The Facebook data scandal: How protected are Canadians?
When private companies abuse and misuse our personal data, Canada's laws are toothless — giving no power to the Privacy Commissioner to issue penalties or force compliance.
This article by our Victoria Henry was originally published by Rabble magazine.
"We are sorry."
This is what the head of public policy for Facebook in Canada has said in regards to the revelation that over 600,000 Canadians have had their privacy compromised and their data used by Cambridge Analytica.
When whistleblower Christopher Wylie revealed that Cambridge Analytica had inappropriately collected information from the Facebook profiles of more than 50 million users, he also showed the world the incredible scale of how social media companies and data brokers are harvesting and exploiting the private social media activity of millions of people around the world.
And it's shown us something else: how Canada's privacy laws have failed to protect us, and how they have no power to help us prevent something like this from happening again.
The law that governs our private data is called PIPEDA (the Personal Information Protection and Electronic Documents Act). It governs how private companies collect and use our personal information.
But when violations are found, the act is toothless: it gives no power for our Privacy Commissioner to issue penalties or force compliance. This means that companies have no incentive to comply, and if caught, suffer no real consequences. Political parties have a remarkable incentive to keep things as they are: they're exempt from the law, free to acquire, store and utilize your personal information however they wish.
And what's more, despite years of recommendations, our government had been stalling on implementing key fixes that could give our laws the teeth they need to take action on this. This includes things like implementing a data breach notification regime, putting an end to political parties being exempt from privacy laws, and providing actual powers to enforce compliance orders.
However, as pressure has increased from every direction following news of the data scandal, we're seeing the first signs of positive movement from our government.
The government has just pushed forward mandatory data breach disclosure rules that have been been delayed for nearly three years. We've also heard from the Acting Democratic Institutions Minister that he would be open to making changes to Canada's privacy laws, while the Privacy Commissioner has launched an investigation to find out if the data of any Canadians was compromised.
It's clear that there's an appetite for change -- but we must continue to push for a commitment to reform all the out-of-date parts of our privacy laws that are failing to protect us. With federal elections due in 2019, we need to safeguard our democracy and protect against undue influence stemming from online privacy violations.
What this scandal has really highlighted is how aggressive business models built on data harvesting, combined with deceptive marketing, which misleads users about their privacy options, lead to disturbing privacy violations like this.
Facebook's half-hearted apology to Canadians only makes it clearer that companies like this will never improve their practices unless the law compels them. With news of major data breaches coming almost every day now, it's time for the government to step up and give us all the protection we deserve.