On May 19, 2020, Canada's Competition Bureau announced that Facebook had agreed to pay a $9 million penalty for making misleading privacy claims about the access, use, and sharing of Canadian users' personal information. This conclusion of the Bureau's investigation was part of a consent agreement after an investigation and aligns with an earlier US Federal Trade Commission (FTC) proceeding, which led to Facebook agreeing to pay a US $5 billion penalty.

What you need to know

  • The Competition Act prohibits deceptive marketing practices, which include materially misleading claims that a business makes about its privacy protections about "free" digital offerings, just as it does to any regular product and service.
  • Businesses operating in Canada will see increased scrutiny of their data handling practices from multiple regulators. In addition to the Bureau's investigation, the Office of the Privacy Commissioner (OPC) conducted a separate privacy law compliance investigation into the same issues.
    • Further, the federal government has proposed increased regulation for technology companies through a new Data Commissioner, and civil litigation concerning privacy practices is common across Canada.
  • While Facebook has disputed the findings of both the Bureau and the OPC, the social media company has used different approaches with the two regulators, likely because of their different enforcement powers:
    • In the competition proceeding, Facebook agreed to pay an administrative penalty and will implement a corporate compliance program.
    • In the privacy proceeding, Facebook refused to implement the OPC's recommendations, prompting the OPC to pursue the matter in Federal Court.
  • The Bureau's enforcement action follows a larger international trend of regulators and courts examining companies' data practices through the lens of their competition, privacy and consumer protection rules. When reviewing data handling practices, businesses should therefore adopt a holistic view that assesses risk under multiple regulatory regimes domestically and internationally. 

The Bureau's investigation

The Bureau opened its investigation in October 2018, after the Cambridge Analytica privacy breach was reported and concluded Facebook had contravened the provisions in the Competition Act which prohibit false or misleading statements.

In findings described in the consent agreement, the Bureau concluded Facebook's representations between 2012 and 2018 created a "general impression" that users would be able to control with whom and how their data would be shared.

The Bureau concluded Facebook gave third-party developers access to users' information that was inconsistent with the company's representations, including by allowing certain third-party developers to access information about users' friends.

The Bureau also noted that Facebook's privacy representations were meant to promote its business.

The settlement consent agreement

In addition to the $9 million administrative penalty, Facebook also agreed to:

  1. Within 180 days, ensure that the company's corporate compliance program, mandated as a result of the FTC proceeding, supports compliance with Canada's competition laws;
  2. For the next 10 years, ensure that certain senior management take an "active and visible role" in establishing and maintaining the company's corporate compliance program; and
  3. Pay costs of $500,000 to the Bureau.

The $9 million administrative penalty in this case is significant and close to the maximum penalty obtainable under the Competition Act of $10 million for a first violation.

Following international trends

The Bureau's enforcement is in line with a growing international trend of competition regulators policing the digital marketplace through investigations of user privacy and data control. The Bureau's findings were foreshadowed by the German competition regulator's investigation into Facebook's data handling practices. In 2019, Germany's Federal Cartel Office (FCO) found that Facebook abused its dominant market position by making the use of its social network conditional on the collection of user data from third-party sites and apps (including WhatsApp and Instagram). Essentially, the FCO's finding relied on a breach of EU privacy law. Interestingly, the FCO did not impose penalties, instead requiring Facebook to stop these data sharing practices. Facebook has appealed the FCO's decision to the German courts.

Since the FCO's findings, antitrust regulators in the US, UK, Italy, and Luxembourg have opened investigations into Google, Facebook, and Amazon, focusing on the way these companies use and control big data.

Consistent with Canadian and international trends, businesses can expect that the OPC and other regulators active in privacy and data issues will welcome this step by the Bureau, with few concerns for jurisdictional conflict. As a result, businesses need to consider the significant investigative and enforcement powers of the Bureau when assessing risks associated with data analytics initiatives.

Implications for business

While the Bureau's investigation focused on deceptive marketing practices, the implications for businesses will be widespread. The Bureau is signaling that it will assume an active role in reviewing businesses' privacy practices to ensure Canadians have a competitive and vibrant digital economy, because privacy has come to represent an important component of a product offering and its quality.

The outcome of this investigation aligns with the Bureau's stated policy objective of policing the digital economy as an area of enforcement priority.

The following will be important for businesses to consider, especially for those in digital innovation and data analytics markets:

  • Businesses engaged in targeted advertising need to ensure: (i) that data is collected and shared in compliance with Canadian privacy laws (including informed consent), and (ii) that data practices are consistent Canadian competition law which prohibit false or misleading statements;
  • If a digital platform includes specific controls that allow users to choose how they want particular types of data shared or used, the company needs to ensure they actually handle user data in a way that reflect users' selections;
    • This applies even if the application in question is developed by a third party, a concept of demonstrable accountability that the OPC has emphasized recently as well;
  • Privacy practices relating to data collected by both paid digital products and "free" digital products will be reviewed by the Bureau in the same way. Offering a product for "free" is not also a "free" pass from Competition Act liability.

Originally published May 22, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.