Back to all blog posts

Posted in: Privacy | Data Security/Privacy

Jul 7, 2020

Competition Bureau Brings Big Stick to Privacy Claims – $9.5 Million Penalty for Privacy Claim

By Paige Backman

The Competition Bureau (the “Bureau”) recently concluded that Facebook Inc. made false or misleading claims to the public about the privacy of Canadians’ personal information on Facebook and Messenger. Facebook disagreed with the conclusion of the Bureau, but wished to resolve the matter by entering into a consent agreement and not contesting the conclusions for purposes of the agreement. As a result, Facebook is required to pay a $9 million penalty, plus an additional $500,000 for the costs of the Bureau’s investigation.

Canadian privacy regulators have not historically had significant tools to financially penalize companies for breaching the privacy rights of individuals. The Bureau is stepping into that gap, at least in part.

In light of this recent decision, organizations should take a good look at their privacy policies, statements and notices and consider whether any of the statements contained therein are or may be considered inaccurate or misleading.

The Bureau’s investigation looked at Facebook’s practices between August 2012 and June 2018. While Facebook disagrees with the Bureau’s conclusion, the Bureau concluded that:

  • “Facebook gave the impression that users could control who could see and access their personal information on the Facebook platform when using privacy features, such as the general “Privacy Settings” page, the “About” page and the audience selector menu on posts, among others.
  • … Facebook did not limit the sharing of users’ personal information with some third-party developers in a way that was consistent with the company’s privacy claims. This personal information included content users posted on Facebook, messages users exchanged on Messenger, and other information about identifiable users.
  • Facebook also allowed certain third-party developers to access the personal information of users’ friends after users installed certain third-party applications. While Facebook made claims that it would no longer allow such access to the personal information of users’ friends after April 30, 2015, the practice continued until 2018 with some third-party developers.”

When assessing privacy obligations and risks in Canada, most people look at the more traditional pieces of privacy legislation across Canada, such as PIPEDA, PIPA (British Columbia and Alberta) and Quebec’s private sector privacy act. However, one must remember that the Competition Act prohibits companies from making false or misleading claims about a product or service to promote their business interests. This includes statements made in privacy policies and other public facing privacy statements. The Bureau further confirms that their jurisdiction includes claims made by organizations about the information they collect, why they collect it and how they use it, and that it applies to “free” digital products the same way it applies to regular products or services purchased by consumers.

In a foreboding quote about what we can expect in the future, the Bureau made it clear that they will be using this stick on large and small companies alike. “Canadians expect and deserve truth from businesses in the digital economy, and claims about privacy are no exception. The Competition Bureau will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies.”

Take this opportunity to review all of your privacy policies, notices and statements. Reflect on whether the statements contained therein remain true, whether any important terms on the business’s information handling practices are omitted, or whether any terms could give a misleading impression to the individuals to which it applies.

If you have any questions about privacy compliance or data security matters, please contact a member of the Aird & Berlis Privacy & Data Security Group.

Areas of Expertise

Related Categories

Related Blogs

Posted in: Court Decision | Privacy

Insights TheSpotlight
Ontario Recognizes False Light Tort of Invasion of Privacy By Paige Backman Feb 24, 2020 Hidden in the text of a strongly-worded family law case, Yenovkian v. Gulian, 2019 ONSC 7279, a new and timely tort based on invasion of privacy was recognized – Publicity Placing Person in False Light.

Posted in: Data Security/Privacy | Privacy | Data Protection

Insights TheSpotlight
Federal Privacy Law – Is It About to Change: Part Deux? By Donald B. Johnston Jan 13, 2020 In my last blog, I speculated about whether privacy law is about to change and promised to write more about it. My speculation was sparked by the 2018-2019 Annual Report to Parliament made by the Office of the Privacy Commission. Here’s a bit more about this excellent report.

Posted in: Privacy

Insights TheSpotlight
Federal Privacy Law – Is It About to Change? By Donald B. Johnston Dec 19, 2019 The 2018-2019 Annual Report to Parliament of the Office of the Privacy Commissioner is interesting reading, and it shows that the OPC has been doing some deep thinking about the nature of privacy and has been looking around the world at the philosophies of privacy in other jurisdictions.

Posted in: Blockchain

Insights TheSpotlight
Facebook’s New Digital Currency By Donald B. Johnston, Paige Backman and Kaija Sandberg Jul 09, 2019 On June 19, Facebook announced plans to launch a new digital currency, Libra, which will allow users to make online payments via digital wallets as soon as early next year.