Open this photo in gallery Mark Zuckerberg speaks on stage during the annual Facebook F8 developers conference in San Jose, Calif., on April 18, 2017. Stephen Lam/Reuters

More than 622,000 Canadian Facebook users − and 87 million people across the globe − may have had their personal information improperly shared with a U.K.-based political consulting firm, the social-media giant said on Wednesday.

The official Facebook figures on the scale of Cambridge Analytica’s data-collection efforts are much broader than the initial estimate of 50 million users first offered by Canadian whistle-blower Christopher Wylie.

The revelations come as Facebook unveiled significant changes in how app developers access personal data.\p[

Story continues below advertisement

Facebook confirmed an estimated 622,161 Canadians likely had their profile information improperly shared with the consulting firm hired by Donald Trump’s 2016 presidential campaign.

Facebook said it calculated the worldwide figures by estimating the maximum possible number of Facebook friends of each of the 270,000 users who accessed a personality quiz developed by a researcher who later shared their personal details, and those of their friends, with the political consultants.

Chief executive officer Mark Zuckerberg is set to testify next week before the U.S. Congress. Regulators in the United States, Britain and Canada have all opened investigations into the company’s past data-sharing policies.

Speaking to reporters after a conference in Toronto, Canadian Privacy Commissioner Daniel Therrien said he viewed the disclosure about the 622,000 Canadian victims as a key piece of information. “That’s a question we asked Facebook when we started our investigation two weeks or so ago,” he said.

The allegations about Cambridge Analytica prompted Mr. Therrien’s office to investigate whether the social-media giant has run afoul of Canada’s Privacy Act, though no conclusions have been made yet.

Mr. Therrien also signalled that he would like to have his office take a closer look a Canadian entity – AggregateIQ, based in Victoria – accused of being a player in the improper data-collection.

The new details on the number of Canadians whose information was likely shared with Cambridge Analytica were “deeply concerning,” acting minister of Democratic Institutions Scott Brison said in a statement. “While Facebook has begun to take initial steps to address these issues, it is clear that much more needs to be done.”

Story continues below advertisement

In an hour-long call with reporters, Mr. Zuckerberg acknowledged that the fierce backlash over the company’s data-collection policies had forced him to rethink his entire philosophy about how Facebook works to connect users from around the world. He said he expects the company to spend years working to regain users’ trust.

“I think our view in a number of aspects of our relationship with people is that our job was to give them tools and that it was largely people’s responsibility for how they chose to use them,” he said.

“I think we [now] understand … that we’re not just building tools, but we need to take full responsibility for the outcomes of how people use those tools as well.”

Starting Monday, Facebook will begin notifying users if their information may have been misused by Cambridge Analytica.

As it battles against a global firestorm that has prompted some users, advertisers and investors to walk away from the platform, Facebook unveiled major new restrictions on how third-party apps access personal information.

Developers will now be required to get Facebook’s permission before being able to access information about events, groups and pages posted on Facebook. Apps will be banned from collecting many personal details about users, including their political and religious views, relationship status, education and video-watching activity.

Story continues below advertisement

The company also shut down a feature that allowed people to search for Facebook users based on their phone number or e-mail address, information Mr. Zuckerberg said he believed had been scraped in bulk by “malicious actors.” The setting had been turned on by default for Facebook users, meaning potentially billions of people’s public data could have been collected. “It is reasonable to expect that if you had that setting turned on that at some point in the last several years someone has probably accessed your public information,” he said.

Overhauling how apps collect data from its platform is the latest in a string of changes Facebook has announced to address privacy concerns. The company said it plans to rewrite its privacy disclosure practices to better explain to users how it collects and uses personal information.

Last week, the social-media giant said it would end the practice of allowing advertisers to target users based on information purchased from data brokers, companies that collect personal data from a wide range of sources. It also said it would create centralized hubs where users could review their personal information, control privacy settings and see what apps have permission to access their data.

“It’s clear from people’s reaction over the past couple weeks that we’ve lost a lot of trust and we have a lot of work to do to regain it,” Facebook’s deputy chief privacy officer Rob Sherman said in an interview this week with The Globe and Mail. “So my hope is that this is one step in that direction, but we’ll have more to do.”

Digital privacy advocates applauded Facebook’s recent changes, but said the company needs to do more to address its trust crisis.

New restrictions on the kinds of personal data third-party apps collect on Facebook is a “positive step,” said Jeff Chester, executive director of the Center for Digital Democracy, in Washington. But he said Facebook itself should stop collecting sensitive information such as people’s political or religious views without informed consent and proper safeguards.

Story continues below advertisement

“They must be in full panic mode, because they don’t know exactly what to give,” he said. “What’s the right set of policies and tools so they can protect their brand and maintain the level of monetization or revenue? I don’t think they have developed a kind of coherent approach to all this.”

Marc Rotenberg, president of the Electronic Privacy Information Center said despite the flurry of policy changes and announcements, Facebook has proven it’s incapable of policing itself. He urged regulators to take a more aggressive stand.

’“It’s no longer for Facebook to decide whether Facebook is doing enough to protect online privacy,” he said. “That approach has failed.”

With reports from Bill Curry and Colin Freeze

Got a news tip that you’d like us to look into? E-mail us at tips@globeandmail.com. Need to share documents securely? Reach out via SecureDrop.

