Two privacy commissioners found AggregateIQ broke privacy laws — but they can't do much about it

Ontario's former privacy commissioner Ann Cavoukian says Canadians shouldn't hold their breath for strengthened privacy legislation — even as the country's top privacy commissioners find a political advertising company breached Canada's laws.

Federal Privacy Commissioner Daniel Therrien, and his B.C. counterpart Michael McEvoy, concluded this week that the data collection and political advertising firm AggregateIQ broke Canada's privacy laws.

In a report published Tuesday, the commissioners found the company supplied information on voters in B.C., the U.S. and the U.K. without obtaining adequate consent.

AggregateIQ is linked to Cambridge Analytica, a company that came under fire in 2018 for misusing Facebook users' personal data in political advertising.

Federal Commissioner Therrien can't do much about the findings, however. Unlike in the U.S. and European Union, where officials can levy fines, Therrien can only make recommendations.

Cavoukian told Day 6 host Brent Bambury that needs to change.

Here is part of that conversation.

When a company like AggregateIQ or Facebook breaks the law, why does it seem like Canada's privacy commissioners are so powerless? 

Because they, in effect, are. 

The federal privacy commissioner, he can't issue large fines or an order. When I was a privacy commissioner, I had order making powers. I could order whoever I was working with, who has broken the act, to take corrective measures and they had to do it. 

Commissioner Therrien does not have those powers and he has been asking for it for a number of years. And it is atrocious that the federal government has not given him the authority he needs. 

So what are the powers that you would give the federal commissioner if you were in charge right now? 

I would give him the ability to issue significant fines, and also order making power. 

But let me tell you about fines: Just almost two years ago in the European Union, a new law was introduced called the General Data Protection Regulation [GDPR]. It's huge and increases control for personal information, protection, et cetera. 

They can issue [fines] up to four per cent of global revenues if they find someone who is in breach of the act. Think of four percent of the global revenues of a Facebook or Google or whatever.

Huge, huge amounts. Commissioner Therrien can't issue any fines. It's atrocious. 

How have the people who have had infractions levied against them thumbed their nose at Canada's laws? 

That's precisely what they've done. 

Commissioner Therrien, a number of months ago, found that in the [case of] Cambridge Analytica and other cases, Facebook was in breach of privacy laws, no question. And he told them what to do; things that they should be doing to protect data. 

What did Facebook do? They basically, as you said, thumbed their nose at him. They just shrugged their shoulders.

Can you imagine? He is our federal regulator and Facebook just walked away and just said, well, you know, we don't think that; we don't share your view. That's unthinkable. 

When I was privacy commissioner, I would never gotten anything done if I didn't have the authority to carry it out. 

Did you use that threat? How did you go about taking on a giant like Facebook or even a smaller company? 

They knew I had order making power. That was the stick, so I rarely used it. 

I'd much rather work with them to create informal resolutions to address the problem because they know I can do much more. 

So the carrot approach, which was my approach most of the time — let's resolve this informally and get an agreement — that way, it was actually a much stronger buy-in because they bought into it as I asked for various things. 

But that's what you need: you need a stick so they know you have some authority to execute this. 

So the Canadian government told us that they're in the process of reviewing our privacy regulations. They're looking at enhancing the powers of the privacy commissioner, and that might include orders and fines. How confident are you that the government will end up giving these powers to the commissioner in the near future? 

I would just tell people, don't hold your breath. Commissioner Therrien has been asking for these powers for well over two years.

So Commissioner Therrien went to the federal government several years ago and said, look, we need to upgrade our federal private sector legislation, PIPEDA. It's dated from the early 2000s. We are no longer compliant with the new law in the EU, and we need to add privacy by design to our law because they've done that in the EU ... We need to add that to our law.

So meanwhile, given the privacy legislation that we have in effect now, what's going to happen going forward as tech companies look at the results of the AggregateIQ and the Facebook cases? 

It's very unfortunate. If we don't strengthen our law, they're going to continue, like Facebook did, thumbing their nose [at] the government. 

Now, the federal commissioner, the only power he has is to take Facebook to court, which is what he's doing. But that takes forever [and] the resources of Facebook versus the commissioner's office, they're not equal at all. 

So my fear is that that will just drag on forever. It's just imperative that our privacy laws are strengthened.

This Q&A has been edited for length and clarity. To hear the full interview, download our podcast or click Listen above.