nNovation LLP

Small Canadian regulatory law firm with a big presence

Competition Act

Comparing Facebook’s Settlement with Canada’s Competition Bureau with the Privacy Commissioner’s Recommendations

May 22, 2020 by Constantine Karbaliotis

Now that Facebook’s settlement with the Competition Bureau Canada (the “Settlement”) has been published, it is interesting to consider how this could impact other regulatory actions Facebook is dealing with in Canada with the federal Office of the Privacy Commissioner (OPC).

The Settlement is quite short but has some interesting implications. First, it expressly states that Facebook’s agreement does not constitute an admission of guilt under the Competition Act or any other law; so this settlement doesn’t preclude Facebook’s ability to challenge the OPC’s report, as it is currently doing, through a judicial review application or at the hearing of the OPC application to enforce its report. However, Facebook is not permitted to make any public statements that contradict the terms of the settlement agreement. The recitals state the Competition Bureau Commissioner’s conclusions, which are not admitted to, but the fact of those conclusions and the commitments by Facebook cannot be denied. The recitals also note Facebook’s Consent Decree with the FTC of July 2019, which brings Facebook’s compliance program into the Settlement.

The financial penalty is substantial for Canada: $9 million, plus $500K to cover the Bureau’s costs of investigation.

More interesting are the ongoing commitments. First of all, Facebook is not permitted to make any materially false or misleading statements in the future concerning the extent to which users can control access to their personal information, as explained here:

The Respondent shall not make, in connection with a Facebook product or service, any representation to the public that, taking into account its general impression as well as its literal meaning, is materially false or misleading regarding the disclosure of Personal Information, including how and the extent to which Users can control who can access the Personal Information.

Secondly, Facebook must within 180 days ensure its compliance program supports this commitment. Facebook is obliged to “review” the Bureau’s Corporate Compliance Program Bulletin (“Bulletin”) with the aim of aligning Facebook’s compliance program with the Bulletin. To reinforce these obligations, senior management is required to sign and acknowledge this commitment to “fully support and enforce” the compliance program. This creates the risk of personal liability, both civilly and criminally, for future transgressions.

Third, there is ongoing monitoring: senior management must be provided with a copy of the settlement agreement with the view to ensuring that Facebook responds to the Bureau on matters covered by the sections dealing with statements about user control, as well as senior management acknowledgement of the Settlement and its terms. There must be a response within 45 days. The Settlement is binding on Facebook for 10 years.

What is “review” of and “aligning” to the Bulletin? The Bureau obviously has a wider remit than privacy: competition law, of course, and misleading advertising, which is how, as with the FTC, privacy statements can bring companies under its authority. The Bulletin speaks to compliance more broadly, and would include privacy programs:

  1. Management Commitment and Support
  2. Risk‑based Corporate Compliance Assessment
  3. Corporate Compliance Policies and Procedures
  4. Compliance Training and Communication
  5. Monitoring, Verification and Reporting Mechanisms
  6. Consistent Disciplinary Procedures and Incentives for Compliance
  7. Compliance Program Evaluation

Privacy Commissioners’ Recommendations

  • Implementation of measures to obtain meaningful consent that clearly informs users of consequences in a timely manner
  • Because of the failure to take accountability, the OPC and BC Commissioner recommended the ability to conduct audits of the privacy policies and practices

Competition Bureau Settlement

  • While expressed in the negative, the Settlement effectively requires meaningful consent
  • The ability of the Bureau to monitor for 10 years how Facebook complies with its commitment to the section noted above gives it considerable insight into how Facebook obtains data from users, and to monitor its practices.

It will be interesting to see how the Facebook challenge to the OPC’s report continues, and whether in fact it will be meaningful in light of this settlement.

For businesses operating in Canada, the settlement indicates a new and material enforcement player in the area of privacy, the Competition Bureau Canada; it has been traditionally hard to get management attention given the limitations on our Commissioners’ enforcement powers, which the Competition Bureau does not suffer from. It also gives privacy officers and privacy program designers an additional resource/checklist against which to measure the effectiveness of the programs, and a common framework with which to integrate privacy into general compliance programs.


Facebook’s $9M Settlement with Canada’s Competition Bureau makes history

May 21, 2020 by Constantine Karbaliotis

Following Facebook’s challenge to the Office of the Privacy Commissioner (OPC) report arising from the Cambridge Analytica scandal, the fall-out for Facebook in Canada continues. While not at the scale of fines faced in the US and elsewhere, the involvement of a non-traditional regulator for privacy sends several signals to Canadian and multinational organizations.

In a news release today, the Competition Bureau Canada announced that Facebook has agreed to pay a penalty of $9 million to settle the Bureau’s investigation into Facebook’s privacy practices (according to the press release; at this writing the settlement is not yet available from the Competition Tribunal).

The Bureau’s investigation concluded that Facebook had given the impression that users could control who could see and access their data, without limiting the sharing of users’ personal information with third-party developers. Further, third party developers could also access users’ friends’ personal information after users installed third-party applications.

The Bureau’s jurisdiction is based on the prohibition against false or misleading claims about products or services under the Competition Act. This is quite similar to section 5 of the US Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce”, and is commonly applied by the US Federal Trade Commission to enforce so-called “privacy promises”.

This is new territory for Canada, however. Given the OPC’s challenges enforcing the Personal Information Protection and Electronic Documents Act (PIPEDA), this settlement is a watershed in that privacy-related matters could increasingly be subject to oversight by a regulator who has significant enforcement powers.

The interaction with the OPC’s own enforcement, which is its first application to the Federal Court to seek remedies against Facebook, deserves comment. The remedies being sought by the OPC mirror some of the remedies obtained by the Competition Bureau, by requiring Facebook to cease making these representations. If the Competition Bureau’s enforcement reflects synchronization with the OPC’s views, as an expert tribunal, and particularly with the Guidelines for obtaining meaningful consent, jointly developed by the OPC and both British Columbia’s and Alberta’s Commissioners, then this enforcement action has suddenly put teeth into those guidelines and the privacy commissioners’ views. It also raises the question of what Facebook’s Federal Court application to set aside the OPC’s report is intended to accomplish, given what it has now agreed to.

Another observation to be drawn arises from the ‘non-traditional’ regulator; increasingly in Canada, other regulators are stepping into the privacy fray. Some examples: The Office of the Superintendent of Financial Institutions (OSFI), which supervises Canada’s federally regulated financial institutions, issued a notice requirement in January 2019 for cyber and privacy breaches. IIROC, the Investment Industry Regulatory Organization of Canada, also issued a rule in November 2019 to require mandatory reporting of cybersecurity incidents. And the Ontario Energy Board, which governs utilities in Ontario, has for several years had cybersecurity and privacy obligations made a requirement of licensing.

While it is natural that specialized regulators have a vested interest in security and privacy given their roles in regulating markets and ensuring stability, it represents a risk of a patchwork approach to privacy unless the principles upon which regulation is based are consistent.

The Government’s Digital Charter, announced in May last year, is intended not only to chart a course for PIPEDA reform, but also to provide a framework and direction for consistency with the provinces and regulatory agencies. With the COVID-19 crisis still underway, it is uncertain when reform will come, but the Competition Bureau settlement suggests that the enforcement of privacy obligations in Canada is still evolving.

