and the scope of powers available to Canadian privacy regulators. Whereas foreign privacy regulatory regimes, notably the GDPR in the European Union, include the potential for steep penalties, Canadian privacy regulators lack not only the ability to levy fines, but also the ability to order compliance with the laws they are charged with overseeing. We can expect that this Report will feed the ongoing discussions about stronger privacy regulations and wider powers for privacy regulators in Canada.
The Report also serves as a caution for organizations collecting personal information of Canadians: Canadian privacy regulators are following the lead of other countries, are attempting to hold companies to account for their privacy compliance, and are taking a more robust and consumer-protective approach to enforcing privacy laws. All companies conducting business in Canada should familiarize themselves with Canadian privacy laws and re-evaluate how they will protect users' personal information when working with third-party applications, particularly in light of the OPC's recently issued Meaningful Consent Guidelines and the ongoing Consultation on Transborder Dataflows.