Canada’s weak privacy law is foundering on the Cambridge Analytica scandal. The conditions imposed by the Canadian federal data protection commissioner on Facebook operator Meta Platforms are void, a Canadian federal judge has ruled. He awarded Meta 80,000 Canadian dollars for legal costs.
The data misuse by Cambridge Analytica, which became known in 2018, is one of the biggest scandals in Facebook’s history. The now bankrupt British company Cambridge Analytica had illegally obtained data from 87 million Facebook users: it had published a “survey” app called thisisyourdigitallife (TYDL), in which some Facebook users took part. But because of the data company’s privacy settings at the time, Cambridge Analytica also got access to information from their Facebook friends. This data was subsequently misused for manipulative political campaigns.
When this became known, Facebook, whose management sees itself as a victim in the data scandal, came under massive criticism and promised improvements in data protection. Various proceedings followed; in the USA, Facebook had to pay a fine of five billion US dollars, the highest fine in the history of the US trade authority FTC (Federal Trade Commission). A class action lawsuit in the country resulted in a $725 million settlement from Meta. In Great Britain, the company received the measly maximum fine of half a million pounds; in Italy, the fine was 1.1 million euros.
Weak recommendations overturned
In Canada, the federal data protection commissioner OPC (Office of the Privacy Commissioner) could not impose a fine, but only make recommendations. Facebook was asked to:
- Restrict third-party access to unnecessary data
- Inform users about what information an application needs and for what purpose
- and obtain user consent for the transfer of that data.
Meta resisted even these minimal requirements, with astonishing success. According to the federal court’s ruling, the data protection commissioner’s office has not proven that Facebook failed to obtain effective user consent. There was, the court said, a “vacuum of evidence”. This assessment is surprising, since Facebook claims to have been duped by Cambridge Analytica itself. If Facebook doesn’t know what data was copied for what purpose, it’s hard to see how it could have obtained effective consent from its users.
Second, under Canadian data protection law, Facebook is under no obligation to protect user data once it is transferred to a third party. The judge does not shy away from criticizing the existing law: It is up to the legislature to create “well thought-out and balanced laws that address the challenges posed by (…) the digital sharing of personal data”. The court can only apply existing law that applies to social networks in the same way as it does to local car dealers.
The case is called Privacy Commissioner of Canada v. Facebook and was decided by the Federal Court in Ottawa on April 13 under case number 2023 FC 533.
Half-baked amendment in the works
The Canadian data protection commissioner cannot impose penalties himself, but can only apply to the court for them. The upper limit is currently a meager 100,000 dollars (approx. 68,000 euros), which data companies like Meta Platforms would not notice.
A bill called Bill C-27 is currently before the Canadian federal parliament. It is meant to improve data protection, significantly increase possible fines and open up the possibility of lawsuits against sloppy companies. However, those affected would only be able to sue if Canada’s data protection commissioner or a new data protection tribunal has already found that data protection law has been violated.
Such a determination can take years, as the present case shows. And consumers cannot force such an investigation. If Canada’s data protection commissioner has no capacity or desire to deal with a specific case, the victims will not be able to take legal action, even after the planned amendment to the law.
(ds)