Canada has a Privacy Watchdog with Teeth: Competition Bureau Issues $9M Penalty to Facebook for Misleading Privacy Claims
Posted in Privacy

Canada’s Competition Bureau determined Facebook Inc. made false or misleading claims about the privacy of Canadians’ personal information on Facebook and Messenger. Facebook Inc. will pay a $9 million penalty in a settlement as a result, and pay an additional $500,000 for investigation costs.

This settlement is an important indicator of the shift that Canada’s Competition Bureau is making towards policing false or misleading privacy statements. The Bureau has substantial enforcement powers under the Competition Act to levy significant fines and penalties for deceptive online practices.

Organizations should take note that their privacy statements, consents and policies cannot be false or misleading. The Bureau is investigating false claims that mislead consumers into giving away their personal data. For Facebook, it primarily derives its revenues from advertising which is, in part, targeted based on personal information derived from users.

The issues behind the Facebook settlement arise from inflated promises about privacy protection; unmet assurances to consumers about how they can control their information; and information sharing with third parties without adequately bringing it to the attention of users. The Commissioner concluded Facebook made representations to the public that created a general impression about who could see or access users’ personal information and about users’ ability to control who could see or access their personal information. However, Facebook did not limit information sharing in a manner consistent with those representations.

In a news release about this decision, the Commissioner stated that the Competition Bureau “will not hesitate to crack down on any business that makes false or misleading claims to Canadians about how they use personal data, whether they are multinational corporations like Facebook or smaller companies”.

Organizations should be reviewing and scrutinizing their privacy statements, policies and practices. A privacy review should include analysis to confirm what information the organization is collecting and why, as well as how it is used, with whom it is shared, and whether it is properly secured and destroyed. A real risk assessment will be vital for the defence of any action by the Competition Bureau.

If we can be of any assistance to you in implementing any aspect of your privacy program, please contact a member of our Privacy & Data Management Group.

You may find our organizational Risk Assessment Outline useful.

  • Ryan  Berger

    Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.

    Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...

  • Cory  Sully

    Cory Sully is an associate in both the Labour, Employment and Human Rights Group and the Privacy and Data Management Group in Vancouver. Cory provides practical and strategic advice to clients regarding various issues relating to ...

About Us

Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.

Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage. 




Recent Posts



Jump to Page