In his appearance before the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on May 7, 2019, Daniel Therrien, the Privacy Commissioner of Canada, made another strong plea for changes to our Canadian privacy laws: “It is incumbent on the government to act to protect Canadians from online harms and to uphold trust and privacy in the digital realm.” While he is addressing the government, his comments are meant for Minister Bains of Innovation, Science and Economic Development (ISED), formerly known as Industry Canada.
Mr. Therrien also stated: “Under PIPEDA, organizations have a legal obligation to be accountable. But this principles-based law is quite permissive and gives companies wide latitude to use personal information.
Our investigation demonstrates Facebook’s lack of true accountability and the weakness of PIPEDA in forcing the company to be accountable. Canadians clearly cannot rely exclusively on companies to manage their information responsibly. It is not enough to ask companies to live up to their responsibilities.
Canadians need modern, rights-based legislation that will protect them when organizations fail to do so. Respect for those laws must be enforced by a regulator, independent from industry and government, with sufficient powers to ensure compliance.
As this Committee has recognized, I should be empowered to make binding orders and impose fines to incentivize organizations to follow the law. But even large fines may not be enough.
To address accountability concerns, PIPEDA should also authorize my office to proactively inspect the practices of organizations. This measure exists in the U.K. and several other countries.”
Despite the best efforts of the Office of the Privacy Commissioner over the past 10 years, Facebook has chosen to defy its recommendations, opting to take the revenue rather than do the right thing. Specifically, Mr. Therrien listed the following violations of Canadian law by Facebook: “
- failing to obtain meaningful consent of users to disclose their personal information to third party applications;
- disclosing the personal information of friends of users who installed applications without their knowledge or meaningful consent;
- failing to maintain adequate safeguards to protect against the unauthorized access, use, or disclosure of personal information;
- and failing to be accountable for the personal information in its control.”
Many privacy professionals believe monetary fines are not enough to change Facebook’s behaviour. The FTC is assessing how many billions to fine Facebook for similar activities in the USA, but it seems the revenues the company makes from this “bad behaviour” are substantial enough to withstand multi-billion dollar fines, globally. Privacy insiders state there are several major investigations within the EU community that will result in many more billions in violations. The limit of GDPR fines is 4% of Facebook’s global revenue. So far the EU has shown a determination to levy significant fines to force some of these large data plays to respect the individual’s right to privacy (see the CNIL fine of $57 million to Google regarding their Android account sign-up process, and that’s just the tip of the iceberg).
Clearly, technology is moving at a much faster pace than our legislators. Our privacy law here in Canada is from 2000. While some amendments have been made, clearly our Privacy Commissioner believes it is far too little, far too late.
What can we do? For starters, we should heed Mr. Therrien’s counsel. Then reach out to your Member of Parliament and ask them to ask Minister Bains why this government has been so slow to act. To quote Mr. Therrien: “It is incumbent on the government to act to protect Canadians from online harms and to uphold trust and privacy in the digital realm.”