This piece originally appeared in The Globe and Mail on January 12, 2023.
It seems that surveillance capitalism and hyper-personalized ads have become an inescapable part of our one-sided social contract with Big Tech. But last week, the European Union made clear to Meta (formerly Facebook) that some of its advertising practices won’t be tolerated, ruling that Facebook and Instagram can’t force users to accept personalized ads without their explicit consent.
The EU ruling represents a blow to Meta’s surveillance-based business model. Canadians may wonder what it will take for our country to follow other jurisdictions’ lead and place our citizens’ privacy interests ahead of Big Tech’s financial interests.
The EU’s landmark privacy legislation, the General Data Protection Regulation, created stronger privacy rights for users when it came into effect in 2018. It also created obligations around collection, retention and management for the companies that collect data (if you’ve ever clicked “accept all” to a tracking cookie notice on a website, then you’ve felt the impact of the regulation).
Nearly half a decade later, European data protection regulators found that Meta has been subverting the regulation’s requirement for personalized ads. Meta is starting 2023 facing €390-million ($562-million) worth of privacy fines. That’s already half of their EU fines from 2022 alone. The EU, while slapping huge fines on Meta, has also ruled one of the key components of its business model illegal.
Pause for a moment to consider that. A key component of how Meta makes its money is illegal.
Canadian internet users hoping to see new guardrails around the power of Big Tech will be disappointed to learn that our privacy regime lacks the same strength. It’s time we ask why and move expediently to get privacy reform right.
The Personal Information Protection and Electronic Documents Act, Canada’s private-sector privacy law, enacted in 2000, does not hold a candle to the General Data Protection Regulation. First off, the laws are fundamentally different: where Canada’s act accepts data collection and use as the norm as long as users provide consent, the European regulation tries to make it the exception to the rule by requiring organizations to prove a legitimate business interest for collecting any type of user data.
Moreover, the Canadian act lacks the teeth of the European regulation. Meta faces a fine in the hundreds of millions in the EU. Yet, in 2020, Canadian enforcement agencies could only fine Facebook $9-million despite the enormity of the data mishandling as a result of the Cambridge Analytica scandal. The Privacy Commissioner’s office is also severely limited in its ability to promote privacy and penalize organizations that contravene Canada’s act.
Despite attempts, Canada’s private-sector privacy legislation has not been substantively updated in over 20 years. The latest effort, Bill C-27, entered second reading in the House of Commons last November, and addresses some of the issues with the act mentioned above, but would still fail to curtail the surveillance capitalist business model of Big Tech.
If it becomes law, Bill C-27 would strengthen the power of the Privacy Commissioner, increase monetary penalties to a level comparable to those in the EU and introduce a new tribunal to administer them. It would also create new obligations for how companies manage different categories of personal data. However, unlike the General Data Protection Regulation, Bill C-27 remains based on consent, and the large swath of exceptions introduced by the bill invites the question: Do we want to protect our citizens’ privacy or the surveillance capitalism business model?
The EU ruling shows that it is possible to stand up to Big Tech’s predatory business practices, and should act as a catalyst for internet users, privacy advocates and law makers in Canada to move quickly on much needed and long overdue privacy reform. Without swift action, trust in the internet will continue to erode at the expense of the Canadian economy, culture and democracy.