Facebook chose not to notify Canada’s Federal Privacy Commissioner. As a result, outside of a strongly worded letter, there isn’t any consequences.
A privacy incident at Facebook has left millions of users vulnerable. In response, Canada’s Privacy Commissioners chose to investigate and found that Facebook had violated Canadians privacy laws. You might be thinking that those events happened recently. However, this occurred back in 2019. What happened after seemingly set the tone that many privacy advocates had been hoping Canada would make.
The follow-up to that incident was that the Privacy Commissioners issued a letter saying that Facebook has not taken adequate steps to rectify the privacy concerns that they put forward. The response from Facebook? It basically amounted to “bite me”. Given how toothless Canada’s privacy laws are when it comes to holding corporations to account, the Commissioners had effectively run out of options in their official roles. As a result, they had to step out of their roles and sue Facebook as individual citizens. We haven’t really heard a thing since then.
The problem is abundantly clear now as it was back then: Canada’s privacy laws need reform badly. If a corporation violates privacy laws, outside of a few headlines and strongly worded letters, there is no recourse legally speaking. By April of 2019, every political party agreed that changes to the law are needed. While the horse had long left the barn back then in terms of Canada taking a role as leader of the world thanks to the passage of the GDPR a year earlier, Canada could at least make an attempt to keep up with the rest of the world on this front.
In November of 2020, Canada finally introduced badly needed privacy reform laws. It came in the name of Bill C-11 or the Consumer Privacy Protection Act. While some are not thrilled by some of the details, it gave the Privacy Commissioner new powers including the ability to actually levy fines against companies that violate privacy laws. This really represented a breath of fresh air for Canadians because, finally, the Canadian government seemed to be acting on something that was needed long ago.
Then… nothing.
Faced with questions about why the legislation has stalled so severely to the point where debates weren’t even scheduled, Canada’s Innovation Minister, François-Philippe Champagne, blamed the opposition for a lack of movement on the legislation. Ever since, it’s been nothing but canned responses about how he and the Canadian government are committed to reforming privacy laws and moving the bill forward. Unfortunately, the actions told a much different story and it has left privacy advocates, at minimum, significantly disappointed.
Now, we are seeing yet another significant privacy incident at Facebook where 533 million users were compromised. A number of those users were, in fact, Canadian. Facebook not only chose not to alert various regulators around the world about it, but also chose not to notify users about it as well. In some parts of the world, there is enough there to find violations of the privacy law.
A report on the National Post notes that Canada’s Federal Privacy Commissioner was not notified of the latest incident. From the report:
The federal privacy commissioner’s office hasn’t heard from Facebook regarding a massive global data leak that looks to have included 3.49 million Canadian accounts, and is “actively following up with the company,” according to a spokesperson.
Gal said 3.49 million Facebook users in Canada were affected. Canada’s privacy law requires organizations to report breaches to the federal privacy commissioner, and notify affected individuals, for breaches “involving personal information that pose a real risk of significant harm to individuals.”
The report goes on to quote several people who note how Canada has dragged its feet on privacy reform even though Canadian officials say they are committed to meaningful privacy reform. Of course, the lack of debate and lack of sending the legislation to committee means that very little has been done to move the legislation forward.
It does lead to the question of what would the situation look like in Canada if the government’s actions kept up with their comments about being committed to privacy reform? Ideally, we would be well within the debate periods. We might be seeing witnesses coming forward to debate the law in committee. There might be more coverage to discuss the nuances of the law and whether provisions would actually hold corporations to account or not. Amendments could be proposed for the legislation as well at this stage. It might be quite unrealistic to expect the legislation to become law, but that doesn’t mean it couldn’t be further along than it really is at this stage.
Then, with this latest incident, it would not only highlight the need for reform, but also highlight any possible holes or weaknesses in the law as well. At any rate, it would highlight, yet again, why these reforms are sorely needed and further motivate people to get these laws passed.
Unfortunately, we are not in that timeline. Instead, we have a government who can’t be bothered to move this legislation forward. Instead, the most they will do is pay lip service to the legislation when asked before simply walking away from it all.
Because of that, we are left to discuss how Canada just can’t seem to get its act together. Europe came together already and passed their GDPR laws. The United States can be very touch and go when it comes to privacy violations. Sometimes, officials can effectively let companies off the hook. Other times, they can actually show that they are capable of laying down the law. In fact, it was non other than Facebook who was hit with a record $5 billion fine from the FTC back in 2019 over the Cambridge Analytica scandal.
Other countries around the world are capable of handing down fines, though it can be debatable whether the fines are really a deterrent or not. Examples include Brazil fining Facebook $1.6 million and Turkey fining Facebook $270,000. For so many other parts of the world, the debate is focused on whether or not the current laws are a sufficient deterrent for companies or not.
Meanwhile, back in Canada, Commissioners and the government simply do not have any capability of laying fines against companies at all. Sure, the current legislation was unlikely to become law to make it in time for this latest incident, but at least Canada could say, “hey, we are working on it at least.” As things stand now, Canada can’t even go so far as to say that reforms are happening. Instead, the conclusion is that Canada can’t even bother to get their act together on this file.
At best, Facebook faces a potentially strongly worded letter from the commissioners. Who knows? Maybe the commissioners might use a bold faced font. If they are really upset with Facebook, they might even break out the red font as well part way through. It might make a few headlines and Facebook can simply ignore it all. The letters might head straight to the trash folder or paper shredder if it’s sent in physical form. If Facebook learned anything from the last incident, it’s that there are no consequences for ignoring the law and doing whatever they darn well please.
Until Canada actually starts giving an expletive about their citizens and actually advance privacy reform laws, nothing is going to change. Corporations will notice that you can simply ignore officials who are telling you how you violate privacy laws and nothing will come of it and, eventually, follow suit. As a result, it will leave Canadians to continue to pay the price for the negligence of both the government and the corporations.
Drew Wilson on Twitter: @icecube85 and Facebook.
