Recently, a cybersecurity leak at media giant Facebook led to a privacy breach affecting more than 533 million Facebook accounts worldwide. Alon Gal, the chief technology officer of Facebook’s cybersecurity company, said the leaked database includes users’ phone numbers, past and current locations, birthdates, relationship statuses, bios and, in some cases, email addresses. Generally, such mass-scale breaches are reported immediately in order to insulate Facebook from long-term legal ramifications. This one, however, took time.
One estimate puts the number of Facebook users in Canada affected by the breach at 3.49 million. Canada’s privacy law requires organizations like Facebook to report breaches to the federal privacy commissioner, and to notify affected individuals, for breaches “involving personal information that pose a real risk of significant harm to individuals.” What is interesting is that no report was filed with the privacy commissioner regarding this incident, as Facebook stated it was an extension of a privacy breach from mid-2019 that had previously been disclosed. However, Canadian privacy organizations argue that the breach is new, and as such had to be reported when it occurred.
The dispute between the two sides comes at a time when the Liberal government is under criticism for what many see as dragging its feet on legislation tabled in the fall to reform the private sector’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-11 is currently stuck in the House of Commons, but once (if) passed it would give additional powers to the privacy commissioner and create an administrative tribunal that can levy fines against private actors that fail to follow the Act.
The announcement that Facebook’s leak had been kept quiet from the federal privacy commissioner comes at a very useful time for proponents of Bill C-11, who can likely use it as fuel to push the bill through faster.