Facebook Broke Canadian Privacy Law, Federal Watchdog Finds

“They told us outright they do not agree with our legal findings,” Canada's privacy commissioner said of Facebook.
Image: Flickr/Christoph Scholz

Facebook broke Canadian privacy law in relation to the Cambridge Analytica scandal and failed to address regulators’ recommendations, officials announced on Thursday.

Canada’s Office of the Privacy Commissioner (OPC) and its British Columbia counterpart found after a yearlong investigation that Facebook failed to obtain meaningful consent from users who engaged with a quiz app, and their friends, when the app culled data from 50 million people. They also found that Facebook’s safeguards for user information were inadequate, and that the company failed to be accountable.


Yes, Cambridge Analytica—the words echo down the halls of memory. The world has moved on, and Facebook’s own steady march of scandal has continued, since a whistleblower revealed in 2018 (after initial reporting in 2015) how a quiz app culled data from millions of users without their consent on the social network. The app collected information not just from users who engaged with it directly, but anybody in their network, which Facebook allowed. The data was later used by analytics firm Cambridge Analytica to help Donald Trump’s presidential campaign.

At the time, Facebook vice president and deputy general counsel Paul Grewal argued that “users who chose to sign up to his app, and everyone involved gave their consent.”

Only 272 Canadians directly used the quiz app, but it collected the data of 622,000 Canadians, the regulators found. During a press conference in Ottawa, they described Facebook’s privacy safeguards as “superficial and ineffective.”

“The protections offered by Facebook are essentially empty,” privacy commissioner Daniel Therrien said at a press conference on Thursday.

Now, the OPC plans to take the matter before a federal court, where it will seek a court order that will force Facebook to change its practices to protect users’ data. A federal court may also levy a fine on the company.

"After many months of good-faith cooperation and lengthy negotiations, we are disappointed that the OPC considers the issues raised in this report unresolved," Facebook told Motherboard in an emailed statement. "There's no evidence that Canadians' data was shared with Cambridge Analytica, and we've made dramatic improvements to our platform to protect people's personal information. We understand our responsibility to protect people's personal information, which is why we've proactively taken important steps towards tackling a number of issues raised in the report and worked with the OPC to offer additional concrete measures we can take to address their recommendations, which includes offering to enter into a compliance agreement."


This week, Facebook revealed in its first quarter earnings report that it is expecting to pay a $3 billion fine from the US Federal Trade Commission, an immense sum that amounts to just 6 percent of Facebook’s cash and securities on hand, the Verge noted. Canadians shouldn’t expect anything similar to come down on Facebook.

Therrien noted repeatedly during the press conference that Facebook, when approached by regulators about its violation of Canadian law, effectively disregarded them. Under Canadian law, the federal privacy watchdog does not have the power to make binding orders or hand out fines; they can only make recommendations and go through the courts.

“They told us outright they do not agree with our legal findings,” Therrien said. “For a company to be able to say to a regulator, ‘Thank you very much for your opinion, but we’re going to continue like we did before,’ is entirely unacceptable.”

Therrien was not optimistic about the fines Facebook might face as a result of the court process, noting that historically such fines have been “minuscule,” on the order of tens of thousands of dollars. Moreover, the court process is likely to take over a year.

“There’s no real conclusion; there’s no consequence to my finding that they’ve acted contrary to their accountability towards their users,” Therrien said.

Therrien stated that he believes his office should be given the power to make binding orders and impose fines on companies through an amendment to the Privacy Act, a refrain that the OPC has been repeating for years.

In the coming months, the OPC and its British Columbia counterpart are expected to reveal the results of an ongoing investigation into the activities of BC-based political consultancy firm Aggregate IQ, which was linked to Cambridge Analytica by whistleblower Christopher Wylie (the firm disputed this link).


Update: This story was updated with comment from a Facebook spokesperson.