Facebook correspondence with Canadian regulator opens window into collapse of Cambridge Analytica settlement talks

16 November 2022 00:08 by Mike Swift

In December 2018, senior officials with Canada’s national privacy regulator and the provincial regulator for British Columbia prepared detailed notes for a private meeting with Facebook in Gatineau, Quebec, to present their preliminary conclusion that the US company had violated Canada’s national privacy law.

The high-stakes meeting with Facebook, nine months after the Cambridge Analytica privacy scandal broke, was the first time the federal Office of the Privacy Commissioner of Canada and the provincial Office of the Information and Privacy Commissioner of British Columbia, which partnered in the probe, would present their informal preliminary findings.

The regulators hoped to sell a settlement that would give Facebook users more control and transparency over the personal data they shared with apps. They brainstormed in notes marked “discussion purposes only” on how to answer questions from Facebook such as, “Why should we enter into a compliance agreement?”

“We believe a compliance agreement shows Facebook’s dedication to working together to rebuild that trust” with users and regulators in the wake of Cambridge Analytica, the Canadians said in their FAQ notes for the slide deck prepared for the Dec. 14, 2018, meeting. “Our hope is that Facebook can set a model for the rest of the industry in how to strike this balance” on privacy.

Ultimately, that hope was in vain and settlement talks failed. Now it is up to a Canadian national court to interpret the communications that led to that failure. The court could determine as soon as next year whether the OPC becomes — in the agency's view — the first privacy regulator to use an existing data protection law to force data collection changes, rather than just fines, on a global Internet platform.

Facebook agreed to pay a $5 billion settlement to the US Federal Trade Commission over the Cambridge Analytica breach the same spring of 2019, and Facebook Chief Executive Mark Zuckerberg was contrite in public about the company’s privacy “mistakes,” but the social media giant aggressively fought the Canadian regulators’ settlement demands behind the scenes for months, internal documents obtained by MLex show — even though the OPC wasn’t seeking a fine.

The company now known as Meta Platforms rebuffed the remedy sought by the Canadians, who were attempting to force changes to Facebook’s data collection infrastructure and its integration with independent developers’ apps.

The OPC’s proposed changes included a retroactive review of personal data collected by all apps on the platform, notifications to “clearly inform” users about that data collection, and new controls that would allow users to block app data collection. The OPC also wanted a compliance monitor chosen by the regulator, not by Facebook, whose findings during a five-year window could greenlight the OPC to audit any Facebook data collection problems the monitor found.

Facebook, in a letter to the OPC marked confidential, said it was “unreasonable” to give the national privacy regulator broad latitude to audit its data practices, even for a limited time.

That “would provide the OPC with an unfettered, continuous right to audit any of Facebook’s personal information practices, without any reasonable grounds to do so, and without any necessary connection to the practices at issue in this investigation,” the company said in a March 2019 letter.

The negotiations ultimately died a few weeks later when the OPC and the British Columbia regulator told Facebook in a confidential letter that its counter-proposals were “wholly insufficient.”

Facebook “has effectively refused the implementation of certain of our recommendations, or offered proposed alternatives that not only fail to address the objectives of our proposed remedies, but in certain instances, alter the nature of the recommendation itself via wording changes,” the Canadian regulators said.

Unlike in 2009, when the OPC challenged Facebook’s data-sharing practices but ultimately accepted the company's proposed remedy, the Canadians elected to fight.

'Daily Life'

In Canada before 2015, just 272 Facebook users had downloaded a personality quiz called “This is Your Daily Life.” But because the TYDL app had access not only to the data of those 272 but also their friends on Facebook, the personal data of about 622,000 Canadians was exposed in the global Cambridge Analytica privacy scandal that erupted in the spring of 2018, the OPC said.

More than 8,000 pages of previously unreported documents submitted this year by the OPC and the British Columbia privacy commissioner to the Federal Court of Canada open a window unprecedented in its detail into the back-and-forth between the regulators and the company in late 2018 and 2019.

Those documents, obtained by MLex through a records request to the court, are evidence that will be examined by the Federal Court in early March of next year as it decides whether to enforce the regulators’ recommendation. Both the OPC and Meta declined to comment for this story, citing pending litigation.

