Canada’s new privacy watchdog
There’s more to the Competition Bureau’s $9.5 million settlement with Facebook over misleading privacy claims than the modesty of the sum.
Like the guest who shows up late to the barbecue with the same potato salad everyone else brought, the recent attempt by Canada’s Competition Bureau to bring Facebook’s privacy practices to heel probably struck some people as tardy — or redundant.
Earlier this month, the Bureau reported that, after having investigated Facebook’s operations between August 2012 and June 2018, it had concluded that while the company had given users the impression that they could control who had access to their personal information, they really couldn’t. Developers of third-party applications had access to users’ personal data, and to information about their friends.
The Bureau started looking into Facebook in spring 2018, in response to the Cambridge Analytica scandal. So did the Office of the Privacy Commissioner, which produced a report a year later accusing Facebook of violating the privacy rights of Canadians. The OPC went to Federal Court in February seeking a declaration that the company had violated federal privacy law. Facebook went to court in April seeking to overturn the OPC’s findings.
Less than a year ago, the U.S. Federal Trade Commission also punished Facebook for misleading users about their ability to control access to their personal information. The commission fined Facebook $5 billion US.
The Competition Bureau’s fine was a lot more subtle: $9 million, plus $500,000 for costs — chicken feed for a company that reported first-quarter earnings of $4.9 billion in April. But the fine was also close to the Bureau’s legal limit of $10 million and, coming after the U.S. fine and the OPC report, it ramped up the public pressure on the social media mammoth to take privacy rights more seriously.
“As my mother used to say, it’s better than a kick in the head,” said Teresa Scassa, Canada Research Chair in Information Law and Policy at the University of Ottawa.
“The goal of these measures is to change behaviour, and Facebook has received that message globally by now.”
Some observers say the modest size of the Bureau’s fine is less important than the fact of the fine itself. “Although the sum might not seem like much,” said Molly Reynolds, a privacy law specialist at Torys, “it’s more significant as a sign that the Bureau is taking a longer step into this area.”
And while large fines can rattle shareholders, she said, serial fines from multiple jurisdictions can really get them to take notice. “There’s a cumulative effect, especially coming after the privacy commissioner’s finding that Facebook violated privacy law,” she said. “It has a reputational impact and an impact on shareholders, who will make their opinions known.”
“It’s a mistake to see the $9 million as merely symbolic,” said Michael Binetti, who handles corporate litigation at Affleck Greene McMurtry LLP in Toronto. “It sends a message to companies like Facebook that agencies like this can operate across jurisdictions.”
And the Bureau was obliged to render a fine that made sense in the context, he said. “$9 million seems commensurate with the impact,” he said, adding the Bureau would lose all “credibility” if it based the fine on the American one, rather than coming up with a sum that reflects the effect of Facebook’s actions on Canadians.
“The Bureau can’t be arbitrary like that.”
Facebook’s reaction to government pressure over its privacy practices actually suggests a lot about what worries the company most. It’s not contesting the Bureau’s fine, even though it’s insisting that paying the fine doesn’t constitute acceptance of the Bureau’s conclusions.
“Our firm has been on both sides of these conflicts and, yeah, no one ever owns up to the conduct when they pay the fine,” said Binetti. “Without the $5 billion penalty, settling up with Canada might have been a business decision. But with that massive penalty, it looks more like Facebook just rolling with the expected knock-on effect of that earlier ruling.”
But Facebook is in court now pushing back against the OPC’s conclusion that it violated the Personal Information Protection and Electronic Documents Act (PIPEDA) by failing to ensure that third-party Facebook apps obtained clear consent from users regarding how their personal information was to be used. So far, the OPC’s activities haven’t cost the company any money — which indicates that curbing the OPC’s oversight is more important to Facebook than any mere fine.
“From Facebook’s perspective, it probably made sense to just pay the $9 million to swat this mosquito,” said Scassa. “The OPC and PIPEDA case is different, because there Facebook is challenging the jurisdiction of the OPC and its findings.
“PIPEDA is drafted quite broadly. The complainant doesn’t even need to be directly affected in order to file under PIPEDA. Who gets to file privacy complaints and where, and on what evidence, which facts are allowed to constrain the investigation — these are the things that matter more to Facebook than $9 million does.”
In other words, the outcome of Facebook’s conflict with the OPC could amount to the difference between being bitten by a mosquito and getting swarmed.