Evidence of meeting #147 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session.

3:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

As for the complaints as such, as I explained, the budget should allow us to eliminate most if not all of the current backlog. We expect to reach a point of equilibrium within two years if the number of complaints and their complexity remains about the same.

I am hopeful that new private and public sector laws will have been adopted in the next two or three years. We will be able to assess the resources that are needed to process the complaints filed under those new laws once we know the tenor of the legislation and the responsibilities they bring.

In short, I think that the funding allocated to us in the budget, if it is confirmed by Treasury Board, will allow us to manage our backlog by the time the new law is implemented in two or three years.

3:45 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

In your presentation you mentioned that the number of complaints had increased fivefold. Was there a triggering element? Are the new complaints like the others, or are they more varied?

3:45 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

It is, more specifically, the number of privacy breach reports that has gone up by a factor of five. That increase is attributable to the coming into effect, on November 1, 2018, of a regulation obliging companies to disclose any important privacy breach.

The number of regular investigations following complaints of violations of the Personal Information Protection and Electronic Documents Act, which applies to private sector organizations, has not increased as much.

Now that that regulation is in effect, the annual number of reports should ultimately stabilize over the years.

3:45 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

We are holding back the questions we'd like to ask on Facebook because we will be getting back to that file later.

Is it your opinion, however, that Canadians are more worried about the protection of their privacy now than before? The Facebook issue seems to have made people more aware of this reality. Is that true? Have you noticed a difference?

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Surveys show that the level of concern has always been quite high. That said, I think that Canadians and people throughout the world have indeed become more concerned over these past years.

The Facebook and Cambridge Analytica affair certainly played a role in that. That serious incident showed that the consequences of privacy breaches were not just theoretical, but could be quite concrete. In this case, the integrity of the electoral process was affected.

The protection of privacy and personal information is a notion that can be relatively theoretical and abstract. But in the Cambridge Analytica case the results were very concrete, and that increased Canadians' level of concern.

3:50 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you, Mr. Therrien.

We will get back to Facebook later.

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Of course, Mr. Gourde.

3:50 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you.

Next up, for seven minutes, is Mr. Angus.

3:50 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you, Mr. Chair.

Thank you, Mr. Therrien, for coming before us.

You will be going to Federal Court with one of the most powerful corporations in the world. I think the maximum Canadian fine is something that I was told Facebook makes in about 60 seconds. Facebook is going to want to spend whatever it takes to defeat you in court.

In your legal presentation, will you have to be drawing on your existing budget, or will the justice department cover the extra costs of ensuring the people of Canada are well represented in court?

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We will pay for our legal costs and fees through our budget. We have a team of lawyers, some of whom plead, but we often rely on outside counsel as well, for cases in the Supreme Court, for instance. This is a very important case, and I will draw on our budget to be successful. My intent, obviously, is to be successful, and to have the court declare that Facebook violated PIPEDA. The company has treated our findings as a legal opinion. They will not be able to ignore the findings of the Federal Court, and the court's order will be binding on Facebook.

You might say that the fine will be inconsequential. Perhaps it will be, but there will be an order, we hope, at the end of that process, and that order cannot be ignored. There might be consequences other than monetary to disobeying a court order.

3:50 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

My concern is in making sure that you have the resources. I've been on this beat for about eight years, and the various offices of Parliament come before us and talk budgets. There are always constraints and limitations, but in your office, it seems to me, the mandate is changing—it's dramatically different. The Commissioner of Lobbying has always dealt with dodgy questions of lobbying here and there; the Ethics Commissioner deals with what is dealt with there. I have nothing against their work. It's very important work, but it would seem to me that.... This office was created in 1977. The Privacy Act was passed in 1983 for the public sector, and then PIPEDA was passed in 2000.

When I came on this file, your office would be dealing with lost hard drives and USB sticks, and the breaches tended to be corporate mistakes. These were questions of corporate governance, the lack of protocols in the office. What we're dealing with is the emergence of surveillance capitalism, and it's a very different beast, where there's a direct corporate interference in the lives of citizens, which is profoundly undemocratic, by companies that have enormous powers.

I'm getting to my point in a roundabout way. Is your role transforming from a regulator to an investigator? If that is the case, should we be rethinking how the office works and what your tools are? To ensure the privacy rights of Canadians in this world that is emerging around us, are the old tools sufficient?

