On May 19, 2020, the Competition Bureau (the Bureau) announced that Facebook Inc. (Facebook) has entered into a consent agreement with the Commissioner of Competition (the Commissioner) in connection with Facebook’s alleged contravention of the civil misleading advertising provisions of Canada’s Competition Act1 (the Settlement).2 These provisions prohibit companies from making false or misleading claims about products or services they provide to promote their business. In this case, the representations at issue related to Facebook’s collection and disclosure of users’ personal information. This case highlights consumers’ increasing concerns regarding the protection of their personal information and the Commissioner’s willingness to use the misleading advertising provisions of the Competition Act to ensure that companies do not mislead consumers as to the protections provided for this information.
Under the Settlement, Facebook has agreed to pay (i) an administrative monetary penalty of $9 million;3 and (ii) $500,000 for costs incurred by the Commissioner.4 In addition, Facebook must implement a corporate compliance program that ensures it does not make any further false or misleading representations to the public regarding its disclosure of personal information. This compliance program will be monitored by the Commissioner.5
The Commissioner’s Findings Regarding Facebook’s Conduct
Following an investigation into Facebook’s privacy practices between 2012 and 2018, the Commissioner concluded that Facebook made false or misleading claims about its collection, use and disclosure of Canadians’ personal information on and through Facebook’s website and its “Facebook Messenger” instant messaging mobile application. Specifically, the Commissioner determined that Facebook made representations to the public, through its various privacy policies, settings, and controls available on its website and mobile application, that created a general impression about (i) who could see or access a user’s personal information; and (ii) users’ ability to control who could see or access their personal information. The Commissioner found that Facebook’s practices of sharing information with third parties were not consistent with its representations and that Facebook has made these false representations to the public for the purpose of promoting Facebook’s business interests.6
The OPC’s Report on Facebook’s Conduct and Application to the Federal Court of Canada
Facebook’s conduct is also the subject of a pending application to the Federal Court made by the Office of the Privacy Commissioner7 (OPC) under the Personal Information Protection and Electronic Documents Act8 (PIPEDA) pursuant to which the OPC is seeking remedies against Facebook that are similar to those obtained by the Commissioner in the Settlement. In April 2019, the OPC released a report9 in relation to the Cambridge Analytica scandal in which the OPC made four findings: Facebook contravened PIPEDA by (i) failing to obtain valid and meaningful consent from users who were installing apps; (ii) failing to obtain meaningful consent from friends of those app users to the disclosure of the friends’ information to the app (the friends would have had no knowledge of that disclosure); (iii) failing to implement adequate safeguards to protect user information; and (iv) failing to take accountability for the information under Facebook’s control – i.e., the OPC said that Facebook “abdicated its responsibility for the personal information under its control” and that “the sum of these measures resulted in a privacy protection framework that was empty.” The OPC’s Federal Court application seeks a declaration that Facebook contravened PIPEDA, as well as various orders requiring Facebook to correct its practices to comply with PIPEDA and Canadian privacy laws.
Facebook is challenging the OPC’s application, disputes the findings of the OPC, and has refused to implement the recommendations of the OPC to address the privacy deficiencies the OPC has raised. It will be interesting to see how the Federal Court deals with the application given that Facebook did not contest the Commissioner’s findings, which largely overlap with the findings of the OPC. As of the date of this article, Facebook has not withdrawn its challenge to the OPC’s application.
General Impact of the Settlement on the Enforcement of Privacy Laws in Canada
This case sends a clear signal that the Commissioner’s enforcement position is that statements made by an organization regarding its collection, use and disclosure of personal information fall within the scope of the misleading advertising provisions of the Competition Act. This is based on the view that a company’s statements regarding privacy protections can impact consumers’ decisions regarding whether to use a particular service, as well as how they use the service. The application of the Competition Act to privacy-related matters is a landmark moment for proponents who have argued that more significant oversight measures and enforcement tools are required in Canada to properly protect Canadians’ privacy rights. As a result of the more significant enforcement powers and penalties under the Competition Act, as well as the Commissioner’s willingness to use them, this case sends a clear message to businesses that they need to ensure that their actions comply with federal and provincial privacy laws.
It is also important to note that the Canadian federal government’s release of Canada’s Digital Charter: Trust in a digital world10 and related discussion paper entitled Strengthening Privacy for the Digital Age11 suggest that the government plans to introduce more robust penalties for non-compliance with privacy laws that may be akin to those that are available to regulators in the European Union under the General Data Protection Regulation12. The purpose of these additional enforcement mechanisms would be to create an environment of accountability and security to ensure personal information is being used and protected appropriately in the digital economy.
When disclosing their privacy practices to the Canadian public, businesses must now be more keenly aware of the additional risks they face should they not accurately describe their privacy practices. These practices will likely be subject to more significant oversight by Canadian regulators going forward and it is important that businesses understand the legal requirements related to privacy protection of consumers’ data, as well as the need to clearly and accurately communicate their privacy practices to the public.
The Information Technology & Data Privacy and Competition & Foreign Investment Groups at Cassels will provide further updates on new developments in this matter as they occur.
The authors of this article gratefully acknowledge the contributions of articling student Reza Sarsangi.
1 Competition Act (R.S.C., 1985, c. C-34).
2 “The Competition Tribunal: Registered Consent Agreement” (19 May 2020), Commissioner of Competition and Facebook, Inc., CT-2020-004, <https://decisions.ct-tc.gc.ca/ct-tc/cdo/en/item/471812/index.do> [Consent Agreement].
3 Consent Agreement, section 3.
4 Consent Agreement, section 4.
5 Consent Agreement, sections 6-11.
6 Consent Agreement, recitals.
7 The Office of the Privacy Commissioner is the regulator responsible for the enforcement of the Personal Information Protection and Electronic Documents Act.
8 Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5).
9 Canada, Joint investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia: Report of findings (PIPEDA: Office of the Privacy Commissioner of Canada, 25 April 2019) <https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-002/>.
10 Government of Canada: Innovation, Science and Economic Development Canada, Canada’s Digital Charter: Trust in a digital world (25 June 2019), online: <https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00108.html>.
11 Government of Canada: Innovation, Science and Economic Development Canada, Strengthening Privacy for the Digital Age (21 May 2019), online: <https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html>.
12 European Union General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council (27 April 2016).