Facebook’s weak privacy protections exposed the personal data of millions of users, a serious failing that the company has acknowledged but refused to fix, Canadian regulators said on Thursday.
An investigation by the privacy commissioner of Canada and the information and privacy commissioner for British Columbia found that Facebook violated national and local laws in allowing third parties access to private user information through “superficial and ineffective safeguards and consent mechanisms.”
But Facebook has disputed the watchdogs’ findings, even after its chief executive, Mark Zuckerberg, apologized last year for what he called a “major breach of trust” in the Cambridge Analytica data harvesting scandal, the regulators said. The company ignored recommendations, some issued a decade ago, for how to prevent future exposure.
“There’s a significant gap between what they say and what they do,” said Daniel Therrien, who heads the federal privacy watchdog, at a news conference in Ottawa on Thursday.
The regulators, who have limited power to force Facebook’s compliance, plan to take the company to a Canadian federal court. The court, which focuses on regulatory issues and lawsuits against the government, may impose fines.
But Mr. Therrien said that “historically there have been very small penalties — in the tens of thousands of dollars.” He pushed for stronger privacy laws in Canada and more authority for regulators to inspect and penalize companies.
“They told us outright that they do not agree with our legal findings,” Mr. Therrien said. “I find that absolutely untenable that a company can tell a regulator that it does not respect its findings.”
Facebook did not immediately respond to a request for comment. Regulators said the company refused to allow audits of its privacy procedures over the next five years.
Pressure is increasing on Facebook from regulators in a number of countries.
On Thursday, Ireland’s Data Protection Commission said it opened an investigation into Facebook after being told by the company that hundreds of millions of user passwords were stored in plain-text format on its internal servers. On Wednesday, Facebook said that it expected to be fined up to $5 billion by the Federal Trade Commission for privacy violations.
In Canada, Mr. Therrien called for new laws that would allow his office to regularly examine the privacy practices of Facebook and other social media companies without waiting for a public complaint.
The complexity of Facebook’s systems and the company’s general opaqueness, he said, make it likely that users are unaware that the company is violating their privacy or breaking Canadian laws.
The Canadian investigation was launched following reports last year that Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign, gained access to personal data on up to 87 million Facebook users. Some 622,000 Canadians may have been affected, according to the regulators.
The unauthorized access could have been avoided or alleviated if Facebook had followed recommendations issued in 2009 after a similar investigation by the federal privacy commissioner, the regulators said.