TORONTO — The Office of the Privacy Commissioner of Canada wants Facebook Inc. to reveal whether any Canadians had personal information compromised when a political firm used millions of users’ data without their consent.
“Recent media reports regarding the use of personal information posted on Facebook for political purposes raise serious privacy concerns,” Privacy Commissioner Daniel Therrien said in a statement.
“Our office will be reaching out to Facebook to seek information regarding whether Canadians’ personal information was affected by the issues raised in those reports. That will help us determine possible next steps.”
The social network giant saw its stock plummet 6.8 per cent on Monday after reports of misuse of its users’ data by Cambridge Analytica, a data analytics firm that helped Donald Trump’s campaign profile voters during the 2016 presidential race.
The New York Times and The Observer of London reported the firm bought information on 50 million user profiles from a University of Cambridge professor who harvested the data with a personality quiz. The professor obtained the information legally, but allegedly violated Facebook rules by selling it to Cambridge Analytica. The firm never obtained the users’ consent to use their data, nor did Facebook alert users when it found out Cambridge had their information, according to a whistleblower.
The U.K. Information Commissioner’s Office has launched an investigation into the matter. Canada’s privacy office said it will assist as appropriate.
“Ultimately, our goal is to ensure that the privacy rights of Canadian Facebook users are protected,” Therrien said.
The case raises questions about how Facebook protects and monitors consumer data, and whether users can trust third parties not to compromise their privacy. It’s not clear whether this is an isolated case.
Chantal Bernier, a global privacy and cybersecurity lawyer at Dentons and former interim privacy commissioner, said she believes such activity likely happens all over the place, including in Canada.
“This is certainly a wake-up call,” Bernier said in an interview. “This whole incident shows the disempowerment of the user in front of the organizations that collect the data.”
The incident reflects systemic problems surrounding online privacy including consent and accountability, Bernier said.
People often don’t understand what they’re consenting to when they click “I agree,” she said. Plus, there is limited accountability for companies that do break the rules. The privacy commissioner has limited powers to audit companies and no power to impose financial penalties.
“Personal information is extremely valuable, and therefore the misuse should be met with penalties that are proportionate to that value,” she said.
Still, public privacy breaches can come with a high cost. The stock market erased billions of dollars from Facebook’s value in response to the reports.
“What has become very clear to business is that it is now a competitive advantage to be privacy-protected,” she said.
In Canada, private businesses must obey the Personal Information Protection and Electronic Documents Act (PIPEDA). It requires consent for the collection, use and disclosure of personal information for commercial activities. Under the law, companies are accountable for the management and safekeeping of that information.
PIPEDA, however, does not apply to political parties. In 2016, the privacy commissioner asked Parliament to consider regulating how political parties use personal information.
Kris Klein, a privacy lawyer at nNovation, called on Parliament to make national political parties follow the same rules as other organizations as politics enters the Big Data game.
“We have just scratched the surface when it comes to data mining technologies so these issues are just going to get bigger and, perhaps even more scandalous,” Klein said in an email.
“I hope our lawmakers wake up and realize we’re fully into the information age and Canadians deserve the best protection possible when it comes to safeguarding our personal information.”