“It is
untenable that organizations are allowed to reject my office’s legal findings
as mere opinions. Facebook should not get to decide what Canadian privacy law
does or does not require.” [Canandian Privacy Commissioner Daniel
Therrien, 25 April 2019]
Facbook Inc. professes that it has taken steps to ensure the intregrity of political discourse on its platform, but rather tellingly will not roll out transparency features in Australia that it has already rolled out in the US, UK, Eu, India, Israel and Ukraine.
So it should come as no surprise that Canada issued this three page news release…….
Office of the Privacy Commission of
Canada, news
release, 25 April 2019:
Facebook refuses to
address serious privacy deficiencies despite public apologies for “breach of
trust”
Joint investigation
finds major shortcomings in the social media giant’s privacy practices,
highlighting pressing need for legislative reform to adequately protect the
rights of Canadians
OTTAWA, April 25,
2019 – Facebook committed serious contraventions of Canadian privacy laws
and failed to take responsibility for protecting the personal information of
Canadians, an investigation has found.
Despite its public
acknowledgement of a “major breach of trust” in the Cambridge Analytica
scandal, Facebook disputes the investigation findings of the Privacy
Commissioner of Canada and the Information and Privacy Commissioner for British
Columbia. The company also refuses to implement recommendations to address
deficiencies.
“Facebook’s refusal to
act responsibly is deeply troubling given the vast amount of sensitive personal
information users have entrusted to this company,” says Privacy Commissioner of
Canada Daniel Therrien. “Their privacy framework was empty, and their vague
terms were so elastic that they were not meaningful for privacy protection.
“The stark contradiction
between Facebook’s public promises to mend its ways on privacy and its refusal
to address the serious problems we’ve identified – or even acknowledge that it
broke the law – is extremely concerning.”
“Facebook has spent more
than a decade expressing contrition for its actions and avowing its commitment
to people’s privacy,” B.C. Information and Privacy Commissioner Michael McEvoy
says, “but when it comes to taking concrete actions needed to fix transgressions
they demonstrate disregard.”
Commissioner McEvoy says
Facebook’s actions point to the need for giving provincial and federal privacy
regulators stronger sanctioning power in order to protect the public’s
interests. “The ability to levy meaningful fines would be an important starting
point,” he says.
The findings and
Facebook’s rejection of the report’s recommendations highlight critical
weaknesses within the current Canadian privacy protection framework and
underscore an urgent need for stronger privacy laws, according to both
Commissioners.
“It is untenable that
organizations are allowed to reject my office’s legal findings as mere
opinions,” says Commissioner Therrien.
In addition to the power
to levy financial penalties on companies, both Commissioners say they should
also be given broader authority to inspect the practices of organizations to
independently confirm privacy laws are being respected. This measure would be
in alignment with the powers that exist in the U.K. and several other countries.
Giving the federal
Commissioner order-making powers would also ensure that his findings and
remedial measures are binding on organizations that refuse to comply with the
law.
The complaint that
initiated the investigation followed media reports that Facebook had allowed an
organization to use an app to access users’ personal information and that some
of the data was then shared with other organizations, including Cambridge
Analytica, which was involved in U.S. political campaigns.
The app, at one point
called “This is Your Digital Life,” encouraged users to complete a personality
quiz. It collected information about users who installed the app as well as
their Facebook “friends.” Some 300,000 Facebook users worldwide added the app,
leading to the potential disclosure of the personal information of
approximately 87 million others, including more than 600,000 Canadians.
The investigation
revealed Facebook violated federal and B.C. privacy laws in a number of
respects. The specific deficiencies include:
Unauthorized access
Facebook’s superficial
and ineffective safeguards and consent mechanisms resulted in a third-party
app’s unauthorized access to the information of millions of Facebook users.
Some of that information was subsequently used for political purposes.
Lack of meaningful
consent from “friends of friends”
Facebook failed to
obtain meaningful consent from both the users who installed the app as well as
those users’ “friends,” whose personal information Facebook also disclosed.
No proper oversight over
privacy practices of apps
Facebook did not
exercise proper oversight with respect to the privacy practices of apps on its
platform. It relied on contractual terms with apps to protect against
unauthorized access to user information; however, its approach to monitoring
compliance with those terms was wholly inadequate.
Overall lack of
responsibility for personal information
A basic principle of
privacy laws is that organizations are responsible for the personal information
under their control. Instead, Facebook attempted to shift responsibility for
protecting personal information to the apps on its platform, as well as to
users themselves.
The failures identified
in the investigation are particularly concerning given that a 2009
investigation of Facebook by the federal Commissioner’s office also found
contraventions with respect to seeking overly broad, uninformed consent for
disclosures of personal information to third-party apps, as well as inadequate
monitoring to protect against unauthorized access by those apps.
If Facebook had
implemented the 2009 investigation’s recommendations meaningfully, the risk of
unauthorized access and use of Canadians’ personal information by third party
apps could have been avoided or significantly mitigated.
Facebook’s refusal to
accept the Commissioners’ recommendations means there is a high risk that the
personal information of Canadians could be used in ways that they do not know
or suspect, exposing them to potential harms.
Given the extent and
severity of the issues identified, the Commissioners sought to implement
measures to ensure the company respects its accountability and other privacy
obligations in the future. However, Facebook refused to voluntarily submit to
audits of its privacy policies and practices over the next five years.
The Office of the
Privacy Commissioner of Canada plans to take the matter to Federal Court to
seek an order to force the company to correct its privacy practices.
The Office of the
Information and Privacy Commissioner for B.C. reserves its right under
the Personal Information Protection Act to consider future actions
against Facebook.
Related documents:
* Note: my yellow highlighting
Nor should this alleged 'mistake' made by Facebook cause surprise.......
SAN FRANCISCO — The New
York State attorney general’s office plans to open an investigation into
Facebook’s unauthorized collection of more than 1.5 million users’ email
address books, according to two people briefed on the matter.
The inquiry concerns a practice
unearthed in April in which Facebook harvested the email contact lists of a
portion of new users who signed up for the network after 2016, according to the
two people, who spoke on condition of anonymity because the inquiry had not
been officially announced.
Those lists were then
used to improve Facebook’s ad-targeting algorithms and other friend connections
across the network.
The investigation was
confirmed late Thursday afternoon by the attorney general’s office.
“Facebook has repeatedly
demonstrated a lack of respect for consumers’ information while at the same
time profiting from mining that data,” said Letitia James, the attorney general
of New York, in a statement. “It is time Facebook is held accountable for how
it handles consumers’ personal information.”…
Users were not notified
that their contact lists were being harvested at the time. Facebook shuttered
the contact list collection mechanism shortly after the issue was discovered by
the press…..
Facebook Inc's rapacious business practices has been the death of online privacy and now threatens the democratic process.