Facebook violated the privacy of Canadians when it failed to ensure third-party apps obtained the clear consent of users – and their friends – on how their personal information would be used, privacy watchdogs say.

The company faces the possibility of billions of dollars in fines in the United States, and has already been fined £500,000 ($870,000) in Britain for those lapses.

But the federal regulator said it does not have the power to levy such penalties, and will ask the Federal Court to force Facebook to comply with privacy laws, a process that could require more than a year and lead to fines in only the tens of thousands. The federal and B.C. privacy watchdogs called on Canadians to tell governments to give them the teeth to act themselves.

Federal Privacy Commissioner Daniel Therrien launched the investigation in March, 2018, in response to an international scandal over misuse of Facebook data by the British political consulting firm Cambridge Analytica. The scandal involved a third-party Facebook app called This Is Your Digital Life that was promoted as a personality quiz, but was used to scoop up the personal data of users and their Facebook friends. The data were then compiled into psychological profiles to tailor political messages in international campaigns, including the 2016 vote in the United Kingdom on leaving the European Union and the most recent U.S. presidential election.

B.C. Information and Privacy Commissioner Michael McEvoy joined the investigation because Cambridge Analytica had links to a Victoria company.

The unauthorized use involved 87 million Facebook users worldwide. Facebook said last April it believed more than 622,000 Canadians were affected, but now says that figure was too high. The report says Facebook took the position that the Cambridge Analytica issue is not connected to Canada and is outside the jurisdiction of Canadian privacy authorities.

The report’s main findings are that Facebook broke several federal privacy laws by failing to ensure the third-party apps obtained clear consent regarding how personal information would be used. It also found the company’s safeguards for protecting personal information were inadequate and that it failed to demonstrate accountability for the user information under its control.

“Facebook’s refusal to act responsibly is deeply troubling, given the vast amount of sensitive personal information users have entrusted to this company,” Mr. Therrien told reporters at a news conference in Ottawa on Thursday. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.”

He said it is too late for the current Parliament to act, but hopes that the next government will quickly give his office the powers it needs after the election in October.

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions,” he said. “Facebook should not get to decide what Canadian privacy law does or does not require.”

The commissioners’ description of Facebook’s position is based on meetings, discussions and written exchanges between the company and the commissioners’ offices.

Facebook Canada spokesperson Erin Taylor said the company is disappointed by the report and the decision to pursue the matter in Federal Court.

“There’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information,” she said in a statement.

The Facebook scandal had several Canadian connections, including the fact that Cambridge Analytica had links to a small Victoria-based firm called AggregateIQ. The main whistle-blower in the saga – Christopher Wylie – is Canadian. In media interviews, Mr. Wylie spoke about his time working at Cambridge Analytica and alleged that the company and its affiliates misused personal Facebook data to influence election campaigns.

Both commissioners said Facebook’s rejection of the report’s recommendations highlights the weakness of Canadian privacy law.

Federal Innovation Minister Navdeep Bains and Democratic Institutions Minister Karina Gould said in a joint statement that the report reinforces the need to hold companies accountable, and new government action on digital privacy will be announced in the coming weeks.

A day before the Canadian privacy commissioners issued their findings, Facebook revealed that it expects the Federal Trade Commission (FTC), the U.S. consumer watchdog, to issue a record fine of US$3-billion to US$5-billion for privacy violations.

The FTC, which can issue fines and force companies to submit to privacy audits, opened its investigation into Facebook last March to determine whether the Cambridge Analytica scandal violated the terms of a 2011 investigation that found Facebook had engaged in “unfair and deceptive” practices.

Facebook has also said it was appealing the £500,000 fine issued by Britain for privacy breaches related to Cambridge Analytica last year.

Ireland’s Data Protection Commission, which has enforcement powers over Facebook’s European headquarters, is also investigating whether the social-media giant violated strict new European privacy rules introduced last year. Attorneys-general in several U.S. states have also launched probes.

Last month, Facebook chief executive Mark Zuckerberg unveiled his vision of more privacy-focused future, in which the platform will shift from a public “town square” model toward more private, temporary and encrypted messaging services. The transformation, which Mr. Zuckerberg said on Wednesday would take about five years, would include more closely integrating the company’s main apps, including Facebook, the photo-sharing service Instagram and private-messaging services Messenger and WhatsApp. It would move more conversations away from Facebook’s main news feed, which remains the largest source of the firm’s advertising revenue.

Earlier this month, the European Commission warned that Facebook and other social media need to do more to protect their platforms from fake news and foreign interference ahead of European parliamentary elections next month. Since the deadly attacks at two mosques in New Zealand, lawmakers in the United States and Britain have grilled Facebook, Google and Twitter over its role in the spread of hate speech online.

Canada’s Liberal government passed a new election law in December that aims to block foreign interference in federal elections. It also forces social-media companies and large websites to create a registry of political ads and to say who paid for them. However, the legislation did not address the widespread calls to end political parties’ exemption from federal privacy legislation, nor did it give the privacy commissioner new enforcement powers.

The Globe and Mail, April 25, 2019