This blog was written with the assistance of summer law student Jake Tesarowski.
There was insufficient evidence to prove that Facebook violated the Personal Information Protection and Electronic Documents Act (PIPEDA) after a third-party app sold the personal information of hundreds of thousands of Facebook users, according to the Federal Court of Canada (the "Court").
On April 14, 2023, the Court dismissed an application by the Privacy Commissioner of Canada (the "Privacy Commissioner") seeking to enforce an investigation that found Facebook (now Meta Platforms Inc.; "Facebook") violated PIPEDA. The Court concluded there was not enough evidence to demonstrate that Facebook failed to acquire meaningful consent before sharing user information with third-party apps and rejected the claim that Facebook did not adequately safeguard user information.
On May 12, 2023, the Privacy Commissioner announced it was appealing this finding.
The Privacy Commissioner conducted an investigation into Facebook's practices following reports that a third-party service provider obtained data through its app's access to Facebook and proceeded to sell the data to a British research firm, in violation of Facebook's policies. The app in question was installed 272 times, giving the service provider access to the data of more than 600,000 Canadians.
An inability to prove a lack of meaningful consent
The Court rejected the Privacy Commissioner's arguments that Facebook failed to obtain meaningful consent from users before disclosing their information to third parties. The Privacy Commissioner had argued that Facebook fell short by relying on third-party applications to obtain user consent and by failing to manually verify the content of third-party privacy policies.
The Court did not endorse Facebook's efforts, but instead found there was insufficient evidence to show a breach of PIPEDA. Without further evidence, including expert evidence on what measures Facebook should have had in place, the Court was left in an "evidentiary vacuum."
Safeguarding user information
The Court agreed with Facebook's claims that "safeguarding obligations end once information is disclosed to third-party applications." The Court made specific reference to the difference between Facebook transferring personal information for business transactions and protecting information outside of its control.
Takeaways for your organization
While the Court found in favour of Facebook, this decision nonetheless highlights the need to ensure compliance with applicable privacy laws such as PIPEDA when transferring personal information to third parties. For example, under PIPEDA, an organization is accountable for the information in its custody, including information transferred to third parties. In particular, this decision highlights the importance of having consent and contractual protections any time your organization transfers data to third parties.
That said, whether an organization's safeguarding obligations end once data is disclosed to a third party will be considered on appeal. The appeal will provide further insight on what is expected of organizations to meet PIPEDA obligations when transferring data to third parties.
Your organization should also be aware of Bill C-27, the Digital Charter Implementation Act, which stands to make significant changes to PIPEDA. Bill C-27 has gone through two readings in the House of Commons and is awaiting review by the Standing Committee on Industry and Technology.
If passed, Bill C-27 would empower the Privacy Commissioner and a newly formed Personal Information and Data Protection Tribunal ("PIDPTA") to recommend stricter penalties and make binding orders for privacy law violations, subject to judicial review under the Federal Courts Act. Notably, PIDPTA includes a specific requirement that organizations transferring data to service providers provide a level of protection in line with the organization's PIDPTA obligations.