September 11, 2020 | By Julius Melnitzer
There’s a shroud hanging over the $9 million fine that the Competition Bureau imposed on Facebook in May.
Facebook consented to the administrative monetary penalty, the largest privacy noncompliance fine imposed in Canada. Some observers tout it as a landmark conclusion to the Bureau’s two-year-long investigation into the Cambridge Analytica data breach.
But what’s missing is any hint of co-operation with the Office of the Privacy Commissioner of Canada (OPC), which has broad general jurisdiction over privacy in the federally-regulated sector. By contrast, the Competition Act limits the Bureau to privacy concerns arising from misleading advertising about the use of data.
“I would have thought we’d see a more coordinated effort,” says Anita Banicevic, a competition partner in Davies Ward Phillips & Vineberg LLP’s Toronto office. “What will the business community do, for example, if the two regulators take different approaches going forward?”
And they very well might.
“The Bureau’s press release on the Facebook settlement asked other complainants to come forward,” Banicevic says. “That sets up a real tension between the roles of the regulators.”
David Young of David Young Law, a privacy and regulatory law counsel practice in Toronto, says it’s a “turf thing.”
“Although both agencies are working in the same arena, each has its own modus operandi,” he says. “But the OPC operates under PIPEDA, much more nuanced privacy legislation than the Competition Act. That’s produced a lot of regulatory expertise that the Bureau doesn’t have.”
The OPC has also been under considerable pressure recently.
“They’ve been through quite a shakeup of late,” Young says. “I suspect they have their nose to the grindstone.”
That may be why Facebook’s responses to the two regulators have been poles apart. While Facebook consented to the settlement with the Bureau, the social media giant is currently embroiled with the OPC in Federal Court.
In April, Facebook asked the court to throw out the OPC’s finding that the company allowed the use of personal data for political purposes. Some two months earlier, Privacy Commissioner Daniel Therrien had sought a declaration that the company misused personal information.
“It’s a real irony that Facebook consented to the Bureau’s fine, but is fighting the OPC tooth and nail,” Young says. “There may be roles for both regulators, but they should be coordinated.”
In contrast, the OPC worked with the Privacy Commissioner of British Columbia. The regulators issued joint findings that formed the basis of the actions against Facebook.
“However, there’s no precedent for the Bureau to work with provincial authorities,” Young says. “That’s what should have happened here.”
Coordination is also important because Canada’s privacy laws are laggard on enforcement.
“The maximum fine under the Competition Act is $10 million, which pales with norms we’ve seen in privacy cases all over the world,” Young says. “The numbers are in the billions in places like the European Union.”
Indeed, Competition Commissioner Matthew Boswell has publicly stated that larger fines are necessary.
“That sort of thing was unheard of a few years ago,” Young says. “In fact, even the current maximums blew everyone away when the feds enacted them in 2009.”
Making matters worse is the fact that the OPC has no power to impose fines or orders.
“The Bureau got a consent agreement in a flash, while the OPC can’t get a cent out of anyone,” Young says.
Expansion of the OPC’s enforcement powers, however, is a ways off.
“It’s been like pulling teeth in Ottawa,” Young says. “Most recently, the OPC asked the government to give it the power to impose fines, but COVID-19 derailed that.”
Indeed, piecemeal efforts to amend PIPEDA are unlikely to bear fruit.
“The feds will be changing the whole Act, but that will take years,” Young says. “That’s another reason for the OPC and the Bureau to co-operate.”
What’s clear is that our privacy regime has a long way to go. Provincially, only Quebec, B.C., and Alberta have private sector legislation. Ontario is in the throes of consultation. The upshot is a nationwide gap.
Still, Young believes that a “decentralized privacy idiom” is emerging, especially with Quebec moving to a more stringent model closer to the EU’s GDPR standard.
That may work out or it might not. But decentralization requires co-operation, and so far, the indicators aren’t hopeful.