The Application against Facebook for Privacy Breaches
Organizations governed by the Personal Information Protection and Electronic Documents Act (“PIPEDA”)[i] should monitor the application recently filed against Facebook by the Privacy Commissioner of Canada (the “OPC”). As a result of this application, there may be serious consequences for organizations both for failing to collect and use personal information of users in a manner consistent with PIPEDA and for failing to implement effective measures to obtain meaningful consent from those users.
On February 6, 2020, the OPC filed in the Federal Court a Notice of Application seeking, among other things, a declaration that Facebook contravened PIPEDA. The OPC’s application follows its investigation, jointly conducted with British Columbia’s Information and Privacy Commissioner, which found major failings in Facebook’s privacy practices. They conducted the investigation after the OPC received a complaint that Facebook had allowed an organization to use an application to access users’ personal information and then share that information with other organizations, including Cambridge Analytica.
The OPC and the Privacy Commissioner for British Columbia found that Facebook failed to do the following:
- Obtain valid and meaningful consent of installing users;
- Get meaningful consent from friends of installing users;
- Have adequate safeguards to protect user information; and
- Be accountable for the user information under its control.
Facebook not only has disputed the findings of the investigation but also has declined to implement the recommendations. The OPC’s application seeks, among other things, the following:
- An order requiring Facebook to specify the technical revisions, modifications, and amendments to be made to its practices to achieve compliance with PIPEDA;
- An order that the Court retain jurisdiction for the purposes of ongoing monitoring and enforcement;
- An order requiring Facebook to publish a public notice of any action taken or proposed to be taken to correct its practices that contravene PIPEDA.
Organizations governed by PIPEDA must monitor this application to see what, if any, remedies the Court is willing to issue to enforce compliance with PIPEDA, and whether the Court is willing to use extraordinary compliance and monitoring functions, by ordering changes to legal and technical elements of an organization’s privacy practices and by supervising, monitoring, and enforcing court-mandated compliance measures. If the Court is willing to make such orders, this will enhance the OPC’s enforcement powers under PIPEDA, allowing it to better fulfill its supervisory role. Moreover, this should cause organizations to be proactive in making sure their privacy practices are in full compliance with PIPEDA.
[i] S.C. 2000, c. 5