• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer
nNovation LLP

nNovation LLP

Small Canadian regulatory law firm with a big presence

  • Home
  • About Us
  • Our Team
    • Kim D.G. Alexander-Cook
    • Timothy M. Banks
    • Shaun Brown
    • Anne-Marie Hayden
    • Constantine Karbaliotis
    • Kris Klein
    • Dustin Moores
    • Florence So
  • Blog

Posted By: Constantine Karbaliotis May 21, 2020Category: Privacy Commissioner of Canada

Facebook’s $9M Settlement with Canada’s Competition Bureau makes history

Following Facebook’s challenge to the Office of the Privacy Commissioner (OPC) report arising from the Cambridge Analytica scandal, the fall-out for Facebook in Canada continues. While not at the scale of fines faced in the US and elsewhere, the involvement of a non-traditional regulator for privacy sends several signals to Canadian and multinational organizations.

In a news release today from the Competition Bureau Canada, Facebook has agreed to pay a penalty of $9 million to settle the Bureau’s investigation into Facebook’s privacy practices. (according to the press release – at this writing the settlement is not yet available from the Competition Tribunal).

The Bureau’s investigation concluded that Facebook had given the impression that users could control who could see and access their data, without limiting the sharing of users’ personal information with third-party developers. Further, third party developers could also access users’ friends’ personal information after users installed third-party applications.

The Bureau’s jurisdiction is based on the prohibition against false or misleading claims about products or services under the Competition Act. This is quite similar to section 5 of the US Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce“, and is commonly applied by the US Federal Trade Commission to enforce so-called “privacy promises”.

This is new territory for Canada, however. Given the OPC’s challenges enforcing the Personal Information Protection and Electronic Documents Act (PIPEDA), this settlement is a watershed in that privacy-related matters could increasingly be subject to oversight by a regulator who has significant enforcement powers.

The interaction with the OPC’s own enforcement, which its first application to the Federal Court to seek remedies against Facebook, deserves comment. The remedies being sought by the OPC mirrors some of the remedies obtained by the Competition Bureau, by requiring Facebook to cease making these representations. If the Competition Bureau’s enforcement reflects synchronization with the OPC’s views, as an expert tribunal, and particularly with the Guidelines for obtaining meaningful consent, jointly developed by the OPC and both British Columbia’s and Alberta’s Commissioners, then this enforcement action has suddenly put teeth into those guidelines and the privacy commissioners’ views.  It also raises the question of what the Facebook’s Federal Court application to set aside the OPC’s report is intended to accomplish, given what it has now agreed to.

Another observation to be drawn arises from the ‘non-traditional’ regulator; increasingly in Canada, other regulators are stepping into the privacy fray. Some examples: The Office of the Superintendent of Financial Institutions (OSFI), which supervises Canada’s federally regulated financial institutions, issued a notice requirement in January 2019 for cyber and privacy breaches. IIROC, the Investment Industry Regulatory Organization of Canada also issued a rule in November 2019 to require mandatory reporting of cybersecurity incidents. And the Ontario Energy Board which governs utilities in Ontario, has for several years had cybersecurity and privacy obligations made a requirement of licensing.

While it is natural that specialized regulators have a vested interest in the security and privacy given their roles in regulating markets and ensuring stability, it represents a risk of a patch work approach to privacy unless the principles upon which regulation is based are consistent. 

The Government’s Digital Charter, announced in May last year, is intended to not only chart a course for PIPEDA reform, but also is intended to provide a framework and direction for consistency with the provinces and regulatory agencies. With the COVID-19 crisis still underway, it is uncertain when reform will come, but the Competition Bureau settlement suggests that the enforcement of privacy obligations in Canada is still evolving.

Share this article:

Previous Post Federal Court of Appeal to rule on the constitutionality of CASL
Next Post Comparing Facebook’s Settlement with Canada’s Competition Bureau with the Privacy Commissioner’s Recommendations

Related Posts

February16

Limitation of liability in B2B contracts valid under Quebec civil law

January28

Maturing the Privacy Impact Assessment

January07

10 crisis communications tips for privacy breaches

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Categories

  • Adequacy
  • CASL
  • Class Actions
  • Communications
  • Competition Act
  • Genetic Privacy
  • IT Contracts
  • Legislation
  • Ontario
  • PIPEDA
  • Privacy
  • Privacy Breach
  • Privacy Commissioner of Canada
  • Privacy Impact Assessment
  • Privacy Reform
  • Privacy Shield
  • Quebec
  • Right to be forgotten
  • Smart Cities
  • Supreme Court
  • Transborder Data Flows
  • Uncategorized

Recent Posts

Limitation of liability in B2B contracts valid under Quebec civil law

February 16, 2022

Maturing the Privacy Impact Assessment

January 28, 2022

10 crisis communications tips for privacy breaches

January 7, 2022

Tag Cloud

Access to Information Act CASL Class Actions CompuFinder Constitutionality CRTC Cybersecurity Equifax data breach Federal Court of Appeal google National Security OPC Consultation PIPEDA Privacy Privacy Commissioner of Canada Smart Cities spam Transborder Data Flows

Footer

EXPERT LEGAL SERVICES

135 Laurier Avenue West, Suite 100 Ottawa Ontario K1P 5J2
  • Home
  • About Us
  • Our Team
  • Blog
  • Privacy

Copyright © 2020 nNovation LLP. All Rights Reserved