Canada (Privacy Commissioner) v. Facebook, Inc., 2024 FCA 140
Facts
The Privacy Commissioner of Canada (the Commissioner) filed a federal lawsuit against Facebook in 2020, after concluding in an investigation that Facebook had failed to safeguard user information or obtain valid consent for disclosing data to third-party apps hosted on its platform. The proceeding arose from the Commissioner's investigation into the scraping of Facebook user data by the app "thisisyourdigitallife". At first instance, the Federal Court dismissed the Commissioner's application, finding that the Commissioner had not shown that Facebook failed to obtain meaningful consent from users for disclosure of their data, nor that Facebook failed to adequately safeguard user data. The Court also held there was a lack of subjective evidence about Facebook users' expectations and understandings of privacy. This led to the Court finding "itself in an evidentiary vacuum."
Decision
The Federal Court of Appeal allowed the appeal, finding that the lower court erred in its analysis of meaningful consent and safeguarding under the Personal Information Protection and Electronic Documents Act (PIPEDA). Specifically, the Federal Court of Appeal found that the Federal Court erred by premising its conclusion exclusively or in large part on the absence of expert and subjective evidence. Further, the Federal Court of Appeal found that the lower court failed to inquire into the existence or adequacy of the consent given by friends of users who downloaded third-party apps, separate from the installing users of those apps. The Federal Court of Appeal found that the friends were not given the opportunity to consider the third-party app's data policies on an app-by-app basis before disclosure and could not have understood the purposes for which their data would be used by the apps. Although Facebook's Data Policy — to which all users agreed — contained terms explaining how and when third-party apps could access their data, the Federal Court of Appeal found that the language was too broad to be effective as meaningful consent because a user reading the terms could not "sufficiently inform themself of the myriad ways that an app may use their data, and thus could not meaningfully consent to future disclosures to unknown third-party apps downloaded by their friends."
Key Takeaway
This case includes an extensive analysis of the principles of meaningful consent and safeguarding under PIPEDA.
Parker v. Ontario Medical Association, 2024 FC 667
Facts
The applicants, three physicians, sought judicial review under section 14 of the PIPEDA concerning a study commissioned by the respondent Ontario Medical Association (OMA) regarding physicians' overhead costs. The study would involve the OMA disclosing physicians' first name, last name, date of birth, gender, primary address, and specialty to Statistics Canada. The applicants were members of the Ontario Specialists Association (OSA). The OSA filed a complaint with the Office of the Privacy Commissioner of Canada (OPC), alleging that the OMA's proposed study would contravene section 6.1 and Principle 4.3 of PIPEDA. The OPC dismissed the complaint on the basis that the study would not constitute "commercial activity" within the meaning of the PIPEDA and was therefore beyond the scope of the legislation. Additionally, the OPC found that it did not have jurisdiction to investigate the complaint. The physicians brought an application to the Federal Court seeking judicial review of the OPC's decision.
Decision
The Court dismissed the judicial review application, finding that the proposed study was not "commercial activity" within the meaning of PIPEDA. Consequently, PIPEDA did not apply. Justice Fothergill found that the information that the OMA wished to disclose to Statistics Canada constituted "personal information" under PIPEDA because the information was intended to permit the identification of the individuals. However, the Court held that the disclosure of physicians' personal information to Statistics Canada would not amount to "commercial activity" because it would not involve the "exchange, trade, buying and selling" of anything. The proposed study was intended to support negotiations with the government leading to a Physician Services Agreement (PSA), which sets billing rates for healthcare services across the province of Ontario. The OMA would derive no profit or financial benefit from the proposed study or the negotiation of the PSA. Additionally, the OMA does not act on behalf of the government in receiving or paying physicians' invoices, nor does it refer patients to physicians for treatment. The study's purpose was to provide insight into physicians' overhead costs and promote greater "income relativity" in the next PSA.
Key Takeaway
This analysis sheds light on what will — and will not — amount to "commercial activity" within the meaning of PIPEDA. For example, the sharing of personal information may not amount to "commercial activity" if the disclosing organization derives neither a profit nor a financial or other benefit from the disclosure.