On April 25 the federal Privacy Commissioner and the Privacy Commissioner of British Columbia released a joint Report of Findings in an investigation into Facebook’s handling of personal information in relation to the Cambridge Analytica scandal. Not surprisingly, the report found that Facebook was in breach of a number of different obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA). Somewhat more surprisingly, the Report also finds that the corresponding obligations under BC’s Personal Information Protection Act (PIPA) were also breached. The Report criticizes Facebook for being less than fully cooperative in the investigation. It also notes that Facebook has disputed the Commissioners’ findings and many of their recommendations. The Report concludes by stating that each Commissioner will “proceed to address the unresolved issues in accordance with our authorities” under their respective statutes. Since the federal Commissioner has no order-making powers, the next step for him will be the Federal Court seeking a court order to compel changes. This will be a hearing de novo – meaning that the same territory will be covered before the Court, and Facebook will be free to introduce new evidence and argument to support its position. The court will owe no deference to the findings of the Privacy Commissioner. Further, while the Federal Trade Commission in the US contemplates fines to impose on Facebook in relation to its role in this scandal, Canada’s Commissioner does not have such a power, nor does the Federal Court. This is the data protection law we have – it is not the one that we need. Just as the Cambridge Analytica scandal drew attention to the dynamics and scale of personal data use and misuse, this investigation and its outcomes highlight the weaknesses of Canada’s current federal data protection regime.
As for the BC Commissioner – he does have order making powers under PIPA, and in theory he could order Facebook to change its practices in accordance with the findings in the Report. What the BC Commissioner lacks, however, with all due respect, is jurisdiction, as I will discuss below.
While the substantive issues raised in the complaint are important and interesting ones, this post will focus on slightly less well-travelled territory. (For comment on these other issues see, for example, this op-ed by Michael Geist). My focus is on the issue of jurisdiction. In this case, the two Commissioners make joint findings about the same facts, concluding that both statutes are breached. Although Facebook challenges their jurisdiction, the response, in the case of the BC Commissioner’s jurisdiction is brief and unsatisfactory. In my view, there is no advantage to Canadians in having two different data protection laws apply to the same facts, and there is no benefit in a lack of clarity as to the basis for a Commissioner’s jurisdiction.
This investigation was carried out jointly between the federal and the BC Privacy Commissioner. There is somewhat of a BC nexus, although this is not mentioned in the findings. One of the companies involved in processing data from Facebook is Aggregate IQ, a BC-based analytics company. There is an ongoing joint investigation between the BC and federal Privacy Commissioners into the actions of Aggregate IQ. However, this particular report of findings is in relation to the activities of Facebook, and not Aggregate IQ. While that other joint investigation will raise similar jurisdictional questions, this one deals with Facebook, a company over whose activities the federal Privacy Commissioner has asserted jurisdiction in the past.
There is precedent for a joint investigation of a privacy complaint. The federal privacy commissioners of Australia and Canada carried out a joint investigation into Ashley Madison. But I that case each Commissioner clearly had jurisdiction under their own legislation. This, I will argue, is not such a case. Within Canada, only one privacy Commissioner will have jurisdiction over a complaint arising from a particular set of facts. In this case, it is the federal Privacy Commissioner.
Unsurprisingly, Facebook raised jurisdictional issues. It challenged the jurisdiction of both commissioners. The challenge to the federal Commissioner’s jurisdiction was appropriately dismissed – there is a sufficient nexus between Facebook and Canada to support the investigation under PIPEDA. However, the challenge to the jurisdiction of the BC Commissioner was more serious. Nevertheless, it was summarily dismissed in the findings.
Uneasiness about the constitutional reach of PIPEDA in a federal state has meant that the law, which relies on the federal trade and commerce power for its constitutional legitimacy, applies only in the context of commercial activity. It applies across Canada, but it carves out space for those provinces that want to enact their own data protection laws to assert jurisdiction over the intra-provincial collection, use and disclosure of personal information. To oust PIPEDA in this sphere, these laws have to be considered “substantially similar” to PIPEDA (s. 26(2)(b)). Three provinces – BC, Alberta and Quebec, have substantially similar private sector data protection laws. Even within those provinces, PIPEDA will apply to the collection, use or disclosure by federally-regulated businesses (such as banks or airline companies). It will also apply to cross-border activities by private sector actors (whether international or inter-provincial). This split in jurisdiction over privacy can be complicated for individuals who may not know where to direct complaints, although the different commissioners’ offices will provide assistance. This does not mean there is no room for collaboration. The federal and provincial Commissioners have taken common positions on many issues in the past. These instances are conveniently listed on the website of Alberta’s privacy commissioner.
What has happened in this case is quite different. This is described as a joint investigation between the two Commissioners, and it has resulted in a joint set of recommendations and findings. Both PIPEDA and BC’s PIPA are cited as being applicable laws. In response to the challenge to the BC Privacy Commissioner’s jurisdiction, the Report tersely states that “PIPA (Personal Information Protection Act (British Columbia)) applies to Facebook’s activities occurring within the province of BC”. Yet no information is given as to what specific activities of Facebook were exclusively within the province of BC. No distinction is made at any point in the report between those activities subject to PIPA and those falling under PIPEDA. In this respect, it seems to me that Facebook is entirely correct in challenging the BC Privacy Commissioner’s jurisdiction. Facebook collects, uses and discloses personal information across borders, and its activities with respect to Canadians are almost certainly covered by PIPEDA. If that is the case, then they are not also subject to PIPA. The Exemption Order that finds PIPA BC to be substantially similar to PIPEDA provides:
1. An organization, other than a federal work, undertaking or business, to which the Personal Information Protection Act, S.B.C. 2003, c. 63, of the Province of British Columbia, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act, in respect of the collection, use and disclosure of personal information that occurs within the Province of British Columbia.
Section 3(2) of the Personal Information Protection Act provides:
(2) This Act does not apply to the following:
(c) the collection, use or disclosure of personal information, if the federal Act applies to the collection, use or disclosure of the personal information;
The “federal Act” is defined in s. 1 of PIPA to mean PIPEDA. The scheme is quite simple: if PIPEDA applies then PIPA does not. If the federal Commissioner has jurisdiction over the activities described in the Report, the provincial Commissioner does not. The only way in which the BC Commissioner would have jurisdiction is if there are purely local, provincial activities of Facebook that would not be covered by PIPEDA. Nothing in the Findings suggests that there are. At a minimum, if there are separate spheres of legislative application, these should be made explicit in the Findings.
Jurisdictional issues matter. We already have a complex mosaic of different data protection laws (federal, provincial, public sector, private sector, health sector) in Canada. Individuals must muddle through them to understand their rights and recourses; while organizations and entities must likewise understand which laws apply to which of their activities. Each statute has its own distinct sphere of operation. We do not need the duplication that would result from the adjudication of the same complaint under two (or more) different statutes; or the confusion that might result from different results flowing from different complaint resolutions. If there are separate sets of facts giving rise to separate breaches under different statutes, this has to be spelled out.
Federal-provincial cooperation on data protection is important; it is also valuable for the different privacy commissioners to reach consensus on certain principles or approaches. But creating overlapping jurisdiction over complaints flies in the face of the law and creates more problems than it solves. We have enough data protection challenges to deal with already.