The OPC said in a recent court filing that the Facebook case is “precedent setting” because it is the first under Canada’s two-decade-old commercial privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, to reach a hearing before the Federal Court. The case has global ramifications, the regulator said, because the “forward-looking” reforms the OPC is trying to enforce would be “the first of its kind to attempt to regulate a global Internet platform such as Facebook.”

Correspondence

The correspondence, which took place during the six months before the OPC released its final report in late April 2019, illustrates how a Silicon Valley tech giant was willing to bat down a regulator’s demand for restrictions to its access to user data. The exchange supports the testimony of a Twitter whistleblower who told Congress in September that US tech companies would rather pay a one-time fine than face restrictions in their ability to monetize data.

Despite Canada’s relatively small population, its privacy regulator in 2019 had as much experience as any in the world with Facebook apps, and perhaps more. Because Canada adopted a national privacy law more than two decades ago, the Canadians had PIPEDA in place to police the legality of app privacy practices on the Facebook platform in 2009, almost a decade before Europe’s General Data Protection Regulation took effect.

In 2007, an era before smartphone apps, a brash, three-year-old Facebook opened its platform to apps with its Graph API, wooing developers with access not just to the data of people downloading their app but also to the data of those people’s Facebook friends. Two years later, the OPC confronted Facebook with its conclusion that the privacy consent mechanisms for apps were insufficient to satisfy PIPEDA.

Recommendation rejected

In that earlier probe, the Canadian regulator recommended that apps be cut off from access to the data of the Facebook friends of users who installed an app. Facebook rejected that step in 2010; had it been adopted, it could well have averted the Cambridge Analytica debacle years later.

By 2018, Facebook had more than 40 million apps integrated into its platform, many of which had access to the data not only of people who installed the app, but also their friends on the social network. That kind of sharing, Zuckerberg said, meant a Facebook user’s “calendar should be able to show your friends' birthdays, your maps should show where your friends live, and your address book should show their pictures.”

Those were benign applications. But when Cambridge Analytica acquired the data of up to 87 million Facebook users from the developer of the TYDL app, which was downloaded by fewer than 300,000 Facebook users, and used that data to try to steer the 2016 US elections, the global outcry was massive. Facebook said it had been duped by a rogue app developer, but it also admitted to problems.

“We have a responsibility to protect your data, and if we can't then we don't deserve to serve you,” Zuckerberg said in a blog post in March 2018. Zuckerberg admitted “mistakes,” but he did not disclose that the OPC had tried to cut off apps’ access to friend data in 2009. Facebook itself phased out apps’ access to friend data in 2014 and 2015.

OPC's mistrust

The OPC had not forgotten, however.

“The problems identified in 2009 have recurred,” OPC said in its internal notes for the December 2018 meeting with Facebook. “In 2009, you didn't accept our recommendations and instead raised an alternative resolution, which we accepted on your assurances that monitoring and enforcement of Platform would be enhanced. You have failed to meet even that commitment in a meaningful way. This failure compounds the lack of accountability, as it indicates a disregard for prior commitments and has sown mistrust.”

Moreover, the Canadians had asserted it was not likely that the TYDL app was unique among the millions of apps on the platform that abused its access to user data.

“Without knowledge, there cannot be consent,” the OPC’s internal notes said. “The TYDL App is only one of millions of apps; but it is naive to believe it was the only one violating the Platform Policy in this way. It is likely there were thousands, if not millions of other apps collecting information in this way, that slipped under Facebook's radar.”

Tough exchanges

If Zuckerberg was contrite in public, the lawyers representing Facebook in the Canadian regulatory investigation were decidedly less so.

In early March 2019, a month after the OPC sent its written preliminary report to Facebook, the company's lawyers continued to argue that the Canadian regulators lacked jurisdiction to even investigate. In letters labeled "confidential," Facebook said that the regulator could not prove Cambridge Analytica ever obtained Canadian Facebook data.

Adam Kardash, a lawyer representing Facebook, said in a March 4 letter that the regulators’ preliminary report “mischaracterizes” the facts in the case and that there was no proof that data collected by the TYDL app from Canadians had made its way to Cambridge Analytica.

