Facebook’s use of Canadians’ personal data broke federal privacy law but Statistics Canada’s secret deal with TransUnion for access to personal banking information of 500,000 customers did not, according to Privacy Commissioner Daniel Therrien, who noted the stats bureau’s conduct raised “significant concerns”.
Therrien’s 2019 annual report concludes that outdated rules permitted StatCan’s surreptitious data-sharing deal – since halted, according to Therrien – and Facebook’s Cambridge Analytica scandal, and allowed Equifax’s massive data breach to go unpunished; all of which have compromised the privacy of millions of Canadians.
“It’s no longer whether laws should be modernized, but how,” Therrien said during a Tuesday press conference in Ottawa, highlighting how Canada’s two-decade-old regulations threatened not only fundamental privacy rights, but international trade and democracy itself.
“We have a crisis of trust,” he said of how obsolete laws have made the entire country vulnerable in an age of online banking, social media and instant communications.
“Terms and conditions are a less than a meaningful form of consent,” Therrien said of Facebook’s and other social media players’ shoddy privacy standards.
“And it’s untenable that Facebook is allowed to (view) my findings as mere opinions.”
In his report, Therrien describes the social media company’s privacy framework as “empty, and their vague terms were so elastic that they were not meaningful for privacy protection”, and is calling for “a set of enforceable rights and obligations” for data sharing.
“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning,” writes the Office of the Privacy Commissioner of Canada.
During his opening remarks and the following question and answer session with reporters, Therrien said our trading relations with the European Union and others could also be jeopardized without any corrective legislation.
“Canada’s laws were equivalent with European Union in 2000,” said Therrien, who said this standard would be reviewed by the EU next year.
“So that (trading) status at risk if Canadian laws are not updated and that would put trade exchanges at risk between Canada and the other countries.”
But the extended Q&A with reporters revealed how toothless Therrien’s office actually is, apart from the ability to name and shame, as the Office of the Privacy Commissioner did in its first annual data breach report at the end of October.
Among the Canadian banks, airlines and telecommunications firms obligated to report such breaches under the Personal Information Protection and Electronic Documents Act, there were 680 security hacks between Nov. 1, 2018, and Oct. 31, 2019, that exposed the personal information of more than 28 million people.
This included the Desjardins data breach that compromised the personal information of three million Canadian customers, including social insurance numbers, as well as a similar incident involving Capital One and as many as six million Canadian victims.
In Therrien’s annual report and during his press conference, the privacy commissioner said that Facebook basically ignored him and that there is nothing in the way of fines or quasi-judicial remedies for his federal office to levy against the social media giant or Equifax.
“Fines are part of the trick,” said Therrien, whose report recommendations also advise tightening rules on what Statistics Canada is permitted to do with personal information under the law.
“On the one hand, Statistics Canada and policymakers have a legitimate need to lawfully access data and to generate timely and up-to-date statistics to inform sound decision-making. On the other hand, individual Canadians are rightly concerned that there must be appropriate limits,” reads Therrien’s report.
“Its authority to collect personal information indirectly from private sector companies is outdated, allows for overly broad collection, and is unsuited for today’s world of big data analytics, where privacy concerns have taken on a new and ever-present dimension.”
While the Equifax breach impacted 19,000 Canadians and Facebook 600,000, to cap it all off, current federal law allows Statistics Canada access to your personal banking and credit union data – that’s sensitive information on tens of millions of Canadians – without your consent, and there’s nothing illegal about it.
“To their credit, Statistics Canada decided to suspend the project and work with us…to limit collection and the intrusiveness,” said Therrien, who earlier referred to the totality of banking data made available to StatCan as “highly sensitive…paint(ing) an intrusively detailed portrait of spending habits, lifestyles and private interests.”
In Canada, Equifax will face just six years of monitoring, while in the UK the company was handed the maximum $1 million (USD) fine for the same incident, and in the United States Equifax cut a deal with federal regulators that included spending $1.5 billion to upgrade its cybersecurity and practices.
As for Facebook, Therrien said the Privacy Commission is “heading to Federal Court” for an enforcement order against the internet firm “to correct its privacy practices”.