3:50 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

They're clearly not sufficient. I've said this a number of times. I think Facebook is a perfect illustration of the fact that the current tools that we have are insufficient. I cannot make binding orders, contrary to many other data protection authorities across the world, but I can bring them to court. One could be concerned about whether we have sufficient resources to fight equally with a company that size in court. It's a fair question, but the federal budget has reserved not inconsequential sums of money for us. I will use them, and the Facebook Federal Court matter will be a priority. If I see that I need more resources to have success, I will not hesitate to ask this committee, Parliament and the government for additional funds. We're not there yet.

3:55 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Right.

I think what really surprised our committee when we started to delve into this case with the Cambridge Analytica scandal was how complex it was, how difficult it was for our parliamentary committee to get answers. You're dealing with, basically, dark data by people who work in a very different realm from ours in what we do as legislators.

Christopher Wylie had stated that he felt that the U.K. ICO was very unprepared when it came to taking on Cambridge Analytica, because it did not have the experience of knowing how these players operated. Fortunately, the ICO in the U.K. did an excellent report.

Putting it to you, in terms of the changing world we're dealing with of surveillance capitalism and particularly data mercenaries, some of whom we brought here, do you have the resources that are necessary to actually be able to play in that milieu, of having the technical people, the people who know how the hard drives are being misused, how data's being moved around? It's in a very different realm than anything we've dealt with in the past.

3:55 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I approached this incrementally.

The first point of order is that the law needs to change so that we have the right tools, the right legal tools, to ensure compliance by corporations. That won't happen immediately, but my hope is certainly that within a very few years this will happen. Then, at that point, there needs to be a discussion around the resources necessary to make that system work.

With the sums reserved for us in the federal budget, I think there's a.... I asked for more, but we received a not inconsequential sum of money to bridge us toward this new legislation, which I hope will be adopted within a couple of years. I'm fairly optimistic.

Do we have all of the tools we need, including resources? No, and choices have to be made. You're right to point out that, as with any other regulator, because of the exponential changes to technology and the digital economy, we have many issues and companies to monitor and look at, and we need to make choices. We cannot go after all problems—even serious—but the resources that were given in the budget will certainly make an important difference. Let's have a discussion around what the shape of the new legislation should look like, and then we can talk about the necessary resources.

As a comparator, I would say that with the new funding our size would be similar to that of large European data protection authorities, but much smaller than the U.K. Information Commissioner's Office. What is the right size is a question for discussion.

3:55 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you.

We'll move into the second part of our meeting, pursuant to Standing Order 108(3)(h), on the study of a joint investigation of Facebook Incorporated by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia.

We again have with us Commissioner Therrien. We also have with us Brent Homan, deputy commissioner, compliance sector.

Go ahead for 10 minutes.

4 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

Thank you.

You have a statement from me on Facebook. I'll use it liberally.

As to the conclusions of our study, we found that Facebook violated privacy on a number of counts, including the rules on obtaining meaningful consent.

We studied two groups of Facebook users. The first was made up of users who installed third-party apps. As far as they were concerned, Facebook counted on the privacy policies of app developers to see to it that users' privacy would be respected. However, when we dug a little to see if those policies had any substance, we found that Facebook did not in fact verify whether app developer policies protected privacy properly. That is one example we found of Facebook's lack of responsibility.

Facebook has direct obligations under PIPEDA, the Personal Information Protection and Electronic Documents Act. When that company discloses information to a third party application, it is unacceptable that Facebook counts on the other company's privacy policies to respect its own obligations, which are independent. There is, consequently, a breach of privacy in that instance.

The other type of user we studied included the friends of Facebook users who installed third-party apps. When people joined Facebook, according to Facebook, they consented to the disclosure of their own information when friends installed third-party apps. The friend of the user was thus considered, according to Facebook, to have given consent to some unknown action that could take place years later, for unknown purposes. That is the very opposite of informed consent. One of our conclusions was that informed consent was not obtained.

Ultimately, our final conclusion was that Facebook breached one of the PIPEDA principles, which is that companies that collect and use personal information are responsible for the management of that information. We feel Facebook's main transgression is that it shifted its responsibility onto the users or the third-party app developers it dealt with.

Facebook even challenged our conclusions. Among other things, and in a fundamental way, it challenged our assertion that when a user uses a third-party app, Facebook discloses information to that app. According to Facebook, the transfer of information from Facebook to the third-party apps was not a disclosure on its part. It characterized this as making information available at the request of its users.

