Privacy Commissioner of Canada Finds Facebook Broke the Law, But Regulators Are Powerless to Act Immediately

From the OPC’s press release:

Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians, an investigation has found.

Despite its public acknowledgement of a “major breach of trust” in the Cambridge Analytica scandal, Facebook disputes the investigation findings of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia. The company also refuses to implement recommendations to address deficiencies.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” says Privacy Commissioner of Canada Daniel Therrien. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.

“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning.”

David Carroll:

Report details use of [Facebook] Custom Audiences. This is crucial. It means illegal data models harvested from Facebook data were used to build user lists that were uploaded back into Facebook.

Michael Geist:

Facebook rejects Privacy commissioner findings it violated Canadian privacy law. Without order making power, Commissioner now has to go to the federal court to enforce the law.

The Commissioner has published its entire report, and it’s worth reading. It’s probably right for the court to decide what, if any, punishment Facebook should accept, but it’s shocking that they’re simply able to dismiss the findings of the report with no consequence.