4 June 2025

Federal Court Of Appeal Finds Facebook (Meta) In Breach Of PIPEDA

Gardiner Roberts LLP

Gardiner Roberts is a mid-sized law firm that advises clients from leading global enterprises to small & medium-sized companies, start-ups & entrepreneurs.

Introduction

The Federal Court of Appeal ("FCA") released a landmark ruling on September 9, 2024 in its decision of Privacy Commissioner of Canada v. Facebook, Inc., 2024 FCA 140.

In its decision, the FCA found that Facebook, Inc. (now, Meta Platforms, Inc.) breached its obligations under the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") when it was found to have shared user data with third-party applications hosted on its platform.

The complaint was initially investigated by the Office of the Privacy Commissioner of Canada ("OPC") with respect to allegations that Facebook provided user data to a third-party application, TYDL. TYDL, in turn, was found to have sold that data to Cambridge Analytica, a company widely and infamously known for engaging in targeted political advertising directed at users of the Facebook platform, with a view to manipulating and influencing users' votes during the lead-up to the 2016 United States Presidential Election.

At the close of their investigation, the OPC found that Facebook was in breach of PIPEDA on two principal grounds:

  1. TYDL did not receive meaningful consent from Facebook users with respect to the disclosure of their information to third-party applications, such as Cambridge Analytica; and
  2. Facebook failed to ensure that the user data was properly safeguarded.

Accordingly, the OPC filed a Notice of Application in Federal Court, where it sought an Order requiring that Facebook modify its policies and practices concerning the collection and use of personal information so as to bring the company into substantial compliance with PIPEDA, specifically on the issues raised above.

Lower Court Decision

In 2023, the Federal Court ruled in favour of Facebook and dismissed the OPC's application.

In its reasons, the Federal Court held that the OPC failed to meet its burden of proof on both of the above-listed points.

With respect to the allegation that Facebook failed to obtain "meaningful consent" from its users, the Federal Court held that a so-called "evidentiary vacuum" proved fatal to the OPC's case. More particularly, the Court found that the OPC failed to properly compel the production of evidence from Facebook via the appropriate channel, being section 12.1 of PIPEDA. Moreover, the Court held that the OPC failed to tender any expert evidence in respect of what Facebook could have done differently in the specific circumstances.

Absent the requisite subjective and expert evidence, the Court found that the claims of the OPC were meritless speculations.

In dealing with the secondary allegation that Facebook failed to safeguard user data, the Court held that a data breach did not in and of itself equate to inadequate safeguards. The Court further held that any safeguarding obligations that did belong to Facebook would cease upon the disclosure of data to third-party applications.

Ultimately, in the absence of the OPC meeting its evidentiary burden, the Court was unable to conclude that Facebook's contractual agreements and privacy policies failed to provide adequate protections for data belonging to its users.

Federal Court of Appeal

The Federal Court of Appeal reversed the decision of its lower court.

In its reasons, the FCA determined that Facebook failed to obtain "meaningful consent" from its users whose data and information had been shared with TYDL and subsequently Cambridge Analytica. The FCA also rejected the lower court's requirement for subjective and expert evidence as it related to the analysis and determination of whether meaningful consent had been obtained. The FCA held that the standard as it relates to the obtaining of meaningful consent is that of a reasonable person, so as to be consistent with the pith and substance of PIPEDA as a whole.

As the preeminent piece of Canadian private sector privacy legislation, PIPEDA requires organizations to obtain "meaningful consent" from individuals before the organization can collect, use, or disclose their personal information. Consent, here, is construed against an objective standard, and is only considered to be valid if it can be said that a "reasonable person" would understand the nature, purpose, and consequences of the use and/or disclosure of their personal information.

The Federal Court of Appeal also found that the safeguarding of data requirement as set out in clause 4.7 of PIPEDA was similarly breached by Facebook. The Court acknowledged that organizational compliance with PIPEDA did not offer absolute immunity against data breaches, but clarified that the cause of the subject breach was more related to policy and user design decisions made by the company. In this instance, Facebook was found to have violated its obligation to safeguard its users' data by inviting users to their platform and subsequently failing to supervise the users' compliance with the terms and conditions of third-party applications - like TYDL - who also used their platform.

Facebook countered this specific charge by arguing that it would be nearly impossible to review and approve the privacy policies of all third-party applications which were hosted on its platform. The Court did not grant much weight to this contention, and ruled that an organization like Facebook could not avoid its various statutory responsibilities under PIPEDA by claiming that it had too many platformed third-party applications to review and manage. In other words, difficulty in complying does not extinguish an organization's compliance requirements insofar as PIPEDA is concerned.

Key Takeaways

This decision stands for the proposition that private sector organizations will not be able to rely on their privacy statements alone to establish meaningful consent and that contractual provisions as set out in privacy policies alone are not sufficient to ensure safeguarding of personal information.

Organizations would be well advised to analyze this decision and make a more concerted effort to conduct routine privacy audits, simplify their privacy policies so as to make them more accessible and therefore digestible to ordinary users (i.e., avoid "legalese" and use plain language), and where possible, implement third-party oversight mechanisms specifically with respect to safeguarding user data.

Lastly, the Federal Court of Appeal warned that consent under PIPEDA ought to be obtained via an "active process" and not assumed through default privacy settings. Organizations would be wise to implement settings which avoid the assumption of consent for data sharing and instead create a positive obligation on the part of the user - otherwise known as an "opt-in" method - to affirm their consent for data sharing.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
