I first used that image up there on this little legal blog back in 2011. It’s incredible how useful it still is. My Facebook tag of posts is pretty much the biggest font in that tag cloud somewhere over there on the right. But the last week has really been bad for Facebook. Even Canada is pissed! Oh wait, Facebook’s stock jumped 4% after a very good earnings quarter. Maybe not such a bad week after all.
So where to begin? Well let’s go back in time a bit. You see, there were these Winklevoss twins who had an idea for a computerized social network dating site at Harvard. Wait, maybe that’s a little too far back.
2018 (2014) – Cambridge Analytica
In March of 2018, the Cambridge Analytica scandal broke. In case you didn’t read my post from that simpler time, basically in 2014 data from some 50 million Facebook users, thanks to a third-party Facebook quiz / app, ended up in the hands of Cambridge Analytica and allegedly (not allegedly) helped Donald Trump become President. That was seen as, you know, bad. The 50 million number has been revised to 87 million. That’s more bad.
Wednesday, April 24, 2019
Facebook said Wednesday it is planning for a fine between $3 billion and $5 billion and formally set aside $3 billion for the FTC, which is investigating whether the social network violated its users’ privacy
That’s a lot of money! Or not. Remember that good earnings quarter I mentioned above? Facebook had $15.08 billion in revenue in the quarter. And $2.4 billion in profit. And that’s after they set aside the $3 billion for fines. They had $56 billion in revenue last year. Seems they can afford it!
We should note that technically, the fine would not be for the Cambridge Analytica scandal per se, but for Facebook violating a “consent agreement” it had signed with the FTC in 2011. Back in 2011 Facebook promised – pinky swear! – that they would be good boys and girls about privacy and data practices. That’s working out well.
Interestingly, a couple of weeks ago the Washington Post reported that the FTC was looking at Mark Zuckerberg personally, possibly holding him personally accountable for Facebook’s malfeasance. Too bad we can’t do that in Canada…
Thursday, April 25, 2019
After the Cambridge Analytica scandal broke, the Office of the Privacy Commissioner (OPC) received complaints! No surprise there. Approximately 600,000 of those 87 million users were Canadian. Maybe you, reading this right now! Anyway, the OPC, along with the B.C. Information and Privacy Commissioner, launched an investigation. If there is one thing the OPC can do, it’s investigate. It can’t do much else, as I’ve said a million times. Last Thursday, the OPC announced that it had published its Report of Findings #2019-002, the results of its investigation. Let’s read it!
Actually let’s not, because it’s 200+ paragraphs and I’ve got work to do. OK I’ll skim it. Hmmm, looks bad. Basically Facebook violated PIPEDA (Canada’s useless privacy and data protection law that you should know by now) and PIPA (the B.C. privacy law) in any number of ways. The OPC was nice enough to summarize what Facebook did wrong:
- Facebook failed to obtain valid and meaningful consent of installing users
- Facebook also failed to obtain meaningful consent from friends of installing users
- Facebook had inadequate safeguards to protect user information
- Facebook failed to be accountable for the user information under its control
The “installing users” were the people who installed the app / quiz thing, and you may recall from the original facts of Cambridge Analytica that personal info of those users’ friends was also shared. And without consent! Big no-no under PIPEDA.
Now, when PIPEDA is violated, the OPC can do… not much. It’s why I call PIPEDA useless, and you know that by now because you’ve been reading my rantings about it for a long time! The one thing the OPC can do is make recommendations, which it did:
Pursuant to our Findings in this report, we had made several recommendations, with a view to allowing Facebook to bring itself into compliance with PIPEDA and PIPA
I am sure Facebook took this all very seriously and immediately implemented those recommendations! Or, you know, the opposite of that:
We are disappointed that Facebook either outright rejected, or refused to implement our recommendations in any manner acceptable to our Offices. This is particularly troubling given Facebook’s public commitments to work with regulators and rectify the “breach of trust” associated with these events.
That’s more like it. So all this was just from the introduction, before the 200+ paragraph meat of the report. I said I’d skim it, so please stand by while I do so. You are welcome to grab a beverage…
…And we’re back. It was really just the details. Let’s try to recap with some bullet points:
- There are background facts and methodology;
- The OPC had also investigated Facebook back in 2009, and they didn’t implement the OPC’s recommendations then either, although they did take some steps with regard to data from the third-party apps at issue in Cambridge Analytica;
- There is a fun breakdown by province of how many users were affected. Not surprisingly, Ontario had almost half of them;
- Then there is a detailed analysis of each of those four conclusions I put further up;
- I enjoyed the part where Facebook said it monitored the “top 500” apps for compliance with Facebook rules about use and disclosure of data, and the OPC points out “well what about the other 300,000 apps, huh???”
- I enjoyed this quote: “The facts in this case… do not in our view, portray an organisation taking responsibility for giving real and meaningful effect to privacy protection. They demonstrate Facebook abdicating its responsibility for personal information under its control” (the OPC bolded those words). No shit!
- The report finishes with the OPC listing all its recommendations that would bring Facebook into compliance with PIPEDA, and all the ways Facebook told the OPC to fuck off. That part was fun.
So there we go. 200+ paragraphs about how Facebook violated PIPEDA, a bunch of substantive and procedural recommendations from the OPC as to how to fix that, and Facebook giving the OPC the middle finger. Under PIPEDA, you can’t do much else now. Or can you? We’ll see after a quick detour to Europe.
Meanwhile, also on Thursday, April 25, 2019
I should mention that the Irish Data Protection Commission announced Thursday it was investigating Facebook for improperly storing millions of passwords as plain text. Because of the GDPR, Facebook could be fined up to $2.2 billion. That’s a lot! But you saw those numbers above – Facebook can find that in the couch cushions. But we digress. Let’s come back to Canada.
Still morning Thursday, April 25, 2019
It was actually announced in the press release of the report itself, but the shit really hit the fan Thursday when Privacy Commissioner Daniel Therrien, along with his B.C. counterpart, held a press conference to announce the OPC was taking Facebook to Federal Court. Whoa, dude! Can they do that? Yes they can! PIPEDA specifically states in its section 15 that the Commish can make an application to the court. The court can then “order an organization to correct its practices in order to comply” with its obligations under PIPEDA. Maybe even award damages to the person who complained about Facebook in the first place! Woohoo! That’ll show Facebook.
That will not show Facebook. How about a strongly worded statement, Mr. Therrien?
The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified — or even acknowledge that it broke the law — is extremely concerning
Then, the OPC announced that it will take down its Facebook page. That’ll show ’em!
That will not show them.
Superterriffic Funtime Happy Hour Analysis Time
As The Commish mentioned in his press conference, PIPEDA is useless without meaningful fines. He’s certainly got a point, which I’ve mentioned a bunch of times. But if the FTC and the Irish authorities can fine Facebook BILLIONS of dollars and barely put a dent in Facebook’s bottom line, what the fuck is Canada supposed to do?