Facebook has agreed to pay a fine of $9 million under the federal Competition Act stemming from the Cambridge Analytica matter and to reimburse the cost of the inquiry of $500,000 (without any acknowledgment of wrongdoing). This fine is the first issued for a privacy violation by the Competition Bureau under its authority to regulate deceptive marketing practices.

As previously reported by Bennett Jones in Competition Bureau Intends to Police Privacy Violations—Beware of Potential Fines and Organizations Can Expect Increased Canadian Regulation for Privacy Violations, regulation of privacy violations by the Competition Bureau was anticipated. Under the Competition Act, the Competition Bureau has the authority to regulate matters where an organization has made representations to a consumer about the collection, use or safeguard of personal information, and then fails to comply with those representations. The United States Federal Trade Commission regularly regulates privacy matters and imposes substantial fines under similar authority to regulate deceptive practices. 

The significance of the involvement of the Competition Bureau in privacy matters lies in the level of potential fines and the introduction of additional regulatory scrutiny. The Competition Bureau can seek an administrative penalty of up to $10 million, and up to $15 million for each subsequent order against the corporation. In the case of an individual (which conceivably could include directors or officers of company), the Competition Bureau may seek an administrative penalty of up to $750,000, and up to $1 million for each subsequent order against the individual. In contrast, the federal Privacy Commissioner currently has no authority to seek an administrative penalty against an organization that fails to comply with its privacy obligations. However, the federal Privacy Commissioner can seek a court order imposing restrictions on an organization's ability to collect or use personal information.

Companies—large and small—should expect surveillance of their marketing practices when it comes to privacy. Competition Bureau Commissioner Matthew Boswell has stated the following in connection with this matter: 

"[t]he Competition Bureau will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies".

This development marks a noteworthy transition for the regulation of privacy matters in Canada, particularly as the digital economy introduces new opportunities for companies to commoditize and profit from the collection and manipulation of data. This development also coincides with repeated calls by the federal Privacy Commissioner for more authority (including the ability to issue fines), and with his increasing focus on issues relating to the use of personal information without appropriate consent. Companies should expect increased regulatory scrutiny regarding the use made of collected personal information, whether the use is for a reasonable purpose (as required by privacy legislation) and whether there is meaningful consent obtained for the collection and use of that information.

Being prepared should be a central priority for any organization involved in the collection, use, storage, or processing of personal information.

Key Takeaways

To manage the risk of regulatory exposure (as well as litigation risk involving privacy violations), organizations should consider the following:

1. Map and Characterize Your Data

Develop a clear understanding of the following (among other things):

  • the specific categories of personal information collected and the sensitivity of that information; 
  • how you use that information, and whether that use is for a reasonable purpose; 
  • who within the company can access the data and for what purpose; 
  • how employees can access the data and to whom can they transfer it; and 
  • the third-party companies with which the information is shared and for what purpose.

Personal information is broadly defined and includes categories of information beyond the more obvious types such as name, address, government identification numbers, and banking information. Personal information can include, for example, an individual's preferences (what items the user purchases), habits (frequency of travel and routes), or reactions (what ads the user clicks on).

2. Review Consent

Analyze the consent obtained from individuals, including the context in which consent is obtained (e.g., is it simply a "click-through" consent), and whether you have obtained valid and meaningful consent. In particular, consider whether it is reasonable to conclude that the individuals understand the following:

  • the categories of personal information being collected; 
  • the potential uses you will make of the information; 
  • the third parties with whom the information will be shared and the uses the third parties may make of the information; and 
  • the safeguards that will be employed to protect the information by the companies and any third parties.

A consideration of whether the consent is meaningful may require an assessment of the context in which the consent is given in view of the sensitivity of the information involved, and the purpose or potential for repurposing of the collection and use of the information.

3. Review Third-Party Contracts

Cover transfers of personal information to third parties by written agreements that include:

  • provisions regarding the permitted uses of the transferred information (which uses correspond to the consent obtained);
  • controls over the ability of the transferee to process or further transfer the information;
  • the required safeguards for protection of the information;
  • audit rights of the transferor; and
  • obligations of the transferee to notify the company of a potential compromise of the data.

4. Assess Safeguards

Assess whether the operational, physical and technical safeguards in place, and those of any third parties to which they transfer personal information, are reasonable, in the context of the sensitivity of the information, and the duration of time the information may be kept.

Do Not Assume

Corporate executives may assume their company obtains appropriate consent for the collection of personal information since they have language in their privacy policy that captures broad categories of potential uses of information. They may assume that because the company has asked for consent in the policy, the company can use the information for any purpose regardless of whether that purpose or repurposed use is reasonable. They may assume that the third parties to which the company has transferred data will comply with their obligations to limit use of the information or to safeguard the information. They may assume that because their IT department has said they have "good protections" they are taking all required steps to safeguard information.
These assumptions can be costly on a variety of levels, including the risk of regulatory fines under the Competition Act.

Originally published 21 May 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.