Facebook’s weak privacy protections exposed the personal data of millions of users, a serious failing that the company has acknowledged but refused to fix, Canadian regulators said on Thursday.
An investigation by the privacy commissioner of Canada and the information and privacy commissioner for British Columbia found that Facebook violated national and local laws in allowing third parties access to private user information through “superficial and ineffective safeguards and consent mechanisms.”
But Facebook has disputed the watchdogs’ findings, even after its chief executive, Mark Zuckerberg, apologized last year for what he called a “major breach of trust” in the Cambridge Analytica data harvesting scandal, the regulators said. The company ignored recommendations, some issued a decade ago, for how to prevent future exposure, they said.
“There’s a significant gap between what they say and what they do,” said Daniel Therrien, who heads the federal privacy watchdog, at a news conference in Ottawa on Thursday.
The regulators, who have limited power to force Facebook’s compliance, plan to take the company to a Canadian federal court. The court, which focuses on regulatory issues and lawsuits against the government, may impose fines.
But Mr. Therrien said that “historically there have been very small penalties — in the tens of thousands of dollars.” He pushed for stronger privacy laws in Canada and more authority for regulators to inspect and penalize companies.
“They told us outright that they do not agree with our legal findings,” Mr. Therrien said. “I find that absolutely untenable that a company can tell a regulator that it does not respect its findings.”
Canada passed its first digital privacy legislation in 2000, later updating it with stricter consent rules, but regulators never adopted the stiff fines and investigative powers authorized by their European counterparts.
“The problem in Canada is that there is no deterrent whatsoever,” said Michael McEvoy, who runs the privacy regulator in British Columbia.
Officials said Facebook refused to allow audits of its privacy procedures. But in a statement, the company said it had “proactively taken important steps towards tackling a number of issues raised in the report” and had offered to enter a compliance agreement with Mr. Therrien’s office.
“After many months of good-faith cooperation and lengthy negotiations, we are disappointed” that regulators consider the issues raised in this report unresolved, the company said.
Pressure is increasing on Facebook from regulators in a number of countries.
On Thursday, Ireland’s Data Protection Commission said it had opened an investigation into Facebook after the company told it that hundreds of millions of user passwords were stored in plain-text format on its internal servers. On Wednesday, Facebook said it expected to be fined up to $5 billion by the Federal Trade Commission for privacy violations.
In Canada, Mr. Therrien called for new laws that would allow his office to regularly examine the privacy practices of Facebook and other social media companies without waiting for a public complaint.
Other Canadian officials have complained about inaction from social media companies over election interference, although a federal election scheduled for October makes it unlikely that any new laws will appear until at least next year.
The complexity of Facebook’s systems and the company’s general opaqueness, Mr. Therrien said, make it likely that users are unaware that the company is violating their privacy or breaking Canadian laws.
The Canadian investigation began after reports last year that Cambridge Analytica, a political data firm hired by President Trump’s 2016 election campaign, gained access to personal data on up to 87 million Facebook users. Some 622,000 Canadians may have been affected, according to the regulators.
The unauthorized access could have been avoided or alleviated if Facebook had followed recommendations issued in 2009 after a similar investigation by the federal privacy commissioner, the regulators said.
Facebook said in its statement that “there’s no evidence that Canadians’ data was shared with Cambridge Analytica, and we’ve made dramatic improvements to our platform to protect people’s personal information.”
In a symbolic gesture, Mr. Therrien said his office was closing its Facebook account.