On April 25, 2019, the Office of the Privacy Commissioner of Canada (OPC) released the findings of its investigation into Facebook Inc.’s (Facebook) disclosure of its users’ personal information to third-party applications (Apps), which later used the information for targeted political messaging. The OPC conducted the investigation jointly with the Office of the Information and Privacy Commissioner for British Columbia.

The OPC’s investigation focused on three general areas of concern:

  1. consent of users, both those who installed an App and their friends, whose information was disclosed by Facebook to Apps;
  2. safeguards against unauthorized access, use and disclosure by Apps; and
  3. accountability for the information under Facebook’s control.

The OPC found that Facebook failed to obtain valid and meaningful consent from its users. Facebook relied on Apps to obtain consent from users for its disclosures to those Apps, but Facebook was unable to demonstrate that it made reasonable efforts to ensure that the Apps actually obtained meaningful consent for Facebook’s purposes.

The OPC found that Facebook had inadequate safeguards to protect user information. Facebook relied on contractual terms with the Apps to protect against unauthorized access to users’ information, but had in place only superficial, largely reactive monitoring to ensure compliance with those terms.

The OPC also found that Facebook failed to be accountable for the user information under its control. Facebook effectively shifted responsibility for personal information under its control almost exclusively to users and Apps.

In light of these findings, the OPC made several recommendations for Facebook to implement to bring itself into compliance with the Personal Information Protection and Electronic Documents Act and British Columbia’s Personal Information Protection Act. As Facebook has so far refused to implement these recommendations, the OPC plans to take the matter to Federal Court to seek an order to force the company to correct its privacy practices.

Summary By: Jae Morris

E-TIPS® ISSUE

19 05 01