Canadians are famous for saying 'sorry,' but Mark Zuckerberg's apologies are not ringing true for the northern nation.
The Canadian House of Commons is conducting formal hearings on the 'Breach of personal information involving Cambridge Analytica and Facebook.' On Tuesday, it kicked off two days of political and expert questioning in its Standing Committee on Access to Information, Privacy and Ethics (ETHI). Facebook Canada's Global Directeur and Head of Public Policy, Kevin Chan, is slated to appear on Thursday at 8:45 AM.
On Tuesday, Daniel Therrien, privacy commissioner of Canada, spoke with the committee. Therrien called for stronger regulations to protect Canadians' data. And, notably, for the ability of his agency and the election agency's ability to make and enforce orders.
"The time of self-regulation is over," Therrien said. "Transparency and accountability are necessary, but they are not sufficient."
Therrien also informed the committee that his organization is conducting a formal investigation into Facebook, Cambridge Analytica, and the Canadian data firm AggregateIQ that was recently booted from Facebook for its ties to Cambridge Analytica. Cyber risk researcher Chris Vickery also spoke with the committee, in large part to attest to the "porous" relationship between Cambridge Analytica and AggregateIQ. Vickery, Therrien, and the committee appear to be concerned about the use of citizens' data to influence elections and voters. Therrien said he believed that micro-targeted advertising could influence Canadian elections.
"My Facebook feed is full of political ads that I can tell are not from any political party, but somebody’s putting them there," MP Charlie Angus said during questioning.
Canadian Facebook users were not affected as widely as US users by Cambridge Analytica's 2014 data grab, but they were not immune, either. The CBC reported that Cambridge Analytica had the data of about 600,000 Canadians.
"Facebook has made many promises over the years to its users to rectify this or that, to put them in control of their personal information, and this is done year after year for a number of years," Therrien said. "And Facebook is not the only company that acts that way. Which leads me to accountability and responsibility on the part of companies is necessary, but is not sufficient.”
Data privacy in Canada is governed under PIPEDA: the Personal Information Protection and Electronic Documents Act. Unlike the US, Canada has "adequacy" status from the European Union with regard to how it safeguards data. But some Canadians and Therrien are calling for reform to PIPEDA, and crucially, the ability to inspect companies, and enforce regulations.
"It is more than time that Canada legislate," Therrien said. "The GDPR, the European regulation, is certainly a good standard to compare ourselves with. But i think it's important for each country to develop its own legislation."
"The main point," Therrien said. "Is it is high time, it is past time, to legislate."