“Accordingly, neither your Office nor the OIPC BC has jurisdiction to investigate the subject matter of this complaint, because it lacks any Canadian nexus,” Kardash wrote.

Rather than acknowledging that following the OPC’s recommendation in 2009 might have averted the Cambridge Analytica mess, the Facebook lawyer argued that because the OPC had accepted Facebook’s proposed consent mechanism in 2009, the agency continued to be bound by that position a decade later.

OPC tested, approved

“The very approach and model for obtaining consent of Installing [app] Users and [their Facebook friends] that Facebook reviewed with your Office, that your Office tested, that your Office approved, and that formed the basis for your Office's resolution of the 2009/2010 investigation is now the very basis upon which your Office alleges that Facebook did not obtain a valid consent,” he wrote.

The Canadian regulators responded that their data showed that one person downloading the TYDL app multiplied the exposure of affected Facebook users by a factor of 2,286. Just three people in Newfoundland and Labrador had downloaded the TYDL app, but their downloads affected 9,861 other users. The 142 Facebook users in Ontario who downloaded the app exposed the data of about 300,000 Facebook users, the regulators said.

Moreover, those numbers didn’t count the impact on Canadians who had Facebook friends in the US or other countries who installed the app, Brent Homan, deputy commissioner of the OPC, and Bradley Weldon, director of policy for the British Columbia regulator, said in a letter to Facebook.

“The Offices’ jurisdiction does not depend on the narrow issue of whether it can be proven that Canadians’ personal information was ultimately disclosed to” Cambridge Analytica, Homan and Weldon wrote, saying the regulators had been clear from the start that the investigation had “looked at Facebook disclosure of personal information to third-party apps in general.”

Denouement

As the settlement negotiations continued in private through the winter and into the spring, the crux of the talks revolved around a confidential letter Facebook sent the regulators on March 27. Yes, Facebook was prepared to enter into a compliance agreement with the OPC, the company told the regulators. But as the Canadians read on, they found that the letter amounted to a significant rewrite of their recommendations for privacy improvements.

Facebook said that it — not the OPC — should propose the compliance monitor, and that approval of its choice was “not to be unreasonably withheld” by the regulator. Facebook deleted the OPC’s recommendation that the monitor would “regularly” report on its compliance. In its counter-proposal, Facebook said the OPC could audit its practices if Facebook’s designated monitor said the company “materially failed to comply” with the settlement, and if Facebook failed to fix the problem within 90 days of getting notice of it.

“As discussed, Facebook has an already established working relationship with a well-credentialed, independent third-party assessor that provides bi-annual reports to the FTC,” the company said.

Facebook deleted the OPC’s recommendation that users be given controls to “switch off any ongoing disclosure to individual apps, or all apps.” In the consent process, Facebook deleted the OPC’s proposal that Facebook would “clearly inform” users about how and why their data was being shared and used, substituting the language “enable users to access information provided by the app about the nature, purposes and consequences of the disclosures of their personal information to the app” — essentially requiring only that users could see the app’s privacy policy.

Facebook also deleted the OPC’s recommendation that, as it had proposed in 2009, users be able to block data collection by apps downloaded by their Facebook friends. The company said that consent was no longer necessary because “users can no longer re-share their friends’ data with apps in this manner.”

Rather than the OPC’s proposal that Facebook retroactively investigate the data-sharing practices of “all apps” on its platform, the company said it should only have to investigate “certain apps” and that the existing “App Developer Investigation” it launched in 2018 – a study that Facebook has zealously fought in multiple US courts to keep from becoming public – had already done that job.

That, the regulators responded, was not what they had proposed. In a terse, two-paragraph letter, Homan of the OPC and Jeanette Van Den Bulk of the British Columbia regulator said Facebook’s response showed it had “effectively refused” the regulators’ recommendations, and that they would proceed to issue their final report concluding that Facebook had violated PIPEDA.

“Facebook has offered very limited remedial action over and above its existing state,” Homan and Van Den Bulk said, “which we find wholly insufficient.”

Facebook tried to get a last-minute meeting with Daniel Therrien, Canada's privacy commissioner. But the talking was over, and the OPC issued its report the next day.