MPs grill Facebook official
Tighter EU-style privacy law pitched as company insists it’s ‘taking action now’
Representatives from Facebook kept their privacy settings high Thursday, sharing very little new information as they were grilled at a committee hearing about a global controversy over how the company handles user data.
The company was especially tight-lipped about whether Canada should adopt strict, European Union-style privacy rules to guard against the misuse of sensitive data.
NDP MP Charlie Angus said Canada should use the new EU rules as “the floor, the starting point” for any measures that would be adopted in this country.
Facebook is already making many of the changes people are demanding, argued Kevin Chan, the head of public policy for Facebook Canada. “We are not waiting for regulation, we are taking action now.”
The Facebook officials appeared before a House of Commons committee on privacy and ethics in the wake of an international scandal caused by Cambridge Analytica, a voter profiling firm that used data from Facebook users.
Angus also grilled Chan about media reports that Facebook was shifting consumer data out of Ireland to keep it out of reach of the new EU regulations. Facebook confirmed to the Irish Times that more than 1.5 billion international users who weren’t EU citizens would now fall under U.S. privacy rules.
The EU legislation — known as the General Data Protection Regulation, or GDPR — would levy fines on rule-breakers as a percentage of their global revenue, which may have provided a compelling reason for Facebook to move user data out of Ireland. It also means officials at massive, wealthy companies won’t be able to laugh off fines that are a tiny percentage of earnings. That notion appealed to Angus. “Facebook today seemed to show a real disregard for the laws of our land. Whatever penalties we impose on Facebook will probably not be noticed,” said Angus. “Facebook left me pretty distressed about their cavalier attitude.”
Prime Minister Justin Trudeau didn’t reject the idea of Canada adopting legislation similar to the new EU rules, which come into effect on May 25, when he was asked about it at a press conference in London on Thursday. Trudeau said Canada will keep a close eye on what other countries do in response to privacy concerns.
Most of the questions at committee revolved around the Cambridge Analytica scandal, fake news on the platform and the possibility of a Canadian election being undermined by foreign actors.
Facebook said it still isn’t sure of the extent of the exposed data. The data Cambridge Analytica used came from a Cambridge researcher who developed a quiz that sucked up information from users and their friends on Facebook.
Liberal MP Nathaniel ErskineSmith asked Facebook’s deputy chief privacy officer Robert Sherman, who appeared by videoconference, if Canadian users’ private messages were exposed to Cambridge Analytica as part of the breach and Sherman confirmed it was a possibility. “It is possible that private message were shared in a small amount as part of that,” said Sherman. The company is embarking on a forensic audit of all the data that was caught up in the exposure, he said.
Whether Canada moves toward EU-style privacy laws or not, the regulations are going to have a big effect on Canadian businesses who have European customers. The Office of the Privacy Commissioner recently warned business owners to read up on the regulation to make sure they are in compliance.
The law beefs up the requirements around consent for the use of personal data, which in Canada are much looser. In the EU, users will have to give their consent on a more specific basis, whereas in Canada, it can be more general or even implied consent. That’s something Canada’s privacy commissioner has flagged as an issue, using the GDPR as a model to follow.
The EU rules also allow users the option to have their data erased by a company — more commonly known as the right to be forgotten. The decision on whether to remove information lies entirely in the hands of company controlling the data, which means they will be “judge and jury, with any mishandling of requests sitting on their shoulders,” as one British data company described its new responsibility toward EU users.