Skip to main content

Business Commentary Thank Facebook for reminding us Canada’s privacy protection is utterly inadequate

It has long been an article of faith among privacy watchers that Canada features better privacy protection than the United States. While the United States relies on binding enforcement of privacy policies alongside limited sector-specific rules for children and video rentals (including digital), Canada’s private-sector privacy law (PIPEDA or the Personal Information Protection and Electronic Documents Act), which applies broadly to all commercial activities, has received the European Union’s stamp of approval and has a privacy commissioner charged with investigating complaints.

Despite its strength on paper, the Canadian approach emphasizes rules over enforcement, which runs the risk of leaving the public woefully unprotected. PIPEDA establishes requirements to obtain consent for the collection, use and disclosure of personal information, but leaves the Privacy Commissioner of Canada with limited tools to actually enforce the law. In fact, the not-so-secret shortcoming of Canadian law is that the federal commissioner cannot order anyone to do much of anything. Instead, the office is limited to issuing non-binding findings and racing to the federal court if an organization refuses to comply with its recommendations.

The weakness of Canadian law became evident this week when the federal and B.C. privacy commissioners released the results of their investigation into Facebook arising from the Cambridge Analytica scandal. The report details serious privacy violations and includes several recommendations for reform, including new measures to ensure “valid and meaningful consent,” greater transparency for users and oversight by a third-party monitor for five years.

Story continues below advertisement

Facebook’s response? No thanks. The social-media giant started by disputing whether the privacy commissioner even had jurisdiction over the matter. After a brief negotiation, the company simply refused to adopt the commissioners’ recommendations. As their report notes, “Facebook disagreed with our findings and proposed alternative commitments, which reflected material amendments to our recommendations, in certain instances, altering the very nature of the recommendations themselves, undermining the objectives of our proposed remedies, or outright rejecting the proposed remedy.”

The federal commissioner has indicated that he plans to take the case to federal court, where he will be forced to start from scratch by presenting sufficient evidence that Facebook violated Canadian law. Even with a successful claim, the law provides little in the way of penalties, with a newly established maximum of $100,000 for certain violations. By contrast, Facebook said this week that it has set aside US$3-billion in anticipation of U.S. enforcement penalties that could hit US$5-billion.

This is not the first time a major company has refused to comply with privacy commissioner recommendations. In 2015, Bell Canada initially rejected findings associated with its relevant advertising program that would have required customers to opt-out of behavioural tracking. After an avalanche of negative publicity, it reversed its position.

With companies seemingly free to reject privacy commissioner findings – Facebook earns more than enough revenue every 60 seconds to pay the maximum PIPEDA penalty – Canadians are left without effective privacy protection. Innovation, Science and Economic Development Minister Navdeep Bains touted changes to the law that added new penalties, but the reality is that Canadian law now badly lags behind other countries.

The obvious solution starts with granting the Office of the Privacy Commissioner order-making power and supplementing the law with penalties that would make companies think twice before ignoring PIPEDA.

The Office of the Privacy Commissioner was admittedly slow to recognize that the effectiveness of the law depends upon serious enforcement. In 2006, Jennifer Stoddart, then-federal privacy commissioner, told a House of Commons committee that order-making powers were not a priority. A year later, it took a federal court ruling to push a reluctant commissioner’s office to investigate foreign entities collecting personal information from Canadians.

Today, as global companies are on the verge of regarding Canadian privacy law as irrelevant and the European Union is increasingly likely to re-examine its decision to consider Canadian law “adequate” for the purposes of cross-border data transfers, the office has rightly become convinced that the law must be upgraded. That leaves the question of what more Mr. Bains and the government need to recognize that their vision of leadership in the digital economy is being undermined by privacy rules that leave millions of Canadians without effective and enforceable protection.

Story continues below advertisement

Michael Geist holds the Canada Research Chair in internet and e-commerce Law at the University of Ottawa, faculty of law. He can be reached at mgeist@uottawa.ca or online at michaelgeist.ca.

Report an error Editorial code of conduct
Tickers mentioned in this story
Unchecking box will stop auto data updates
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

Comments that violate our community guidelines will be removed.

Read our community guidelines here

Discussion loading ...

Cannabis pro newsletter