After implementing stricter privacy laws in 2018, Canada has joined a number of countries in which the mentality around privacy rights is shifting. Individuals are becoming more aware of the information they disclose. Users of applications and services are more cognizant of what data they hand to organizations and more curious about how that information is used. For the first time, people are paying close attention to what businesses do with their information and expect those businesses to be transparent in their privacy policies.

Last week, the Office of the Privacy Commissioner of Canada released a report following a lengthy investigation into Facebook. In sum, the report found that Facebook contravened Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians. The release noted that Facebook’s privacy framework was “empty” and that its “vague terms were so elastic that they were not meaningful for privacy protection”. Part of the investigation revealed that an app called “This is Your Digital Life”, installed by around 300,000 Facebook users around the world, potentially disclosed the personal information of approximately 87 million users (the installers and their Facebook friends), roughly 600,000 of whom were Canadian. The report found that both federal and British Columbia privacy laws were violated: unauthorized access enabled by superficial and ineffective safeguards, a lack of meaningful consent, no proper oversight of privacy practices, and an overall lack of accountability for personal information.

More shocking than the findings was Facebook’s response to the report and the recommendations contained in it. Facebook denied that it had contravened privacy legislation and rejected the findings and recommendations. This response fuels the claim that Facebook lacks accountability, especially since a 2009 investigative report, which revealed largely similar issues, proposed mechanisms to mitigate the risk of unauthorized access to and use of Canadians’ personal information – recommendations that the organization seemingly ignored. Interestingly, a March 2019 Edison Research Infinite Dial report found that Facebook has lost around 15 million users in the United States since 2017 (a drop of roughly six percentage points).[1] This may be partly a result of the negative publicity the company has received over its handling of users’ personal information (the Cambridge Analytica scandal, for example).

One issue that Facebook’s reception of the report exposed is that the 2018 amendments to PIPEDA appear to lack teeth. For instance, PIPEDA does not make the Privacy Commissioner’s recommendations binding, nor does the legislation grant the Commissioner the power to issue orders. This does not, however, stop the Office of the Privacy Commissioner of Canada from bringing an application to the Federal Court to compel Facebook to correct its privacy practices. That process will likely be lengthy, and it is currently unclear whether the Commissioner will take this step.

In light of the changing mentality, organizations that collect personal information, and that aim to be successful, must take a more deliberate approach to the information they collect. They must also be more transparent with their customers by explaining how, and for what purpose, an individual’s information will be used. The privacy policies that everyone hates to read now need to be far more user-friendly than they once were. If a company’s privacy policy is too long and contains too much legalese, the organization risks the same fate as Facebook – having those policies deemed so elastic that they are not meaningful. Organizations must consider what information they actually require to perform the services they undertake, and provide the user with a simple, easy-to-understand privacy policy that explains in lay terms how the data will be used and for what purpose. The days of shifting responsibility for data onto the consumer are over – organizations must take an active role in becoming more “data conscious” and in protecting the information provided to them.

Organizations should limit the information they collect from users to the data they genuinely need to perform a service. Some key considerations for a privacy policy are:

  • What information is needed for the organization to provide the service they are undertaking?
  • Who has access to that data?
  • How is that data handled (shared and used)?
  • How long is the data retained, and how and how often is it destroyed?

There is little doubt that the Privacy Commissioners across Canada will lobby to make PIPEDA more forceful, including giving the bodies tasked with protecting the privacy rights of Canadians the power to issue binding orders. Until that time comes, users will make their voices heard by giving their business to organizations that are more conscious about data use. To succeed in this environment, organizations must be more transparent in their privacy policies and take a more conscious approach to data use than they have in the past.

To see the full report, please visit:

  • Stas Bodrov

    Once the target of an unsuccessful phishing scam, Stas is a key part of SBA’s cyber liability and privacy group, providing services ranging from assessments and prevention to crisis response.