The controversy over Facebook and Cambridge Analytica was back in the spotlight in Canada as the Federal Court sided with Facebook and against the Privacy Commissioner of Canada in a decision arising from a 2019 investigation into the matter. The Privacy Commissioner ruled against Facebook in 2019, but Facebook disagreed with the findings, took the matter to court, and won. What lies behind the decision and what does it mean for privacy in Canada? My colleague Teresa Scassa, who holds the Canada Research Chair In Information Law, is widely regarded as one of Canada’s leading privacy law experts. She posted on the decision soon after its release and joins the Law Bytes podcast to talk about the ruling and its broader implications.
Post Tagged with: "cambridge analytica"
Canada’s Privacy Failure: Federal Court Dismisses Privacy Commissioner’s Complaint Against Facebook Over Cambridge Analytica
The Federal Court of Canada last week dismissed the Privacy Commissioner of Canada’s complaint against Facebook stemming from alleged privacy violations involving Cambridge Analytica. The Privacy Commissioner ruled against Facebook in 2019, but Facebook disagreed with the findings and took the matter to court. Last week, a court sided with the social media giant, concluding that the Privacy Commissioner did not provide sufficient evidence that Facebook failed to obtain meaningful consent when sharing information with third-party applications and rejecting a claim that Facebook did not adequately safeguard user information. The Cambridge Analytica case sparked investigations and complaints worldwide, leading to a $5 billion penalty in the U.S., significant settlements of private lawsuits, fines in the UK, and extensive new rules in the European Union. Yet in Canada, the case against the company has been dismissed, raising troubling questions about how it was handled and the adequacy of Canadian privacy law.
Does Canadian Privacy Law Matter if it Can’t be Enforced?
It has long been an article of faith among privacy watchers that Canada features better privacy protection than the United States. While the U.S. relies on binding enforcement of privacy policies alongside limited sector-specific rules for children and video rentals, Canada’s private sector privacy law (PIPEDA or the Personal Information Protection and Electronic Documents Act), which applies broadly to all commercial activities, has received the European Union’s stamp of approval, and has a privacy commissioner charged with investigating complaints.
Despite its strength on paper, my Globe and Mail op-ed notes the Canadian approach emphasizes rules over enforcement, which runs the risk of leaving the public woefully unprotected. PIPEDA establishes requirements to obtain consent for the collection, use and disclosure of personal information, but leaves the Privacy Commissioner of Canada with limited tools to actually enforce the law. In fact, the not-so-secret shortcoming of Canadian law is that the federal commissioner cannot order anyone to do much of anything. Instead, the office is limited to issuing non-binding findings and racing to the federal court if an organization refuses to comply with its recommendations.