A judge has dismissed the Facebook Cambridge Analytica lawsuit in Canada. Does Canada really have enforceable privacy laws at all?
Canada has privacy laws, but it appears that those privacy laws are there in name only. Time and time again, when there is a significant privacy incident of any kind, the outcome always show what a joke Canada’s privacy regime is. It’s always the same: the company that clearly broke the privacy laws get a finger waggle, a strongly worded letter, and told “don’t do that again.” After that, the company gets a pat on the head and sent on its way. As far as the regulation is concerned, the law was enforced. So what if lives got ruined because of negligence, the strongly worded letter got sent! What more do you want?
If you want a great example of why Canadian privacy laws have failed, look no further than the Cambridge Analytica scandal. In 2018, a company known as Cambridge Analytica began scraping Facebook for information without users permission. This while working with Facebook on their campaign. Afterwards, that information was used to micro-target users and gave a massive assist for Donald Trump’s election as well as helped make Brexit happen. The evidence of wrongdoing was obvious and other countries had no problem not only taking Facebook to court, but also fining the company for its role in the whole affair.
In Brazil, for instance, Facebook was fined $1.6 million. In the US, the FTC fined Facebook a record breaking $5 billion. The fines and settlements cropped up all over the world. Privacy violations were clear. Even in the US where there is, at best, a patchwork system in place to enforce privacy rules, regulators found a way to lay down the law.
So, you would think with a case so obvious, that something would happen over the Cambridge Analytica scandal here in Canada. Well, if Canadians were hoping that justice would be served in this country, they were in for a massive disappointment. A judge has sided with Facebook and dismissed the lawsuit. From the CBC:
A judge has dismissed the federal privacy watchdog’s bid for a declaration that Facebook broke the law governing the use of personal information in a case flowing from the Cambridge Analytica affair.
In his ruling, Justice Michael Manson says the privacy commissioner has not shown that the social media giant failed to obtain meaningful consent from Facebook users or neglected to adequately safeguard their information.
A 2019 investigation report from then-federal privacy commissioner Daniel Therrien and his British Columbia counterpart cited major shortcomings in Facebook’s procedures and called for stronger laws to protect Canadians.
The probe followed reports that Facebook, now called Meta, let an outside organization use a digital app to access users’ personal information, and that data was then passed to others.
Facebook argued that its network-wide policies, user controls and educational resources amounted to reasonable efforts under PIPEDA. It also criticized the commissioner’s suggestion that it manually review each app’s privacy policy as impractical, as it would require legal staff to examine millions of documents.
Manson said the court was left to “speculate and draw unsupported inferences from pictures of Facebook’s various policies and resources as to what a user would or would not read; what they may find discouraging; and what they would or would not understand.”
As a result, the commissioner failed to meet the burden of establishing that Facebook breached the law concerning meaningful consent, he wrote.
Manson also agreed with Facebook’s argument that once a user authorizes it to disclose information to an app, the social media company’s safeguarding duties under PIPEDA come to an end.
The idea that the end user simply agrees to a terms of service means that a company is absolved of all legal liability is stunning. This is not how contract law is supposed to work. Like, you legally can’t create a contract to have someone murder someone else. When a contract breaks the law, the contract is no longer legally binding. The person who crafted the contract to have someone murder is legally liable for his actions. Likewise, just because Facebook got a terms of service agreed to by the user doesn’t automatically absolve Facebook of all wrongdoing.
The real nails on chalkboard part in all of this is that it all comes back to the Canadian privacy law, PIPEDA. If an end user license agreement is all it takes to absolve a company of its legal obligations, then that is a clear signal that Canada’s privacy laws need immediate changing. Unfortunately, with the Canadian government dragging its feet on Bill C-27, that isn’t likely to happen any time soon.
All of this really leads to one question: does Canada really have enforceable privacy laws? The Cambridge Analytica outcome is a great example of maybe Canada doesn’t have real enforceable privacy laws, but it is far from the only one. Whether it is the Tim Hortons scandal, the Home Depot scandal, the Desjardins breach, the RCMP’s use of Clearview AI, or others, the evidence has been clear for years that Canada really doesn’t have anything in the way of enforceable privacy laws at all. The only sensible conclusion in the end is the idea that Canada really only has privacy laws in name only. Canada well and truly is nothing more than a doormat to anyone to waltz in and do whatever they want with people’s personal information. Is there really any consequences from a government enforcement side of things? Not really.
Drew Wilson on Twitter: @icecube85 and Facebook.
