A decision by the U.K. privacy watchdog earlier this week to slap Facebook with a £500,000 ($871,000) fine is throwing the lack of power available to the Canadian privacy commissioner to do the same into stark contrast.
In an announcement on July 11, Information Commissioner Elizabeth Denham said her office would hit Facebook with the maximum fine available to drive home the “magnitude” of the breach of user privacy it had allowed.
Facebook let British political data firm Cambridge Analytica use data obtained by a third party application and did not notify users their data was being shared or that it was then being used as the basis to target them for political advertising by the firm, which worked to sway votes in favour of the Brexit “leave” campaign.
It also used the data to support the presidential campaign of U.S. President Donald Trump.
More than 600,000 Canadians had their data accessed and shared in the scandal, which impacted at least 87 million people globally.
WATCH BELOW: Micro-targeting: How Facebook is selling you to advertisers
In response, Canadian Privacy Commissioner Daniel Therrien opened an investigation into whether Facebook breached its duties to protect Canadians’ privacy.
A spokesperson for his office could not say when that investigation will wrap up but noted that when it does, Therrien will not be able to impose any fines if there is a finding that Facebook breached its responsibilities under Canadian privacy laws.
“Currently, the privacy commissioner is an ombudsman and may make recommendations to an organization he has investigated,” said Tobi Cohen, a spokesperson for the privacy commissioner’s office.
“He does not have order making power and cannot impose fines.”
The lack of powers available to the Canadian privacy commissioner to enforce the rules has been an issue raised repeatedly by privacy advocates over the years.
All the office can do right now is issue recommendations to the subjects of its investigations, which they are not legally bound to apply.
Denham herself told a House of Commons committee studying the Facebook/Cambridge Analytica scandal in May 2018 that the status quo no longer reflects the rapidly evolving digital landscape and the implications that has for Canadians.
“The Canadian privacy commissioner’s powers have fallen behind the rest of the world,” she said.
WATCH BELOW: Facebook Canada head flees reporter questions following committee appearance
That committee heard repeated testimony from witnesses including Therrien who urged them to recommend giving the office teeth.
As a result, the committee included a recommendation in its final June report on the matter that new enforcement powers for the office are urgently required.
Even so, one privacy expert says he is not holding his breath that anything will actually change.
“It’s hard to be optimistic about strengthening the Canadian privacy law framework given decades of neglect,” said Michael Geist, a professor at the University of Ottawa who specializes in information and technology law.
Geist, who also holds the Canada Research Chair in Internet and E-Commerce Law, said the issue ultimately comes down to a lack of “political will.”
“We haven’t seen that from successive governments (whether Liberal or Conservative) but perhaps the mounting awareness and concern with privacy safeguards — along with the heightened EU standards — will be enough to see some movement.”
In May, new rules for data protection came into force in the European Union.
Those rules replaced a patchwork of policies in individual member states with one cohesive set of rules that focus on giving people more control over their personal information as well as levelling the playing field and consumer protection expectations for companies operating within the union.
Since entering into force, the rules have won wide praise and calls for other countries, including Canada, to follow suit.
At this point, there is no indication the government plans to do so.