Last Thursday, Privacy Commissioner of Canada Daniel Therrien filed a notice of application with the Federal Court, setting into motion legal proceedings to hold Facebook accountable for sharing user data with Cambridge Analytica, who then used that data for targeted political messaging.
The notice of application follows a joint investigation into Facebook by the British Columbia and federal privacy commissioners in April 2019. The investigation found that Facebook violated several provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). Therrien made a series of recommendations that, if implemented, would require Facebook to change some of its practices in handling and sharing information. Facebook — which challenged the privacy commissioners’ jurisdiction to carry out the investigation in the first place — declined to implement the recommendations, indicating that it had already taken other steps to improve the protection of users’ personal information.
This court challenge highlights a major problem with Canada’s federal regime for personal data protection: while the commissioner can engage in a detailed investigation of an organization’s personal data-handling practices, he is limited to issuing a non-binding report of findings, which the organization may choose to ignore. Actual enforcement requires the commissioner to apply to the Federal Court for a court order. While such a process is contemplated under PIPEDA, it results in a de novo hearing. However, the hearing does not provide a review of the findings of the commissioner to determine if the ruling was reasonable or correct in law — instead, it is a brand-new proceeding in which the commissioner must bring evidence to satisfy the judge that PIPEDA was breached. This process seems to be not only a duplication of effort but also a long, slow, drawn-out approach to redressing breaches of privacy laws. It undermines the credibility of the law and the need for organizations to comply.
Some will argue that this process creates necessary distance between the commissioner (who wears many hats under the legislation) and the issuance of any binding orders. The commissioner provides privacy guidance to businesses and consumers, carries out audits and provides for mediation of disputes, along with a range of other functions. The law does not provide for a separate privacy tribunal, and binding order-making powers might raise concerns about due process.
Be that as it may, this application to Federal Court will only emphasize the fact that the privacy challenges we face in the rapidly expanding digital, data-driven economy have far outgrown the modest — even tentative — data protection framework that is PIPEDA. This is not news to anyone working in the area. Both the current commissioner and his predecessor, Jennifer Stoddart, have called for significant reforms to PIPEDA that would include new powers of enforcement. The House of Commons Standing Committee on Access to Information, Privacy and Ethics has also called for significant changes to the legislation (again, including enhanced powers of enforcement). And prior to the 2019 Canadian election, the government seemed on board with this agenda for reform. Its Digital Charter lists strong enforcement and real accountability as core principles.
In this context, the commissioner’s recent application to the Federal Court in relation to Facebook is privacy theatre. While Facebook is being called to account for its privacy practices, PIPEDA is also on trial. The Court will be asked to decide whether PIPEDA even applies to Facebook’s activities in this case, and if it does apply, whether the law was breached. If the Court finds a breach, it must craft an order —something an independent privacy commissioner should be empowered to do. Canada’s commissioner cannot craft such an order — adding to the drama.
Other countries have acted — and decisively — on this scandal, but Canada still winds along its path of weak enforcement. In the background, the mass collection and processing of personal data for big data analytics and the development of artificial intelligence gain headway, kept in check only by a broken data protection law and the clumsy props of a privacy pantomime.