Once again, we see that Facebook is sloughing off its responsibilities. It claims that it is up to others to be careful, whereas we are of the opinion that Facebook has a legal responsibility to obtain informed consent if information is disclosed.

Among the matters we will be submitting to Federal Court is this fundamental issue: does the fact that Facebook transfers information to third-party apps constitute a disclosure under the law, or not? We believe it is quite clear that the answer to that question is yes.

Another thing I would insist on is the difference between Facebook's actions and its statements; it says that it wishes to adopt a position that is favourable to protecting privacy, and that it wants to work with governments and regulatory agencies to better protect the privacy of its users. All of that is good, but in reality, we saw exactly the opposite. Facebook stated that it wanted to work to further the respect of users' privacy with the regulatory agencies, and so on. However, we had some conclusions to present to it, and recommendations to ensure the company would comply with federal legislation. In the final analysis, the result of our discussions with Facebook, which lasted a few weeks, was that it rejected our legal conclusions as well as our recommendations.

That is exactly the opposite of the official position Facebook puts out, which is that it wants to work to ensure the protection of privacy with the regulatory bodies.

Very briefly, Facebook, in our view, violated PIPEDA with respect to consent. We think the main violation is with respect to its lack of accountability. PIPEDA's first principle is that companies have a legal obligation to be accountable for the way in which they handle the personal information of those from whom they collect information. They did not comply with that fundamental obligation. At the end of the day, they refused our findings, point one and point two, our recommendations. I think it is untenable that the law is such that this is our current state of affairs.

A company should not be able to say to a regulator, after the regulator has done serious work to look at the practices of the company, “Thank you very much, but we disagree. We don't think we are disclosing information to third party applications. We think they are making that information available at the request of our users, therefore we, Facebook, think that you're incorrectly applying PIPEDA.”

It is completely unacceptable and untenable that as a regulator I am in that position and that my decisions are not binding on the company. That's the plea that I'm making to you. I know you have agreed with our office in the past that we need stronger enforcement powers to make sure that companies do comply with the law. I have to, in this forum, underline how unacceptable it is that we at the OPC are in that situation as we speak and that we have to go to court to ensure that this company is under an order to comply with the law.

4:05 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Commissioner.

I will start off first of all with Mr. Erskine-Smith for seven minutes.

4:05 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Thanks very much, Commissioner, for the work of your office and the work of the B.C. commissioner's office.

I want to start by quoting Mr. Zuckerberg. Recently, at an F8 developers conference, he said:

Now look, I get that a lot of people aren't sure that we're serious about this. I know that we don't exactly have the strongest reputation on privacy right now, to put it lightly. But I'm committed to doing this well.

The future is private.

Then I read from your report, and you say:

We are disappointed that Facebook either outright rejected, or refused to implement our recommendations in any manner acceptable to our Offices. This is particularly troubling given Facebook’s public commitments to work with regulators and rectify the “breach of trust” associated with these events.

In a different part of the report, you say:

We were disappointed that Facebook repeatedly failed to meet submission deadlines for the voluntary requests and provided incomplete or deficient responses to several of our questions, certain of which remain unanswered.

We have comments in your report and we have recent comments from Mr. Zuckerberg. Is there any reason to have confidence that Facebook is taking privacy seriously?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

We have not seen it in the context of the investigation we have concluded. They have told us publicly, “We want to work with you. Facebook wants to work with you, the regulator, OPC. Let's try to work together.” At the end of the day, they reject the legal conclusion and the recommendations.

4:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

When they have the opportunity to act consistently with the words they are providing to this committee and to your office, their actions fall well short of their words. Is that fair to say?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

4:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

We have the FTC talking about fining Facebook over breaches of privacy, and breach of a previous agreement with the FTC. Facebook has potentially set aside, ready to pay, $5 billion.

We have the U.K. Information Commissioner levying a 500,000-pound fine. She said, “We consider these contraventions to be so serious, we imposed the maximum penalty under the previous legislation. The fine would inevitably have been significantly higher under the GDPR.” You are able to levy a fine in the amount of—

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

I'm unable to levy any fine.

4:10 p.m.

Liberal

Nathaniel Erskine-Smith Liberal Beaches—East York, ON

Isn't that interesting?

4:10 p.m.

Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada

Daniel Therrien

After being asked to review the matter de novo—not our report, but the matter de novo—the court could certainly make a declaration, if it agrees with our position that Facebook violated PIPEDA. There could be damages that historically, in the Federal Court, have been in the tens of thousands of dollars.